Re: locking out sshd break in attempts? - Unix


  1. Re: locking out sshd break in attempts?

    In January of this year I asked about ways to lock out sshd break-ins.
    After some digging around on the web, and experimentation, I found that
    the following works with Mandriva 2007.1, restricting login attempts
    (as well as actual logins) to one per minute. Oddly, the number of hits
    per interval (hitcount) must be 2 to achieve this. If it is 1 then the
    initial connection is dropped. It appears that the connection attempt
    counter is incremented BEFORE the hitcount rule is encountered, so if it
    is set to 2 it sees 1 and is happy to go on, but if it is set to 1, it
    sees 1, and locks out even the first connection attempt. Since usually
    local machines are allowed to log in as frequently as desired, there is a
    rule that provides for that before the rule that restricts the remote
    login rate:


    # Excerpt from a larger firewall script; the symbols used here
    # (PUB_IFACE, PUB_IP, SSH_CLIENTS, ...) are listed below the script.
    DO_ONCE=1

    # get_ips reads IP addresses from a list, so that the FOR loop
    # can pull them out one at a time and assign them to the
    # symbol $IP. It is defined elsewhere in the full script; the
    # stand-in below (an assumption, not from the post) just splits
    # a whitespace-separated list into the IPS array.
    type get_ips >/dev/null 2>&1 || get_ips() { IPS=("$@"); }

    get_ips $SSH_CLIENTS
    for IP in "${IPS[@]}"; do
        echo "Processing SSH client $IP..."
        #
        # All of these should be done once, even if SSH_CLIENTS is a list.
        #
        if [ "$DO_ONCE" = "1" ]; then
            DO_ONCE=0
            # create a new chain, NEW_SSH, for new SSH connections
            $IPTABLEPROG -N NEW_SSH
            # send NEW connections to port 22 on the public interface to that chain
            $IPTABLEPROG -A INPUT -i "$PUB_IFACE" -d "$PUB_IP" \
                -p tcp --dport 22 -m state --state NEW -j NEW_SSH
            # open up unrestricted clients (the local subnet) before any rate limit
            $IPTABLEPROG -A NEW_SSH -i "$PUB_IFACE" -p tcp \
                -s "$SSH_CLIENTS_UNRESTRICTED" --sport "$EPHEMERAL_PORTS" \
                -d "$PUB_IP" --dport 22 -j ACCEPT
        fi
        # The next two rules drop connections of more than 1 per minute.
        # The first records the source in the "recent" list and has no
        # target, so evaluation continues to the second, which drops once
        # the list shows --hitcount hits within --seconds (hence hitcount 2,
        # as explained above).
        $IPTABLEPROG -A NEW_SSH -i "$PUB_IFACE" -p tcp -s "$IP" \
            --sport "$EPHEMERAL_PORTS" --dport 22 \
            -m state --state NEW -m recent --set
        $IPTABLEPROG -A NEW_SSH -i "$PUB_IFACE" -p tcp -s "$IP" \
            --sport "$EPHEMERAL_PORTS" --dport 22 \
            -m state --state NEW -m recent --update \
            --seconds 60 --hitcount 2 -j DROP
        # CONNECTION_TRACKING is set elsewhere in the full script (it is not
        # in the symbol list below); when it is 1, accept the remaining NEW
        # connections from this client here.
        if [ "$CONNECTION_TRACKING" = "1" ]; then
            $IPTABLEPROG -A NEW_SSH -i "$PUB_IFACE" -p tcp \
                -s "$IP" --sport "$EPHEMERAL_PORTS" \
                -d "$PUB_IP" --dport 22 \
                -m state --state NEW -j ACCEPT
        fi
        # accept whatever is left from this client on port 22
        $IPTABLEPROG -A NEW_SSH -i "$PUB_IFACE" -p tcp -s "$IP" \
            --sport "$EPHEMERAL_PORTS" \
            -d "$PUB_IP" --dport 22 -j ACCEPT
        # allow the server's replies (non-SYN packets from port 22) back out
        $IPTABLEPROG -A OUTPUT -o "$PUB_IFACE" -p tcp ! --syn \
            -s "$PUB_IP" --sport 22 \
            -d "$IP" --dport "$EPHEMERAL_PORTS" -j ACCEPT
    done


    This is cut from a script, but here are all the predefined
    symbols:

    PUB_IFACE=eth0
    PUB_IP=a.b.c.d #plug in your machine's IP address here
    SSH_CLIENTS=$PUB_IP/0 #entire net
    SSH_CLIENTS_UNRESTRICTED=$PUB_IP/24 #local subnet
    IPTABLEPROG=iptables
    EPHEMERAL_PORTS=1024:65535 #Unprivileged port range

    Regards,

    David Mathog
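To see what the rule order above does over time, here is an added example (not from the post) that models the two "-m recent" rules as their match semantics are commonly described: "--set" records a hit and lets evaluation continue, and "--update --seconds S --hitcount N" matches when at least N hits fall inside the last S seconds, recording another hit on a match. The addresses are constructed, and the local-subnet carve-out mirrors the SSH_CLIENTS_UNRESTRICTED rule; the real module also caps how many timestamps it keeps per address, which this model ignores.

```python
"""Simplified model of the NEW_SSH chain from the post (not real xt_recent code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values standing in for the post's PUB_IP / SSH_CLIENTS_UNRESTRICTED.
PUB_IP = "198.51.100.10"
UNRESTRICTED = ip_network("198.51.100.0/24")


class RecentList:
    """Per-source hit timestamps, as the `recent` match keeps them (simplified)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # `--set`: record a hit for the source; the rule has no -j, so the
        # packet continues to the next rule regardless.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # `--update --seconds S --hitcount N`: match when at least N hits fall
        # inside the last S seconds; a match also records the current packet.
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def new_ssh_chain(recent, src, now, hitcount=2, seconds=60):
    """Verdict for one NEW SYN to port 22, following the post's NEW_SSH rule order."""
    if ip_address(src) in UNRESTRICTED:
        return "ACCEPT"            # local-subnet rule comes first, never rate-limited
    recent.set(src, now)           # rule 1: --set (always continues)
    if recent.update(src, now, seconds, hitcount):
        return "DROP"              # rule 2: --update ... -j DROP
    return "ACCEPT"                # remaining rules accept


def simulate(attempts, hitcount):
    """Run (src, time_in_seconds) attempts in order and return the verdicts."""
    recent = RecentList()
    return [new_ssh_chain(recent, src, t, hitcount) for src, t in attempts]
```

Because a dropped attempt is recorded too, a remote client has to stay quiet for the whole 60 s window before it is accepted again, while addresses in the unrestricted subnet are never limited.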

  2. Re: locking out sshd break in attempts?

    Sorry, this was supposed to go to alt.os.linux.mandriva.

    David Mathog

