Re: Blocking SSH ... BUT...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Ashley M. Kirchner" <ashley@xxxxxxxxxx>
Sent: Tuesday, 2007, September 18 10:53
Subject: Blocking SSH ... BUT...



   Hey all,

I have the following lines in my iptables config file to curb ssh knocking on our servers:

# Let's see if we can curb SSH attacks.
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set

-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j LOG -log-prefix "SSH REJECT: "

-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset


This works great...EXCEPT it also blocks our own access to the servers if we need to get on them in a short amount of time (less than 120 seconds). So how can I still implement the above blocking, but allow anything from our different subnets (we have 4) come through without going through that block routine?

I see the rubes have forgotten the IPTables trick I learned from this
list and have been propagating ever since.

You can tell IPTables to allow X number of attempts from any particular
source for any given port within a interval and then block it. I like
to log such blocked attempts. It's fun to see where would be crackers
come from. If it's a "Western" university I send a note to the sysadmin
with details. (I don't bother with China or Russia, for example.)

The trick look like this for ssh:
# Then setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

As configured it allows one attempt every 3 minutes. If a user messes up
they have to wait three minutes. (When I am on the road I set it down to
one a minute. With a moderately decent password of even exactly 8 characters
the brute force attack would take a rather long time noticeable in the
logs as an unusual number of failed login attempts. In twenty four hours
that's 1440 attacks. Could they get "abcdefgh" as a password in that
period? Only if it is in a small dictionary. And we don't use dictionary
words here.

When I bounce I simple mutter to myself, "Patience, Joanne." That works.

{^_-}
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux