At 8:45 AM +0200 5/26/07, Manuel Arostegui Ramirez wrote:
>On Friday, 25 May 2007 22:09, jdow wrote:
>> From: "jdow" <jdow@xxxxxxxxxxxxx>
>>
>> >I craft my own firewall here using iptables.
>> >
>> > I have a favorite trick I learned from someone else a few years ago that
>> > I use to handle ssh security. Since ssh breaks every once in a while and
>> > I like to leave it open it gets special security efforts.
>> >
>> > The trick is quite simple within iptables. If I get one connection
>> > failure I have to wait several seconds before making a retry. ("OK,
>> > Joanne, don't hyperventilate. Just count to 10 and try again." {^_-})
>> >
>> > The common attack is a dictionary attack with several attempts a second.
>> > So of course, they get one shot to crack a password, usually for
>> > <snicker> root, which is dumb to begin with. After that first attempt
>> > they are blocked for the rest of their run.
>> >
>> > If they are canny enough to figure out "wait N seconds and then try
>> > again" they can dictionary attack me no more than about 43000 attempts
>> > per day if they cut back to one every couple seconds. If I do not have a
>> > dictionary word (or even a word) as a password, it is not 8 characters,
>> > and so forth, how long would it take to guess "Fis8ottlemew" or something
>> > equally silly? The universe would grow cold, first.
>> >
>> > So good attack developers (bless them in a left-handed sort of way) are
>> > smart enough not to attack for more than a minute or so, a few hundred
>> > packets floating in the attack, before they quit. The bad ones run up to
>> > maybe 3000 or 4000 attempts to stop.
>> >
>> > Now, I have to wonder about the quality of education in Albania after
>> > last night. An Albanian cracker, or at least an idiot originating an
>> > attack from albtelecom.al (217.24.240.77) wasted three full hours and
>> > 36807 connection attempts to get ONE, exactly ONE, shot at cracking
>> > my system, the first attempt. All others were rejected and logged. I
>> > just gotta shake my head at the pathetic twit who created the software
>> > that made that attempt. At least my machine kept a whole lot of other
>> > machines from being attacked and I got a huge laugh about it. (And
>> > albtelecom.al finds its little block as one of my permanent blocks in
>> > the firewall, now. This is not the first attack from that /20 block!)
>> >
>> > I love IPTables.
>> >
>> > {^_-} Joanne
>>
>> People asked - here is the answer:
>> # Then set up the reject trap
>> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>     --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
>> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>>     --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
>>
>
>I've been using this for a long time, it's quite similar:
>
>iptables -N attacks
>iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j attacks
>iptables -A attacks -m state --state NEW -m recent --set --name SSH
>iptables -A attacks -m state --state NEW -m recent --update --seconds 60 \
>    --hitcount 4 --name SSH
>iptables -A attacks -m state --state NEW -m recent --rcheck --seconds 60 \
>    --hitcount 4 --name SSH -j DROP
>
>Cheers

While we're at it, I'm using:

-A RH-Firewall-1-INPUT -p tcp --syn --dport 21:22 -m recent --name sshattack --set
-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH REJECT: "
-A RH-Firewall-1-INPUT -p tcp --dport 21:22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP

along with pam_recent <http://snafu.priv.at/mystuff/recent-plus-pam.html> so
that successful logins don't count against the user. I use ProFTPd as the FTP
server, as it is the only one I know that can limit connection attempts.

Instead of the two-port rules, one could use another chain the way Manuel
Arostegui Ramirez does. I don't use another port for SSH or FTP as I want my
security to be tested. I do have SSH set up to prevent root logins via
password, and have a key set up for the case where I need a root login.
Normally I log in as a normal user and "su -" to root for administration.

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>
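The two quoted rule sets behave quite differently against a burst because of how `--set`, `--rcheck` and `--update` interact with `--seconds` and `--hitcount`. The following Python simulation of the `recent` match is an added example, not code from anyone in the thread: it models only the options the quoted rules use plus the module's default of 20 stored timestamps per address, and runs jdow's and Manuel's chains over a constructed SYN timeline using RFC 5737 documentation addresses.

```python
from collections import defaultdict

class RecentList:
    """One `-m recent --name` list: per source address, the times of recorded hits."""
    def __init__(self, max_stamps=20):      # xt_recent default ip_pkt_list_tot is 20
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set always matches and records the packet's time; the oldest stamp drops.
        lst = self.stamps[ip]
        if len(lst) >= self.max_stamps:
            lst.pop(0)
        lst.append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        # --rcheck: match if at least `hitcount` stamps are younger than `seconds`.
        return sum(1 for t in self.stamps[ip] if now - t < seconds) >= hitcount

    def update(self, ip, now, seconds, hitcount):
        # --update: like --rcheck, but a matching packet is recorded as well.
        hit = self.rcheck(ip, now, seconds, hitcount)
        if hit:
            self.set(ip, now)
        return hit

def jdow_chain(recent, ip, now):
    # jdow: --set, then --rcheck --seconds 180 --hitcount 2 -j REJECT (LOG rule omitted)
    recent.set(ip, now)
    return "REJECT" if recent.rcheck(ip, now, 180, 2) else "ACCEPT"

def manuel_chain(recent, ip, now):
    # Manuel: --set; --update --seconds 60 --hitcount 4 with no target, so a match
    # only refreshes the entry; then --rcheck --seconds 60 --hitcount 4 -j DROP
    recent.set(ip, now)
    recent.update(ip, now, 60, 4)
    return "DROP" if recent.rcheck(ip, now, 60, 4) else "ACCEPT"

def simulate(chain, syns):
    """Run a chain over (time_s, source_ip) SYNs; return one verdict per SYN."""
    recent = RecentList()
    return [chain(recent, ip, t) for t, ip in syns]

# Constructed timeline: 192.0.2.10 sends a SYN every second for six seconds, then
# retries at t=200; an unrelated source, 198.51.100.7, connects once at t=2.
BURST = [(t, "192.0.2.10") for t in (0, 1, 2, 3, 4, 5, 200)]
BURST.insert(3, (2, "198.51.100.7"))

if __name__ == "__main__":
    for name, chain in (("jdow", jdow_chain), ("Manuel", manuel_chain)):
        print(name, simulate(chain, BURST))
```

jdow's chain gives the burst source exactly one attempt and then rejects everything until it has stayed quiet for 180 s; Manuel's allows three connections per minute before dropping. Both lists are per source address, so the unrelated connection is accepted either way.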