I want to counter SSH brute force attacks on the various servers with SSH access from the 'net' zone. I have a firewall on a PC using Shorewall 4.0.6 (shorewall-common + perl) between 'net' and the zones 'loc' (most user PCs) and 'serv' (my central servers).

- I hope I can protect all 'loc' and 'serv' systems through changes in the shorewall rules? (I mean, not just protecting only the firewall itself)

I understand Limiting Per-IP Connection Rate can be done via the 'Limit' Action (http://shorewall.net/Actions.html).

Some of the rules in my /etc/shorewall/rules are:
ACCEPT loc $FW tcp 22
ACCEPT serv $FW tcp 22
ACCEPT net serv tcp 22
ACCEPT net $SSH_LOC tcp 22

(SSH_LOC is a parameter defined in my /etc/shorewall/params file, listing all the IP addresses of machines behind my firewall which have sshd running and want their machine to be accessible via SSH)

- Is it sufficient to just add (e.g. for the 3rd line)
Limit:info:SSHA,3,60 net serv tcp 22
and similar lines for the other cases (and no need to create separate files with specifications in e.g. /etc/shorewall) and restart shorewall?

- I do not understand well what the 'set name' means (the SSHA) ...

- Neither in my /etc/shorewall nor in my /etc/share/shorewall directory do I find an action.Limit or Limit file. Is this normal?

- In the log I hope there will be only entries when there occur more than 3 SSH connections from the same IP in a 60 second timeframe, and not for every SSH connection, is that right?

- In case the seeker of access is a normal person, just not very well remembering his password, will he get some warning that he will have to wait for about a minute after 3 tries?
Thx,

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Thu, Sep 04, 2008 at 01:29:47PM +0200, Pieter Donche wrote:
> I want to counter SSH brute force attacks on the various servers with
>
This is a good thing to want to do.

> Limit:info:SSHA,3,60 net serv tcp 22
>
There are multiple ways to do this. Here is how I prefer to set it up on my servers:

SSH/ACCEPT loc $FW
SSH/ACCEPT net $FW - - - - 1/min:2

That lets machines on the local side (which often access things like svn+ssh that make lots of new connection requests) have unrestricted access.

> - In the log I hope there will be only entries when there occur more
> than 3 SSH connections from a same IP in a 60 seconds timeframe,
> and not for every SSH connection, is that right?
>
It is actually a global limit. So, if I trigger the rate limit on your server trying to attack it, then you also will be prevented from accessing it until the rate limit allows another connection. Though, in practice I have not found this to be too great of a problem, since scripts often get stuck or bored on rate-limited connections and time out. Though, in your case, port knocking might be a better solution.

> - In case the seeker of access is a normal person, just not very well
> remembering his password, will he get some warning that he will have
> to wait for about a minute after 3 tries?
>
There will be no warning. The connection will simply appear to hang.

Incidentally, if you allow password-based logins, then there is no way to guarantee protection from brute force attacks. The only way to guarantee that a brute force attack will never succeed is to allow only key-based logins. Also, if you go the route of having key-based logins, make certain to educate your users on the importance of choosing strong passphrases for their keys and otherwise properly securing them.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Thu, 4 Sep 2008, Roberto C. Sánchez wrote:
> On Thu, Sep 04, 2008 at 01:29:47PM +0200, Pieter Donche wrote:
>> I want to counter SSH brute force attacks on the various servers with
>>
> This is a good thing to want to do.
>
>> Limit:info:SSHA,3,60 net serv tcp 22
>>
> There are multiple ways to do this. Here is how I prefer to set it up
> on my servers:
>
> SSH/ACCEPT loc $FW
> SSH/ACCEPT net $FW - - - - 1/min:2

".. prefer to set it up on my servers": do you mean you have shorewall running on each of your servers and set it up on each of them as above? I'm looking for a way to set it up on a single firewall between 'net' and my 'serv' zone (several SSHD running machines) and 'loc' zone (15 to 20 SSHD running machines). I do not allow SSH connections to $FW from 'net' except for 2 machines which I manage myself.

If I use the RATE LIMIT construct, I guess it should be used on my
ACCEPT net serv tcp 22
ACCEPT net $SSH_LOC tcp 22
lines?

> That lets machines on the local side (which often access things like
> svn+ssh that make lots of new connection requests, have unrestricted
> access.
>
>> - In the log I hope there will be only entries when there occur more
>> than 3 SSH connections from a same IP in a 60 seconds timeframe,
>> and not for every SSH connection, is that right?
>>
> It is actually a global limit. So, if I trigger the rate limit on your
> server trying to attack it, then you also will be prevented from
> accessing it until the rate limit allows another connection.

This I don't understand: you and I have different IP addresses when trying to SSH connect to a machine in my serv or loc zone, and the http://shorewall.net/Actions.html doc file names the technique "Limiting Per-IP Connection Rate", so I understand the limit should be applied independently for different incoming IPs.

A brute force attacker initiates his attacks from a single IP (at least within a timeframe of one minute; next week he might have broken into a different machine and attack from there) with fast succeeding trials, so it makes sense to limit the rate to a maximum per minute.

> Though, in
> practice I have not found this to be too great of a problem, since
> scripts often get stuck or bored on rate-limited connections and time
> out.

I looked at the 'RATE LIMIT' field in the rules man-page. The meaning of 'burst' is not clear to me. I guess it's some sort of 'quantity of requests', but what quantity exactly?

> Though, in your case, port knocking might be a better solution.
>
>> - In case the seeker of access is a normal person, just not very well
>> remembering his password, will he get some warning that he will have
>> to wait for about a minute after 3 tries?
>>
> There will be no warning. The connection will simply appear to hang.
> Incidentally, if you allow password-based logins, then there is no way
> to guarantee protection from brute force attacks. The only way to
> guarantee that a brute force attack will never succeed is to allow only
> key-based logins. Also, if you go the route of having key-based logins,
> make certain to educate your users on the importance of choosing strong
> passphrases for their keys and otherwise properly securing them.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>
Pieter Donche wrote:
>
> - I hope I can protect all 'loc' and 'serv' systems through changes in
> the shorewall rules? (I mean, not just protecting only the firewall itself)

Yes.

>
> I understand Limiting Per-IP Connection rate can be done via the
> 'Limit' Action (http://shorewall.net/Actions.html).
>
> Some of the rules in my /etc/shorewall/rules are:
> ACCEPT loc $FW tcp 22
> ACCEPT serv $FW tcp 22
> ACCEPT net serv tcp 22
> ACCEPT net $SSH_LOC tcp 22
>
> (SSH_LOC is a parameter defined in my /etc/shorewall/params file, listing
> all the IP addresses of machines behind my firewall which have sshd
> running and want their machine to be accessible via SSH)
>
> - Is it sufficient to just add (e.g. for the 3rd line)
> Limit:info:SSHA,3,60 net serv tcp 22
> and similar lines for the other cases
> (and no need for separate files with specifications to create
> in e.g. /etc/shorewall)
> and restart shorewall ?

You should replace the third line with that new rule. You probably also want to replace the fourth rule as well.

>
> - I do not understand well what the 'set name' means (the SSHA) ...

It is the name of a set of counters and is only meaningful if you have more than one Limit rule. Limit rules that share the same set name share the same set of counters.

>
> - In my /etc/shorewall nor in my /etc/share/shorewall directory
> I find no action.Limit or Limit file. Is this normal?

Yes. Limit has been a built-in action for many releases now.

>
> - In the log I hope there will be only entries when there occur more
> than 3 SSH connections from a same IP in a 60 seconds timeframe,
> and not for every SSH connection, is that right?

Yes.

>
> - In case the seeker of access is a normal person, just not very well
> remembering his password, will he get some warning that he will have
> to wait for about a minute after 3 tries?
>

No. This is implemented at the IP level. If the limit is exceeded, the firewall will just ignore that person's attempts to connect.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 4 Sep 2008, Tom Eastep wrote:
>> - I do not understand well what the 'set name' means (the SSHA) ...
> It is the name of a set of counters and is only meaningful if you have more
> than one Limit rule. Limit rules that share the same set name share the same
> set of counters.

OK.
The technique is called 'Limiting Per-IP Connection Rate'. From this I understand the limit (e.g. max 3 per minute) is applied independently for different incoming IPs. Is that correct?

Is the 'set of counters' for a given minute the array of SSH-access requesting IP addresses with their number of trials recorded so far in the minute?

- Someone else on the mailing list reported the use of the 'RATE LIMIT' optional field in a rules line, e.g.:
SSH/ACCEPT net $FW - - - - 1/min:2

> "You should replace the third line with that new rule. You probably also
> want to replace the fourth rule as well."

- To enable Limits, an original line as below
ACCEPT net serv tcp 22
is replaced by
Limit:info:SSHA,3,60 net serv tcp 22

So, was this RATE LIMIT field introduced to enable a combination of rule syntax using macros, such as SSH/ACCEPT in the Action field, with a Limit Action?

- It is not clear to me what the 'burst' parameter means in the [-|rate/{sec/min}[:burst] man page description (note: a ] too short..)

Thanks for your help!
Pieter
Pieter Donche wrote:
> On Thu, 4 Sep 2008, Tom Eastep wrote:
>
>>> - I do not understand well what the 'set name' means (the SSHA) ...
>> It is the name of a set of counters and is only meaningful if you have more
>> than one Limit rule. Limit rules that share the same set name share the same
>> set of counters.
>
> OK.
> The technique is called 'Limiting Per-IP Connection Rate'. From this
> I understand the limit (e.g. max 3 per minute) is applied independently
> for different incoming IPs. Is that correct?

That is correct.

>
> Is the 'set of counters' for a given minute, the array of SSH-access
> requesting IP-addresses with their number of trials recorded so far in
> the minute?
>

I haven't researched how Netfilter actually implements this. Remember, the Limit action is just taking advantage of the Netfilter 'recent match'; Shorewall doesn't implement the matching.

> - Someone else on the mailing list reported the use of the 'RATE LIMIT'
> optional field in a rules line, e.g.:
> SSH/ACCEPT net $FW - - - - 1/min:2
>
>> "You should replace the third line with that new rule. You probably also
>> want to replace the fourth rule as well."
> - To enable Limits, an original line as below
> ACCEPT net serv tcp 22
> is replaced by
> Limit:info:SSHA,3,60 net serv tcp 22
>
> So, was this RATE LIMIT field introduced to enable a combination of
> rule syntax using macros, such as SSH/ACCEPT in the Action field
> with a Limit Action?

The RATE LIMIT field was introduced so that users could limit the rate at which connections match a particular rule.

>
> - It is not clear to me what the 'burst' parameter means in the
> [-|rate/{sec/min}[:burst] man page description (note: a ] too short..)
>

The Netfilter rate limiting algorithm is explained under the LOGRATE parameter in the shorewall.conf manpage and in the excellent iptables tutorial by Oskar Andreasson (http://iptables-tutorial.frozentux.net/).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
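The thread contrasts two mechanisms without ever running them side by side: the Limit action (Limit:info:SSHA,3,60), which Tom says rides on the Netfilter 'recent' match and keeps one counter per source IP in a named set, and the RATE LIMIT field (1/min:2), which Roberto describes as a single limit shared by everyone matching the rule, and whose 'burst' parameter Pieter asks about. The model below is an added example written for this thread; it is not Shorewall's or Netfilter's code. It parses the Limit rule syntax that appears in the thread, keeps one counter set per set name so that rules naming SSHA share counters (Tom's point), and models the RATE LIMIT field as a token bucket where 'burst' is the bucket size and 'rate' the refill rate (the reading given in the iptables tutorial Tom cites). Two things are assumptions rather than statements from the thread: dropped attempts are not recorded in the recent set, and token refill is treated as continuous. The IP addresses, timestamps and the default burst of 5 used when none is given are constructed for the example.

```python
"""Model of the two Shorewall rate-limiting mechanisms discussed in the thread.

Added example, not Shorewall's or Netfilter's code.
  * LimitAction models 'Limit[:level]:SET,COUNT,SECONDS': per-source-IP
    counters in a named set; a source that already has COUNT hits in the
    last SECONDS is dropped (and logged at LEVEL). Same set name => shared counters.
  * RateLimit models the RATE LIMIT field 'rate/{sec|min}[:burst]': one token
    bucket shared by every connection matching the rule.
Assumptions: dropped attempts are not recorded; refill is continuous.
Addresses and timestamps below are constructed.
"""
import re
from collections import deque


class LimitAction:
    """One 'Limit' rule backed by a named per-source counter set."""

    def __init__(self, set_name, count, seconds, level=None, sets=None):
        self.set_name, self.count, self.seconds, self.level = set_name, count, seconds, level
        # 'sets' stands in for the kernel's recent-match tables: rules built with
        # the same dict and the same set name share one table of counters.
        self.table = (sets if sets is not None else {}).setdefault(set_name, {})
        self.log = []

    @classmethod
    def from_rule(cls, line, sets):
        """Parse a rules-file line such as 'Limit:info:SSHA,3,60 net serv tcp 22'."""
        parts = line.split()[0].split(":")
        if parts[0] != "Limit" or len(parts) not in (2, 3):
            raise ValueError("not a Limit rule: " + line)
        level = parts[1] if len(parts) == 3 else None
        set_name, count, seconds = parts[-1].split(",")
        return cls(set_name, int(count), int(seconds), level, sets)

    def new_connection(self, src, now):
        """True if the new connection from src at time now is accepted."""
        hits = self.table.setdefault(src, deque())
        while hits and now - hits[0] >= self.seconds:     # expire old hits
            hits.popleft()
        if len(hits) >= self.count:
            if self.level:                                  # logged only when exceeded
                self.log.append(f"{now}s {self.set_name} DROP src={src} level={self.level}")
            return False
        hits.append(now)
        return True


class RateLimit:
    """Shared token bucket for a RATE LIMIT field such as '1/min:2'."""

    def __init__(self, spec):
        m = re.fullmatch(r"(\d+)/(sec|min)(?::(\d+))?", spec)
        if not m:
            raise ValueError("bad RATE LIMIT: " + spec)
        rate, unit, burst = int(m.group(1)), m.group(2), m.group(3)
        self.interval = (1 if unit == "sec" else 60) / rate    # seconds per token
        self.burst = int(burst) if burst else 5                 # assumed default
        self.tokens = float(self.burst)                         # bucket starts full
        self.last = None

    def new_connection(self, now):
        if self.last is not None:                               # refill since last packet
            self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


ATTACKER, ADMIN = "203.0.113.5", "198.51.100.7"      # constructed addresses
# (seconds, source): a burst from one host, then a legitimate user, then both again
EVENTS = [(0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (3, ATTACKER),
          (4, ATTACKER), (5, ADMIN), (61, ATTACKER), (70, ADMIN)]


def run_limit_action():
    """Per-IP: the admin is unaffected, the attacker gets 3 more once 60 s pass."""
    rule = LimitAction.from_rule("Limit:info:SSHA,3,60 net serv tcp 22", {})
    return [rule.new_connection(src, t) for t, src in EVENTS], rule.log


def run_rate_limit():
    """Global: the attacker's burst empties the bucket for the admin as well."""
    bucket = RateLimit("1/min:2")
    return [bucket.new_connection(t) for t, _ in EVENTS]


def run_shared_set():
    """Two Limit rules naming SSHA share counters: 3 hits on 'serv' block 'loc'."""
    sets = {}
    to_serv = LimitAction.from_rule("Limit:info:SSHA,3,60 net serv tcp 22", sets)
    to_loc = LimitAction.from_rule("Limit:info:SSHA,3,60 net $SSH_LOC tcp 22", sets)
    for t in range(3):
        to_serv.new_connection(ATTACKER, t)
    return to_loc.new_connection(ATTACKER, 3)


if __name__ == "__main__":
    print("Limit action:", run_limit_action())
    print("RATE LIMIT  :", run_rate_limit())
    print("shared set  :", run_shared_set())
```

Running it shows the difference the thread circles around: under the Limit action the admin's two connections go through and only the attacker's 4th and 5th attempts produce log lines, whereas under 1/min:2 the attacker's first two connections drain the bucket and the admin is refused both at 5 s and at 70 s because one token per minute is shared by everyone. The shared-set run shows why reusing SSHA in both rules matters: three connections to 'serv' use up the source's allowance for '$SSH_LOC' as well.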