If you look at your logs (and you should), you can't help but notice the increase in brute-force SSH scanning going on: your auth.log is probably filled with people trying every letter of the alphabet as a username, common logins (such as test, guest, root) and the general annoying behaviour of people running scripts.
Juergen Kreileder came up with a good way to deal with these using shorewall and the ipt_recent kernel module, which tracks recently seen IP addresses and lets you match against them.
If an IP tries to connect more than 6 times in 60 seconds, the IP is automatically DROPped.
If no new packets arrive for a while (the count drops below 6 in 60 seconds again), the IP is no longer dropped. Additionally, there is a secret backdoor port you can knock on to put your IP in a whitelist in case you accidentally get locked out. Even sneakier, anyone scanning ports will hit the port one below and/or one above the secret backdoor port and be re-added to the DROP list.
To set this up just follow these steps:
1. Get the files into place:
# touch /etc/shorewall/{action.Limit,action.Whitelist}
# cd /etc/shorewall
# wget http://deb.riseup.net/networking/firewall/ssh-brute--force-attacks/Limit
# wget http://deb.riseup.net/networking/firewall/ssh-brute--force-attacks/Whitelist
NOTE: action.Limit and action.Whitelist are supposed to be empty files; the scripts you wget intentionally have different filenames (Limit and Whitelist).
If you already have an actions and/or a params file in /etc/shorewall, don't overwrite them; otherwise copy the defaults:
# cp /usr/share/doc/shorewall/default-config/{actions,params} /etc/shorewall
2. Edit the files
Edit /etc/shorewall/actions and add the following to the end:
Limit
Whitelist
Edit /etc/shorewall/params and add the following to the end:
WHITELIST_PORT=2222
Edit /etc/shorewall/rules so that ssh is limited, the Whitelist action is applied, and the port knock is allowed, for example:
Limit:info:SSH net fw tcp ssh
Whitelist:info net fw
ACCEPT net fw tcp ssh,2222
or if you are using ULOG for your logging:
Limit:$LOG:SSH net fw tcp ssh
Whitelist:$LOG net fw
ACCEPT net fw tcp ssh,2222
3. Restart shorewall and test things
# /etc/init.d/shorewall stop; /etc/init.d/shorewall start
then from a remote host open 7 separate ssh connections while watching your firewall log. You will notice that the 7th connection never gets a Password: prompt, and your firewall log will note this:
Oct 20 10:28:19 localhost kernel: Shorewall:Limit:DROP:SSH IN=eth0 OUT= MAC=00:30:48:29:84:b0:00:0c:ce:b3:ef:00:08:00 SRC=216.66.98.138 DST=69.90.134.225 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5676 DF PROTO=TCP SPT=33502 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Then try knocking on the secret port by telnetting to port 2222 on the remote host. You will be able to ssh in again, and your firewall log will show:
Oct 20 09:41:59 localhost kernel: Shorewall:WhitelistAdd:DROP:IN=eth0 OUT= MAC=00:30:48:29:84:b0:00:0c:ce:b3:ef:00:08:00 SRC=67.85.190.129 DST=69.90.134.220 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31559 PROTO=TCP SPT=59611 DPT=2222 WINDOW=5808 RES=0x00 SYN URGP=0
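As an added illustration (not part of the original page or of Juergen Kreileder's action files), the following Python models the behaviour just described: the sliding window of more than 6 SSH SYNs in 60 seconds, the knock on WHITELIST_PORT, and the trap ports one below and one above it, plus a parser for the Shorewall kernel log lines shown above. The sample log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque

LIMIT_HITS, LIMIT_SECONDS = 6, 60     # more than 6 SSH SYNs in 60 s -> DROP
WHITELIST_PORT = 2222                 # WHITELIST_PORT in /etc/shorewall/params
TRAP_PORTS = {WHITELIST_PORT - 1, WHITELIST_PORT + 1}  # one port below/above the knock
SSH_PORT = 22

class SshLimiter:
    """Model of the ipt_recent window plus the whitelist knock and the trap ports."""
    def __init__(self):
        self.window = defaultdict(deque)   # src -> timestamps of recent SSH SYNs
        self.whitelist, self.blacklist = set(), set()

    def decide(self, t, src, dport):
        """Decision for one inbound SYN at time t (seconds): ACCEPT, DROP, WHITELIST or TRAP."""
        if dport == WHITELIST_PORT:            # the knock: whitelist and clear any block
            self.whitelist.add(src); self.blacklist.discard(src)
            return "WHITELIST"
        if dport in TRAP_PORTS:                # a scanner walking ports hits the trap
            self.blacklist.add(src); self.whitelist.discard(src)
            return "TRAP"
        if dport != SSH_PORT:                  # nothing else is accepted by the rules above
            return "DROP"
        if src in self.whitelist:
            return "ACCEPT"
        if src in self.blacklist:
            return "DROP"
        w = self.window[src]
        w.append(t)                            # every SYN, dropped or not, refreshes the entry
        while t - w[0] > LIMIT_SECONDS:        # expire hits older than the window
            w.popleft()
        return "DROP" if len(w) > LIMIT_HITS else "ACCEPT"

# "Shorewall:<chain>:<disposition>:<tag> IN=... SRC=... DPT=..."; the tag may be empty
LOG_RE = re.compile(r"Shorewall:(\w+):(\w+):(\w*)\s*IN=.*?SRC=(\S+).*?DPT=(\d+)")

def parse_shorewall_line(line):
    """Extract chain, disposition, tag, source address and destination port, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    chain, disp, tag, src, dpt = m.groups()
    return {"chain": chain, "disposition": disp, "tag": tag, "src": src, "dpt": int(dpt)}

SAMPLE_LOG = [  # constructed sample lines in the format shown above
    "Oct 20 10:28:19 localhost kernel: Shorewall:Limit:DROP:SSH IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=33502 DPT=22",
    "Oct 20 10:29:03 localhost kernel: Shorewall:WhitelistAdd:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=59611 DPT=2222",
]
```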