[plug] Port knocking (ish)

Bill Kenworthy billk at iinet.net.au
Thu Nov 8 10:58:50 AWST 2018

Add two factor auth (e.g., google authenticator) for more security.

The port rate rules have been around for a while and there are scans that
use a low rate of scanning (e.g., thousands of hosts to scan, but send
only one attempt an hour over months to each one - the only systems that
seem to pick that up are ones using large scale correlation across a lot
of sensors e.g., Cisco etc.)

fail2ban is a lot more tunable and flexible than simple iptables rules.

Bill K.

On 08/11/18 06:36, Warren Argus wrote:
> Hi Brad,
> I found that prohibiting password authentication (ssh keys only) and
> using fail2ban jails on ssh was pretty effective. Fail2ban would also
> blacklist the offending ip address for a period of time (I forget how
> long) which would stop further attempts.
> Kind regards,
> Warren
> -----Original Message-----
> From: Brad Campbell <brad at fnarfbargle.com>
> To: plug at plug.org.au <plug at plug.org.au>
> Subject: [plug] Port knocking (ish)
> Date: Wed, 7 Nov 2018 21:58:46 +0800
> G'day all,
> So I've been experimenting on and off with ways of reducing the huge 
> volumes of various intrusion/scan attempts on a few services (like ssh, 
> imap/imaps and some specific http based stuff) for quite a while now.
> My folks use an openwrt router as their gateway and dropbear isn't that 
> smart about what you can set it up to do. One of the things it is 
> particularly bad at is allowing multiple attempts at different usernames 
> in the one connection. As it sends the syslog to me in real time I was 
> getting spammed with attempts, so I implemented a simple rule with the 
> iptables recent match to require 5 attempts in 120 seconds before it'd 
> let the packet through the firewall.
> This is kinda interesting because due to it dropping the packets rather 
> than rejecting them, the tcp exponential backoff applies and if you wait 
> long enough you'll get 5 syn packets in less than 120 seconds and you 
> are in.
> *however*, scanners don't do this. At most I've recorded 3 packets 
> before they've given up, so this little 5 in 120 rule has dropped the 
> ssh attempts to zero. Nice.
> Tonight I set about applying that to my server at home. I have 3 exposed 
> services that really cop a hammering, and applying this rule to those 3 
> has just killed it _dead_. I'm monitoring the recent matches in real 
> time and it has become very apparent that all these bots work the same 
> way. One, maybe 2 syn packets. No response. Give up.
> Best of all, precisely *because* tcp will retry with backoff, it hasn't 
> in any way impacted my ability to access this stuff from outside short 
> of adding ~20 seconds of delay to the initial connect (which as I use 
> them infrequently I'm more than willing to trade).
> Just in case it's interesting, here's the firewall snippet for ssh:
> #------------------ Port knock SSH --------------------------#
> # Require 5 attempts at SSH in 120 seconds to unlock the connection
> $IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
>     -m recent --set --name SSHP
> # If we've met the criteria then Accept
> $IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
>     -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
> # If we haven't met the criteria then Drop (not Reject, so TCP backoff still applies)
> $IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
>     -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP
> _______________________________________________
> PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au <mailto:committee at plug.org.au>
> PLUG Membership: http://www.plug.org.au/membership
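Added example, not from the thread: a small Python model of how the three `-m recent` rules quoted above evaluate a stream of NEW SYNs from one source, so you can see why a scanner sending one or two SYNs never gets in while a normal client's kernel retransmits carry it past the threshold. The Linux SYN retransmit schedule (initial RTO 1 s, doubling) and the sample source address are assumptions; `--update`'s own timestamp refresh is treated as already covered by rule 1's `--set`.

```python
from collections import defaultdict

HITCOUNT = 5         # --hitcount on both check rules
ACCEPT_WINDOW = 30   # --seconds on the --update/ACCEPT rule
DROP_WINDOW = 120    # --seconds on the ! --rcheck/DROP rule


class RecentList:
    """Minimal model of one xt_recent list (the SSHP list in the post)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # src -> timestamps of NEW SYNs seen

    def set(self, src, now):                 # --set: record this packet
        self.stamps[src].append(now)

    def count(self, src, now, seconds):      # hits inside the window (incl. this packet)
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def reap(self, src, now, seconds):       # --reap: purge stamps older than the window
        self.stamps[src] = [t for t in self.stamps[src] if now - t <= seconds]


def verdict(lst, src, now):
    """Walk the three quoted rules for one NEW SYN and return the chain verdict."""
    lst.set(src, now)                                    # rule 1: -m recent --set
    if lst.count(src, now, ACCEPT_WINDOW) >= HITCOUNT:   # rule 2: --update --seconds 30 --hitcount 5
        lst.reap(src, now, ACCEPT_WINDOW)
        return "ACCEPT"
    if lst.count(src, now, DROP_WINDOW) < HITCOUNT:      # rule 3: ! --rcheck --seconds 120 --hitcount 5
        return "DROP"
    # 5 hits inside 120 s but not inside 30 s: neither check fires, so the
    # packet falls through to whatever follows in the INPUT chain.
    return "CONTINUE"


def run(syn_times, src="198.51.100.7"):  # constructed sample source
    lst = RecentList()
    return [verdict(lst, src, t) for t in syn_times]


def linux_syn_schedule(retries=6):
    """Assumed Linux client SYN timing: 0, 1, 3, 7, 15, 31, 63 s (RTO 1 s, doubling)."""
    return [2 ** k - 1 for k in range(retries + 1)]


if __name__ == "__main__":
    print("client :", run(linux_syn_schedule()))   # 5th SYN at t=15 s is accepted
    print("scanner:", run([0, 0.5]))               # gives up after 2 SYNs: never in
```

The fall-through case is worth knowing: a source whose 5th SYN lands between 30 and 120 seconds after its first is neither accepted by rule 2 nor dropped by rule 3, so the chain's later rules decide.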
