[plug] Port knocking (ish)
Warren Argus
warren at warbel.net
Thu Nov 8 06:36:31 AWST 2018
Hi Brad,
I found that prohibiting password authentication (ssh keys only) and using fail2ban jails on ssh was pretty effective. Fail2ban would also blacklist the offending IP address for a period of time (I forget how long), which would stop further attempts.
Kind regards,
Warren
-----Original Message-----
From: Brad Campbell <brad at fnarfbargle.com>
To: plug at plug.org.au <plug at plug.org.au>
Subject: [plug] Port knocking (ish)
Date: Wed, 7 Nov 2018 21:58:46 +0800
G'day all,

So I've been experimenting on and off with ways of reducing the huge volumes of various intrusion/scan attempts on a few services (like ssh, imap/imaps and some specific http based stuff) for quite a while now.

My folks use an openwrt router as their gateway and dropbear isn't that smart about what you can set it up to do. One of the things it is particularly bad at is allowing multiple attempts at different usernames in the one connection. As it sends the syslog to me in real time I was getting spammed with attempts, so I implemented a simple rule with the iptables recent match to require 5 attempts in 120 seconds before it'd let the packet through the firewall.

This is kinda interesting because due to it dropping the packets rather than rejecting them, the tcp exponential backoff applies and if you wait long enough you'll get 5 syn packets in less than 120 seconds and you are in.

*however*, scanners don't do this. At most I've recorded 3 packets before they've given up, so this little 5 in 120 rule has dropped the ssh attempts to zero. Nice.

Tonight I set about applying that to my server at home. I have 3 exposed services that really cop a hammering, and applying this rule to those 3 has just killed it _dead_. I'm monitoring the recent matches in real time and it has become very apparent that all these bots work the same way. One, maybe 2 syn packets. No response. Give up.

Best of all, precisely *because* tcp will retry with backoff, it hasn't in any way impacted my ability to access this stuff from outside short of adding ~20 seconds of delay to the initial connect (which as I use them infrequently I'm more than willing to trade).
Just in case it's interesting, here's the firewall snippet for ssh:

#------------------ Port knock SSH --------------------------#
# Require 5 attempts at SSH in 120 seconds to unlock the connection
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --set --name SSHP
# If we've met the criteria then Accept
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
# If we haven't met the criteria then Drop (not Reject, so the client keeps retrying)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://lists.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.org.au
PLUG Membership: http://www.plug.org.au/membership
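An added illustration, not code from Brad's or Warren's messages: this Python model replays constructed SYN arrival schedules through the three recent-match rules quoted above, using the xt_recent semantics of --set, --rcheck, --update and --reap as modelled here. The retransmission times, the bot behaviour, the source address 192.0.2.10 and the RecentTable class are all assumptions for the example.

```python
from collections import defaultdict
# Constructed SYN arrival times in seconds. Assumption: a Linux client
# retransmits an unanswered SYN with exponential backoff at roughly
# t = 0, 1, 3, 7, 15, 31, 63 s; bots typically send one or two and give up.
LEGIT_CLIENT_SYNS = [0.0, 1.0, 3.0, 7.0, 15.0, 31.0, 63.0]
SCANNER_SYNS = [0.0, 0.6]
SLOW_CLIENT_SYNS = [0.0, 25.0, 50.0, 75.0, 100.0]  # 5 hits in 120 s, not in 30 s

class RecentTable:
    """Minimal model of xt_recent: a per-source list of hit timestamps."""
    def __init__(self):
        self.stamps = defaultdict(list)
    def set(self, src, now):
        # --set always records the packet's timestamp and always matches
        self.stamps[src].append(now)
    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck matches if >= hitcount stamps lie within the window; read-only
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds) >= hitcount
    def update(self, src, now, seconds, hitcount, reap=False):
        # --update is --rcheck that also records this packet when it matches
        matched = self.rcheck(src, now, seconds, hitcount)
        if reap:  # --reap evicts other sources whose newest stamp has aged out
            self.stamps = defaultdict(list, {s: v for s, v in self.stamps.items()
                                             if s == src or now - v[-1] <= seconds})
        if matched:
            self.stamps[src].append(now)
        return matched

def verdict(table, src, now):
    """Run one NEW SYN from src through the three rules and return the verdict."""
    table.set(src, now)                                           # rule 1
    if table.update(src, now, seconds=30, hitcount=5, reap=True):
        return "ACCEPT"                                            # rule 2
    if not table.rcheck(src, now, seconds=120, hitcount=5):
        return "DROP"                                              # rule 3
    return "CONTINUE"  # 5 hits in 120 s but not 30 s: left to the rest of the chain

def run(schedule, src="192.0.2.10"):
    """Verdicts for a SYN schedule, stopping at the first ACCEPT (handshake done)."""
    table, verdicts = RecentTable(), []
    for t in schedule:
        verdicts.append(verdict(table, src, t))
        if verdicts[-1] == "ACCEPT":
            break
    return verdicts

def time_to_connect(schedule):
    """Seconds until the first accepted SYN, or None if the source never gets in."""
    verdicts = run(schedule)
    return schedule[len(verdicts) - 1] if verdicts[-1] == "ACCEPT" else None
```

The legit client gets in on its fifth SYN at t = 15 s while the two-SYN bot is dropped every time; the slow schedule exposes the gap between the 30 s and 120 s windows, where a source matches neither rule 2 nor rule 3 and falls through to whatever follows in the chain.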