Blocking SSH ... BUT...

jdow jdow at earthlink.net
Sat Sep 22 23:03:13 UTC 2007 

From: "Ashley M. Kirchner" <ashley at pcraft.com>
Sent: Tuesday, 2007, September 18 10:53
Subject: Blocking SSH ... BUT...


>
>    Hey all,
>
>    I have the following lines in my iptables config file to curb ssh 
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name 
> sshattack --rcheck --seconds 120 --hitcount 2 -j LOG  -log-prefix "SSH 
> REJECT: "
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name 
> sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with 
> tcp-reset
>
>
>    This works great...EXCEPT it also blocks our own access to the servers 
> if we need to get on them in a short amount of time (less than 120 
> seconds).  So how can I still implement the above blocking, but allow 
> anything from our different subnets (we have 4) come through without going 
> through that block routine?

I see the rubes have forgotten the IPTables trick I learned from this
list and have been propagating ever since.

You can tell IPTables to allow X number of attempts from any particular
source for any given port within a interval and then block it. I like
to log such blocked attempts. It's fun to see where would be crackers
come from. If it's a "Western" university I send a note to the sysadmin
with details. (I don't bother with China or Russia, for example.)

The trick look like this for ssh:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

As configured it allows one attempt every 3 minutes. If a user messes up
they have to wait three minutes. (When I am on the road I set it down to
one a minute. With a moderately decent password of even exactly 8 characters
the brute force attack would take a rather long time noticeable in the
logs as an unusual number of failed login attempts. In twenty four hours
that's 1440 attacks. Could they get "abcdefgh" as a password in that
period? Only if it is in a small dictionary. And we don't use dictionary
words here.

When I bounce I simple mutter to myself, "Patience, Joanne." That works.

{^_-}

More information about the fedora-list mailing list