Re: Blocking SSH ... BUT...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: "Ashley M. Kirchner" <ashley@xxxxxxxxxx>
Sent: Tuesday, 2007, September 18 10:53
Subject: Blocking SSH ... BUT...




   Hey all,
I have the following lines in my iptables config file to curb ssh knocking on our servers: 

# Let's see if we can curb SSH attacks.
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG -log-prefix "SSH REJECT: "
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
This works great...EXCEPT it also blocks our own access to the servers if we need to get on them in a short amount of time (less than 120 seconds). So how can I still implement the above blocking, but allow anything from our different subnets (we have 4) come through without going through that block routine? 

I see the rubes have forgotten the IPTables trick I learned from this
list and have been propagating ever since.

You can tell IPTables to allow X number of attempts from any particular
source for any given port within a interval and then block it. I like
to log such blocked attempts. It's fun to see where would be crackers
come from. If it's a "Western" university I send a note to the sysadmin
with details. (I don't bother with China or Russia, for example.)

The trick look like this for ssh:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

As configured it allows one attempt every 3 minutes. If a user messes up
they have to wait three minutes. (When I am on the road I set it down to
one a minute. With a moderately decent password of even exactly 8 characters
the brute force attack would take a rather long time noticeable in the
logs as an unusual number of failed login attempts. In twenty four hours
that's 1440 attacks. Could they get "abcdefgh" as a password in that
period? Only if it is in a small dictionary. And we don't use dictionary
words here.

When I bounce I simple mutter to myself, "Patience, Joanne." That works.
{^_-}
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux