[BlueOnyx:01028] Re: Brute Force DOS attackes

Stephanie Sullivan ses at aviaweb.com
Wed Apr 8 12:42:03 -05 2009 

I use IPTABLES mpt_recent to handle brute force attacks on ssh, pop, and
imap. ftp is a little more problematic but can be tuned for most legitimate
clients.

 

This works really well and I've not had a dovecot hang in years.  Hope this
is helpful. I suspect it's a lot less overhead than scanning logs all the
time and catches attacks much sooner. Tuning is in order for your
environment for thresholds. Especially if adapted for pop3 or imap from
clients that have lots of users behind a firewall (single IP).

 

One of the nice features is how long the IP remains blocked - or rather how
short. It automatically unblocks. 

 

It's not without problems - I reload the firewall once a week to clear out
the tables.

 

Hope this is helpful!

 

The snippets for ssh from my firewall script are below. They are not a
monolithic thing. they need to be integrated into the existing IPTABLES.

 

# Uses the module ipt_recent included in Centos on BQ/BX

# http://snowman.net/projects/ipt_recent/

 

# Create a chain for SSH brute force detection

$IPT -N ssh_limit

# Create a chain for SSH blacklisted IP's management

$IPT -N blacklist_ssh

 

############################################################################
###

# ssh_limit Jump from the main TCP input chain

# Be sure to keep a ssh open to an IP where you have access so you don't

# ever get blocked...

#

# This chain is used to allow reasonable inbound connections

$IPT -A tcp_inbound -p TCP -s $YOULANIPS --destination-port 22 -j ACCEPT

$IPT -A tcp_inbound -p TCP  -s 0/0 --destination-port 22 -m state --state
NEW -j ssh_limit

 

 

############################################################################
###

# ssh_limit chain

# This chain is used to allow reasonable inbound connections

# to the system/gateway. It will throtle using the recent filter

echo "Process ssh_limit chain"

 

# if the ip is in the blacklist drop it and make it wait another 60
seconds...

$IPT -A ssh_limit -j LOG  --log-prefix "SSH Connect: "

$IPT -A ssh_limit -m recent --rcheck --name blacklist_ssh --seconds 60
--hitcount 1 -j LOG --log-prefix "SSH Blacklisted:"

$IPT -A ssh_limit -m recent --update --name blacklist_ssh --seconds 60
--hitcount 1 -j DROP

 

# sshd hit lists - update each one

$IPT -A ssh_limit -m recent --set --name ssh_counting1

$IPT -A ssh_limit -m recent --set --name ssh_counting2

$IPT -A ssh_limit -m recent --set --name ssh_counting3

$IPT -A ssh_limit -m recent --set --name ssh_counting4

 

# Our limits are no more than:

#     3 in  30s ssh_counting1

#    10 in   3m ssh_counting2

#    60 in  30m ssh_counting3

#    90 in  60m ssh_counting4

# If a limit is exceeded, blacklist the IP

$IPT -A ssh_limit -m recent --update --name ssh_counting1 --seconds   30
--hitcount   4 -j blacklist_ssh

$IPT -A ssh_limit -m recent --update --name ssh_counting2 --seconds  180
--hitcount  11 -j blacklist_ssh

$IPT -A ssh_limit -m recent --update --name ssh_counting3 --seconds 1800
--hitcount  61 -j blacklist_ssh

$IPT -A ssh_limit -m recent --update --name ssh_counting4 --seconds 3600
--hitcount  91 -j blacklist_ssh

 

# This is where we handle OK SSH connections so accept the connecton if not
rejected so far...

$IPT -A ssh_limit -p TCP --destination-port 22 -j ACCEPT

 

# return now that we have flagged a connection

$IPT -A ssh_limit -p TCP -j RETURN

 

############################################################################
###

# ssh blacklist chain

#

# This chain is used to allow reasonable inbound connections

# to the system/gateway. It will throtle using the recent filter

echo "Process ssh_blacklist chain"

 

#just adds this IP to the blacklist and then drops the connection

$IPT -A blacklist_ssh -m recent --name ssh_blacklist --set

$IPT -A blacklist_ssh -j LOG  --log-prefix "Blacklisted Recent: "

$IPT -A blacklist_ssh -j DROP

 

 

Stephanie Sullivan, President
AVIA web development and hosting
a division of AVIA Consulting, Inc.
GSEC Certified IT Security Consultant
Phone: 508-393-0750
Mobile: 508-954-2842
FAX: 508-975-0118

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of Paul
Sent: Wednesday, April 08, 2009 11:58 AM
To: blueonyx at blueonyx.it
Subject: [BlueOnyx:01023] Brute Force DOS attackes

 

Please can anyone help with advice on stopping brute force attacks and dos
attacks on my home server?

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20090408/4054f5a7/attachment.html>

More information about the Blueonyx mailing list