<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Add two factor auth (e.g., google authenticator) for more
security.</p>
<p>The port rate rules have been around for a while and there are
scans that use a low rate of scanning (e.g., thousands of hosts to
scan, but send only one attempt an hour over months to each one -
the only systems that seem to pick that up are ones using large
scale correlation across a lot of sensors e.g., Cisco etc.)</p>
<p>fail2ban is a lot more tunable and flexible than simple iptables
rules.</p>
<p><br>
</p>
<p>Bill K.</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 08/11/18 06:36, Warren Argus wrote:<br>
</div>
<blockquote type="cite"
cite="mid:071235087bd37da60318dd2b81d260d03a8574d4.camel@warbel.net">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div>Hi Brad,</div>
<div><br>
</div>
<div>I found that prohibiting password authentication (ssh keys
only) and using fail2ban jails on ssh was pretty effective.
Fail2ban would also blacklist the offending IP address for a
period of time (I forget how long) which would stop further
attempts.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div><br>
</div>
<div>Warren</div>
<div><br>
</div>
<div>-----Original Message-----</div>
<div>From: Brad Campbell <<a href="mailto:brad@fnarfbargle.com"
moz-do-not-send="true">brad@fnarfbargle.com</a>></div>
<div>To: <a href="mailto:plug@plug.org.au" moz-do-not-send="true">plug@plug.org.au</a>
<<a href="mailto:plug@plug.org.au" moz-do-not-send="true">plug@plug.org.au</a>></div>
<div>Subject: [plug] Port knocking (ish)</div>
<div>Date: Wed, 7 Nov 2018 21:58:46 +0800</div>
<div><br>
</div>
<div>G'day all,</div>
<div><br>
</div>
<div>So I've been experimenting on and off with ways of reducing the huge volumes of various intrusion/scan attempts on a few services (like ssh, imap/imaps and some specific http based stuff) for quite a while now.</div>
<div><br>
</div>
<div>My folks use an openwrt router as their gateway and dropbear isn't that smart about what you can set it up to do. One of the things it is particularly bad at is allowing multiple attempts at different usernames in the one connection. As it sends the syslog to me in real time I was getting spammed with attempts, so I implemented a simple rule with the iptables recent match to require 5 attempts in 120 seconds before it'd let the packet through the firewall.</div>
<div><br>
</div>
<div>This is kinda interesting because due to it dropping the packets rather than rejecting them, the tcp exponential backoff applies and if you wait long enough you'll get 5 syn packets in less than 120 seconds and you are in.</div>
<div><br>
</div>
<div>*however*, scanners don't do this. At most I've recorded 3 packets before they've given up, so this little 5 in 120 rule has dropped the ssh attempts to zero. Nice.</div>
<div><br>
</div>
<div>Tonight I set about applying that to my server at home. I have 3 exposed services that really cop a hammering, and applying this rule to those 3 has just killed it _dead_. I'm monitoring the recent matches in real time and it has become very apparent that all these bots work the same way. One, maybe 2 syn packets. No response. Give up.</div>
<div><br>
</div>
<div>Best of all, precisely *because* tcp will retry with backoff, it hasn't in any way impacted my ability to access this stuff from outside short of adding ~20 seconds of delay to the initial connect (which as I use them infrequently I'm more than willing to trade).</div>
<div><br>
</div>
<div>Just in case it's interesting, here's the firewall snippet for ssh:</div>
<pre wrap="">#------------------ Port knock SSH --------------------------#
# Require 5 attempts at SSH in 120 seconds to unlock the connection
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
  -m recent --set --name SSHP
# If we've met the criteria then Accept
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
  -m recent --update --name SSHP --reap --seconds 30 --hitcount 5 -j ACCEPT
# If we haven't met the criteria then Reject
$IPTABLES -A INPUT -i $DMZ -p tcp --dport ssh -m conntrack --ctstate NEW \
  -m recent ! --rcheck --name SSHP --seconds 120 --hitcount 5 -j DROP</pre>
<div><br>
</div>
<div>_______________________________________________</div>
<div>PLUG discussion list: <a href="mailto:plug@plug.org.au"
moz-do-not-send="true">plug@plug.org.au</a></div>
<div><a href="http://lists.plug.org.au/mailman/listinfo/plug"
moz-do-not-send="true">http://lists.plug.org.au/mailman/listinfo/plug</a></div>
<div>Committee e-mail: <a href="mailto:committee@plug.org.au"
moz-do-not-send="true">committee@plug.org.au</a></div>
<div>PLUG Membership: <a href="http://www.plug.org.au/membership"
moz-do-not-send="true">http://www.plug.org.au/membership</a></div>
<div><br>
</div>
<div><br>
</div>
</blockquote>
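<p>As an added illustration (not code from Brad's post or from anyone in the thread), the Python below models the three-rule chain quoted above with a simplified stand-in for the xt_recent table: one timestamp per NEW SYN from the --set rule, hit counting inside each rule's own --seconds window, and no --reap or per-entry stamp limit. The SYN schedules and the 192.0.2.10 address are constructed; the legitimate client's schedule assumes the Linux default of a 1 s initial SYN timeout that doubles on each retransmit.</p>

```python
# Added model of the three-rule 'recent' chain above (assumptions: see lead-in).

# Constructed SYN schedules, in seconds since the first SYN.
LEGIT_CLIENT = [0, 1, 3, 7, 15]     # Linux SYN retransmits: 1, 2, 4, 8 s backoff
SCANNER = [0, 1, 3]                 # Brad saw at most 3 SYNs before bots gave up
MANUAL_RETRY = [0, 20, 40, 60, 80]  # a user re-running ssh by hand every 20 s

class RecentList:
    """In-memory stand-in for one xt_recent table (--name SSHP)."""
    def __init__(self):
        self.stamps = {}  # source address -> list of hit timestamps

    def set(self, src, now):
        """--set: record one hit for src (the entry is created on first use)."""
        self.stamps.setdefault(src, []).append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds N --hitcount H: True if src has >= H hits in the last N s."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        return len(recent) >= hitcount

def ssh_chain(table, src, now, accept_window=30, drop_window=120, hitcount=5):
    """Walk the three rules as posted and return the verdict for one NEW SYN."""
    table.set(src, now)                                    # rule 1: --set
    if table.rcheck(src, now, accept_window, hitcount):    # rule 2: --update ... -j ACCEPT
        table.set(src, now)  # --update also stamps the entry when it matches
        return "ACCEPT"
    if not table.rcheck(src, now, drop_window, hitcount):  # rule 3: ! --rcheck ... -j DROP
        return "DROP"
    return "CONTINUE"  # matched neither rule: falls through to the rest of INPUT

def verdicts(schedule, src="192.0.2.10", **rule_args):
    """Verdict for each SYN in a schedule, from a fresh table (src is constructed)."""
    table = RecentList()
    return [ssh_chain(table, src, t, **rule_args) for t in schedule]

if __name__ == "__main__":
    for name, sched in (("legit", LEGIT_CLIENT), ("scanner", SCANNER), ("manual", MANUAL_RETRY)):
        print(f"{name:8s} {verdicts(sched)}")
```

<p>Because the ACCEPT rule checks a 30 s window while the DROP rule checks 120 s, a source with five SYNs inside 120 s but not inside 30 s matches neither rule and falls through to whatever follows in INPUT (the CONTINUE verdict); using the same window in both rules closes that gap.</p>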
<br>
</body>
</html>