[lug] SSH Probing Solution using IPTables

George Sexton gsexton at mhsoftware.com
Wed Sep 14 08:24:33 MDT 2005


I've gotten tired of looking at hundreds or thousands of probe attempts in
my server logs lately. I was toying with the idea of writing a monitor app
that would look at the server logs, and create a custom firewall rule that
would block the IP after so many failed attempts.

In an uncharacteristic flash, I decided to search the web for solutions.
Here's an adaptation of what I found. It uses the "recent" module to create
a firewall rule that will block any IP that attempts more than 3 new SSH
sessions in a 3 minute period. I let it run last night, and I could see 3
different probe attempts, and all 3 were blocked after 3 tries.

I found a set of rules that Sean Ralfschneider had written, using the limit
module. The problem with the limit module was that lockout was based on the
entire service, and not the originating IP as the "recent" solution is.
Anyhow, here are the firewall rules. Of course, the limit solution works on
a 2.4 kernel, where it appears recent requires 2.6. I'd welcome any comments.


# Rebuild the chain from scratch (on the very first run -F and -X report
# that the chain does not exist yet; that is harmless).
iptables -F SSHRULES
iptables -X SSHRULES
iptables -N SSHRULES
#
# If it's an already established session, let it continue.
#
iptables -A SSHRULES -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# If it's a new session, rate limit it by IP address using the RECENT module.
#
# Rule 1 (--set): record a hit for the source address on every NEW packet.
iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
# Rule 2 (--update): drop the 4th (or later) new connection from an address
# seen within the last 180 s; rule 1 keeps stamping, so the window slides.
iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
        --update --seconds 180 --hitcount 4 -j DROP
#
# If we got here, we are a new connection and not violating the rate limit.
#
iptables -A SSHRULES -j ACCEPT

########################################################################
#       END SSH RULES
########################################################################


# $WAN_IF is the external interface, set elsewhere in the firewall script.
iptables -A INPUT -i $WAN_IF -p tcp --dport ssh -j SSHRULES



George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
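To make the rate-limit semantics of those two "-m recent" rules concrete, here is an added Python simulation (my illustration, not part of George's rules) of the xt_recent bookkeeping: --set records every NEW packet, --update counts stamps no older than 180 s and drops at the fourth, and because --set keeps stamping, the window slides with the latest attempt, so an address that keeps retrying stays blocked while one that backs off for 3 minutes gets in again. The addresses and timings are constructed; the 20-stamp-per-address cap is the module's default, assumed unchanged.

```python
"""
Simulate the xt_recent bookkeeping behind the SSHRULES chain:
  -m recent --name SSHPROBES --set                  (every NEW packet records a hit)
  -m recent --name SSHPROBES --update --seconds 180 --hitcount 4 -j DROP
Added illustration, not code from the original post.  Timing semantics follow
the kernel's xt_recent match as I understand it: a stamp counts while
now - stamp <= seconds, --update adds a fresh stamp only when the rule
matched, and each address keeps at most PKT_LIST_TOT stamps (module default 20).
"""
from collections import defaultdict, deque

SECONDS = 180      # --seconds from the post
HITCOUNT = 4       # --hitcount from the post
PKT_LIST_TOT = 20  # xt_recent ip_pkt_list_tot default (assumption: unchanged)


def simulate(events, seconds=SECONDS, hitcount=HITCOUNT):
    """events: iterable of (time_in_seconds, src_ip) for NEW SSH packets,
    in chronological order.  Returns a list of (time, src_ip, verdict)."""
    stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))
    verdicts = []
    for now, ip in events:
        hist = stamps[ip]
        # Rule 1: --set -> record this attempt unconditionally.
        hist.append(now)
        # Rule 2: --update --seconds 180 --hitcount 4 -> count recent stamps.
        hits = sum(1 for s in hist if now - s <= seconds)
        if hits >= hitcount:
            hist.append(now)     # --update refreshes the entry on a match
            verdict = "DROP"
        else:
            verdict = "ACCEPT"   # falls through to the chain's final ACCEPT
        verdicts.append((now, ip, verdict))
    return verdicts


def verdicts_for(events, ip, **kw):
    """Convenience: just the verdict strings for one source address."""
    return [v for _, src, v in simulate(events, **kw) if src == ip]


# Constructed traffic: one scanner retrying every 45 s, one admin opening
# two sessions a second apart.  Times are seconds from an arbitrary zero.
SCANNER, ADMIN = "198.51.100.7", "192.0.2.10"
EVENTS = sorted(
    [(t, SCANNER) for t in range(0, 361, 45)] + [(5, ADMIN), (6, ADMIN)]
)

if __name__ == "__main__":
    for now, ip, verdict in simulate(EVENTS):
        print(f"t={now:4d}s  {ip:14s}  {verdict}")
```

Note that 4 hits per 180 s leaves a client that spaces its connections more than 60 s apart permanently under the limit, while the 45-second scanner is dropped from its 4th attempt onward for as long as it keeps retrying.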
 



