[H-GEN] iptables autoblocking
Christopher LeMoyne (Reply-To Humbug)
christopher_lemoyne at yahoo.com.au
Wed Jul 20 09:16:20 EDT 2005
Christopher LeMoyne (Reply-To Humbug) wrote:
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> James Mills wrote:
>
>>
>> On Wed, Jul 20, 2005 at 12:10:36AM -0700, Anthony Irwin wrote:
>>
>>
>>>
>>> Hi everyone,
>>>
>>> I have been looking through my logs and noticed that
>>> over the last month I have had a large number of
>>> different ip addresses trying to login to my system
>>> via ssh with generated user names.
>>>
>>> I was wondering if there is a way I could easily write
>>> a script that automatically added invalid user login
>>> attempts via ssh to be blocked in iptables and added
>>> to a block list.
>>>
>>> below is a sample of my /var/log/auth.log file.
>>>
>>> Jul 20 10:30:41 localhost sshd[31205]: Illegal user test from 210.53.138.21
>>> Jul 20 10:30:44 localhost sshd[31207]: Illegal user test from 210.53.138.21
>>> Jul 20 10:30:47 localhost sshd[31209]: Illegal user guest from 210.53.138.21
>>> Jul 20 10:30:50 localhost sshd[31211]: Illegal user guest from 210.53.138.21
>>> Jul 20 10:31:00 localhost sshd[31217]: Illegal user daniel from 210.53.138.21
>>> Jul 20 10:31:06 localhost sshd[31221]: Illegal user admin from 210.53.138.21
>>> Jul 20 10:31:10 localhost sshd[31223]: Illegal user admin from 210.53.138.21
>>>
>>> I would really like to be able to automatically block
>>> such attacks. I have thought about limiting ssh to
>>> certain ip addresses but would prefer to leave it open
>>> so I can login from anywhere.
>>>
>>> Any suggestions would be appreciated.
>>>
>>
>>
>> My own systems undergo such attacks as well. A couple of months ago one
>> of my boxes was attacked in this way with ~20,000 login attempts. I
>> would be interested in what others have to say first before I
>> contribute... I have as yet _not_ implemented any solution.
>>
>> cheers
>> James
>>
>>
>>
> An interesting discussion relating to this on the OpenBSD Journal:
> http://undeadly.org/cgi?action=article&sid=20041231195454
>
> Seems there are a variety of methods for dealing with this, based on
> personal preference.
>
> Regards,
> Christopher
>
Further to this:
http://www.linuxforums.org/forum/topic-24004.html
It details how to use Swatch, a simple script, and Cron to block common
ssh attempts. I'll be implementing this at some stage soon. Grepping
through my auth.log files showed 13 different IPs in under 2 days.
I would also suggest changing "PermitRootLogin yes" in
/etc/ssh/sshd_config to "PermitRootLogin no", then do a "/etc/init.d/ssh
restart" (please note, this is Debian syntax). This will disallow
anyone using ssh to log in directly as root, instead they must log in as
a valid user and then 'su' to root.
I am not an iptables expert, but in the above link, the forum user
sparkix suggests the following:
<!-- start quote -->
modprobe ipt_recent ip_list_tot=200
iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
    -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
    --hitcount 3 --seconds 60 --name SSH_PROBERS \
    -j LOG --log-prefix "Adaptive-FW SSH Prober: "
iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
    -d $IPADDR --dport 22 -m state --state NEW -m recent \
    --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
    -j DROP
iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
    -d $IPADDR --dport 22 -m state --state NEW -m recent \
    --set --name SSH_PROBERS -j ACCEPT
The first time someone attempts to contact the SSH server their IP
gets added to the file SSH_PROBERS. If they are legit, their next
connections will be established or related and their IP will expire
from this file.
If they failed at logging in and make another new attempt and their
IP is listed in the SSH_PROBERS file then the first two rules take
effect.
The first two rules together will check the file and see if there
are more than 3 listings of the source IP. If so, the packet is
logged and dropped. It updates the SSH_PROBERS file with the new
attempt and removes any listings older than 60 seconds.
This means that to get another chance to try again without being
dropped, you must wait until your IP is listed fewer than 3 times in
the file. This stops bots from slamming port 22 with login attempts
but does not deny you access from remote locations when it is legit.
So far these rules have not blocked me but have reduced the SSH
login attempts by bots for users like admin, guest, test, patrick,
god, etc...
I have also used similar rules to stop ftp probing as well as port
scanning. It makes your firewall adapt to rapid portscans by just
disappearing from the internet.
<!-- end quote -->
Would any iptables experts care to weigh in on the validity of the above
rules?
Regards,
Christopher
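A script along the lines Anthony asked for, added here as an example and not code from the thread or the linked forum: it parses the "Illegal user" lines shown above, applies the same hit-count-within-a-window test that the quoted ipt_recent rules use, and returns the iptables DROP commands for the offending addresses without running them. The log sample is constructed from the thread's excerpt plus a second, slow source; the function names and the 3-hits-in-60-seconds defaults are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: lines modelled on the thread's auth.log excerpt, plus one
# slow source (192.0.2.77, a documentation address) that never bursts.
SAMPLE_LOG = """\
Jul 20 10:30:41 localhost sshd[31205]: Illegal user test from 210.53.138.21
Jul 20 10:30:44 localhost sshd[31207]: Illegal user test from 210.53.138.21
Jul 20 10:30:47 localhost sshd[31209]: Illegal user guest from 210.53.138.21
Jul 20 10:30:50 localhost sshd[31211]: Illegal user guest from 210.53.138.21
Jul 20 11:02:03 localhost sshd[31300]: Illegal user admin from 192.0.2.77
Jul 20 11:45:00 localhost sshd[31333]: Illegal user admin from 192.0.2.77
"""

# 2005-era sshd logs "Illegal user"; current OpenSSH logs "Invalid user ... port N".
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?:Illegal|Invalid) user (\S+) from (\d+(?:\.\d+){3})\b")

def parse_illegal_users(text, year=2005):
    """Return (timestamp, user, ip) for each failed-user line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_probers(events, hitcount=3, seconds=60):
    """Sliding window mirroring '-m recent --hitcount 3 --seconds 60': an IP becomes
    a prober once it has `hitcount` failures inside any `seconds`-long window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    probers = {}                 # ip -> time it crossed the threshold
    for ts, _user, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()     # expire old hits, as ipt_recent does
        if len(window) >= hitcount and ip not in probers:
            probers[ip] = ts
    return probers

def block_rules(probers, port=22):
    """Dry-run iptables commands (strings, not executed) dropping new SSH from each prober."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -m state --state NEW -j DROP"
            for ip in sorted(probers)]

if __name__ == "__main__":
    print("\n".join(block_rules(find_probers(parse_illegal_users(SAMPLE_LOG)))))
```

With the defaults only the bursty address is listed; the slow one never has three failures inside a minute, which is the same second chance the quoted rules give a legitimate user who mistypes a password.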