Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: How can I limit ssh connection attempts via UFW?

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: How can I limit ssh connection attempts via UFW?

    Thank you cdenley for your assistance.

    @ jocampo

    See : http://bodhizazen.net/Tutorials/iptables/

    To see your rules, you should:

    Code:
    sudo iptables -L -v
    Please note, UFW is a nice set of rules, but it is a bit complicated to follow as they use a number of user specified chains.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #12
    Join Date
    Feb 2009
    Location
    Texas
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How can I limit ssh connection attempts via UFW?

    Still! No success....

    Here's what I'm doing, in that order....

    Code:
    sudo iptables -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    sudo iptables -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
    sudo ufw default deny
    sudo ufw
    I cannot connect via ssh! I tested with nmap and it says

    Code:
    PORT   STATE    SERVICE
    22/tcp filtered ssh
    which, of course, results in my connection problem...

  3. #13
    Join Date
    Feb 2009
    Location
    Texas
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How can I limit ssh connection attempts via UFW?

    Found a workaround, but I'm disappointed with myself. My main goal was to combine that with UFW, but for some reason it is not working. Part of the problem was the virtual machine itself; UFW was not working properly, which I discovered with "nmap". So I uninstalled and reinstalled, and that fixed the problem. However, when combining UFW and IPTABLES, something happens that makes the ssh port become filtered instead of open.

    My workaround is with IPTABLES only:

    Code:
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
    iptables -A INPUT -j DROP
    iptables -I INPUT 1 -i lo -j ACCEPT
    In that specific order.

    Honestly? Not so sure about the syntax, like what NEW, recent or update are for, but I'll investigate.

    Armed with denyhost plus these basic rules, the script kiddies will go away or think twice when checking how to break into my server.

  4. #14
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: How can I limit ssh connection attempts via UFW?

    You are having two problems:

    1. UFW rewrites your rules. So when you enable ufw, you are removing the manual rules you added with your iptables command.

    To add them with ufw you will need to edit /etc/ufw/before.rules

    Code:
    -A ufw-before-input  -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    and on ...

    IMO you are best using one or the other, not both.

    2. I think this has been mentioned in this thread already, but ...

    ORDER of the rules is CRITICAL

    When you put

    -p tcp --dport ssh -j ACCEPT

    that is it: ssh is accepted, no further rules are processed.

    3. Random comment: You probably do not need both a rule to limit ssh in iptables / ufw and deny hosts, one or the other.

  5. #15
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: How can I limit ssh connection attempts via UFW?

    Quote Originally Posted by jocampo
    Code:
    sudo iptables -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    sudo iptables -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
    sudo ufw default deny
    sudo ufw
    You're inserting the second rule before the first. The "-I" switch inserts the rule at the top, unless you specify the position to insert it at.
    http://ubuntuforums.org/showpost.php...35&postcount=9
    Code:
    man iptables
    If you want to allow connections to a server, you do have to configure UFW to allow it.
    Code:
    sudo ufw allow ssh/tcp
    sudo ufw status
    man ufw
    Quote Originally Posted by bodhi.zazen
    1. UFW re-writes your rules. So when you enable ufw you are removing your manual rules you added with your iptables command.
    I think it used to, but UFW in jaunty seems to leave the INPUT, OUTPUT, and FORWARD chains intact so it will not interfere with user-defined rules. However, I also suggest using /etc/ufw/before.rules so the rules are persistent and they are put in the right place.
    Quote Originally Posted by cdenley
    If you want to configure UFW to add those custom iptables rules, add this to /etc/ufw/before.rules before "COMMIT":
    Code:
    -A ufw-before-input -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A ufw-before-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
    Also, I agree that using denyhosts and iptables rate-limiting is a bit redundant. I can't imagine a scenario where limiting connections would offer more security if they are banned after a few failed authentication attempts anyway, except perhaps a DoS attack which didn't involve authentication.
    Last edited by cdenley; September 9th, 2009 at 01:53 PM.
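    To check how the rule orders discussed in this thread (the ACCEPT-first workaround in #13, the -I order in #12, and the before.rules order in #15) behave without touching a live firewall, here is an added Python simulation; it is not code from the thread, from ufw or from iptables. It feeds NEW SSH connection attempts through each ordering and approximates xt_recent's --set/--update bookkeeping (--seconds and --hitcount; --rttl is ignored), so it shows which attempt inside the window is the first one dropped. The list name, the sample address and the timings are constructed.

```python
# Added example (not from the thread): a first-match simulator for the rule orderings
# discussed above, approximating xt_recent --set/--update with --seconds and --hitcount
# (--rttl is ignored) so the effect of rule order can be checked offline.

class Recent:
    """xt_recent approximation: one list of hit timestamps per (list name, source)."""
    def __init__(self):
        self.lists = {}

    def set(self, name, src, now):
        # --set: create the entry if missing and record this packet as a hit.
        self.lists.setdefault(name, {}).setdefault(src, []).append(now)

    def update(self, name, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if src is already listed with
        # at least N hits inside the window; a match records one more hit.
        stamps = self.lists.get(name, {}).get(src)
        if stamps is None or sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        stamps.append(now)
        return True

def run_chain(rules, recent, src, now):
    """Walk the chain top to bottom; the first rule that reaches a target decides."""
    for kind, a in rules:
        if kind == "accept":
            return "ACCEPT"
        if kind == "recent_set":            # -m recent --set --name X (no -j): never terminates
            recent.set(a["name"], src, now)
        elif kind == "recent_drop":         # -m recent --update ... --name X -j DROP
            if recent.update(a["name"], src, now, a["seconds"], a["hitcount"]):
                return "DROP"
    return "POLICY"                         # fell off the chain: the chain policy applies

def simulate(rules, attempts):
    """Feed (src, second) NEW-connection attempts through a fresh chain; return verdicts."""
    recent = Recent()
    return [run_chain(rules, recent, src, t) for src, t in attempts]

# Constructed traffic: one address opening five SSH connections inside one minute.
ATTEMPTS = [("198.51.100.7", t) for t in (0, 5, 10, 20, 30)]
SET = ("recent_set", {"name": "SSH"})
LIMIT = ("recent_drop", {"name": "SSH", "seconds": 60, "hitcount": 3})
WORKAROUND = [("accept", {}), LIMIT]       # post #13: ACCEPT above the limit, limit never runs
BEFORE_RULES = [SET, LIMIT, ("accept", {})]  # post #15: --set, then --update DROP, then allow
INSERTED = [LIMIT, SET, ("accept", {})]    # post #12: -I put the DROP rule above --set

if __name__ == "__main__":
    for label, rules in (("workaround", WORKAROUND), ("before.rules", BEFORE_RULES), ("-I", INSERTED)):
        print(label, simulate(rules, ATTEMPTS))
```

    Whether the --set rule sits above or below the --update rule shifts by one which attempt in the 60 second window is the first to be dropped, because --update counts only the hits already recorded when it runs.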

  6. #16
    Join Date
    Feb 2009
    Location
    Texas
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: How can I limit ssh connection attempts via UFW?

    Well, my issue is that for some reason, no matter the already configured threshold in my denyhost file, people are running brute force attacks and the server allows them to check for passwords 6, 7 or 8 times, not using the limit I put. After that it is blocked, yes, but I wanted to enforce the rule via iptables.

    I saw this article and thought it was a good one: http://kevin.vanzonneveld.net/techbl...with_iptables/ but you folks are telling me that if the 1st rule allows, the 2nd one limiting will never be applied.

    I would like to use UFW only, in fact; my www server is configured that way, but UFW does not provide the limit I am looking for; just IPTABLES lets me customize that (3 attempts every 60 seconds).

    On my webserver (besides denyhosts) UFW was configured and is working, this way:

    Code:
    sudo ufw allow ssh
    sudo ufw allow www
    sudo ufw default deny
    sudo ufw enable
    Allows www traffic, lets me connect via ssh, but blocks the rest ...
    Last edited by jocampo; September 9th, 2009 at 02:04 PM.

  7. #17
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: How can I limit ssh connection attempts via UFW?

    Quote Originally Posted by cdenley
    I think it used to, but UFW in jaunty seems to leave the INPUT, OUTPUT, and FORWARD chains intact so it will not interfere with user-defined rules. However, I also suggest using /etc/ufw/before.rules so the rules are persistent and they are put in the right place.
    Thank you for that information. You are correct, UFW does not change the default INPUT, OUTPUT or FORWARD tables.

    I would have to look at the ufw chains, though, to see if simply adding a limit to INPUT would work, or if the ufw-before rules would accept ssh connections (sudo ufw allow ssh).

    In general, I advise you use one or the other. Adding a few "simple" rules to ufw-before rules is what I needed to do in the past.

  8. #18
    Join Date
    Mar 2013
    Beans
    1

    Re: How can I limit ssh connection attempts via UFW?

    You can also use fail2ban and not have to deal with bruteforce attacks at all.

  9. #19
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: How can I limit ssh connection attempts via UFW?

    4 year old thread closed.
