Tuesday, May 05, 2009

SSH Protection in IPTables

So now that we are off of Windoze IIS as our main production web server and onto Linux, I’ve been watching the logs very closely to verify all is well. I’ve got OSSEC, Logwatch and a few “custom” scripts installed for this purpose. One thing I noticed was the daily SSH brute force/dictionary attacks. I’m only password protecting the service because I’ve still got a few developers working remotely and dealing with them and certificates is a little more pain than I want right now. So, to slow down the attacks I’ve added two lines to my iptables config to keep new SSH connections from any one source address down to 3 per minute. Here are the two lines (watch the wrap):

# Rule 1: record a timestamp for the source of every new SSH connection.
iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

# Rule 2: drop the connection if that source already has 4 hits in the last 60 seconds.
# The insert positions are explicit so that --set stays above --update in the chain;
# two plain "-I INPUT" commands would put the second rule on top and shift the ban
# from the fourth new connection to the fifth.
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Essentially, every new connection to port 22 records a timestamp for the source address in the kernel’s “recent” list, and the second rule checks whether that address has accumulated 4 hits within the last 60 seconds. If someone runs a script against the server, the first 3 connections get through and are denied because of incorrect passwords; the fourth trips the --hitcount threshold and is dropped, and because --update refreshes the entry every time it matches, each further connection keeps the address banned. They can keep sending user/pass combos, but until they back off for a full 60 seconds they will just be denied, after which they get another 3 tries. Rule order matters: --set has to sit above --update in the chain for the ban to start on the fourth connection, because --update only sees timestamps that were already recorded; if --update sits first, the fourth connection is still accepted and the fifth is the first one dropped. Two caveats: the limit is per source address and counts TCP connections, not password guesses, so a client can still try MaxAuthTries passwords (sshd’s default is 6) on each connection it does get, and an attack spread across many addresses is not slowed at all. Not a perfect solution, but one to certainly stop the madness I’m currently seeing. After we get out of developer mode I’ll probably increase it to 10 minutes.
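To see the counting behaviour concretely, here is a small Python model of the two rules. It is an added example written for this post, not code from the post or from netfilter: it simulates the xt_recent bookkeeping (a list of recent timestamps per source, the 60-second window, the hit count, and the fact that --update records a fresh timestamp whenever it matches) rather than calling the kernel. The addresses and timings are constructed, and the `set_first` switch is there only to show how the verdicts change when --update ends up above --set.

```python
"""Constructed simulation of the iptables 'recent' match rules for SSH (not the kernel code)."""
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address; 20 is the module default.
IP_PKT_LIST_TOT = 20


class RecentList:
    """One named list of the recent module: source address -> timestamps of recent packets."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, src, now):
        # "--set": add the source to the list (or refresh it) with this packet's time.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # "--update --seconds S --hitcount N": match only if the source is already listed
        # and at least N of its timestamps fall inside the last S seconds. On a match the
        # current time is recorded too, which is what keeps a hammering client banned.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_chain(events, seconds=60, hitcount=4, set_first=True):
    """Run NEW SSH connections, given as (time_in_seconds, source_ip), through the two rules.

    set_first=True models the intended chain order (--set above --update -j DROP).
    set_first=False models the reversed order that two plain "-I INPUT" inserts produce.
    Returns one verdict per event, "ACCEPT" or "DROP".
    """
    recent = RecentList()
    verdicts = []
    for now, src in events:
        if set_first:
            recent.set(src, now)                       # rule 1: no target, packet continues
            dropped = recent.update(src, now, seconds, hitcount)  # rule 2: -j DROP on match
        else:
            dropped = recent.update(src, now, seconds, hitcount)
            if not dropped:
                recent.set(src, now)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


# Constructed sample: one attacker opening a connection every 10 s, one legitimate developer
# connecting once in the middle, then the attacker coming back after a 70 s pause.
ATTACKER, DEVELOPER = "198.51.100.7", "203.0.113.5"
SAMPLE_EVENTS = [
    (0, ATTACKER), (10, ATTACKER), (15, DEVELOPER), (20, ATTACKER),
    (30, ATTACKER), (40, ATTACKER), (50, ATTACKER), (120, ATTACKER),
]

if __name__ == "__main__":
    for order in (True, False):
        print("set above update" if order else "update above set")
        for (t, src), verdict in zip(SAMPLE_EVENTS, ssh_chain(SAMPLE_EVENTS, set_first=order)):
            print(f"  t={t:3d}s  {src:14s}  {verdict}")
```

With the intended order the attacker gets three connections, is dropped from the fourth onwards, and is only accepted again at t=120 because no timestamp from the last 60 seconds remains; the developer at t=15 is untouched because the list is kept per source address. With the reversed order the same sequence shows the fourth connection slipping through.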

I also looked at two scripts, fail2ban and one called protect-ssh. Both looked like they worked ok, but they were a little more difficult than the two lines above, which did pretty much what I wanted. When I get some more time I’ll probably look into both of them again.

Enjoy.
