IPTABLES

Stateful and powerful firewall.

Enable for SSH Bruteforce Prevention

This is not a foolproof setup, as it does not block based on the result of authentication.
It works purely on the number of connection attempts.

Simple Rules

iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP

Rules With Exceptions

Replace <Exception> with your IP.
You can repeat the ACCEPT rule with different IPs to allow several exceptions.

iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -s <Exception> -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP

Rules to Log Blocked IPs

iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : "
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
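The LOG rules above write one kernel log line per dropped connection, tagged with the `--log-prefix` ("Bad IP : " here, "BAD IP: " in the xt_recent section below). The following parser, added here as an example and not part of the original page, extracts the source and destination port from those lines and counts drops per source, which is the check an operator would run on syslog or `journalctl -k` output to see who is being blocked. The log lines are constructed using documentation address ranges; the field layout (IN= OUT= SRC= DST= ... DPT=) is the standard iptables LOG target format.

```python
"""Added example, not from the original wiki page: parse the kernel LOG lines that the
"Bad IP : " / "BAD IP: " rules on this page produce and count drops per source and
destination port. The log lines below are constructed."""
import re
from collections import Counter

LOG_PREFIXES = ("Bad IP : ", "BAD IP: ")  # the --log-prefix values used on this page
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens after the prefix

CONSTRUCTED_LOG = """\
Aug 10 02:35:01 host kernel: [ 1234.567890] Bad IP : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 02:35:02 host kernel: [ 1235.001122] Bad IP : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 02:35:09 host kernel: [ 1242.000001] BAD IP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 02:35:10 host sshd[1200]: Accepted publickey for alice from 192.0.2.77 port 50000 ssh2
"""


def parse_log_line(line, prefixes=LOG_PREFIXES):
    """Return {'prefix', 'src', 'dst', 'proto', 'dpt'} for a LOG line, else None."""
    for prefix in prefixes:
        pos = line.find(prefix)
        if pos == -1:
            continue
        # Only the part after the prefix carries the KEY=value packet fields
        fields = dict(FIELD_RE.findall(line[pos + len(prefix):]))
        return {
            "prefix": prefix.strip(),
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"),
        }
    return None  # not a line written by one of our LOG rules


def blocked_sources(lines, min_hits=1):
    """Count logged drops per (source, destination port); keep those with >= min_hits."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["src"]:
            hits[(rec["src"], rec["dpt"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (src, dpt), n in sorted(blocked_sources(CONSTRUCTED_LOG.splitlines()).items()):
        print(f"{src:<15} dport {dpt:<5} {n} logged drop(s)")
```

Note that without a `-m limit` in front of the LOG target (the xt_recent section below uses `--limit 5/min`) the rule logs every dropped connection, so the counts here are per logged packet, not per banned source.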

Force SYN packets check

Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Drop incoming fragmented packets. Fragment attacks can result in a Linux server panic and consequent data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Drop incoming malformed XMAS packets (all TCP flags set):

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Drop incoming malformed NULL packets (no TCP flags set):

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

xt_recent

In recent versions ipt_recent has been replaced by xt_recent.
There are a few changes which could break your iptables rules.
To keep SSH bruteforce protection working, use the following rules (iptables-save format).
This also affects Fedora 15 and the latest iptables / kernel.

# chains: SSH logs and bans an offender, BRTBLK counts NEW connections
:SSH - [0:0]
:BRTBLK - [0:0]

# already banned and seen within 8600 s: drop (and refresh the ban)
-A INPUT -p tcp -m multiport --dports 21,22 -m recent --update --seconds 8600 --name SSH_BAN --rsource -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW -j BRTBLK

# rate-limited log, then add the source to SSH_BAN and drop
-A SSH -m limit --limit 5/min -j LOG --log-prefix "BAD IP: " --log-level 4
-A SSH -m recent --set --name SSH_BAN --rsource -j DROP

# record the hit; 16 hits in 600 s or 4 hits in 60 s sends the source to SSH
-A BRTBLK -m recent --set --name BRT --rsource
-A BRTBLK -m recent --update --seconds 600 --hitcount 16 --name BRT --rsource -j SSH
-A BRTBLK -m recent --update --seconds 60 --hitcount 4 --name BRT --rsource -j SSH
-A BRTBLK -j ACCEPT

Now try to log in to the box 4 times quickly to test it.
For more advanced options please visit Th4tsG33ky
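To see why exactly the 4th quick login attempt gets dropped, and how long the ban then lasts, the following Python model of the xt_recent `--set` / `--update` / `--seconds` / `--hitcount` semantics replays the ruleset above against a constructed timeline of connection attempts. It is an added example, not code from the original page, and it also covers the Simple Rules chain earlier on the page (5 hits in 45 s) by changing the window and ban parameters. The kernel keeps the real lists under /proc/net/xt_recent/; every timestamp and source address here is constructed, and the 20-stamp limit per entry is the module default.

```python
"""Added example, not code from the original wiki page: a small model of the
xt_recent --set / --update semantics, used to replay the xt_recent ruleset
(4 hits in 60 s or 16 hits in 600 s -> SSH_BAN for 8600 s) and, with other
parameters, the Simple Rules chain (5 hits in 45 s). All timestamps and
source addresses are constructed."""
from collections import defaultdict

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per source entry


class RecentTable:
    """One named list (e.g. BRT or SSH_BAN) keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # src -> hit timestamps in seconds

    def set(self, src, now):
        """--set: add the source (or another hit for it) with the current time."""
        self._add_stamp(src, now)

    def update(self, src, now, seconds=0, hitcount=0):
        """--update [--seconds S] [--hitcount H]: match if the source is listed and,
        with --seconds, was seen within the last S seconds; with --hitcount it also
        needs at least H hits inside that window. A match refreshes 'last seen',
        so a banned peer that keeps connecting keeps its ban alive."""
        stamps = self.stamps.get(src)
        if not stamps:
            return False
        if hitcount:
            hits = sum(1 for t in stamps if not seconds or now - t < seconds)
            matched = hits >= hitcount
        else:
            matched = not seconds or now - stamps[-1] < seconds
        if matched:
            self._add_stamp(src, now)
        return matched

    def _add_stamp(self, src, now):
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > IP_PKT_LIST_TOT:  # oldest stamp is overwritten, like the kernel ring
            del stamps[0]


def new_connection(tables, src, now, windows=((600, 16), (60, 4)), ban_seconds=8600):
    """Verdict for one NEW connection to port 21/22 under the INPUT/BRTBLK/SSH rules.
    ban_seconds=0 models the Simple Rules chain, which has no SSH_BAN list."""
    brt, ban = tables["BRT"], tables["SSH_BAN"]
    # INPUT: source already in SSH_BAN and seen within ban_seconds -> DROP (ban refreshed)
    if ban_seconds and ban.update(src, now, seconds=ban_seconds):
        return "DROP"
    # INPUT -> BRTBLK: record this hit, then test the rate windows in rule order
    brt.set(src, now)
    for seconds, hitcount in windows:
        if brt.update(src, now, seconds=seconds, hitcount=hitcount):
            if ban_seconds:  # -j SSH: LOG (rate limited), then --set SSH_BAN and DROP
                ban.set(src, now)
            return "DROP"
    return "ACCEPT"  # -A BRTBLK -j ACCEPT


def simulate(attempts, **chain_params):
    """Replay (time_in_seconds, source) attempts and return the verdict for each."""
    tables = {"BRT": RecentTable(), "SSH_BAN": RecentTable()}
    return [new_connection(tables, src, t, **chain_params) for t, src in attempts]


# Constructed timeline: the "log in 4 times quickly" test from the page, plus a
# bystander, a retry while banned (which refreshes the ban) and a retry after expiry.
CONSTRUCTED_TIMELINE = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),  # three attempts: ACCEPT
    (3, "203.0.113.5"),           # 4th within 60 s -> SSH chain -> DROP, now in SSH_BAN
    (5, "198.51.100.7"),          # unrelated host, separate entry -> ACCEPT
    (100, "203.0.113.5"),         # 97 s after the ban -> DROP, last-seen refreshed to 100
    (100 + 8601, "203.0.113.5"),  # 8601 s of silence -> ban expired -> ACCEPT
]

if __name__ == "__main__":
    for (t, src), verdict in zip(CONSTRUCTED_TIMELINE, simulate(CONSTRUCTED_TIMELINE)):
        print(f"t={t:>5}s {src:<14} {verdict}")
```

Two things the replay makes visible that the rules alone do not: the SSH_BAN `--update` refreshes the entry on every dropped attempt, so the 8600 s ban is counted from the last attempt, not the first; and a slow attacker spaced 30 s apart never trips the 4-in-60 s window, which is what the 16-in-600 s rule is there to catch.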

iptables.txt · Last modified: 2020/08/10 02:35 (external edit)