As my SSH server only accepts public key based authentication, I’m not really worried about brute force password attacks. But these scans tend to clobber my auth.log. So after some discussion with Andrew Pollock, I’ve written a few custom actions for my shorewall setup. They use the ipt_recent module, which keeps a table of recently seen source IP addresses and lets you match packets against that table using criteria such as how many times, and how recently, an address has been seen.
The Limit action can be used to limit accepted connections per IP and timeframe. The hardcoded limit currently is 6 connections per 60 seconds. If an IP tries to connect more often, the further attempts will be DROPped.
The Whitelist action provides a simple port-knocking whitelist. If you know the WHITELIST_PORT, you can lift the limits imposed by the Limit action for your IP for 60 seconds by connecting to that port.
Here’s how you can integrate those two actions:
- Create two empty files: shorewall/action.Limit and shorewall/action.Whitelist
- Copy Limit and Whitelist to the shorewall directory
- Add Limit and Whitelist to shorewall/actions
- Set WHITELIST_PORT in shorewall/params
- Use Limit in shorewall/rules, for instance:
    Limit:ULOG:SSH net fw tcp ssh
    Limit:ULOG:IMAP net fw tcp imap,imaps
  Note: You must use the <action>:<log>:<tag> format for the rules. Limit uses the <tag> for the ipt_recent table name.
- Optionally add a Whitelist rule:
    Whitelist:ULOG net fw
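To make the two actions concrete, here is an added example (my own sketch, not the Limit and Whitelist action files from this post) of the raw iptables rules a Limit:<log>:<TAG> rule and a Whitelist rule boil down to, plus a small simulator of the ipt_recent --rcheck/--hitcount decision so the "6 connections per 60 seconds" behaviour can be checked without loading anything into the kernel. Everything not stated in the post is an assumption: the INPUT chain (shorewall would put these rules into its own net2fw chain), numeric ports instead of service names, the LOG target in place of ULOG, the table name WHITELIST, and 1234 as a placeholder knock port.

```shell
#!/bin/sh
# Added example, not the post's own action files. Assumptions (not from the post):
# INPUT chain, numeric ports, LOG instead of ULOG, table name WHITELIST, knock port 1234.

LIMIT_HITS=6                           # connections allowed per window (the post's hardcoded limit)
LIMIT_SECONDS=60                       # window length in seconds
WHITELIST_PORT=${WHITELIST_PORT:-1234} # placeholder; the post reads it from shorewall/params

# Print the rules behind "Limit:<log>:$1" for the tcp port list $2.
# Order matters: whitelisted addresses skip the limit, the two --rcheck rules log
# and drop once the address has LIMIT_HITS stamps inside the window, and only
# accepted SYNs reach --set, so dropped attempts never refresh the table.
limit_rules() {
    tag=$1; ports=$2
    cat <<EOF
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -m recent --name WHITELIST --rcheck --seconds $LIMIT_SECONDS -j ACCEPT
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -m recent --name $tag --rcheck --seconds $LIMIT_SECONDS --hitcount $LIMIT_HITS -j LOG --log-prefix "Limit:$tag "
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -m recent --name $tag --rcheck --seconds $LIMIT_SECONDS --hitcount $LIMIT_HITS -j DROP
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -m recent --name $tag --set -j ACCEPT
EOF
}

# Print the rule behind "Whitelist": a SYN to the knock port records the source
# address in the WHITELIST table and is then dropped; nothing has to listen there.
whitelist_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --syn --dport $WHITELIST_PORT -m recent --name WHITELIST --set -j DROP
EOF
}

# Simulate the Limit decision for one address. $1 is a space-separated list of
# SYN timestamps in seconds; the output is the matching ACCEPT/DROP verdicts.
# Mirrors ipt_recent: --rcheck counts stored stamps not older than --seconds and
# matches when that count reaches --hitcount; only --set stores a new stamp.
simulate_limit() {
    seen=""; verdicts=""
    for now in $1; do
        hits=0
        for stamp in $seen; do
            if [ $((now - stamp)) -le "$LIMIT_SECONDS" ]; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge "$LIMIT_HITS" ]; then
            verdicts="$verdicts DROP"     # matched the --rcheck rules: logged and dropped
        else
            seen="$seen $now"             # reached the --set rule: recorded and accepted
            verdicts="$verdicts ACCEPT"
        fi
    done
    echo "${verdicts# }"
}

# Usage: sh limit.sh --print   (prints the SSH and IMAP/IMAPS rules plus the knock rule)
if [ "${1:-}" = "--print" ]; then
    limit_rules SSH 22
    limit_rules IMAP 143,993
    whitelist_rules
fi
```

Running simulate_limit on ten attempts at seconds 0 to 7, 65 and 66 gives six ACCEPTs, two DROPs, then ACCEPT again: because the drop rules use --rcheck rather than --update, rejected attempts add no stamps, so an address is only ever held off until its oldest accepted stamp falls out of the window. If you would rather keep a scanner blocked for as long as it keeps retrying, use --update instead of --rcheck on the DROP rule. Two further things to check on the box: --hitcount cannot exceed the module's ip_pkt_list_tot parameter (default 20), and the current contents of a table can be inspected under /proc/net/ipt_recent/<TAG> (on kernels that ship xt_recent instead, /proc/net/xt_recent/<TAG>).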
If you’re running OpenSSH 3.9 or later, you might additionally want to set MaxAuthTries to 1 (see sshd_config(5)). Be aware that every public key the client offers and the server rejects counts as a failed attempt, so clients with several keys loaded in their agent may be disconnected before the right key is tried.
May 9th, 2005: I have found a bug in the ipt_recent module, see this article for more information and a fix.
The Kills just released a new album: No Wow. I like the title. Until I find a better name, this blog will be called now wow :-)