[lug] SSH Probing Solution using IPTables
Sean Reifschneider
jafo at tummy.com
Mon Sep 26 16:52:59 MDT 2005
On Wed, Sep 14, 2005 at 08:24:33AM -0600, George Sexton wrote:
>I found a set of rules that Sean Ralfschneider had written, using the limit
No relation... :-)
>module. The problem with the limit module was that lockout was based on the
>entire service, and not the originating IP as the "recent" solution is.
>Anyhow, here are the firewall rules. Of course, the limit solution works on
>2.4 kernel, where it appears recent requires 2.6. I'd welcome any comments.
Correct me if I'm misunderstanding you, but you want to block that IP
address from accessing ANY service on your system, which the hashlimit
module can't do. And that's why you want to use the recent module,
correct? However, the implementation you have listed seems to only block
users accessing the SSH service.
>iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
>iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
> --update --seconds 180 --hitcount 4 -j DROP
>iptables -A SSHRULES -j ACCEPT
>iptables -A INPUT -i $WAN_IF -p tcp --dport ssh -j SSHRULES
You only get to the SSHRULES table for packets going to the SSH port, so
the DROP action only applies to packets that match "--dport ssh". Easily
fixed, of course, and a clever solution if that's what you want to do. I'm
really only concerned about slowing down or blocking users who are
hammering the SSH port. You'll need to add another recent rule in the
INPUT table to block other traffic.
The SSH password crackers I've seen don't seem to be doing other attacks
at the same time, so I don't know that there would be any benefit to
blocking other services at the same time, especially for only 180 seconds.
Sean
--
The best way to predict the future is to invent it.
-- Alan Kay
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
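As an added example (not George's posted rules or anything from Sean), here is one way to restructure the quoted ruleset along the lines Sean describes: the recent match is checked in INPUT first, so an address recorded four or more times in 180 seconds is dropped for all WAN traffic, not just port 22. The interface name eth0 and running the function with echo instead of iptables for a dry run are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Variant of the SSHPROBES
# ruleset in which a flagged address loses access to every service on the
# WAN interface, not only SSH.
#
# Usage: build_rules iptables eth0      (install the rules)
#        build_rules echo eth0          (dry run: print the rules instead)

build_rules() {
    ipt="$1"      # iptables binary, or "echo" to preview (assumption)
    wan_if="$2"   # WAN interface, e.g. eth0 (assumption; thread only shows $WAN_IF)

    $ipt -N SSHRULES

    # Checked before anything else on the WAN interface: if this source has
    # been recorded 4 or more times in the last 180 s, drop the packet
    # whatever its destination port. --rcheck only reads the list; use
    # --update here instead if each further packet should extend the block.
    $ipt -A INPUT -i "$wan_if" -m recent --name SSHPROBES \
        --rcheck --seconds 180 --hitcount 4 -j DROP

    # Only new SSH connections add an entry to the SSHPROBES list.
    $ipt -A INPUT -i "$wan_if" -p tcp --dport ssh -j SSHRULES
    $ipt -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
    $ipt -A SSHRULES -j ACCEPT
}

# Dry-run helper: number of generated rules that reference the SSHPROBES list
# (one that records, one that drops).
count_recent_rules() {
    build_rules echo "$1" | grep -c -- '--name SSHPROBES'
}

# Preview mode for stand-alone use: ./script --preview [interface]
if [ "${1:-}" = "--preview" ]; then
    build_rules echo "${2:-eth0}"
fi
```

The --rcheck rule sits before the SSH jump so that a blocked address is dropped before any per-service chain is consulted; the 180 s window and hitcount of 4 are the values from the quoted rules.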