Re: I love IP Tables....

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: "jdow" <[email protected]>

I craft my own firewall here using iptables.

I have a favorite trick I learned from someone else a few years ago that I
use to handle ssh security. Since ssh breaks every once and awhile and I
like to leave it open it gets special security efforts.

The trick is quite simple within iptables. If I get one connection failure
I have to wait several seconds before making a retry. ("OK, Joanne, don't
hyper ventillate. Just count to 10 and try again." {^_-})

The common attack is a dictionary attack with several attempts a second.
So of course, they get one shot to crack a password, usually for <snicker>
root, which is dumb to begin with. After that first attempt they are
blocked for the rest of their run.

If they are canny enough to figure out "wait N seconds and then try again"
they can dictionary attack me no more than about 43000 attempts per day if
they cut back to one every couple seconds. If I do not have a dictionary
word (or even a word) as a password, it is not 8 characters, and so forth
how long would it take to guess "Fis8ottlemew" or something equally silly?
The universe would grow cold, first.

So good attack developers (bless them in a left handed sort of way) are
smart enough not to attack for more than a minute or so, a few hundred
pakets floating in the attack, before they quit. The bad ones run up to
maybe 3000 or 4000 attempts to stop.

Now, I have to wonder about the quality of education in Albania after
last night. An Albanian cracker, or at least an idiot originating an
attack from ( wasted three full hours and
36807 connection attempts to get ONE, exactly ONE, shot at cracking
my system, the first attempt. All others were rejected and logged. I
just gotta shake my head at the pathetic twit who created the software
that made that attempt. At least my machine kept a whole lot of other
machines from being attacked and I got a huge laugh about it. (And finds its little block as one of my permanent blocks in
the firewall, now. This is not the first attack from that /20 block!)

I love IPTables.

{^_-}    Joanne

People asked - here is the answer:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

Adapt it to your configuration, of course.
{^_^}   (I probably should have included that in the first email for
politeness. Please 'scuse me.)

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux