[lug] SSH Probing Solution using IPTables

George Sexton gsexton at mhsoftware.com
Mon Sep 26 20:15:49 MDT 2005


> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us 
> [mailto:lug-bounces at lug.boulder.co.us] On Behalf Of Sean Reifschneider
> Sent: Monday, September 26, 2005 4:53 PM
> To: Boulder (Colorado) Linux Users Group -- General Mailing List
> Subject: Re: [lug] SSH Probing Solution using IPTables
> 
> 
> 
> Correct me if I'm misunderstanding you, but you want to block that IP
> address from accessing ANY service on your system, which the hashlimit
> module can't do.  And that's why you want to use the recent module,
> correct?  However, the implementation you have listed seems to only block
> users accessing the SSH service.
> 
> >iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
> >iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
> >        --update --seconds 180 --hitcount 4 -j DROP
> >iptables -A SSHRULES -j ACCEPT
> >iptables -A INPUT -i $WAN_IF -p tcp --dport ssh  -j SSHRULES
> 

You only get to the SSHRULES chain if the destination port is SSH. The first
rule sends existing connections to Accept. The "recent" module rule looks to
see if there are more than 3 hits on the SSHPROBES counter for that IP
address within a 3 minute window. If there are, then the packet is dropped.

If this is a new connection, and it hasn't exceeded the recent source IP
connection limit, then it is accepted.

I pushed 500K Bytes/second through the machine with that firewall. It didn't
seem to impact things that much.

> You only get to the SSHRULES table for packets going to the SSH port, so
> the DROP action only applies to packets that match "--dport ssh".  Easily
> fixed, of course, and a clever solution if that's what you want to do.  I'm
> really only concerned about slowing down or blocking users who are
> hammering the SSH port.  You'll need to add another recent rule in the
> INPUT table to block other traffic.




George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
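As an added illustration (not code from the thread or from either poster), a small Python model of how the quoted SSHRULES chain behaves. It assumes the xt_recent semantics as I understand them: each source address keeps a list of timestamps, `--set` appends the current time, and `--update --seconds N --hitcount M` matches when at least M stamps fall within the last N seconds and then refreshes the entry. The source address and timings are constructed; it also shows Sean's point that non-SSH traffic from the same source never reaches the chain.

```python
from collections import defaultdict

SECONDS = 180   # --seconds 180
HITCOUNT = 4    # --hitcount 4
SSH_PORT = 22   # --dport ssh

class RecentTable:
    """Model of one xt_recent list (e.g. --name SSHPROBES): per-source
    timestamps. Simplified: no cap on entries or stamps per entry."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):                        # -m recent --set
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):  # --update --seconds --hitcount
        if src not in self.stamps:
            return False
        within = [t for t in self.stamps[src] if now - t <= seconds]
        if len(within) >= hitcount:
            self.stamps[src].append(now)   # a match refreshes the entry
            return True
        return False

def sshrules(table, src, now):
    """The SSHRULES chain from the thread, applied to one NEW packet."""
    table.set(src, now)                                # rule 1: record the hit
    if table.update(src, now, SECONDS, HITCOUNT):      # rule 2: too many hits?
        return "DROP"
    return "ACCEPT"                                    # rule 3

def firewall(packets):
    """INPUT: only packets to --dport ssh are sent to SSHRULES; anything
    else from the same source is accepted here (Sean's objection)."""
    table = RecentTable()
    verdicts = []
    for now, src, dport in packets:
        verdicts.append(sshrules(table, src, now) if dport == SSH_PORT else "ACCEPT")
    return verdicts

# Constructed sample: one host (TEST-NET address) opening SSH connections
# 10 s apart, a web request while blocked, a probe at 200 s that keeps the
# sliding window alive, then a retry after a quiet spell.
PROBES = [(0, "192.0.2.10", 22), (10, "192.0.2.10", 22), (20, "192.0.2.10", 22),
          (30, "192.0.2.10", 22), (40, "192.0.2.10", 80), (60, "192.0.2.10", 22),
          (200, "192.0.2.10", 22), (300, "192.0.2.10", 22)]

if __name__ == "__main__":
    for pkt, verdict in zip(PROBES, firewall(PROBES)):
        print(pkt, verdict)
```

The fourth SSH connection within 180 s is the first one dropped, and because `--update` refreshes the entry on every match, continued probing extends the block until the source stays quiet for the full window.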