IPTables

From VVCWiki
Jump to navigationJump to search

Block ssh brutal force attack

  • /etc/modprobe.conf
options ipt_recent ip_list_tot=200 ip_pkt_list_tot=15 ip_list_hash_size=0
  • /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IN - [0:0]
:blacklist - [0:0]
:ssh - [0:0]
-A INPUT -j IN
-A FORWARD -j IN
-A IN -i lo -j ACCEPT
-A IN -p icmp --icmp-type any -j ACCEPT
-A IN -m state --state INVALID -j DROP
-A IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH handler
-A IN -m state --state NEW -m tcp -p tcp --syn --dport ssh -j ssh
-A blacklist -m recent --name blacklist --set -j DROP
-A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP
-A ssh -m recent --set --name sshcount 
-A ssh -m recent --rcheck --name sshcount --seconds 60 --hitcount 10 -j blacklist
-A ssh -j ACCEPT
# Other services
-A IN -m state --state NEW -m tcp -p tcp --syn --dport http -j ACCEPT
-A IN -j REJECT --reject-with icmp-host-prohibited
COMMIT
Make sure ip_pkt_list_tot is big enough to fit hitcount

This firewall configuration "blacklist"s any IP, which tries to establish an ssh connection more then 10 times in any given 60 seconds interval.
The IP will be blacklisted for 600 seconds, as long as no new packets arrived from this IP during this grace period, otherwise, the timer will be reset to 0 with each new packet.


Observe your good work:

watch cat /proc/net/ipt_recent/blacklist