04-22-2009, 01:17 AM   #1
whiskey06 (LQ Newbie, Distribution: centos 5)
Prevent Login by IP address / limit login attempts / remedial IP tables question


Hi guys,

Using CENTOS 5.

Ran the lastb command, and it has over 10 000 entries, which is making me sad.

Is there a way I can prevent users from a certain IP from logging in as well as limit the amount of failed logins to 3?

Also, I have these iptables rules for incoming pings, but allowing pings out from the box would be most helpful:

Code:
#no pinging allowed!
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT
iptables -A INPUT -p icmp -j REJECT
iptables -A OUTPUT -p icmp -j REJECT

merci buckets!
 
04-22-2009, 04:36 AM   #2
fotoguy (Senior Member, Distribution: Custom Debian Live ISO's)
OK, first of all you need to restrict connections using TCP Wrappers; all distros come with this and it's very easy to set up. It uses the /etc/hosts.allow and /etc/hosts.deny files; just add all the entries you want to allow to connect.

/etc/hosts.allow

Code:
127.0.0.1
192.18.1.0/255.255.255.0

/etc/hosts.deny

Code:
ALL:ALL

Basically this will only allow the IP addresses you want, and deny any others.

Now for limiting the number of login attempts: you can use /etc/login.defs and limit the number of failed attempts. You can also limit connection attempts for the ssh server as well; look for MaxAuthTries in the /etc/ssh/sshd_config file.


You can also limit the number of connections to a port using the recent module in iptables as well; this will really slow them down. Just adjust this to suit:

Code:
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 600 --hitcount 3 -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT

For anything like pings, you are better off dropping rather than rejecting; drop will not send anything back and they will hang waiting for a reply, which will slow any auto scripts down quite a lot.



Code:
#no pinging allowed!

#allow ping request to go out
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

# allow the reply to come in
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -m --state ESTABLISHED,RELATED -j ACCEPT

# drop any other icmp protocol that didn't come from us
iptables -A INPUT -p icmp -j DROP

Hope this helps
 
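The recent-module rule above throttles new connections per source at the firewall, and MaxAuthTries only caps guesses within one SSH session; neither tells you which sources are already filling your lastb output. The script below is an added example (mine, not from this thread or from any tool it mentions): it parses lastb -i style lines, counts failures per source address, excludes a trusted management network so a bad entry cannot lock you out, and prints the hosts.deny entries (in the daemon : client form that hosts_access(5) requires) and iptables commands for the worst offenders. The sample lines are constructed; the threshold of 3, the trusted network 192.168.42.0/24 and the port-22 DROP rule are assumptions. It needs Python 3 for the ipaddress module, so run it on a workstation if the CentOS 5 box only has Python 2.

```python
"""Find brute-force sources in `lastb` output and draft the deny rules.

Added example, not code from the LinuxQuestions thread. Reads `lastb -i`
style lines (user, tty, numeric source host, timestamp), counts failures
per source address, and prints the hosts.deny entries and iptables
commands you would add by hand. Sample input, threshold and trusted
network are assumptions chosen for illustration.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format of `lastb -i` (numeric hosts, newest first).
SAMPLE_LASTB = """\
root     ssh:notty    198.51.100.7     Wed Apr 22 01:13 - 01:13  (00:00)
admin    ssh:notty    198.51.100.7     Wed Apr 22 01:12 - 01:12  (00:00)
oracle   ssh:notty    198.51.100.7     Wed Apr 22 01:12 - 01:12  (00:00)
test     ssh:notty    198.51.100.7     Wed Apr 22 01:11 - 01:11  (00:00)
root     ssh:notty    203.0.113.9      Wed Apr 22 01:10 - 01:10  (00:00)
root     ssh:notty    203.0.113.9      Wed Apr 22 01:10 - 01:10  (00:00)
root     ssh:notty    203.0.113.9      Wed Apr 22 01:09 - 01:09  (00:00)
whiskey  ssh:notty    192.168.42.5     Wed Apr 22 01:05 - 01:05  (00:00)
whiskey  ssh:notty    192.168.42.5     Wed Apr 22 01:04 - 01:04  (00:00)
whiskey  ssh:notty    192.168.42.5     Wed Apr 22 01:04 - 01:04  (00:00)
root     tty1                          Wed Apr 22 00:30 - 00:30  (00:00)

btmp begins Wed Apr 22 00:00:01 2009
"""

# user, tty, host: the first three whitespace-separated columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)")


def parse_lastb(text):
    """Yield (user, tty, host) per failed-login line, skipping the btmp trailer."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("btmp begins"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def count_by_source(text):
    """Failed logins per source IP; hosts that are not IP literals are ignored."""
    counts = Counter()
    for _user, _tty, host in parse_lastb(text):
        try:
            ip_address(host)
        except ValueError:
            continue  # console logins, or lastb run without -i
        counts[host] += 1
    return counts


def offenders(text, threshold=3, trusted=()):
    """Sources with at least `threshold` failures, worst first, minus trusted nets.

    Exclude your own management network so a typo does not lock you out.
    """
    nets = [ip_network(n) for n in trusted]
    hits = []
    for ip, n in count_by_source(text).items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in nets):
            continue
        hits.append((ip, n))
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in hits]


def deny_rules(ips):
    """hosts.deny lines in `daemon : client` form and matching iptables commands."""
    hosts_deny = ["sshd: %s" % ip for ip in ips]
    iptables = ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in ips]
    return hosts_deny, iptables


if __name__ == "__main__":
    # Real use:  lastb -i | python3 lastb_triage.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LASTB
    bad = offenders(data, threshold=3, trusted=("192.168.42.0/24",))
    deny, fw = deny_rules(bad)
    print("# add to /etc/hosts.deny")
    print("\n".join(deny))
    print("# run as root")
    print("\n".join(fw))
```

Rules added with iptables -I live only until reboot unless you run service iptables save on CentOS 5, and hosts.deny only affects daemons linked against libwrap (sshd on CentOS 5 is). Review the list before applying it: a noisy but legitimate host with three typos would otherwise be cut off too.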
04-22-2009, 02:10 PM   #3
whiskey06 (Original Poster)
Thanks for your help!

I have limited the amount of failed logins to 3, confirmed with test account.

I changed my IPTABLES rules as per your recommendation, but after adding the bit in about pinging I get this error:

Code:
 iptables v1.3.5: Couldn't load match `--state':/lib64/iptables/libipt_--state.so: cannot open shared object file: No such file or directory
And with the hosts.allow/.deny, when I set the deny file to ALL:ALL no one can log in, even on an allowed IP address. Any suggestions?

Thanks again
 
04-23-2009, 04:49 AM   #4
fotoguy (Senior Member)
Quote:
Originally Posted by whiskey06
I changed my IPTABLES rules as per your recommendation, but after adding the bit in about pinging I get this error:

Code:
 iptables v1.3.5: Couldn't load match `--state':/lib64/iptables/libipt_--state.so: cannot open shared object file: No such file or directory

Oops, sorry, a little mistake on my part; I forgot the state part. Try:


Code:
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

Quote:
And with the hosts.allow/.deny, when I set the deny file to ALL:ALL no one can log in, even on an allowed IP address. Any suggestions?

OK, this might be my fault as well. Did you add your own network address to the /etc/hosts.allow file? The address I used was just an example; you need to adjust it to suit your own network, but you do need to keep the 127.0.0.1 in there.

TCP Wrappers always reads the hosts.allow file first; if there is a match then the packet is allowed through. If no match is found, it then reads the hosts.deny file.

 
04-24-2009, 01:55 PM   #5
whiskey06 (Original Poster)
Badical, so we have the IPTABLES sorted

hosts.allow file:
Code:
127.0.0.1
192.168.42.0/255.255.255.0
192.168.42.5
192.168.42.0/24
216.1x.xx4.xx0
10.75.5.0/255.255.255.0
10.75.5.115
hosts.deny
Code:
ALL:ALL
#219.146.252.203
#61.75.175.137
#221.5.250.94
(commented out IPs for testing)

When I try to hit the internal IP 192.168.42.8 via ssh from 192.168.42.5 with that setup, I am told to beat it. I do realise that there are several entries, again from testing.

Thanks again
 
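A caveat on the hosts.allow contents posted in this thread: every line in /etc/hosts.allow and /etc/hosts.deny has the form daemon_list : client_list (see hosts_access(5)). A bare address such as 192.168.42.5 has no ':' separator, so tcpd logs a "missing ':' separator" warning and skips the line; with ALL:ALL in hosts.deny every client is then refused, which is exactly the symptom reported above. The script below is an added example (mine, not from the thread): a small emulation of tcpd's matching that flags the malformed lines and evaluates the same allow list written correctly. The file contents are constructed copies of what the thread shows; the pattern subset it understands (ALL, an exact IPv4 address, a trailing-dot prefix like 192.168.42., net/netmask, net/prefixlen) is an assumption, and hostnames, EXCEPT, IPv6 and option fields are not handled.

```python
"""Check hosts.allow / hosts.deny the way tcpd evaluates them.

Added example, not from the thread. Order of evaluation, per
hosts_access(5): first match in hosts.allow grants access, otherwise
first match in hosts.deny refuses it, otherwise access is granted.
Only a subset of client patterns is implemented (assumption).
"""
from ipaddress import ip_address, ip_network

# Allow file as posted in the thread (bare addresses): constructed copy.
THREAD_ALLOW = """\
127.0.0.1
192.168.42.0/255.255.255.0
192.168.42.5
"""

# Same intent in valid syntax: daemon list, colon, client list.
FIXED_ALLOW = """\
ALL: 127.0.0.1
sshd: 192.168.42.0/255.255.255.0, 10.75.5.0/255.255.255.0
"""

DENY = "ALL: ALL\n"


def parse_hosts_access(text):
    """Return (rules, errors); each rule is (daemon_list, client_list)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            errors.append((lineno, raw, "missing ':' separator"))
            continue
        # lists may be separated by blanks and/or commas
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if not daemons or not clients:
            errors.append((lineno, raw, "empty daemon or client list"))
            continue
        rules.append((daemons, clients))
    return rules, errors


def client_matches(pattern, ip):
    """Does one client pattern match this IPv4 address?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # classic prefix form, e.g. 192.168.42.
        return ip.startswith(pattern)
    try:
        if "/" in pattern:  # net/netmask or net/prefixlen
            return ip_address(ip) in ip_network(pattern, strict=False)
        return ip_address(ip) == ip_address(pattern)
    except ValueError:
        return False  # hostname or junk: not supported in this emulation


def decide(daemon, ip, allow_text, deny_text):
    """Emulate tcpd: allow file first, then deny file, default allow."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        rules, _errors = parse_hosts_access(text)
        for daemons, clients in rules:
            daemon_ok = "ALL" in daemons or daemon in daemons
            if daemon_ok and any(client_matches(c, ip) for c in clients):
                return verdict
    return "allow"


if __name__ == "__main__":
    for name, text in (("thread", THREAD_ALLOW), ("fixed", FIXED_ALLOW)):
        _rules, errors = parse_hosts_access(text)
        for lineno, raw, why in errors:
            print("%s hosts.allow line %d: %s: %r" % (name, lineno, why, raw))
        for client in ("192.168.42.5", "10.75.5.115", "203.0.113.9"):
            verdict = decide("sshd", client, text, DENY)
            print("%s: sshd from %s -> %s" % (name, client, verdict))
```

On the box itself, tcpdchk reports syntax errors in both files and tcpdmatch sshd 192.168.42.5 prints the verdict tcpd would reach, so run those before relying on the files. The dotted-netmask form is the one hosts_access(5) documents for IPv4 networks; whether the 192.168.42.0/24 form also posted above is accepted depends on the tcp_wrappers build, so prefer the netmask form on CentOS 5. sshd there is linked against libwrap and consults these files itself.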
04-26-2009, 04:48 AM   #6
fotoguy (Senior Member)
Good to hear it's all ok
 
  

