I love IP Tables....

Manuel Arostegui Ramirez manuel at todo-linux.com
Sat May 26 06:45:25 UTC 2007


On Friday, 25 May 2007 22:09, jdow wrote:
> From: "jdow" <jdow at earthlink.net>
>
> >I craft my own firewall here using iptables.
> >
> > I have a favorite trick I learned from someone else a few years ago that
> > I use to handle ssh security. Since ssh breaks every once in a while and
> > I like to leave it open, it gets special security efforts.
> >
> > The trick is quite simple within iptables. If I get one connection
> > failure I have to wait several seconds before making a retry. ("OK,
> > Joanne, don't hyperventilate. Just count to 10 and try again." {^_-})
> >
> > The common attack is a dictionary attack with several attempts a second.
> > So of course, they get one shot to crack a password, usually for
> > <snicker> root, which is dumb to begin with. After that first attempt
> > they are blocked for the rest of their run.
> >
> > If they are canny enough to figure out "wait N seconds and then try
> > again" they can dictionary attack me no more than about 43000 attempts
> > per day if they cut back to one every couple seconds. If I do not have a
> > dictionary word (or even a word) as a password, it is not 8 characters,
> > and so forth how long would it take to guess "Fis8ottlemew" or something
> > equally silly? The universe would grow cold, first.
> >
> > So good attack developers (bless them in a left handed sort of way) are
> > smart enough not to attack for more than a minute or so, a few hundred
> > packets floating in the attack, before they quit. The bad ones run up to
> > maybe 3000 or 4000 attempts to stop.
> >
> > Now, I have to wonder about the quality of education in Albania after
> > last night. An Albanian cracker, or at least an idiot originating an
> > attack from albtelecom.al (217.24.240.77) wasted three full hours and
> > 36807 connection attempts to get ONE, exactly ONE, shot at cracking
> > my system, the first attempt. All others were rejected and logged. I
> > just gotta shake my head at the pathetic twit who created the software
> > that made that attempt. At least my machine kept a whole lot of other
> > machines from being attacked and I got a huge laugh about it. (And
> > albtelecom.al finds its little block as one of my permanent blocks in
> > the firewall, now. This is not the first attack from that /20 block!)
> >
> > I love IPTables.
> >
> > {^_-}    Joanne
>
> People asked - here is the answer:
> # Then setup the reject trap
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
>


I've been using this for a long time, it's quite similar:

iptables -N attacks
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j attacks
iptables -A attacks -m state --state NEW -m recent --set --name SSH
iptables -A attacks -m state --state NEW -m recent --update --seconds 60 \
  --hitcount 4 --name SSH
iptables -A attacks -m state --state NEW -m recent --rcheck --seconds 60 \
  --hitcount 4 --name SSH -j DROP

Cheers
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
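To see what the two rule sets in this thread actually do to a burst of SSH connection attempts, here is an added Python model of the iptables `recent` match (`--set`, `--rcheck`, `--update` with `--seconds`/`--hitcount`); it is not code from either poster. It assumes the module's default ring of 20 timestamps per source (`ip_pkt_list_tot`), that a SYN neither rejected nor dropped is accepted later in the chain, and the source address and attempt times are constructed.

```python
from collections import defaultdict, deque

LIST_LEN = 20  # xt_recent default ip_pkt_list_tot: stamps kept per source


class RecentTable:
    """One --name list: per-source ring of packet timestamps (seconds)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_LEN))

    def _hits(self, src, now, seconds):
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def set(self, src, now):
        # --set: record this packet (creates the entry if needed); always matches
        self.stamps[src].append(now)
        return True

    def rcheck(self, src, now, seconds, hitcount, update=False):
        # --rcheck: match when >= hitcount stamps fall inside the last `seconds`;
        # --update additionally records this packet, but only on a match
        if src not in self.stamps:
            return False
        matched = self._hits(src, now, seconds) >= hitcount
        if matched and update:
            self.stamps[src].append(now)
        return matched


def jdow_verdict(table, src, now):
    """jdow's rules: --set, then --rcheck 180 s / hitcount 2 -> LOG and REJECT."""
    table.set(src, now)           # every SYN refreshes the window, even rejected ones
    return "REJECT" if table.rcheck(src, now, 180, 2) else "ACCEPT"


def manuel_verdict(table, src, now):
    """Manuel's 'attacks' chain: --set, --update 60 s / 4 (no -j), --rcheck 60 s / 4 -> DROP."""
    table.set(src, now)
    table.rcheck(src, now, 60, 4, update=True)   # no target: packet just continues
    return "DROP" if table.rcheck(src, now, 60, 4) else "ACCEPT"


def replay(verdict, times, src="203.0.113.7"):
    """Replay SYNs from one constructed source at the given times; return verdicts."""
    table = RecentTable()
    return [verdict(table, src, t) for t in times]


if __name__ == "__main__":
    burst = [0, 0.5, 1, 1.5, 2, 100, 200, 400]   # constructed attempt times (s)
    for name, rules in (("jdow", jdow_verdict), ("manuel", manuel_verdict)):
        print(name, list(zip(burst, replay(rules, burst))))
```

With this burst jdow's rules admit only the first SYN and the one sent after 180 s of silence, while Manuel's chain admits three per minute and then drops until the window has expired.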



