iptables block attemtps

[Lars Noodén]

Lars, I'm not sure what you mean by your comment of: I do about the same thing, but on a single line. The default (last rule in the chain) I have for the chain is reject.

I do the rate limiting with a single line, as shown above in #7.
However, I allow in connections that don't exceed the rate limit and reject everything else. SSH connections that are under the limit are accepted, SSH connections that exceed the limit are ignored by that rule and it passes down the chain to the next rule(s) in the chain. If nothing else accepts the connection, then it hits the last rule in my chain which I have decided to be reject. It should be pointed out that there is a difference between drop and reject targets.

http://www.chrisbrenton.org/2009/07/...ll-drop-rules/
http://www.chiark.greenend.org.uk/~p...drop-vs-reject

[dkardell]

Thanks again Doug.

So will this stop these attacks or only those ssh's on port 22?

Code:

Failed password for root from 61.191.61.2 port 45805 ssh2
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.191.61.2  user=root
Failed password for root from 61.191.61.2 port 47037 ssh2
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.191.61.2  user=root
Failed password for root from 61.191.61.2 port 48096 ssh2
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.191.61.2  user=root
Failed password for root from 61.191.61.2 port 48970 ssh2

[dkardell]

Lars listed 2 interesting posts.

According to them we should use REJECT rather than DROP.

Comments?

[CharlesA]

I always use reject instead of drop now.

I've run into issues when using drop instead of reject that causes programs to just keep trying to connect and just sit there. With reject set, the program spits out an error message saying it couldn't connect.

[SeijiSensei]

I solve this problem by blocking all SSH access and only allowing specified IP addresses that I control to connect. If I need a mobile connection, I use a static OpenVPN tunnel from my laptop to the server. I can count on one or at most two hands the number of IP addresses that need to connect legitimately to my servers. I suspect that's true for a lot of folks.

[CharlesA]

I solve this problem by blocking all SSH access and only allowing specified IP addresses that I control to connect. If I need a mobile connection, I use a static OpenVPN tunnel from my laptop to the server. I can count on one or at most two hands the number of IP addresses that need to connect legitimately to my servers. I suspect that's true for a lot of folks.

I do the same minus the OpenVPN thing. If I know I will need to connect from a different IP than usual (traveling, relative's house, etc), I start a VM with only SSH installed on it and run it on a random high port. Both machines used keys for authentication, so I don't get too many hits from bad guys.

[dkardell]

I solve this problem by blocking all SSH access and only allowing specified IP addresses that I control to connect. If I need a mobile connection, I use a static OpenVPN tunnel from my laptop to the server. I can count on one or at most two hands the number of IP addresses that need to connect legitimately to my servers. I suspect that's true for a lot of folks.

Thanks, I think I'll move towards that. Being a newbie to Ubuntu and remote servers (just over a year now), I guess I'm worried that if my ISP changes my home IP then I won't be able to get into the system.

I don't know much about OpenVPN but will educate myself on that as well.

[CharlesA]

Thanks, I think I'll move towards that. Being a newbie to Ubuntu and remote servers (just over a year now), I guess I'm worried that if my ISP changes my home IP then I won't be able to get into the system.

I don't know much about OpenVPN but will educate myself on that as well.

Dynamic DNS would fix that problem. Check out no-ip or dyndns.

[SeijiSensei]

Thanks, I think I'll move towards that. Being a newbie to Ubuntu and remote servers (just over a year now), I guess I'm worried that if my ISP changes my home IP then I won't be able to get into the system.

I don't know much about OpenVPN but will educate myself on that as well.

OpenVPN is an excellent solution to this problem. I run simple point-to-point tunnels with a shared static key. My server is out in the "cloud" at Linode and is configured to listen for an OpenVPN connection on a specified high port. At home I have a machine configured as a client that connects to the server and sets up the tunnel. It doesn't matter if my home IP changes since the client simply connects through the firewall. I do have to leave a high port open accepting UDP traffic for the tunnel, but that's not much of a vulnerability since even if you find the port you'd need my encryption key to exploit it.

Here are the configuration files I use for future reference:

Server:

Code:

dev tun
ifconfig 10.1.1.1 10.1.1.20
#up /etc/openvpn/add_routes
secret /etc/openvpn/keys/my.key
port 43434
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
no-replay

Client:

Code:

dev tun
remote myserver.example.com
ifconfig 10.1.1.20 10.1.1.1
port 43434
secret /etc/openvpn/keys/my.key
up /etc/openvpn/add_routes
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

They are essentially identical except that the client has the "remote" directive telling it where to connect, and the order of IP addresses in the "ifconfig" directive are reversed. The server assigns 10.1.1.1 to its tunnel interface and 10.1.1.20 to the client.

[dkardell]

so SeijiSensei help the newbie out here. Again I'm a programmer of some 30 years and have been playing around with Ubuntu for a little over a year and am now doing remote admin of a server via SSH. This whole thread started because of the number of sshd root failures I'm seeing for other ips. I've read over the OpenVPN stuff and really want to understand it but a bit worried that I may screw someithing up and lock myself out. I have heard about shared static key's but have slept since then. How do I go about using keys on my mac local and on a Ubuntu server hosted at Godaddy?

Next what are your code examples above. Are scripts inside of executable files? or are these configs?

Thanks!

Dan]