Saturday, August 2, 2008

iptables rules to secure against brute force attacks

Make sure you read my previous post "How to further secure your server for SSH" and apply those tips first, then apply these rules.

The following 2 iptables commands limit the number of new SSH connections to your server to 4 per minute from the same IP address, as compared to the default unlimited setting. You can change the numbers to any limits that you wish.

The reason you would want to do this is to protect against scripts written to gain access to your system via brute force attacks.
Look at your /var/log/secure log file to see just how often a dictionary of user names and passwords has been tried against your server.
By installing the following 2 iptables rules you secure yourself against this type of brute force login attack.

Change eth0 to whatever Ethernet interface connects your server to the outside world.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You must then save your rules:

/etc/init.d/iptables save

The --state switch takes a comma separated list of connection states as its argument; using "--state NEW" makes sure that only new connections are examined by these rules.

The --set parameter in the first rule ensures that the IP address of the host which initiated the connection is added to the "recent" list, where it is then checked if that address connects again, in our second rule.

The --update switch in the second rule checks whether the IP address is in the list of recent connections to port 22; the address will be in the list because we used the --set switch to add it in the first rule.

Once it has confirmed that the IP address of the host has indeed connected before, the --seconds switch ensures that the IP address is only flagged if the last connection was within the time frame specified. The --hitcount switch checks whether the count of connection attempts is greater than or equal to the number given.

This rule will drop a new connection if the IP address which initiated it has previously been added to the list, the IP address has sent a packet in the past 60 seconds, and the IP address has sent more than 4 packets in total.
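To make the counting concrete, here is a small model of how the two rules above interact, written as an added example for this post (it is not the kernel's xt_recent code and not part of the original post). The source addresses, timings and the PASS/DROP labels are constructed; the model keeps every timestamp, whereas the real module keeps only a bounded number per address. It also shows one detail worth knowing: because both commands use "iptables -I", the DROP rule ends up above the --set rule in the chain, which is why the 4th attempt still gets through and the 5th is dropped, and because --update records a fresh timestamp every time it matches, a host that keeps hammering stays blocked until it goes quiet for a full minute.

```python
from collections import defaultdict

SECONDS = 60   # --seconds 60
HITCOUNT = 4   # --hitcount 4


class RecentList:
    """Per-source-address list of packet timestamps, modelling the 'recent' table.

    Simplification: every timestamp is kept; the kernel module keeps a bounded list.
    """

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: record this packet's timestamp (creating the entry if it is new).
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds=SECONDS, hitcount=HITCOUNT):
        # --update --seconds N --hitcount M: match only if the address is already
        # listed and at least M of its timestamps fall within the last N seconds.
        # On a match the current packet's timestamp is recorded too, which is
        # what keeps a persistent attacker blocked.
        if ip not in self.stamps:
            return False
        in_window = [t for t in self.stamps[ip] if now - t <= seconds]
        if len(in_window) >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def new_ssh_connection(table, ip, now, drop_rule_first=True):
    """Evaluate one new TCP connection to port 22 against the two rules.

    drop_rule_first=True mirrors the post's two 'iptables -I' commands: the second
    insert lands on top, so the --update/DROP rule is checked before the --set rule.
    The --set rule has no target, so a packet it records simply continues down
    the chain (labelled PASS here).
    """
    if drop_rule_first:
        if table.update(ip, now):
            return "DROP"
        table.set(ip, now)
        return "PASS"
    table.set(ip, now)
    if table.update(ip, now):
        return "DROP"
    return "PASS"


def simulate(attempts, drop_rule_first=True):
    """attempts: list of (seconds_since_start, source_ip), in arrival order.
    Returns the verdict for each attempt."""
    table = RecentList()
    return [new_ssh_connection(table, ip, t, drop_rule_first) for t, ip in attempts]


# Constructed scenario: one host retrying every 5 seconds, an unrelated host
# connecting once in between, then the first host returning at t=70 and t=100.
ATTACKER = "203.0.113.5"   # constructed, RFC 5737 documentation address
ADMIN = "198.51.100.7"     # constructed, RFC 5737 documentation address
ATTEMPTS = [
    (0, ATTACKER), (5, ATTACKER), (10, ATTACKER), (12, ADMIN),
    (15, ATTACKER), (20, ATTACKER), (25, ATTACKER),
    (70, ATTACKER),   # still 4 stamps inside the last 60 s -> still dropped
    (100, ATTACKER),  # only the t=70 stamp is inside the window -> allowed again
]

if __name__ == "__main__":
    for (t, ip), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:3d}s {ip:14s} {verdict}")
```

Running it prints PASS for the attacker's first four attempts and for the admin, DROP for the 5th, 6th and the t=70 attempt, and PASS again at t=100. Calling simulate(ATTEMPTS, drop_rule_first=False) shows the alternative ordering (--set rule above the DROP rule, as you would get with -A), where the 4th attempt within the minute is already dropped.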


