From: "Ashley M. Kirchner" <ashley@xxxxxxxxxx>
Sent: Tuesday, 2007, September 18 10:53
Subject: Blocking SSH ... BUT...
Hey all,
I have the following lines in my iptables config file to curb ssh
knocking on our servers:
# Let's see if we can curb SSH attacks.
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
-A INPUT -p tcp --syn --dport 22 -m recent --name
sshattack --rcheck --seconds 120 --hitcount 2 -j LOG -log-prefix "SSH
REJECT: "
-A INPUT -p tcp --syn --dport 22 -m recent --name
sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with
tcp-reset
This works great...EXCEPT it also blocks our own access to the servers
if we need to get on them in a short amount of time (less than 120
seconds). So how can I still implement the above blocking, but allow
anything from our different subnets (we have 4) come through without going
through that block routine?
I see the rubes have forgotten the IPTables trick I learned from this
list and have been propagating ever since.
You can tell IPTables to allow X number of attempts from any particular
source for any given port within a interval and then block it. I like
to log such blocked attempts. It's fun to see where would be crackers
come from. If it's a "Western" university I send a note to the sysadmin
with details. (I don't bother with China or Russia, for example.)
The trick look like this for ssh:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
As configured it allows one attempt every 3 minutes. If a user messes up
they have to wait three minutes. (When I am on the road I set it down to
one a minute. With a moderately decent password of even exactly 8 characters
the brute force attack would take a rather long time noticeable in the
logs as an unusual number of failed login attempts. In twenty four hours
that's 1440 attacks. Could they get "abcdefgh" as a password in that
period? Only if it is in a small dictionary. And we don't use dictionary
words here.
When I bounce I simple mutter to myself, "Patience, Joanne." That works.
{^_-}
