
Re: DenyHosts



	Hi.

On Sat, 16 Jan 2016 00:49:17 -0500
Steve Matzura <number6@noisynotes.com> wrote:

> Reco:
> 
> All of this is an excellent learning opportunity for me. Please bear
> with me just a bit as I ask the following:
> 
> On Sat, 16 Jan 2016 01:55:38 +0300, you wrote:
> 
> >A simple solution:
> >
> >iptables -I INPUT -p dcp -s 59.46.71.0/24 -j DROP
> 
> `-p dcp'? The manpage says:
> 
>        [!] -p, --protocol protocol
>               The protocol of the rule or of the packet to check.  The
> specified protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp,
>               ah, sctp, mh or the special  keyword  "all",  or  it can
> be  a numeric  value, representing one of these protocols or a
> different one.  A protocol name from /etc/protocols is  also  allowed.
> ...

My mistake. I meant "tcp". SSH is tcp, after all.


> >A complex one:
> >
> >iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
> >	-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
> >	--hashlimit-mode srcip --hashlimit-name ssh \
> >	--hashlimit-htable-expire 60000 -j ACCEPT
> 
>        -m, --match match
>               Specifies  a  match  to  use,  that is, an extension
> module that tests for a specific property. The set of matches  make up
> the condition under which a target is invoked. Matches are evaluated
> first to last as specified on  the  command  line  and  work in
> short-circuit fashion, i.e. if one extension yields false, evaluation
> will stop.
> 
> If I understand the above, in this command you are doing something
> with two rules, `conntrack' and `hashlimit'. But what? Adding them?
> Setting rule behavior?

This rule allows 16 connections to tcp:22 from a single IP address
(source IP) within an hour.

Conntrack is used to match NEW connections.
Hashlimit is used to hash the source IP and store the result in a kernel
hashtable called ssh (see /proc/net/ipt_hashlimit/ssh for the result).

Once the 16-connection limit is exceeded, netfilter will stop using this
rule for an hour, and move on to the following one.

Of course, "16" and "1 hour" are arbitrary values, and can be changed.


> >iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
> >	-j DROP
> 
>        -j, --jump target
>               This specifies the target of the rule; i.e., what to do
> if  the packet  matches  it.   The  target  can  be a user-defined
> chain (other than the one this rule is in), one of the special builtin
>               targets  which  decide the fate of the packet
> immediately, or an extension (see EXTENSIONS below).  If this option
> is omitted  in a rule (and -g is not used), then matching the rule
> will have no effect on the packet's fate, but the counters on the rule
> will be incremented.
> 
> So if the inbound packet has some property which matches any of those
> specified in the `--tcp-flags' list, drop it?

This rule simply drops all incoming NEW connections to tcp:22.
By itself, this rule is evil as it forbids anyone to connect via ssh.

But in conjunction with the previous one it implements the following
policy:

- anyone can connect up to 16 times via ssh.
- anyone exceeding the connection limit is tarpitted, and must wait
for an hour to try again.


> 
> Questions:
> 
> How do these commands function to lock out specific addresses or
> address ranges?

The current implementation works with single source IPs.
Modifying the rules to work with IP ranges is an exercise left for the
reader :)


> In the `--tcp-flags' list, why is `SYN' mentioned twice?

It's simple. There's absolutely no need for these rules to apply once
the connection is established.
Removing the SYN match would effectively limit any ssh session to 16 packets
total, which will break ssh in the most curious ways.

Reco
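The two-rule policy described in the reply above (hashlimit ACCEPT followed by a SYN-only DROP) can be stepped through without a live firewall. The following is an added illustration, not code from the list post or from iptables itself: it models the per-source token bucket that the xt_hashlimit match keeps (bucket size = --hashlimit-burst 16, refill = --hashlimit 1/hour, keyed by --hashlimit-mode srcip) and applies the same ACCEPT/DROP decision to a constructed sequence of SSH connection attempts. The model assumes `-p tcp` (the corrected protocol), ignores the 60 s --hashlimit-htable-expire idle timeout, and uses made-up source addresses.

```python
"""Model of the per-source SSH rate limit built from the two iptables rules
in the thread.  Added example: simulates xt_hashlimit's token bucket so the
policy can be traced step by step.  The 60 s htable-expire is not modelled."""

from dataclasses import dataclass, field

HASHLIMIT_BURST = 16          # --hashlimit-burst 16  (bucket size)
HASHLIMIT_RATE_PER_HOUR = 1   # --hashlimit 1/hour    (refill rate)
SSH_PORT = 22                 # --dport 22


@dataclass
class Bucket:
    tokens: float   # remaining "credits" for this source
    last: float     # time of the previous lookup (seconds)


@dataclass
class SshLimiter:
    """One bucket per source IP, as --hashlimit-mode srcip keys them."""
    table: dict = field(default_factory=dict)

    def filter(self, now, src, dport, syn_only):
        """Return 'ACCEPT' or 'DROP' for one inbound TCP segment.

        now      - arrival time in seconds
        src      - source IP (constructed values in the scenario below)
        dport    - destination port
        syn_only - True for a bare SYN (SYN set, RST/ACK clear), i.e. a NEW
                   connection attempt; False for packets of an existing session
        """
        if dport != SSH_PORT:
            return 'ACCEPT'   # neither rule matches; later rules decide
        if not syn_only:
            return 'ACCEPT'   # rule 1 needs ctstate NEW, rule 2 needs SYN-only flags
        bucket = self.table.get(src)
        if bucket is None:
            # a new hashtable entry starts with a full bucket
            bucket = Bucket(tokens=HASHLIMIT_BURST, last=now)
            self.table[src] = bucket
        # refill credits for the time elapsed since the previous lookup,
        # capped at the burst size; the timestamp is updated on every lookup
        elapsed = now - bucket.last
        bucket.tokens = min(HASHLIMIT_BURST,
                            bucket.tokens + elapsed * HASHLIMIT_RATE_PER_HOUR / 3600.0)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return 'ACCEPT'   # rule 1 (hashlimit) matched -> ACCEPT
        return 'DROP'         # rule 1 fell through, rule 2 drops the SYN


def run_scenario():
    """Constructed traffic: 20 SYNs from one address in 20 s, then probes."""
    lim = SshLimiter()
    out = {}
    verdicts = [lim.filter(t, '59.46.71.10', 22, True) for t in range(20)]
    out['accepted_in_burst'] = verdicts.count('ACCEPT')          # 16
    out['seventeenth'] = verdicts[16]                            # DROP
    # a different source at the same time has its own bucket
    out['other_source'] = lim.filter(30, '192.0.2.7', 22, True)  # ACCEPT
    # packets of an already established session never hit either rule
    out['established'] = lim.filter(31, '59.46.71.10', 22, False)  # ACCEPT
    # after one hour the bucket has refilled exactly one token
    out['after_one_hour'] = lim.filter(20 + 3600, '59.46.71.10', 22, True)          # ACCEPT
    out['after_one_hour_second'] = lim.filter(21 + 3600, '59.46.71.10', 22, True)   # DROP
    return out


if __name__ == '__main__':
    for name, verdict in run_scenario().items():
        print(f'{name}: {verdict}')
```

The scenario makes two points the prose leaves implicit: the buckets are per source address, so a flood from one host does not affect another, and the limit is a token bucket that refills one connection per hour rather than resetting to 16 after an hour of silence. It also shows why the `--tcp-flags SYN,RST,ACK SYN` qualifier matters: non-SYN segments of an existing session bypass both rules entirely.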

