Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: reduction of brute force login attempts via SSH through iptables --hashlimit
From: "GroundZero Security" <fd () g-0 org>
Date: Tue, 28 Feb 2006 21:44:12 +0100

Hello,

i made a small bash script last year to block those bruteforce attempts automatically via the firewall.
In case someone is interested, i released it on our website. Someone may have a use for it :-)
http://www.groundzero-security.com/code/bruteforce-block.sh
Have a nice day everyone!

-sk


GroundZero Security Research and Software Development
http://www.groundzero-security.com

Wir widersprechen der Nutzung oder Übermittlung unserer Daten
für Werbezwecke oder für die Markt- oder Meinungsforschung (§ 28 Abs. 4 BDSG).

pub  1024D/69928CB8 2004-09-27 Stefan Klaas <sk () groundzero-security com>
sub  2048g/2A3C7800 2004-09-27

Key fingerprint = A93E 41F8 7E82 5F2C 3E76  41F1 4BCF 3096 6992 8CB8

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBEFX440RBADGTKOgZR9Y9VA/cfNLWTIN/OmXe9l6UZJ6pY8Hqcv6DFE//Kt9
UfQMU470i+I7SvIHZN066Kl4ts4r90sLxXrE4r5VQCLTsJM68cliatrM8MbbZZs+
xf3ldelZrHNvHkXDk4I/n3O56F9M6tZ/S71AIj++raIbFX57fn8Z8NNOnwCgwDr6
LDVP+5N4DML1/+uvXNtoL30D/A/GUXd6lJ8i7MoZMzwKk1uwDsgWwP+Wm0hMwJMr
fR/di9K55pGdlGFNO5P2L3qOl2BaC8raNkLcXaweW+bao3P66nzpdtmecsjCMWq2
tQWgu/O7S1FgzlUAKJSOc2Th5PY9Raum8bXnSv4gnHZCKjNskIdrz8WDxCzEoPtZ
eCssA/9ydHRvNIPjOTmzjXoE+UbJrB/U//u3dpAsLkzclKeSgjV2eYUgHGcqYn+H
cFoubD78yFWqZqYtxfiyjBlItsIn9ls0gAZFKDFHd1XfOLFSa0/NHNpHLxCZGFIA
tQ0Gp47VRmTPkWJ7lB505w0XioNs1H/1K1RSp++7+t1SNkBlobQpU3RlZmFuIEts
YWFzIDxza0Bncm91bmR6ZXJvLXNlY3VyaXR5LmNvbT6IVwQTEQIAFwUCQVfjjQUL
BwoDBAMVAwIDFgIBAheAAAoJEEvPMJZpkoy4AnYAmwTot1PMUty1YoCuMVg6cpr7
HKy1AJ98jyzD365YkIQAEiihXlQJ4zrxBLkCDQRBV+OvEAgAiu75prsTQZdNijtY
eMQhl4tEL8qi8JOFluYGnvPYjDzU0PY9E4mNx/w2BgYcM3lTVzSmaiLEJ1AzeOHn
w+pLDWsorRZuVI9q3+ExW3s2yFX4ppdHAVBMuYsQyVJRkbobCkcwTbUYXr23pKzh
D8WRAJ991k2lNcQHxMgixAN+55XBFLhwLB0Yz7XmhFYLid5dLxdPllLIV3ZHDeY0
SEqMSpw96+gV0QpX7YH9U2VBr3Wz7Ss6qNZkcgHQw1xmk6Yy24QnT4a9oZD06Yjr
cCocXnyI/YLW1wXo/6Hh44UH3b9mKUX6eh8ybn7QCnZDG7AdxbglLiPTkdcx0YoT
NANZBwADBwf8CrjVKiXSzyhUsdH1es1KQCZ/zH6PvPzdxqYuGuVVMzgaJeeOMS2G
4rLfw2ILahAS0fjng6zX2c1ndPVJ6oAq3IygWsqJH6Uh23NmKTlyx3KtSgyW7YsB
Rn/4wobuojArTHTl+X3U4JZTUEb9E4osB9bFjdsgXcxNSwXghQMh1x5eS5/fcjLd
tACNq0x2/zh8zTJFHK+oNCLY2+iBjTUn7K03rEhQo6HqbPYwyc3LUCwBuFHFDVWp
bZqa4knO0H5BBmbiI09kaVPOs0qRLXCAf1oy9PxK5ZBJ4WfQAnMAU+TuNrTuW2SU
NMh92TCELdDpl/pMDbbBGeJdMvXZmY99HIhGBBgRAgAGBQJBV+OvAAoJEEvPMJZp
koy4p1QAoIaYw3VxA0/mixUsMO4R13sXIL/pAJ9zodR+A9+bLqCRlVusG8JhItv1
Ow==
=E0o1
-----END PGP PUBLIC KEY BLOCK-----

Diese E-Mail kann vertrauliche Informationen enthalten. Wenn Sie nicht der
richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren
Sie bitte sofort den Absender und vernichten Sie diese E-Mail.
Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail oder von
Teilen dieser E-Mail ist nicht gestattet.

This E-mail might contain confidential information. If you are not the right addressee
or you have recived this Mail in error, please inform the Sender as soon as possible
and delete this E-Mail immediately. You are not allowed to make any copies or
relay this E-Mail.
----- Original Message ----- 
From: "Jay Libove" <libove () felines org>
To: <full-disclosure () lists grok org uk>
Sent: Tuesday, February 28, 2006 2:23 AM
Subject: [Full-disclosure] reduction of brute force login attempts via SSH through iptables --hashlimit


Quite some time back, I posted a question here about brute force login
attempts through SSH which had recently become a noticeable annoyance.
There was some discussion here on the list, someone suggested using
hashlimit, and I think the issue of brute force attempts through SSH has
become just one more part of the background noise of the Internet.

I finally got back around to looking at this on my system, and I figured
out why my first attempts at using the hashlimit functionality in iptables
had not worked.  Hopefully late is better than never, so I present it here
to anyone else who was as stupid and/or lazy as I was :) so that it took
me this long to get back to work on it and get it right.

Here is an iptables command to allow inbound SSH with a quite low limit on
the number of connections which may arrive from a specific IP address in a
short period of time. Combined with the default setting of OpenSSH which
drops a connection after just a few failed login attempts, this has
reduced the number of failed logins I am seeing in my nightly logwatch
output from thousands to about ten per day. Since this use of hashlimit
filters on source IP address, it does not create a denial of service
against legitimate SSH connections, unless someone spoofs a very large
range of source addresses and can somehow get those connections to
actually open instead of just consume partly open TCP sessions.  In such a
case, other defenses are needed anyway.

# iptables --table filter -A INPUT --protocol tcp --source 0/0 \
--destination-port ssh -m hashlimit --hashlimit 2/minute \
--hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh \
-m state --state NEW --jump ACCEPT

The stupid thing I did the first time I tried to set this up months ago
was to put a command like the above in, and forget to take out the
original iptables command allowing connections to the SSH port.
hashlimit is a limiter on an iptables rule.  Having one rule with a
hashlimit in it, and a second matching rule with no hashlimit, just
results in all connections being accepted without limit.

Of course, the same thing would work to reduce brute force speeds on
telnet, FTP, &etc by changing the destination port argument.


Please direct all flames to /dev/null, all cash contributions to /dev/me
:) and all constructive comments and enhancement suggestions back to the
list.

Cheers!
-Jay
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault