+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: Remote Access (https://www.linux-noob.com/forums/forum-88.html)
+--- Thread: limit ssh connections - OLD METHOD - DO NOT USE. (/thread-2808.html)
limit ssh connections - OLD METHOD - DO NOT USE. - anyweb - 2005-03-02
to avoid brute forcing on your ssh, limit connections to it using iptables
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-resetplease note if the above doesnt work for you then check if lokkit is running (fedoras/redhat's firewall)
disable it if it is and use iptables to control your ports instead
Quote:iptables-savewill list any previously saved iptables rules.
Quote:[root@www root]# iptables-save# Generated by iptables-save v1.2.9 on Wed Mar 2 14:41:07 2005
*nat
:PREROUTING ACCEPT [79:5539]
:POSTROUTING ACCEPT [28:1666]
:OUTPUT ACCEPT [26:1586]
COMMIT
# Completed on Wed Mar 2 14:41:07 2005
# Generated by iptables-save v1.2.9 on Wed Mar 2 14:41:07 2005
*filter
:INPUT DROP [148:12439]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2707:2040105]
-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Wed Mar 2 14:41:07 2005
that's it, done :)(thanks flukex)
cheers
anyweb
limit ssh connections - OLD METHOD - DO NOT USE. - wizzard - 2005-09-19
ok i did that :
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset
but in /var/log/secure i get :
Sep 8 18:13:46 server sshd[4338]: Failed password for root from ::ffff:141.85.99.76 port 2651 ssh2
Sep 8 18:13:46 server sshd[4339]: Failed password for root from ::ffff:141.85.99.76 port 2651 ssh2
Sep 8 18:13:49 server sshd[4340]: Failed password for root from ::ffff:141.85.99.76 port 2801 ssh2
Sep 8 18:13:49 server sshd[4341]: Failed password for root from ::ffff:141.85.99.76 port 2801 ssh2
Sep 8 18:13:52 server sshd[4342]: Failed password for root from ::ffff:141.85.99.76 port 2927 ssh2
Sep 8 18:13:52 server sshd[4343]: Failed password for root from ::ffff:141.85.99.76 port 2927 ssh2
Sep 8 18:13:54 server sshd[4344]: Failed password for root from ::ffff:141.85.99.76 port 3036 ssh2
Sep 8 18:13:54 server sshd[4345]: Failed password for root from ::ffff:141.85.99.76 port 3036 ssh2
Sep 8 18:14:00 server sshd[4346]: Failed password for root from ::ffff:141.85.99.76 port 3158 ssh2
Sep 8 18:14:00 server sshd[4347]: Failed password for root from ::ffff:141.85.99.76 port 3158 ssh2
Sep 8 18:14:03 server sshd[4348]: Failed password for root from ::ffff:141.85.99.76 port 3397 ssh2
Sep 8 18:14:03 server sshd[4349]: Failed password for root from ::ffff:141.85.99.76 port 3397 ssh2
Sep 8 18:14:06 server sshd[4350]: Failed password for root from ::ffff:141.85.99.76 port 3526 ssh2
so in a minute they open many ssh conection how it is possible ?
limit ssh connections - OLD METHOD - DO NOT USE. - anyweb - 2005-09-20
post your iptables -L output here please
also, what distro ?
cheers
anyweb
limit ssh connections - OLD METHOD - DO NOT USE. - hijinks - 2005-09-20
i noticed you posted this yesterday (9/19) and your logs are from 9/8
so maybe that is why?
