LinuxQuestions.org
Old 10-19-2005, 04:49 AM   #1
maginotjr
Member
 
Registered: Aug 2004
Location: BR - Floripa
Distribution: Ubuntu 9.10 - 2.6.x.x
Posts: 661

Rep: Reputation: 34
how to deny ssh for ip range?


Lately I have received a lot of connection attempts on my server's ssh. So I was thinking (and I think it is) if it is possible to deny connections to ssh or ftp or even smtp and pop for a range of IPs. I really want to deny connections from any IP not equal to 200.*.*.* or 201.*.*.*

maybe iptables or some ssh rule....

thanks...
 
Old 10-19-2005, 05:08 AM   #2
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 51
The easiest way to avoid those attacks is by changing the default sshd port from 22 to something else, since most of them are automated attacks.
You can also use iptables; the commands would vary if you're already using it, since you can allow only from those IPs or deny from all others, depending on how you're protecting.

Two other things to set by default are to use Protocol 2 only and set PermitRootLogin no.

To deny it would be something like: iptables -A INPUT -i ppp0 -p tcp -s IPRANGE -d 0/0 --dport 22 -j DROP

Last edited by gbonvehi; 10-19-2005 at 05:13 AM.
 
Old 10-19-2005, 06:25 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Personally, my way of avoiding these attacks without moving ports was to install knockd (available from linuxpackages). With this, I was then able to have port 22 closed to everyone that didn't know the knock. I have the Cygwin knock client on my USB key and anytime I need to ssh in, I just run it with the right knock and then, bam, the SSH port is open (but only to that IP). Then when I'm done, I can knock a different tune and it closes the SSH port.

This way, SSH is closed to everyone else in the world but I can selectively open it to any computer that I happen to be at just by knowing the knock. Must have cut a meg a day of logs out of the picture with only a tiny added inconvenience.
 
Old 10-19-2005, 07:06 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,781
Blog Entries: 1

Rep: Reputation: 412
Another way of trimming the logs is using sshblack which is a perl script that monitors a log file for multiple attempts to log in via ssh. It then alters your firewall to drop the offending IP address. It requires you to tweak your firewall a bit, but it works well.

The other thing to consider is to not allow ssh login using usernames and passwords, but rather require public key authentication instead. There is a really excellent tutorial on how to set this up here.
 
Old 10-19-2005, 07:59 AM   #5
maginotjr
Member
 
Registered: Aug 2004
Location: BR - Floripa
Distribution: Ubuntu 9.10 - 2.6.x.x
Posts: 661

Original Poster
Rep: Reputation: 34
very good advice!
I was searching some time ago for some knock software... I will try the one you said... the problem will be having to use a knocking client everywhere...

Is the client you mentioned for Linux or Windows? I need a client for both...

thanks!
[ ]'s
 
Old 10-20-2005, 04:32 AM   #6
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
The version of knock I use has available for download the Linux command-line knock and a Cygwin executable for Windows (two files, knock and the Cygwin DLL; put them both in the same folder and it just works like the Linux command-line version).

I got knockd from linuxpackages.net:

http://www.linuxpackages.net/pkg_details.php?id=7828

and the homepage for the software has the knock client software for both platforms:

http://www.zeroflux.org/knock/
 
Old 10-21-2005, 04:15 AM   #7
maginotjr
Member
 
Registered: Aug 2004
Location: BR - Floripa
Distribution: Ubuntu 9.10 - 2.6.x.x
Posts: 661

Original Poster
Rep: Reputation: 34
thanks!

this will be very useful!

regards [ ]'s
 
Old 10-21-2005, 06:09 AM   #8
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 197
Quote:
Originally posted by gbonvehi
The easiest way to avoid those attacks is by changing the default sshd port from 22 to something else, since most of them are automated attacks.
Just for the newbies out there, security through obscurity is not an effective way of securing a host on a network.
 
Old 10-21-2005, 06:38 AM   #9
Freemor
Member
 
Registered: Aug 2005
Location: New Brunswick
Distribution: Trisquel
Posts: 70
Blog Entries: 8

Rep: Reputation: 15
I would suggest looking into using the hosts.allow and hosts.deny files. I have found them exceedingly effective in limiting who can connect to the ssh servers I have set up. Their syntax is pretty straightforward and they can even be used to log who is allowed or denied. They are well documented both in man pages and on the net.

Hope this helps
Freemor
 
Old 10-24-2005, 09:13 AM   #10
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
On the "security through obscurity" note, yes, you're right but that phrase is overused. My bank card has a pin that relies on security through obscurity - you don't know my number or my pin but that's the only thing stopping you drawing money out of my account. The security of the portknock level is only as good as the security of the password, the knock itself. I don't tell people my knock and if I did, it would only be to those people who I also trust to login to the machine via SSH. I trust them not to disclose their portknock as much as I trust them not to disclose their public key.

The main purpose of using portknock software for myself and the above poster is that it stops any amount of dumb brute-force password attacks on my SSH (which is public-key only) and also stops no end of log entries from filling my logs.

Most people, when a port is closed, just ignore that port. To do anything else is just logistically crazy (i.e. if you assumed that every closed port you saw had a port-knock and then tried to find it, you would have to try many BILLIONS of knock combinations before you even got into the complex knocks, time-related knocks, hash-related knocks, IP-related knocks etc.).

Port knocking keeps the kids out. Anyone else who gets in is going to have found out the knock from someone who already has the knock and/or password and/or key.

Currently, I have the following setup:

- All closed (stealthed or whatever, not that it makes much difference) ports, for sanity when reading through logs.
[Therefore most observers see no difference between this and a machine that is turned off. Script kiddies have nothing to work from when they nmap, SSH bots see a machine that's not worth trying.]

- A "secret" port knock to open up SSH only to the IP that the knock came from.
[Effectively a password, potentially sniffable.]

- Only a single user can log in via SSH
[Username is non-standard, and SSH is encrypted therefore it is effectively a password that cannot be sniffed]

- That user has a single private key which is the only accepted way to login (no passwords)
[That key is effectively a password which cannot be sniffed]

- That key has a large passphrase.
[That passphrase never goes out across the Internet and therefore is a password that cannot be sniffed]

- That user account has limited access unless you su or sudo, which needs the root password.
[That is yet another password, unsniffable as this is the only way to get to it]

Therefore that's effectively four pieces of non-sniffable information and one (potentially) sniffable. The port-knock is therefore roughly as effective as a GOOD root password on a machine that has the latest version of SSH and is running no other services. This is, despite popular belief, quite secure because a full-text brute-force of any decent length password is still not practical across even a broadband internet connection, especially not with retry limits etc. Some portknock software has these same retry limits. Port knocks also mean that any brute-force attempt bounces off your TCP/IP stack rather than SSH. This takes fewer resources and fewer logfile lines on the target machine (I don't log stray packets, I see no point).

Port knocks are easily sniffable assuming you can watch both ends of the conversation but they are not necessarily replayable (there are knocks based on one-time password lists, hashes of the time, source IP and other information, encrypted knocks and all sorts). This makes those portknocks as secure as something like SSH.

Say someone DOES steal/sniff/guess my portknock? Big deal. You opened a port that would have already been open without portknocks. I can still blacklist/whitelist certain IPs from having a successful portknock, I can still block IPs/usernames from SSH or whatever other service it opens up, I can get portknock to open ANY port, I can get the computer to do ANYTHING when it receives a portknock (send SMS, reboot switches or computers etc.), I can have multiple portknocks for multiple tasks.

This all makes it absolutely invaluable for many tasks, means my computer becomes no less secure and much harder to try to invade, makes brute-force attacks MUCH, MUCH harder, is of minimal overhead (a single tiny daemon listening for SYN packets), of little inconvenience to someone who tries to log in (a simple password entry into a piece of tiny portknock client software that can accompany your SSH login software), another level of defense against things like new SSH vulnerabilities, an extra layer over any potentially stupid admin decisions that open holes, doesn't interfere with any of the software that it protects, can protect every service on a machine that doesn't need to be open to everyone and costs nothing but about ten minutes to set up.
 
Old 10-27-2005, 09:49 PM   #11
ravee
Member
 
Registered: Jan 2005
Location: India
Distribution: Fedora Core 2
Posts: 83

Rep: Reputation: 15
I agree with what freemor has said. The easiest (though not best) way of solving your problem is to use TCP Wrappers. ssh is compiled with wrapper support. So it is as simple as entering the following line in your /etc/hosts.allow file.

sshd: ALL EXCEPT 200. , 201. : deny

And that will start working immediately.
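As an added illustration (not code from the thread), here is a small Python model of the hosts_access(5) matching that the hosts.allow line above relies on; the file contents are constructed to mirror that rule, and the model covers only the IPv4 pattern forms used here (ALL, trailing-dot prefix, net/mask, exact address). It shows why `200.` covers the whole 200.x.x.x range but not 20.x.x.x, and that the rule leaves other daemons such as ftpd untouched.

```python
import re

# Constructed hosts.allow / hosts.deny contents; the first mirrors the rule from the post above.
HOSTS_ALLOW = "sshd: ALL EXCEPT 200. , 201. : deny\n"
HOSTS_DENY = ""   # empty here; many admins add "ALL: ALL" as a default deny

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def pattern_matches(pattern, client_ip):
    """Subset of hosts_access(5) client patterns: ALL, trailing-dot prefix, net/mask, exact (IPv4 only)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):       # "200." is a numeric prefix: matches 200.x.x.x, not 20.x.x.x
        return client_ip.startswith(pattern)
    if "/" in pattern:              # "200.0.0.0/255.0.0.0" style net/mask pair
        net, mask = pattern.split("/", 1)
        m = ip_to_int(mask)
        return ip_to_int(client_ip) & m == ip_to_int(net) & m
    return pattern == client_ip

def client_list_matches(client_list, client_ip):
    """'list1 EXCEPT list2' matches when list1 matches and list2 does not (EXCEPT nests to the right)."""
    parts = re.split(r"\s+EXCEPT\s+", client_list.strip(), maxsplit=1)
    included = any(pattern_matches(p, client_ip) for p in parts[0].split(","))
    if len(parts) == 1 or not included:
        return included
    return not client_list_matches(parts[1], client_ip)

def parse_rules(text):
    """Yield (daemon_list, client_list, option) for each 'daemons : clients [: option]' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        yield fields[0], fields[1], (fields[2].lower() if len(fields) > 2 else "")

def access_decision(daemon, client_ip):
    """Return 'allow' or 'deny': hosts.allow is consulted first, then hosts.deny, else allow."""
    for text, implied in ((HOSTS_ALLOW, "allow"), (HOSTS_DENY, "deny")):
        for daemons, clients, option in parse_rules(text):
            daemon_hit = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
            if daemon_hit and client_list_matches(clients, client_ip):
                # An explicit allow/deny option overrides the file's implied verdict.
                return option if option in ("allow", "deny") else implied
    return "allow"
```

Because the rule names only sshd, ftpd and the mail daemons still fall through to the default allow unless they get their own line.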
 
Old 11-01-2005, 07:01 AM   #12
maginotjr
Member
 
Registered: Aug 2004
Location: BR - Floripa
Distribution: Ubuntu 9.10 - 2.6.x.x
Posts: 661

Original Poster
Rep: Reputation: 34
Okay thanks, I will do it too !
But I have to admit, using another port has already made a big change here... no more tries on the ssh port. I changed the ssh and ftp ports and things are very quiet...

[ ]' s
 