[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Blocking SSH ... BUT...



From: "Ashley M. Kirchner" <ashley pcraft com>
Sent: Tuesday, 2007, September 18 10:53
Subject: Blocking SSH ... BUT...



   Hey all,

I have the following lines in my iptables config file to curb ssh knocking on our servers:

# Let's see if we can curb SSH attacks.
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set

-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG -log-prefix "SSH REJECT: "

-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset


This works great...EXCEPT it also blocks our own access to the servers if we need to get on them in a short amount of time (less than 120 seconds). So how can I still implement the above blocking, but allow anything from our different subnets (we have 4) come through without going through that block routine?

I see the rubes have forgotten the IPTables trick I learned from this
list and have been propagating ever since.

You can tell IPTables to allow X number of attempts from any particular
source for any given port within a interval and then block it. I like
to log such blocked attempts. It's fun to see where would be crackers
come from. If it's a "Western" university I send a note to the sysadmin
with details. (I don't bother with China or Russia, for example.)

The trick look like this for ssh:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

As configured it allows one attempt every 3 minutes. If a user messes up
they have to wait three minutes. (When I am on the road I set it down to
one a minute. With a moderately decent password of even exactly 8 characters
the brute force attack would take a rather long time noticeable in the
logs as an unusual number of failed login attempts. In twenty four hours
that's 1440 attacks. Could they get "abcdefgh" as a password in that
period? Only if it is in a small dictionary. And we don't use dictionary
words here.

When I bounce I simple mutter to myself, "Patience, Joanne." That works.

{^_-}
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]