Re: One approach to dealing with SSH brute force attacks.




Jay Leafey wrote:

What I would I like to do is:

- allow 22 from specific IPs
- allow another port (redirected) from anywhere. this port is then redirected to 22.


I do exactly this with a combination of SSH config options and iptables rules. In your /etc/ssh/sshd_config file, find the "Port 22" statement and add a "Port" statement for the desired port, something like:

<snip>
Port 22
Port 20022
Protocol 2
<snip>

Then, in iptables, add the appropriate rules to let incoming connections to port 22 from only specific addresses and to allow port 20022 (or whatever you pick) to be available worldwide. Assuming you wanted port 22 access for a local subnet like 192.168.1.0/24, add the following to the /etc/sysconfig/iptables file before the REJECT statement at the end of the file:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT

After restarting SSH and reloading iptables you should have just what you want. I use this, in addition to blockhosts (http://www.aczoom.com/cms/blockhosts/), on several production systems and the result has been almost total elimination of brute-force attacks on those systems.

Another possibility is a variation on port-knocking using PKI authentication or a shared secret. The project is called fwknop (http://www.cipherdyne.org/fwknop/) and has the potential to almost completely eliminate brute-force attacks.

Essentially, the target port (22 in the case of SSH) is not open at all normally, but a daemon monitors the network interface for a specific packet signed using either a shared secret or a pre-authorized PGP key. When it sees the packet, it opens up the appropriate port for a specified time (usually just a few seconds) to the IP address the packet comes from. This allows a very short time window for the client system to complete its connection before the port gets closed down. I've set this up on a couple of systems so far with excellent results.

Your mileage may vary!
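The single-packet authorization idea Jay describes for fwknop (a port that is closed by default, a daemon that watches for one authenticated packet, and a short-lived opening for the sender's address only) is worth seeing end to end. The Python below is an added example written for this thread, not fwknop's code or its wire format: it uses an HMAC-SHA256 over a JSON payload with a shared secret (the constructed SHARED_SECRET, OPEN_SECONDS and CLOCK_SKEW_SECONDS values are assumptions for illustration), binds the knock to the claimed source address, rejects stale packets and exact replays, and exposes an is_open() check a firewall hook could consult. Real deployments would read the datagram from a raw socket or pcap and insert an iptables rule; here the "firewall" is the allowed table.

```python
import hashlib
import hmac
import json
import os
import time

# Shared secret, provisioned out of band in practice (constructed value for this example).
SHARED_SECRET = b"example-shared-secret-not-for-production"

OPEN_SECONDS = 5          # how long the port stays open after a valid knock (assumption)
CLOCK_SKEW_SECONDS = 30   # replay window / tolerated clock drift (assumption)


def build_knock(secret: bytes, src_ip: str, port: int, now: float) -> bytes:
    """Client side: build an authenticated 'open this port for me' datagram.

    The payload binds the client's source IP, the target port, a timestamp and a
    random nonce; an HMAC-SHA256 over it proves knowledge of the shared secret.
    """
    body = {"src": src_ip, "port": port, "ts": int(now), "nonce": os.urandom(8).hex()}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + mac


class KnockServer:
    """Server side: verify knocks and keep a table of (src_ip, port) -> expiry time."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.allowed = {}      # (src_ip, port) -> expiry timestamp
        self.seen_nonces = {}  # nonce -> ts, for replay detection inside the window

    def handle(self, datagram: bytes, observed_src_ip: str, now: float) -> bool:
        """Return True (and open the port briefly) if the datagram is valid, else False."""
        try:
            raw, mac = datagram.rsplit(b".", 1)
        except ValueError:
            return False                          # not even the right shape
        expected = hmac.new(self.secret, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return False                          # wrong secret or tampered payload
        body = json.loads(raw)                    # only parsed after the MAC checks out
        if abs(now - body["ts"]) > CLOCK_SKEW_SECONDS:
            return False                          # stale: outside the replay window
        if body["src"] != observed_src_ip:
            return False                          # relayed/spoofed from another address
        if body["nonce"] in self.seen_nonces:
            return False                          # exact replay within the window
        self.seen_nonces[body["nonce"]] = body["ts"]
        self._expire_nonces(now)
        self.allowed[(observed_src_ip, body["port"])] = now + OPEN_SECONDS
        return True

    def is_open(self, src_ip: str, port: int, now: float) -> bool:
        """Firewall hook: may a new connection from src_ip to port be accepted now?"""
        expiry = self.allowed.get((src_ip, port))
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[(src_ip, port)]      # window closed; drop the entry
            return False
        return True

    def _expire_nonces(self, now: float) -> None:
        cutoff = now - CLOCK_SKEW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}


if __name__ == "__main__":
    t0 = time.time()
    server = KnockServer(SHARED_SECRET)
    knock = build_knock(SHARED_SECRET, "203.0.113.9", 22, t0)
    print("valid knock accepted:", server.handle(knock, "203.0.113.9", t0))
    print("port open now:", server.is_open("203.0.113.9", 22, t0 + 1))
    print("port open later:", server.is_open("203.0.113.9", 22, t0 + OPEN_SECONDS))
    print("replay accepted:", server.handle(knock, "203.0.113.9", t0 + 1))
```

The source-address binding is what keeps a captured knock useless to a third party, and the nonce table plus timestamp window is what stops the legitimate sender's own packet from being replayed by an observer on the path.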

I didn't think about adding the port in ssh. Thanks for the hint.

I was however looking for a way to implement this without touching sshd ports. After playing a little, I found the following to work

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12345 -j REDIRECT --to-ports 22
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 12345 -j MARK --set-mark 0x22
iptables -A INPUT -m mark --mark 0x22 -j ACCEPT

seems to do it. (12345 is not the real port).
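Both rulesets in this thread depend on the order in which netfilter consults its tables for a locally delivered packet: mangle PREROUTING first, then nat PREROUTING, then filter INPUT. That is why the follow-up's MARK rule can match on port 12345 while the INPUT rule must match on the mark rather than on the port (by the time INPUT runs, REDIRECT has already rewritten the destination to 22, so an INPUT rule keyed on "--dport 22 from the trusted subnet" alone would reject the redirected connection). The Python below is an added example for this thread, not iptables or any project's code: it is a small model of that traversal, covering only connection-opening packets (the "-m state --state NEW" case; ESTABLISHED traffic and conntrack's repeat of the NAT rewrite are out of scope), with Jay's two-port ruleset and the follow-up's REDIRECT+MARK ruleset expressed as predicates. The addresses and ports are the thread's own values; combining the trusted-subnet rule with the redirect rules is an assumption about the poster's intended final policy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields of a TCP SYN that the rules in this thread look at."""
    src: str
    dport: int
    mark: int = 0


# Policy values taken from the thread; combining them is this example's assumption.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
ALT_PORT = 20022        # second sshd listener (Jay's approach)
REDIRECT_PORT = 12345   # placeholder port from the follow-up ("not the real port")
SSH_MARK = 0x22


# --- PREROUTING hooks, in the order the kernel runs them ---------------------

def mangle_prerouting(pkt: Packet) -> None:
    """-t mangle -A PREROUTING -p tcp --dport 12345 -j MARK --set-mark 0x22
    Runs before nat, so it still sees the original destination port."""
    if pkt.dport == REDIRECT_PORT:
        pkt.mark = SSH_MARK


def nat_prerouting(pkt: Packet) -> None:
    """-t nat -A PREROUTING -p tcp --dport 12345 -j REDIRECT --to-ports 22
    After this, everything downstream sees dport 22."""
    if pkt.dport == REDIRECT_PORT:
        pkt.dport = 22


REDIRECT_PREROUTING = [mangle_prerouting, nat_prerouting]   # mangle before nat


# --- filter INPUT rules (each returns True when the rule matches) ------------

def rule_ssh_trusted(pkt: Packet) -> bool:
    """-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT"""
    return pkt.dport == 22 and ipaddress.ip_address(pkt.src) in TRUSTED_NET


def rule_alt_port(pkt: Packet) -> bool:
    """-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 20022 -j ACCEPT"""
    return pkt.dport == ALT_PORT


def rule_marked(pkt: Packet) -> bool:
    """-A INPUT -m mark --mark 0x22 -j ACCEPT"""
    return pkt.mark == SSH_MARK


JAY_INPUT = [rule_ssh_trusted, rule_alt_port]       # two sshd ports, 22 restricted
REDIRECT_INPUT = [rule_ssh_trusted, rule_marked]    # one sshd port, redirected entry


def filter_input(pkt: Packet, ruleset) -> str:
    """Walk INPUT top to bottom; first match wins; the chain ends in REJECT."""
    for rule in ruleset:
        if rule(pkt):
            return "ACCEPT"
    return "REJECT"


def traverse(pkt: Packet, prerouting_hooks, input_ruleset):
    """Run a SYN through PREROUTING then INPUT; return (verdict, dport sshd would see)."""
    for hook in prerouting_hooks:
        hook(pkt)
    return filter_input(pkt, input_ruleset), pkt.dport


if __name__ == "__main__":
    cases = [
        ("Jay: 22 from internet", Packet("203.0.113.9", 22), [], JAY_INPUT),
        ("Jay: 22 from LAN", Packet("192.168.1.5", 22), [], JAY_INPUT),
        ("Jay: 20022 from internet", Packet("203.0.113.9", ALT_PORT), [], JAY_INPUT),
        ("Redirect: 12345 from internet", Packet("203.0.113.9", REDIRECT_PORT), REDIRECT_PREROUTING, REDIRECT_INPUT),
        ("Redirect: 22 from internet", Packet("203.0.113.9", 22), REDIRECT_PREROUTING, REDIRECT_INPUT),
        ("Redirect, no MARK rule: 12345 from internet", Packet("203.0.113.9", REDIRECT_PORT), REDIRECT_PREROUTING, [rule_ssh_trusted]),
    ]
    for name, pkt, pre, inp in cases:
        print(f"{name:45s} -> {traverse(pkt, pre, inp)}")
```

The last case is the one that explains the mangle rule: drop the MARK/mark pair and a redirected connection from outside the trusted subnet reaches INPUT as an ordinary port-22 SYN from an untrusted address and is rejected, even though the nat rule fired.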
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
