As my SSH server only accepts public key based authentication, I'm not really worried about brute force password attacks. But these scans tend to clobber my auth.log. So after some discussion with Andrew Pollock, I've written a few custom actions for my shorewall setup. They use the ipt_recent module, which records the source addresses it has seen in a named list and lets later rules match against that list using criteria such as how many packets arrived from an address within a given number of seconds.
The Limit action limits the number of new connections accepted per source IP address within a time window. The limit is currently hardcoded to 6 connections per 60 seconds. If an IP address tries to connect more often than that, the further attempts are DROPped.
The Whitelist action provides a simple port-knocking whitelist. If you know the WHITELIST_PORT, you can lift the limits imposed by the Limit action for your IP address for 60 seconds by connecting to that port.
Here's how you can integrate those two actions:
- Create two empty files, shorewall/action.Limit and shorewall/action.Whitelist.
- Copy Limit and Whitelist to the shorewall directory.
- Add Limit and Whitelist to shorewall/actions.
- Set WHITELIST_PORT in shorewall/params.
- Use Limit in shorewall/rules, for instance:
  Limit:ULOG:SSH net fw tcp ssh
  Limit:ULOG:IMAP net fw tcp imap,imaps
  Note: You must use the <action>:<log>:<tag> format for these rules, because Limit uses the <tag> as the name of the ipt_recent table (so SSH and IMAP are counted separately).
- Optionally add a Whitelist rule:
  Whitelist:ULOG net fw
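To make the mechanism behind the two actions visible without shorewall, here is an added example that rebuilds them as plain iptables rules in iptables-restore syntax. It is not the Limit and Whitelist scripts from this article and not shorewall's builtin Limit. The 6-hits-per-60-seconds window, the list named after the tag, the --update/--hitcount/--rttl drop rule and the 60-second whitelist follow the article; the chain names LIMIT_<tag> and KNOCK, the list name Whitelist, the conntrack match and the placeholder knock port 2222 are my own assumptions and must be adapted.

```shell
#!/bin/sh
# Added example: the article's Limit and Whitelist actions rebuilt as plain
# iptables rules (iptables-restore syntax) on the "recent" match, so the
# mechanism is visible without shorewall. This is NOT the article's scripts
# and NOT shorewall's builtin Limit.
# Assumptions not taken from the article: chains LIMIT_<tag> and KNOCK, a
# recent list called Whitelist, the conntrack match, and a placeholder knock
# port of 2222 that you must replace with your own WHITELIST_PORT.

WHITELIST_PORT=${WHITELIST_PORT:-2222}   # hypothetical knock port
WINDOW=60                                # seconds, as in the article
HITS=6                                   # NEW connections allowed per WINDOW

# Rules for one limited service.
#   $1 = tag, also the name of the recent list (SSH, IMAP, ...)
#   $2 = destination port(s) in multiport syntax (ssh or imap,imaps)
# Order matters: the whitelist exemption is checked before the address is
# recorded, --set records every NEW packet, the --rcheck/--update pair then
# fires from the 6th NEW packet within WINDOW onwards. Because the DROP rule
# uses --update, an attacker that keeps hammering refreshes its own entry and
# stays blocked; the entry expires about a minute after it stops.
limit_rules() {
    tag=$1
    ports=$2
    cat <<EOF
-A INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j LIMIT_$tag
-A LIMIT_$tag -m recent --name Whitelist --rcheck --seconds $WINDOW -j ACCEPT
-A LIMIT_$tag -m recent --name $tag --set
-A LIMIT_$tag -m recent --name $tag --rcheck --seconds $WINDOW --hitcount $HITS --rttl -j LOG --log-prefix "Limit:$tag:DROP "
-A LIMIT_$tag -m recent --name $tag --update --seconds $WINDOW --hitcount $HITS --rttl -j DROP
-A LIMIT_$tag -j ACCEPT
EOF
}

# Port-knock whitelist: one TCP SYN to WHITELIST_PORT records the source in
# the Whitelist list (--set always matches). The SYN itself is dropped; the
# list entry is what lifts the limit for the next WINDOW seconds.
whitelist_rules() {
    cat <<EOF
-A INPUT -p tcp --dport $WHITELIST_PORT -m conntrack --ctstate NEW -j KNOCK
-A KNOCK -m recent --name Whitelist --set -j LOG --log-prefix "Whitelist:KNOCK "
-A KNOCK -j DROP
EOF
}

# Complete filter-table fragment for iptables-restore --noflush: the same
# two services the article uses as its example rules.
ruleset() {
    cat <<EOF
*filter
:LIMIT_SSH - [0:0]
:LIMIT_IMAP - [0:0]
:KNOCK - [0:0]
EOF
    whitelist_rules
    limit_rules SSH ssh
    limit_rules IMAP imap,imaps
    echo COMMIT
}

ruleset
```

Review the printed rules, then load them with iptables-restore --noflush; the knock from an allowed client is any TCP connect to the knock port (for example nc -z host 2222), which gets no reply but is still recorded. Things to keep in mind: --rttl restricts the drop to packets whose TTL matches the first packet recorded for that address, which makes it harder for a third party to lock you out by spoofing your source address, but it also means an attacker varying its TTL is not counted; a single secret knock port is found by any full port scan, which then whitelists the scanner for 60 seconds; and clients behind one NAT address share a single counter.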
If you're running OpenSSH 3.9 or later, you might additionally want to set MaxAuthTries to 1 (see sshd_config(5)). Be aware that sshd counts every public key the client offers as an authentication attempt, so with MaxAuthTries 1 a client that has several keys loaded in its agent can be disconnected before it gets to the right one; point such clients at the correct key with IdentityFile and IdentitiesOnly in ssh_config(5).
May 9th, 2005: I have found a bug in the ipt_recent module, see this article for more information and a fix.
I got here from this link:
http://thread.gmane.org/gmane.linux.gentoo.security/2486
Can you make a more newbie-friendly, step-by-step guide with more explanation for this?
Thanks for this guide.
I second the request. I've had someone trying to log in as root and other users for some time now. I use secure passwords, disallow root login and use shorewall to drop or reject multiple login tries, but a working script to limit failed attempts would be fantastic.
Thanks in advance.
I’ll post an extended article in the next days.
Do these DROPs ever time out? It would be good if they were automatically released a few hours later…
Yes, they time out within a minute when the attacker stops sending packets.
The Limit action uses "... -m recent --update --seconds 60 --hitcount 6 --rttl --name SSH -j DROP". That means: if the source address is in the ipt_recent list named SSH and six or more NEW packets with the same TTL have been received in the last 60 seconds, then drop this packet. Once the number of packets received in the last 60 seconds drops below 6 again (i.e. if no new packets arrive for some time), the rule won't hit.
Hi!
I’m quite new to shorewall, but I’ve been experiencing bruteforce ssh attacks and so I wanted to use your scripts to try and stop them. Unfortunately, when I try to start shorewall again, the command fails with:
ERROR: Invalid TARGET in rule “[ -n “$TAG” ] || fatal_error “TAG not set” ”
And so I’m not sure what’s going wrong …
… belay that comment.
I’m slightly dumb today and wasn’t reading your instructions correctly.
It all seems to be working now that I correctly followed them.
Thanks for writing the scripts :)
I've been using this tip successfully for, I don't know, about a year now. A couple of hours ago when I ran "apt-get dist-upgrade" on my Debian Unstable machine, Shorewall was upgraded and after that it was unable to start. It reported an error regarding this very tip.
The solution was found a while later. In the changelog (which I read during installation, just not carefully enough :-) ) it says:
"The 'Limit' action is now a builtin. If you have 'Limit' listed in /etc/shorewall/actions, remove the entry. Also remove the files /etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have them."
http://www1.shorewall.net/pub/shorewall/development/3.3/shorewall-3.3.3/releasenotes.txt
The answer lies here though: http://www.shorewall.net/PortKnocking.html#Limit . In other words: out with the old, in with the new. On the same page, further up, there is a replacement for the Whitelist-action as well.
Yeah, I’ve seen that Limit has been included in the upstream version some time ago. I’ll add a note to the article.
There is also another, more user-friendly way to protect ssh: use pam-abl:
http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection
Does anyone know if there is any other information on this subject in other languages?