HowTo:Kernel/Block SSH Scans

From NOC


SSH brute forcing is a problem if you run a publicly reachable SSH server, and it is worse if you run SSH on the default port 22. I own two Linksys NSLU2s, which do not have many resources to spare for script kiddies attempting to break in, so I run SSH on a non-standard port and have now added some iptables rules to block out the pests that still try to get in. I am using the recent module of iptables, which, as I understand it, is not available by default in quite a few distributions; Debian and Ubuntu are fine though.


Requirements

Assumptions

  • Running Debian or Ubuntu
  • Using sudo otherwise modify commands to suit

Instructions

  • sudo editor /etc/network/if-up.d/iptables-ssh
#!/bin/dash
# Run by ifupdown for every interface event; the same file is linked from
# if-down.d so the rules are removed again when the interface goes down.
# The file must be executable (chmod +x) or run-parts will skip it.
 
# Nothing to do for the loopback interface.
[ "${METHOD}" != "loopback" ] || exit 0
 
CHAIN=SSHSCAN
PORT=22
# IF_ADDRESS and IF_NETMASK are exported by ifupdown only for interfaces with a
# static address in /etc/network/interfaces; on a DHCP interface they are empty
# and the iptables commands below will fail.
# A bare address such as 10.0.0.0 matches that single host only; write
# 10.0.0.0/8 if the whole private network is meant.
WHITELIST="$IF_ADDRESS/$IF_NETMASK 10.0.0.0"
TIME=300 # seconds
COUNT=3
 
if [ "${MODE}" = "start" ]; then
	# Create the chain. If it already exists -N fails, so the rules inside
	# the subshell are not appended a second time.
	iptables -N $CHAIN 2> /dev/null && (
		# Record every new connection in the recent list "SSH", then log and
		# drop the source once it has COUNT hits within TIME seconds.
		iptables -A $CHAIN -m recent --set --name SSH
		iptables -A $CHAIN -m recent --update --seconds $TIME --hitcount $COUNT --name SSH -j LOG --log-level info --log-prefix "SSH SCAN blocked: "
		iptables -A $CHAIN -m recent --update --seconds $TIME --hitcount $COUNT --name SSH -j DROP
	)
 
	# Whitelisted sources are accepted before they reach the scan chain.
	for WHITE in $WHITELIST; do
		iptables -A INPUT -d $IF_ADDRESS -p tcp --dport $PORT -s $WHITE -j ACCEPT
	done
 
	# Only new connections are counted; established sessions are unaffected.
	iptables -A INPUT -d $IF_ADDRESS -p tcp --dport $PORT -m state --state NEW -j $CHAIN
else
	# Interface going down: remove the INPUT rules again (the chain itself stays).
	for WHITE in $WHITELIST; do
		iptables -D INPUT -d $IF_ADDRESS -p tcp --dport $PORT -s $WHITE -j ACCEPT
	done
 
	iptables -D INPUT -d $IF_ADDRESS -p tcp --dport $PORT -m state --state NEW -j $CHAIN
fi
  • sudo ln -s ../if-up.d/iptables-ssh /etc/network/if-down.d/iptables-ssh

That is it.

Notes

Be aware that this recipe will block new connections to port 22 from any IP address that makes 3 connection attempts on that port within 300 seconds (5 minutes). You may need to adjust WHITELIST; currently it whitelists the interface's local network, which should be suitable if you are running the SSH server behind a NAT gateway.
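To see exactly when the chain above starts dropping and when a source is released again, here is a small model of its logic (an added example, not part of the original recipe and not touching iptables): the whitelist ACCEPT rules, then the recent module's --set rule followed by the two --update --seconds/--hitcount rules. The addresses and attempt times are constructed; the whitelist uses a made-up 192.168.1.0/24 interface network plus the recipe's bare 10.0.0.0 entry.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror WHITELIST="$IF_ADDRESS/$IF_NETMASK 10.0.0.0" for a
# 192.168.1.x interface; iptables -s accepts addr/netmask or a bare host.
WHITELIST = ["192.168.1.0/255.255.255.0", "10.0.0.0"]
TIME, COUNT = 300, 3            # --seconds / --hitcount from the recipe


def whitelisted(src):
    """The per-source ACCEPT rules that sit before the SSHSCAN jump."""
    return any(ip_address(src) in ip_network(w, strict=False) for w in WHITELIST)


class RecentList:
    """One xt_recent list (--name SSH): timestamps of hits per source."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        # --set: always records a hit for the source (creating the entry).
        self.stamps.setdefault(src, []).append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount C: match if the source has at least
        # C hits inside the last S seconds; a match also records a fresh hit,
        # which is why a host that keeps retrying extends its own block.
        hits = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(hits) < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def verdict(recent, src, now):
    """Verdict for one NEW connection to the SSH port at time `now`."""
    if whitelisted(src):
        return "ACCEPT"
    recent.set(src, now)                              # rule 1: --set
    if recent.update(src, now, TIME, COUNT):          # rule 2: LOG (non-terminating)
        recent.update(src, now, TIME, COUNT)          # rule 3: DROP
        return "DROP"
    return "RETURN"      # falls back to the rest of INPUT / its default policy


def simulate(attempts):
    """attempts: list of (seconds, source) NEW connections; returns verdicts."""
    recent = RecentList()
    return [verdict(recent, src, t) for t, src in attempts]
```

Running `simulate` on a source that connects at 0, 10, 20, 30 and 400 seconds gives RETURN, RETURN, DROP, DROP, RETURN: the third attempt within 300 s is dropped, and the source is only released once it has been quiet for the full window.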

I use this system on both of my NSLU2 devices because of their low memory and processing power; full-blown solutions like fail2ban are impractical and cumbersome at best.
