<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
<div>Hi Brad,</div>
<div><br></div>
<div>I found that prohibiting password authentication (ssh keys only) and using fail2ban jails on ssh was pretty effective. Fail2ban would also blacklist the offending IP address for a period of time (I forget how long), which would stop further attempts.</div>
<div><br></div>
<div>Kind regards,</div>
<div><br></div>
<div>Warren</div>
<div><br></div>
<div>-----Original Message-----</div>
<div>From: Brad Campbell &lt;<a href="mailto:brad@fnarfbargle.com">brad@fnarfbargle.com</a>&gt;</div>
<div>To: <a href="mailto:plug@plug.org.au">plug@plug.org.au</a> &lt;<a href="mailto:plug@plug.org.au">plug@plug.org.au</a>&gt;</div>
<div>Subject: [plug] Port knocking (ish)</div>
<div>Date: Wed, 7 Nov 2018 21:58:46 +0800</div>
<div><br></div>
<div>G'day all,</div>
<div><br></div>
<div>So I've been experimenting on and off with ways of reducing the huge volumes of various intrusion/scan attempts on a few services (like ssh, imap/imaps and some specific http based stuff) for quite a while now.</div>
<div><br></div>
<div>My folks use an openwrt router as their gateway and dropbear isn't that smart about what you can set it up to do. One of the things it is particularly bad at is allowing multiple attempts at different usernames in the one connection. As it sends the syslog to me in real time I was getting spammed with attempts, so I implemented a simple rule with the iptables recent match to require 5 attempts in 120 seconds before it'd let the packet through the firewall.</div>
<div><br></div>
<div>This is kinda interesting because, due to it dropping the packets rather than rejecting them, the tcp exponential backoff applies and if you wait long enough you'll get 5 syn packets in less than 120 seconds and you are in.</div>
<div><br></div>
<div>*however*, scanners don't do this. At most I've recorded 3 packets before they've given up, so this little 5 in 120 rule has dropped the ssh attempts to zero. Nice.</div>
<div><br></div>
<div>Tonight I set about applying that to my server at home. I have 3 exposed services that really cop a hammering, and applying this rule to those 3 has just killed it _dead_. I'm monitoring the recent matches in real time and it has become very apparent that all these bots work the same way. One, maybe 2 syn packets. No response. Give up.</div>
<div><br></div>
<div>Best of all, precisely *because* tcp will retry with backoff, it hasn't in any way impacted my ability to access this stuff from outside short of adding ~20 seconds of delay to the initial connect (which, as I use them infrequently, I'm more than willing to trade).</div>
<div><br></div>
<div>Just in case it's interesting, here's the firewall snippet for ssh:</div>
<pre>#------------------ Port knock SSH --------------------------#
# Require 5 attempts at SSH in 120 seconds to unlock the connection
# Record every new SSH SYN from the source address in the SSHP list
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --set --name SSHP
# If we've met the criteria then Accept (this rule checks a 30 second window)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
# If we haven't met the criteria then Drop, not Reject, so the client's
# TCP backoff keeps retrying (this rule checks a 120 second window)
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
    -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP
</pre>
<div><br></div>
<div>_______________________________________________</div>
<div>PLUG discussion list: <a href="mailto:plug@plug.org.au">plug@plug.org.au</a></div>
<div><a href="http://lists.plug.org.au/mailman/listinfo/plug">http://lists.plug.org.au/mailman/listinfo/plug</a></div>
<div>Committee e-mail: <a href="mailto:committee@plug.org.au">committee@plug.org.au</a></div>
<div>PLUG Membership: <a href="http://www.plug.org.au/membership">http://www.plug.org.au/membership</a></div>
</body></html>
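Since Brad's trick hinges on how the recent match counts SYNs over time, here is an added example (my own code, not Brad's or the PLUG list's) that models his three rules in Python and replays them over constructed SYN timings: a scanner sending one or two SYNs, a client retrying with the Linux default exponential backoff (assumed to be 1, 3, 7, 15 s after the first SYN), and a source whose five SYNs fall inside the DROP rule's 120 s window but not inside the ACCEPT rule's 30 s window. The source address and all timings are constructed.

```python
# Added example, not Brad's code: a small model of the three-rule
# "-m recent" chain from the post, replayed over constructed SYN arrival
# times, so the effect on a scanner versus a retrying client can be seen.
# --reap is left out: it only purges idle source entries from the table
# (an assumption about xt_recent) and does not change the counts below.
from collections import defaultdict

ACCEPT_WINDOW = 30   # --seconds on the --update ... -j ACCEPT rule (as posted)
DROP_WINDOW = 120    # --seconds on the ! --rcheck ... -j DROP rule (as posted)
HITCOUNT = 5         # --hitcount on both rules

# Constructed SYN arrival times (seconds). A Linux client with default
# settings retransmits an unanswered SYN after 1, 3, 7, 15, ... s (assumed).
CLIENT_SYNS = [0, 1, 3, 7, 15]
SCANNER_SYNS = [0, 1]              # "one, maybe 2 syn packets", then give up
SPREAD_SYNS = [0, 55, 65, 75, 80]  # five SYNs inside 120 s but not inside 30 s


class RecentTable:
    """Stand-in for the xt_recent list named SSHP: hit times per source."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):                        # -m recent --set
        self.hits[src].append(now)

    def check(self, src, now, seconds, hitcount):   # --rcheck / --update
        # A hit counts if it is no older than --seconds before this packet.
        recent = [t for t in self.hits[src] if now - t <= seconds]
        return len(recent) >= hitcount


def verdict(table, src, now):
    """Walk the three INPUT rules in order; return the first terminating target."""
    table.set(src, now)                                        # rule 1: record
    if table.check(src, now, ACCEPT_WINDOW, HITCOUNT):         # rule 2
        return "ACCEPT"
    if not table.check(src, now, DROP_WINDOW, HITCOUNT):       # rule 3
        return "DROP"
    # 5 hits inside 120 s but fewer than 5 inside 30 s: neither rule
    # matches, so the SYN continues to whatever follows in INPUT.
    return "FALLTHROUGH"


def replay(syn_times, src="198.51.100.7"):
    """Verdict for each SYN of one source, in arrival order (fresh table)."""
    table = RecentTable()
    return [verdict(table, src, t) for t in syn_times]
```

Calling `replay(CLIENT_SYNS)` shows four drops and then an ACCEPT on the fifth SYN at 15 s, which is the ~20 s connect delay Brad describes, while `replay(SCANNER_SYNS)` never gets past DROP.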