FW: NEW "SSH Brute Force " ruleset (20050628.0)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

has anyone used "expire" module to append a new rule that will last for
hour/day/week depending on number of new connection to sshd in one minute?

I am not an expert here but I saw that module and this ruleset was first
that came to my mind... suggestions??

Regards,

Edvin Seferovic

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of /dev/rob0
Sent: Sonntag, 04. September 2005 07:01
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: NEW "SSH Brute Force " ruleset (20050628.0)

I'm glad this came up again, because I have my own, simpler solution 
working. Mine only depends on the -m limit and -m state match 
extensions, both fairly standard and widely used.

My firewalls generally have a "State" chain called first from both 
FORWARD and INPUT, with these rules:
-A State -m state --state INVALID -j DROP
-A State -m state --state RELATED,ESTABLISHED -j ACCEPT

"--state RELATED" lets in the ssh attack bots, so I've diverted SSH 
packets in the State chain:
-A State -m state --state INVALID -j DROP
-A State -p tcp --dport 22 -j Ssh
-A State -m state --state RELATED,ESTABLISHED -j ACCEPT

The new "Ssh" chain does this:
-A Ssh -m state --state ESTABLISHED -j ACCEPT
# [ a rule to allow from internal hosts here, optional ]
-A Ssh -m limit --limit 3/m -j ACCEPT
-A Ssh -m limit --limit 1/m j LOG --log-prefix "SSH attack: "
-A Ssh -j REJECT
# or DROP if you prefer

It does seem to work to repel the attacks. IME of watching a couple 
attacks hit, they quit and move on after the rejections start. Script 
kiddie phishers don't deal well with rejection. :)

However, this might not be practical for a public shell server with a 
lot of users. (I guess. I don't know exactly how the --limit is 
applied. Is that 3/m from the whole Internet, or 3/m from any given 
host?)

Another curious thing about the --limit is that when I stress test it:
for X in `seq 99` ; do
    echo $X | nc target.hostname ssh & echo -n $X
done
with 3/m I get 5 connections through, and usually about 5 logged with 
the 1/m limit. That test just now got 8 connections through (not all 
made it in the first minute.)

I don't think the limit will cause me any problems; even if I had to 
retype a password I get 3 chances before sshd cuts me off, and those 
retries are in "--state ESTABLISHED".
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux