Configuring squid to block brute force attacks

**rpugsley** · July 16th, 2014

Hello there,

Lately I detected several RDP brute force attacks to my proxy server.
I was wondering how can I configure squid to drop a packet and block the sender (adding him to a blacklist) after several unsuccessful tries.

Anyone have a script doing something like this?

Thanks!

**SeijiSensei** · July 17th, 2014

Squid can't do that, but fail2ban can. You can also perform rate limiting in iptables or by "wrapping" a service with xinetd.

You don't leave the RDP port open to the public, do you? So other than annoying entries in your logs, do these attacks actually threaten your server? If not, I'd just ignore them, or add a rule to the INPUT chain in iptables to drop connections to port 3389. Put that rule above any the generic logging rule for unmatched packets.

Servers get a lot of unwanted probes. You could react to every attempt you see in your logs, or you can just make sure you have a solid firewall that blocks all unauthorized traffic. I've generally taken the latter approach. I do run a nightly script that compile lists of spamming IPs from my mail server logs and adds the addresses to a block list, but we're talking dozens of IPs, not just a couple.

**rpugsley** · July 17th, 2014

Thanks SeninjiSensei for your response!

So, a good option is to make 3389 a private port then log every attack on IPTABLES, and use fail2ban to read logs and block the attacker, right?
If I change port 3389 to private, this will restrict to some ips, but I need to access that from any device and any ip, is there any other way to do that?

For Iptables, which package should I look for?

Here's my Iptables rules to clarify.

# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m limit --limit 2/second -j LOG
-A INPUT -p udp -m udp -m limit --limit 2/second -j LOG
-A FORWARD -s 192.168.0.0/24 -d 192.168.100.0/24 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 2/second -j LOG
-A INPUT -m limit -f --limit 2/second -j LOG
-A FORWARD -s 192.168.1.0/24 -d 192.168.100.0/24 -j DROP
-A FORWARD -s 192.168.0.0/24 -d 192.168.25.0/24 -j DROP
-A FORWARD -s 192.168.1.0/24 -d 192.168.25.0/24 -j DROP
-A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j DROP
-A INPUT -i eth4 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Apr 9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

REROUTING ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.0.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.1.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
-A POSTROUTING -o eth4 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389
-A PREROUTING -p tcp -m tcp -i eth4 --dport 80 -j DNAT --to-destination 192.168.0.240:80
-A PREROUTING -p tcp -m tcp -i eth4 --dport 34567 -j DNAT --to-destination 192.168.0.215:34567
-A PREROUTING -p tcp -m tcp -i eth4 --dport 9676 -j DNAT --to-destination 192.168.0.240:9676
-A PREROUTING -p tcp -m tcp -i eth4 --dport 34568 -j DNAT --to-destination 192.168.0.215:34568
COMMIT
# Completed on Wed Apr 9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*mangle

REROUTING ACCEPT [349:91804]
:INPUT ACCEPT [345:91481]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [341:90863]

OSTROUTING ACCEPT [341:90863]
COMMIT
# Completed on Wed Apr 9 12:16:19 2014

eth4 is internet.

**SeijiSensei** · July 18th, 2014

Code:

-A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389

As far as I can see, anyone on the Internet can connect to this port. That's a huge security hole. You either need to specify the source IP addresses for legitimate users, or adopt some kind of VPN.

My servers, housed at Linode, only allow traffic from each other and over the VPN that interconnects them with my office. I have a "back door" into the network that I can use when I am traveling. I only ever use SSH to connect to these machines. I don't see any value to shipping entire desktops over the Internet just to manage servers. If I want to use a GUI application on a remote machine, I use "ssh -X" to set up a tunnel.

**rpugsley** · July 18th, 2014

Originally Posted by SeijiSensei

Code:

-A PREROUTING -p tcp -m tcp -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.240:3389

As far as I can see, anyone on the Internet can connect to this port. That's a huge security hole. You either need to specify the source IP addresses for legitimate users, or adopt some kind of VPN.

My servers, housed at Linode, only allow traffic from each other and over the VPN that interconnects them with my office. I have a "back door" into the network that I can use when I am traveling. I only ever use SSH to connect to these machines. I don't see any value to shipping entire desktops over the Internet just to manage servers. If I want to use a GUI application on a remote machine, I use "ssh -X" to set up a tunnel.

Thanks SeijiSensei, I will check that.