LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-18-2017, 11:43 AM   #1
maxbaum
LQ Newbie
 
Registered: Oct 2017
Distribution: CentOS 7
Posts: 8

Iptables rules don't work with RSA SSH authentication


Hi there

I really thought I could solve this on my own, but after a long day of trying I ran out of ideas.

Basically I have a CentOS 7 server and authenticate with an RSA key and SSH.

To prevent someone from "bruteforcing the RSA key" or just DoSing the server, I want to drop every IP that tries to authenticate more than 2 times in 10 minutes.

I found lots of help on this topic but it just doesn't seem to work for me.
I can't use fail2ban because I'm running on a VPS and fail2ban needs access to the hardware, which is of a virtual nature, and it errors out.

So I want to do it with iptables, but the rules just don't do their job. The logins are not even logged in /var/log/messages.

Here are my rules; maybe someone can find an error. Thanks to everybody:

Code:
# Generated by iptables-save v1.4.21 on Wed Oct 18 19:35:27 2017
*filter
:INPUT DROP [662:65949]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1023:99687]
# user-defined chains, not referenced by any rule below
:LOGDROP - [0:0]
:SSHATTACK - [0:0]
# --hitcount 3: matches when the source already has 3 recorded hits in the last 600 s; --update refreshes the entry on a match
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j DROP
# --hitcount 2: log from the 3rd connection on; LOG is non-terminating, so the packet continues down the chain
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 --name DEFAULT --rsource -j LOG
# record every new connection to port 22 in the "DEFAULT" list, keyed by source address
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Oct 18 19:35:27 2017
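An added illustration, not code from the thread or from netfilter: a small Python model of the xt_recent matching behind the three `-m recent` rules above, replayed over a constructed sequence of new connections from one source address (203.0.113.5, a documentation address). It assumes the module default of 20 stamps per address (ip_pkt_list_tot), that the rules are actually loaded and reached, and it treats each event as one new TCP connection, which is all these rules can count.

```python
"""Model of the xt_recent matching behind the three '-m recent' rules in the
post, replayed over a constructed sequence of new SSH connections from one
source address. Added illustration, not code from the thread.

Semantics mirrored from the kernel module (net/netfilter/xt_recent.c):
  --set      always records the packet's timestamp for the source
  --update   counts timestamps already recorded inside --seconds; matches
             when at least --hitcount are present and, on a match, records
             a new timestamp (so the window slides while the source keeps
             connecting)
  --rcheck   like --update but never records a timestamp
Per-source timestamps live in a ring of ip_pkt_list_tot slots (default 20).
"""
from collections import deque

PKT_LIST_TOT = 20  # module default for ip_pkt_list_tot (assumed unchanged)


class RecentList:
    """One '--name' list keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        """--set: record a hit, creating the entry if needed."""
        self.stamps.setdefault(src, deque(maxlen=PKT_LIST_TOT)).append(now)

    def match(self, src, now, seconds, hitcount, update):
        """--update (update=True) or --rcheck with --seconds/--hitcount."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False  # source not in the list: no match
        hits = sum(1 for s in stamps if not seconds or s >= now - seconds)
        matched = hits >= max(hitcount, 1)
        if matched and update:
            stamps.append(now)  # --update refreshes the entry on a match
        return matched


def verdicts(times, seconds=600, drop_hits=3, log_hits=2,
             set_first=False, update=True):
    """Verdict for each new-connection time (seconds) from a single source.

    set_first=False reproduces the posted order: DROP rule, LOG rule, then
    the --set rule, then ACCEPT. set_first=True moves --set ahead of them,
    the order most rate-limit recipes use. update=False swaps --update for
    --rcheck in the DROP and LOG rules.
    """
    table = RecentList()
    src = "203.0.113.5"  # constructed documentation address
    out = []
    for t in times:
        if set_first:
            table.set(src, t)
        if table.match(src, t, seconds, drop_hits, update):
            out.append("DROP")
            continue
        logged = table.match(src, t, seconds, log_hits, update)
        if not set_first:
            table.set(src, t)
        out.append("LOG+ACCEPT" if logged else "ACCEPT")
    return out


if __name__ == "__main__":
    burst = [0, 10, 20, 30]
    print("posted order   ", verdicts(burst))
    print("--set first    ", verdicts(burst, set_first=True))
    knock = [0, 10, 20, 30, 230, 430, 630, 830]
    print("--update, 200s ", verdicts(knock))
    print("--rcheck, 200s ", verdicts(knock, update=False))
```

Replaying a burst of four connections shows that the posted order lets three connections through in ten minutes (the third one logged) and drops from the fourth, one more than "more than 2 times" asks for; with the `--set` rule placed before the `--update` rules the third connection is already dropped. The second replay shows the difference between `--update` and `--rcheck`: with `--update` every dropped attempt refreshes the entry, so a source that keeps knocking every 200 s stays blocked indefinitely, while with `--rcheck` the block lapses 600 s after the last recorded connection. Either way the unit being counted is a TCP connection, not an authentication attempt.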
 
Old 10-18-2017, 12:07 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,306
Blog Entries: 3

They seem to be in reverse order. It does not make so much difference, but in principle the more frequently used rules should come first, such as the ones for established connections or the loopback interface. The loopback should also only talk to itself:

Code:
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
As for rate limiting, you can do that like this:

Code:
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

-A INPUT -p TCP --dport 22 -m state --state NEW -m limit --limit 2/minute --limit-burst 5 -j ACCEPT
Then you'll also need something similar to all that for IPv6. All that was just for IPv4.

Can you install SSHGuard on your machine to watch the logs and run the filter? iptables only looks at the TCP (or UDP or ICMP) connections and not what goes on inside them such as a failed or successful login.
 
Old 10-18-2017, 09:34 PM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Never knew fail2ban to need access to the hardware, seeing how it reads log files and then executes a script.
Have you looked at sshguard? It does the same as fail2ban, using iptables or ipset.
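To make concrete what Turbocapitalist and lazydog are pointing at, here is an added example (not code from the thread, from sshguard or from fail2ban) in Python: it parses constructed sshd lines of the kind CentOS 7 writes to /var/log/secure, counts failed authentications per source address inside a sliding window, and returns the sources a log-watching tool would hand to iptables. The hostname, addresses, PIDs and fingerprints in the sample are made up, and the year is assumed because syslog timestamps carry none. One caveat before relying on such lines: OpenSSH normally logs a rejected public key at VERBOSE level and raises it to INFO only once a session has accumulated half of MaxAuthTries failures or the user is invalid, so a watcher that should see every rejected key needs LogLevel VERBOSE in sshd_config.

```python
"""Failed-login counting of the kind sshguard and fail2ban perform.
Added example, not code from the thread or from either tool.

iptables sees TCP connections to port 22, not what happens inside them,
so 'too many failed key offers' is only visible in sshd's log. This reads
such log lines, keeps a sliding window of failures per source address and
returns the sources that crossed the threshold together with the iptables
rule a log watcher would insert for them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure lines as written to /var/log/secure on CentOS 7: syslog
# timestamp without year, host, 'sshd[pid]:', then the failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)

# Constructed sample (host, addresses, PIDs and fingerprints are made up):
# one accepted login, one source failing three times within ten seconds,
# and one user whose failures are spread too thinly to cross the threshold.
SAMPLE_LOG = [
    "Oct 18 19:30:01 vps sshd[1201]: Accepted publickey for max from 198.51.100.7 port 40010 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Oct 18 19:30:05 vps sshd[1202]: Failed publickey for root from 203.0.113.5 port 51004 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Oct 18 19:30:12 vps sshd[1203]: Failed publickey for root from 203.0.113.5 port 51006 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Oct 18 19:30:15 vps sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51008 ssh2",
    "Oct 18 19:31:02 vps sshd[1205]: Failed publickey for max from 198.51.100.7 port 40012 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Oct 18 19:45:30 vps sshd[1206]: Failed publickey for max from 198.51.100.7 port 40014 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Oct 18 19:50:00 vps sshd[1207]: Failed publickey for max from 198.51.100.7 port 40016 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
]


def parse_failures(lines, year=2017):
    """Yield (timestamp, src, method, user) for every failed-auth line.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["method"], m["user"]


def sources_to_ban(lines, max_failures=2, window_seconds=600):
    """Return {src: time_of_triggering_failure} for sources with more than
    max_failures failures inside a sliding window of window_seconds."""
    recent = defaultdict(deque)  # per-source timestamps, oldest first
    banned = {}
    for ts, src, _method, _user in parse_failures(lines):
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if len(window) > max_failures and src not in banned:
            banned[src] = ts
    return banned


def ban_rules(banned):
    """iptables rules a log watcher would insert (returned, not executed)."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP"
            for src in sorted(banned)]


if __name__ == "__main__":
    for rule in ban_rules(sources_to_ban(SAMPLE_LOG)):
        print(rule)
```

With the thread's own threshold (more than 2 failures in 10 minutes) only 203.0.113.5 is reported, at the third failure; the user whose three failures span twenty minutes is not. Lowering the threshold or widening the window changes that, which is exactly the tuning fail2ban's `maxretry`/`findtime` and sshguard's threshold options expose.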
 
  


All times are GMT -5.