On Thu, 4 Sep 2008, Roberto C. Sánchez wrote:
On Thu, Sep 04, 2008 at 01:29:47PM +0200, Pieter Donche wrote:
I want to counter SSH brute force attacks on the various servers with
This is a good thing to want to do.
Limit:info:SSHA,3,60 net serv tcp 22
There are multiple ways to do this. Here is how I prefer to set it up
on my servers:
SSH/ACCEPT loc $FW
SSH/ACCEPT net $FW - - - -
1/min:2
".. prefer to set it up on my servers": do you mean you have shorewall
running on each of your servers and set it up on each of them as above?
I'm looking for a way to set up on a single firewall between 'net'
and my 'serv' zone (several SSHD running machines) and 'loc' zone (15 to
20 SSHD running machines)
I do not allow SSH connection to $FW from 'net' except for 2 machines
which I manage myself. If I use the RATE LIMIT construct, I guess it
should be used on my
ACCEPT net serv tcp 22
ACCEPT net $SSH_LOC tcp 22
lines?
That lets machines on the local side (which often access things like
svn+ssh that make lots of new connection requests, have unresctricted
access.
- In the log I hope there will be only entries when there occur more
than 3 SSH connections from a same IP in a 60 seconds timeframe,
and not for every SSH connection, is that right?
It is actually a global limit. So, if I trigger the rate limit on your
server trying to attack it, then you also will be prevented from
accessing it until the rate limit allows another connection.
This I don't understand: you and I have different IP adresses when
trying to SSH connect to a machine in my serv or loc zone , and
the http://shorewall.net/Actions.html doc file names the technique
"Limiting Per-IP Connection Rate", so I understand the limit
should be independently applied for different incoming IPs.
A Brute force attacker initiates his attacks from a singe IP (at least
within a timeframe of one minute, next week he might have broken into
a different machine and attack from there) which fast succeeding trials,
then it makes sense to limit the rate to a maximum per minute..
Though, in
practice I have not found this to be too great of a problem, since
scripts often get stuck or bored on rate-limited connections and time
out.
I looked at the 'RATE LIMIT' field in the rules man-page.
The meaning of 'burst' is not clear to me.. I guess it's some sort of
'quantity of requests' but what quantity exactly ??
Though, in your case, port knocking might be a better solution.
- In case the seeker of access is a normal person, just not very well
remembering his password, will he get some warning that he will have
to wait for about a minute after 3 tries?
There will be no warning. The connection will simply appear to hang.
Incidentally, if you allow password-based logins, then there is no way
to guarantee protection from brute force attacks. The only way to
guarantee that a brute force attack will never succeed is to allow only
key-based logins. Also, if you go the route of having key-based logins,
make certain to educate your users on the importance of choosing string
passphrases for their keys and otherwise properly securing them.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
