Hello,

I was reading up on how to do something about the ssh brute force attacks I recently see A LOT in my logs. Is it possible to allow only one connection every 60 sec (or so) per MAC address using shorewall? This should make brute forcing more difficult to anybody running the usual strategy (given the port scan constitutes a first connection attempt). Has anybody implemented this? Any pointers?

Thanks for your insights,

Joh

-- 
+----------------------------------------------------------------------+
| Johannes Graumann, Dipl. Biol.                                       |
|                                                                      |
| Graduate Student              Tel.: ++1 (626) 395 6602               |
| Deshaies Lab                  Fax.: ++1 (626) 395 5739               |
| Department of Biology                                                |
| CALTECH, M/C 156-29                                                  |
| 1200 E. California Blvd.                                             |
| Pasadena, CA 91125                                                   |
| USA                                                                  |
+----------------------------------------------------------------------+

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> Hello,
>
> I was reading up on how to do something about the ssh brute force
> attacks I recently see A LOT in my logs. Is it possible to allow only
> one connection every 60 sec (or so) per MAC address using shorewall?
> This should make brute forcing more difficult to anybody running the
> usual strategy (given the port scan constitutes a first connection
> attempt). Has anybody implemented this? Any pointers?
>
> Thanks for your insights,
>

MAC addresses would be useless, unless the machine is directly connected to your LAN.

Jerry
Johannes Graumann wrote:
> Hello,
>
> I was reading up on how to do something about the ssh brute force
> attacks I recently see A LOT in my logs. Is it possible to allow only
> one connection every 60 sec (or so) per MAC address using shorewall?
> This should make brute forcing more difficult to anybody running the
> usual strategy (given the port scan constitutes a first connection
> attempt). Has anybody implemented this? Any pointers?
>
> Thanks for your insights,
>
> Joh
>

1. You can change the ssh listen port.

2. You can use port knocking:
   http://www.shorewall.net/PortKnocking.html

3. The only good solution: disable password auth and use only ssh keys.
Jerry Vonau wrote:
>> Hello,
>>
>> I was reading up on how to do something about the ssh brute force
>> attacks I recently see A LOT in my logs. Is it possible to allow only
>> one connection every 60 sec (or so) per MAC address using shorewall?
>> This should make brute forcing more difficult to anybody running the
>> usual strategy (given the port scan constitutes a first connection
>> attempt). Has anybody implemented this? Any pointers?
>>
>> Thanks for your insights,
>>
> MAC addresses would be useless, unless the machine is directly
> connected to your LAN.
>

And any form of IP-based tracking would be wide open to DOS via source IP address spoofing.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sun, Jul 17, 2005 at 08:14:13PM -0500, ryan wrote:
> >> attacks I recently see A LOT in my logs. Is it possible to allow only
> >> one connection every 60 sec (or so) per MAC address using shorewall?

Keep in mind that if the attacker (or legitimate user) is not on the same subnet as the ssh server, the MAC address will be that of the router.

> Would it be possible (using shorewall) to create a DNAT rule with MAC
> addresses? For example, only accept port 22 traffic from a certain MAC
> address instead of IP?

This is already possible. I have a rule to allow VNC connections in my rules file:

AllowVNC        net:~00-02-E3-18-58-9B          fw

-Jason Martin
-- 
Check book: a book with an unhappy ending.
This message is PGP/MIME signed.
Cristian Rodriguez wrote:
> Johannes Graumann wrote:
>
>> Hello,
>>
>> I was reading up on how to do something about the ssh brute force
>> attacks I recently see A LOT in my logs. Is it possible to allow only
>> one connection every 60 sec (or so) per MAC address using shorewall?
>> This should make brute forcing more difficult to anybody running the
>> usual strategy (given the port scan constitutes a first connection
>> attempt). Has anybody implemented this? Any pointers?
>>
>> Thanks for your insights,
>>
>> Joh
>>
>
> 1. You can change the ssh listen port.
>
> 2. You can use port knocking:
>
> http://www.shorewall.net/PortKnocking.html
>
> 3. The only good solution:
>
> disable password auth and use only ssh keys.
>

I'd like to add

4. Gather the IP addresses of those attempting to brute force and use Shorewall's blacklist feature.

Would it be possible (using shorewall) to create a DNAT rule with MAC addresses? For example, only accept port 22 traffic from a certain MAC address instead of IP?
Jason Martin wrote:
>> Would it be possible (using shorewall) to create a DNAT rule with MAC
>> addresses? For example, only accept port 22 traffic from a certain MAC
>> address instead of IP?
> This is already possible. I have a rule to allow VNC connections
> in my rules file:
>
> AllowVNC        net:~00-02-E3-18-58-9B          fw
>

But as Jerry points out, such rules only allow locally-connected hosts and are therefore generally useless for approaching the problem of blocking dictionary attacks from the Internet.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> I'd like to add
>
> 4. Gather the IP addresses of those attempting to brute force and use
> Shorewall's blacklist feature.

Just don't automate the process, unless you can exclude your gateway, or any other host you need (think ISP DNS server). As Tom pointed out, you're just setting yourself up for a DOS attack, should someone spoof the address.

Setting up a pre-defined list of addresses that are allowed to connect to the port will go a long way in limiting what the daemon will respond to. The problem with that occurs when you have clients with dynamic addresses that change often. Well, not a problem, just a PITA to keep current.

Jerry
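Jerry's two conditions for the blacklist idea (a fixed set of hosts that must never be blocked, and a human look before anything is added) are easy to build in. The script below is an added example, not from the thread or from Shorewall: it counts "Failed password" lines per source address in sshd log output, drops anything on an allowlist (gateway, ISP resolver), and prints only the addresses over a threshold as candidates to review. The log excerpt and every address in it are constructed. One point worth keeping in mind alongside Tom's objection: spoofing is a problem for anything counted on bare connection attempts, since a SYN can carry any source address, whereas a "Failed password" line is only written after a completed TCP handshake and key exchange, so the peer behind it did receive the server's traffic.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): pick blacklist
# candidates out of sshd log lines with a fixed allowlist that is never
# blocked regardless of counters. Log lines and addresses are constructed.

# Constructed sshd log excerpt. 198.51.100.7 is hammering the server;
# 203.0.113.1 (gateway) and 203.0.113.53 (ISP resolver) also show failures;
# 192.0.2.9 is one user mistyping a password twice.
SAMPLE_LOG='Jul 17 20:14:13 gw sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jul 17 20:14:15 gw sshd[2233]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jul 17 20:14:18 gw sshd[2235]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jul 17 20:14:20 gw sshd[2237]: Failed password for root from 198.51.100.7 port 40150 ssh2
Jul 17 20:15:01 gw sshd[2240]: Failed password for joh from 203.0.113.1 port 51000 ssh2
Jul 17 20:15:03 gw sshd[2240]: Failed password for joh from 203.0.113.1 port 51000 ssh2
Jul 17 20:15:05 gw sshd[2240]: Failed password for joh from 203.0.113.1 port 51000 ssh2
Jul 17 20:15:30 gw sshd[2242]: Accepted publickey for joh from 203.0.113.1 port 51010 ssh2
Jul 17 20:16:00 gw sshd[2250]: Failed password for invalid user oracle from 203.0.113.53 port 3333 ssh2
Jul 17 20:16:02 gw sshd[2251]: Failed password for invalid user oracle from 203.0.113.53 port 3334 ssh2
Jul 17 20:16:04 gw sshd[2252]: Failed password for invalid user oracle from 203.0.113.53 port 3335 ssh2
Jul 17 20:17:10 gw sshd[2260]: Failed password for joh from 192.0.2.9 port 60000 ssh2
Jul 17 20:17:14 gw sshd[2260]: Failed password for joh from 192.0.2.9 port 60000 ssh2'

# Hosts that must never be blacklisted, whatever the counters say
# (constructed values: the gateway and the ISP's resolver).
ALLOWLIST="203.0.113.1 203.0.113.53"

# blacklist_candidates THRESHOLD ALLOWLIST < logfile
# Prints, sorted and one per line, every source address with at least
# THRESHOLD "Failed password" lines that is not in ALLOWLIST
# (space- or comma-separated).
blacklist_candidates() {
    threshold="$1"; allow="$2"
    awk -v threshold="$threshold" -v allow="$allow" '
        BEGIN {
            n = split(allow, a, "[ ,]+")
            for (i = 1; i <= n; i++) if (a[i] != "") keep[a[i]] = 1
        }
        # The user name in these lines is chosen by the remote side, so the
        # address is taken from the fixed tail of the line ("from IP port N
        # ssh2" at end of line), not from the first "from" that appears.
        /sshd\[[0-9]+\]: Failed password for / &&
        match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port [0-9]+ ssh2$/) {
            ip = substr($0, RSTART + 6)   # skip the leading " from "
            sub(/ port .*/, "", ip)       # keep only the address
            fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in keep)) print ip
        }' | sort
}

# Review this output by hand before it goes anywhere near the firewall.
printf '%s\n' "$SAMPLE_LOG" | blacklist_candidates 3 "$ALLOWLIST"
```

With the allowlist in place only 198.51.100.7 is reported; the gateway and the resolver each reached the threshold too and would have been blocked by a naive version of the same loop, which is exactly the self-inflicted outage Jerry warns about.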
On Sun, Jul 17, 2005 at 09:42:49PM -0500, ryan wrote:
> So long as I'm not being NAT'd, wouldn't my router see the incoming MAC
> address of my away-from-home-NIC?

Unfortunately not. MAC address only works up until the packet has to cross a Layer-3 device, like a router. At that point the originating MAC address is lost. The MAC address is lost again at every router hop between you and the destination. The final MAC address visible to your server will be that of the router closest to your server.

MAC address is the physical address of your card, such as AA:AB:12:11:11:11. NAT has nothing to do with the physical address of the card.

-Jason Martin
-- 
Check book: a book with an unhappy ending.
This message is PGP/MIME signed.
ryan wrote:
> ...
>> But as Jerry points out, such rules only allow locally-connected hosts
>> and are therefore generally useless for approaching the problem of
>> blocking dictionary attacks from the Internet.
>>
>> ...
> If I were on the road, and had a publicly routed IP on my laptop, would the
> MAC address rule work?
>
> So long as I'm not being NAT'd, wouldn't my router see the incoming MAC
> address of my away-from-home-NIC?

No - MACs are only seen on the local physical network. The MAC is meaningless across most WAN links.

-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
ryan wrote:
>
> So long as I'm not being NAT'd, wouldn't my router see the incoming MAC
> address of my away-from-home-NIC?
>
>

Never use MAC address validation (won't work, anyway..) as the only filtering method, nor automated blacklisting. Use uncommon usernames and strong passwords, or simply use SSH keys. Period.
On Sunday 17 July 2005 08:18 pm, Tom Eastep wrote:
> Jason Martin wrote:
> >> Would it be possible (using shorewall) to create a DNAT rule with MAC
> >> addresses? For example, only accept port 22 traffic from a certain MAC
> >> address instead of IP?
> >
> > This is already possible. I have a rule to allow VNC connections
> > in my rules file:
> >
> > AllowVNC        net:~00-02-E3-18-58-9B          fw
>
> But as Jerry points out, such rules only allow locally-connected hosts
> and are therefore generally useless for approaching the problem of
> blocking dictionary attacks from the Internet.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

If I were on the road, and had a publicly routed IP on my laptop, would the MAC address rule work?

So long as I'm not being NAT'd, wouldn't my router see the incoming MAC address of my away-from-home-NIC?
Johannes Graumann wrote:
>
> Hello,
>
> I was reading up on how to do something about the ssh brute force
> attacks I recently see A LOT in my logs. Is it possible to allow only
> one connection every 60 sec (or so) per MAC address using shorewall?
> This should make brute forcing more difficult to anybody running the
> usual strategy (given the port scan constitutes a first connection
> attempt). Has anybody implemented this? Any pointers?

As was mentioned earlier, if you want to avoid brute force attacks altogether just disable password access and only use RSA authentication with a private/public keypair, configured in your sshd_config file.

Since you haven't mentioned what type of network setup you want this to work on, standalone box or if it's only LAN access or you would like to connect from WAN/Internet to the LAN, as well, I would suggest having a separate box configured as a relay. You can port forward from the net into this box, login as a normal user and then use su to login onto the firewall, also using RSA authentication. Works just as well within a LAN, just allow yourself access to this machine. This way you avoid opening the ssh server on the firewall to the net and you can also avoid adding extra accounts on the firewall itself. The only address allowed to connect to the ssh server on the firewall would be the relay box itself.

Personally I use an old Pentium II machine running LEAF as the firewall and a Pentium III running OpenBSD as the relay, works like a charm.

-- 
Patrick Benson
Stockholm, Sweden
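Cristian's third point and Patrick's reply both come down to the same sshd_config check: is a password accepted at all? The script below is an added example, not from the thread or from OpenSSH or Shorewall. It reads the effective top-level value of a directive the way sshd does (first occurrence wins, keywords are case-insensitive, anything after a Match line is conditional) and reports whether the server is still password-attackable. ChallengeResponseAuthentication is checked alongside PasswordAuthentication because, with PAM in use, the keyboard-interactive path can still present a password prompt after PasswordAuthentication has been set to no. Both sample configs and the temporary file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSH or Shorewall): audit an
# sshd_config for the settings that decide whether passwords can be guessed.
# Both sample configs below are constructed.

# sshd_value KEYWORD FILE DEFAULT
# Print the effective top-level value of KEYWORD, mirroring how sshd reads
# the file: the first occurrence wins, keywords are case-insensitive,
# comments and blank lines are ignored, and everything after the first
# "Match" line is conditional and so not consulted. DEFAULT stands in for
# sshd's compiled-in default when the keyword is absent.
sshd_value() {
    key="$1"; file="$2"; default="$3"
    value=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0   { next }           # comment or blank
        tolower($1) == "match"        { exit }           # conditional section
        tolower($1) == tolower(key)   { print $2; exit } # first hit wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# ssh_auth_posture FILE
# "key-only" when neither PasswordAuthentication nor
# ChallengeResponseAuthentication is enabled at top level, otherwise
# "password-attackable". Both default to yes in OpenSSH, and with PAM in
# use keyboard-interactive can still hand out a password prompt even when
# PasswordAuthentication is no, so both have to be off.
ssh_auth_posture() {
    file="$1"
    pw=$(sshd_value PasswordAuthentication "$file" yes | tr 'A-Z' 'a-z')
    cr=$(sshd_value ChallengeResponseAuthentication "$file" yes | tr 'A-Z' 'a-z')
    if [ "$pw" = "no" ] && [ "$cr" = "no" ]; then
        printf 'key-only\n'
    else
        printf 'password-attackable\n'
    fi
}

# Constructed sample 1: a stock-looking config. PasswordAuthentication is
# present only as a comment, so the default (yes) applies.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed sample 2: hardened. The Match block re-enables passwords for
# one account only; that must not change the top-level verdict.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

Match User backup
    PasswordAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    printf '%s: port %s, %s\n' "$cfg" \
        "$(sshd_value Port "$cfg" 22)" "$(ssh_auth_posture "$cfg")"
done
```

Run against a real file, `sshd_value` takes the path of the live sshd_config instead of the temporary samples; a config whose only PasswordAuthentication line is commented out is the common case the first sample stands for, and it is reported as attackable because the default, not the comment, is what sshd applies.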