Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
limit ssh connections - OLD METHOD - DO NOT USE.
#1

to avoid brute forcing on your ssh, limit connections to it using iptables

 



Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset




 

please note if the above doesnt work for you then check if lokkit is running (fedoras/redhat's firewall)

 

disable it if it is and use iptables to control your ports instead

 

 

Quote:iptables-save
will list any previously saved iptables rules. 

Quote:[root@www root]# iptables-save# Generated by iptables-save v1.2.9 on Wed Mar  2 14:41:07 2005

*nat

:PREROUTING ACCEPT [79:5539]

:POSTROUTING ACCEPT [28:1666]

:OUTPUT ACCEPT [26:1586]

COMMIT

# Completed on Wed Mar  2 14:41:07 2005

# Generated by iptables-save v1.2.9 on Wed Mar  2 14:41:07 2005

*filter

:INPUT DROP [148:12439]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [2707:2040105]

-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT

-A INPUT -p udp -m multiport --dports 53 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 2/min --limit-burst 1 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset

COMMIT

# Completed on Wed Mar  2 14:41:07 2005
 

that's it, done :)(thanks flukex)

 

cheers

 

anyweb

Reply
#2

ok i did that :

 

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1

REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset

 

 

 

but in /var/log/secure i get :

 

Sep 8 18:13:46 server sshd[4338]: Failed password for root from ::ffff:141.85.99.76 port 2651 ssh2

Sep 8 18:13:46 server sshd[4339]: Failed password for root from ::ffff:141.85.99.76 port 2651 ssh2

Sep 8 18:13:49 server sshd[4340]: Failed password for root from ::ffff:141.85.99.76 port 2801 ssh2

Sep 8 18:13:49 server sshd[4341]: Failed password for root from ::ffff:141.85.99.76 port 2801 ssh2

Sep 8 18:13:52 server sshd[4342]: Failed password for root from ::ffff:141.85.99.76 port 2927 ssh2

Sep 8 18:13:52 server sshd[4343]: Failed password for root from ::ffff:141.85.99.76 port 2927 ssh2

Sep 8 18:13:54 server sshd[4344]: Failed password for root from ::ffff:141.85.99.76 port 3036 ssh2

Sep 8 18:13:54 server sshd[4345]: Failed password for root from ::ffff:141.85.99.76 port 3036 ssh2

Sep 8 18:14:00 server sshd[4346]: Failed password for root from ::ffff:141.85.99.76 port 3158 ssh2

Sep 8 18:14:00 server sshd[4347]: Failed password for root from ::ffff:141.85.99.76 port 3158 ssh2

Sep 8 18:14:03 server sshd[4348]: Failed password for root from ::ffff:141.85.99.76 port 3397 ssh2

Sep 8 18:14:03 server sshd[4349]: Failed password for root from ::ffff:141.85.99.76 port 3397 ssh2

Sep 8 18:14:06 server sshd[4350]: Failed password for root from ::ffff:141.85.99.76 port 3526 ssh2

 

 

so in a minute they open many ssh conection how it is possible ?

Reply
#3

post your iptables -L output here please

 

also, what distro ?

 

cheers

anyweb

Reply
#4

i noticed you posted this yesterday (9/19) and your logs are from 9/8

 

so maybe that is why?

Reply
#5

good point jy heh i never noticed

 

on a similar note i checked my own /var/log/secure and sure enough it correctly records my log ins via ssh, but does not record the denied logins (as iptables correctly denies tcp/ip if more than 2 per minute)

 

so my question is, where if anywhere is that logged ? (the denying bit)

 

cheers

 

anyweb

Reply
#6

no i do that long time ago

 

i post new logs

 

Sep 21 14:06:53 wiz sshd[2665]: Failed password for invalid user jean from ::ffff:62.117.91.188 port 35303 ssh2

Sep 21 14:07:20 wiz sshd[2668]: Invalid user joachim from ::ffff:62.117.91.188

Sep 21 14:07:20 wiz sshd[2669]: input_userauth_request: invalid user joachim

Sep 21 14:07:23 wiz sshd[2668]: Failed password for invalid user joachim from ::ffff:62.117.91.188 port 36827 ssh2

Sep 21 14:07:50 wiz sshd[2671]: Invalid user corinna from ::ffff:62.117.91.188

Sep 21 14:07:50 wiz sshd[2672]: input_userauth_request: invalid user corinna

Sep 21 14:07:53 wiz sshd[2671]: Failed password for invalid user corinna from ::ffff:62.117.91.188 port 38273 ssh2

Sep 21 14:08:21 wiz sshd[2674]: Invalid user visitor from ::ffff:62.117.91.188

Sep 21 14:08:21 wiz sshd[2675]: input_userauth_request: invalid user visitor

Sep 21 14:08:23 wiz sshd[2674]: Failed password for invalid user visitor from ::ffff:62.117.91.188 port 39686 ssh2

