This shows you the differences between two versions of the page.
iptables [2011/09/22 02:06] k2patel [xt_recent]
iptables [2020/08/10 02:35]
====== IPTABLES ======
Stateful and powerful firewall.\\

==== Enable for SSH Bruteforce Prevention ====
This is not a 100% bulletproof setup, because it does not block based on the result of authentication.\\
It works purely on the number of new connections coming from a source address.\\

=== Simple Rules ===
<code bash>
# Dedicated chain for new SSH connections
iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
# Record the source address in the "SSH" recent list
iptables -A BRTBLK -m recent --set --name SSH
# Drop the source once it has opened 5 or more new connections within 45 seconds
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

=== Rules With Exceptions ===
Replace <Exception> with your IP.\\
You can add several of these ACCEPT rules with different IPs to allow more exceptions.

<code bash>
iptables -N BRTBLK
# Trusted source: accepted before the brute-force chain is consulted
iptables -A INPUT -p tcp --dport 22 -s <Exception> -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

=== Rules to Log Blocked IP ===
LOG is a non-terminating target, so a matching packet is logged by the first rule and then dropped by the second. Without a rate limit (see the -m limit rule in the xt_recent section below) a sustained attack logs every dropped packet.

<code bash>
iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
# Log the offending source, then drop it with the same match
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : "
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

==== Force SYN packets check ====
Make sure that NEW incoming TCP connections start with a SYN packet; anything else claiming to be NEW is dropped:

<code bash>
# A TCP packet that is not a SYN cannot legitimately open a NEW connection
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
</code>

==== Force Fragments packets check ====
Drop incoming fragmented packets. Fragment attacks have caused Linux server panics, with data loss as a result.

<code bash>
# -f matches the second and further fragments of a fragmented packet
iptables -A INPUT -f -j DROP
</code>

==== XMAS packets ====
Drop incoming malformed XMAS packets (every TCP flag set):

<code bash>
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
</code>

==== Drop all NULL packets ====
Drop incoming malformed NULL packets (no TCP flag set):

<code bash>
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
</code>


==== xt_recent ====

In recent kernels ipt_recent has been replaced by xt_recent.\\
There are a few changes that could break your existing iptables rules.\\
To keep the SSH brute-force protection working, use the following rules.\\
This also affects Fedora 15 and the latest iptables / kernel versions.

The rules below are in iptables-save syntax (load them with iptables-restore, inside the *filter section) and cover ports 21 and 22, so FTP is protected alongside SSH. A source is banned for 8600 seconds after 4 new connections within 60 seconds or 16 within 600 seconds; because the ban rule uses --update, every further attempt from a banned address refreshes its ban timer.

<code bash>
# chain definitions (iptables-save syntax)
:SSH - [0:0]
:BRTBLK - [0:0]

# INPUT: sources already in SSH_BAN are dropped, and each attempt refreshes the 8600 s ban
-A INPUT -p tcp -m multiport --dports 21,22 -m recent --update --seconds 8600 --name SSH_BAN --rsource -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW -j BRTBLK

# SSH: log (rate-limited to 5/min) and ban the source
-A SSH -m limit --limit 5/min -j LOG --log-prefix "BAD IP: " --log-level 4
-A SSH -m recent --set --name SSH_BAN --rsource -j DROP

# BRTBLK: record every new connection; ban on 16 within 600 s or 4 within 60 s, otherwise accept
-A BRTBLK -m recent --set --name BRT --rsource
-A BRTBLK -m recent --update --seconds 600 --hitcount 16 --name BRT --rsource -j SSH
-A BRTBLK -m recent --update --seconds 60 --hitcount 4 --name BRT --rsource -j SSH
-A BRTBLK -j ACCEPT
</code>

Now try to log in to the box 4 times quickly to test it.
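To see why the fourth quick login triggers the ban and how --update keeps a banned source banned while it keeps retrying, here is an added example (not from the wiki page) that models the xt_recent --set / --update --seconds --hitcount matching of the ruleset above on a constructed sequence of connection attempts; it assumes the kernel default of 20 stored timestamps per source and uses seconds instead of jiffies.

```python
"""Model of the xt_recent --set / --update matching used by the BRTBLK / SSH ruleset.
Added example, not from the wiki page. Times are in seconds (the kernel keeps jiffies)."""
from collections import deque

IP_PKT_LIST_TOT = 20   # xt_recent default: timestamps kept per source address


class RecentTable:
    """One /proc/net/xt_recent/<name> table: source IP -> recent packet timestamps."""

    def __init__(self):
        self.entries = {}

    def set(self, ip, now):
        """-m recent --set: create the entry if needed and record this packet."""
        self.entries.setdefault(ip, deque(maxlen=IP_PKT_LIST_TOT)).append(now)

    def update(self, ip, now, seconds, hitcount=0):
        """-m recent --update --seconds S [--hitcount H]: match when the source has at
        least H packets (any, if H is 0) within the last S seconds. On a match the current
        packet is recorded too, which is what keeps a ban alive while the source knocks."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits == 0 or hits < hitcount:
            return False
        stamps.append(now)
        return True


def simulate(attempts):
    """Run NEW connections to port 22, given as (time, src_ip), through the
    INPUT -> BRTBLK -> SSH chains of the xt_recent ruleset; returns one verdict each."""
    ban, brt, verdicts = RecentTable(), RecentTable(), []
    for now, ip in attempts:
        # INPUT: -m recent --update --seconds 8600 --name SSH_BAN -j DROP
        if ban.update(ip, now, 8600):
            verdicts.append("DROP")
            continue
        # BRTBLK: --set, then the two --update thresholds, else ACCEPT
        brt.set(ip, now)
        if brt.update(ip, now, 600, 16) or brt.update(ip, now, 60, 4):
            ban.set(ip, now)   # SSH chain: (rate-limited LOG, then) --set SSH_BAN -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    # constructed sample: 4 quick attempts from one address, one from another, then retries
    print(simulate([(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
                    (2, "203.0.113.5"), (3, "198.51.100.7"),
                    (3603, "198.51.100.7"), (12204, "198.51.100.7")]))
```

The retry one hour after the ban is still dropped and silently extends the ban; only a source that stays away for more than 8600 seconds gets through again.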