I love IP Tables....

Manuel Arostegui Ramirez manuel at todo-linux.com
Sat May 26 06:45:25 UTC 2007


On Friday, 25 May 2007 22:09, jdow wrote:
> From: "jdow" <jdow at earthlink.net>
>
> >I craft my own firewall here using iptables.
> >
> > I have a favorite trick I learned from someone else a few years ago that
> > I use to handle ssh security. Since ssh breaks every once in a while and
> > I like to leave it open, it gets special security efforts.
> >
> > The trick is quite simple within iptables. If I get one connection
> > failure I have to wait several seconds before making a retry. ("OK,
> > Joanne, don't hyperventilate. Just count to 10 and try again." {^_-})
> >
> > The common attack is a dictionary attack with several attempts a second.
> > So of course, they get one shot to crack a password, usually for
> > <snicker> root, which is dumb to begin with. After that first attempt
> > they are blocked for the rest of their run.
> >
> > If they are canny enough to figure out "wait N seconds and then try
> > again" they can dictionary attack me no more than about 43000 attempts
> > per day if they cut back to one every couple seconds. If I do not have a
> > dictionary word (or even a word) as a password, it is not 8 characters,
> > and so forth how long would it take to guess "Fis8ottlemew" or something
> > equally silly? The universe would grow cold, first.
> >
> > So good attack developers (bless them in a left-handed sort of way) are
> > smart enough not to attack for more than a minute or so, a few hundred
> > packets floating in the attack, before they quit. The bad ones run up to
> > maybe 3000 or 4000 attempts to stop.
> >
> > Now, I have to wonder about the quality of education in Albania after
> > last night. An Albanian cracker, or at least an idiot originating an
> > attack from albtelecom.al (217.24.240.77) wasted three full hours and
> > 36807 connection attempts to get ONE, exactly ONE, shot at cracking
> > my system, the first attempt. All others were rejected and logged. I
> > just gotta shake my head at the pathetic twit who created the software
> > that made that attempt. At least my machine kept a whole lot of other
> > machines from being attacked and I got a huge laugh about it. (And
> > albtelecom.al finds its little block as one of my permanent blocks in
> > the firewall, now. This is not the first attack from that /20 block!)
> >
> > I love IPTables.
> >
> > {^_-}    Joanne
>
> People asked - here is the answer:
> # Then setup the reject trap
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
>


I've been using this for a long time, it's quite similar:

iptables -N attacks
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j attacks
iptables -A attacks -m state --state NEW -m recent --set --name SSH
iptables -A attacks -m state --state NEW -m recent --update --seconds 60 \
  --hitcount 4 --name SSH
iptables -A attacks -m state --state NEW -m recent --rcheck --seconds 60 \
  --hitcount 4 --name SSH -j DROP

Cheers
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
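Both rulesets in this thread rely on the xt_recent list semantics (--set records a timestamp per SYN, --rcheck matches once a source has --hitcount stamps inside the --seconds window, --update also refreshes the stamps on a match). As an added illustration, not code from either poster or from the kernel, here is a small Python model of those three operations run over constructed SYN arrivals, so the verdict each ruleset gives a dictionary attacker or a fumbling legitimate user can be traced by hand. The class and function names, the documentation-range source addresses and the PKT_LIST_TOT ring size are assumptions.

```python
from collections import defaultdict, deque

# Simplified model of xt_recent (constructed for illustration, not kernel code):
# each source keeps a ring of at most PKT_LIST_TOT packet timestamps; on the
# kernels of that era the default ip_pkt_list_tot was 20.
PKT_LIST_TOT = 20

class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: record one more timestamp for src in the --name list."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update=False):
        """--rcheck / --update: match if src has >= hitcount stamps within the
        last `seconds`; --update additionally records `now` on a match."""
        recent = [t for t in self.stamps.get(src, ()) if now - t <= seconds]
        hit = len(recent) >= hitcount
        if hit and update:
            self.stamps[src].append(now)
        return hit

def jdow_ruleset(table, src, now):
    """jdow's rules: --set, then --rcheck --seconds 180 --hitcount 2 -> REJECT."""
    table.set(src, now)
    if table.check(src, now, seconds=180, hitcount=2):
        return "REJECT"
    return "ACCEPT"  # falls through to whatever normally admits port 22

def manuel_ruleset(table, src, now):
    """Manuel's 'attacks' chain: --set, --update 60s/4 (no target, so it only
    refreshes the stamps while a source is over the limit), --rcheck 60s/4 -> DROP."""
    table.set(src, now)
    table.check(src, now, seconds=60, hitcount=4, update=True)
    if table.check(src, now, seconds=60, hitcount=4):
        return "DROP"
    return "ACCEPT"

def simulate(ruleset, syns):
    """Feed (time_in_seconds, source_ip) SYNs through a ruleset; return verdicts."""
    table = RecentTable()
    return [ruleset(table, src, t) for t, src in syns]

if __name__ == "__main__":
    # Constructed sample: an attacker at two SYNs per second for ten seconds.
    attacker = [(i * 0.5, "198.51.100.7") for i in range(20)]
    print(simulate(jdow_ruleset, attacker).count("ACCEPT"), "of 20 SYNs admitted")
```

With jdow's rules the attacker gets exactly one SYN through and a legitimate user who mistypes once must wait the full 180 seconds; Manuel's chain admits three attempts per minute before dropping.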