From: Kari M. <kar...@tr...> - 2007-03-04 18:46:46
Bruce Smith wrote:
>> I'm not commenting on the problem here, but a possible enhancement for
>> the default firewall script of DL. See below:
>>
>> # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
>> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>> --state NEW -m recent --set
>> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>> --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
>>
>> This one does not create an additional queue like most other solutions
>> for this common problem. I've found these 2 lines at the end of
>> firewall script to be rather effective, yet problemless.
>>
>> No more brute-force-attack-trash in ssh log files. You might want to
>> increase 300 seconds to 1800 for 30 minutes.
>
> I've done similar things in some of my firewall scripts to combat the
> brute-force ssh attacks.
>
> The main problem occurs if you do a lot of scp's. Each scp initiates a
> new ssh connection, and you end up locking yourself out for the time
> period.

Mmm.. So true. I haven't seen it happen, but that is a limitation. Architecture change would limit damages here: only push a semaphore to the remote servers containing a timestamp when they will begin a pull of files from a central sharepoint. It is more complicated, but the world is :-) On sharepoint you obviously don't have those two iptables lines in fw script.

> The best way I've found to harden ssh against the brute-force attacks is
> to have ssh listen on a high/non-standard port number, and do not allow
> password authentication (ssh keys only).

Agree. Nowadays I default to ssh-keys-only setup.

> I've never had a brute force attacker find one of my non-standard ssh
> ports, and even if they did, they could never login because they are
> trying passwords (which I don't allow).
>
> A better solution (IMO) would be a modification to openssh so it shuts
> down an IP for a [configurable] period of time, after a [configurable]
> number of bad authentication attempts. I even suggested that to one of
> the openssh developers I once had a small email thread with.

You are not talking approximately about this: denyhosts.sourceforge.net

I considered it, but I don't like any extra daemons lurking there (watching ssh log for bad login attempts). It can also act as a wrapper, so it will control the openssh daemon. It restarts it if it has to block an IP, or something.

iptables, even with the scp problem you discussed above, is an independent, protocol-neutral, wrapper/daemon-free solution. I like it that way, and I do understand it is a matter of taste.

> - BS
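The two-rule limiter quoted in the thread, with the scp lockout it discusses addressed by accepting trusted source addresses ahead of the recent-match rules. This is an added example, not code from the thread or from the DL firewall script; the interface, port, window, hit count and the 192.0.2.10 management host are assumed/constructed values, and the `--name SSH` list name is an addition so the counters do not share the module's DEFAULT list.

```shell
#!/bin/sh
# Added example (not from the thread or Devil-Linux): prints the rate-limit
# rules as iptables commands so they can be reviewed before being run as root
# (or piped to sh). The trusted-address list is a constructed example.

# ssh_ratelimit_rules IFACE PORT SECONDS HITCOUNT [TRUSTED_SRC ...]
# Trusted sources are accepted before the recent-match rules, so a burst of
# scp sessions from a known management host cannot trigger the lockout.
ssh_ratelimit_rules() {
    iface="$1" port="$2" seconds="$3" hitcount="$4"
    shift 4
    # Window and hit count must be non-empty, purely numeric values.
    case "$seconds:$hitcount" in
        *[!0-9:]*|:*|*:) echo "bad window/hitcount" >&2; return 1 ;;
    esac
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -i %s -s %s -m state --state NEW -j ACCEPT\n' \
            "$port" "$iface" "$src"
    done
    # Record every new connection from the source address ...
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --name SSH --set\n' \
        "$port" "$iface"
    # ... and drop it once the address has HITCOUNT hits within SECONDS.
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --name SSH --update --seconds %s --hitcount %s -j DROP\n' \
        "$port" "$iface" "$seconds" "$hitcount"
}

# ssh_unblock_cmd ADDR: command that removes one address from the SSH list
# after a self-inflicted lockout. The proc path is /proc/net/xt_recent on
# current kernels and /proc/net/ipt_recent on older ones.
ssh_unblock_cmd() {
    echo "echo -$1 > /proc/net/xt_recent/SSH"
}

# Same parameters as the original post (eth0, port 22, 3 hits in 300 s), with
# the constructed address 192.0.2.10 as the host that runs the scp jobs.
ssh_ratelimit_rules eth0 22 300 3 192.0.2.10
ssh_unblock_cmd 192.0.2.10
```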