Countering some types of SSH spoofing with NFTables

Greetings,

There is some discussion on another list about dealing with the problem
of a type of spoofed SSH connection.  Here is a description of the
problem, along with how to use tcpdump to identify it:

	https://delroth.net/posts/spoofed-mass-scan-abuse/

One solution offered in a message on the other list was to add the
following rule into its own table:

	nft add rule ip accounting input \
		tcp sport 22 tcp flags == syn\|ack counter

The following seems to load without error and I have some beginner level
questions.  Specifically, I wonder how or if it does the job.

Also,

1) Do port 22 IPv4 packets pass through both tables?  They seem to.  But
how can I verify that?

2) Is a second similar table needed for IPv6?

3) Are the counters for port 22 in the 'filter4' table redundant with
the counters for port 22 in the 'accounting' table?

Any explanations or corrections welcome.

/Lars

#!/usr/sbin/nft -f
# vim:set ts=4:

flush ruleset

table ip filter4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" ip saddr 127.0.0.0/8 \
			ip daddr 127.0.0.0/8 counter accept
		ct state established,related counter accept
		icmp type echo-request limit rate 1/second \
			counter accept
		tcp dport 22 ct state new limit rate 4/minute \
			counter accept
		counter reject
	}
	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" ip saddr 127.0.0.0/8 \
			ip daddr 127.0.0.0/8 counter accept
		ip protocol tcp counter accept
		ip protocol udp counter accept
		ip protocol icmp counter accept
		counter reject
	}
}
table ip accounting {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp sport 22 tcp flags == 0x12 counter
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
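Added example, not part of Lars's message: a short Python script that reads `nft -j list ruleset` output (here a constructed sample laid out the way the libnftables JSON schema presents rules, which is an assumption, with made-up packet counts) and lists every port-22 rule that carries a counter, keyed by table, chain and whether it matches sport or dport. Run against the live ruleset it shows whether the counters in both tables move, and it makes visible that the filter4 counter (dport 22, new connections) and the accounting counter (sport 22, SYN/ACK) count different packets.

```python
import json

# Constructed sample of `nft -j list ruleset` output for the two tables in the
# message above (libnftables JSON layout as assumed here; packet counts and
# handles are made up for illustration).
SAMPLE = json.dumps({"nftables": [
    {"table": {"family": "ip", "name": "filter4", "handle": 1}},
    {"rule": {"family": "ip", "table": "filter4", "chain": "input", "handle": 5, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": 22}},
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}},
        {"limit": {"rate": 4, "per": "minute"}},
        {"counter": {"packets": 17, "bytes": 1020}},
        {"accept": None}]}},
    {"table": {"family": "ip", "name": "accounting", "handle": 2}},
    {"rule": {"family": "ip", "table": "accounting", "chain": "input", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "sport"}},
                   "right": 22}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "flags"}},
                   "right": {"|": ["syn", "ack"]}}},
        {"counter": {"packets": 3, "bytes": 180}}]}},
]})


def port22_counters(nft_json):
    """Map (family, table, chain, 'sport'|'dport') -> packets for every rule
    that matches TCP port 22 and carries a counter."""
    found = {}
    for item in json.loads(nft_json)["nftables"]:
        rule = item.get("rule")
        if not rule:
            continue
        port_field, packets = None, None
        for expr in rule["expr"]:
            match = expr.get("match")
            # A payload match on tcp sport/dport with a literal right-hand side of 22.
            if match and match.get("right") == 22:
                payload = match["left"].get("payload", {})
                if payload.get("protocol") == "tcp":
                    port_field = payload.get("field")
            if "counter" in expr:
                packets = expr["counter"]["packets"]
        if port_field and packets is not None:
            found[(rule["family"], rule["table"], rule["chain"], port_field)] = packets
    return found


if __name__ == "__main__":
    # For the live ruleset, feed in subprocess.check_output(["nft", "-j", "list", "ruleset"]).
    for key, pkts in sorted(port22_counters(SAMPLE).items()):
        print("{}/{}/{} tcp {} 22: {} packets".format(*key, pkts))
```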