 

in 2 minute they made many ssh conection

 

 

[root@wiz log]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1

REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset

DROP all -- 82.79.48.111 anywhere

DROP all -- 192.168.0.0/24 anywhere

DROP all -- 127.0.0.0/8 anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN

ACCEPT tcp -- anywhere anywhere tcp dpt:chargen flags:SYN,RST,ACK/SYN

ACCEPT udp -- anywhere anywhere udp dpt:domain

ACCEPT tcp -- anywhere anywhere tcp dpt:domain

ACCEPT udp -- 81-196-170-20.rdsnet.ro anywhere udp spt:domain

ACCEPT udp -- 82.79.48.111 anywhere udp spt:domain

ACCEPT icmp -- anywhere anywhere

DROP udp -- anywhere anywhere

DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Reply
#7

i make some changes to my firewall seen now its ok .i wait cuple of days to see if i get those logs.

i had 2 ssh rules in my firewall i delete one and let that one with ip limit

 

 

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh limit: avg 2/min burst 1

REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with tcp-reset

 

and then :

 

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN

 

i delete the last rule

 

i will come with a reply

Reply
#8

Quote:::ffff:62.117.91.188
 

This is an ipv6 connection, the iptables rules you are using are for ipv4 only.

 

You need to use ip6tables to handle ipv6 connections.

Reply
#9

Ok, we have a new method of rate limiting.

 

This new method is WAYYY better.

 

 

the old -m limit method limits per packet per port.. if you have someone flooding your ssh connetion, it'll actually disable the service all around, causing YOU not to be able to get on. not really the effect you wanted.

 

This new method, actually bases its rate limit on a per IP basis.

 

So if you are getting flooded from 1 ip specifically, only that 1 ip will be locked down.

 

Everyone else will be able to get on still. as long as they stay within the connection limit itself.

 

 

I'll be honest. *I* didnt figure this out. i found it on a url

 

[/url][url=http://www.debian-administration.org/articles/187]http://www.debian-administration.org/articles/187

 

 

It does work, as a few linux-noob'ers helped me test it successfully.

-----------

 

The way the recent module works is fairly straightforward, you basically add IP addresses to a list, which can then be used in the future to test connection attempts against. This allows you to limit the number of connections against either a number of seconds, or connection attempts. In our example we'll do both.

 

An example is probably the simplest way to illustrate how it works. The following two rules will limit incoming connections to port 22 to no more than 3 attemps in a minute - an more than that will be dropped:

 

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \

--set

 

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \

--update --seconds 60 --hitcount 4 -j DROP

 

The --state flag takes a comma seperated list of connection states as an argument, by using "--state NEW" as we did we make sure that only new connections are managed by the module.

 

The --set parameter in the first line will make sure that the IP address of the host which initiated the connection will be added to the "recent list", where it can be tested and used again in the future i.e. in our second rule.

 

The second rule is where the magic actually happens. The --update flag tests whether the IP address is in the list of recent connections, in our case each new connection on port 22 will be in the list because we used the --set flag to add it in the preceeding rule.

 

Once that's done the --seconds flag is used to make sure that the IP address is only going to match if the last connection was within the timeframe given. The --hitcount flag works in a similar way - matching only if the given count of connection attempts is greater than or equal to the number given.

 

Together the second line will DROP an incoming connection if:

 

* The IP address which initiated the connection has previously been added to the list and

* The IP address has sent a packet in the past 60 seconds and

* The IP address has sent more than 4 packets in total.

 

You can adjust the numbers yourself to limit connections further, so the following example will drop incoming connections which make more than 2 connection attempts upon port 22 within ten minutes:

 

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \

--set

 

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \

--update --seconds 600 --hitcount 2 -j DROP

 

If you wish to test these rules you can script a number of connection attempts from an external host with the netcat package.

 

The following script attempts to connect to the IP address 192.168.1.1 5 times. The first couple of attempts you should see a welcome banner such as "SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4" - after that the script will hang as it's packets are dropped and no response is sent:

 

#!/bin/bash

 

for i in `seq 1 5` ; do

echo 'exit' | nc 192.168.1.1 22 ;

done

 

There's a lot of documentation on the netfilter/iptables firewall, and it's available modules which you can find in the Netfilter Extension HOWTO.

 

This HOWTO contains documentation on many different modules, along with examples. A recommended read if you're interested in Linux firewalling.

 

If you wish to experiment with rules and testing it's worth remembering how to remove all active rules. The following commands will flush your iptables filewall, and remove all currently active rules:

 

iptables -F

iptables -X

Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)