Subject: [Shorewall-users] counter SSH brute force attacks
From: n dhert <ndhert@gmail.com>, 8 Nov 2009

I have a line in my shorewall rules file

    Limit:info:SSHBFAttack,3,60 net $MACHINE tcp 22

to counter SSH attacks to the machine $MACHINE (max 3 SSH requests per minute from the same machine, then one needs to wait a minute for the next SSH request).

Now I want to make 1 exception to this limitation for one particular machine on the 'net' zone, say 217.218.219.220. I tried

    Limit:info:SSHBFAttack,3,60 net:!217.218.219.220 tcp 22

but the result is that 217.218.219.220 is excluded totally from SSH, definitely not what I want :-)

What line(s) must be used to achieve that?

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
n dhert wrote:
> I have a line in my shorewall rules file
>
>     Limit:info:SSHBFAttack,3,60 net $MACHINE tcp 22
>
> to counter SSH attacks to the machine $MACHINE (max 3 SSH requests per
> minute from the same machine, then one needs to wait a minute for the next
> SSH request).
>
> Now I want to make 1 exception to this limitation for one particular
> machine on the 'net' zone, say 217.218.219.220. I tried
>
>     Limit:info:SSHBFAttack,3,60 net:!217.218.219.220 tcp 22
>
> but the result is that 217.218.219.220 is excluded totally from SSH,
> definitely not what I want :-)
>
> What line(s) must be used to achieve that?

Rather than exclude 217.218.219.220 from the Limit rule, the simplest thing to do is add this rule BEFORE the Limit rule:

    ACCEPT net:217.218.219.220 $MACHINE tcp 22

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
n dhert wrote:

Thanks for the hint.

But now I see my machine is SSH brute force attacked (someone is trying to login with all possible first names from the alphabet) but by continuously changing IP source address, so Limit:... does not help I guess, since this limits the number of SSH requests for a same IP address...

In the last 3 months some 13.000 tries ("Invalid user" in my /var/mail/root) have been done coming from 1.750 different IP addresses :-((

Any ideas how to counter this?

2009/11/8 Tom Eastep <teastep@shorewall.net>
> n dhert wrote:
>> I have a line in my shorewall rules file
>>
>>     Limit:info:SSHBFAttack,3,60 net $MACHINE tcp 22
>>
>> to counter SSH attacks to the machine $MACHINE (max 3 SSH requests per
>> minute from the same machine, then one needs to wait a minute for the next
>> SSH request).
>>
>> Now I want to make 1 exception to this limitation for one particular
>> machine on the 'net' zone, say 217.218.219.220. I tried
>>
>>     Limit:info:SSHBFAttack,3,60 net:!217.218.219.220 tcp 22
>>
>> but the result is that 217.218.219.220 is excluded totally from SSH,
>> definitely not what I want :-)
>>
>> What line(s) must be used to achieve that?
>
> Rather than exclude 217.218.219.220 from the Limit rule, the simplest
> thing to do is add this rule BEFORE the Limit rule:
>
>     ACCEPT net:217.218.219.220 $MACHINE tcp 22
>
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
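The counts the poster pulled out of /var/mail/root by hand (total "Invalid user" lines, number of distinct sources) as small shell filters over sshd log lines. This is an added example, not code from the thread; the log lines in SAMPLE_LOG, the host name gw and the process ids are constructed for it, and the field layout "Invalid user <name> from <ip>" is the one OpenSSH sshd writes. The attempts-per-source figure is included because it answers the poster's own question: the Limit rule only fires when one address opens more than 3 connections in 60 s, and a ratio close to 1 means the botnet never does.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd "Invalid user" events and the
# distinct addresses behind them. SAMPLE_LOG is constructed sample data in the
# classic syslog layout; point the functions at your real auth log instead.

SAMPLE_LOG='Nov  8 10:01:02 gw sshd[2301]: Invalid user anna from 198.51.100.23
Nov  8 10:01:03 gw sshd[2303]: Invalid user bert from 198.51.100.23
Nov  8 10:01:05 gw sshd[2305]: Invalid user carl from 203.0.113.9
Nov  8 10:01:09 gw sshd[2305]: Failed password for invalid user carl from 203.0.113.9 port 4412 ssh2
Nov  8 10:02:00 gw sshd[2310]: Accepted publickey for admin from 217.218.219.220 port 51022 ssh2
Nov  8 10:02:10 gw sshd[2311]: Invalid user erik from 192.0.2.77'

# Print the source address of every "Invalid user" line in file $1, one per
# line. The match is case-sensitive on purpose: the later "Failed password for
# invalid user ..." line belongs to the same attempt and would double the count.
# The address is the word after the last "from", which also works for newer
# sshd builds that append "port NNNN".
invalid_user_sources() {
    awk '/: Invalid user / {
             ip = ""
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             if (ip != "") print ip
         }' "$1"
}

# Total attempts: the number the poster read out of /var/mail/root.
count_attempts() { invalid_user_sources "$1" | wc -l | tr -d ' '; }

# Number of distinct attacking addresses.
count_sources() { invalid_user_sources "$1" | sort -u | wc -l | tr -d ' '; }

# Attempts per address, busiest first, as "<count> <ip>".
top_sources() {
    invalid_user_sources "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Average attempts per address, one decimal. Near 1.0 means a per-source
# rate limit like Limit:...,3,60 will almost never trigger.
attempts_per_source() {
    awk -v a="$(count_attempts "$1")" -v s="$(count_sources "$1")" \
        'BEGIN { printf "%.1f\n", (s > 0) ? a / s : 0 }'
}

report() {
    echo "attempts:         $(count_attempts "$1")"
    echo "distinct sources: $(count_sources "$1")"
    echo "attempts/source:  $(attempts_per_source "$1")"
    echo "busiest sources:"
    top_sources "$1"
}

# With a file argument, report on that log; without one, report on the sample.
if [ $# -gt 0 ]; then
    report "$1"
else
    _f=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE_LOG" > "$_f"
    report "$_f"
    rm -f "$_f"
fi
```

On a real system run it as `sh count_ssh.sh /var/log/auth.log` (or the secure log on Red Hat style systems); on the sample it reports 4 attempts from 3 sources, 1.3 attempts per source, the shape the poster describes.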
On Sun, 2009-11-08 at 14:18 +0100, n dhert wrote:
> But now I see my machine is SSH brute force attacked (someone is
> trying to login with all possible first names from the alphabet) but
> by continuously changing IP source address,

Ayup. Wave hello to the botnet network.

> so Limit:... does not help I guess, since this limits the number of SSH
> requests for a same IP address...
>
> In the last 3 months some 13.000 tries ("Invalid user" in
> my /var/mail/root) have been done coming from 1.750 different IP
> addresses :-((

So why not just do what the rest of us do and change the port you use for SSH to something other than 22. Sure, it's totally security-through-obscurity but security is never absolute. It's just about making your premises harder to get into than your neighbour's. Fortunately, unless you are a specific target for some reason, thieves are lazy and will look for the lowest hanging fruit.

b.
n dhert wrote:
> Thanks for the hint.
>
> But now I see my machine is SSH brute force attacked (someone is trying
> to login with all possible first names from the alphabet) but by
> continuously changing IP source address, so
> Limit:... does not help I guess, since this limits the number of SSH
> requests for a same IP address...

Yes -- and given that SSHD normally allows three attempts before breaking the connection, each connection recorded by Netfilter represents three login attempts. So with your Limit rule, the IP address gets cut off after 9 attempts in a 60 second interval.

> In the last 3 months some 13.000 tries ("Invalid user" in my
> /var/mail/root) have been done coming from 1.750 different IP addresses :-((

I haven't counted them here but I suspect that your result is about average. Together with using 'Limit', I disable password authentication in all of my SSH servers and then don't worry about it. They can try until hell freezes over and they still won't get in.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, Nov 8, 2009 at 7:37 AM, Tom Eastep <teastep@shorewall.net> wrote:
> n dhert wrote:
>> Thanks for the hint.
>>
>> But now I see my machine is SSH brute force attacked (someone is trying
>> to login with all possible first names from the alphabet) but by
>> continuously changing IP source address, so
>> Limit:... does not help I guess, since this limits the number of SSH
>> requests for a same IP address...

You could also try allowing specific IPs to your ssh service. I have allowed two network locations and my home IP to get to my ssh port and that's all.

You might also try some form of port knocking, but I've never implemented that, so I'm not sure of its ability to fit in your situation.

On my web server, I set up a password-protected PHP page that I can browse to from anywhere and it will save my IP to a file. In the backend I have a script running every minute looking for that file; if it's found the IP is read into the shorewall params file and then shorewall is restarted and I have ssh access. I don't use it often, but it's there in case. Mostly if my home IP changes and I need access.

bb
Phill Edwards wrote (Tue, 10 Nov 2009 12:24 PM):

> On my web server, I set up a password-protected PHP page that I can
> browse to from anywhere and it will save my IP to a file. In the backend
> I have a script running every minute looking for that file; if it's
> found the IP is read into the shorewall params file and then shorewall
> is restarted and I have ssh access. I don't use it often, but it's there
> in case. Mostly if my home IP changes and I need access.

I do something similar. I have a specially worded email that will get picked up by procmail which then executes a script to open up access to whatever IP I specified in the email. Another specially worded email closes the access down again. Works really well.
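Two points in the thread fit together in one script: Tom's advice to put an ACCEPT for the trusted host BEFORE the Limit rule, and bb's scheme of a web page writing the caller's IP to a file that a cron job copies into the shorewall params file. This is an added example, not code from the thread or from Shorewall; the file locations, the variable name TRUSTED_SSH and the `--apply` flag are assumptions. It also explains the lockout the original poster saw: negating the source in the Limit rule only takes the trusted host out of that one rule, nothing else then accepts its port-22 traffic, so the net->$MACHINE policy applies to it. An earlier ACCEPT avoids that, because Shorewall rules are matched in order and the first match wins. The check a practitioner would want here is the one on the address itself: Shorewall sources /etc/shorewall/params with the shell when it compiles the rule set, so anything the web page writes into that file runs as root unless it is validated first.

```shell
#!/bin/sh
# Added example, not code from the thread. Copies a requested address into the
# Shorewall params file as TRUSTED_SSH, after strict validation, and restarts
# Shorewall so the ACCEPT rule below sees it.
#
# Matching /etc/shorewall/rules lines (first match wins, so order matters):
#   #ACTION                     SOURCE            DEST      PROTO  DEST PORT
#   ACCEPT                      net:$TRUSTED_SSH  $MACHINE  tcp    22
#   Limit:info:SSHBFAttack,3,60 net               $MACHINE  tcp    22
#
# Paths and the variable name TRUSTED_SSH are assumptions for this example.

FIXED_TRUSTED=217.218.219.220                              # always-allowed host from the thread
REQUEST_FILE=${REQUEST_FILE:-/var/lib/sshallow/request}    # written by the PHP page (assumed path)
PARAMS_FILE=${PARAMS_FILE:-/etc/shorewall/params}

# Accept only a plain dotted quad: four decimal octets 0-255, no leading
# zeros, no blanks, no shell metacharacters. The body runs in a subshell so
# the IFS change used for splitting cannot leak into the caller.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || exit 1 ;;
            *) exit 1 ;;
        esac
    done
    exit 0
)

# Rewrite the TRUSTED_SSH line of params file $1 so it lists the fixed host
# plus the dynamic address $2 (may be empty). Exit status: 0 = file changed
# (caller should restart Shorewall), 1 = already up to date, 2 = address
# rejected, so nothing was written.
write_trusted() {
    _params=$1; _ip=$2; _hosts=$FIXED_TRUSTED
    if [ -n "$_ip" ]; then
        valid_ipv4 "$_ip" || return 2
        [ "$_ip" = "$FIXED_TRUSTED" ] || _hosts="$_hosts,$_ip"
    fi
    _line="TRUSTED_SSH=$_hosts"
    if [ -f "$_params" ] && grep -qxF "$_line" "$_params"; then
        return 1
    fi
    _tmp="$_params.$$"
    {
        { [ -f "$_params" ] && grep -v '^TRUSTED_SSH=' "$_params"; } || :
        echo "$_line"
    } > "$_tmp" && mv "$_tmp" "$_params"
}

main() {
    _req=""
    if [ -r "$REQUEST_FILE" ]; then
        IFS= read -r _req < "$REQUEST_FILE" || :    # first line only
    fi
    write_trusted "$PARAMS_FILE" "$_req"
    case $? in
        0) shorewall restart ;;                      # rule set now carries the new source
        1) ;;                                        # nothing changed
        2) logger -t sshallow "rejected request value: $_req" ;;
    esac
}

# Touch the firewall only when asked, so the file can be sourced for its
# functions or run for a look without side effects.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Installed as, for instance, `/usr/local/sbin/sshallow` and run from root's crontab every minute as `sshallow --apply`, this is the poster's scheme with the one hardening it needs: a request file containing `1.2.3.4; rm -rf /` is logged and discarded instead of being executed by the next `shorewall restart`.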
Phill Edwards wrote (Tue, 10 Nov 2009 12:25 PM):

> I haven't counted them here but I suspect that your result is about
> average. Together with using 'Limit', I disable password authentication
> in all of my SSH servers and then don't worry about it. They can try
> until hell freezes over and they still won't get in.

Sorry, but this comment was lost on me! How does disabling password authentication make you more secure? Are you only allowing access with private keys or something?
Phill Edwards wrote:
>> I haven't counted them here but I suspect that your result is about
>> average. Together with using 'Limit', I disable password authentication
>> in all of my SSH servers and then don't worry about it. They can try
>> until hell freezes over and they still won't get in.
>
> Sorry, but this comment was lost on me! How does disabling password
> authentication make you more secure? Are you only allowing access with
> private keys or something?

Exactly.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Terry Gilsenan wrote:

> From: Phill Edwards [philledwards@gmail.com]
> Sent: Tuesday, 10 November 2009 12:24 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] counter SSH brute force attacks
>
>> On my web server, I set up a password-protected PHP page that I can
>> browse to from anywhere and it will save my IP to a file. In the backend
>> I have a script running every minute looking for that file; if it's
>> found the IP is read into the shorewall params file and then shorewall
>> is restarted and I have ssh access. I don't use it often, but it's there
>> in case. Mostly if my home IP changes and I need access.
>
> I do something similar. I have a specially worded email that will get
> picked up by procmail which then executes a script to open up access to
> whatever IP I specified in the email. Another specially worded email
> closes the access down again. Works really well.

This too has its issues; SMTP is not secure by design.

I have SSH on a non-standard port, iptables is configured to DROP any connections to that port, I have a port-knocking daemon set up listening on several other totally unrelated ports on both TCP and UDP, and when the correct sequence of knocks is heard, iptables will open access to the SSH listening port for 15 seconds.

Other than this I have made significant changes to the servers, modifying TTL reply data and service banners for HTTP, POP3 and SMTP so the servers are consistently detected incorrectly by "nmap -O", and many other small tips and tricks, some of which may involve a dummy listener on NFS or port 139, depending on what I wanted to masquerade as.

Still, with all that, security by obscurity isn't security at all, but it can be a small part of increasing the work-factor, and this may be just enough to convince the would-be cracker to try some other server instead.

Regards,
T

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Terry Gilsenan wrote:

> From: Phill Edwards [philledwards@gmail.com]
> Sent: Tuesday, 10 November 2009 12:25 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] counter SSH brute force attacks
>
>> I haven't counted them here but I suspect that your result is about
>> average. Together with using 'Limit', I disable password authentication
>> in all of my SSH servers and then don't worry about it. They can try
>> until hell freezes over and they still won't get in.
>
> Sorry, but this comment was lost on me! How does disabling password
> authentication make you more secure? Are you only allowing access with
> private keys or something?

Yep. No opportunity for a brute-force dictionary attack: the server is not interested in/listening for a username/password combination, it does the DH bit and then exchanges certificates, and if there is a match, you are connected.

Port knocking, an obscure port, and certificates will make it about as good as it can get.
Laszlo Balogh wrote:

Hi There!

Letting SSH out into the wilds is a HUGE security risk! Either match it onto a fixed IP endpoint, or implement an easy SSH-based VPN like OpenVPN, and connect through the VPN and then SSH through it.

Laszlo Balogh

Terry Gilsenan wrote:
>> From: Phill Edwards [philledwards@gmail.com]
>> Sent: Tuesday, 10 November 2009 12:25 PM
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] counter SSH brute force attacks
>>
>>> I haven't counted them here but I suspect that your result is about
>>> average. Together with using 'Limit', I disable password authentication
>>> in all of my SSH servers and then don't worry about it. They can try
>>> until hell freezes over and they still won't get in.
>>
>> Sorry, but this comment was lost on me! How does disabling password
>> authentication make you more secure? Are you only allowing access with
>> private keys or something?
>
> Yep. No opportunity for a brute-force dictionary attack: the server is not
> interested in/listening for a username/password combination, it does the DH
> bit and then exchanges certificates, and if there is a match, you are
> connected.
>
> Port knocking, an obscure port, and certificates will make it about as good
> as it can get.
Flavio Brasil wrote:

May I suggest something more effective? Please take a look at FWKNOP (http://cipherdyne.org/fwknop), which works well with Shorewall.

You keep SSH (TCP 22) blocked, but when FWKNOP receives a single digitally signed UDP packet that contains some identifier, it opens SSH (creates an iptables rule) for that specific address for some seconds (30 by default) and then removes it after the timeout. ESTABLISHED connections are maintained, so even when the rule is removed an existing connection keeps working. It can do a lot more, but that specific use is what may help you.

Seems like the perfect solution for you: no brute force attack, because no one can use SSH without authenticating with FWKNOP before. I used it and it works like a charm.

Flavio Brasil

P.S. to Tom Eastep: I marvel at Shorewall, what a piece of software! Keep up the fantastic work.

n dhert <ndhert@gmail.com> wrote on 8 Nov 2009, 10:20 AM:
> Subject: [Shorewall-users] counter SSH brute force attacks
>
> I have a line in my shorewall rules file
>
>     Limit:info:SSHBFAttack,3,60 net $MACHINE tcp 22
>
> to counter SSH attacks to the machine $MACHINE (max 3 SSH requests per
> minute from the same machine, then one needs to wait a minute for the next
> SSH request).
>
> Now I want to make 1 exception to this limitation for one particular
> machine on the 'net' zone, say 217.218.219.220. I tried
>
>     Limit:info:SSHBFAttack,3,60 net:!217.218.219.220 tcp 22
>
> but the result is that 217.218.219.220 is excluded totally from SSH,
> definitely not what I want :-)
>
> What line(s) must be used to achieve that?
On Tuesday, November 10, 2009, 13:05:47, Balogh László wrote:
> Either match it onto a fixed IP endpoint, or implement
> an easy SSH-based VPN like OpenVPN, and
> connect through the VPN and then SSH through it.

Why is SSH a greater risk than e.g. OpenVPN?

-- 
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

It is easier to get forgiveness than permission.
       -- Pope's Law of Retroactivity
Jernej Simončič wrote:
> On Tuesday, November 10, 2009, 13:05:47, Balogh László wrote:
>> Either match it onto a fixed IP endpoint, or implement
>> an easy SSH-based VPN like OpenVPN, and
>> connect through the VPN and then SSH through it.
>
> Why is SSH a greater risk than e.g. OpenVPN?

First: because it is username/password based. A 6-16 character password is easier to guess than a 1024-... kbyte encryption file.....

Second: OpenVPN is much harder to crack with botnet brute-force attacks, because one try takes much more time (seconds) than an SSH attempt (milliseconds).

But I think that by combining the two together you can have better security.

Laszlo Balogh
Balogh László wrote:
> Jernej Simončič wrote:
>> On Tuesday, November 10, 2009, 13:05:47, Balogh László wrote:
>>> Either match it onto a fixed IP endpoint, or implement
>>> an easy SSH-based VPN like OpenVPN, and
>>> connect through the VPN and then SSH through it.
>>
>> Why is SSH a greater risk than e.g. OpenVPN?
>
> First: because it is username/password based.

It doesn't have to be -- that was my point about disabling password authentication.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> -----Original Message-----
> From: pixel.hu@gmail.com
> Sent: Thu, 12 Nov 2009 00:49:00 +0100
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] counter SSH brute force attacks
>
> Jernej Simončič wrote:
>> On Tuesday, November 10, 2009, 13:05:47, Balogh László wrote:
>>> Either match it onto a fixed IP endpoint, or implement
>>> an easy SSH-based VPN like OpenVPN, and
>>> connect through the VPN and then SSH through it.
>>
>> Why is SSH a greater risk than e.g. OpenVPN?
>
> First: because it is username/password based.
> A 6-16 character password is easier to guess than a
> 1024-... kbyte encryption file.....

Username/password is one of the options of SSH; it is not essential, as Tom pointed out earlier. Using the private/public keys is the main feature. Anyone trying to configure ssh properly should just read the "man sshd" pages thoroughly. With only the keys enabled, no root login and StrictModes on, disabling the rest, I have yet to see someone try and get in on my end...

> Second: OpenVPN is much harder to crack with botnet
> brute-force attacks, because one try takes much
> more time (seconds) than an SSH attempt
> (milliseconds).

Good complement but overkill for many out there..

> But I think that by combining the two together you can
> have better security.
>
> Laszlo Balogh

Regards,
-- 
Patrick Benson
Stockholm, Sweden
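What the settings Tom and Patrick describe (keys only, no root login, StrictModes) look like in /etc/ssh/sshd_config, as an added example rather than a fragment posted in the thread. The one line neither of them names is ChallengeResponseAuthentication: on Linux builds with UsePAM yes, the keyboard-interactive method still hands a password prompt to PAM even after PasswordAuthentication is off, so turning off password logins takes both directives.

```text
# /etc/ssh/sshd_config - key-only login (added example, not from the thread)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
# Needed as well as PasswordAuthentication no: with UsePAM yes the
# keyboard-interactive method would otherwise still ask PAM for a password.
ChallengeResponseAuthentication no
UsePAM yes                # PAM keeps doing account and session handling
PermitRootLogin no        # log in as a user, then su or sudo
StrictModes yes           # ignore authorized_keys in group/world-writable dirs
MaxAuthTries 3            # authentication attempts per connection before sshd disconnects
```

Before trusting the change, run `sshd -t` to check the file parses and `sshd -T` to print the configuration the daemon will actually run (both exist from OpenSSH 5.1 on); `sshd -T | grep -iE 'passwordauthentication|challengeresponseauthentication|permitrootlogin'` should show all three as no. Reload sshd while an existing session stays open, and confirm a fresh key-based login works before closing it.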
Terry Gilsenan wrote:
> Still, with all that, security by obscurity isn't security at all,
> but it can be a small part of increasing the work-factor, and this
> may be just enough to convince the would-be cracker to try some
> other server instead.

More importantly, in the context of this thread, the botnets are only looking for low hanging fruit, i.e. SSH servers with weak configs. Once they get one, they can then use it for more work, and a unix/linux machine is quite a useful tool for them.

The port knocking doesn't really need any great security (FWKNOP is way more than is actually needed); unless someone is specifically targeting YOU and prepared to put the effort in, then they are unlikely to even realise what you are using. Of course, having strong protection when only weak is needed isn't a bad thing: they have no way of knowing how much work will be required, so will just give up (unless you are a specific target for some reason).

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.