how to make iptables blacklist a user if they connect to a certain port
What is the command, if any, to make iptables auto-blacklist an IP if they connect to a certain port?
For example, let's say that I want to auto-blacklist any script kiddie who connects to port 22 and tries to do a brute force. Because I have sshd on an alternate port, I want to have 22 as a trap. So then, if they try 22 and find nothing, they might try a portscanner and find the real port sshd is on. But if it auto-blacklists connections to 22, then when their portscanner passes 22, it is unlikely they will find my real port because any connection with them will be refused.
I would suggest using the recent module. If you need help with the implementation, just ask.
For the reason you listed I would not even worry about it. Most of the scans that will ever hit your computer/server are automated, and looking to exploit a specific vulnerability. With ssh it's usually brute force.
Also it may be prone to DoS. What happens if I send spoofed syn packets to tcp 22 on your computer with the src address as google's IPs? Your firewall could very well block those IPs, and in turn deny access to google. Granted the chance of this is slim, but it's still a possibility. Take a look at nmap's -D option as it does exactly this. You need to be very careful when using firewall rules that are created based on certain "matches". The same goes for using things like Snort inline where it blocks traffic when certain rules are matched. I would instead secure sshd by only allowing connections from specified IPs, and use ssh keys rather than passwords. Having it running on some random port only fools automated tools. All anyone has to do is telnet to that port you changed sshd to listen on, and the person will automatically know you are running ssh, and what version. Now if you have iptables set up to deny all first unless specified to allow, they will be hitting a brick wall.
I know it is specifically not iptables, but DenyHosts works great for SSH and writes to your /etc/hosts.deny automatically.
http://denyhosts.sourceforge.net/
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
works nicely for me, gives them 4 attempts, then they are blocked.
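As an added illustration (not code from this thread), here is a small Python model of how the two rules above behave, assuming the chain order that two `-I` inserts produce (the DROP rule inserted last sits first, the `--set` rule second) and the xt_recent semantics that `--update` only matches, and only records the packet, when the address already has `--hitcount` timestamps inside the `--seconds` window, while `--set` records every packet. The source addresses are constructed sample values from the 192.0.2.0/24 documentation range.

```python
from collections import deque

SECONDS = 60        # --seconds 60
HITCOUNT = 4        # --hitcount 4
PKT_LIST_TOT = 20   # xt_recent ip_pkt_list_tot default: timestamps kept per address


class RecentTrap:
    """Rule 1: -m recent --update --seconds 60 --hitcount 4 -j DROP
       Rule 2: -m recent --set  (reached only when rule 1 does not match)"""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds, self.hitcount = seconds, hitcount
        self.table = {}  # src address -> deque of timestamps, newest first

    def _record(self, src, now):
        stamps = self.table.setdefault(src, deque(maxlen=PKT_LIST_TOT))
        stamps.appendleft(now)  # oldest stamp falls off once the deque is full

    def new_syn(self, src, now):
        """Verdict for one new TCP SYN to the trap port from src at time now (seconds)."""
        stamps = self.table.get(src)
        if stamps is not None:  # rule 1 only applies to addresses already listed
            hits = sum(1 for t in stamps if now - t <= self.seconds)
            if hits >= self.hitcount:
                self._record(src, now)  # --update refreshes the entry on match,
                return "DROP"           # so the block lasts while they keep knocking
        self._record(src, now)  # rule 2: --set records the packet unconditionally
        return "ACCEPT"         # no match here: the packet continues down the chain


def simulate(trap, packets):
    """packets: iterable of (time, src). Returns one verdict per packet, in order."""
    return [trap.new_syn(src, t) for t, src in packets]


if __name__ == "__main__":
    # Constructed sample: one source knocks on port 22 every 5 seconds.
    knocks = [(5 * i, "192.0.2.10") for i in range(6)]
    print(simulate(RecentTrap(), knocks))  # -> 4 x 'ACCEPT', then 'DROP', 'DROP'
```

Because the verdict depends only on the source address's own history, four SYNs carrying a spoofed third-party address are enough for that address to be dropped, which is the DoS risk raised earlier in the thread.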
Hello, thanks for all the replies!
re: restricting source IP: the thing is, I connect from lots of places, so restricting a source IP would be very inconvenient.
re: denyhosts: Since I didn't know DenyHosts existed, I wrote a script that does exactly what it does... guess I could have saved some time if I just googled it. Just, it is only using tcpwrappers; I wanted something more... systemwide, which is what iptables does.
re: iptables: Ok, I'll put in those commands and wait till the next script kiddie finds my IP :)