[plug] Port knocking (ish)

Warren Argus warren at warbel.net
Thu Nov 8 06:36:31 AWST 2018

Hi Brad,

I found that prohibiting password authentication (ssh keys only) and
using fail2ban jails on ssh was pretty effective. Fail2ban would also
blacklist the offending IP address for a period of time (I forget how
long) which would stop further attempts.

Kind regards,


-----Original Message-----
From: Brad Campbell <brad at fnarfbargle.com>
To: plug at plug.org.au <plug at plug.org.au>
Subject: [plug] Port knocking (ish)
Date: Wed, 7 Nov 2018 21:58:46 +0800

G'day all,

So I've been experimenting on and off with ways of reducing the huge 
volumes of various intrusion/scan attempts on a few services (like
imap/imaps and some specific http based stuff) for quite a while now.

My folks use an openwrt router as their gateway and dropbear isn't
smart about what you can set it up to do. One of the things it is 
particularly bad at is allowing multiple attempts at different
in the one connection. As it sends the syslog to me in real time I was 
getting spammed with attempts, so I implemented a simple rule with the 
iptables recent match to require 5 attempts in 120 seconds before it'd 
let the packet through the firewall.

This is kinda interesting because due to it dropping the packets rather
than rejecting them, the tcp exponential backoff applies and if you wait
long enough you'll get 5 syn packets in less than 120 seconds and you 
are in.

*however*, scanners don't do this. At most I've recorded 3 packets 
before they've given up, so this little 5 in 120 rule has dropped the 
ssh attempts to zero. Nice.

Tonight I set about applying that to my server at home. I have 3
services that really cop a hammering, and applying this rule to those
has just killed it _dead_. I'm monitoring the recent matches in real 
time and it has become very apparent that all these bots work the same 
way. One, maybe 2 syn packets. No response. Give up.

Best of all, precisely *because* tcp will retry with backoff, it hasn't
in any way impacted my ability to access this stuff from outside short 
of adding ~20 seconds of delay to the initial connect (which as I use 
them infrequently I'm more than willing to trade).

Just in case it's interesting, here's the firewall snippet for ssh :
#------------------ Port knock SSH --------------------------#
# Require 5 attempts at SSH in 120 seconds to unlock the connection
# (the archive wrapped these lines; "--ctstate NEW" and "-j ACCEPT" are
#  reconstructed from the comments and the SYN-counting behaviour described)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --set --name SSHP
# If we've met the criteria then Accept
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
# If we haven't met the criteria then Reject
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP

PLUG discussion list: plug at plug.org.au
Committee e-mail: committee at plug.org.au
PLUG Membership: http://www.plug.org.au/membership
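The three quoted rules, as an added simulation that is not from the thread or from anyone on the list: it models the xt_recent --set/--update/--rcheck/--reap semantics in Python and feeds constructed SYN timings through them, showing why a scanner's one or two SYNs are dropped while a client's kernel SYN retransmits (1, 2, 4, 8 s backoff) are accepted on the fifth SYN at about 15 s, and that five SYNs spread over more than 30 s but under 120 s match neither rule and fall through to whatever rules follow. The 30 s and 120 s windows and hitcount are taken from the quoted rules; the source address, timings and class names are assumptions.

```python
class RecentTable:
    """Per-source hit timestamps, like /proc/net/xt_recent/<name>."""

    def __init__(self):
        self.hist = {}

    def set(self, src, now):                        # -m recent --set
        self.hist.setdefault(src, []).append(now)

    def hits(self, src, now, seconds):
        """Hits recorded for src within the last `seconds`."""
        return sum(1 for t in self.hist.get(src, []) if now - t <= seconds)

    def reap(self, now, seconds):                   # --reap: purge stale sources
        stale = [s for s, ts in self.hist.items() if now - ts[-1] > seconds]
        for s in stale:
            del self.hist[s]

    def update(self, src, now, seconds, hitcount):  # --update
        ok = self.rcheck(src, now, seconds, hitcount)
        if ok:                                      # a match also records a hit
            self.hist[src].append(now)
        return ok

    def rcheck(self, src, now, seconds, hitcount):  # --rcheck
        return src in self.hist and self.hits(src, now, seconds) >= hitcount


def verdict(table, src, now):
    """Run one NEW SYN through the three rules; None = falls through."""
    table.set(src, now)                                        # rule 1
    accepted = table.update(src, now, seconds=30, hitcount=5)  # rule 2
    table.reap(now, seconds=30)
    if accepted:
        return "ACCEPT"
    if not table.rcheck(src, now, seconds=120, hitcount=5):    # rule 3
        return "DROP"
    return None


def run(syn_times, src="192.0.2.10"):
    """Feed SYN arrival offsets (seconds) from one source; return verdicts."""
    table = RecentTable()
    return [verdict(table, src, t) for t in syn_times]


# Constructed: a scanner sends one or two SYNs, hears nothing, gives up.
SCANNER = [0.0, 1.0]
# Constructed: a real client's kernel retransmits SYN with 1, 2, 4, 8 s backoff.
CLIENT = [0.0, 1.0, 3.0, 7.0, 15.0]
# Constructed: 5 SYNs inside 120 s but not inside 30 s: neither ACCEPT nor DROP.
SLOW = [0.0, 40.0, 80.0, 100.0, 110.0]
```

The SLOW case is worth checking against the rest of your INPUT chain, since these three rules alone leave its fifth SYN to whatever policy follows them.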
