From: "J. Bakshi" <joydeep@infoservices.in>
To: Richard Horton <arimus.uk@googlemail.com>
Cc: Jan Engelhardt <jengelh@medozas.de>, netfilter@vger.kernel.org
Subject: Re: ssh overflow blacklisting not working properly
Date: Tue, 30 Mar 2010 14:22:36 +0530
Message-ID: <4BB1BBD4.3040906@infoservices.in>
In-Reply-To: <56378e321003300123j2c2dbc51ld8513483a7ee9753@mail.gmail.com>

On 03/30/2010 01:53 PM, Richard Horton wrote:
> My bad... you still need a rule to accept ssh traffic...
>
> so add a fourth rule
>
> -A INPUT -p tcp --dport ssh -m state NEW -j ACCEPT
>
> and a fifth
> -A INPUT -p tcp -m state ESTABLISHED,RELATED -j ACCEPT
>
> The fourth rule accepts SSH which hasn't been dropped by the first 3
> rules, the fifth just allows established sessions and related.
>
> You'll need to tighten the fourth rule as appropriate but you don't
> need to add the rate limiting stuff as that's dealt with so just
> tighten allowed addresses, ports etc.
>
> (Tip: unless you've moved a service from its usual port you can use
> the name from /etc/services for the port number, and for the -p
> <protocol> you can use the names from /etc/protocols)
>
>

Hello Richard,

many many thanks for your help, clarification and tips, but this time
with all the five rule sets it is no longer possible to log in through ssh
at all. Hence I have kept my earlier one, i.e.

Note: I am not running ssh at the default port, hence $SSH_PORT is there to
define it at the beginning.

```````````````````
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \
    --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
    --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
`````````````````````````

and here is the iptables-save

`````````````````
# Completed on Tue Mar 30 14:06:11 2010
# Generated by iptables-save v1.4.2 on Tue Mar 30 14:06:11 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:40]
:OUTPUT DROP [2:544]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 122.176.30.116/32 -i eth1 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth1 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth1 -j DROP
-A INPUT -d 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan?: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1023 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -j DROP
-A INPUT -i eth1 -p tcp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID TCP: "
-A INPUT -i eth1 -p udp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID UDP: "
-A INPUT -i eth1 -m state --state INVALID -j DROP
-A INPUT -s 4.2.2.2/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.222.222/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.220.220/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60021 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 62222:63333 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth1 -j syn-flood
-A INPUT -i eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p udp -j DROP
-A INPUT -i eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-IN-Notallowed: "
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -i eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p tcp -j DROP
-A INPUT -i eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 4.2.2.2/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT
-A OUTPUT -d 66.35.250.209/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 213.133.106.107/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 80.237.136.138/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 204.174.223.204/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p udp -j DROP
-A OUTPUT -o eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-OUT-Notallowed: "
-A OUTPUT -o eth1 -p icmp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -j DROP
-A syn-flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name testlimit --hashlimit-htable-expire 300000 -j RETURN
-A syn-flood -m recent --set --name blacklist --rsource -j DROP
COMMIT
# Completed on Tue Mar 30 14:06:11 2010

-- 
জয়দীপ বক্সী
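
As an added walk-through (not code from this thread or from the netfilter project), the script below replays a handful of INPUT rules copied from the iptables-save dump above through a first-match simulator. It shows the check a reviewer of this ruleset would want: the hashlimit ACCEPT only ever sees port 22 traffic that no earlier rule has already accepted, so the unconditional ACCEPT for port 60650 placed above it is never rate limited, and a source that exceeds 3/min on port 22 simply falls through to the later `-p tcp -j DROP`. hashlimit is modelled as a per-source token bucket and `-m recent` as a plain set, which approximates rather than reproduces the kernel's timing. The packet addresses are constructed from RFC 5737 documentation space, and `RULES_TEXT`, `parse_rule`, `Firewall` and `new_tcp` are names chosen here.

```python
"""Replay a subset of the INPUT chain from the dump above through a
first-match simulator.  Added example, not code from this thread."""
import ipaddress
import shlex

# Eight rules copied verbatim from the dump, in the dump's order.  Rules in
# between that cannot match the constructed packets used below are left out.
RULES_TEXT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT
-A INPUT -i eth1 -p tcp -j DROP
"""


def parse_rate(spec):
    """'3/min' -> events per second."""
    count, unit = spec.split("/")
    return int(count) / {"sec": 1, "min": 60, "hour": 3600, "day": 86400}[unit]


def parse_rule(line):
    """Pick out the matches this simulator understands; other options are skipped."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
        elif t == "-i":
            rule["iface"] = toks[i + 1]
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1])
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif t == "--hashlimit-upto":
            rule["rate"] = parse_rate(toks[i + 1])
        elif t == "--hashlimit-burst":
            rule["burst"] = int(toks[i + 1])
        elif t == "-j":
            rule["target"] = toks[i + 1]
        else:  # -m <module>, --rcheck, --name, --seconds, --rsource, --hashlimit-mode ...
            if t == "--rcheck":
                rule["recent_check"] = True
            i += 1
            continue
        i += 2
    return rule


class Firewall:
    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
        self.buckets = {}       # hashlimit state: src -> (tokens, last_seen)
        self.blacklist = set()  # stands in for the 'blacklist' recent list

    def _hashlimit_allows(self, rule, src, now):
        # Token bucket: 'burst' tokens to start, refilled at 'rate' per second.
        tokens, last = self.buckets.get(src, (rule["burst"], now))
        tokens = min(rule["burst"], tokens + (now - last) * rule["rate"])
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False

    def verdict(self, pkt, now=0.0):
        """Return (target, 1-based rule number) of the first matching rule."""
        for n, r in enumerate(self.rules, 1):
            if "iface" in r and r["iface"] != pkt["iface"]:
                continue
            if "proto" in r and r["proto"] != pkt["proto"]:
                continue
            if "src" in r and ipaddress.ip_address(pkt["src"]) not in r["src"]:
                continue
            if "dport" in r and r["dport"] != pkt["dport"]:
                continue
            if "states" in r and pkt["state"] not in r["states"]:
                continue
            if r.get("recent_check") and pkt["src"] not in self.blacklist:
                continue
            if "rate" in r and not self._hashlimit_allows(r, pkt["src"], now):
                continue
            return r["target"], n
        return "DROP", None  # chain policy from the dump: ':INPUT DROP'


def new_tcp(src, dport, iface="eth1"):
    """A fresh inbound connection attempt (constructed, not captured traffic)."""
    return {"iface": iface, "proto": "tcp", "src": src, "dport": dport, "state": "NEW"}


if __name__ == "__main__":
    fw = Firewall(RULES_TEXT)
    for t in (0.0, 1.0, 2.0, 60.0):
        print("t=%5.1fs port 22    ->" % t, fw.verdict(new_tcp("203.0.113.5", 22), t))
    for t in (0.0, 1.0, 2.0):
        print("t=%5.1fs port 60650 ->" % t, fw.verdict(new_tcp("203.0.113.5", 60650), t))
```

Running it shows the second and third port 22 attempts within the same minute landing on rule 8 (the catch-all TCP DROP) rather than on rule 7, while every attempt on port 60650 is accepted by rule 5 no matter how fast they arrive; only a source already in the blacklist set is stopped earlier, by rule 4.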

