Comments on: IPTables against SSH dictionary attacks

By: Tom smish

Tom smish — Thu, 26 Nov 2009 10:28:42 +0000

Iâ€™ve always tried to learn the minimum to get iptables to do what I want it to. Using it effectively is like mastering another programming language.

By: D. Stussy

D. Stussy — Thu, 04 Jun 2009 13:48:53 +0000

If one has to have SSH open to the world, it’s better to implement the recent feature as a WHITELIST, not a blacklist – and deny everyone else.

As far as how to put systems into the whitelist, that’s done by accessing some other resource on the same physical machine. It doesn’t matter if this is a different TCP (or even UDP) port or a different IP address (for a multi-homed machine or one that services multiple IPs via virtual hosting), or an out-of-band method such as a web server script that writes directly the IP address of the requestor to the appropriate file in “/proc/net/xt_recent/” or via e-mail to a special mailbox that extracts the address to write. The whitelist should use both the “–seconds” and “–rttl” features of the “recent” module to time out entries and help prevent source IP forgery (at least by comparing TTL values).

By: Martin Wolf’s weblog » Blog Archive » Firewall improvements from R. Scott Smith

Sun, 03 Feb 2008 20:11:22 +0000

[...] In response to my article about using the recent IPTables module to fight brute-force password attacks, based on an idea from Andrew Pollock, a reader worked out the idea into a complete firewall script, with configurable whitelisting, the ability to block multiple ports, and several other enhancements. Read his post for the details. [...]

By: me

me — Fri, 04 May 2007 00:09:56 +0000

The reason it didn’t work right most likely is because you added -j ACCEPT to the first command. just strip that off.

By: Martin Wolf

Martin Wolf — Sun, 25 Mar 2007 16:25:50 +0000

Thanks!

I have made the script you sent me available for download:
http://mwolf.net/misc-files/rc.firewall

It’s linked to from a new article:
http://mwolf.net/archive/firewall-script-from-scott/

By: R. Scott Smith

R. Scott Smith — Sun, 25 Mar 2007 03:30:25 +0000

I made the improvements I described earlier. I also added some descriptions to what’s happening. The other thing is the logging switch. I put that in, but I have it turned off. Since I’m not interested in logging when the block occurs, I did not put that ability in script, but I don’t think it would be too hard to add. I’m e-mailing the script to you now.

This is my personal e-mail address you are receiving this from. I don’t give this one out to businesses or the like, only people I know. Please respect that and use meetscott@netscape.net if you want to distribute some correspondence to someone else. Thanks.

By: Martin Wolf

Martin Wolf — Fri, 23 Mar 2007 16:26:52 +0000

Hi Scott,

Cool! I’m very interested to see your improvements. If you don’t have a server to publish it on, feel free to use mine. If you prefer, you can mail it to me at “martin” at this domain, and I’ll publish it for you as a separate article.

By: R. Scott Smith

R. Scott Smith — Thu, 22 Mar 2007 15:58:56 +0000

Okay, I’ve added some functionality that others might be interested in. I did some more studying of iptables and came up with a method of including a whitelist along with this limiting behavior for the dictionary attacks. In addition, I have added the notion of listing other services. For example, right now I’m limiting ssh, ftp, and pop3. I recently got a pop3 attack that caused me to look at that too.

In summary:
– I have a whitelist that is *not* limited by the number of login attempts.
– I have this hack presented here that limits the number of attempts from *all* other people for the 10 minute period, same as presented above.
– I have a blacklist, which is no longer being used but it’s still nice that I can use it if I change my mind.
– I close all ports except the ones I specify to open.
– And finally, I drop SYN packets which are inbound start up requests.
– Another note is that all the adjustable parts listed above are either set in variables at the top of the script or they are included in external files (eg the whitelist and blacklist). Open ports are in an easily editable list and the limiting ports are in an easily editable list at the top of the firewall script. So in order to open up another port, just add it to the list. To make a port limited to use per time, just add it to the LIMITED list. Once something has been adjusted, the firewall script just gets re-run. The ports are treated as a group so 3 ssh attempts, 2 ftp attempts, and then 1 pop3 attempt will trigger the 10 minute blocking (unless you’re on the whitelist of course

For now, I think this is all the functionality I have ever wanted out of iptables or a any other firewall for that matter. I’m thinking I might want to eventually adjust it for variables on the number of attempts, the time frame for those attempts, and then the blocking time.

If you’re interested I’ll post the script. Otherwise, I’ll likely post it on a how to once I get my own server co-located. Thanks for all the help.