Page 1 of 2 (results 1 to 10 of 15)

Thread: Port Limits: Too Much of a Good Thing?

  1. #1
    Join Date
    Nov 2011
    Beans
    Hidden!

    Port Limits: Too Much of a Good Thing?

    Greetings!

    Had a "really simple" idea/question for the community tonight; and need some savvy to move things along

    In that spirit, I'll submit the well-known "ufw limit ssh/tcp" command line which is proffered as a means of thwarting a brute-force attack on a plain-jane client install:

    Code:
    root@laptop1:~# ufw limit ssh/tcp
    Rule added
    Skipping unsupported IPv6 'limit' rule
    
    root@laptop1:~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     LIMIT IN    Anywhere
    OK, so we're setting up a rule to quash a dictionary attack directed @ port 22. Good enough.

    However, hypothetically, let's say we have a scenario in which other (unforeseen) ports on the subject machine could present themselves as a useful target for some miscreant passerby.

    In that (academic?) case, how does this look as a way of essentially telling a would-be interloper to buzz off & stop hammering at all possible points of entry:

    Code:
    root@laptop1:~# ufw limit proto tcp from any to any port 1:65535
    Rule added
    Skipping unsupported IPv6 'limit' rule
    
    root@laptop1:~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    1:65535/tcp                LIMIT IN    Anywhere
    In sum, what are the pros & cons of setting up a rule like this on a typical client; and would such an arrangement, indeed, have the net collective effect of blockading the entire portset from brute-force attack?

    Finally, what are the relevant implications in the ubiquitous warning "Skipping unsupported IPv6 'limit' rule"?


    Thanks again --

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Port Limits: Too Much of a Good Thing?

    I just use iptables, not ufw for writing those rules.

    Code:
    # Implement 90 minute lockout by rejecting any connections from an IP that is trying to bruteforce SSH.
    # Blame Doug S: http://ubuntuforums.org/showthread.php?t=2137073
    # Log anything that gets rejected - Comment this line out if you don't want logging enabled.
    # (Editor's note: assumes an earlier rule already accepts ESTABLISHED,RELATED traffic, so only new connections reach these rules.)
    iptables -A INPUT -m recent --update --hitcount 3 --seconds 5400 --name SSH -j LOG --log-prefix "SSH Attack: " --log-level info
    iptables -A INPUT -m recent --update --hitcount 3 --seconds 5400 --name SSH -j REJECT
    iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH -j ACCEPT
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
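
    As an added example (not code from this thread, from ufw, or from the iptables project), the following model of the iptables 'recent' match shows what the OP's two ufw rules and CharlesA's three iptables rules above actually do to a stream of connection attempts. The ufw parameters used (6 new connections per 30 seconds, one shared list named DEFAULT, a limit rule being an allow with a rate cap) are what ufw generates for 'limit'; the 3-hit/90-minute numbers are CharlesA's. It assumes an ESTABLISHED,RELATED accept rule ahead of CharlesA's rules, a default-deny input policy, and constructed documentation-range addresses and timings. It models IPv4 only, which is also all the skipped IPv6 'limit' rule leaves covered.

```python
"""Model of the iptables 'recent' match (xt_recent), used to compare the thread's two
rate-limiting approaches. Not ufw's or the posters' code; all addresses and timings are
constructed test data."""
from collections import defaultdict
from functools import partial


class RecentList:
    """One named list (--name). Per source address, the timestamps of its hits, capped at
    ip_pkt_list_tot (kernel default 20) like the real module."""

    def __init__(self, max_stamps=20):
        self.entries = defaultdict(list)
        self.max_stamps = max_stamps

    def set(self, ip, now):
        """--set: record a hit for ip, creating the entry if needed."""
        stamps = self.entries[ip]
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N: true when ip is listed and has at least N hits
        in the last S seconds. On a match the kernel also records this packet as a hit, so
        a source that keeps retrying keeps refreshing its own block."""
        if ip not in self.entries:
            return False
        hits = sum(1 for t in self.entries[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.set(ip, now)
            return True
        return False


def ufw_limit(limited_ports, recent, ip, port, now):
    """'ufw limit' on limited_ports, as the rules ufw emits: a NEW connection is --set on
    the shared DEFAULT list, then rejected if the address now has 6+ hits within 30 s.
    A limit rule is an *allow* with a rate cap; other ports keep ufw's default deny."""
    if port not in limited_ports:
        return "DROP"
    recent.set(ip, now)
    if recent.update(ip, now, seconds=30, hitcount=6):
        return "REJECT"
    return "ACCEPT"


def lockout(recent, ip, port, now):
    """CharlesA's three rules in order. The LOG and REJECT rules carry no --dport, so once
    an address has 3 hits in 90 minutes every packet from it is rejected, and each such
    packet matches both rules (two fresh hits). Only a port-22 packet below that threshold
    gets --set and accepted. Assumes an earlier ESTABLISHED,RELATED accept (only new
    connections arrive here) and a default-deny policy for everything else."""
    recent.update(ip, now, seconds=5400, hitcount=3)      # LOG rule
    if recent.update(ip, now, seconds=5400, hitcount=3):  # REJECT rule
        return "REJECT"
    if port == 22:
        recent.set(ip, now)
        return "ACCEPT"
    return "DROP"


def run(policy, attempts):
    """Push (time, ip, port) connection attempts through a policy; return the verdicts."""
    recent = RecentList()
    return [policy(recent, ip, port, t) for t, ip, port in attempts]


# Constructed addresses from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24.
ATTACKER, PEER = "203.0.113.5", "192.0.2.10"


def ssh_bruteforce_under_ufw_limit():
    """'ufw limit ssh/tcp': one guess per second, then one more after 30 s of silence."""
    attempts = [(t, ATTACKER, 22) for t in range(8)] + [(38, ATTACKER, 22)]
    return run(partial(ufw_limit, {22}), attempts)


def all_ports_limited_on_a_client():
    """The OP's 'limit ... port 1:65535': a port that default-deny used to close is now
    reachable, and a peer that opens a few quick connections to port 80 is then refused
    on port 22, because every limited port feeds the same list."""
    attempts = [(0, PEER, 8080)] + [(t, PEER, 80) for t in range(1, 5)] + [(5, PEER, 22)]
    return run(partial(ufw_limit, range(1, 65536)), attempts)


def same_attempts_with_default_deny():
    """Same traffic against 'ufw limit ssh/tcp' alone, for comparison."""
    attempts = [(0, PEER, 8080)] + [(t, PEER, 80) for t in range(1, 5)] + [(5, PEER, 22)]
    return run(partial(ufw_limit, {22}), attempts)


def ninety_minute_lockout():
    """CharlesA's rules: three quick SSH connections, a fourth, a later probe of another
    port, and a retry once fewer than 3 hits remain inside the 90-minute window."""
    attempts = [(0, ATTACKER, 22), (1, ATTACKER, 22), (2, ATTACKER, 22),
                (3, ATTACKER, 22), (1000, ATTACKER, 80), (5404, ATTACKER, 22)]
    return run(lockout, attempts)


if __name__ == "__main__":
    for scenario in (ssh_bruteforce_under_ufw_limit, all_ports_limited_on_a_client,
                     same_attempts_with_default_deny, ninety_minute_lockout):
        print(f"{scenario.__name__}: {scenario()}")
```

    The two ufw scenarios answer the OP's question directly: because 'limit' is a rate-capped allow, the 1:65535 rule does not blockade the port set, it opens every TCP port to the first five connections per 30 seconds and makes unrelated ports share one counter. The lockout scenario shows the trade-off in CharlesA's rules: a locked-out address loses access to every port, and the block expires 90 minutes after its third-newest hit rather than at a fixed time.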

  3. #3
    Join Date
    Aug 2009
    Beans
    3,535
    Distro
    Ubuntu Development Release

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by CharlesA View Post
    I just use iptables, not ufw for writing those rules.

    Code:
    # Implement 90 minute lockout by rejecting any connections from an IP that is trying to bruteforce SSH.
    # Blame Doug S: http://ubuntuforums.org/showthread.php?t=2137073
    # Log anything that gets rejected - Comment this line out if you don't want logging enabled.
    iptables -A INPUT -m recent --update --hitcount 3 --seconds 5400 --name SSH -j LOG --log-prefix "SSH Attack: " --log-level info
    iptables -A INPUT -m recent --update --hitcount 3 --seconds 5400 --name SSH -j REJECT
    iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH -j ACCEPT
    Would you put that in the home directory and execute it at startup?
    Check Java Version | Install Java via WEB UPD8 PPA
    Creating a Custom Maintenance Free GRUB2 Screen Community Wiki
    Precise 12.04 | Trusty 14.04 | Vivid 15.04 | Mint Rebecca 17 | Windows 7 | All 64 bit

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by Cavsfan View Post
    Would you put that in the home directory and execute it at startup?
    I suppose you could.

    I have my iptables script sitting in /etc/network/if-pre-up.d/ so it runs before the network interface comes up.

    Those aren't my full rules, but it'll block any traffic coming in on port 22 after 3 new connections are made in rapid succession.

    As far as the OP's question goes, I'm not too sure what the limit part of ufw does as I don't use it, but I suspect you can find out by checking iptables directly:

    Code:
    sudo iptables -L

  5. #5
    Join Date
    Aug 2009
    Beans
    3,535
    Distro
    Ubuntu Development Release

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by Cavsfan View Post
    Would you put that in the home directory and execute it at startup?
    Quote Originally Posted by CharlesA View Post
    I suppose you could.

    I have my iptables script sitting in /etc/network/if-pre-up.d/ so it runs before the network interface comes up.

    Those aren't my full rules, but it'll block any traffic coming in on port 22 after 3 new connections are made in rapid succession.

    As far as the OP's question goes, I'm not too sure what the limit part of ufw does as I don't use it, but I suspect you can find out by checking iptables directly:

    Code:
    sudo iptables -L
    Code:
    cavsfan@cavsfan-MS-7529:~$ sudo iptables -L -n -v
    Chain INPUT (policy ACCEPT 4185 packets, 4275K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    
    Chain OUTPUT (policy ACCEPT 3222 packets, 301K bytes)
     pkts bytes target     prot opt in     out     source               destination
    I guess I have no rules. What file name is that saved as in /etc/network/if-pre-up.d/ ? I see I have the directory but there are just these two files:
    Code:
    cavsfan@cavsfan-MS-7529:/etc/network/if-pre-up.d$ ls
    wireless-tools  wpasupplicant
    Do I put that code in one of those files or a new one?
    Thanks! Learning curve

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Port Limits: Too Much of a Good Thing?

    It shouldn't matter. The file I use is named iptables, but it's a script I wrote to apply iptables rules, not something you'd use with ufw.

    In any case, just add your rules to the file and run it and you should be good to go.

  7. #7
    Join Date
    Aug 2009
    Beans
    3,535
    Distro
    Ubuntu Development Release

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by CharlesA View Post
    It shouldn't matter. The file I use is named iptables, but it's a script I wrote to apply iptables rules, not something you'd use with ufw.

    In any case, just add your rules to the file and run it and you should be good to go.

    Ok Thanks!

  8. #8
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    9,041
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by CharlesA View Post
    I have my iptables script sitting in /etc/network/if-pre-up.d/ so it runs before the network interface comes up.
    If you put scripts there, do they start when the network is activated from the desktop? On servers I always have static addressing and set up the network when the system boots. Ubuntu, by default, only starts the network after the user logs in. Are the contents of /etc/network/if-pre-up.d/ run then?
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by SeijiSensei View Post
    If you put scripts there, do they start when the network is activated from the desktop? On servers I always have static addressing and set up the network when the system boots. Ubuntu, by default, only starts the network after the user logs in. Are the contents of /etc/network/if-pre-up.d/ run then?
    I'm not sure. I don't run iptables like that on anything but my servers.

  10. #10
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,614
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Port Limits: Too Much of a Good Thing?

    Quote Originally Posted by SeijiSensei View Post
    If you put scripts there, do they start when the network is activated from the desktop? On servers I always have static addressing and set up the network when the system boots. Ubuntu, by default, only starts the network after the user logs in. Are the contents of /etc/network/if-pre-up.d/ run then?
    I tried it on a desktop computer, just as was described in the previous posts, and it worked fine. However, I had a tcpdump session running on another computer and noticed that the network stuff started on boot, not when I logged in. I thought I read somewhere that the delayed network start stuff only applied if one used something called network manager to configure the network. I didn't do anything to configure the network, it was a fresh saucy daily ISO installation from a day or two ago. (Notes: It was a VM, if that matters; I don't know much about Ubuntu desktop, as I normally only run Ubuntu servers.)
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.
