Re: Countering some types of SSH spoofing with NFTables

On Sun, 3 Nov 2024, at 10:08 AM, Kerin Millar wrote:
> On Sun, 3 Nov 2024, at 7:51 AM, Lars Noodén wrote:
>> Greetings,
>>
>> There is some discussion on another list about dealing with the problem
>> of a type of spoofed SSH connection.  Here is a description of the
>> problem, along with how to use tcpdump to identify it:
>>
>> 	https://delroth.net/posts/spoofed-mass-scan-abuse/
>>
>> One solution offered in a message on the other list was to add the
>> following rule into its own table:
>>
>> 	nft add rule ip accounting input \
>> 		tcp sport 22 tcp flags == syn\|ack counter
>>
>> The following seems to load without error and I have some beginner level
>> questions.  Specifically, I wonder how or if it does the job.
>
> For that rule to be of any conceivable value, you would have to refrain 
> from ever using your host to connect to an instance of sshd(8) that is 
> listening on port 22. Moreover, it does not account for RST 
> backscatter, should that be the job in question.

Upon reading your post a second time, I noticed that your sample ruleset already contains a rule that depends upon connection tracking. As such, you could use state matching to assist in accounting for backscatter.

table ip filter4 {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid goto invalid
		# ...
	}

	chain invalid {
		tcp flags == syn|ack counter comment "possible backscatter from bound port"
		tcp flags == rst|ack log counter comment "possible backscatter from unbound, unfiltered port"
	}
}

Owing to the use of goto, this would also serve to have invalid packets be dropped.

On a different note, rules such as the one below are incorrect.

  iif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept

The lo interface is used for all packets that both originate from - and are destined to - addresses belonging to the host. You should remove the "ip saddr" and "ip daddr" components.

--
Kerin Millar
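The two points above (counting backscatter from a `ct state invalid` chain reached by goto, and the loopback rule without address matches) combined into one loadable ruleset. This is an added example, not a ruleset posted in the thread; the original poster's full ruleset is not on this page, so the loopback, established/related and port-22 accept rules in the input chain are assumptions standing in for it.

```nft
#!/usr/sbin/nft -f
flush ruleset

table ip filter4 {
	chain input {
		type filter hook input priority filter; policy drop;

		# lo only ever carries traffic from the host to itself, so no
		# "ip saddr"/"ip daddr" match is needed (assumed rule).
		iif "lo" counter accept

		# Replies to flows this host opened, including the SYN/ACK from a
		# remote sshd we connected to, are tracked as established and
		# accepted here, so they never reach the backscatter counters
		# (assumed rule).
		ct state established,related counter accept

		# Packets conntrack cannot tie to any flow, e.g. a SYN/ACK or
		# RST/ACK provoked by a SYN carrying our spoofed address, are
		# counted in the invalid chain; because this is a goto, they then
		# fall through to this chain's drop policy.
		ct state invalid goto invalid

		# Genuine new connections to our own sshd (assumed rule).
		tcp dport 22 ct state new counter accept
	}

	chain invalid {
		tcp flags == syn|ack counter comment "possible backscatter from bound port"
		tcp flags == rst|ack log counter comment "possible backscatter from unbound, unfiltered port"
	}
}
```

Load it with `nft -f` and read the counters back with `nft list chain ip filter4 invalid`; only packets conntrack classified as invalid contribute to them.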
