
Re: ssh howto for debian?



Paul Cartwright wrote:
On Wed January 28 2009, Kevin Philp wrote:
Even easier and better: add the following to your iptables firewall. This
monitors your connections to the ssh port and drops the connection if
they try more than 4 connections in 10 minutes. I have been using this
for a while - works a treat.

References at:

http://www.la-samhna.de/library/brutessh.html
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/

/sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "

# /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.

Sorry, I wasn't clear - this was cut from our firewall script. Here is a longer section. It should work and give you what you need.

#!/bin/bash

###### Variables #####################################
INT=eth0                 # internal (LAN) interface
EXT=eth1                 # external (Internet-facing) interface
IPTABLES=/sbin/iptables

###### Flush old rules ################################
$IPTABLES -F
$IPTABLES -X

###### Set defaults    ################################
# Anything not explicitly accepted by the chains below is dropped.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

###### Modified SSH brute force blocker with anti spoofing ##########
$IPTABLES -N ssh-connection
$IPTABLES -F ssh-connection
# A source already recorded 4 times in the last 600 seconds is logged, then dropped.
# --rttl only matches when the packet's TTL equals the TTL of the packet that
# created the entry, so forged packets with another TTL cannot easily get a
# legitimate address blocked.
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
# Every other new SSH connection is added to the SSH list and accepted.
$IPTABLES -A ssh-connection -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

###### Set local access on INT only ###################
$IPTABLES -N internal-connection
$IPTABLES -F internal-connection
# "! -i" is the negation syntax current iptables accepts; the original script
# used the older "-i ! $EXT" form, deprecated since iptables 1.4.3.
$IPTABLES -A internal-connection -s 127.0.0.1 ! -i $EXT -j ACCEPT
$IPTABLES -A internal-connection -s 192.168.100.0/255.255.255.0 ! -i $EXT -j ACCEPT

###### Set access to related connections ###############
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

####### Jump INPUT to filter chains
# Packets no chain accepts return here and hit the DROP policy.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A INPUT -j internal-connection
$IPTABLES -A INPUT -j ssh-connection

###### Jump FORWARD to filter chains
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allowed-connection
$IPTABLES -A FORWARD -j internal-connection
$IPTABLES -A FORWARD -j ssh-connection
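Once this rule set is loaded, every dropped attempt leaves a kernel LOG line carrying the "SSH_brute_force " prefix. As an added example (not code from the thread), the POSIX shell script below summarizes those lines per source address; the sample log is constructed, abridged to the LOG target's main fields, uses documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of syslog lines as the LOG rule above would produce them
# (abridged LOG-target fields, RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 28 10:01:02 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=54 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 28 10:01:09 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=54 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 28 10:01:15 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=54 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 28 10:02:40 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=50001 DPT=22 SYN
Jan 28 10:02:41 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TTL=48 PROTO=TCP SPT=50002 DPT=22 SYN
Jan 28 10:03:00 gw kernel: unrelated line with SRC=10.0.0.1 that must be ignored'

# ssh_bruteforce_report: read syslog lines on stdin and print one line per
# source address that tripped the LOG rule: "<hits> <src> <first> <last>",
# busiest source first. Each counted line is one dropped connection attempt;
# lines without the LOG prefix are ignored even if they carry SRC=.
ssh_bruteforce_report() {
    awk '
        /SSH_brute_force / {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            if (!(src in hits)) first[src] = $3   # $3 is the syslog time field
            hits[src]++
            last[src] = $3
        }
        END { for (s in hits) print hits[s], s, first[s], last[s] }
    ' | sort -k1,1nr -k2,2
}

# ssh_bruteforce_offenders N: addresses with at least N logged hits, one per line.
ssh_bruteforce_offenders() {
    ssh_bruteforce_report | awk -v m="${1:-1}" '$1 >= m { print $2 }'
}

# Run against the constructed sample; in production feed it /var/log/kern.log.
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_report
```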