[lug] iptables help

George Sexton georges at mhsoftware.com
Wed Feb 16 09:24:22 MST 2011


In general, if you run on a different port than 22 that pretty much
eliminates brute force attacks. Also, you should change PermitRootLogin to
no.

Here's my complete ruleset for SSH.

########################################################################
#       SSH RULES
########################################################################
ALLOW_SSH_HOSTS="a.mydomain.com b.mydomain.com"
SSHPORT=22

iptables -F SSHRULES
iptables -X SSHRULES
iptables -N SSHRULES

iptables -F LOGDROP
iptables -X LOGDROP
iptables -N LOGDROP

iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP

#
# If it's an already established session, let it continue.
#
iptables -A SSHRULES -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# If it's a new session, rate limit it by IP address using the RECENT
# module.
#
if [ ! -z "$ALLOW_SSH_HOSTS" ]; then
	for THISHOST in $ALLOW_SSH_HOSTS; do
		# "host name" prints "name has address A.B.C.D"; field 4 is the address
		THISIP=`host $THISHOST | cut -f 4 -d " "`
		iptables -A SSHRULES -m state --state NEW --source $THISIP -j ACCEPT
	done
fi

iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
        --update --seconds 180 --hitcount 6 -j LOGDROP
#
# If we got here, we are a new connection and not violating the rate limit.
#
iptables -A SSHRULES -j ACCEPT

########################################################################
#       END SSH RULES
########################################################################

iptables -A INPUT -i $WAN_IF -p tcp --dport $SSHPORT  -j SSHRULES



George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com


> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us [mailto:lug-
> bounces at lug.boulder.co.us] On Behalf Of Paul Nowosielski
> Sent: Tuesday, February 15, 2011 4:20 PM
> To: lug
> Subject: [lug] iptables help
> 
> Dear All,
> 
> I have an iptables script that helps to stop
> brute force ssh attacks.
> 
> The rules are supposed to drop
> the IP for 180 seconds if they make more than 3 unsuccessful
> login attempts via ssh.
> 
> But it blocks an rsync via ssh process after 3 successful logins from
> $CRM_CA.
> The script needs to run perpetually but
> is being dropped.
> 
> 
> Here is the meaningful snippet.
> 
> # allow ssh
> 
> iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 \
>     -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 \
>     -m state --state ESTABLISHED -j ACCEPT
> 
> # always allow from CA systems
> 
> iptables -A INPUT -j ACCEPT -p all -s $CRM_CA
> iptables -A OUTPUT  -j ACCEPT -p all -d $CRM_CA
> 
> # slow down brute force
> 
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>     -m recent --set --name DEFAULT --rsource
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>     -m recent --update --seconds 180 --hitcount 3 --name DEFAULT --rsource -j DROP
> 
> 
> I really don't want to remove the logic to drop an IP after 3 login
> attempts
> because it works so well.
> Does anyone see a simple solution to my problem?
> 
> Thank you,
> 
> Paul
> 
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667
> channel=#hackingsociety
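The two rule orders in this thread behave differently for the same traffic, and the reason is easy to see when the `recent` module's `--set` / `--update --seconds --hitcount` bookkeeping is written out. The following is an added example, not code from either poster: a small Python model of a rule chain and of one `xt_recent` list, replayed over constructed SSH traffic. It assumes an ACCEPT chain policy, looks only at NEW connections to port 22, uses RFC 5737 documentation addresses as stand-ins for `$CRM_CA` / `ALLOW_SSH_HOSTS` and for an unknown client, and treats the reply's `LOGDROP` chain as a plain DROP. Two things it makes visible: the module counts NEW connections, not failed authentications, so three successful rsync logins look the same as three failed ones; and the original script's two `-I INPUT` rules land ahead of every `-A INPUT` rule, so the "always allow from CA" rule is never reached for port-22 traffic, whereas the reply's chain checks the whitelist before it ever touches the `recent` list.

```python
"""Model of iptables rule ordering plus xt_recent --set/--update semantics.

Added example (not code from either poster). Replays constructed SSH traffic
through the two rule orders in the thread: the original poster's INPUT chain
as it is actually evaluated, and the reply's whitelist-first SSHRULES chain.
"""
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges), standing in for
# $CRM_CA / ALLOW_SSH_HOSTS and for an unknown client.
CA_HOST = "192.0.2.10"
UNKNOWN_HOST = "198.51.100.7"
WHITELIST = {CA_HOST}


class RecentTable:
    """One named xt_recent list: per-source packet timestamps."""

    def __init__(self, max_stamps=20):  # kernel default ip_pkt_list_tot=20
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: records a hit for src and always matches."""
        s = self.stamps[src]
        s.append(now)
        del s[:-self.max_stamps]  # keep only the newest max_stamps entries
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds N --hitcount M: matches when src already has at
        least M hits within the last N seconds; a matching packet is then
        recorded as well (that is what --update adds over --rcheck)."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


def run_chain(chain, packets, policy="ACCEPT"):
    """Walk NEW-connection packets (time, src) through a rule list in order.
    A rule is (match_fn, target); target None means 'match but keep going',
    like the --set rule that carries no -j."""
    verdicts = []
    for now, src in packets:
        verdict = policy  # chain policy; assumed ACCEPT for this model
        for match, target in chain:
            if match(src, now) and target is not None:
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def original_chain():
    """INPUT as the original script leaves it: both '-I INPUT' rules sit
    ahead of every '-A INPUT' rule (last inserted on top), so the
    --update/DROP rule runs first and the $CRM_CA rule is never reached."""
    recent = RecentTable()
    return [
        (lambda src, now: recent.update(src, now, 180, 3), "DROP"),
        (lambda src, now: recent.set(src, now), None),
        (lambda src, now: True, "ACCEPT"),              # NEW,ESTABLISHED dport 22
        (lambda src, now: src in WHITELIST, "ACCEPT"),  # "always allow from CA"
    ]


def reply_chain():
    """SSHRULES from the reply: whitelist first, then --set, then
    --update --seconds 180 --hitcount 6 -> LOGDROP (modelled as DROP), ACCEPT."""
    recent = RecentTable()
    return [
        (lambda src, now: src in WHITELIST, "ACCEPT"),
        (lambda src, now: recent.set(src, now), None),
        (lambda src, now: recent.update(src, now, 180, 6), "DROP"),
        (lambda src, now: True, "ACCEPT"),
    ]


# Constructed traffic: four successful rsync-over-ssh logins from the trusted
# host 30 s apart, and seven NEW connections 10 s apart from an unknown host.
RSYNC_SESSIONS = [(t, CA_HOST) for t in (0, 30, 60, 90)]
PROBES = [(t, UNKNOWN_HOST) for t in range(0, 70, 10)]


def compare():
    """Verdict lists for both rule orders on both traffic samples."""
    return {
        "original/rsync": run_chain(original_chain(), RSYNC_SESSIONS),
        "reply/rsync": run_chain(reply_chain(), RSYNC_SESSIONS),
        "original/probes": run_chain(original_chain(), PROBES),
        "reply/probes": run_chain(reply_chain(), PROBES),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16} {' '.join(verdicts)}")
```

With the original ordering the fourth connection from the trusted host is dropped (three hits are on the list by then, and the `--update` rule sits before the `--set` rule, so the fourth packet is the first one that sees `hitcount 3`), while the reply's ordering accepts all four because the whitelist rule ends the chain walk before the `recent` rules run. For the unknown host, the original ordering starts dropping at the fourth connection and the reply's `hitcount 6` ordering at the sixth, which is the difference between `--set` running before or after `--update`.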

