(This method has not been verified yet; I will update when possible!)
Well, after the ‘directadmin’ logs kept spamming me (in a respectful way) about brute force attempts against “admin” and “root” type logins, I did some research, and this is what I was able to come up with.
Method: Using iptables;
Easy setup - just 2 rules
Because iptables comes standard with every Linux distribution, we’ll skip right to setting up the specific firewall rules we need. In-depth configuration of iptables takes a bit of understanding and is not within the scope of this article, but let’s take a look at these two statements:
[ http://pastebin.com/raw.php?i=TCT3yYPT ]
The -i eth0 names the network interface on which SSH connections arrive. Typically this is eth0, but you may need to change it.
That’s it! Together they will rate-limit incoming SSH connections to 8 in a one-minute window. Normal users will have no trouble logging in, but the brute force attacks will be dropped, limiting the number of account combinations that can be tried from unlimited to 8 per minute. That’s awesome!
Failsafe!
While you’re still testing, you might want to add the following line to your crontab:
*/10 * * * * /sbin/iptables -F
This will flush all the rules every 10 minutes, just in case you lock yourself out. When you’re happy with the results of your work, remove the line from your crontab, and you’re in business.
Advanced Setup - want more?
Restore on boot
You will find that on your next reboot, the rules are lost. Damn! You probably want these 2 brute force protection rules restored automatically, right? The most elegant way would probably be to restore the iptables rules when your network interface comes back online. Here is how I would do this on Ubuntu. Let’s put the following content in a file: /etc/network/if-up.d/bfa_protection
[ http://pastebin.com/raw.php?i=0Sc9JFwG ]
Save the file and make it executable:
chmod u+x /etc/network/if-up.d/bfa_protection
Now every time your interface comes up, the rules are added to iptables. Sweet.
But to do this really cleanly, we also need a script that removes the rules when the interface goes down, so the rules are never added twice. So let’s also create a file: /etc/network/if-down.d/bfa_protection
[ http://pastebin.com/raw.php?i=51dK5Bru ]
-D removes a rule whereas -A adds one. Anyway, let’s save this file and make it executable:
chmod u+x /etc/network/if-down.d/bfa_protection
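As an added example (not the pastebin scripts from this post), here is one way to write the two rate-limiting rules and the if-up.d/if-down.d hooks as a single script: it assumes the usual iptables "recent" module recipe with 8 new SSH connections per 60 seconds on eth0, and that ifupdown exports IFACE and MODE (start/stop) to the hook, which it does on Ubuntu.

```shell
#!/bin/sh
# Added example: the two "recent"-module rules the post describes (assumed
# values: eth0, port 22, 8 new connections per 60 s), built so that the same
# file can be installed as both the if-up.d (-A) and if-down.d (-D) hook.
# Because -D only deletes a rule that matches the -A specification exactly,
# generating both from one function guarantees they stay in sync.
SSH_IFACE="${SSH_IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW=60   # length of the window in seconds
HITS=8      # new connections from one source allowed inside the window

# run CMD...  executes the command, or only prints it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# bfa_rules A|D  -> -A appends the two rules, -D deletes exactly the same two
bfa_rules() {
  case "$1" in A|D) ;; *) echo "usage: bfa_rules A|D" >&2; return 1;; esac
  # 1) every new connection to the SSH port records the source in list "SSH"
  run iptables "-$1" INPUT -i "$SSH_IFACE" -p tcp --dport "$SSH_PORT" \
      -m conntrack --ctstate NEW -m recent --set --name SSH
  # 2) if that source now has HITS entries inside WINDOW seconds, drop it
  run iptables "-$1" INPUT -i "$SSH_IFACE" -p tcp --dport "$SSH_PORT" \
      -m conntrack --ctstate NEW -m recent --update --seconds "$WINDOW" \
      --hitcount "$HITS" --name SSH -j DROP
}

# hook_action -> maps ifupdown's MODE to A or D; prints nothing for other
# interfaces so that e.g. "lo" coming up does not touch the rules
hook_action() {
  [ "${IFACE:-$SSH_IFACE}" = "$SSH_IFACE" ] || return 0
  case "${MODE:-start}" in start) echo A;; stop) echo D;; esac
}

# Only act when invoked as an ifupdown hook (MODE set); sourcing is harmless
if [ -n "$MODE" ]; then
  act=$(hook_action)
  [ -n "$act" ] && bfa_rules "$act"
fi
```

Install the same file at both /etc/network/if-up.d/bfa_protection and /etc/network/if-down.d/bfa_protection (chmod u+x), or run DRY_RUN=1 MODE=start sh bfa_protection to see the exact commands without applying them.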
That’s it! We’re in business!