Thread: Configuring squid to block brute force attacks

  1. #1
    Join Date
    Apr 2014
    Beans
    13

    Configuring squid to block brute force attacks

    Hello there,

    Lately I have detected several RDP brute force attacks on my proxy server.
    I was wondering how I can configure squid to drop a packet and block the sender (adding it to a blacklist) after several unsuccessful tries.

    Does anyone have a script that does something like this?

    Thanks!

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,642
    Distro
    Kubuntu Development Release

    Re: Configuring squid to block brute force attacks

    Squid can't do that, but fail2ban can. You can also perform rate limiting in iptables or by "wrapping" a service with xinetd.

    You don't leave the RDP port open to the public, do you? So other than annoying entries in your logs, do these attacks actually threaten your server? If not, I'd just ignore them, or add a rule to the INPUT chain in iptables to drop connections to port 3389. Put that rule above the generic logging rule for unmatched packets.

    Servers get a lot of unwanted probes. You could react to every attempt you see in your logs, or you can just make sure you have a solid firewall that blocks all unauthorized traffic. I've generally taken the latter approach. I do run a nightly script that compiles lists of spamming IPs from my mail server logs and adds the addresses to a block list, but we're talking dozens of IPs, not just a couple.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
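As an added illustration of the fail2ban approach suggested above (example code written for this thread, not fail2ban's own code or the poster's): a small Python reproduction of a jail's maxretry/findtime logic, run over constructed kernel LOG lines of the kind the poster's "-j LOG" rules emit, reporting the sources that should be banned for hammering port 3389. The log lines, hostname and addresses are constructed, and the fail2ban-style thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed kernel LOG lines (syslog format, documentation addresses), not
# taken from the thread; the fields mirror what an iptables "-j LOG" rule emits.
SAMPLE_LOG = [
    f"Apr 10 12:{m:02d}:{s:02d} proxy kernel: [100.0] IN=eth4 OUT= SRC={src} "
    f"DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT={dpt} SYN URGP=0"
    for m, s, src, dpt in [
        (16, 1, "203.0.113.5", 3389), (16, 9, "203.0.113.5", 3389),
        (16, 20, "198.51.100.7", 3389), (17, 2, "203.0.113.5", 3389),
        (17, 30, "203.0.113.9", 80), (18, 5, "203.0.113.5", 3389),
        (19, 40, "198.51.100.7", 3389), (20, 11, "203.0.113.5", 3389),
    ]
]

# Same fields a fail2ban failregex would capture: timestamp, SRC and DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"\bSRC=(?P<src>[0-9.]+) .*?\bPROTO=TCP .*?\bDPT=(?P<dpt>\d+)\b"
)

def parse_line(line, year=2014):
    """Return (timestamp, source, dest_port), or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def offenders(lines, port=3389, maxretry=5, findtime=600):
    """Sources that hit `port` at least `maxretry` times within `findtime`
    seconds, in the order they crossed the threshold (a jail's semantics)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # per-source sliding window of hit times
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        if dpt != port or src in banned:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:    # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.append(src)
    return banned
```

Note that traffic matched by the DNAT rule in post #3 traverses the FORWARD chain rather than INPUT, so a LOG rule would be needed there for such lines to appear at all.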

  3. #3
    Join Date
    Apr 2014
    Beans
    13

    Re: Configuring squid to block brute force attacks

    Thanks SeijiSensei for your response!

    So, a good option is to make 3389 a private port, then log every attack in iptables and use fail2ban to read the logs and block the attacker, right?
    If I change port 3389 to private, this will restrict it to some IPs, but I need to access it from any device and any IP. Is there any other way to do that?

    For iptables, which package should I look for?

    Here are my iptables rules to clarify.

    # Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp -m limit --limit 2/second -j LOG
    -A INPUT -p udp -m udp -m limit --limit 2/second -j LOG
    -A FORWARD -s 192.168.0.0/24 -d 192.168.100.0/24 -j DROP
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m limit --limit 2/second -j LOG
    -A INPUT -m limit -f --limit 2/second -j LOG
    -A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -j DROP
    -A FORWARD -s 192.168.0.0/24 -d 192.168.25.0/24 -j DROP
    -A FORWARD -s 192.168.1.0/24 -d 192.168.25.0/24 -j DROP
    -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j DROP
    -A INPUT -i eth4 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 192.168.0.0/24 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -j ACCEPT
    -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j DROP
    -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
    COMMIT
    # Completed on Wed Apr 9 12:16:19 2014
    # Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
    *nat
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -p tcp -m tcp -m multiport -s 192.168.0.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
    -A PREROUTING -p tcp -m tcp -m multiport -s 192.168.1.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
    -A POSTROUTING -o eth4 -j MASQUERADE
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 80 -j DNAT --to-destination 192.168.0.240:80
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 34567 -j DNAT --to-destination 192.168.0.215:34567
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 9676 -j DNAT --to-destination 192.168.0.240:9676
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 34568 -j DNAT --to-destination 192.168.0.215:34568
    COMMIT
    # Completed on Wed Apr 9 12:16:19 2014
    # Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
    *mangle
    :PREROUTING ACCEPT [349:91804]
    :INPUT ACCEPT [345:91481]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [341:90863]
    :POSTROUTING ACCEPT [341:90863]
    COMMIT
    # Completed on Wed Apr 9 12:16:19 2014


    eth4 is the Internet interface.
    Last edited by rpugsley; July 17th, 2014 at 05:26 PM.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    15,642
    Distro
    Kubuntu Development Release

    Re: Configuring squid to block brute force attacks

    Code:
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389
    As far as I can see, anyone on the Internet can connect to this port. That's a huge security hole. You either need to specify the source IP addresses for legitimate users, or adopt some kind of VPN.

    My servers, housed at Linode, only allow traffic from each other and over the VPN that interconnects them with my office. I have a "back door" into the network that I can use when I am traveling. I only ever use SSH to connect to these machines. I don't see any value to shipping entire desktops over the Internet just to manage servers. If I want to use a GUI application on a remote machine, I use "ssh -X" to set up a tunnel.
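The check made by eye above, as an added example that is not from the thread or from any poster: a Python audit that parses iptables-save output, looks at the nat table's PREROUTING chain and lists DNAT port-forwards on the Internet interface that carry no -s restriction, i.e. ones reachable from any source. The dump is a constructed fragment modelled on the rules in post #3, with one extra rule that does carry a source restriction for contrast.

```python
import re

# Constructed nat-table fragment modelled on the rules posted in this thread;
# the 203.0.113.0/24 rule is added here to show a source-restricted forward.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.0.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
-A POSTROUTING -o eth4 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389
-A PREROUTING -p tcp -m tcp -i eth4 -s 203.0.113.0/24 --dport 22 -j DNAT --to-destination 192.168.0.240:22
-A PREROUTING -p tcp -m tcp -i eth4 --dport 34567 -j DNAT --to-destination 192.168.0.215:34567
COMMIT
"""

# One "-x value" or "--long-option value" pair at a time.
OPT = re.compile(r"(?:^|\s)(-[a-zA-Z]|--[a-z-]+)\s+(\S+)")

def parse_rule(line):
    """Split one '-A CHAIN ...' line into a dict of option -> value."""
    opts = {}
    for key, val in OPT.findall(line):
        opts.setdefault(key, val)   # keep the first occurrence (e.g. first -m)
    return opts

def exposed_forwards(dump, wan_if):
    """DNAT rules on wan_if that accept any source, as (dport, target) pairs."""
    findings = []
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        o = parse_rule(line)
        if o.get("-j") != "DNAT" or o.get("-i") != wan_if:
            continue
        if "-s" not in o and "--source" not in o:
            findings.append((int(o["--dport"]), o["--to-destination"]))
    return findings
```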

  5. #5
    Join Date
    Apr 2014
    Beans
    13

    Re: Configuring squid to block brute force attacks

    Quote Originally Posted by SeijiSensei
    Code:
    -A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389
    As far as I can see, anyone on the Internet can connect to this port. That's a huge security hole. You either need to specify the source IP addresses for legitimate users, or adopt some kind of VPN.

    My servers, housed at Linode, only allow traffic from each other and over the VPN that interconnects them with my office. I have a "back door" into the network that I can use when I am traveling. I only ever use SSH to connect to these machines. I don't see any value to shipping entire desktops over the Internet just to manage servers. If I want to use a GUI application on a remote machine, I use "ssh -X" to set up a tunnel.
    Thanks SeijiSensei, I will check that.
