Mailing List CGatePro@mail.stalker.com Message #92457
From: Graeme Fowler <G.E.Fowler@lboro.ac.uk>
Subject: Re: OT: dealing with SSH probes - was: Re: Case Study Request
Date: Tue, 04 Sep 2007 20:40:40 +0100
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Evolution 2.8.3 (2.8.3-2.fc6)
On Tue, 2007-09-04 at 13:54 -0500, Lyle Giese wrote:
> Change the port ssh is listening to.  You don't have to run ssh on the
> 'standard' port.  It will work on almost any unused port above 1024.

It will work on *any* unused port above 1024, as will any other TCP
server :)

Anyway: for those running a reasonably recent Linux kernel, you can do
clever things with the 'hashlimit' and 'recent' modules. I use the
following (tune it to suit your environment) in /etc/sysconfig/iptables
(line continuations marked with \):

#### START OF FILE ####
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0-firewall-INPUT - [0:0]

# Log connection attempts listed in SSH_SCANNERS recent list
-A INPUT -i eth0 -m recent --name SSH_SCANNERS \
        --rcheck -j LOG --log-prefix "[SSH_SCANNERS]: "

# Reject those we just logged outright
-A INPUT -i eth0 -m recent --name SSH_SCANNERS \
        --rcheck -j REJECT --reject-with icmp-host-prohibited

# Jump to eth0-firewall-INPUT chain (RedHat-ism)
-A INPUT -i eth0 -j eth0-firewall-INPUT
-A FORWARD -i eth0 -j eth0-firewall-INPUT

# Main ruleset
# Allow all inbound ICMP
-A eth0-firewall-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow IPSEC traffic for VPN purposes
-A eth0-firewall-INPUT -p ah -j ACCEPT

# Allow established,related traffic
-A eth0-firewall-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Create 'ssh' hashlimit table
# 6 SYN packets/minute maximum per source address (burst of 6);
# --hashlimit-htable-expire is in milliseconds, so idle entries
# drop out of the table after 60 seconds
-A eth0-firewall-INPUT -p tcp -m tcp -s 0/0 --dport 22 --syn \
        -m hashlimit --hashlimit 6/min --hashlimit-mode srcip \
        --hashlimit-name hashlimit_ssh --hashlimit-burst 6 \
        --hashlimit-htable-expire 60000 -j ACCEPT

# Log those over 6 SYN packets/min
-A eth0-firewall-INPUT -p tcp -m tcp -s 0/0 --dport 22 --syn \
        -j LOG --log-prefix "[SSH_RATELIMIT]: "

# Reject those over 6 SYN packets/min
# Also update the SSH_SCANNERS recent table (used above) if
# we've seen them in the last 60 seconds
-A eth0-firewall-INPUT -p tcp -m tcp -s 0/0 --dport 22 --syn \
        -m recent --name SSH_SCANNERS --update --seconds 60 \
        -j REJECT --reject-with icmp-host-prohibited

# Reject those over 6 SYN packets/min
# Also add them to the SSH_SCANNERS recent table (used above)
-A eth0-firewall-INPUT -p tcp -m tcp -s 0/0 --dport 22 --syn \
        -m recent --name SSH_SCANNERS --set \
        -j REJECT --reject-with icmp-host-prohibited

# Finally accept SSH traffic if it doesn't transgress
-A eth0-firewall-INPUT -p tcp -m state --state NEW -m tcp --dport 22 \
        -j ACCEPT

# Accept CGP traffic
-A eth0-firewall-INPUT -p tcp -m state --state NEW -m tcp -m multiport \
        --dports 8010,9010,8100,9100 -j ACCEPT

# Reject everything else!
-A eth0-firewall-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT
#### END OF FILE ####


What that does is keep a realtime list
in /proc/net/ipt_recent/SSH_SCANNERS of external users who have exceeded
6 SYNs/minute to my SSH server. That way, they get 5 brute force
attempts and then *plonk*, they can't reach the server at all.

I currently have 100 hosts listed (which is the module's default
maximum, so could be many more) since last reboot (48 days) - this is my
home machine - and in the last few weeks I've dropped:

/var/log/messages.4: 54994
/var/log/messages.3: 22542
/var/log/messages.2: 46014
/var/log/messages.1: 71248
/var/log/messages:   16320

...packets. I could stop logging, but I like the stats :)

The only issue is that it doesn't survive reboots, but that's a sysadmin
issue.

Graeme
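As an added example (not part of Graeme's message or the ruleset he posted), the script below does two things a practitioner running that ruleset usually wants next: it summarises the kernel LOG lines the "[SSH_RATELIMIT]" and "[SSH_SCANNERS]" rules produce (the per-file packet counts quoted above, plus a per-source breakdown), and it turns a saved copy of /proc/net/ipt_recent/SSH_SCANNERS into the "echo +addr" commands that re-seed the recent list after a reboot. The log lines and the proc dump are constructed for illustration, not captured from a real host; the proc path is passed as a parameter so the generator can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of Graeme's message: summarise the netfilter LOG
# lines emitted by the SSH ruleset, and generate the commands that re-seed
# the SSH_SCANNERS 'recent' list after a reboot. All sample data below is
# constructed for illustration.

# Constructed /var/log/messages lines in the standard netfilter LOG format,
# with the prefixes set by --log-prefix in the ruleset. One unrelated sshd
# line is included to show that it is ignored.
SAMPLE_LOG='Sep  4 20:01:10 hub kernel: [SSH_RATELIMIT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31337 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 20:01:11 hub kernel: [SSH_SCANNERS]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31338 DF PROTO=TCP SPT=50124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 20:01:12 hub kernel: [SSH_SCANNERS]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31339 DF PROTO=TCP SPT=50125 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 20:01:30 hub kernel: [SSH_RATELIMIT]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 20:01:31 hub kernel: [SSH_SCANNERS]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4243 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 20:02:00 hub sshd[1234]: Accepted publickey for graeme from 192.0.2.50 port 4000 ssh2'

# Constructed dump of /proc/net/ipt_recent/SSH_SCANNERS: one "src=..." line
# per tracked address. xt_recent on newer kernels exposes the same layout
# under /proc/net/xt_recent/.
SAMPLE_RECENT='src=198.51.100.7 ttl: 49 last_seen: 4295162 oldest_pkt: 1 4295162
src=203.0.113.9 ttl: 51 last_seen: 4295899 oldest_pkt: 1 4295899'

# Count logged packets per LOG prefix, i.e. the per-file totals from the
# message but split into rate-limited vs. already-listed scanners.
# Usage: count_by_prefix < /var/log/messages
count_by_prefix() {
    awk '
        /kernel: \[SSH_[A-Z]+\]:/ {
            match($0, /\[SSH_[A-Z]+\]/)
            prefix = substr($0, RSTART + 1, RLENGTH - 2)
            n[prefix]++
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }
    ' | sort
}

# Rank source addresses by number of logged packets across both prefixes.
# Output: "<count> <SRC>", most active first.
# Usage: top_sources < /var/log/messages
top_sources() {
    awk '
        /kernel: \[SSH_(SCANNERS|RATELIMIT)\]:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Turn a saved proc dump into the commands that re-add each address.
# Both ipt_recent and xt_recent accept "+addr" written to the list's proc
# file; the path is a parameter so this can be tested without root.
# Usage: recent_restore_cmds /proc/net/ipt_recent/SSH_SCANNERS < saved_dump
recent_restore_cmds() {
    procfile=$1
    awk -v f="$procfile" '
        /^src=/ { split($1, kv, "="); printf "echo +%s > %s\n", kv[2], f }
    '
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | count_by_prefix
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_RECENT" | recent_restore_cmds /proc/net/ipt_recent/SSH_SCANNERS
```

To make the block list survive a reboot, save the proc file at shutdown (for example `cat /proc/net/ipt_recent/SSH_SCANNERS > /var/lib/ssh_scanners.saved`) and, after iptables-restore has loaded the ruleset at boot (the list only exists once a rule references it), run the generated "echo +addr" lines as root. Because the INPUT rules use --rcheck with no --seconds, a restored address stays blocked until it is pushed out of the 100-entry table by newer ones, exactly as a live entry would be.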
