Anyone who administers boxes which are always-online is familiar with the experience of finding their logs clogged with script-kiddie attempts to brute-force passwords. Despite being pretty unsophisticated, and unlikely to prove a serious security problem (provided you’re enforcing a reasonable password policy), they’re still a nuisance. This article discusses a very good way of limiting connections via iptables, using the ‘recent’ module, so that clients who try to connect too many times in a short space of time are denied access.
I’ve been using this for somewhere between 6 and 12 months, and have been very happy with it. However, after a recent upgrade, ssh started to act up on certain machines - all connections, even from machines on the local subnet, were refused. Experimentation revealed that this was due to the iptables ‘recent’ rules.
There’s a discussion of exactly what happens here, and it’s also been reported as a Debian bug (however, I can confirm that it also affects at least RHEL4 on its current kernel). Looking at the files in /proc/net/ipt_recent (which is where the module keeps track of the relevant data), this is exactly what I was experiencing.
It’s been fixed in 2.6.12 and upwards; unfortunately, the current Debian stable kernel is 2.6.8 (the current RHEL4 is 2.6.9). Solutions: either remove the ‘recent’ rule for the moment and live with the script-kiddies (as mentioned above, you should be enforcing decent password policies…); or use apt-get pinning (on Debian) to upgrade your kernel; or be prepared to reboot every 25 days…


Thanks, good article.
Another option is to use DenyHosts, so you don't have to mess with iptables rules at all. It's easy and effective and very configurable. A nice howto here:
http://www.enterprisenetworkingplanet.com/netos/article.php/3553111
Ditto on DenyHosts; I'm using it on RubyForge and it's made my logwatch emails much shorter. Notes on my setup are here, too.
As a novice sysadmin I wrote a gawk script to track failed logins in securelog and firewall them after five failed login attempts using the conntrack module. My solution is at http://www.60hertz.com/tech.html#gawkingsecurelog - it works okay on an RHEL4-like box. logrotate is tripping things up once a week so it can do with some tweaks (such as running it as a daemon somehow).
Thanks Carla - I've implemented this now instead.
Only problem I encountered was that the purging of denied hosts doesn't seem to work well when running it as a daemon - at least not if you are (as I am) wanting to purge every 5 or 10 minutes. I've got around this with a cronjob, so all is functioning now.
ipt_recent users might be interested in my alternative to denyhost which doesn't involve log tailing: pam_recent is a tiny pam module that removes/adds the client ip from/to any ipt_recent list on successful login (as a session management function).
Bennies: no extra daemons or logfiles, only needs recent and pam, tiny at 150 lines of C. Downsides: needs recent, thus iptables, thus some idea of what you're doing.
More info here.
Why reboot every 25 days!? This is linux ;-)
I just added `/etc/rc.d/init.d/iptables restart` into /etc/cron.weekly to flush the tables :-)
You might want to consider the iptables "limit" module which also comes with RHEL4 (and probably with Debian too):
-A NEWSSH -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A NEWSSH -j DROP
where NEWSSH is a chain created to deal with NEW state connections for SSH (or other restricted ports).
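As an added example (not the article's own configuration nor any commenter's), the two approaches discussed on this page written out as a POSIX shell script: the per-source 'recent' throttle the article describes, and the 'limit' variant from the comment above. The chain and list names SSH_RECENT, NEWSSH and sshguard, and the /proc file layout, are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own rules: builds the iptables rules that
# use the 'recent' match to drop a source that opens more than $hitcount new
# SSH connections within $seconds seconds, plus the 'limit' variant from the
# comments. Chain/list names (SSH_RECENT, NEWSSH, sshguard) are assumptions.
# The 'recent' rules need a kernel with the ipt_recent fix (2.6.12+).

ssh_recent_rules() {
    seconds=${1:-60} hitcount=${2:-4} port=${3:-22}
    # --update is tried first: it refreshes the source's timestamp and fires
    # when $hitcount packets were seen within $seconds, so a client that keeps
    # hammering stays blocked. A source not yet listed falls through to --set.
    cat <<EOF
iptables -N SSH_RECENT
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_RECENT
iptables -A SSH_RECENT -m recent --name sshguard --update --seconds $seconds --hitcount $hitcount -j DROP
iptables -A SSH_RECENT -m recent --name sshguard --set -j ACCEPT
EOF
}

ssh_limit_rules() {
    rate=${1:-3/min} burst=${2:-3} port=${3:-22}
    # Caveat: 'limit' is a single token bucket shared by all sources, so one
    # noisy client can exhaust it for everyone; 'recent' keeps per-address state.
    cat <<EOF
iptables -N NEWSSH
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j NEWSSH
iptables -A NEWSSH -m limit --limit $rate --limit-burst $burst -j ACCEPT
iptables -A NEWSSH -j DROP
EOF
}

# Number of sources the kernel currently tracks in a recent list, read from
# /proc/net/ipt_recent/<name> (assumed: one line per entry starting "src=").
recent_list_size() {
    f=/proc/net/ipt_recent/${1:-sshguard}
    if [ -r "$f" ]; then grep -c '^src=' "$f" || true; else echo 0; fi
}

# Print the rules by default; APPLY=yes pipes them through sh -e (run as root).
if [ "${APPLY:-no}" = yes ]; then
    ssh_recent_rules 60 4 | sh -e
else
    ssh_recent_rules 60 4
fi
```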