Old 11-12-2011, 09:19 AM
Roger
 
Default iptables in linux

I'm learning about iptables...
I find the same IP address sometimes 100 times or more, trying the
same user name.
After reading and applying much of the help found on Google I have tried
and failed to achieve a successful result.

for example: /var/log/btmp shows:
user ssh:notty Thu Nov 10 17:10 - 17:10 (00:00) hn.vtc.vn
some 30 times
user ssh:notty Thu Nov 10 17:10 - 00:20 (1+07:10) hn.vtc.vn
3 times with varying duration.
user ssh:notty Thu Nov 10 13:14 - 17:07 (03:53) 58.250.71.43
25 times with varying duration.
and similar page after page.

Is there a way to limit:
-number of log in attempts to 2,
-the duration of a log in attempt to 3 seconds or less
-the number of times a username can be tried, prefer it set at 2 and
then not again for 24 hours if it fails.

Also is there a way to DROP ip addresses after 2 attempts and not allow
that ip address for say 24 hours?

I did not find anything about this in the tutorials.
iptables does not seem difficult to grasp but I am completely stumped on
how to create tighter limits.

in part I have:
DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 90 hit_count: 4 TTL-Match name: SSH1 side: source

I have tried seconds between 5 and 90 but find that even login attempts
lasting 2-5 minutes are not dropped.
With hit_count set between 1 and 4 I still see 30+ attempts using the
same username.

Help gratefully appreciated
thanks
Roger


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 11-12-2011, 09:29 AM
Itamar Reis Peixoto
 
Default iptables in linux

On Sat, Nov 12, 2011 at 8:19 AM, Roger <arelem@bigpond.com> wrote:
> I'm learning about iptables...
> I find the same ip address sometimes 100 times or more and trying the
> same user name.
> After reading and applying much of the help in google I have tried and
> failed to achieve a successful result.
>
> for example: /var/log/btmp shows:
> user ssh:notty Thu Nov 10 17:10 - 17:10 (00:00) hn.vtc.vn
> some 30 times
> user ssh:notty Thu Nov 10 17:10 - 00:20 (1+07:10) hn.vtc.vn
> 3 times with varying duration.
> user ssh:notty Thu Nov 10 13:14 - 17:07 (03:53) 58.250.71.43
> 25 times with varying duration.
> and similar page after page.


change your ssh port

------------

Itamar Reis Peixoto
msn, google talk: itamar@ispbrasil.com.br
+55 11 4063 5033 (FIXO SP)
+55 34 9158 9329 (TIM)
+55 34 8806 3989 (OI)
+55 34 3221 8599 (FIXO MG)
 
Old 11-12-2011, 10:03 AM
"T.C. Hollingsworth"
 
Default iptables in linux

On Sat, Nov 12, 2011 at 3:19 AM, Roger <arelem@bigpond.com> wrote:
> Is there a way to limit:
> -number of log in attempts to 2,
> -the duration of a log in attempt to 3 seconds or less
> -the number of times a username can be tried, prefer it set at 2 and
> then not again for 24 hours if it fails.

"NumberOfPasswordPrompts" in /etc/ssh_config takes care of at least
one of those. See "man ssh_config" for details.

> Also is there a way to DROP ip addresses after 2 attempts and not allow
> that ip address for say 24 hours?

Take a look at fail2ban: http://www.fail2ban.org/

It's in the repos: "yum install fail2ban"

-T.C.
 
Old 11-12-2011, 11:38 AM
Craig White
 
Default iptables in linux

On Sat, 2011-11-12 at 04:03 -0700, T.C. Hollingsworth wrote:
> On Sat, Nov 12, 2011 at 3:19 AM, Roger <arelem@bigpond.com> wrote:
> > Is there a way to limit:
> > -number of log in attempts to 2,
> > -the duration of a log in attempt to 3 seconds or less
> > -the number of times a username can be tried, prefer it set at 2 and
> > then not again for 24 hours if it fails.
>
> "NumberOfPasswordPrompts" in /etc/ssh_config takes care of at least
> one of those. See "man ssh_config" for details.
>
> > Also is there a way to DROP ip addresses after 2 attempts and not allow
> > that ip address for say 24 hours?
>
> Take a look at fail2ban: http://www.fail2ban.org/
>
> It's in the repos: "yum install fail2ban"
----
or denyhosts - perhaps simpler ambitions than fail2ban, but highly
effective at blocking IP addresses with consecutive logon failures.

Craig


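Following T.C.'s and Craig's suggestions, here is a fail2ban jail that implements the numbers Roger asked for: two failures, then a 24-hour ban. This is an added example, not a fragment from either post. The jail name sshd and the keywords bantime, findtime and maxretry are those of current fail2ban (0.10 and later); the 0.8 series of 2011 named the jail ssh-iptables. The range 192.0.2.0/24 is a placeholder for the network you administer from.

```ini
# /etc/fail2ban/jail.local   (added example; settings here override jail.conf)
[DEFAULT]
# never ban yourself: loopback plus the range you administer from (placeholder)
ignoreip = 127.0.0.1/8 192.0.2.0/24
# ban for 24 hours once maxretry failures are seen within findtime seconds
bantime  = 86400
findtime = 600
maxretry = 2

[sshd]
enabled = true
# keep in step with the Port line in sshd_config if you move sshd off 22
port    = ssh
```

`fail2ban-client status sshd` lists the currently banned addresses; the bans are ordinary firewall rules that fail2ban inserts, so they also show up in `iptables -L -n`. Because fail2ban reads sshd's log rather than counting connections, it sees every failed password, including the many attempts a bot makes inside one long-lived connection such as the hour-long btmp entries in Roger's output; a firewall rule that only counts new connections does not.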
 
Old 11-12-2011, 06:37 PM
Heinz Diehl
 
Default iptables in linux

On 12.11.2011, Roger wrote:

> Is there a way to limit:
> -number of log in attempts to 2,
> -the duration of a log in attempt to 3 seconds or less
> -the number of times a username can be tried, prefer it set at 2 and
> then not again for 24 hours if it fails.
[....]

Switch off login with password and root login, and only allow login
with RSA key. After that, you can safely ignore the "white noise" :-)


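Heinz's advice in configuration form, as an added example that is not from his post. This is a server-side /etc/ssh/sshd_config fragment: NumberOfPasswordPrompts from T.C.'s reply is the client-side option in ssh_config, and the server-side settings that cap attempts and their duration are MaxAuthTries and LoginGraceTime. The user name roger in AllowUsers is assumed.

```text
# /etc/ssh/sshd_config   (added example, not from the thread)

# move off 22 if you like; most scanners only probe the default port
Port 22
# log in as an ordinary user and use su/sudo instead
PermitRootLogin no
# key-based login only; switch passwords off only after a key login has worked
PubkeyAuthentication yes
PasswordAuthentication no
# otherwise PAM can still offer a password prompt via keyboard-interactive
ChallengeResponseAuthentication no
# authentication attempts per connection; every key the client offers counts as one
MaxAuthTries 3
# seconds a client gets to finish authenticating before sshd drops it (default 120)
LoginGraceTime 20
# only these accounts may log in at all (assumed user name)
AllowUsers roger
```

Check the file with `sshd -t` before restarting sshd (`systemctl restart sshd` on systemd-based Fedora, `service sshd restart` otherwise), keep your current session open, and confirm a fresh key login from a second terminal before closing it. The scanners keep connecting and still show up in btmp, but with passwords disabled they cannot succeed, which is the "white noise" Heinz refers to.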
 
Old 11-12-2011, 06:45 PM
Reindl Harald
 
Default iptables in linux

Am 12.11.2011 11:19, schrieb Roger:
> Is there a way to limit:
> -number of log in attempts to 2,
> -the duration of a log in attempt to 3 seconds or less
> -the number of times a username can be tried, prefer it set at 2 and
> then not again for 24 hours if it fails.

trivial

iptables -A INPUT -p tcp --sport 1024: -m state --syn --state NEW --dport 22 -m limit --limit 15/minute --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: -s YOUR-IP-RANGE --dport 22 -m state --state NEW --syn -j ACCEPT
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j REJECT

but you should also configure sshd on a non-standard port to get rid of 95% of the noise

 
Old 11-12-2011, 08:58 PM
Mike Williams
 
Default iptables in linux

> On 12.11.2011, Roger wrote:
>
>> Is there a way to limit:
>> -number of log in attempts to 2,
>> -the duration of a log in attempt to 3 seconds or less
>> -the number of times a username can be tried, prefer it set at 2 and
>> then not again for 24 hours if it fails.
> [....]

Here is what I use; it's slightly different from what you asked for,
but it works.

-A local_input_filter -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name SSH --rsource
-A local_input_filter -m recent --update --seconds 40 --hitcount 3 --name SSH --rsource -j DROP

If someone tries to log in 3 times within 40 seconds then any further
attempts will be dropped. After 40 seconds they can try three more
times. I prefer this so that if I manage to trigger the rule myself I only
have to wait a minute before I can log in again.

Usually scripts that try to break in try repeatedly in rapid succession.

I like to keep my iptables rules separated from the rest of the rules,
so I add a separate chain and jump to that chain at the top of the
iptables file.

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111266:23783263]
:local_input_filter - [0:0]
-A INPUT -j local_input_filter

Some of the other things suggested in this thread are also good ideas.
Set the ssh port to something other than 22 (some high number like
32291), not allowing root login, requiring a key to login, etc.

I had a system that was subjected to many attempts to connect via ssh,
and adding those two rules, plus moving the ssh port reduced the
attempts to a trickle.

Cheers,

Mike
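As an added example (my own script, not code from Mike's or Reindl's post), the same xt_recent idea in a dedicated chain, with the two pieces that keep it from locking the owner out: an exempt range in front, like the YOUR-IP-RANGE rule in Reindl's set, and the --update/DROP rule placed before --set, so that exactly HITS new connections are allowed and the next one is dropped. The --set rule is the piece missing from the fragment Roger posted, which showed only an UPDATE rule and so never filled the list. Assumptions: IPv4 iptables with the conntrack and recent matches, sshd on port 22, and 192.0.2.0/24 as a placeholder for the range you administer from.

```shell
#!/bin/sh
# ssh_guard.sh: per-source throttling of new SSH connections with the xt_recent
# module, kept in its own chain. Added example for this thread, not code from
# any poster. Assumptions: IPv4 iptables, sshd on SSH_PORT, TRUSTED_NET is the
# range you administer from (192.0.2.0/24 is a documentation placeholder).
#
#   sh ssh_guard.sh apply             # load the rules (needs root)
#   IPT=echo sh ssh_guard.sh apply    # print the rules instead of loading them

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"
CHAIN="${CHAIN:-ssh_guard}"
HITS="${HITS:-3}"          # new connections allowed inside WINDOW; the next one is dropped
WINDOW="${WINDOW:-600}"    # seconds; Roger's 24 hours would be 86400 (see the note on list sizes)

ssh_guard_rules() {
    # create the chain, or flush it if it already exists, so the script can be re-run
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"

    # 1. the trusted range is never throttled, so a misfiring rule cannot lock you out
    $IPT -A "$CHAIN" -s "$TRUSTED_NET" -j RETURN

    # 2. already seen HITS times within WINDOW seconds: drop. --update refreshes the
    #    timestamp on every match, so a bot that keeps hammering stays blocked
    $IPT -A "$CHAIN" -m recent --name SSH --update --seconds "$WINDOW" \
         --hitcount "$HITS" -j DROP

    # 3. not over the limit yet: record this connection and let it through.
    #    Without a --set rule the list never fills and rule 2 never matches
    $IPT -A "$CHAIN" -m recent --name SSH --set -j RETURN

    # hook the chain into INPUT for new SSH connections only (SYN, conntrack NEW);
    # delete a previous copy first so re-running does not stack duplicate jumps
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" --syn -m conntrack --ctstate NEW \
         -j "$CHAIN" 2>/dev/null
    $IPT -I INPUT -p tcp --dport "$SSH_PORT" --syn -m conntrack --ctstate NEW \
         -j "$CHAIN"
}

if [ "${1:-}" = "apply" ]; then
    ssh_guard_rules
fi
```

Run it with IPT=echo first to see the rules it would load. Once loaded, /proc/net/xt_recent/SSH shows the addresses and timestamps the list holds. Two xt_recent module parameters matter if you stretch WINDOW to 24 hours: ip_pkt_list_tot (default 20) caps the timestamps kept per address, so --hitcount cannot exceed it, and ip_list_tot (default 100) caps the addresses per list, after which the oldest are evicted; both can be raised with an options line for xt_recent in /etc/modprobe.d/. Unlike Reindl's -m limit rule, which is one token bucket shared by every source, xt_recent counts per source address, so a single scanner cannot use up the allowance for everyone else. Because the DROP sits in a chain that only new SSH connections enter, a throttled address can still reach other services; Mike's --update rule carries no port match and therefore drops all traffic from the address while it matches. Finally, note what none of these rules do: they count TCP connections, not password guesses. The btmp entries in Roger's output that lasted over an hour are single connections, and inside one connection only sshd's MaxAuthTries and LoginGraceTime limit how many passwords can be tried.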
 
Old 11-12-2011, 11:52 PM
Roger
 
Default iptables in linux

On Sat, 2011-11-12 at 20:37 +0100, Heinz Diehl wrote:
> On 12.11.2011, Roger wrote:
>
> > Is there a way to limit:
> > -number of log in attempts to 2,
> > -the duration of a log in attempt to 3 seconds or less
> > -the number of times a username can be tried, prefer it set at 2 and
> > then not again for 24 hours if it fails.
> [....]
>
> Switch off login with password and root login, and only allow login
> with RSA key. After that, you can safely ignore the "white noise" :-)
>
>
I read about this and am concerned that if my computer dies and I
replace mb or other components, the RSA key could be different and I
won't be able to log in with the previous RSA.
Not understanding the process made me a bit nervous.
Roger

 
Old 11-13-2011, 12:06 AM
Reindl Harald
 
Default iptables in linux

Am 13.11.2011 01:52, schrieb Roger:
> On Sat, 2011-11-12 at 20:37 +0100, Heinz Diehl wrote:
>> On 12.11.2011, Roger wrote:
>>
>>> Is there a way to limit:
>>> -number of log in attempts to 2,
>>> -the duration of a log in attempt to 3 seconds or less
>>> -the number of times a username can be tried, prefer it set at 2 and
>>> then not again for 24 hours if it fails.
>> [....]
>>
>> Switch off login with password and root login, and only allow login
>> with RSA key. After that, you can safely ignore the "white noise" :-)
>>
>>
> I read about this and am concerned that if my computer dies and I
> replace mb or other components, the RSA key could be different and I
> won't be able to log in with the previous RSA.
> Not understanding the process made me a bit nervous.

your /home/user/.ssh/id_rsa belongs to you and not to the system;
this is the only interesting one for login

the host keys are not relevant and are only for verifying the host to
protect against man-in-the-middle attacks; they will NEVER be
regenerated, nor is it a problem to import them on a new machine

 
Old 11-13-2011, 12:20 AM
"T.C. Hollingsworth"
 
Default iptables in linux

On Sat, Nov 12, 2011 at 5:52 PM, Roger <arelem@bigpond.com> wrote:
> On Sat, 2011-11-12 at 20:37 +0100, Heinz Diehl wrote:
>> On 12.11.2011, Roger wrote:
>>
>> > Is there a way to limit:
>> > -number of log in attempts to 2,
>> > -the duration of a log in attempt to 3 seconds or less
>> > -the number of times a username can be tried, prefer it set at 2 and
>> > then not again for 24 hours if it fails.
>> [....]
>>
>> Switch off login with password and root login, and only allow login
>> with RSA key. After that, you can safely ignore the "white noise" :-)
>>
>>
> I read about this and am concerned that if my computer dies and I
> replace mb or other components, the RSA key could be different and I
> won't be able to log in with the previous RSA.
> Not understanding the process made me a bit nervous.

The "key" is just a file on your hard drive. As long as you back it
up you'll be fine.

There's a good overview of how public key authentication works and how
to get it going here:
http://www.ibm.com/developerworks/library/l-keyc/index.html

-T.C.
 
