Hello everybody,

I've found some examples on similar things for pure iptables, but nothing exactly for Shorewall as far as I was able to go.

I have four services which share the same passwords for users - SSH, SMTP, IMAP and POP3. All have different "hard" rate limits set in the rules file, like the below example:

Limit:info:MAILA,1,1 net $FW tcp 25

I see in my logs that some clever lad now thinks it's fun to have a script try passwords for the same user across all of the services in parallel, so that he can try 10 or so times per second instead of just, say, 1 or 2 per second... Also, when he's "working", I often get DOS-ed just because he's using up the ratelimit on the port, or so it seems. (At least I can get in via VPN when that happens...) Which of course just adds some more fun for him...

Denying his IPs does nothing, for he seems to be using zombie hosts or he simply has too many boxes. I can't go around killing out entire subnets either...

The passwords for users are made sure to be fairly strong, so I'm not much worried, but I'm not comfortable with the rates he can achieve anyway.

I need to:

- Protect these services by mitigating the effectiveness of the parallel brute-force attack.
- ...But do this by denying access only to the IP that has exhausted the "limit", and not for everyone else who's using services normally...

If anyone has some working model like this, can you please show me an example of how to go about it?

Thank you!
Levente

------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
On 23/03/12 10:22, Peres Levente wrote:
> ...
> I need to:
>
> - Protect these services by mitigating the effectiveness of the parallel
> brute-force attack.
> - ...But do this by denying access only to the IP that has exhausted the
> "limit", and not for everyone else who's using services normally...
>
> If anyone has some working model like this, can you please show me an
> example of how to go about it?

If you're getting useful log messages indicating bad passwords from each subsystem, fail2ban is a natural tool to use to solve this. You could configure it so that, say, 4 bad passwords on any service would trigger the remote IP to be blocked. The vast majority of brute-force worms I've seen use random user names, so having a low threshold (say, 2) for invalid user names would probably help a lot as well.

Of course, when a user changes their password but their mobile device is still configured to check with the old password, this can create false positives.

I would also consider running pam_tally to auto-lock those accounts which are being brute-forced.

Paul
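The per-source-IP, cross-service threshold that Paul describes (and that Levente asked for, so that only the offending address is blocked) is shown below as an added example; it is not code from this thread, from fail2ban or from Shorewall. It scans constructed sshd, dovecot (imap/pop3) and postfix SASL failure lines, counts bad-password and invalid-user events per source address across all four services within a sliding window, and flags addresses that reach the "4 bad passwords" or "2 invalid user names" thresholds from the reply. The sample log lines, the 2012 year used to complete syslog timestamps, and the 600-second window are all assumptions; the `shorewall drop` command strings mirror what a dynamic-blacklist action would issue, assuming DYNAMIC_BLACKLIST is enabled in shorewall.conf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating sshd, dovecot and postfix failure
# messages. They are illustrative only, not copied from a real log.
SAMPLE_LOG = """\
Mar 23 10:20:01 mail sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 23 10:20:01 mail sshd[1235]: Invalid user admin from 203.0.113.5
Mar 23 10:20:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Mar 23 10:20:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Mar 23 10:20:03 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 23 10:20:05 mail sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 23 10:20:09 mail sshd[1241]: Invalid user test from 198.51.100.9
Mar 23 10:20:10 mail sshd[1242]: Invalid user oracle from 198.51.100.9
Mar 23 10:25:00 mail sshd[1250]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

# (service, event kind, regex capturing the client address as "ip").
# Order matters: the sshd "Invalid user" form is tried before the generic
# "Failed password" form so each line is classified exactly once.
PATTERNS = [
    ("ssh",  "invalid_user", re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)")),
    ("ssh",  "bad_password", re.compile(r"sshd\[\d+\]: Failed password for .+? from (?P<ip>\S+)")),
    ("imap", "bad_password", re.compile(r"imap-login: .*auth failed.*rip=(?P<ip>[^,\s]+)")),
    ("pop3", "bad_password", re.compile(r"pop3-login: .*auth failed.*rip=(?P<ip>[^,\s]+)")),
    ("smtp", "bad_password", re.compile(r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")),
]


def parse_events(text, year=2012):
    """Turn syslog-style lines into (timestamp, ip, service, kind) tuples.

    Syslog timestamps carry no year, so one is supplied (assumed 2012 here).
    Lines that match no failure pattern are ignored.
    """
    events = []
    for line in text.splitlines():
        for service, kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                events.append((ts, m.group("ip"), service, kind))
                break
    return events


def find_offenders(events, window=600, bad_password_max=4, invalid_user_max=2):
    """Return {ip: reason} for addresses that hit a threshold within `window`
    seconds. Counts are kept per source IP and summed across all services,
    so spreading attempts over SSH/SMTP/IMAP/POP3 does not dodge the limit,
    while other clients of the same services are never affected.
    """
    history = defaultdict(list)   # (ip, kind) -> timestamps inside the window
    offenders = {}
    for ts, ip, service, kind in sorted(events):
        if ip in offenders:
            continue              # already flagged; nothing more to decide
        cutoff = ts - timedelta(seconds=window)
        hist = [t for t in history[(ip, kind)] if t >= cutoff] + [ts]
        history[(ip, kind)] = hist
        limit = invalid_user_max if kind == "invalid_user" else bad_password_max
        if len(hist) >= limit:
            offenders[ip] = f"{len(hist)} {kind} events within {window}s (last on {service})"
    return offenders


def block_commands(offenders):
    """Dynamic-blacklist commands for the flagged addresses (assumed form;
    requires DYNAMIC_BLACKLIST=Yes in shorewall.conf)."""
    return [f"shorewall drop {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(parse_events(SAMPLE_LOG))
    for ip, reason in found.items():
        print(f"{ip}: {reason}")
    for cmd in block_commands(found):
        print(cmd)
```

Running it flags 203.0.113.5, whose four bad passwords were spread one each over SSH, IMAP, POP3 and SMTP, and 198.51.100.9 for two invalid user names, while 198.51.100.7 (two failures for a real account, well under the threshold) stays unblocked. fail2ban applies the same per-IP sliding-window logic with its `maxretry` and `findtime` settings, one jail per service log, which is why it fits this case without touching the port-wide Limit rules.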
Good one. Looked around for both possibilities and it will do what's needed, and it's fairly straightforward to implement...

Thank you!
Levente

On 03/23/2012 03:19 AM, Paul Gear wrote:

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users