linux poison RSS
linux poison Email

Protect SSH server from dictionary attacks using iptables

iptables is built on top of netfilter, iptables is the packet alteration framework for Linux 2.4.x and 2.6.x. It is a major rewrite of its predecessor ipchains, and is used to control packet filtering, Network Address Translation (masquerading, portforwarding, transparent proxying), and special effects such as packet mangling.

If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks. You can use the iptables module recent to limit a minimum time between new connections from the same IP.

To make this work, you should have this commonly used rule (this allows previously established connections and is a normal rule in most firewalls):

 iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)
Now, to set the limit:
 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
These two rules makes iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has it's own rule for accepting ssh.

Another way of limiting dictionary attacks is to limit using -m limit --limit like this:
 iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
This rule does the trick of setting a limit of 3 connectoins pr minute, but the first two connections will exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.


Post a Comment

Related Posts with Thumbnails