OpenWrt Forum Archive

Topic: Help with firewall (Bruteforce protection)

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I have had a few attempts on my router to bruteforce the password over port 22 (SSH). (I assume that's what they are trying, since I get a number of connections on port 22 from the same IP in my log.)

So I thought I would make it a bit harder to get in: I am attempting to open port 443 instead of port 22 from WAN, and to limit the number of connections from the same host within a timeframe. Redirecting works like a charm and to be honest I have very little problems with hacking attempts from this only, but my attempts to limit the number of connections from the same host are unsuccessful. It seems the rules do not work. (I think it's because of the redirect.) Here is my firewall.user:

### INIT
insmod ipt_LOG

### Log Traffic
# Log traffic incoming from WAN on open port (443)
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j LOG --log-prefix "FW Incoming: "

### SSH (Dropbear running on port 22, WAN redirect from port 443)
## SSH: Rules for new incoming connection on tcp-22
# Block direct access to port 22 from WAN
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DROP
# Redirect port 443 from WAN to port 22
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j DNAT --to :22
# Drop repeated connection attempts to WAN
# Port 22
iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --set --name ATTACKER_SSH
iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --update --name ATTACKER_SSH --seconds 300 --hitcount 1 -j LOG --log-prefix "FW SSH Attack on port22: "
iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --update --name ATTACKER_SSH --seconds 300 --hitcount 1 -j DROP
# Port 443
iptables -t nat -A prerouting_wan -p tcp --dport 443 -m state --state NEW -m recent --set --name ATTACKER_SSH2
iptables -t nat -A prerouting_wan -p tcp --dport 443 -m state --state NEW -m recent --update --name ATTACKER_SSH --seconds 180 --hitcount 3 -j LOG --log-prefix "FW Attack on port 8022: "
iptables -t nat -A prerouting_wan -p tcp --dport 443 -m state --state NEW -m recent --update --name ATTACKER_SSH2 --seconds 180 --hitcount 3 -j DROP
# Accept if connection doesn't hit the limit
iptables -A input_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT

Can anybody see what I am doing wrong?

/Selepo

Yeah, I see the problem.  First, you're dropping packets for port 22 right away.  They're dead, you never get to the ATTACKER_SSH rules.  You have a similar problem with the ATTACKER_SSH2 rules -- as soon as you match the DNAT target (which all incoming packets on port 443 will), you stop traversing the chain.  So, if any packets match either port, they never hit your rules meant to prevent multiple connection attempts!

I am sorry to take your thread slightly off-topic but I have to ask:

selepo wrote:

open port 443 instead of port 22 from WAN ... Redirecting works like a charm ...

# Redirect port 443 from WAN to port 22
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j DNAT --to :22

I am trying the same but it doesn't work for me (see here). Which kernel version and which kamikaze revision are you using?

8.09 RC1, with 2.4 kernel...
/Selepo

Silly question, but why not get sshd (dropbear) to listen on 443?

selepo wrote:

8.09 RC1, with 2.4 kernel...

Have you tried the same rules with 8.09 RC2 and kernel 2.4?

Actually there is no reason to not set dropbear to listen to port 443 instead...
No, I haven't tried RC2 yet, I haven't decided yet if I should or if I will wait for the final version. (This is my first real experience of Linux, even if I have always been a Linux user wannabe :)).

/selepo

It's an old post, but for the record I post two variants of ssh bruteforce protection confirmed to be working with Kamikaze 8.09.2-RC2. Put this in /etc/firewall.user

# ssh bruteforce protection - variant A
iptables -N SSH_CHECK
iptables -I zone_wan -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
# ssh bruteforce protection - variant B
iptables -N ssh_flood
iptables -A ssh_flood -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "alert (ssh brute-force): "
iptables -A ssh_flood -j DROP
iptables -N ssh_check
iptables -A ssh_check -m recent --update --seconds 300 --rttl --hitcount 3 --name SSH -j ssh_flood
iptables -A ssh_check -m recent --set --name SSH -j RETURN
iptables -I zone_wan -p tcp --dport 22 -m state --state NEW -j ssh_check
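Why the original post's rules would have dropped every connection even if the DNAT/DROP ordering had been fixed, and why variant A and variant B above block on the 3rd and 4th attempt respectively, comes down to how the `recent` match counts hits. The following Python model is an added example, not code from the thread: it replays the three rule sets against a constructed attacker (IP 203.0.113.7, timestamps chosen for the example) using the kernel's xt_recent semantics, ignoring --rttl and the per-entry stamp cap.

```python
"""Model of the iptables `recent` match (xt_recent) as used in this thread.
Constructed example, not code from the forum posts. Kernel semantics modelled:
--set always matches and records a timestamp; --update matches only if the
entry already holds >= hitcount stamps inside the --seconds window, and only
then records the current packet (the per-entry stamp cap is ignored)."""
from collections import defaultdict


class Recent:
    """One named `recent` table: source IP -> list of packet timestamps."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[ip].append(now)
        return True


def run_chain(rules, times, ip="203.0.113.7"):
    """Push one NEW connection per timestamp through a chain. A rule is
    ("set", target) or ("update", seconds, hitcount, target); a match with a
    target ends traversal (RETURN reaches the thread's final ACCEPT rule)."""
    table, verdicts = Recent(), []
    for now in times:
        verdict = "ACCEPT"  # fell off the end of the chain
        for rule in rules:
            if rule[0] == "set":
                matched, target = table.set(ip, now), rule[1]
            else:
                _, seconds, hitcount, target = rule
                matched = table.update(ip, now, seconds, hitcount)
            if matched and target:
                verdict = "ACCEPT" if target == "RETURN" else target
                break
        verdicts.append(verdict)
    return verdicts


# Constructed attacker: six connections 10 s apart, then one after a 350 s gap.
ATTEMPTS = [0, 10, 20, 30, 40, 50, 400]
OP_PORT22 = [("set", None), ("update", 300, 1, "DROP")]      # first post, port-22 rules
VARIANT_A = [("set", None), ("update", 300, 3, "DROP")]      # last post, variant A
VARIANT_B = [("update", 300, 3, "DROP"), ("set", "RETURN")]  # last post, variant B
```

With --hitcount 1 right after --set, the entry already holds one stamp when --update runs, so every connection is dropped; variant A allows two connections per 300 s and variant B three, and both let the host back in once the window has passed.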
