On Tue, Jul 26, 2005 at 08:59:59AM -0400, Derek Atkins wrote:
> dsr at tao.merseine.nu writes:
>
> >> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
> >>     --set
> >> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
> >>     -j LOG --log-level WARN --log-prefix REJECT-SSH --log-ip-options
> >> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
> >>     --update --seconds 60 --hitcount 4 -j DROP
> >>
> >> Should allow me to log this also?
> >
> > Certainly. I don't simply because Snort handles that for me.
> >
> > Do you want to log all the attempts or just those which result
> > in actual DROPs?
>
> If I wanted to only log attempts that result in actual DROPs, how would
> I implement that?

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 -j LOG --log-level \
    WARN --log-prefix SSH-TOO-FAST

> Also, where in the iptables (ordered) list would I want to put these?

Assuming you do a sensible INPUT POLICY DENY, then immediately after you
open port 22 for connections, you would want to start these rules. Note
that the first rule doesn't accept the connection, it just adds it to the
recent list.

Now, someone who knows you are doing this might try to DOS your SSHd by
sending SYN packets with spoofed sender addresses of your legitimate
remote hosts. You can counter that by testing for --state ESTABLISHED
--tcp-flags FIN,ACK instead of NEW, and thus updating your list at
session drop time instead of session start time.

Documentation on this excellent module is at
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html
under "Recent"

-dsr-
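The ordering question in the thread, worked through as an added example (this is not dsr's or Derek's code). It builds the INPUT chain with -A so the rules are evaluated in the order written, rather than relying on the reversed order that repeated -I inserts produce. Assumptions beyond the thread: the recent list is given a name (SSH), the logging rule uses --rcheck so that it reads the list without recording a second hit before the --update/DROP rule, the --set rule carries an explicit -j ACCEPT since, as dsr notes, --set on its own accepts nothing, and an IPT variable defaults to a dry run ("echo iptables") so the ruleset can be inspected without root. Set IPT=iptables and run as root to apply it.

```shell
#!/bin/sh
# Added example for the BLU thread on rate-limiting SSH with the recent
# module; not code from the original posts.
# Assumptions: SSH on tcp/22 via eth0 (as in the thread), a named recent
# list "SSH" (the thread uses the unnamed default list), and IPT defaulting
# to a dry run so the generated rules can be read without root.
IPT="${IPT:-echo iptables}"

# Emit (or apply) the INPUT chain.  Rules are appended with -A, so the
# order you read here is the order netfilter evaluates them.
ssh_ratelimit_rules() {
    iface="${1:-eth0}"

    # Default deny, then loopback and already-established traffic.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. A NEW SSH connection from a source that already has 4 recorded
    #    connections in the last 60 s is logged.  --rcheck only reads the
    #    list; it does not add a hit, so the next rule sees the same count.
    $IPT -A INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m recent --name SSH --rcheck --seconds 60 --hitcount 4 \
        -j LOG --log-level warning --log-prefix "SSH-TOO-FAST "

    # 2. ...and then dropped.  --update also refreshes the last-seen time,
    #    so a source that keeps hammering stays blocked.
    $IPT -A INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP

    # 3. Otherwise record the source in the list and accept the connection.
    #    This is the rule that actually opens port 22: --set alone does not
    #    accept anything, hence the explicit -j ACCEPT.
    $IPT -A INPUT -p tcp --dport 22 -i "$iface" -m state --state NEW \
        -m recent --name SSH --set -j ACCEPT
}

# Dry-run helper: 1-based position of the first generated rule containing
# the given fixed string, or 0 if none does.  Only meaningful with the
# default IPT="echo iptables", since it re-runs the generator.
rule_position() {
    pattern="$1"; iface="${2:-eth0}"
    n=$(ssh_ratelimit_rules "$iface" | grep -n -F -- "$pattern" \
        | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

ssh_ratelimit_rules eth0
```

With the default dry run the script prints the six iptables commands; the LOG rule must come before the DROP rule, and both before the --set/ACCEPT rule, otherwise the fifth connection in a minute would be accepted and recorded before the limit check ever ran.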