[UFO Chicago] Tripwire to shut off ssh access to a host?

Jordan Bettis jordanb at hafd.org
Thu Nov 16 15:46:41 PST 2006


On Mon, Nov 13, 2006 at 01:18:15PM -0500, Nate Riffe wrote:
> Jordan Bettis said this (probably recently):
> > ISTR a program that uses netfilter to automatically
> > block hosts that fail login to ssh x number of
> > times. It's not 'tripwire' though, which would
> > be the obvious, that does something entirely
> > different.
> > 
> > Does anyone know what that program is, as I
> > can not find it now in debian stable.
> 
> It's not a "program," it's just these four rules, the second of which
> is optional if you don't want to log blocked connections and the last
> of which is optional if you are not otherwise blocking access to port
> 22:

Nate, this rocks my world. I had to switch to the Linode 2.6 series 
kernels to make it go, but after that it went in and has been spot-on
perfect for several days now. I'm now putting it in my init.d.

I decided to decode how it works:

> iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

If the packet received is opening a new connection on port 22, add the 
IP address of the originating host to ipt_recent's recent table with 
the name "SSH."

> iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rtt --name SSH -j ULOG --ulog-prefix "SSH brute force"

If more than four new connections come in the course of sixty seconds, send
a log message via the ULOG module. This uses the netlink module which
I don't know how to use, so for me I guess this line does nothing.

> iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rtt --name SSH -j DROP

If four new connections come in the course of 60 seconds, drop all 
subsequent packets from the host. Furthermore, restart the 60 second
counter each time a new attempt is made. 

> iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Obvious.

If you make four ssh connections in 60 seconds, it will blacklist you, but
the blacklist will expire in a minute if you don't try to make another 
connection and reset the counter before it expires.

Apparently there's a bug in the hitcount portion of ipt_recent that makes
things go hairy after a few tens of days of uptime. It was fixed? or at
least there is a patch for it. I can't figure out if my kernel (2.6.18)
is vulnerable or not but I don't think it is. I guess I'll find out in
a few more days.

-- 
Jordan Bettis -- Chicago Il.
  <http://neighborhoods.chicago.il.us>                  
    Photographs of Life in the Neighborhoods of Chicago
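The four rules decoded above, as an added Python model of the recent-match bookkeeping they drive; this is a constructed illustration, not code from the post, and it assumes the kernel module's default of 20 stored timestamps per source.

```python
"""Model of the ipt_recent/xt_recent bookkeeping behind the quoted rules
(constructed illustration, not code from the list post). Time is in
seconds; each source keeps up to 20 timestamps (ip_pkt_list_tot)."""
from collections import defaultdict, deque

MAX_STAMPS = 20  # kernel default ip_pkt_list_tot


class RecentTable:
    """One named list (here 'SSH'): a per-source ring of hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, ip, now):
        # --set: always matches and records this packet's time for the source
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the source already has
        # N or more stamps within the last S seconds; a match adds a fresh stamp
        hits = sum(1 for t in self.stamps.get(ip, ()) if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def ssh_new_connection(table, ip, now, log):
    """Walk the four INPUT rules for one NEW SYN to port 22; returns the
    verdict ('ACCEPT' or 'DROP') and appends any ULOG line to `log`."""
    table.set(ip, now)                                # rule 1: --set
    if table.update(ip, now, 60, 4):                  # rule 2: ULOG (non-terminating)
        log.append(f"SSH brute force: {ip} at t={now}")
    if table.update(ip, now, 60, 4):                  # rule 3: DROP
        return "DROP"
    return "ACCEPT"                                   # rule 4: ACCEPT


def simulate(attempts):
    """attempts: list of (time, ip); returns (verdict per attempt, ULOG lines)."""
    table, log, verdicts = RecentTable(), [], []
    for now, ip in attempts:
        verdicts.append(ssh_new_connection(table, ip, now, log))
    return verdicts, log
```

Because rule 2's --update adds a timestamp whenever it matches, it still feeds the counter even when nobody reads the ULOG messages, and every blocked attempt leaves three fresh timestamps, so a retry less than a minute after the last blocked attempt is dropped again while one made more than a minute later is accepted.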