limit ssh connections - OLD METHOD - DO NOT USE. - anyweb - 2005-09-20
good point jy heh i never noticed
on a similar note i checked my own /var/log/secure and sure enough it correctly records my log ins via ssh, but does not record the denied logins (as iptables correctly denies tcp/ip if more than 2 per minute)
so my question is, where if anywhere is that logged ? (the denying bit)
cheers
anyweb
limit ssh connections - OLD METHOD - DO NOT USE. - wizzard - 2005-09-21
no i do that long time ago
i post new logs
Sep 21 14:06:53 wiz sshd[2665]: Failed password for invalid user jean from ::ffff:62.117.91.188 port 35303 ssh2
Sep 21 14:07:20 wiz sshd[2668]: Invalid user joachim from ::ffff:62.117.91.188
Sep 21 14:07:20 wiz sshd[2669]: input_userauth_request: invalid user joachim
Sep 21 14:07:23 wiz sshd[2668]: Failed password for invalid user joachim from ::ffff:62.117.91.188 port 36827 ssh2
Sep 21 14:07:50 wiz sshd[2671]: Invalid user corinna from ::ffff:62.117.91.188
Sep 21 14:07:50 wiz sshd[2672]: input_userauth_request: invalid user corinna
Sep 21 14:07:53 wiz sshd[2671]: Failed password for invalid user corinna from ::ffff:62.117.91.188 port 38273 ssh2
Sep 21 14:08:21 wiz sshd[2674]: Invalid user visitor from ::ffff:62.117.91.188
Sep 21 14:08:21 wiz sshd[2675]: input_userauth_request: invalid user visitor
Sep 21 14:08:23 wiz sshd[2674]: Failed password for invalid user visitor from ::ffff:62.117.91.188 port 39686 ssh2
in 2 minute they made many ssh conection
[root@wiz log]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset
DROP all -- 82.79.48.111 anywhere
DROP all -- 192.168.0.0/24 anywhere
DROP all -- 127.0.0.0/8 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:chargen flags:SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- 81-196-170-20.rdsnet.ro anywhere udp spt:domain
ACCEPT udp -- 82.79.48.111 anywhere udp spt:domain
ACCEPT icmp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
limit ssh connections - OLD METHOD - DO NOT USE. - wizzard - 2005-09-22
i make some changes to my firewall seen now its ok .i wait cuple of days to see if i get those logs.
i had 2 ssh rules in my firewall i delete one and let that one with ip limit
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset
and then :
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
i delete the last rule
i will come with a reply
limit ssh connections - OLD METHOD - DO NOT USE. - znx - 2005-09-22
Quote:::ffff:62.117.91.188
This is an ipv6 connection, the iptables rules you are using are for ipv4 only.
You need to use ip6tables to handle ipv6 connections.
limit ssh connections - OLD METHOD - DO NOT USE. - FluKex - 2005-09-29
Ok, we have a new method of rate limiting.
This new method is WAYYY better.
the old -m limit method limits per packet per port.. if you have someone flooding your ssh connetion, it'll actually disable the service all around, causing YOU not to be able to get on. not really the effect you wanted.
This new method, actually bases its rate limit on a per IP basis.
So if you are getting flooded from 1 ip specifically, only that 1 ip will be locked down.
Everyone else will be able to get on still. as long as they stay within the connection limit itself.
I'll be honest. *I* didnt figure this out. i found it on a url
[/url][url=http://www.debian-administration.org/articles/187]http://www.debian-administration.org/articles/187
It does work, as a few linux-noob'ers helped me test it successfully.
-----------
The way the recent module works is fairly straightforward, you basically add IP addresses to a list, which can then be used in the future to test connection attempts against. This allows you to limit the number of connections against either a number of seconds, or connection attempts. In our example we'll do both.
An example is probably the simplest way to illustrate how it works. The following two rules will limit incoming connections to port 22 to no more than 3 attemps in a minute - an more than that will be dropped:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
The --state flag takes a comma seperated list of connection states as an argument, by using "--state NEW" as we did we make sure that only new connections are managed by the module.
The --set parameter in the first line will make sure that the IP address of the host which initiated the connection will be added to the "recent list", where it can be tested and used again in the future i.e. in our second rule.
The second rule is where the magic actually happens. The --update flag tests whether the IP address is in the list of recent connections, in our case each new connection on port 22 will be in the list because we used the --set flag to add it in the preceeding rule.
Once that's done the --seconds flag is used to make sure that the IP address is only going to match if the last connection was within the timeframe given. The --hitcount flag works in a similar way - matching only if the given count of connection attempts is greater than or equal to the number given.
Together the second line will DROP an incoming connection if:
* The IP address which initiated the connection has previously been added to the list and
* The IP address has sent a packet in the past 60 seconds and
* The IP address has sent more than 4 packets in total.
You can adjust the numbers yourself to limit connections further, so the following example will drop incoming connections which make more than 2 connection attempts upon port 22 within ten minutes:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 600 --hitcount 2 -j DROP
If you wish to test these rules you can script a number of connection attempts from an external host with the netcat package.
The following script attempts to connect to the IP address 192.168.1.1 5 times. The first couple of attempts you should see a welcome banner such as "SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4" - after that the script will hang as it's packets are dropped and no response is sent:
#!/bin/bash
for i in `seq 1 5` ; do
echo 'exit' | nc 192.168.1.1 22 ;
done
There's a lot of documentation on the netfilter/iptables firewall, and it's available modules which you can find in the Netfilter Extension HOWTO.
This HOWTO contains documentation on many different modules, along with examples. A recommended read if you're interested in Linux firewalling.
If you wish to experiment with rules and testing it's worth remembering how to remove all active rules. The following commands will flush your iptables filewall, and remove all currently active rules:
iptables -F
iptables -X