Gentoo Forums
Documentation, Tips & Tricks
stopping the SSH attacks using iptables
mpagano
Developer
Joined: 27 Apr 2004
Posts: 185
Location: USA

Posted: Wed Oct 06, 2004 8:02 pm    Post subject: stopping the SSH attacks using iptables

I'm not a big fan of all the attacks my system receives via ssh, but I need access to my systems.

If you don't need the world to access your system, and have a limited set of IPs that need access, you may find the method I use helpful.


I use iptables to allow specific IPs into my system and drop everyone else. This eliminated all attacks via ssh on my system.

The simple rules I used are as follows:

To allow a specific IP to access your system, run the following:
iptables -I INPUT -s X.X.X.X -p tcp --dport 22 -j ACCEPT

Where X.X.X.X is the IP you want to allow in.

To drop everyone else:
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j DROP

You can make a script that runs every time you boot to insert the rules.

Another nice option to pursue would be to use a port knocker. Essentially, a system that uses a port knocker contains a daemon that listens for a specific sequence of "knocks" received from a port knocking client. This sequence could trigger a script that opens or closes ports.

Mike

2.6.7-gentoo-r11
i686 Intel(R) Pentium(R) 4 CPU 1.60GHz GenuineIntel GNU/Linux
outspoken
Guru
Joined: 14 Feb 2004
Posts: 464
Location: orlando, fl

Posted: Wed Oct 06, 2004 8:28 pm

Good job on discovering one of the most common security features of the *nix environment. You might also want to include ssh key authentication and alternative port numbers (using the common port is not always suggested for personal systems or security-conscious networks). Check out snort and tripwire or alternatives as well if you desire peace of mind when dealing with the possibility of intrusion.

Post your full iptables script if you like, I would enjoy looking it over.

There are other security features in your /etc/sshd_config to consider, such as allowrootlogin and usepam, etc.

There is always more to do, but for a few next steps consider checking into some of these things.

P.S. I'M SO HAPPY FIREFOX_1.0_PRE-r2 IS OUT! FIND FINALLY WORKS CORRECTLY! (had to shout that out).
mpagano
Developer
Joined: 27 Apr 2004
Posts: 185
Location: USA

Posted: Wed Oct 06, 2004 8:58 pm

Quote:
include ssh key authentication, alternative port numbers (using the common port is not always suggested for personal systems or security-conscious networks). check out snort and tripwire or alternatives as well if you desire peace of mind when dealing with the possibility of intrusion.


Yes, these are great suggestions, thank you for adding to the thread.

Here's my script. It's really very basic, and as a new Gentoo user I'm just trying to contribute a little bit to the community that has given me loads.

Code:

#!/sbin/runscript

start() {
    ebegin "Inserting rules into iptables"
    # -I puts the ACCEPT rules at the top of INPUT and -A puts the DROP at the
    # bottom, so the allowed sources are always matched before the catch-all DROP
    iptables -I INPUT -s X.X.X.X -p tcp --dport 22 -j ACCEPT &&
    iptables -I INPUT -s Y.Y.Y.Y -p tcp --dport 22 -j ACCEPT &&
    iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j DROP
    ret=$?

    # show results (keep the insert status; the listing has its own exit code)
    iptables -t filter -nvL
    eend ${ret}
}

stop() {
    ebegin "Flushing rules from iptables"
    # note: -F removes every rule in every chain of the filter table, not just these three
    iptables -F
    ret=$?

    # show results
    iptables -t filter -nvL
    eend ${ret}
}

restart() {
    # Reload the rules
    ebegin "Reloading iptable rules"

    # call stop, which flushes the rules
    svc_stop
    sleep 1

    # call start, which reinserts the rules
    svc_start

    eend $?
}

sireyessire
Advocate
Joined: 20 Mar 2003
Posts: 2991
Location: back in Paris, France

Posted: Thu Oct 07, 2004 9:45 am    Post subject: Re: stopping the SSH attacks using iptables

mpagano wrote:

I use iptables to allow specific IPs into my system and drop everyone else. This eliminated all attacks via ssh on my system.

The simple rules I used are as follows:

To allow a specific IP to access your system, run the following:
iptables -I INPUT -s X.X.X.X -p tcp --dport 22 -j ACCEPT

Where X.X.X.X is the IP you want to allow in.

To drop everyone else:
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j DROP


You could also use the config file of sshd (sshd_config) to drop unwanted guys:
Code:
AllowUsers youruser@X.X.X.X

This will only allow the login youruser from the IP X.X.X.X to connect to your sshd server, and all the other logins would be dropped even if they enter the right password.
_________________
I never think of the future. It comes soon enough.
Albert Einstein

Try simpler first
Shockley
nx12
Apprentice
Joined: 14 Jan 2004
Posts: 193

Posted: Thu Oct 07, 2004 9:36 pm    Post subject: Re: stopping the SSH attacks using iptables

sireyessire wrote:

will only allow the login youruser from the IP X.X.X.X to connect to your sshd server, and all the other logins would be dropped even if they enter the right password.


But with such a setup you're still in danger of getting r00ted by some exploit. Iptables is a bit more secure. :wink:
_________________
signature sucks
ToeiRei
Veteran
Joined: 03 Jan 2005
Posts: 1170
Location: Austria

Posted: Thu Feb 10, 2005 1:49 am

instead of dropping connections you could tarpit them.

Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
sarge
n00b
Joined: 30 Aug 2004
Posts: 27

Posted: Thu Feb 10, 2005 10:10 am

ToeiRei wrote:
instead of dropping connections you could tarpit them.

Rei


What does "tarpit them" mean, please?
ToeiRei
Veteran
Joined: 03 Jan 2005
Posts: 1170
Location: Austria

Posted: Thu Feb 10, 2005 10:17 am

Tarpitting is a way of holding their connection open and idle to slow worms and hackers down by sending ACK 0 packets. Some malware crashed by timing out at my firewall.
You might want to check out patch-o-matic-ng at iptables.org.

Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
soramame
n00b
Joined: 07 Nov 2004
Posts: 35
Location: /brazil/sp/sao carlos

Posted: Tue Feb 15, 2005 1:50 pm    Post subject: port knocking

You may also use port knocking (which was already discussed in the forums, here).
_________________
bruno nery, i.e., solo soramame

you won't succeed unless you try.
zeky
Guru
Joined: 24 Feb 2003
Posts: 470
Location: Vukojebina, Europe

Posted: Tue Feb 15, 2005 2:53 pm

And/or you can use:

/etc/hosts.deny

Code:
ALL: ALL


/etc/hosts.allow

Code:
sshd: <your_ip>

_________________
Beat your dick like it owes you money
alinv
Guru
Joined: 19 Nov 2002
Posts: 395
Location: Bucharest

Posted: Thu Sep 08, 2005 1:18 am

This one looks interesting: Fail2ban (ebuilds)
Quote:
Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.


More than that, it can unban the IP after a number of seconds. Just tested it and it works pretty well.
_________________
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.
S.B.
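As an added example (not part of alinv's post and not Fail2ban's own code), here is the core of what such a tool does, run over a few constructed sshd log lines: count password failures per source inside a sliding findtime window, ban a source on its maxretry-th failure, and emit the iptables command that inserts the ban together with the command that lifts it when bantime expires. The log lines, the host name gw, the year and the maxretry/findtime/bantime parameters are all assumptions made for the example.

```python
"""Ban SSH brute-forcers from sshd log lines, fail2ban style.

Added example for this thread; not Fail2ban's code.  It scans syslog-format
sshd lines, keeps a sliding window of password failures per source, bans a
source on its maxretry-th failure within findtime, and produces the iptables
command to insert the ban plus the one to lift it after bantime.  The log
below and the host name 'gw' are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in /var/log/auth.log format (not a real capture).
SAMPLE_LOG = """\
Sep  8 01:10:01 gw sshd[4123]: Failed password for root from 198.51.100.23 port 51234 ssh2
Sep  8 01:10:03 gw sshd[4123]: Failed password for root from 198.51.100.23 port 51236 ssh2
Sep  8 01:10:04 gw sshd[4125]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Sep  8 01:10:05 gw sshd[4127]: Invalid user oracle from 198.51.100.23
Sep  8 01:10:06 gw sshd[4127]: Failed password for invalid user oracle from 198.51.100.23 port 51244 ssh2
Sep  8 01:10:20 gw sshd[4130]: Failed password for mike from 192.0.2.7 port 40001 ssh2
Sep  8 01:10:25 gw sshd[4130]: Accepted publickey for mike from 192.0.2.7 port 40001 ssh2
Sep  8 02:30:00 gw sshd[5001]: Failed password for root from 203.0.113.9 port 6000 ssh2
Sep  8 02:50:00 gw sshd[5002]: Failed password for root from 203.0.113.9 port 6001 ssh2
Sep  8 03:10:00 gw sshd[5003]: Failed password for root from 203.0.113.9 port 6002 ssh2
"""

# syslog timestamp, host, sshd[pid], then the OpenSSH password-failure message
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def scan(log_text, maxretry=3, findtime=600, bantime=600, year=2005):
    """Return {ip: (banned_at, unban_at)} for sources that reach maxretry
    password failures within findtime seconds.  Syslog lines carry no year,
    so the caller supplies one."""
    window_len = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # accepted logins and other noise are ignored
        ip = m["ip"]
        if ip in bans:
            continue                # already banned; the firewall drops it from now on
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > window_len:
            window.popleft()        # slide the window: old failures expire
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans


def firewall_commands(bans, port=22):
    """Turn bans into (command, run_at) pairs: insert the DROP at the top of
    INPUT immediately, and delete that exact rule when the ban expires."""
    cmds = []
    for ip, (banned_at, unban_at) in sorted(bans.items()):
        rule = f"INPUT -s {ip} -p tcp --dport {port} -j DROP"
        cmds.append((f"iptables -I {rule}", banned_at))
        cmds.append((f"iptables -D {rule}", unban_at))
    return cmds


if __name__ == "__main__":
    for cmd, when in firewall_commands(scan(SAMPLE_LOG)):
        print(f"{when:%b %d %H:%M:%S}  {cmd}")
```

With the defaults, 198.51.100.23 is banned at its third failure (01:10:04) and unbanned ten minutes later, 192.0.2.7 is never touched because a single typo followed by a key login is not an attack, and 203.0.113.9 slips through because its three failures are spread over forty minutes; widen findtime and it gets caught too. The unban command deletes exactly the rule that was inserted, which is why both are built from the same rule string.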
behd
Apprentice
Joined: 11 Feb 2003
Posts: 154

Posted: Thu Sep 08, 2005 7:35 am

Sorry to denigrate, but that's not really interesting/useful if it's the only rule...
If you want a pretty good set of rules for your iptables, have a look at:

http://rocky.molphys.leidenuniv.nl/page/iptables/download.htm

and just:
- customize it to your needs (but most would leave it "as-is")
- configure it
alinv
Guru
Joined: 19 Nov 2002
Posts: 395
Location: Bucharest

Posted: Thu Sep 08, 2005 9:16 am

behd wrote:
Sorry to denigrate, but that's not really interesting/useful if it's the only rule...
If you want a pretty good set of rules for your iptables, have a look at:

http://rocky.molphys.leidenuniv.nl/page/iptables/download.htm

and just:
- customize it to your needs (but most would leave it "as-is")
- configure it


Well, it doesn't have to be the only rule. For instance, I use firehol to generate the basic set of rules and on top of that I use fail2ban, to dynamically alter it.
_________________
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.
S.B.
outspoken
Guru
Joined: 14 Feb 2004
Posts: 464
Location: orlando, fl

Posted: Thu Sep 08, 2005 2:06 pm

Using hosts.allow or hosts.deny is not kernel based; iptables is.

You might want to set up a stricter iptables which allows only from certain hosts and also checks the state of the connection. Also make sure your default policy is set to DROP.

One user suggested tarpitting the connections. This actually is resource intensive and not really recommended, as you are doing something which is not really necessary. Instead you might want to set up an IPS (intrusion prevention system) using snort-inline, which will allow you to reject the connection. You could also forward the connection onto something else, which would throw the attacker a bit, but both methods fall short of holding onto the connection as a truly evil way to deal with the matter. Again, the resources are a question to ask yourself: is it worth the trouble? When someone realizes that you are doing this and decides to flood your system, you may find your connection halted.

Here is a small snippet from my drop script:
Code:

# path to the binary; the full script defines this near the top (assumed definition)
IPTABLES=/sbin/iptables

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

.......

# Allow incoming
# ssh: only NEW connections from this one source; anything else to port 22
# falls through to the INPUT DROP policy
$IPTABLES -A INPUT -p tcp -s 1.2.3.4 --dport 22 -m state --state NEW -j ACCEPT


Replace 1.2.3.4 with the IP address of the system you are allowing to ssh into your system. Repeat that line for each IP you want to allow.
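Putting the thread's pieces together (the per-source ACCEPT and catch-all DROP from the first post, plus the default DROP policies and state tracking from the snippet above), here is an added example, not any poster's script, that generates the whole thing as one iptables-restore file so it loads atomically at boot instead of being built rule by rule with a mix of -I and -A. It assumes IPv4 only (IPv6 would need a separate ip6tables ruleset); the interface, port and source list are parameters, the SSH_IN chain name is my choice, and the addresses used in the usage are constructed.

```python
"""Generate a complete SSH allowlist ruleset in iptables-restore format.

Added example for this thread, not any poster's script.  It combines the
per-source ACCEPT plus catch-all DROP from the first post with the default
DROP policies and state tracking from outspoken's snippet, as one file that
iptables-restore loads atomically.  Assumptions: IPv4 only (IPv6 needs a
separate ip6tables ruleset); interface, port and source list come from the
caller; the addresses in __main__ are constructed.
"""
import ipaddress


def parse_sources(allowed_sources):
    """Validate and de-duplicate the allowed sources (single hosts or CIDR blocks)."""
    if not allowed_sources:
        raise ValueError("empty allowlist would lock everyone out of SSH")
    nets = set()
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.version != 4:
            raise ValueError(f"{src}: IPv6 sources belong in an ip6tables ruleset")
        nets.add(net)
    return sorted(nets)


def build_ssh_ruleset(allowed_sources, iface="eth0", port=22):
    """Return the filter table as iptables-restore text."""
    nets = parse_sources(allowed_sources)
    lines = [
        "*filter",
        # default policies: nothing comes in or through unless a rule allows it
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        ":SSH_IN - [0:0]",
        # loopback, and replies to connections we already accepted
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
        # every NEW SSH connection attempt on the outside interface is judged in SSH_IN
        f"-A INPUT -i {iface} -p tcp --dport {port} -m state --state NEW -j SSH_IN",
        # unrestricted outbound, as in the thread's snippet
        "-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in nets:
        lines.append(f"-A SSH_IN -s {net.with_prefixlen} -j ACCEPT")
    # the allow rules above are always evaluated before this catch-all,
    # whatever order the sources were given in
    lines.append("-A SSH_IN -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def is_allowed(allowed_sources, client_ip):
    """Lockout check: call this with the address you are connected from
    before loading the ruleset on a remote machine."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_sources(allowed_sources))


if __name__ == "__main__":
    import sys
    sources = sys.argv[1:] or ["203.0.113.4", "198.51.100.0/24"]  # constructed
    sys.stdout.write(build_ssh_ruleset(sources))
```

Save the output and load it with iptables-restore, but run is_allowed() with the address you are currently connected from first, since a mistake here locks you out of a remote box. Putting the decision in its own SSH_IN chain means the order in which rules happened to be added can no longer put the DROP ahead of an ACCEPT, which is the trap in hand-built scripts that mix -I and -A.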
zbindere
Guru
Joined: 27 May 2004
Posts: 356
Location: Switzerland

Posted: Fri Sep 09, 2005 11:00 am

Another nice tool:
denyhosts
You can find the ebuild here.
rusxakep
Guru
Joined: 09 Jul 2004
Posts: 458
Location: Moscow, Russia

Posted: Wed Sep 14, 2005 10:33 am

Code:
# --update ... -j DROP first: a source that already has 3 NEW attempts recorded in the last 60 s is dropped
$IPTABLES -A eth0_tcp -p TCP --dport 22 -m state --state NEW -m recent --name fssh --update --seconds 60 --hitcount 3 -j DROP
# --set second: only attempts that got past the check are recorded, so the 4th attempt in 60 s is the first one dropped
$IPTABLES -A eth0_tcp -p TCP --dport 22 -m state --state NEW -m recent --name fssh --set

Allowing only 3 connection tries (NEW connections, of course) in 60 seconds. A good method to stop brute force.

good luck :roll:
alinv
Guru
Joined: 19 Nov 2002
Posts: 395
Location: Bucharest

Posted: Wed Sep 14, 2005 10:58 am

rusxakep wrote:
$IPTABLES -A eth0_tcp -p TCP --dport 22 -m state --state NEW -m recent --name fssh --update --seconds 60 --hitcount 3 -j DROP
$IPTABLES -A eth0_tcp -p TCP --dport 22 -m state --state NEW -m recent --name fssh --set

Allowing only 3 connection tries (NEW connections, of course) in 60 seconds. A good method to stop brute force.

good luck :roll:

What happens to the 4th connection if I already have 3 valid connections in 60 secs?
Or what if the attacker is determined enough? Does he have 30 tries in 10 minutes?
_________________
Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better.
S.B.
rusxakep
Guru
Joined: 09 Jul 2004
Posts: 458
Location: Moscow, Russia

Posted: Thu Sep 15, 2005 7:08 am

The key option is "--state NEW".

Only connection creation passes through this rule.

On my system (with only 1 user), 3/60 is the best setting.

For systems with more and more users, you should edit these settings.

P.S.: It is a necessary method of protection, but not a sufficient one.
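To make the two questions above concrete (what happens to the 4th connection, and whether a patient attacker gets 30 tries in 10 minutes), here is an added example, not code from anyone in the thread and not the kernel's own code, that simulates the bookkeeping behind -m recent and runs the two-rule chain against a few constructed attempt timelines. It models what xt_recent keeps per source (a ring of the last ip_pkt_list_tot timestamps, 20 by default), that --set stamps every packet it sees while --update stamps only the packets it matches, and it compares the --set-first order with the --update-first order. The source address and timelines are constructed; nothing here touches iptables.

```python
"""Simulate iptables -m recent rate limiting of NEW SSH connections.

Added example for this thread; not code from any poster and not the kernel's
code.  It models what xt_recent keeps per source: a ring of the last
ip_pkt_list_tot (default 20) packet timestamps, which --set extends on every
packet and --update extends only when the rule matches.  The timelines below
are constructed, not captured traffic.
"""
from collections import deque

IP_PKT_LIST_TOT = 20  # xt_recent module default: stamps remembered per source


class RecentTable:
    """One named list, like '--name fssh'."""

    def __init__(self):
        self.entries = {}  # source address -> deque of timestamps (seconds)

    def _stamp(self, src, now):
        self.entries.setdefault(src, deque(maxlen=IP_PKT_LIST_TOT)).append(now)

    def set(self, src, now):
        """--set: record this packet; the match itself always succeeds."""
        self._stamp(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the source already has
        at least N stamps within the last S seconds.  On a match the current
        packet is stamped as well, which is what keeps a hammering attacker
        blocked: every dropped attempt extends its own block."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if t >= now - seconds)
        if hits < hitcount:
            return False
        self._stamp(src, now)
        return True


def new_connection(table, src, now, seconds=60, hitcount=3, set_first=False):
    """Run one NEW connection (SYN) through the two rules; True = let through."""
    if set_first:
        # --set first, then --update ... -j DROP
        table.set(src, now)
        return not table.update(src, now, seconds, hitcount)
    # usual order: --update ... -j DROP first, --set only for packets that survive
    if table.update(src, now, seconds, hitcount):
        return False  # DROP
    table.set(src, now)
    return True


def run(times, src="203.0.113.5", **kw):
    """Return the accept/drop outcome for a sequence of attempt timestamps."""
    table = RecentTable()
    return [new_connection(table, src, t, **kw) for t in times]


if __name__ == "__main__":
    print("set first, 4 quick tries:       ", run([0, 1, 2, 3], set_first=True))
    print("update first, 4 quick tries:    ", run([0, 1, 2, 3]))
    burst = run(range(0, 600, 20))   # 30 tries in 10 minutes, one every 20 s
    print("30 tries in 10 min, every 20 s: ", sum(burst), "got through")
    paced = run(range(0, 600, 30))   # 21 tries, one every 30 s
    print("paced at one per 30 s:          ", sum(paced), "of", len(paced), "got through")
```

With --set ahead of --update and hitcount 3, the third attempt is already dropped, so that order gives two tries, not three; with --update first, three attempts pass and the 4th is dropped. A source that keeps retrying every 20 s gets 3 of its 30 attempts through in the whole 10 minutes, because each dropped packet refreshes its own stamps, and it only gets fresh tries after staying quiet for the window. An attacker who paces to one attempt per 30 s never reaches 3 hits in 60 s and is never dropped at all, which is the sense in which this slows a brute force down rather than stopping it.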
outspoken
Guru
Joined: 14 Feb 2004
Posts: 464
Location: orlando, fl

Posted: Thu Sep 15, 2005 6:49 pm

An IP-based method is much more secure than a connection-limiting one.

Connection limiting is helpful when stopping DDoS or ICMP attacks, but for a service connection, especially one like ssh, this is not a reasonable approach to security.

You can turn off keyboard login and make your server key-authentication only as a higher measure of security. This would stop brute-force dictionary attacks.