| Monday May 30th 2016

HOWTO: Use iptables to Block Brute Force Attacks

I left a Linux machine online with SSH open for a day. It dropped incoming login attempts after the username was entered. These are the usernames the “hacker(s)” tried:
How can we prevent this? We can use the iptables recent module to write some iptables rules that can block brute force attacks. In order to use this method you need a kernel and iptables installation that includes ipt_recent. If your linux distribution doesn’t include the ipt_recent module or you are using a custom compiled kernel you might need to first include the iptables recent patch that can be found on the author’s website or in the iptables patch-o-matic area. If you are using Debian/Ubuntu you don’t need to do anything special as this is already included in your system.

Let’s see how the iptables recent module can be used to block brute force attacks against SSH, starting with a simple example:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

This will basically allow only 3 NEW connections (as matched by the state NEW) per source address in a time frame of 300 seconds (5 minutes). Any further NEW connection from that source inside the window is automatically dropped.

The main disadvantage of this method is that it makes no distinction between successful and failed logins. If you are not careful and open too many connections yourself, you might find yourself locked out. One workaround is to whitelist our own administrative IPs (although if we could do this for all the locations that need to connect to the system, plain firewall rules would protect us and we would not need this added complexity). So, at least for the hosts where we can (static IPs), we should do this, adding one ACCEPT line per $WHITE_LIST_IP:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -s $WHITE_LIST_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

Even if we lock ourselves out, our existing connections will remain up since we are matching only on NEW connections. If needed we can take appropriate actions.
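To make the counting concrete, here is an added example (Python, not part of the original post) that replays the SSHSCAN chain from the rule sets above, whitelist included, against a constructed series of NEW connections; the addresses, the timings and the ring-size constant are assumptions.

```python
# Added example (not from the original post): models the per-source verdict the
# SSHSCAN chain gives each NEW connection, using xt_recent --set/--update semantics.
from collections import defaultdict

SECONDS = 300      # --seconds 300
HITCOUNT = 3       # --hitcount 3
MAX_STAMPS = 20    # ip_pkt_list_tot default: timestamps kept per address
WHITELIST = {"203.0.113.10"}   # constructed stand-in for $WHITE_LIST_IP

class RecentList:
    """One --name list: recent hit timestamps, kept per source address."""
    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(list)

    def _touch(self, src, now):
        # Store a new timestamp; the oldest falls off once the ring is full.
        self.stamps[src] = (self.stamps[src] + [now])[-MAX_STAMPS:]

    def set(self, src, now):
        # --set: always records this packet (creating the entry if new).
        self._touch(src, now)

    def update(self, src, now):
        # --update: match if at least `hitcount` stamps lie inside the last
        # `seconds`; a match also stores a fresh stamp, as the kernel does.
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._touch(src, now)
            return True
        return False

def sshscan(src, now, recent):
    """Verdict for one NEW connection to port 22, applying the rules in order."""
    if src in WHITELIST:           # -s $WHITE_LIST_IP -j ACCEPT comes first
        return "ACCEPT"
    recent.set(src, now)           # -A SSHSCAN -m recent --set --name SSH
    if recent.update(src, now):    # -A SSHSCAN -m recent --update ... -j DROP
        return "DROP"
    return "ACCEPT"                # no match: back to INPUT, connection allowed

def run(events):
    """events: time-ordered (seconds, source) pairs; returns one verdict each."""
    recent = RecentList()
    return [sshscan(src, t, recent) for t, src in events]

# Constructed scenario: one address hammering port 22, one whitelisted admin.
ATTACKER, ADMIN = "198.51.100.7", "203.0.113.10"
SAMPLE_EVENTS = [(0, ATTACKER), (5, ADMIN), (6, ADMIN), (7, ADMIN), (8, ADMIN),
                 (10, ATTACKER), (20, ATTACKER), (30, ATTACKER), (329, ATTACKER), (650, ATTACKER)]
```

Because --set has already recorded the current attempt before --update counts, the third attempt inside the window is the first one dropped (use --hitcount 4 if three attempts should get through), and every dropped attempt refreshes the window, so a source is only unblocked after 300 seconds of silence.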

In case we want to have the blocked hosts logged, then we will have to add another iptables rule:

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -s $WHITE_LIST_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-level info --log-prefix "SSH SCAN blocked: "
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

You can peek at the internal database kept by the module by looking inside /proc/net/ipt_recent/* (on newer kernels the module is called xt_recent and the directory is /proc/net/xt_recent/). DEFAULT holds the list used when no --name is given; our rules name the list SSH, so that is the file to read:

cat /proc/net/ipt_recent/SSH

This solution is very effective and easy to implement: you just add the needed iptables rules to your existing firewall setup and you are set. Still, it has limitations compared with other methods: the time frame is fixed, it does not distinguish failed from successful logins, and so on.
