[CentOS] One approach to dealing with SSH brute force attacks.
mouss
mouss at netoyen.net
Sat Feb 2 21:30:49 UTC 2008
Jay Leafey wrote:
>>
>> What I would I like to do is:
>>
>> - allow 22 from specific IPs
>> - allow another port (redirected) from anywhere. this port is then
>> redirected to 22.
>>
>
> I do exactly this with a combination of SSH config options and
> iptables rules. In your /etc/ssh/sshd_config file, find the "Port 22"
> statement and add a "Port" statement for the desired port, something
> like:
>
> <snip>
> Port 22
> Port 20022
> Protocol 2
> <snip>
>
> Then, in iptables, add the appropriate rules to let incoming
> connections to port 22 from only specific addresses and to allow port
> 20022 (or whatever you pick) to be available worldwide. Assuming you
> wanted port 22 access for a local subnet like 192.169.1.0/24, add the
> following to the /etc/sysconfig/iptables file before the REJECT
> statement at the end of the file:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20022 -j ACCEPT
>
> After restarting SSH and reloading iptables you should have just what
> you want. I use this, in addition to blockhosts
> (http://www.aczoom.com/cms/blockhosts/), on several production systems
> and the result has been almost total elimination of brute-force
> attacks on those systems.
>
> Another possibility is a variation on port-knocking using PKI
> authentication or a shared secret. The project is called fwknop
> (http://www.cipherdyne.org/fwknop/) and has the potential to almost
> completely eliminate brute-force attacks.
>
> Essentially, the target port (22 in the case of SSH) is not open at
> all normally, but a daemon monitors the network interface for a
> specific packet signed using either a shared secret or a
> pre-authorized PGP key. When it sees the packet, it opens up the
> appropriate port for a specified time (usually just a few seconds) to
> the IP address the packet comes from. This allows a very short time
> window for the client system to complete its connection before the
> port gets closed down. I've set this up on a couple of systems so far
> with excellent results.
>
> Your mileage may vary!
I didn't think about adding the port in ssh. Thanks for the hint.
I was however looking for a way to implement this without touching sshd
ports. After playing a little, I found the following to work:

# nat: rewrite the destination port of packets arriving on 12345 to 22
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12345 -j REDIRECT --to-ports 22
# mangle PREROUTING is traversed before nat, so it still sees --dport 12345; mark those packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 12345 -j MARK --set-mark 0x22
# filter: accept the marked packets on INPUT (sshd itself still only listens on 22)
iptables -A INPUT -m mark --mark 0x22 -j ACCEPT

seems to do it. (12345 is not the real port).
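The first approach above tells you to add two ACCEPT rules "before the REJECT statement at the end" of /etc/sysconfig/iptables. Doing that by hand on several boxes is error-prone, so here is an added example (not code from either poster) of a small POSIX sh helper that generates the two rules for a given subnet and alternate port, validates both arguments, and splices the rules in just before the final REJECT of RH-Firewall-1-INPUT without duplicating them on a second run. The subnet 192.168.1.0/24 and port 20022 match the thread; the sample rules file embedded in the script is a constructed stand-in for a stock CentOS /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the two sshd ACCEPT
# rules in iptables-save syntax and inserts them into a rules file read on
# stdin, just before the last "-j REJECT" of RH-Firewall-1-INPUT.

# Constructed sample of a default CentOS /etc/sysconfig/iptables (filter table only).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# ssh_rules SUBNET ALTPORT: port 22 only from SUBNET, ALTPORT from anywhere.
ssh_rules() {
    printf '%s\n' \
      "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s $1 --dport 22 -j ACCEPT" \
      "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $2 -j ACCEPT"
}

# valid_port N: decimal TCP port in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_cidr A.B.C.D/N: four octets in 0..255 and a prefix length in 0..32
valid_cidr() {
    ip=${1%/*}; pfx=${1#*/}
    [ "$ip" != "$1" ] || return 1          # no "/" present
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# insert_ssh_rules SUBNET ALTPORT < rules-file > new-rules-file
# Idempotent: if either rule is already present nothing is inserted.
# Fails (exit 2) if the chain has no REJECT rule to anchor on.
insert_ssh_rules() {
    valid_cidr "$1" || { echo "bad subnet: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    rules=$(ssh_rules "$1" "$2")
    awk -v rules="$rules" '
        BEGIN { n = split(rules, r, "\n") }
        {
            lines[NR] = $0
            for (i = 1; i <= n; i++) if ($0 == r[i]) present++
        }
        /^-A RH-Firewall-1-INPUT .*-j REJECT/ { last_reject = NR }
        END {
            if (!last_reject) {
                print "no REJECT rule in RH-Firewall-1-INPUT" > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= NR; i++) {
                if (i == last_reject && !present) print rules
                print lines[i]
            }
        }'
}

# Demo on the constructed sample:
#   printf '%s\n' "$SAMPLE" | insert_ssh_rules 192.168.1.0/24 20022
# Real use (then "service iptables restart" after eyeballing the diff):
#   insert_ssh_rules 192.168.1.0/24 20022 < /etc/sysconfig/iptables > /tmp/iptables.new
```

The rules are compared line-for-line against the file, so re-running the helper after the rules are in place leaves the file unchanged; a missing REJECT anchor is treated as an error rather than silently appending after COMMIT.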