<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: IPTables against SSH dictionary attacks</title>
	<atom:link href="http://mwolf.net/archive/iptables-against-ssh/feed/" rel="self" type="application/rss+xml" />
	<link>http://mwolf.net/archive/iptables-against-ssh/</link>
	<description>Software development and assorted geekery</description>
	<pubDate>Tue, 06 Jan 2009 01:53:52 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
		<item>
		<title>By: Martin Wolf&#8217;s weblog &#187; Blog Archive &#187; Firewall improvements from R. Scott Smith</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-1351</link>
		<dc:creator>Martin Wolf&#8217;s weblog &#187; Blog Archive &#187; Firewall improvements from R. Scott Smith</dc:creator>
		<pubDate>Sun, 03 Feb 2008 20:11:22 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-1351</guid>
		<description>[...] In response to my article about using the recent IPTables module to fight brute-force password attacks, based on an idea from Andrew Pollock, a reader worked out the idea into a complete firewall script, with configurable whitelisting, the ability to block multiple ports, and several other enhancements. Read his post for the details. [...]</description>
		<content:encoded><![CDATA[<p>[...] In response to my article about using the recent IPTables module to fight brute-force password attacks, based on an idea from Andrew Pollock, a reader worked out the idea into a complete firewall script, with configurable whitelisting, the ability to block multiple ports, and several other enhancements. Read his post for the details. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: me</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-169</link>
		<dc:creator>me</dc:creator>
		<pubDate>Fri, 04 May 2007 00:09:56 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-169</guid>
		<description>The reason it didn't work right most likely is that you added -j ACCEPT to the first command. Just strip that off.</description>
		<content:encoded><![CDATA[<p>The reason it didn&#8217;t work right most likely is that you added -j ACCEPT to the first command. Just strip that off.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Martin Wolf</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-124</link>
		<dc:creator>Martin Wolf</dc:creator>
		<pubDate>Sun, 25 Mar 2007 16:25:50 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-124</guid>
		<description>Thanks!

I have made the script you sent me available for download:
http://mwolf.net/misc-files/rc.firewall

It's linked to from a new article:
http://mwolf.net/archive/firewall-script-from-scott/</description>
		<content:encoded><![CDATA[<p>Thanks!</p>
<p>I have made the script you sent me available for download:<br />
<a href="http://mwolf.net/misc-files/rc.firewall" >http://mwolf.net/misc-files/rc.firewall</a></p>
<p>It&#8217;s linked to from a new article:<br />
<a href="http://mwolf.net/archive/firewall-script-from-scott/" >http://mwolf.net/archive/firewall-script-from-scott/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: R. Scott Smith</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-123</link>
		<dc:creator>R. Scott Smith</dc:creator>
		<pubDate>Sun, 25 Mar 2007 03:30:25 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-123</guid>
		<description>I made the improvements I described earlier.  I also added some descriptions of what's happening.  The other thing is the logging switch.  I put that in, but I have it turned off.  Since I'm not interested in logging when the block occurs, I did not put that ability in the script, but I don't think it would be too hard to add. I'm e-mailing the script to you now.

This is my personal e-mail address you are receiving this from.  I don't give this one out to businesses or the like, only people I know.  Please respect that and use meetscott@netscape.net if you want to distribute some correspondence to someone else.  Thanks.</description>
		<content:encoded><![CDATA[<p>I made the improvements I described earlier.  I also added some descriptions of what&#8217;s happening.  The other thing is the logging switch.  I put that in, but I have it turned off.  Since I&#8217;m not interested in logging when the block occurs, I did not put that ability in the script, but I don&#8217;t think it would be too hard to add. I&#8217;m e-mailing the script to you now.</p>
<p>This is my personal e-mail address you are receiving this from.  I don&#8217;t give this one out to businesses or the like, only people I know.  Please respect that and use <a href="mailto:meetscott@netscape.net">meetscott@netscape.net</a> if you want to distribute some correspondence to someone else.  Thanks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Martin Wolf</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-122</link>
		<dc:creator>Martin Wolf</dc:creator>
		<pubDate>Fri, 23 Mar 2007 16:26:52 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-122</guid>
		<description>Hi Scott,

Cool! I'm very interested to see your improvements. If you don't have a server to publish it on, feel free to use mine. If you prefer, you can mail it to me at "martin" at this domain, and I'll publish it for you as a separate article.</description>
		<content:encoded><![CDATA[<p>Hi Scott,</p>
<p>Cool! I&#8217;m very interested to see your improvements. If you don&#8217;t have a server to publish it on, feel free to use mine. If you prefer, you can mail it to me at &#8220;martin&#8221; at this domain, and I&#8217;ll publish it for you as a separate article.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: R. Scott Smith</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-120</link>
		<dc:creator>R. Scott Smith</dc:creator>
		<pubDate>Thu, 22 Mar 2007 15:58:56 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-120</guid>
		<description>Okay, I've added some functionality that others might be interested in.  I did some more studying of iptables and came up with a method of including a whitelist along with this limiting behavior for the dictionary attacks.  In addition, I have added the notion of listing other services.  For example, right now I'm limiting ssh, ftp, and pop3.  I recently got a pop3 attack that caused me to look at that too.

In summary:
 - I have a whitelist that is *not* limited by the number of login attempts.
 - I have this hack presented here that limits the number of attempts from *all* other people for the 10-minute period, same as presented above.
 - I have a blacklist, which is no longer being used but it's still nice that I can use it if I change my mind.
 - I close all ports except the ones I specify to open.
 - And finally, I drop SYN packets which are inbound start up requests.
 - Another note is that all the adjustable parts listed above are either set in variables at the top of the script or they are included in external files (e.g. the whitelist and blacklist).  Open ports are in an easily editable list and the limiting ports are in an easily editable list at the top of the firewall script.  So in order to open up another port, just add it to the list.  To make a port limited to use per time, just add it to the LIMITED list.  Once something has been adjusted, the firewall script just gets re-run.  The ports are treated as a group so 3 ssh attempts, 2 ftp attempts, and then 1 pop3 attempt will trigger the 10-minute blocking (unless you're on the whitelist of course ;-)

For now, I think this is all the functionality I have ever wanted out of iptables or any other firewall for that matter.  I'm thinking I might want to eventually adjust it for variables on the number of attempts, the time frame for those attempts, and then the blocking time.

If you're interested I'll post the script.  Otherwise, I'll likely post it in a how-to once I get my own server co-located.  Thanks for all the help.</description>
		<content:encoded><![CDATA[<p>Okay, I&#8217;ve added some functionality that others might be interested in.  I did some more studying of iptables and came up with a method of including a whitelist along with this limiting behavior for the dictionary attacks.  In addition, I have added the notion of listing other services.  For example, right now I&#8217;m limiting ssh, ftp, and pop3.  I recently got a pop3 attack that caused me to look at that too.</p>
<p>In summary:<br />
 - I have a whitelist that is *not* limited by the number of login attempts.<br />
 - I have this hack presented here that limits the number of attempts from *all* other people for the 10-minute period, same as presented above.<br />
 - I have a blacklist, which is no longer being used but it&#8217;s still nice that I can use it if I change my mind.<br />
 - I close all ports except the ones I specify to open.<br />
 - And finally, I drop SYN packets which are inbound start up requests.<br />
 - Another note is that all the adjustable parts listed above are either set in variables at the top of the script or they are included in external files (e.g. the whitelist and blacklist).  Open ports are in an easily editable list and the limiting ports are in an easily editable list at the top of the firewall script.  So in order to open up another port, just add it to the list.  To make a port limited to use per time, just add it to the LIMITED list.  Once something has been adjusted, the firewall script just gets re-run.  The ports are treated as a group so 3 ssh attempts, 2 ftp attempts, and then 1 pop3 attempt will trigger the 10-minute blocking (unless you&#8217;re on the whitelist of course ;-) </p>
<p>For now, I think this is all the functionality I have ever wanted out of iptables or any other firewall for that matter.  I&#8217;m thinking I might want to eventually adjust it for variables on the number of attempts, the time frame for those attempts, and then the blocking time.</p>
<p>If you&#8217;re interested I&#8217;ll post the script.  Otherwise, I&#8217;ll likely post it in a how-to once I get my own server co-located.  Thanks for all the help.</p>
]]></content:encoded>
	</item>
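The design Scott describes in the comment above (a whitelist that is exempt from limiting, a LIMITED group of ports that share one counter so that ssh, ftp and pop3 attempts add up, a 10-minute block, and default deny for every port not explicitly opened) written out as an added example. This is not the rc.firewall script from the post and not Martin's original rules, which this feed does not reproduce; the chain layout, the "recent" list name BRUTE, the hit count of 4, the LOGGING switch and the sample addresses are all assumptions made here. The --set rule deliberately has no target: the "-j ACCEPT on the first command" problem a commenter points out earlier in this thread is exactly that every new connection gets accepted before it is ever counted. By default the script only prints the iptables commands, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the rc.firewall from the post. Rate limit a group of
# login ports with the iptables "recent" module, exempt a whitelist, and
# default-deny everything else. Dry run by default: IPT="echo iptables"
# prints the rules; run as root with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
WHITELIST="203.0.113.10 198.51.100.0/24"  # constructed sample (RFC 5737 ranges)
OPEN_PORTS="80 443"                        # open and never limited
LIMITED_PORTS="22 21 110"                  # ssh ftp pop3, one shared counter
HITCOUNT=4                                 # the 4th NEW connection within WINDOW is dropped
WINDOW=600                                 # seconds: the 10 minute block
LOGGING=0                                  # assumed switch: 1 logs each dropped attempt

limited_rules() {
    match="-p tcp --dport $1 -m state --state NEW"
    # Whitelisted sources are accepted before the counter ever sees them.
    for net in $WHITELIST; do
        $IPT -A INPUT -s "$net" $match -j ACCEPT
    done
    # Record the source in the list BRUTE. Every limited port uses the same
    # list, so 3 ssh + 2 ftp + 1 pop3 attempts count as 6. No target here:
    # with -j ACCEPT on this rule each connection is accepted before the
    # --update rule below can count it, and the limit never triggers.
    $IPT -A INPUT $match -m recent --name BRUTE --set
    if [ "$LOGGING" = 1 ]; then
        $IPT -A INPUT $match -m recent --name BRUTE --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j LOG --log-prefix brute-force:
    fi
    # Match once the source has HITCOUNT or more hits within the last WINDOW
    # seconds. Every attempt, dropped or not, adds a timestamp, so a source
    # that keeps hammering stays blocked; it gets through again only when its
    # attempts in the last WINDOW seconds fall below HITCOUNT.
    $IPT -A INPUT $match -m recent --name BRUTE --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    $IPT -A INPUT $match -j ACCEPT
}

build_rules() {
    $IPT -F INPUT
    # Close every port not opened below: unsolicited SYNs to anything else
    # fall through to the DROP policy.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $OPEN_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $LIMITED_PORTS; do
        limited_rules "$port"
    done
}

build_rules
```

To change what is open or limited, edit OPEN_PORTS or LIMITED_PORTS and re-run the script, as Scott describes; after loading it for real, `iptables -L INPUT -n -v` shows the rules and `cat /proc/net/xt_recent/BRUTE` (on current kernels) lists the addresses currently being counted.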
	<item>
		<title>By: R. Scott Smith</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-93</link>
		<dc:creator>R. Scott Smith</dc:creator>
		<pubDate>Sat, 03 Mar 2007 23:56:18 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-93</guid>
		<description>Martin, you hit the nail on the head!  I made the changes you suggested, that is moving your code to the beginning of the firewall script.  It works for both ftp and ssh.  I had to wait until I had an attack on both before I posted back, to be sure everything was working as intended.  So this means that your rules are applied first so there is no way that either users from my whitelist or blacklist for that matter can violate your limit rules.  I then have all ports closed and I reopen only the ones I specify.  Lastly, I drop inbound startup requests (SYN drop).  This has the effect of making port scans take *much* longer because they must operate in passive mode.

I would like to have an exempt whitelist though.  But for now it's not really needed and therefore I'm not going to spend the time to figure it out.  I think it would be a matter of !192.168.0.0/24 or something added to your portion of the firewall script.  You could loop through the whitelist in the shell script with the other networks similarly.

Let me know if you are interested in the rest of the script.  I actually got most of it from Rob Flickenger in a book he wrote called "Linux Server Hacks" I think.  

I also wrote a Perl script a couple of years ago for mining out ip addresses from the logs.  This gives me a summary (with number of hits from each address) of all the ip addresses that have hit me based on the log files passed from the script.  The script does *not* try to figure out multiline entries.  It simply finds an entry and then increments that ip address as having occurred again in the log file.  Let me know if you are interested in this too.  It enables you to go through logs very quickly.

Thanks again for this little hack.  I have over 500,000 entries from the last 4 weeks in my logs.  This is ftp and ssh attacks.  I hope in another 4 weeks that this number will be around 2000 or so thanks to your firewall addition.  An added bonus: my system is *much* faster because my blacklist has been completely eliminated in both iptables and hosts.deny.  Now I'm only going to need this stuff you wrote :-D</description>
		<content:encoded><![CDATA[<p>Martin, you hit the nail on the head!  I made the changes you suggested, that is moving your code to the beginning of the firewall script.  It works for both ftp and ssh.  I had to wait until I had an attack on both before I posted back, to be sure everything was working as intended.  So this means that your rules are applied first so there is no way that either users from my whitelist or blacklist for that matter can violate your limit rules.  I then have all ports closed and I reopen only the ones I specify.  Lastly, I drop inbound startup requests (SYN drop).  This has the effect of making port scans take *much* longer because they must operate in passive mode.</p>
<p>I would like to have an exempt whitelist though.  But for now it&#8217;s not really needed and therefore I&#8217;m not going to spend the time to figure it out.  I think it would be a matter of !192.168.0.0/24 or something added to your portion of the firewall script.  You could loop through the whitelist in the shell script with the other networks similarly.</p>
<p>Let me know if you are interested in the rest of the script.  I actually got most of it from Rob Flickenger in a book he wrote called &#8220;Linux Server Hacks&#8221; I think.  </p>
<p>I also wrote a Perl script a couple of years ago for mining out ip addresses from the logs.  This gives me a summary (with number of hits from each address) of all the ip addresses that have hit me based on the log files passed from the script.  The script does *not* try to figure out multiline entries.  It simply finds an entry and then increments that ip address as having occurred again in the log file.  Let me know if you are interested in this too.  It enables you to go through logs very quickly.</p>
<p>Thanks again for this little hack.  I have over 500,000 entries from the last 4 weeks in my logs.  This is ftp and ssh attacks.  I hope in another 4 weeks that this number will be around 2000 or so thanks to your firewall addition.  An added bonus: my system is *much* faster because my blacklist has been completely eliminated in both iptables and hosts.deny.  Now I&#8217;m only going to need this stuff you wrote :-D</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: R. Scott Smith</title>
		<link>http://mwolf.net/archive/iptables-against-ssh/#comment-56</link>
		<dc:creator>R. Scott Smith</dc:creator>
		<pubDate>Thu, 01 Mar 2007 07:46:52 +0000</pubDate>
		<guid isPermaLink="false">http://mwolf.net/archive/iptables-against-ssh/#comment-56</guid>
		<description>Okay, your script worked for ftp and ssh just like I posted above.  I had to take out all my other firewall rules and try it.  Since I like blocking all but certain ports I specify, I'm going to have to investigate why iptables works this way.  I'm certainly *not* an iptables expert, maybe not even a novice, but I thought you would like to know it was *my* fault.  

I've always tried to learn the minimum to get iptables to do what I want it to.  Using it effectively is like mastering another programming language.  And then you only write one "program" with it, namely your firewall rules for your server.

I'm really beat, so I'm going to have to take this up later.  I will post back my findings when I get that far.  Thanks again.  It was really beautiful watching that scripting attack die after six tries.  I tailed the logs while it was happening and then ran the script to see it in action real time! :-D</description>
		<content:encoded><![CDATA[<p>Okay, your script worked for ftp and ssh just like I posted above.  I had to take out all my other firewall rules and try it.  Since I like blocking all but certain ports I specify, I&#8217;m going to have to investigate why iptables works this way.  I&#8217;m certainly *not* an iptables expert, maybe not even a novice, but I thought you would like to know it was *my* fault.  </p>
<p>I&#8217;ve always tried to learn the minimum to get iptables to do what I want it to.  Using it effectively is like mastering another programming language.  And then you only write one &#8220;program&#8221; with it, namely your firewall rules for your server.</p>
<p>I&#8217;m really beat, so I&#8217;m going to have to take this up later.  I will post back my findings when I get that far.  Thanks again.  It was really beautiful watching that scripting attack die after six tries.  I tailed the logs while it was happening and then ran the script to see it in action real time! :-D</p>
]]></content:encoded>
	</item>
</channel>
</rss>
