iptables block attemtps

[dkardell]

Its been suggested that I use the following but not wure what the first line does:


Alternately you may learn to use iptables. Iptables has several additional features including the ability to black list an ip address after failed attempts.

Code:

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
sudo iptables -A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j DROP

"--hit count" is the number of new connections. Keep in mind each new connection gives multiple opportunities to enter a password. If you use scp, use a higher hitcount as each file will be a new ssh session.

"--seconds" How long an ipaddress will be blacklisted. 10 minutes is usually sufficient to deter most "script kiddies".

[Doug S]

For many many years now, I have used a similar method to help deal with SSH attacks. Just within the last couple of months, on some other ubuntu forums thread, I saw the method you posted. I do not understand it, although I didn't actually test it. Here is what I do:

Code:

# Secure Shell on port 22.
#
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

Notice how I have the DROP rule first, if there have alreay been "hitcount" attempts. Only, then does the SSH packet get accepted, and the hitcount bumped. I use a longer block time because I have had occurences where 10 minutes was not enough.

My "ESTABLISHED, RELATED" bypass of these rules is earlier in my rules INPUT chain.

[Doug S]

I tried the method of the original post on a test computer. It worked fine. To answer the orignal question: The first line allows packets for a NEW tcp connection for an ssh session through as long as "hitcount" has not been reached yet. Typically some sort of small hitcount allows legitimate users to log in.
I did lock myself out of my test machine, as once the rule triggers all packets from the IP are dropped, and I did not have an ESTABLISHED, RELATED bypass in this case.

[dkardell]

Thanks Doug. My only question is then

My "ESTABLISHED, RELATED" bypass of these rules is earlier in my rules INPUT chain.

What does that mean ? I have not added any rules to my INPUT chain other than the individual IP's i've manually blocked this far with -j DROPS.

What is your code segment that you posted. What is

$IPTABLES

versus my command line entry of the commands with

sudo iptables

[CharlesA]

What is your code segment that you posted. What is

$IPTABLES

versus my command line entry of the commands with

sudo iptables

It's just a variable that probably uses the full path to iptables.

[Doug S]

Sorry, I guess I posted without claifying some things.
Thanks to Charles for explaining the variable.

In what I posted the variables are:
$IPTABLES means /sbin/iptables
$EXITIF means the external network interface. (On my system I have an internal and an external network interface.) You could delete the interface specifier if you want. You could also delete the logging rule if you want.
$EXTIP means my external IP address (see below)
$UNIVERSE means any IP address or "0.0.0.0/0" (see below)

When a new TCP session is started the first packet will be in a NEW state. Subsqequent packets for that same session are for either an ESTABLISHED or a RELATED state. Providing a path around the check for session already in progess is all I was saying. Your original rules included a "NEW" state check. Example:

Code:

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Secure Shell on port 22.
#
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

[Lars Noodén]

I do about the same thing, but on a single line. The default (last rule in the chain) I have for the chain is reject.

Code:

   ip6tables -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT
   iptables  -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT

[dkardell]

Thanks Doug this is now becoming a bit more clear. I still want to be sure I know everything I'm doing first.

So if I go to the command line and issue

sudo iptables -A INPUT -m recent --update --seconds 600 --hitcount 3 --rttl --name SSH --rsource -j DROP

That will add any IP that attempts to try and ssh to my server and is rejected 3 times to the DROP list correct?


Lars, I'm not sure what you mean by your comment of: I do about the same thing, but on a single line. The default (last rule in the chain) I have for the chain is reject.

Code:

ip6tables -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT

iptables  -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT

and what is ip6tables vs iptables?

[CharlesA]

ip6tables is iptables for IPv6.

[Doug S]

That will add any IP that attempts to try and ssh to my server and is rejected 3 times to the DROP list correct?

Yes, as long as there is not 10 minutes between login attempts. Also, The default sshd_config allows 6 password tries on one TCP connection before it kicks you out. Most automated ssh attack programs only try once per connection. Another change I make is to add these lines to sshd_config:

Code:

#Smythies.com
#Limit the number of bad passwords per connection to 2. Default is 6.
#Then the iptables connection counter will kick in sooner to drop
#password attack hackers.
MaxAuthTries 2

By the way, for this line:

If you use scp, use a higher hitcount as each file will be a new ssh session.

from your original post. I tested it and it is not true. There will one TCP ssh session per scp session, regardless of the number of files transferred. I also tested WinSCP from a windows computer, with the same results.