SSH/iptables

This article is part of the Security series.

SSH Basics

Tips & Tricks

Introduction

This document describes how to install the netfilter and iptables kernel modules and configure them to successfully thwart brute-force SSH attacks.

Rules from http://www.debian-administration.org/articles/187 have been used in this article.

WARNING: Some sources (blog.blackdown.de , bugs.debian.org(Google cache)) states, that after some period of time ipt_recent can drop connections that even doesn't exceed --seconds parameter and bug is still unfixed, so be careful.

Installation

Enable the following kernel modules:

Linux Kernel Configuration: Name of Kernel 2.6.25 Config

Networking --->

[*] Networking support 
    Networking options  ---> 
    [*] Network packet filtering framework
       [ ]   Network packet filtering debugging
       [*]   Advanced netfilter configuration
             Core Netfilter Configuration --->
             <M> Netfilter connection tracking
             <M> Netfilter Xtables support
             <M> "state" match support

             IP: Netfilter Configuration --->
             <M> IPv4 connection tracking support 
             <M> IP tables support 
             <M> recent match support
             <M> Packet filtering

Be sure to recompile your kernel and install the modules:

gmake; gmake modules_install

Add the following to /etc/modules.autoload.d/kernel-2.6:

nf_conntrack
nf_conntrack_ipv4
xt_state
ipt_recent
ip_tables
iptable_filter
xt_tcpudp

Emerge IP Tables:

emerge iptables

Note: add iptables to the default runlevel ONLY after it is configured and confirmed to work, otherwise you may lock your self out of your system if you're not careful (if you're remotely connected)!

Note: if iptables complains about missing ipt_recent file, emerge iptables with "extensions" USE flag enabled

rc-update add iptables default

Deploy

Load the modules:

echo nf_conntrack nf_conntrack_ipv4 xt_state ipt_recent \
ip_tables iptable_filter xt_tcpudp | xargs -n1 modprobe

Load the rules (Note the ethernet interface, eth0 in this case, may need to be changed to match your configuration):

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
--state NEW -m recent --update --seconds 30 --hitcount 1    \
--name ssh_attempt --rsource -j DROP

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
--state NEW -m recent --set --name ssh_attempt --rsource

These rules will allow one ssh connection per remote host every 30 seconds and drop subsequent attempts, which is sufficient to cause a timeout in automated ssh bruteforce attack scripts. It's also generous enough for the average user.

Note: firewall rule allowing connections on port 22 (if you use such rule) should be added after above rules. Otherwise connections will be accepted before being examined by above filters.

Small script to unblock yourself after successful login to box(note that counter doesn't reset after correct login completion). It takes connect/login time from connected user table and removes it from blocked IPs

/root/unblockme:

#!/bin/bash
DATE=`date +%H:%M`
echo -`who | grep ${DATE} | sed 's/.*(\(.*\)).*/\1/g'` > /proc/net/ipt_recent/ssh_attempt

/root/.bashrc:

/root/unblockme

Configuration

Set SAVE_ON_STOP to no in /etc/conf.d/iptables to prevent accidentally wiping out your rules:

 # Save state on stopping iptables
 SAVE_ON_STOP="no"

Save the current IP Tables rules that were manually set during the Test step above:

 /etc/init.d/iptables save

Start the IP Tables service:

 /etc/init.d/iptables start

Retrieved from "http://www.gentoo-wiki.info/SSH/iptables"

Category: Subpages

Last modified: Wed, 03 Sep 2008 08:32:00 +0000 Hits: 6,698