Re: SSH Brute force attacks

Taylor, Grant wrote:
Brent Clark wrote:

Based on the fact that you are getting a log entry with the "SSH Brute Force Attempt:  " in the log line, I think that your SSH packets are somehow having more than 3 hits by the time the packets make it to the "iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN" rule.  This makes me think that there are other rules in your filter chains that are setting packets and thus making them continue through the aforementioned rule and not be returned, thus being DROPped.  Try doing an iptables-save and looking at the output to see if it agrees with what you are expecting based on your iptables script; I'm betting that there is something going on in the SSH_Brute_Force chain from a previous test that has slipped your mind.  If you still want / need help please include the results of an iptables-save in your reply.



Grant. . . .


Hi Grant, and list

I have done as advised; hope this helps.

A big thanks to all for enduring me on this list for this thread, I can only imagine how I'm making a nuisance of myself to all.
My apologies for this.


Again to all thanks.

Kind Regards
Brent Clark


# Generated by iptables-save v1.2.9 on Thu May 26 11:35:50 2005
*mangle
:PREROUTING ACCEPT [27:6779]
:INPUT ACCEPT [1804907:969471155]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [563791:72378022]
:POSTROUTING ACCEPT [16:1132]
COMMIT
# Completed on Thu May 26 11:35:50 2005
# Generated by iptables-save v1.2.9 on Thu May 26 11:35:50 2005
*nat
:PREROUTING ACCEPT [14:5635]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu May 26 11:35:50 2005
# Generated by iptables-save v1.2.9 on Thu May 26 11:35:50 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_Brute_Force - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -d 217.199.186.255 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j SSH_Brute_Force
-A INPUT -p tcp -m tcp --dport 10000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j LOG
-A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
-A OUTPUT -j DROP
-A SSH_Brute_Force -s 196.36.10.114 -j RETURN
-A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
-A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
-A SSH_Brute_Force -p tcp -j DROP
COMMIT
# Completed on Thu May 26 11:35:50 2005


############################################################

#!/bin/sh -

IPT=/sbin/iptables

# Rules for gateway

#This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp)
echo 0 > /proc/sys/net/ipv4/ip_dynaddr

# If you do need to forward packets from one interface to another
echo 0 > /proc/sys/net/ipv4/ip_forward

#Clear / Flush all the rules from the different chains and tables

$IPT --flush
$IPT --flush INPUT #Flush the INPUT chain
$IPT --flush OUTPUT #Flush the OUTPUT chain
$IPT --flush FORWARD #Flush the FORWARD chain
$IPT -t nat --flush #Flush the nat table
$IPT -t mangle --flush #Flush the mangle table
$IPT --delete-chain #Delete any pre-existing chains
$IPT -t nat --delete-chain #Delete any pre-existing chains from nat table
$IPT -t mangle --delete-chain #Delete any pre-existing chains from the mangle table


#Setting the default Policies for the chains
$IPT --policy INPUT DROP	#Setting the default policy for INPUT chain
$IPT --policy FORWARD DROP	#Setting the default policy for FORWARD chain
$IPT --policy OUTPUT DROP	#Setting the default policy for the OUTPUT chain

#Setting Nat and mangle to default policy ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

#Accepting traffic for and to internal interface
$IPT -A INPUT -i lo -j ACCEPT		#Allowing unlimited loopback traffic
$IPT -A OUTPUT -o lo -j ACCEPT		#Allowing unlimited loopback traffic

$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT


$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
$IPT -A SSH_Brute_Force -s 196.36.10.114 -j RETURN
$IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$IPT -A SSH_Brute_Force -p tcp -j DROP


$IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 135 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
$IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -j DROP


$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -j DROP


############################################################

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
122 10964 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `INVALID input: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-host-unreachable
38 17821 DROP all -- * * 0.0.0.0/0 217.199.186.255
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
0 0 SSH_Brute_Force tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: SET name: SSH side: source
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-host-unreachable
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp !type 8 LOG flags 0 level 4
1 412 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `[INPUT DROP]: '
1 412 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
124 13260 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `INVALID output: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `[OUTPUT DROP]: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


Chain SSH_Brute_Force (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 196.36.10.114 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 !recent: CHECK seconds: 60 hit_count: 3 name: SSH side: source
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `SSH Brute Force Attempt: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
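Grant's advice is to read the iptables-save output rather than the script. As an added example, not part of the thread, the following Python lint does that reading mechanically. FILTER_DUMP is the poster's filter table from the iptables-save output above, abridged to the INPUT and SSH_Brute_Force rules the check needs and embedded as constructed input; FIXED_DUMP adds one ACCEPT rule that is my proposed correction, not something the thread contains. The lint answers one question per port: when NEW connections are handed to a user chain, can they ever reach an ACCEPT, either inside the chain or in a later INPUT rule that is still reachable before the catch-all DROP? It also flags terminating rules repeated verbatim in a chain, since the second copy can never fire.

```python
"""Lint an iptables-save dump for a NEW-connection path that can never be ACCEPTed.

Added example, not part of the thread.  FILTER_DUMP is the poster's filter table
from the iptables-save output above, abridged to the INPUT and SSH_Brute_Force
rules the check needs; FIXED_DUMP adds the one ACCEPT rule I am proposing, which
is not something the thread contains.
"""
import shlex
from collections import namedtuple

FILTER_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_Brute_Force - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -d 217.199.186.255 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j SSH_Brute_Force
-A INPUT -p tcp -m tcp --dport 10000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A SSH_Brute_Force -s 196.36.10.114 -j RETURN
-A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
-A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
-A SSH_Brute_Force -p tcp -j DROP
COMMIT
"""

# Proposed correction (mine, not from the thread): accept the port-22 NEW packets
# that SSH_Brute_Force hands back with RETURN, by placing an ACCEPT right after the jump.
JUMP_22 = "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j SSH_Brute_Force"
ACCEPT_22 = "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
FIXED_DUMP = FILTER_DUMP.replace(JUMP_22, JUMP_22 + "\n" + ACCEPT_22)

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
MATCH_FLAGS = {"-p", "-s", "-d", "-i", "-o", "-m", "!", "--dport", "--sport"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

Rule = namedtuple("Rule", "chain dport target tokens raw")


def parse_rules(dump):
    """{chain: [Rule, ...]} in append order, which is also evaluation order."""
    rules = {}
    for raw in dump.splitlines():
        raw = raw.strip()
        if raw.startswith(":"):                      # chain declaration line
            rules.setdefault(raw[1:].split()[0], [])
        elif raw.startswith("-A "):
            toks = shlex.split(raw)                  # keeps the quoted --log-prefix intact
            dport = toks[toks.index("--dport") + 1] if "--dport" in toks else None
            target = toks[toks.index("-j") + 1] if "-j" in toks else None
            rules.setdefault(toks[1], []).append(Rule(toks[1], dport, target, toks, raw))
    return rules


def has_match(rule):
    """False for a bare '-A CHAIN -j TARGET' rule, which matches every packet."""
    return any(t in MATCH_FLAGS for t in rule.tokens[2:])


def unaccepted_jumps(rules):
    """(port, chain) pairs where NEW traffic to port is sent to a user chain that
    never ACCEPTs, and no later INPUT rule still reachable before the catch-all
    DROP/REJECT accepts that port either: after RETURN the packet is doomed."""
    user_chains = set(rules) - BUILTIN
    findings = []
    inp = rules.get("INPUT", [])
    for idx, rule in enumerate(inp):
        if rule.dport is None or rule.target not in user_chains:
            continue
        if any(r.target == "ACCEPT" for r in rules[rule.target]):
            continue                                 # the chain itself can accept
        accepted_later = False
        for later in inp[idx + 1:]:
            if later.target == "ACCEPT" and later.dport == rule.dport:
                accepted_later = True
                break
            if later.target in ("DROP", "REJECT") and not has_match(later):
                break                                # catch-all: nothing below is reachable
        if not accepted_later:
            findings.append((rule.dport, rule.target))
    return findings


def shadowed_duplicates(rules):
    """Terminating rules repeated verbatim in one chain; the second copy can never
    fire because the first already decided the same packets."""
    dead = []
    for chain_rules in rules.values():
        seen = set()
        for r in chain_rules:
            if r.raw in seen and r.target in TERMINATING:
                dead.append(r.raw)
            seen.add(r.raw)
    return dead


if __name__ == "__main__":
    for dump, label in ((FILTER_DUMP, "as posted"), (FIXED_DUMP, "with ACCEPT after the jump")):
        print(label, "-> unaccepted jumps:", unaccepted_jumps(parse_rules(dump)))
    print("shadowed:", shadowed_duplicates(parse_rules(FILTER_DUMP)))
```

Against the dump as posted the lint reports ("22", "SSH_Brute_Force"): both RETURN rules in the chain send the packet back to INPUT, where the only rules left for it are the trailing LOG and DROP, so no port-22 NEW connection is ever accepted (the whitelisted 196.36.10.114 included). The duplicated port-113 REJECT is reported as dead. With ACCEPT_22 placed directly after the jump the finding disappears; appending it at the end of INPUT instead would leave it behind the catch-all DROP, which the lint would also catch.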


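The -L -v listing above shows the shape of the chain but not how it behaves over time. As an added example, not part of the thread, the following Python model re-implements only the pieces of the recent match that the ruleset uses (--set records a timestamp per source; --rcheck --seconds 60 --hitcount 3 is true when the source has at least three timestamps inside the last 60 seconds, the one --set just wrote for the current packet included) and walks a NEW port-22 packet through INPUT, into SSH_Brute_Force and back. The addresses 203.0.113.5 and 198.51.100.9 are documentation addresses chosen for the example; the accept_after_jump switch models one extra ACCEPT rule that I am proposing and that the thread does not contain; the SYN retransmit schedule and the conntrack assumption behind it are labelled in the code.

```python
"""Time-based model of the posted port-22 path: INPUT -> SSH_Brute_Force -> INPUT.

Added example, not part of the thread.  It re-implements only the xt_recent
behaviour the ruleset relies on: --set appends a timestamp for the source to the
'SSH' list; --rcheck --seconds S --hitcount N is true when that source has at
least N timestamps inside the last S seconds, the timestamp --set just wrote for
the current packet included.  List size limits, --rttl and the INPUT rules that
cannot match a NEW SYN to port 22 are left out.
"""

WHITELIST = {"196.36.10.114"}     # the '-s ... -j RETURN' rule at the top of the chain
SECONDS, HITCOUNT = 60, 3         # the --rcheck parameters from the dump


class RecentList:
    """The '--name SSH --rsource' list: source address -> timestamps of --set hits."""

    def __init__(self):
        self.hits = {}

    def set(self, src, now):
        self.hits.setdefault(src, []).append(now)

    def rcheck(self, src, now, seconds, hitcount):
        window = [t for t in self.hits.get(src, []) if now - t <= seconds]
        return len(window) >= hitcount


def input_chain(src, now, recent, accept_after_jump):
    """Verdict and LOG prefixes for one NEW TCP packet to port 22 from src.

    accept_after_jump=False reproduces the dump as posted; True models one extra
    rule, '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT', placed
    right after the jump (my proposed fix, not something from the thread)."""
    logs = []
    recent.set(src, now)                         # '-m recent --set' on the jump rule
    # ---- SSH_Brute_Force ----
    if src in WHITELIST or not recent.rcheck(src, now, SECONDS, HITCOUNT):
        verdict = "RETURN"                       # either of the two RETURN rules
    else:
        logs.append("SSH Brute Force Attempt: ")
        return "DROP", logs                      # LOG, then '-p tcp -j DROP'
    # ---- back in INPUT, after the jump rule ----
    if accept_after_jump:
        return "ACCEPT", logs
    # As posted, no later INPUT rule matches dport 22, so the packet reaches the
    # trailing '-j LOG --log-prefix "[INPUT DROP]: "' and '-j DROP'.
    logs.append("[INPUT DROP]: ")
    return "DROP", logs


def legit_client(src, recent, accept_after_jump, syn_times=(0, 1, 3, 7)):
    """One person typing 'ssh host' once.  Assumption (not from the thread): a SYN
    dropped in the filter table never gets a confirmed conntrack entry, so each
    retransmitted SYN is --state NEW again and trips --set again.  syn_times is
    a constructed exponential-backoff schedule, not a measured one."""
    trace = []
    for t in syn_times:
        verdict, logs = input_chain(src, t, recent, accept_after_jump)
        trace.append((t, verdict, logs))
        if verdict == "ACCEPT":
            break
    return trace


def scanner(src, recent, accept_after_jump, attempts=6, interval=5):
    """Verdicts for 'attempts' separate connections, 'interval' seconds apart
    (constructed timing), as a password-guessing tool would produce."""
    return [input_chain(src, i * interval, recent, accept_after_jump)[0]
            for i in range(attempts)]


if __name__ == "__main__":
    for label, fixed in (("as posted", False), ("with ACCEPT after jump", True)):
        print(label)
        for t, verdict, logs in legit_client("203.0.113.5", RecentList(), fixed):
            print(f"  t={t:>2}s SYN -> {verdict:6} {''.join(logs)}")
        print("  scanner:", scanner("198.51.100.9", RecentList(), fixed))
```

Run as posted, a single ssh from a normal client produces two "[INPUT DROP]" lines followed by "SSH Brute Force Attempt" lines: each retransmitted SYN is another --set hit, and by the third one the negated --rcheck stops returning. Nothing ever reaches an ACCEPT, the whitelisted 196.36.10.114 included. With the ACCEPT in place the whitelisted host always gets in, a normal client gets in on the first SYN, a scanner's third connection inside 60 seconds is logged and dropped, and connections spaced more than 60 seconds apart are never counted together. Note that --hitcount 3 counts the packet that --set just recorded, so three quick logins from one host (three terminals opened in a row) also trip the rule; raise the hitcount or the window if that is too tight for the users involved.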

