Blueforce (User)
Posts: 192
SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/13 18:08
Hi Joe,
We get thousands of login attempts each day on SSH, and yesterday I ran into this on the web: a simple fix to the firewall to get rid of some attacks on SSH. Is it worth trying/using? If so, how should I enter this in Webmin, or should I use SSH to add it? How should the line look that I enter, or can I use this "as is"?
Please take a look and see what you think about this.
Regards, Leif
-----------------------------------
Here's an easy fix. It drops new SSH connections coming from the same IP at intervals of less than 15 s (or any timeout you want). On my server, this has stopped the automated attempts at the first failed connection, and even if the attacker waits for the 15 s, it makes brute-force attempts impractical.
For legit sessions, 15 s is reasonable (at least for me) between session starts.
It's just two lines in the iptables configuration. No other change required:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
(eth0 is my external interface; I'm not limiting intranet connections)
This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s [REMOTENET] -d [OUTERNET]
above that, to accept established connection packets.
-----------------------------------

Joe (Admin)
Posts: 4117
Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/13 19:20
Hey Leif,
Probably an excellent idea. I didn't know iptables could do that! I learn something new every day.
I don't think the Linux Firewall module covers the "-m" or "--update" or "--set" options...so I think you'll need to run it on the command line. The rules given are generic (except the interface eth0, which will likely apply to you, but it's not certain).
That last bit, about accepting established packets, is a bit more specific, and you do need to fill in your outside network in place of OUTERNET (obviously)...but you don't need to include the -s field at all. (At least, I'm pretty sure you don't. I can't think of why it would be necessary if you want it to apply to all incoming traffic.)

Blueforce (User)
Posts: 192
Re: Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/13 19:54
OK, can I use these lines as they are:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
or do I modify something in them?
Should this line look like this, and be just above the other two:
iptables -A INPUT -j ACCEPT -p tcp ! --syn -d [OUTERNET]
Do you need to see my iptables? I can post it here if you like.
Regards, Leif

Joe (Admin)
Posts: 4117
Re: Re: Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/13 21:19
The top two:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
Are correct as-is, assuming your primary world-facing interface is actually eth0 (it almost certainly is).
The third one (which actually should be inserted before the other two) should be modified to have your IP address or the network on which it lives in place of OUTERNET. i.e.:
iptables -A INPUT -j ACCEPT -p tcp ! --syn -d 192.168.1.0/24
Assuming your host is 192.168.1.1, and you also have the remaining 253 addresses in that class C network. (You can also use ranges like this: 192.168.1.1-192.168.1.24, or traditional four octet netmasks like this: 255.255.255.224, as well, if that's easier for you to think about.)

Blueforce (User)
Posts: 192
Re: Re: Re: Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/13 21:46
OK, starting to get the picture :-)
But still one concern: a few days ago you helped me add a new IP range for the server... hmmm, should I add two of these lines, one for each IP range?
iptables -A INPUT -j ACCEPT -p tcp ! --syn -d 192.168.1.0/24
Sorry for all my questions, I'm not so good at this! Rather obvious, don't you think! :-)
regards, Leif

Blueforce (User)
Posts: 192
Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/15 03:36
Hi Joe,
Here is some feedback regarding the iptables SSH "fix". First of all, I have set "MaxAuthTries" to 2, which gives me a third try to get the password right. I have inserted these iptables settings and I think they work OK. If I connect to SSH and try to log in with an incorrect user or password, I get disconnected; if I then try to restart the session, the iptables settings have dropped my IP for the preferred time, in my case 30 sec. I now have to wait these seconds until I'm able to start a new session from the same IP. And even if I just start an SSH session without trying to log in and close it, my IP gets dropped for the preferred time. I also tried to add the rules from Webmin > Networking > Linux Firewall, and it works fine to enter them from there. One thing I'm not sure about is the SYN/ACK/RST options that are selected. If I entered this line through SSH:
iptables -A INPUT -j ACCEPT -p tcp ! --syn -d xxx.xxx.xxx.xxx
the line in iptables looks like this:
iptables -A RH-Firewall-1-INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
The only settings that I changed from default when adding a new rule from Webmin are the options I have listed. Maybe there is someone else who could have use for this. The rules have to be in this order:

iptables -A RH-Firewall-1-INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
From Webmin:
  Action to take: Accept
  Destination address or network: Equals xxx.xxx.xxx.xxx
  Network protocol: Equals TCP
  TCP flags set: Does not equal (first row) SYN
  TCP flags set: Does not equal (second row) SYN ACK RST

iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 30 --name DEFAULT --rsource -j DROP
From Webmin:
  Action to take: Drop
  Incoming interface: Equals eth0
  Network protocol: Equals TCP
  Destination TCP or UDP port: Port(s) 22
  Connection states: Equals New connection (NEW)
  Additional IPtables modules: recent
  Additional parameters: --update --seconds 30 --name DEFAULT --rsource

iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource -j ACCEPT
From Webmin:
  Action to take: Accept
  Incoming interface: Equals eth0
  Network protocol: Equals TCP
  Destination TCP or UDP port: Port(s) 22
  Connection states: Equals New connection (NEW)
  Additional IPtables modules: recent
  Additional parameters: --set --name DEFAULT --rsource
Regards, Leif
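To make the behaviour of the DROP/ACCEPT pair above concrete without touching a live firewall, here is an added example that is not from the thread and not Webmin or iptables code: a small Python model of the xt_recent match as the kernel module implements it. `--set` appends a timestamp for the source address; `--update --seconds S` matches when at least one stamp (or at least `--hitcount N` stamps, an option the thread's rules do not use and which is included here as an extension) falls inside the last S seconds, and on a match appends another stamp, which is why a host that keeps hammering keeps extending its own block. The per-address stamp ring buffer (`ip_pkt_list_tot`, default 20) is modelled too. The three source addresses and their connection times are constructed for the demonstration.

```python
"""Model of the iptables 'recent' match used for SSH rate-limiting.

Added example, not from the forum thread. Simulates the rule pair

    -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    -m state --state NEW --dport 22 -m recent --set -j ACCEPT

against a constructed sequence of new SSH connections. Semantics follow
the xt_recent module: --set appends a stamp; --update --seconds S matches
when at least max(hitcount, 1) stamps lie within the last S seconds and,
on a match, appends the current time (the block is self-extending).
"""
from collections import defaultdict, deque

STAMP_LIMIT = 20  # kernel default for ip_pkt_list_tot (stamps kept per address)


class RecentTable:
    """One named 'recent' list (the thread's rules use --name DEFAULT)."""

    def __init__(self, limit=STAMP_LIMIT):
        self.stamps = defaultdict(lambda: deque(maxlen=limit))

    def set(self, src, now):
        """--set: add src to the list, or refresh it, with the current time."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount=0):
        """--update --seconds S [--hitcount N]: True when the rule matches.

        Only stamps inside the window count. On a match the current time is
        appended, so continued attempts keep the address blocked.
        """
        if src not in self.stamps:
            return False
        window_start = now - seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= max(hitcount, 1):
            self.stamps[src].append(now)
            return True
        return False


def filter_new_ssh(attempts, seconds=15, hitcount=0):
    """Run (time, src) new-connection events through the DROP then ACCEPT rule.

    Returns a list of (time, src, verdict) in time order.
    """
    table = RecentTable()
    verdicts = []
    for now, src in sorted(attempts):
        if table.update(src, now, seconds, hitcount):
            verdicts.append((now, src, "DROP"))      # first rule matched
        else:
            table.set(src, now)                      # second rule: record and allow
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def verdicts_for(verdicts, src):
    """Just the verdict sequence for one source address."""
    return [v for _, s, v in verdicts if s == src]


# Constructed traffic (documentation-range addresses, times in seconds):
# a bot connecting every 3 s, a patient bot that waits out the window,
# and an admin who opens a second session 5 s after the first.
BOT = "203.0.113.7"
PATIENT_BOT = "203.0.113.99"
ADMIN = "198.51.100.20"

ATTEMPTS = (
    [(t, BOT) for t in range(0, 60, 3)]
    + [(t, PATIENT_BOT) for t in range(0, 64, 16)]
    + [(5, ADMIN), (10, ADMIN), (40, ADMIN)]
)

if __name__ == "__main__":
    for hc in (0, 4):
        result = filter_new_ssh(ATTEMPTS, seconds=15, hitcount=hc)
        print(f"--seconds 15" + (f" --hitcount {hc}" if hc else ""))
        for src in (BOT, PATIENT_BOT, ADMIN):
            v = verdicts_for(result, src)
            print(f"  {src:15} accepted {v.count('ACCEPT'):2}/{len(v):2}  "
                  + " ".join(x[0] for x in v))
```

With the thread's exact parameters the hammering bot gets exactly one connection through and is then dropped for as long as it keeps trying, the patient bot that waits 16 s between attempts is accepted every time (one guess per window, which is the "impractical" brute force the quoted text refers to), and the admin's second session 5 s after the first is dropped, matching the lock-out Leif reports in his test. Re-running with a hit count of 4 (an assumption, not part of the posted rules) lets the admin reconnect freely while the bot is still cut off after its fourth attempt inside the window.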

Blueforce (User)
Posts: 192
Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/17 21:20
Hi Joe,
Just some more news about my test. These firewall settings have now been running for some hours, and I'm impressed by the result. Earlier I had between 500 and 2000 hits on port 22 every 24 hours; now I'm down to 5-15!!! Impressive result!
Regards, Leif

Joe (Admin)
Posts: 4117
Re: Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2006/10/17 21:24
Hey Leif,
Nice! I think I'm gonna drop those rules on my boxes. It's better than my manual process of "look at the logwatch email every once in a while and block anyone that looks offensive". ;-)

ah...lifes...good (User)
Posts: 260
Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2007/07/21 16:50
-----------------------------------
The rules have to be in this order:

iptables -A RH-Firewall-1-INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
From Webmin:
  Action to take: Accept
  Destination address or network: Equals xxx.xxx.xxx.xxx
  Network protocol: Equals TCP
  TCP flags set: Does not equal (first row) SYN
  TCP flags set: Does not equal (second row) SYN ACK RST

iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 30 --name DEFAULT --rsource -j DROP
From Webmin:
  Action to take: Drop
  Incoming interface: Equals eth0
  Network protocol: Equals TCP
  Destination TCP or UDP port: Port(s) 22
  Connection states: Equals New connection (NEW)
  Additional IPtables modules: recent
  Additional parameters: --update --seconds 30 --name DEFAULT --rsource

iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource -j ACCEPT
From Webmin:
  Action to take: Accept
  Incoming interface: Equals eth0
  Network protocol: Equals TCP
  Destination TCP or UDP port: Port(s) 22
  Connection states: Equals New connection (NEW)
  Additional IPtables modules: recent
  Additional parameters: --set --name DEFAULT --rsource
-----------------------------------
Hi Leif,
I followed your instruction above (using > Webmin > Networking > Linux Firewall), but I still see more than 10,000 illegal login attempts at one go via SSH. I must have gotten something wrong.
Do I need to move your rules up to the top, above the Virtualmin Pro's default?
And yes, I have restarted iptables after the change.

ah...lifes...good (User)
Posts: 260
Re: SSH login attempts, maybe this is a "fix" for the firewall??? 2007/07/21 16:51
Screenprint