Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: iptables block attemtps

  1. #1
    Join Date
    Nov 2012
    Beans
    10

    iptables block attemtps

    Its been suggested that I use the following but not wure what the first line does:


    Alternately you may learn to use iptables. Iptables has several additional features including the ability to black list an ip address after failed attempts.

    Code:
    sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
    sudo iptables -A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j DROP
    "--hit count" is the number of new connections. Keep in mind each new connection gives multiple opportunities to enter a password. If you use scp, use a higher hitcount as each file will be a new ssh session.

    "--seconds" How long an ipaddress will be blacklisted. 10 minutes is usually sufficient to deter most "script kiddies".

  2. #2
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,452
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    For many many years now, I have used a similar method to help deal with SSH attacks. Just within the last couple of months, on some other ubuntu forums thread, I saw the method you posted. I do not understand it, although I didn't actually test it. Here is what I do:
    Code:
    # Secure Shell on port 22.
    #
    # Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
    # Once they are on the BADGUY list then DROP all packets from them.
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
    Notice how I have the DROP rule first, if there have alreay been "hitcount" attempts. Only, then does the SSH packet get accepted, and the hitcount bumped. I use a longer block time because I have had occurences where 10 minutes was not enough.

    My "ESTABLISHED, RELATED" bypass of these rules is earlier in my rules INPUT chain.
    Last edited by Doug S; November 25th, 2012 at 05:13 PM. Reason: added something

  3. #3
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,452
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    I tried the method of the original post on a test computer. It worked fine. To answer the orignal question: The first line allows packets for a NEW tcp connection for an ssh session through as long as "hitcount" has not been reached yet. Typically some sort of small hitcount allows legitimate users to log in.
    I did lock myself out of my test machine, as once the rule triggers all packets from the IP are dropped, and I did not have an ESTABLISHED, RELATED bypass in this case.

  4. #4
    Join Date
    Nov 2012
    Beans
    10

    Re: iptables block attemtps

    Thanks Doug. My only question is then

    My "ESTABLISHED, RELATED" bypass of these rules is earlier in my rules INPUT chain.

    What does that mean ? I have not added any rules to my INPUT chain other than the individual IP's i've manually blocked this far with -j DROPS.

    What is your code segment that you posted. What is

    $IPTABLES

    versus my command line entry of the commands with

    sudo iptables

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    Quote Originally Posted by dkardell View Post
    What is your code segment that you posted. What is

    $IPTABLES

    versus my command line entry of the commands with

    sudo iptables
    It's just a variable that probably uses the full path to iptables.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,452
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    Sorry, I guess I posted without claifying some things.
    Thanks to Charles for explaining the variable.

    In what I posted the variables are:
    $IPTABLES means /sbin/iptables
    $EXITIF means the external network interface. (On my system I have an internal and an external network interface.) You could delete the interface specifier if you want. You could also delete the logging rule if you want.
    $EXTIP means my external IP address (see below)
    $UNIVERSE means any IP address or "0.0.0.0/0" (see below)

    When a new TCP session is started the first packet will be in a NEW state. Subsqequent packets for that same session are for either an ESTABLISHED or a RELATED state. Providing a path around the check for session already in progess is all I was saying. Your original rules included a "NEW" state check. Example:
    Code:
    $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Secure Shell on port 22.
    #
    # Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
    # Once they are on the BADGUY list then DROP all packets from them.
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

  7. #7
    Join Date
    Sep 2006
    Beans
    7,354
    Distro
    Lubuntu Development Release

    Re: iptables block attemtps

    I do about the same thing, but on a single line. The default (last rule in the chain) I have for the chain is reject.

    Code:
       ip6tables -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT
       iptables  -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT

  8. #8
    Join Date
    Nov 2012
    Beans
    10

    Re: iptables block attemtps

    Thanks Doug this is now becoming a bit more clear. I still want to be sure I know everything I'm doing first.

    So if I go to the command line and issue

    sudo iptables -A INPUT -m recent --update --seconds 600 --hitcount 3 --rttl --name SSH --rsource -j DROP

    That will add any IP that attempts to try and ssh to my server and is rejected 3 times to the DROP list correct?


    Lars, I'm not sure what you mean by your comment of: I do about the same thing, but on a single line. The default (last rule in the chain) I have for the chain is reject.

    Code:
    ip6tables -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT
    
    iptables  -I INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 8/minute --limit-burst 8 -j ACCEPT
    and what is ip6tables vs iptables?

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    ip6tables is iptables for IPv6.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  10. #10
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,452
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables block attemtps

    Quote Originally Posted by dkardell View Post
    That will add any IP that attempts to try and ssh to my server and is rejected 3 times to the DROP list correct?
    Yes, as long as there is not 10 minutes between login attempts. Also, The default sshd_config allows 6 password tries on one TCP connection before it kicks you out. Most automated ssh attack programs only try once per connection. Another change I make is to add these lines to sshd_config:
    Code:
    #Smythies.com
    #Limit the number of bad passwords per connection to 2. Default is 6.
    #Then the iptables connection counter will kick in sooner to drop
    #password attack hackers.
    MaxAuthTries 2
    By the way, for this line:
    If you use scp, use a higher hitcount as each file will be a new ssh session.
    from your original post. I tested it and it is not true. There will one TCP ssh session per scp session, regardless of the number of files transferred. I also tested WinSCP from a windows computer, with the same results.

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •