From: "J. Bakshi"
Subject: Re: ssh overflow blacklisting not working properly
Date: Tue, 30 Mar 2010 14:22:36 +0530
To: Richard Horton
Cc: Jan Engelhardt, netfilter@vger.kernel.org

On 03/30/2010 01:53 PM, Richard Horton wrote:
> My bad... you still need a rule to accept ssh traffic...
>
> so add a fourth rule
>
> -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
>
> and a fifth
> -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The fourth rule accepts SSH which hasn't been dropped by the first 3
> rules, the fifth just allows established sessions and related.
>
> You'll need to tighten the fourth rule as appropriate but you don't
> need to add the rate limiting stuff as that's dealt with so just
> tighten allowed addresses, ports etc.
>
> (Tip: unless you've moved a service from its usual port you can use
> the name from /etc/services for the port number, and for the -p
> you can use the names from /etc/protocols)

Hello Richard,

Many, many thanks for your help, clarification and tips, but this time, with all five rule sets, it is no longer possible to log in through ssh. Hence I have kept my earlier one, i.e.:

Note: I am not running ssh on the default port, hence $SSH_PORT is there to define it at the beginning.
```````````````````
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \
    --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
    --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
`````````````````````````

and here is the iptables-save

`````````````````
# Completed on Tue Mar 30 14:06:11 2010
# Generated by iptables-save v1.4.2 on Tue Mar 30 14:06:11 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:40]
:OUTPUT DROP [2:544]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 122.176.30.116/32 -i eth1 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth1 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth1 -j DROP
-A INPUT -d 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan?: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1023 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -j DROP
-A INPUT -i eth1 -p tcp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID TCP: "
-A INPUT -i eth1 -p udp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID UDP: "
-A INPUT -i eth1 -m state --state INVALID -j DROP
-A INPUT -s 4.2.2.2/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.222.222/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.220.220/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60021 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 62222:63333 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth1 -j syn-flood
-A INPUT -i eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p udp -j DROP
-A INPUT -i eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-IN-Notallowed: "
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -i eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p tcp -j DROP
-A INPUT -i eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 4.2.2.2/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT
-A OUTPUT -d 66.35.250.209/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 213.133.106.107/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 80.237.136.138/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 204.174.223.204/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p udp -j DROP
-A OUTPUT -o eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-OUT-Notallowed: "
-A OUTPUT -o eth1 -p icmp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -j DROP
-A syn-flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name testlimit --hashlimit-htable-expire 300000 -j RETURN
-A syn-flood -m recent --set --name blacklist --rsource -j DROP
COMMIT
# Completed on Tue Mar 30 14:06:11 2010
`````````````````

-- 
জয়দীপ বক্সী
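An added check, not part of this thread, for the ordering point in Richard's reply (the accept rule only sees what the earlier rules have not already decided): if a plain ACCEPT for the SSH port sits ahead of the hashlimit ACCEPT for the same port, the limiter never sees a NEW connection. `check_ssh_order` audits an iptables-save listing for that; the sample listing is constructed from a trimmed version of the dump above, and `ssh_limit_rules` is my suggested ordering, assuming eth1 is the public interface as in the dump.

```shell
#!/bin/sh
# Constructed excerpt in the style of the iptables-save dump above (not the full dump):
# a plain ACCEPT for the SSH port sits ahead of the hashlimit ACCEPT for the same port.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 60650 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT'

# first_match RULES RE1 RE2: 1-based line number of the first rule matching both
# extended regexps, 0 when none does.
first_match() {
  printf '%s\n' "$1" | awk -v a="$2" -v b="$3" \
    '$0 ~ a && $0 ~ b { print NR; f = 1; exit } END { if (!f) print 0 }'
}

# check_ssh_order RULES PORT
#   returns 0 when the hashlimit ACCEPT for PORT is reached before any ACCEPT for
#   PORT that carries no hashlimit/recent match, 1 when such a plain ACCEPT
#   shadows it (the limiter never sees a packet), 2 when PORT has no hashlimit rule.
check_ssh_order() {
  rules=$1
  port_re="--dport $2( |\$)"
  limited=$(first_match "$rules" "$port_re" "-m hashlimit")
  [ "$limited" -eq 0 ] && return 2
  plain=$(printf '%s\n' "$rules" | awk -v p="$port_re" \
    '$0 ~ p && /-j ACCEPT/ && $0 !~ /-m (hashlimit|recent)/ { print NR; f = 1; exit }
     END { if (!f) print 0 }')
  [ "$plain" -ne 0 ] && [ "$plain" -lt "$limited" ] && return 1
  return 0
}

# ssh_limit_rules PORT: emit the SSH-related INPUT rules in an order where the
# limiter is authoritative. Constructed from the thread's pieces (recent blacklist,
# hashlimit per source IP); eth1 is assumed to be the public interface.
ssh_limit_rules() {
  cat <<EOF
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport $1 -m state --state NEW -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport $1 -m state --state NEW -m recent --set --name blacklist --rsource -j DROP
EOF
}
```

Run it against a live listing with `check_ssh_order "$(iptables-save)" 60650; echo $?`, substituting the real SSH port; the final DROP in `ssh_limit_rules` puts any source that exceeds the limit on the blacklist the `--rcheck` rule consults.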