
Need help understanding iptables.

tcp dpt:ssh state NEW recent: SET name: SSH side: source
tcp dpt:ssh state NEW recent: UPDATE seconds: 90 hit_count: 4 TTL-Match name: SSH side: source

should reduce brute force attack to 4 hits in 90 seconds but last -d reports hundreds of hits per ip all within a second, it then changes ip and starts again.

I've not played with iptables until a week ago. I've read up on the ubuntu, centos and fedora iptables info but still have the problem. Can someone please point me in a direction to stop attacks from ip addresses after a couple of attempts.

Many thanks
Roger

I suspect what you're really after is a solution like fail2ban. Check out http://www.fail2ban.org/wiki/index.php/Main_Page otherwise there will be a guide to setting this up easily somewhere on the web. If you still need help with iptables after having a look at f2b post back.

Regards,
Edward

On Tue, Nov 1, 2011 at 5:03 PM, Roger <arelem3@bigpond.com> wrote:
> Need help understanding iptables.
>
> tcp dpt:ssh state NEW recent: SET name: SSH side: source
> tcp dpt:ssh state NEW recent: UPDATE seconds: 90 hit_count: 4 TTL-Match name: SSH side: source
>
> should reduce brute force attack to 4 hits in 90 seconds but last -d reports hundreds of hits per ip all within a second, it then changes ip and starts again.
>
> I've not played with iptables until a week ago. I've read up on the ubuntu, centos and fedora iptables info but still the problem. Can someone please point me in a direction to stop attacks from ip addresses after a couple of attempts.
>
> Many thanks
> Roger
>
> _______________________________________________
> luv-main mailing list
> luv-main@lists.luv.asn.au
> http://lists.luv.asn.au/listinfo/luv-main

Roger <arelem3@bigpond.com> wrote:
> Need help understanding iptables.

On Tue, 1 Nov 2011 05:03:56 PM Roger wrote:
> Need help understanding iptables.
>
> tcp dpt:ssh state NEW recent: SET name: SSH side: source
> tcp dpt:ssh state NEW recent: UPDATE seconds: 90 hit_count: 4 TTL-Match name: SSH side: source
>
> should reduce brute force attack to 4 hits in 90 seconds but last -d reports hundreds of hits per ip all within a second, it then changes ip and starts again.

This might help as it appears to talk about the sort of thing you are trying to do..
http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

This email may come with a PGP signature as a file. Do not panic.
For more info see: http://en.wikipedia.org/wiki/OpenPGP

Chris Samuel wrote:
> On Tue, 1 Nov 2011 05:03:56 PM Roger wrote:
>> Need help understanding iptables.
>>
>> tcp dpt:ssh state NEW recent: SET name: SSH side: source
>> tcp dpt:ssh state NEW recent: UPDATE seconds: 90 hit_count: 4 TTL-Match name: SSH side: source
>>
>> should reduce brute force attack to 4 hits in 90 seconds but last -d reports hundreds of hits per ip all within a second, it then changes ip and starts again.
>
> This might help as it appears to talk about the sort of thing you are trying to do..
> http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

See also http://cyber.com.au/~twb/doc/iptab
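The rule set that Roger's listing corresponds to, written out as an added example (not code from the thread or from the linked pages): xt_recent rules for the SSH port, with the hit-count-and-drop rule placed where it has to sit to take effect. The list name SSH, the 90 s window and the hit count of 4 are the thread's; the log prefix, the rate limit on logging and the dry-run convention are assumptions.

```shell
# Added example (not from the thread): INPUT rules using the same xt_recent
# options as Roger's listing (SET / UPDATE seconds: 90 hit_count: 4 TTL-Match,
# side: source), in the order they must appear to actually block anything.
# Dry run by default: it prints the commands. Run as root with IPT=iptables
# to apply them.
IPT=${IPT:-"echo iptables"}
SSH_PORT=${SSH_PORT:-22}

ssh_ratelimit_rules() {
    # Packets of established connections pass before any counting, so only
    # new connection attempts (SYNs) reach the recent rules below.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Record each new SSH connection under list "SSH", keyed on the source
    # address (--rsource is what "side: source" means in iptables -L output).
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --rsource --set

    # Source seen 4 or more times in the last 90 s: log (rate-limited so the
    # attacker cannot flood syslog) and drop. --update refreshes the entry's
    # timestamp, so a host that keeps retrying stays blocked until it has
    # been quiet for 90 s. --rttl ("TTL-Match") only counts packets whose TTL
    # matches the stored one, which stops spoofed SYNs locking out a real
    # address. Both rules must come BEFORE the ACCEPT for port 22; if an
    # earlier rule accepts SSH, these never match and the listing looks
    # correct while nothing is blocked.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --rsource --update --seconds 90 --hitcount 4 --rttl \
        -m limit --limit 3/minute -j LOG --log-prefix "SSH-ratelimit: "
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name SSH --rsource --update --seconds 90 --hitcount 4 --rttl \
        -j DROP

    # Anything that got this far is a new connection under the limit.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# What the kernel currently holds for the list: one line per source with its
# last-seen time and hit history. Useful to confirm hits are being counted.
ssh_ratelimit_show() {
    cat /proc/net/xt_recent/SSH
}

# Caveat: this counts TCP connections, not password guesses. One connection
# can carry several guesses (sshd's MaxAuthTries), and an attacker rotating
# source addresses, as Roger describes, is never over the per-source limit.
# Key-only authentication and a log-driven tool such as fail2ban cover that.
ssh_ratelimit_rules
```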

I have just switched to using my ADSL modem in bridging mode and had to institute my own firewall and wanted to put ssh on a different port for external access to avoid these attacks. I didn't want to change the default port for internal access but the only way I could make it work was to do a trick like:

iptables -t nat -I PREROUTING -p tcp --dport X -j DNAT --to-destination :22
iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to-destination :X

where X is the new external "ssh" port. That way external ssh traffic is sent to port 22 internal and external port 22 traffic is sent to the other port X which can be dropped.

It seems a bit clunky (I was worried that it might lead to a loop initially) - is there a better way to do this?

Also is there a better site to external scan your machine than the "Shields Up" site? I've heard people complain about it - presumably it's marketing but it does appear to do a convenient job for quickly scanning your ports for free.

Andrew

Andrew Worsley <amworsley@gmail.com> wrote:
> iptables -t nat -I PREROUTING -p tcp --dport X -j DNAT --to-destination :22
> iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to-destination :X
>
> where X is the new external "ssh" port. That way external ssh traffic is sent to port 22 internal and external port 22 traffic is sent to the other port X which can be dropped.
>
> It seems a bit clunky (I was worried that it might lead to a loop initially) - is there a better way to do this?

An alternative would be to run two instances of sshd, bind one to the internal interface and the other to the external interface. This would involve changing startup scripts and having separate configurations - more administrative work and not necessarily a superior solution to your iptables approach.

> Also is there a better site to external scan your machine than the "Shields Up" site? I've heard people complain about it - presumably it's marketing but it does appear to do a convenient job for quickly scanning your ports for free.

If you have access to an external Linux host with nmap installed, you can run it against your own machine.

Andrew Worsley wrote:
> I have just switched to using my ADSL modem in bridging mode and had to institute my own firewall and wanted to put ssh on a different port for external access to avoid these attacks. I didn't want to change the default port for internal access but the only way I could make it work was to do a trick like:
>
> iptables -t nat -I PREROUTING -p tcp --dport X -j DNAT --to-destination :22
> iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to-destination :X

If you have a problem, and you use NAT, you will have two problems.

1. tell sshd to bind to both *:22 and *:1234;
2. set up a default deny firewall; and
3. allow 1234 from the internet (but not 22).

> Also is there a better site to external scan your machine than the "Shields Up" site?

Never heard of it. Just run nmap and openvas, from outside the target network.
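Trent's three steps as an added example (not code from the thread): one sshd listening on two ports and an interface-based default-deny firewall in place of the DNAT swap. The interface names ppp0 and eth0, the alternate port 1234 and the dry-run convention are assumptions.

```shell
# Added example (not from the thread): Trent's no-NAT layout. One sshd binds
# both ports; the firewall decides which interface may reach which port.
# Interface names and the alternate port are assumptions. Dry run by default
# (prints the commands); run as root with IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}
EXT_IF=${EXT_IF:-ppp0}             # interface on the bridged ADSL link
INT_IF=${INT_IF:-eth0}             # LAN interface
EXT_SSH_PORT=${EXT_SSH_PORT:-1234} # the port Trent calls 1234 (Andrew's X)

# Lines for /etc/ssh/sshd_config so the single daemon listens on both
# ports; no second instance and no DNAT swap. Reload sshd afterwards.
sshd_ports_config() {
    printf 'Port 22\nPort %s\n' "$EXT_SSH_PORT"
}

split_ssh_firewall() {
    # Default deny inbound; loopback and replies to our own traffic pass.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts keep using the standard port.
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # The internet only gets the alternate port; port 22 on the external
    # interface falls through to the DROP policy, which is what Andrew's
    # two PREROUTING rules achieved by rewriting ports.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$EXT_SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Note: a port scan still finds 1234. Moving the port cuts log noise from
    # scanners that only try 22; it is not a substitute for key-only auth.
}

sshd_ports_config
split_ssh_firewall
```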
Participants (6): Andrew Worsley, Chris Samuel, Edward Savage, Jason White, Roger, Trent W. Buck