Hi list!

On another list I read a suggestion to secure ssh a tiny bit by using a special firewall rule. This is a snippet from the post:

---quote---
I have the following in my firewall:

-A INPUT -p tcp --dport 12345 -m recent --set
-A INPUT -p tcp --dport ssh -m state --state NEW \
   -m recent --update --seconds 43200 -j ACCEPT

This will only allow SSH from a computer which has telneted to port 12345 (obviously I use something else) in the past 12 hours (even the simple windows telnet will work, it's just important to try to connect). Obviously the above could be made more complicated with more than 1 port having to be 'telneted' but I doubt it's worth the trouble.
---unquote---

Would anything such be possible with shorewall?

Thanks!!
Remco

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Lucas Velasco
2005-Aug-23 19:55 UTC
Re: Custom rule to secure SSH possible with Shorewall?
Please have a look at http://www.shorewall.net/PortKnocking.html

HTH

On 8/23/05, Remco Barendse <shorewall@barendse.to> wrote:
> ...
> -A INPUT -p tcp --dport 12345 -m recent --set
> -A INPUT -p tcp --dport ssh -m state --state NEW \
>    -m recent --update --seconds 43200 -j ACCEPT
> ...
> Would anything such be possible with shorewall?

-- 
Linux Registered User #385459
http://counter.li.org/cgi-bin/certificate.cgi/385459
Eduardo Ferreira
2005-Aug-23 19:57 UTC
Re: Custom rule to secure SSH possible with Shorewall?
Remco wrote on 23/08/2005 16:53:36:

> Hi list!

Hi!

> ...
> -A INPUT -p tcp --dport 12345 -m recent --set
> -A INPUT -p tcp --dport ssh -m state --state NEW \
>    -m recent --update --seconds 43200 -j ACCEPT

There's a doc page talking about integrating this with shorewall. Try looking for "knock" in the shorewall site.

HIH,
-- 
Eduardo Ferreira
Cristian Rodriguez
2005-Aug-23 22:22 UTC
Re: Custom rule to secure SSH possible with Shorewall?
Remco Barendse wrote:
> ...
> -A INPUT -p tcp --dport 12345 -m recent --set
> -A INPUT -p tcp --dport ssh -m state --state NEW \
>    -m recent --update --seconds 43200 -j ACCEPT
>
> This will only allow SSH from a computer which has telneted to port

Use only ssh-keys and the problem is gone,
Remco Barendse
2005-Aug-24 18:20 UTC
Re: Custom rule to secure SSH possible with Shorewall?
Thanks all! I had no idea it was called port knocking but I'm a bit embarrassed I didn't find it on the website.

I know it's not really secure but at least it will keep most of the ssh script kiddies out

Thanks! :)

On Tue, 23 Aug 2005, Lucas Velasco wrote:
> Please have a look at http://www.shorewall.net/PortKnocking.html
>
> HTH
> ...
Bob Hutchinson
2005-Aug-25 00:08 UTC
Re: Custom rule to secure SSH possible with Shorewall?
On Wednesday 24 Aug 2005 19:20, Remco Barendse wrote:
> Thanks all! I had no idea it was called port knocking but I'm a bit
> embarrassed I didn't find it on the website.
>
> I know it's not really secure but at least it will keep most of the
> ssh script kiddies out
>
> Thanks! :)

Port knocking is an interesting approach, but have you tried the rate-limiting feature in the rules file? I added this to a testbox:

ACCEPT net $FW tcp ssh - - 2/min:4

Then I emulated a dictionary attack and it got stuck in the tar almost immediately. Any comments anyone on this approach?

> On Tue, 23 Aug 2005, Lucas Velasco wrote:
> > Please have a look at http://www.shorewall.net/PortKnocking.html
> > ...

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
Bob Hutchinson wrote:
> ...
> Port knocking is an interesting approach, but have you tried the rate-limiting
> feature in the rules file? I added this to a testbox:
>
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> Then I emulated a dictionary attack and it got stuck in the tar almost
> immediately. Any comments anyone on this approach?

Excellent advice, as long as you're not expecting a lot of ssh traffic (which most of us aren't).

When my box was getting hit by an ssh brute forcer, it was getting more like 60/min. You might need to adjust the actual figures based on your link speed.

Paul
K. Bräckelmann
2005-Aug-25 01:05 UTC
Re: Custom rule to secure SSH possible with Shorewall?
> Port knocking is an interesting approach, but have you tried the rate-limiting
> feature in the rules file? I added this to a testbox:
>
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> Then I emulated a dictionary attack and it got stuck in the tar almost
> immediately. Any comments anyone on this approach?

Yup. You're DoS'ing yourself.

During an ongoing SSH brute force attack odds are high that you won't be able to SSH into your own machine, since the rate limiting prevents this. The attacker gets stuck in the tar, but you are walking on the very same street...

If you want/need to access the machine from the net for maintenance at any time, this is a risky approach.

  karsten
On Thu, 25 Aug 2005 03:05:07 +0200
"K." Bräckelmann <k.braeckelmann@davision.com> wrote:
> > Port knocking is an interesting approach, but have you tried the rate-limiting
> > feature in the rules file? I added this to a testbox:
> >
> > ACCEPT net $FW tcp ssh - - 2/min:4
> > ...
> Yup. You're DoS'ing yourself.
>
> During an ongoing SSH brute force attack odds are high that you won't be
> able to SSH into your own machine, since the rate limiting prevents this.
> The attacker gets stuck in the tar, but you are walking on the very same
> street...
>
> If you want/need to access the machine from the net for maintenance at
> any time, this is a risky approach.
>
>   karsten

Would there be some way to specify a "not IP xx.xx.xx.xx"? Like

ACCEPT net:!management.IP $FW tcp ssh - - 2/min:4
ACCEPT net:management.IP $FW tcp ssh

That would ensure that at least one IP wouldn't be in tarland.
K. Bräckelmann
2005-Aug-25 01:51 UTC
Re: Custom rule to secure SSH possible with Shorewall?
> > > Port knocking is an interesting approach, but have you tried the rate-limiting
> > > feature in the rules file? I added this to a testbox:
> > >
> > > ACCEPT net $FW tcp ssh - - 2/min:4
> > > ...
> > Yup. You're DoS'ing yourself.
> > ...
> Would there be some way to specify a "not IP xx.xx.xx.xx"? Like
>
> ACCEPT net:!management.IP $FW tcp ssh - - 2/min:4
> ACCEPT net:management.IP $FW tcp ssh
>
> That would ensure that at least one IP wouldn't be in tarland.

Yes. First come, first served.

The first rule that matches the connection request will be processed. Thus an unlimited (as in rate-limit) ACCEPT rule limited to specific IPs only would do:

ACCEPT net:1.2.3.4 $FW tcp ssh
ACCEPT net $FW tcp ssh - - 2/min:4

See http://shorewall.net/Documentation.htm#Rules for details.

Note though, that this will enable the attacker to bypass the rate-limit by address spoofing...

  karsten
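A worked model of what the two rule orderings above do, added here as an example; it is not code from the thread or from Shorewall. Shorewall's `2/min:4` rate column compiles to netfilter's `limit` match (`--limit 2/min --limit-burst 4`), which is a single token bucket for that rule rather than one per source address (Tom Eastep confirms later in the thread that it is not per-IP). The script models that bucket, replays one attacker sending a new SSH SYN every second (the 60/min Paul reports) while the admin tries once from a different address, and compares Bob's plain rule with Karsten's ordering that lists the admin address first. The addresses, timestamps and packet mix are constructed, and the token-bucket arithmetic is my reading of the `limit` match, not Shorewall's own code; packets the rule does not match are assumed to fall through to a DROP policy.

```python
"""Model of netfilter's 'limit' match (what Shorewall's "2/min:4" compiles to)
replayed against a constructed SSH brute-force timeline.

Assumptions (not from the thread): the limit match is one token bucket shared
by every packet the rule sees, holding at most `burst` tokens and refilled at
`rate` tokens per minute; a packet that finds no token does not match and
falls through to the zone policy, taken to be DROP here.
"""
from fractions import Fraction

ATTACKER = "198.51.100.9"   # constructed addresses from the RFC 5737 ranges
ADMIN = "203.0.113.5"


class LimitMatch:
    """One token bucket, as '-m limit --limit <rate>/min --limit-burst <burst>'."""

    def __init__(self, rate_per_min, burst):
        self.capacity = burst
        self.tokens = Fraction(burst)             # bucket starts full
        self.refill = Fraction(rate_per_min, 60)  # tokens added per second
        self.last = Fraction(0)

    def matches(self, t):
        # Exact arithmetic so the replay is deterministic.
        t = Fraction(t)
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limited_accept(packets, rate_per_min=2, burst=4):
    """ACCEPT net $FW tcp ssh - - 2/min:4  -- one bucket for everybody."""
    bucket = LimitMatch(rate_per_min, burst)
    return ["ACCEPT" if bucket.matches(t) else "DROP" for t, _src in packets]


def whitelist_then_rate_limit(packets, admin_ip, rate_per_min=2, burst=4):
    """Karsten's ordering:
         ACCEPT net:1.2.3.4 $FW tcp ssh
         ACCEPT net $FW tcp ssh - - 2/min:4
    The first matching rule wins, so the admin address never touches the bucket."""
    bucket = LimitMatch(rate_per_min, burst)
    verdicts = []
    for t, src in packets:
        if src == admin_ip:
            verdicts.append("ACCEPT")
        else:
            verdicts.append("ACCEPT" if bucket.matches(t) else "DROP")
    return verdicts


def brute_force_timeline(seconds=120, admin_at=91):
    """Constructed: one new SSH SYN per second from the attacker, plus a single
    admin login attempt at `admin_at` seconds, queued just behind the attacker's
    packet that carries the same timestamp."""
    packets = [(s, ATTACKER) for s in range(seconds)]
    packets.insert(admin_at + 1, (admin_at, ADMIN))
    return packets


def compare(seconds=120, admin_at=91):
    """Per policy: how many attacker SYNs got through, and what happened to
    the admin's one attempt."""
    packets = brute_force_timeline(seconds, admin_at)
    admin_index = admin_at + 1
    result = {}
    for name, verdicts in (
        ("global_limit", rate_limited_accept(packets)),
        ("whitelist_first", whitelist_then_rate_limit(packets, ADMIN)),
    ):
        attacker_ok = sum(
            1 for (_, src), v in zip(packets, verdicts) if src == ATTACKER and v == "ACCEPT"
        )
        result[name] = {"attacker_accepted": attacker_ok, "admin": verdicts[admin_index]}
    return result


if __name__ == "__main__":
    for policy, outcome in compare().items():
        print(f"{policy:16s} attacker SYNs accepted in 2 min: {outcome['attacker_accepted']:2d}"
              f"  admin login: {outcome['admin']}")
```

With the plain rule the attacker burns the 4-token burst in the first four seconds and then takes the single refill token every 30 seconds, so the bucket is empty whenever the admin arrives and the admin's SYN is dropped: the self-DoS Karsten describes. Listing the admin address first leaves the attacker exactly as throttled (7 accepted SYNs in two minutes in this replay) while the admin gets in, at the cost Karsten also notes: whoever can source packets from that address, by spoofing or by sitting at the ISP, bypasses the limit.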
On Thu, 25 Aug 2005 03:51:26 +0200
"K." Bräckelmann <k.braeckelmann@davision.com> wrote:
> ...
> The first rule that matches the connection request will be processed.
> Thus an unlimited (as in rate-limit) ACCEPT rule limited to specific IPs
> only would do:
>
> ACCEPT net:1.2.3.4 $FW tcp ssh
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> See http://shorewall.net/Documentation.htm#Rules for details.
>
> Note though, that this will enable the attacker to bypass the rate-limit
> by address spoofing...
>
>   karsten

That's a good point, but they would need to know your management IP to spoof it....
Ryan wrote:
> On Thu, 25 Aug 2005 03:51:26 +0200
> "K." Bräckelmann <k.braeckelmann@davision.com> wrote:
>> The first rule that matches the connection request will be processed.
>> Thus an unlimited (as in rate-limit) ACCEPT rule limited to specific IPs
>> only would do:
>>
>> ACCEPT net:1.2.3.4 $FW tcp ssh
>> ACCEPT net $FW tcp ssh - - 2/min:4
>>
>> See http://shorewall.net/Documentation.htm#Rules for details.
>>
>> Note though, that this will enable the attacker to bypass the rate-limit
>> by address spoofing...
>>
>>   karsten
>
> That's a good point, but they would need to know your management IP to spoof it....

Some patient person working at your ISP could easily engineer such an attack.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
K. Bräckelmann wrote:
> ...
> The first rule that matches the connection request will be processed.
> Thus an unlimited (as in rate-limit) ACCEPT rule limited to specific IPs
> only would do:
>
> ACCEPT net:1.2.3.4 $FW tcp ssh
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> See http://shorewall.net/Documentation.htm#Rules for details.
>
> Note though, that this will enable the attacker to bypass the rate-limit
> by address spoofing...

In that case, you'd still be protected against brute force attacks, because they wouldn't get an open connection.

Paul
Cristian Rodriguez
2005-Aug-25 02:14 UTC
Re: Custom rule to secure SSH possible with Shorewall?
Ryan wrote:
>> ACCEPT net:1.2.3.4 $FW tcp ssh
>> ACCEPT net $FW tcp ssh - - 2/min:4
>>
>> See http://shorewall.net/Documentation.htm#Rules for details.
>>
>> Note though, that this will enable the attacker to bypass the rate-limit
>> by address spoofing...
>>
>>   karsten
>
> That's a good point, but they would need to know your management IP to spoof it....

and ip addresses aren't secrets.. :-)

use that trick, but with caution, you can D.o.S yourself :-P

frankly, I think it is not worth the hassle. use very good passwords, or simply use ssh-keys.

Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Remco Barendse
2005-Aug-25 04:52 UTC
Re: Custom rule to secure SSH possible with Shorewall?
>>> The first rule that matches the connection request will be processed.
>>> Thus an unlimited (as in rate-limit) ACCEPT rule limited to specific IPs
>>> only would do:
>>>
>>> ACCEPT net:1.2.3.4 $FW tcp ssh
>>> ACCEPT net $FW tcp ssh - - 2/min:4
>>> ...
>>> Note though, that this will enable the attacker to bypass the rate-limit
>>> by address spoofing...
>>
>> That's a good point, but they would need to know your management IP to spoof it....
>
> Some patient person working at your ISP could easily engineer such an
> attack.

Fully agree, but on the other hand (that's why I like port knocking) the logs will be readable. On my humble home box I have 1.4 megabytes of ssh login attempts from just last night.

If I use port knocking and I do see some ssh login attempts I know it's not one of the million ssh probe scripts that are running but somebody putting in some serious effort, which is something to worry about!

Maybe I'll do both, first port knocking, then still rate limit the ssh port. Good luck brute forcing that before I notice :)

Thanks for the hints all!
Bob Hutchinson
2005-Aug-25 11:24 UTC
Re: Custom rule to secure SSH possible with Shorewall?
On Thursday 25 Aug 2005 01:08, Bob Hutchinson wrote:
> On Wednesday 24 Aug 2005 19:20, Remco Barendse wrote:
> > ...
> > I know it's not really secure but at least it will keep most of the
> > ssh script kiddies out
>
> Port knocking is an interesting approach, but have you tried the
> rate-limiting feature in the rules file? I added this to a testbox:
>
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> Then I emulated a dictionary attack and it got stuck in the tar almost
> immediately. Any comments anyone on this approach?

There have been some interesting responses to this. I ran some more tests on my little intranet and came to the following conclusion:

the rate-limiting seems to be per-ip, so if I fire off repeated attempts from one machine it gets tarred, but if I try to get in from another machine a few seconds later the password prompt appears straightaway, even while the tarred one is stuck.

I already have rules for admin ips so I can get in straightaway, so I don't DOS myself (phew!)

I haven't applied this on my live boxes yet, all of which are being subjected to several dictionary attacks per day, occasionally at the rate of 150 per minute. Ouch. Hopefully tarring them will croak their scripts.

ATM I am running an sshprobeblocker script every two minutes, which scans the logs and puts them into hosts.deny. This is clearly a kludge I want to get rid of, but it does (sort of) work.

The very good advice of just using keys is clearly the best solution; convincing the few customers that have ssh enabled to use keys is the hard part ;-( It was hard enough to get them to use decent passwords!

I'm not too worried about spoofing the admin ips, as others have pointed out they would have to be known. If a blackhat working at my isp gave the game away it wouldn't be just me who was up the creek....

I think I've covered all the points raised, a good thread!

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
Bob Hutchinson wrote:
>
> the rate-limiting seems to be per-ip

It's not.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Bob Hutchinson
2005-Aug-25 15:00 UTC
Re: Custom rule to secure SSH possible with Shorewall?
On Thursday 25 Aug 2005 14:56, Tom Eastep wrote:
> Bob Hutchinson wrote:
> > the rate-limiting seems to be per-ip
>
> It's not.

Thank you Tom, that's the definitive answer I was looking for, hence 'seems'.

I've gone ahead and added the rule to one of my boxes, see if it stops these attempts in a more elegant way

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
On Tuesday 23 August 2005 21:53, Remco Barendse wrote:
> -A INPUT -p tcp --dport 12345 -m recent --set
> -A INPUT -p tcp --dport ssh -m state --state NEW \
>    -m recent --update --seconds 43200 -j ACCEPT

Another approach that I have seen recently for blocking these attacks uses this (excuse the line wrapping):

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m recent --update --seconds 60 -j DROP
iptables -A INPUT -p tcp --dport ssh --tcp-flags syn,ack,rst syn -m recent --set -j ACCEPT

And this site has a recipe for implementing these rules with a custom Shorewall action rule:

http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/

Would somebody care to comment:

Will this work with recent versions of iptables/kernel, eg as supplied with Debian "sarge", or will custom/patched tools be required?

I understand this is IP specific. Is it correct to assume that a random dictionary attack on the server's ssh port won't prevent a from a specific client IP.

Is the custom action rule the best (or at least a good) way of implementing the rules from within Shorewall?

Thanks

Ian
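Both rule sets in this thread hinge on what the `recent` match does: `--set` records the source address with a timestamp, and `--update --seconds N` matches only if the source is already in the list and was seen within the last N seconds, refreshing its timestamp on a match. Below is an added example, not code from the thread, from Shorewall or from the blog post linked above: a small Python model of that list, replayed first over Remco's port-knocking rules from the start of the thread (knock on port 12345, then SSH within 12 hours) and then over the per-address limiter quoted just above. The packet sequences, addresses and times are constructed; the `ESTABLISHED` handling and the DROP policy for anything unmatched are assumptions about the rest of the firewall, which the snippets do not show.

```python
"""Model of netfilter's 'recent' match replayed over the two rule sets in this
thread: Remco's port knock and Ian's per-address connection limiter.

Assumptions (not from the thread): the real firewall has an
'--state ESTABLISHED,RELATED -j ACCEPT' rule ahead of these, the chain policy
is DROP, and nothing listens on the knock port.
"""
from dataclasses import dataclass

KNOCK_PORT = 12345
SSH_PORT = 22
KNOCK_TTL = 43200    # --seconds 43200 in Remco's rule: 12 hours
LIMIT_WINDOW = 60    # --seconds 60 in Ian's rule


@dataclass(frozen=True)
class Packet:
    """A constructed inbound TCP packet as the INPUT chain sees it."""
    src: str
    dport: int
    t: float                   # arrival time, seconds
    syn: bool = True           # bare SYN, i.e. '--tcp-flags syn,ack,rst syn'
    established: bool = False  # conntrack already knows the flow


class RecentList:
    """The per-source last-seen table that '-m recent' keeps."""

    def __init__(self):
        self.last_seen = {}    # source address -> last timestamp

    def set(self, pkt):
        """--set: add or refresh the source. Always 'matches'."""
        self.last_seen[pkt.src] = pkt.t
        return True

    def update(self, pkt, seconds):
        """--update --seconds N: match if src was seen within N seconds and
        refresh its timestamp on a match (this is what makes the window slide)."""
        seen = self.last_seen.get(pkt.src)
        if seen is None or pkt.t - seen > seconds:
            return False
        self.last_seen[pkt.src] = pkt.t
        return True


def port_knock_verdict(pkt, knocks):
    """Remco's rules:
       -A INPUT -p tcp --dport 12345 -m recent --set
       -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 43200 -j ACCEPT
    """
    if pkt.established:
        return "ACCEPT"                   # assumed ESTABLISHED rule earlier in the chain
    if pkt.dport == KNOCK_PORT:
        knocks.set(pkt)                   # no -j: the knock is recorded, then falls
        return "DROP"                     # through to the chain policy
    if pkt.dport == SSH_PORT and knocks.update(pkt, KNOCK_TTL):
        return "ACCEPT"
    return "DROP"


def per_address_limit_verdict(pkt, seen):
    """Ian's rules:
       -A INPUT -m state --state ESTABLISHED -j ACCEPT
       -A INPUT -p tcp --dport ssh -m recent --update --seconds 60 -j DROP
       -A INPUT -p tcp --dport ssh --tcp-flags syn,ack,rst syn -m recent --set -j ACCEPT
    """
    if pkt.established:
        return "ACCEPT"
    if pkt.dport == SSH_PORT:
        if seen.update(pkt, LIMIT_WINDOW):
            return "DROP"                 # seen within the window: dropped, window refreshed
        if pkt.syn:
            seen.set(pkt)
            return "ACCEPT"               # first SYN from a quiet address gets through
    return "DROP"


def replay(verdict_fn, packets):
    state = RecentList()
    return [verdict_fn(p, state) for p in packets]


def knock_demo():
    """Constructed sequence: a scanner that never knocks, and a client that
    knocks, connects, then comes back after the 12-hour window has lapsed."""
    client, scanner = "203.0.113.5", "198.51.100.9"
    return replay(port_knock_verdict, [
        Packet(client, SSH_PORT, t=0),                  # no knock yet        -> DROP
        Packet(client, KNOCK_PORT, t=1),                # the knock           -> DROP, but recorded
        Packet(client, SSH_PORT, t=2),                  # within 12 h         -> ACCEPT
        Packet(scanner, SSH_PORT, t=3),                 # never knocked       -> DROP
        Packet(client, SSH_PORT, t=2 + KNOCK_TTL + 1),  # window expired      -> DROP
    ])


def limit_demo():
    """Constructed sequence: attacker retries every second for a minute, the
    admin connects once from another address, attacker returns after a quiet spell."""
    attacker, admin = "198.51.100.9", "203.0.113.5"
    packets = [Packet(attacker, SSH_PORT, t=0)]                          # first SYN     -> ACCEPT
    packets += [Packet(attacker, SSH_PORT, t=s) for s in range(1, 61)]   # 60 retries    -> DROP each
    packets += [Packet(admin, SSH_PORT, t=61)]                           # other address -> ACCEPT
    packets += [Packet(admin, SSH_PORT, t=62, syn=False, established=True)]  # data pkt  -> ACCEPT
    packets += [Packet(attacker, SSH_PORT, t=200)]                       # >60 s quiet   -> ACCEPT
    return replay(per_address_limit_verdict, packets)


if __name__ == "__main__":
    print("port knock:       ", knock_demo())
    v = limit_demo()
    print("per-address limit:", v[0], f"then {v[1:61].count('DROP')} drops,", v[61:])
```

Two things the replay makes visible that the rules alone do not. In the knock set, `--update` refreshes the timestamp on every accepted SSH connection, so the 12 hours are measured from the last SSH connect, not from the knock; a knock is only needed again after 12 hours of SSH silence, and anyone who can see the knock SYN on the wire (or who scans the port) has the whole secret. In Ian's set, a client that retries inside the window keeps refreshing its own block, which stalls a one-address brute forcer but also drops an admin who mistypes a password and reconnects within a minute; and because the state is per address, an attack spread over many addresses is not slowed at all, while the kernel's `recent` table is bounded in size (the `ip_list_tot` module parameter), so a wide enough scan evicts older entries.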
Ian wrote:
> On Tuesday 23 August 2005 21:53, Remco Barendse wrote:
>> -A INPUT -p tcp --dport 12345 -m recent --set
>> -A INPUT -p tcp --dport ssh -m state --state NEW \
>>    -m recent --update --seconds 43200 -j ACCEPT
>
> Another approach that I have seen recently for blocking these attacks
> uses this (excuse the line wrapping):
>
> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport ssh -m recent --update --seconds 60 -j DROP
> iptables -A INPUT -p tcp --dport ssh --tcp-flags syn,ack,rst syn -m recent --set -j ACCEPT
>
> And this site has a recipe for implementing these rules with a custom
> Shorewall action rule:
>
> http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/
>
> Would somebody care to comment:

Please read the entire thread you are replying to -- this thread STARTED with exactly your question!!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom

On Monday 29 August 2005 17:06, Tom Eastep wrote:
> Ian wrote:
> > ...
> > And this site has a recipe for implementing these rules with a
> > custom Shorewall action rule:
> >
> > http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/
> >
> > Would somebody care to comment:
>
> Please read the entire thread you are replying to -- this thread
> STARTED with exactly your question!!

If my understanding is correct:

The original poster (quoted above) suggests a "port knocking" solution. Ie requiring a connection be made to another port to enable connections to the ssh one.

While the iptables snippet I have quoted, and the "Limit" action rule from the above site, limit the IP connection rate per originating IP address.

Ian
-- 
Ian Forbes
ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P. O. Box 46827, Glosderry, 7702, South Africa
Hi Ian,

Ian wrote:
>>> Another approach that I have seen recently for blocking these
>>> attacks uses this (excuse the line wrapping):
>>> ...
>>> Would somebody care to comment:
>> Please read the entire thread you are replying to -- this thread
>> STARTED with exactly your question!!
>
> If my understanding is correct:
>
> The original poster (quoted above) suggests a "port knocking" solution.
> Ie requiring a connection be made to another port to enable connections
> to the ssh one.
>
> While the iptables snippet I have quoted, and the "Limit" action rule from
> the above site, limit the IP connection rate per originating IP
> address.

Yes, sorry; you are correct. The example that you posted is a cute way of limiting the number of connections/unit time/IP address. Using an Action is the correct way to implement that approach, although I object to Juergen's use of $TAG (he and I exchanged emails about this -- it's the only way to pass parameters to an action currently).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Yes, sorry; you are correct. The example that you posted is a cute way
> of limiting the number of connections/unit time/IP address. Using an
> Action is the correct way to implement that approach, although I object
> to Juergen's use of $TAG (he and I exchanged emails about this -- it's
> the only way to pass parameters to an action currently).

In the Development branch, I've changed the code to allow $TAG to be used as a generalized parameter to Action extension scripts like Juergen's. See the release notes for details (they will be in tomorrow's snapshot).

One thing that is very wrong with Juergen's script though is the first line:

[ -n "$TAG" ] || exit 1

Extension scripts are run in the context of the shell process that is [re]starting Shorewall; exiting that shell will cause:

a) Netfilter to be left in an inconsistent state (although there should be no security risk).

b) A stale lock file will remain on disk (/var/lib/shorewall/lock) causing subsequent Shorewall operations to hang.

Extension scripts that detect an error should call "fatal_error" passing as an argument the error message that they wish displayed.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key