In association with heise online

Recent

'Recent', an iptables module, is able to count TCP connection attempts to services at the packet level in real time and to block further attacks from a given IP address once a set threshold has been exceeded. This module is part of the Linux kernel and is loaded at runtime.

Recent is, however, unable to distinguish between successful and failed logins. Since real users do not repeatedly log in and then log straight back out, a window of three attempts to establish an SSH connection within 60 seconds is a reasonable threshold, above which a brute force attack can be assumed. Individual settings will depend on the risk posed by targeted attacks on the server in question. With just two attempts per minute, an attacker can still try out 2880 passwords per day. A daily limit of, say, 30 can be useful in this kind of situation.

In our tests, setting the option MaxAuthTries 3 in /etc/ssh/sshd_config and defining the following iptables rules (suitable for a system with no existing iptables rules) worked well:

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

The first rule uses the option --set to write and time stamp the IP address of a new connection on port 22 to the proc file /proc/net/ipt_recent/DEFAULT. The second rule uses --update to add a further time stamp and checks whether there are two time stamps within the previous 60 seconds. If this is the case, the connection is dropped. Access to the SSH server is then blocked for one minute, after which three further login attempts are permitted. In contrast to the wrapper method, these rules block SSH access only, leaving all other services accessible to attackers.

Packets registered by the 'recent' module can be viewed (with timestamps) in the /proc file system.

The combination of NEW and ESTABLISHED reduces the risk of spoofing attacks, in which some 'funster' fills the recent list with fake IP addresses, which may include legitimate addresses which are then blocked by the firewall. cat /proc/net/ipt_recent/DEFAULT can be used to see what addresses the firewall has seen and how often. The entire list can be deleted using echo clear > /proc/net/ipt_recent/DEFAULT. Individual addresses can be removed using echo -<ip-address> > /proc/net/ipt_recent/DEFAULT. These functions can be combined with log analysis.
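The two rules and the /proc checks described above, wrapped in a small script as an added example (not from the article). It assumes an iptables that supports the -C (rule check) option and allows for newer kernels, which expose the table under /proc/net/xt_recent rather than /proc/net/ipt_recent.

```shell
#!/bin/sh
# Added example, not from the article: load the two 'recent' rules
# idempotently and inspect the recent table. Assumes iptables with -C
# (rule check); newer kernels expose the table under /proc/net/xt_recent.
IPT="${IPT:-iptables}"; IFACE="${IFACE:-eth0}"; PORT="${PORT:-22}"
WINDOW="${WINDOW:-60}"   # seconds looked back by --update
HITS="${HITS:-2}"        # time stamps within WINDOW that trigger the reject
DRY_RUN="${DRY_RUN:-0}"  # 1: print the rules instead of loading them

# Rule 1: record and time-stamp every new connection to the SSH port.
rule_set() {
    printf 'INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set' \
        "$PORT" "$IFACE"
}

# Rule 2: add a further time stamp and reset the connection once HITS
# stamps fall inside WINDOW seconds.
rule_update() {
    printf 'INPUT -p tcp --dport %s -i %s -m state --state ESTABLISHED -m recent --update --seconds %s --hitcount %s -j REJECT --reject-with tcp-reset' \
        "$PORT" "$IFACE" "$WINDOW" "$HITS"
}

# Append a rule only if an identical one is not already in the chain, so
# the script can be re-run inside an existing rule set without duplicates.
ensure_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would append: $1"
    elif "$IPT" -C $1 2>/dev/null; then   # word splitting intended
        echo "present: $1"
    else
        "$IPT" -A $1                        # word splitting intended
    fi
}

install_rules() { ensure_rule "$(rule_set)"; ensure_rule "$(rule_update)"; }

# Print the addresses the module has seen, with their time stamps.
show_recent() {
    for f in /proc/net/xt_recent/DEFAULT /proc/net/ipt_recent/DEFAULT; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "recent table not found: is the module loaded?" >&2; return 1
}

case "${1:-}" in
    install) install_rules ;;
    show)    show_recent ;;
esac
```

Run `DRY_RUN=1 sh script.sh install` first to see exactly which rules would be appended; WINDOW and HITS can be raised or lowered to match the threshold chosen for the server.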

Summary

Although running DenyHosts on a system over a period of several months did not reduce the number of attempted intrusions, it did reduce their duration to less than a minute. The attackers presumably then moved on to the next system. There were no stability problems and DenyHosts offers excellent quick protection. Blocker implementation with the iptables module Recent is, however, more deterministic and more reliable, although it can sometimes be tricky to integrate into existing firewall rule sets.

Attackers are increasingly getting round the limit for logins from individual IP addresses by using botnets to carry out brute force attacks. In this case, each bot gets to try out the maximum permitted number of failed logins before being blocked by the system. Individual bots are able to try out passwords for one or more accounts either in parallel or sequentially. A botnet consisting of 10,000 PCs would, for example, be able to try out 30,000 passwords on a system which allowed three login attempts. The importance of selecting a password which is difficult to guess therefore remains.

The MaxStartups sshd parameter allows limiting the number of parallel connections, which at least prevents large numbers of simultaneous login attempts. This offers no help where bots try their luck sequentially, but doing so does require a much larger investment of time on the part of the attacker.

Alternatively, users can move their SSH servers out of the line of fire by switching them from the standard TCP port 22 to an unusual port such as 54321. The switch to authentication by public key eliminates the risk posed by brute force attacks entirely and this is by far the most secure method of authentication. It is also, of course, the least flexible, as it requires a user always to have their key with them. One-time passwords may offer a middle way. The article One-time passwords for home users describes how to set up a server to use one-time passwords.

(dab)

Permalink: http://h-online.com/-746235