Łukasz Hejnak wrote:
Gerard Beekmans wrote:
Hey guys,
Hi
Does anybody have other ideas? I'd like to keep ssh open for convenience
reasons.
some iptables config
Another thing is that from my logs I made a list of the most commonly
scanned ports and added them to a black list, so that when a connection
attempt is made to one of them, the IP is banned for an hour.
To be more specific, here's an example of what I'm talking about:
# $ipt is assumed to hold the path to the iptables binary and $MyIP the
# home address that is always let in; both are set earlier in the script.
# First a 'BigTime' chain, for those that there's no hope for ;]
$ipt -N bigtime
$ipt -A bigtime -p tcp -j TARPIT
$ipt -A bigtime -j DROP
# second a 'byebye' chain for those that are supposed to get logged once
$ipt -N byebye
# log the source IP of the packet, as well as compare its fingerprint
# to a set of fingerprints for different OSes, so often I know
# not only the IP, but also the more or less accurate OS version
$ipt -A byebye -p tcp -m osf --log 1 --smart
$ipt -A byebye -j LOG --log-level debug --log-prefix "Bugger byebye: "
$ipt -A byebye -p tcp -j TARPIT
$ipt -A byebye -j DROP
# now here's a chain for the SSH_Brute_Force check
# notice below, as everything that enters this chain is
# tagged with the 'SSH' name
$ipt -N SSH_Brute_Force
# let me in from my home pc
$ipt -A SSH_Brute_Force -s $MyIP -j ACCEPT
# if the packet got here fewer than three times in the last 60s
# (3 login tries), let him through
$ipt -A SSH_Brute_Force -m recent ! --rcheck --name SSH --seconds 60 \
    --hitcount 3 -j ACCEPT
# if this is the fourth attempt within the last 60s then go to byebye,
# where it is logged
$ipt -A SSH_Brute_Force -m recent ! --rcheck --name SSH --seconds 60 \
    --hitcount 4 -j byebye
$ipt -A SSH_Brute_Force -m recent --name SSH --update
# each next attempt will be tarpitted/dropped
$ipt -A SSH_Brute_Force -p tcp -j TARPIT
$ipt -A SSH_Brute_Force -j DROP
# and last but not least, a rule for everything else that hits
# the firewall and should not (non-existing services)
# the list of interesting ports here (I don't serve those outside,
# and nobody should hit them)
porty="20 21 22 23 42 53 137 138 139 143 412 1026 1027 1028 1029 1030 1080 1433 4899 8080 10000 15118"
# notice below, as everything that enters this chain is
# tagged with the 'abuggeri' name
$ipt -N buggerin
# my IP goes through :]
$ipt -A buggerin -i eth0 -s $MyIP -j ACCEPT
# now all of those bad PORTs are re-tagged with the name 'abuggerti'
for port in $porty; do
    $ipt -A buggerin -p tcp --dport $port -m recent --set --name abuggerti
    $ipt -A buggerin -p udp --dport $port -m recent --set --name abuggerti
done
# if the abuggerti appear more than once in an hour,
# they go directly to the BigTime chain
$ipt -A buggerin -m recent --rcheck --name abuggerti --seconds 3600 \
    --hitcount 2 -j bigtime
# else they're logged
$ipt -A buggerin -p tcp -m recent --rcheck --name abuggerti -m osf --log 1 --smart
$ipt -A buggerin -m recent --rcheck --name abuggerti -j LOG --log-level debug \
    --log-prefix "BigtimeI: "
$ipt -A buggerin -m recent --name abuggerti --update
# and then they go to BigTime
$ipt -A buggerin -m recent --rcheck --name abuggerti -j bigtime
# as for other ports, they are logged and blocked for 4 minutes
$ipt -A buggerin -m recent ! --rcheck --name abuggeri --seconds 240 \
    --hitcount 2 -j byebye
$ipt -A buggerin -m recent --name abuggeri --update
$ipt -A buggerin -p tcp -j TARPIT
$ipt -A buggerin -j DROP
# now as for the NEW SSH packets, let's tag them with 'SSH'
$ipt -A INPUT -p tcp --dport 42156 -m state --state NEW -m recent --set \
    --name SSH
# and send all of those 'SSH' to SSH_Brute_Force
$ipt -A INPUT -m recent --rcheck --name SSH -j SSH_Brute_Force
# these two are at the end of the firewall; they redirect anything
# that was not let through (tag it with 'abuggeri') to the buggerin chain
$ipt -A INPUT -m recent --set --name abuggeri
$ipt -A INPUT -m recent --rcheck --name abuggeri -j buggerin
hope this helps :]
All of this was inspired by the 'SSH Brute Force discussion' at netfilter.
The main branch of that thread was started here
(it was in May after all.. ahh.. time flies..)
https://lists.netfilter.org/pipermail/netfilter/2005-May/060299.html
and another one started by me is here:
https://lists.netfilter.org/pipermail/netfilter/2005-May/060578.html
and there are some more in June and July
--
Best wishes
Łukasz Hejnak
--
http://linuxfromscratch.org/mailman/listinfo/lfs-security
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
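To see what the posted SSH_Brute_Force chain actually does to a sequence of login attempts, here is an added example (not code from the message above, and not an lfs or netfilter tool) that replays the rule order from the post against a small model of the iptables `recent` match. The model follows the semantics documented in iptables-extensions(8) for xt_recent: each named list maps a source address to a bounded ring of packet timestamps, `--set` adds the address and stamps it, `--update` adds a stamp only when the address is already listed, and `--rcheck --seconds S --hitcount N` matches when the address is listed and at least N stamps are younger than S seconds. The 60 s window and the 3 / 4 hit thresholds are the ones from the post; the home address (192.0.2.1, standing in for $MyIP), the attacker address (203.0.113.7) and the attempt timings are constructed for the demo, and only NEW packets to the ssh port are fed in.

```python
"""Replay the posted SSH_Brute_Force rules against a model of xt_recent.

Added example, not code from the original post.  RecentList models one
`--name` list of the iptables `recent` match; timestamps are integer seconds.
Addresses and attempt timings are constructed for the demonstration.
"""
from collections import defaultdict, deque

MY_IP = "192.0.2.1"        # stand-in for $MyIP (assumed, documentation range)
ATTACKER = "203.0.113.7"   # constructed source doing the brute force


class RecentList:
    """One named xt_recent list: source address -> ring of packet timestamps."""

    def __init__(self, ip_pkt_list_tot=20):
        # xt_recent keeps at most ip_pkt_list_tot stamps per address (default 20)
        self.entries = defaultdict(lambda: deque(maxlen=ip_pkt_list_tot))

    def set(self, src, now):
        """--set: add the address if missing and record this packet; always matches."""
        self.entries[src].append(now)
        return True

    def update(self, src, now):
        """--update: like --rcheck, but also records this packet when it matches."""
        if src not in self.entries:
            return False
        self.entries[src].append(now)
        return True

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S [--hitcount N]]: listed, and enough recent stamps."""
        if src not in self.entries:
            return False
        stamps = self.entries[src]
        if seconds and hitcount:
            hits = sum(1 for t in stamps if now - t < seconds)
            return hits >= hitcount
        if seconds:
            return now - stamps[-1] < seconds
        return True


def new_ssh_syn(lists, src, now):
    """Verdict for one NEW packet to the ssh port, in the posted rule order."""
    ssh = lists["SSH"]
    ssh.set(src, now)                      # INPUT ... --state NEW -m recent --set --name SSH
    if not ssh.rcheck(src, now):           # INPUT -m recent --rcheck --name SSH -j SSH_Brute_Force
        return "not in SSH list"           # unreachable right after --set; kept for fidelity
    if src == MY_IP:                       # -s $MyIP -j ACCEPT
        return "ACCEPT (my IP)"
    if not ssh.rcheck(src, now, 60, 3):    # ! --rcheck --seconds 60 --hitcount 3 -j ACCEPT
        return "ACCEPT"
    if not ssh.rcheck(src, now, 60, 4):    # ! --rcheck --seconds 60 --hitcount 4 -j byebye
        return "byebye: LOG + TARPIT"      # byebye logs, then TARPITs tcp
    ssh.update(src, now)                   # --update: a second stamp for this same packet
    return "TARPIT (silent)"               # -p tcp -j TARPIT


def simulate(attempts, lists=None):
    """Run (time, src) attempts in order; return [(time, src, verdict), ...]."""
    lists = lists if lists is not None else {"SSH": RecentList()}
    return [(t, src, new_ssh_syn(lists, src, t)) for t, src in attempts]


# Constructed timeline: a burst of five attempts, my own login in the middle,
# then more attempts after the 60 s window has gone quiet.
ATTEMPTS = [
    (0, ATTACKER), (10, ATTACKER), (20, ATTACKER), (25, MY_IP),
    (30, ATTACKER), (40, ATTACKER), (100, ATTACKER), (130, ATTACKER),
    (150, ATTACKER),
]

if __name__ == "__main__":
    for t, src, verdict in simulate(ATTEMPTS):
        print(f"t={t:>4}s  {src:<13} {verdict}")
```

Running it shows three things the comments in the post do not spell out. The first two attempts inside the window are accepted and the third is the one that lands in byebye (logged and tarpitted), because `! --rcheck --hitcount 3` stops matching as soon as three stamps exist and the NEW packet itself is stamped by `--set` before the chain is entered. Every attempt after that is tarpitted silently and stamped twice (once by `--set` in INPUT, once by `--update` in the chain), so the attacker's own retries keep the window alive; once 60 s pass without a packet the count is back to zero and two fresh attempts are accepted again. Two caveats for anyone copying the ruleset: the `-m recent --rcheck --name SSH -j SSH_Brute_Force` rule in INPUT has no port or state match, so every packet from a listed address, including packets of a session that was already accepted, runs through the same counters unless an earlier ESTABLISHED rule handles them; and `TARPIT` and `osf` are not in stock iptables (they come from xtables-addons today, patch-o-matic back then).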