LinuxQuestions.org
Old 01-25-2009, 06:51 PM   #1
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
limiting ssh logins.


I am trying to lock down ssh. Before I apply anything that requires me to go in and manually have to unhook things, I wanna check I have the rules sorted out correctly.

Effectively what I am after is a password cap of 3~5 attempts a minute, preferably one that then locks the connection for 15~30 minutes and logs the denial in a log. It's not the most straightforward of passwords, so I can sometimes make several mistakes, so I don't want a perm-block enforced and having to get deny.host cleared so I can re-access the server.

I have written the script below so that I don't inadvertently lock myself out of the server; generally I am running this on VPSs first so I can rescue them, but will want to apply it to the main server itself.

Code:
iptables -A RH-Firewall-1-INPUT -p tcp --dport 22 -j DROP
iptables -I RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
So is there anything I need to change, or will this work? If this does block an IP, how long would it be blocked for? Thanks for the help.

P.S. going to bed now so don't worry if I don't respond to this too quickly =P.

Last edited by r3sistance; 01-25-2009 at 06:53 PM.
 
Old 01-25-2009, 07:06 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by r3sistance (post #1, quoted in full)
Your rules create a denial-of-service vulnerability. I would basically just need to send a couple of TCP packets to your box every now and then and neither you nor anyone else will be able to connect. I suggest you take some time to search the forum for threads in which people have done this sort of thing already; I know for a fact that there are several. Learning from tried and tested methods instead of trying to come up with stuff from scratch will save you a lot of headaches.

Last edited by win32sux; 01-25-2009 at 07:08 PM.
 
Old 01-26-2009, 08:59 AM   #3
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Original Poster
Rep: Reputation: 217Reputation: 217Reputation: 217
Ah, lovely, DoS. Well, these aren't rules that are up yet anyway. I would love to know what I have done wrong; I'll try a search at some point soon anyway.
 
Old 01-26-2009, 10:09 AM   #4
CaptainInsane
Member
 
Registered: Nov 2003
Location: Peoria
Distribution: Fedora 8
Posts: 92

Rep: Reputation: 15
Search for fail2ban....
 
Old 01-26-2009, 10:23 AM   #5
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
This will block the IP after 3 wrong attempts for 60 sec.


Code:
#!/bin/sh
IPT=/sbin/iptables
# Create chain for ssh attacks
$IPT -N SSH_CHECK
# ssh chain: every new connection to port 22 is checked against the per-source list
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# --set records a timestamp for this source on every new connection, dropped ones included
$IPT -A SSH_CHECK -m recent --set --name SSH
# drop when 3 or more timestamps for this source fall within the last 60 seconds
$IPT -A SSH_CHECK -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP
 
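Added example, not code posted by r3sistance, win32sux or repo: a small Python model of the two iptables matches being compared in this thread, the global `-m limit --limit 1/minute --limit-burst 5` from post #1 and the per-source `-m recent --set` / `--update --seconds --hitcount` pair from post #5. It replays one attacker sending a new connection every 30 seconds while the admin opens three connections in a row, and reports how many of each got through. The timestamps, the 30-second attacker cadence and the two addresses (taken from the RFC 5737 documentation ranges) are constructed for the example; `-m state` and conntrack are not modelled, and `xt_recent`'s per-address history is modelled as a ring of 20 timestamps (the module's default `ip_pkt_list_tot`).

```python
"""Global `-m limit` versus per-source `-m recent` for SSH, modelled in Python.

Added illustration for this thread; it is not code posted by anyone in it.
The two matchers are modelled only closely enough to show why post #2 calls
the rules in post #1 a denial of service:

  LimitMatch  ~ -m limit --limit 1/minute --limit-burst 5           (post #1)
  RecentMatch ~ -m recent --set / --update --seconds S --hitcount H  (post #5)

Times are seconds; the addresses are constructed sample values (RFC 5737).
"""
from dataclasses import dataclass, field
from fractions import Fraction

ATTACKER = "203.0.113.7"   # constructed sample source
LEGIT = "198.51.100.5"     # constructed sample source (the admin)
MAX_STAMPS = 20            # xt_recent keeps ip_pkt_list_tot (default 20) stamps per address


@dataclass
class LimitMatch:
    """One token bucket shared by every source, like `-m limit`."""
    rate_per_minute: int
    burst: int
    tokens: Fraction = field(init=False)
    last_seen: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)

    def allow(self, now: float, src: str) -> bool:
        # `src` is deliberately unused: the bucket is global, so whoever
        # spends the tokens spends them for everyone else as well.
        now_f = Fraction(now)
        refill = (now_f - self.last_seen) * self.rate_per_minute / 60
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_seen = now_f
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class RecentMatch:
    """Per-source sliding window, like `--set` followed by `--update`."""
    seconds: float
    hitcount: int
    stamps: dict = field(default_factory=dict)   # src -> recent timestamps

    def _record(self, src: str, now: float) -> list:
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        del lst[:-MAX_STAMPS]        # oldest stamps fall off the ring
        return lst

    def allow(self, now: float, src: str) -> bool:
        # `--set`: every NEW packet from src is stamped, dropped ones included.
        lst = self._record(src, now)
        # `--update --seconds S --hitcount H` matches when at least H stamps,
        # this packet's own included, lie inside the last S seconds...
        hits = sum(1 for t in lst if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._record(src, now)   # ...and a matching --update stamps again
            return False             # -j DROP
        return True


def run_scenario(matcher, legit_times=(301.0, 302.0, 303.0)):
    """One attacker sends a SYN every 30 s from t=0 to t=600 while the admin
    opens three connections (two typos, then the right password). Returns the
    number of NEW connections each source got through."""
    events = [(float(t), ATTACKER) for t in range(0, 601, 30)]
    events += [(t, LEGIT) for t in legit_times]
    events.sort()
    allowed = {ATTACKER: 0, LEGIT: 0}
    for now, src in events:
        if matcher.allow(now, src):
            allowed[src] += 1
    return allowed


def block_duration_demo(seconds=900.0, hitcount=5):
    """Run the scenario, then let the attacker knock again at t=1400 and t=1600.
    Returns (dropped_at_1400, allowed_at_1600): the block outlives the attack
    because every further packet refreshes the stamps."""
    m = RecentMatch(seconds, hitcount)
    run_scenario(m)
    return (not m.allow(1400.0, ATTACKER), m.allow(1600.0, ATTACKER))


def main() -> None:
    for name, m in (("limit 1/min burst 5 (post #1)", LimitMatch(1, 5)),
                    ("recent 60 s hitcount 3 (post #5)", RecentMatch(60, 3)),
                    ("recent 900 s hitcount 5 (post #6 values)", RecentMatch(900, 5))):
        print(f"{name}: {run_scenario(m)}")
    dropped, allowed = block_duration_demo()
    print(f"attacker at t=1400 dropped: {dropped}; at t=1600 allowed: {allowed}")


if __name__ == "__main__":
    main()
```

With the post #1 rules the admin's three attempts are all dropped even though the attacker only sends two packets a minute, because both share one bucket. With the per-source `recent` window only the attacker is affected, but note what it counts: new TCP connections to port 22, not wrong passwords, and a single connection still permits as many password tries as sshd's MaxAuthTries (6 by default in OpenSSH). Two caveats a practitioner wants before adopting the post #5 rules with the values from post #6: `--hitcount 3` drops the third connection within the window, so with 60 s / 3 the admin's third try in the model is already dropped, and because `--set` and a matching `--update` both refresh the entry, the block ends roughly `--seconds` after the source goes quiet rather than `--seconds` after it began (values above 20 for `--hitcount` also need `ip_pkt_list_tot` raised when loading `xt_recent`).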
Old 01-26-2009, 11:08 AM   #6
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Original Poster
Rep: Reputation: 217Reputation: 217Reputation: 217
Thanks Repo, I'll look over that; I take it that's meant to be run as a script. Sounds simple to just adjust seconds to 900 (or I am guessing minutes to 15) and hitcount to 5, and I think that fits what I am after?

CaptainInsane, I don't know much about fail2ban but have heard of it in the past; it sounds like it perm-blocks IPs, which because of the passwords I use isn't a good idea for me (not uncommon to type it in wrong, let's say). The last thing I want to do is perm-block my own IP out from the server. I'd rather have a time-limited block that I can control.

Last edited by r3sistance; 01-26-2009 at 11:09 AM.
 
Old 01-26-2009, 12:55 PM   #7
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899Reputation: 899Reputation: 899Reputation: 899Reputation: 899Reputation: 899Reputation: 899
Quote:
fail2ban but have heard of it in the past, sounds like it perm blocks ip
Fail2ban does the same; it also blocks for 60 sec.
 
Old 01-26-2009, 02:50 PM   #8
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Original Poster
Rep: Reputation: 217Reputation: 217Reputation: 217
Ah OK, might need to check it then.
 
Old 01-26-2009, 05:09 PM   #9
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by r3sistance (post #6, quoted in full)
Most brute-force tools such as fail2ban or DenyHosts have whitelists of IPs that the tool isn't supposed to ban.
 