[plug] Port knocking (ish)

Brad Campbell brad at fnarfbargle.com
Wed Nov 7 21:58:46 AWST 2018

G'day all,

So I've been experimenting on and off with ways of reducing the huge 
volumes of various intrusion/scan attempts on a few services (like ssh, 
imap/imaps and some specific http based stuff) for quite a while now.

My folks use an openwrt router as their gateway and dropbear isn't that 
smart about what you can set it up to do. One of the things it is 
particularly bad at is allowing multiple attempts at different usernames 
in the one connection. As it sends the syslog to me in real time I was 
getting spammed with attempts, so I implemented a simple rule with the 
iptables recent match to require 5 attempts in 120 seconds before it'd 
let the packet through the firewall.

This is kinda interesting because due to it dropping the packets rather 
than rejecting them, the tcp exponential backoff applies and if you wait 
long enough you'll get 5 syn packets in less than 120 seconds and you 
are in.

*however*, scanners don't do this. At most I've recorded 3 packets 
before they've given up, so this little 5 in 120 rule has dropped the 
ssh attempts to zero. Nice.

Tonight I set about applying that to my server at home. I have 3 exposed 
services that really cop a hammering, and applying this rule to those 3 
has just killed it _dead_. I'm monitoring the recent matches in real 
time and it has become very apparent that all these bots work the same 
way. One, maybe 2 syn packets. No response. Give up.

Best of all, precisely *because* tcp will retry with backoff, it hasn't 
in any way impacted my ability to access this stuff from outside short 
of adding ~20 seconds of delay to the initial connect (which as I use 
them infrequently I'm more than willing to trade).

Just in case it's interesting, here's the firewall snippet for ssh:

#------------------ Port knock SSH --------------------------#
# Require 5 attempts at SSH in 120 seconds to unlock the connection
# (rule records the SYN in the SSHP list and falls through; no -j)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --set --name SSHP
# If we've met the criteria then Accept
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
# If we haven't met the criteria then Drop (not Reject, so TCP backoff applies)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP
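As an added illustration (not part of Brad's post or his firewall), this Python model runs the three rules above over constructed SYN arrival patterns; the source address and timings are made up, and the real module's per-entry ring-buffer limit is ignored.

```python
# Toy model of the xt_recent rules in the post (added example, not the author's code).
# Stamps are kept per source address; xt_recent's ring-buffer size limit is ignored.
from collections import defaultdict

ACCEPT_WINDOW, DROP_WINDOW, HITCOUNT = 30, 120, 5   # values exactly as posted


class RecentTable:
    """Minimal stand-in for the kernel's xt_recent table named SSHP."""

    def __init__(self):
        self.stamps = defaultdict(list)          # src -> arrival times (seconds)

    def hits_within(self, src, now, seconds):
        # xt_recent counts every stamp not older than 'seconds', the current one included
        return sum(1 for s in self.stamps[src] if now - s <= seconds)

    def new_syn(self, src, now):
        """Run one NEW SYN from src through the three rules and return the verdict."""
        # Rule 1: -m recent --set --name SSHP  (no target: record the hit, fall through)
        self.stamps[src].append(now)
        # Rule 2: -m recent --update --seconds 30 --hitcount 5 -j ACCEPT
        if self.hits_within(src, now, ACCEPT_WINDOW) >= HITCOUNT:
            self.stamps[src].append(now)         # --update adds a stamp when it matches
            return "ACCEPT"
        # Rule 3: -m recent ! --rcheck --seconds 120 --hitcount 5 -j DROP
        if self.hits_within(src, now, DROP_WINDOW) < HITCOUNT:
            return "DROP"
        # Neither terminal rule fired: the packet continues down the INPUT chain
        return "CONTINUE"


def verdicts(arrivals):
    """Verdict for each SYN of a single source, given its arrival times in seconds."""
    table = RecentTable()
    return [table.new_syn("198.51.100.7", t) for t in arrivals]   # constructed address


# Constructed SYN arrival patterns (seconds after the first SYN):
SCANNER = [0, 1]                     # one or two SYNs, no answer, gives up
LINUX_CLIENT = [0, 1, 3, 7, 15]      # kernel SYN retransmit backoff: 1, 2, 4, 8 s
SLOW_CLIENT = [0, 25, 50, 75, 100]   # 5 SYNs inside 120 s but never 5 inside 30 s

if __name__ == "__main__":
    for name, pattern in (("scanner", SCANNER), ("linux client", LINUX_CLIENT),
                          ("slow client", SLOW_CLIENT)):
        print(f"{name:13s} {verdicts(pattern)}")
```

With the posted values, a source that reaches 5 SYNs inside 120 s but not inside 30 s is neither accepted nor dropped by these rules and is handled by whatever follows in the INPUT chain.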
