[CentOS] One approach to dealing with SSH brute force attacks.

mouss mouss at netoyen.net
Sat Feb 2 21:30:49 UTC 2008


Jay Leafey wrote:
>>
>> What I would I like to do is:
>>
>> - allow 22 from specific IPs
>> - allow another port (redirected) from anywhere. this port is then 
>> redirected to 22.
>>
>
> I do exactly this with a combination of SSH config options and 
> iptables rules.  In your /etc/ssh/sshd_config file, find the "Port 22" 
> statement and add a "Port" statement for the desired port, something 
> like:
>
> <snip>
> Port 22
> Port 20022
> Protocol 2
> <snip>
>
> Then, in iptables, add the appropriate rules to let incoming 
> connections to port 22 from only specific addresses and to allow port 
> 20022 (or whatever you pick) to be available worldwide.  Assuming you 
> wanted port 22 access for a local subnet like 192.169.1.0/24, add the 
> following to the /etc/sysconfig/iptables file before the REJECT 
> statement at the end of the file:
>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 
>> 192.168.1.0/24 --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
>> 20022 -j ACCEPT
>
> After restarting SSH and reloading iptables you should have just what 
> you want.  I use this, in addition to blockhosts 
> (http://www.aczoom.com/cms/blockhosts/), on several production systems 
> and the result has been almost total elimination of brute-force 
> attacks. on those systems.
>
> Another possibility is a variation on port-knocking using PKI 
> authentication or a shared secret.  The project is called fwknop 
> (http://www.cipherdyne.org/fwknop/) and has the potential to almost 
> completely eliminate brute-force attacks.
>
> Essentially, the target port (22 in the case of SSH) is not open at 
> all normally, but a daemon monitors the network interface for a 
> specific packet signed using either a shared secret or a 
> pre-authorized PGP key.  When it sees the packet, it opens up the 
> appropriate port for a specified time (usually just a few seconds) to 
> the IP address the packet comes from.  This allows a very short time 
> window for the client system to complete its connection before the 
> port gets closed down.  I've set this up on a couple of systems so far 
> with excellent results.
>
> Your mileage may vary!

I didn't think about adding the port in ssh. Thanks for the hint.

I was however looking for a way to implement this without touching sshd 
ports. After playing a little, I found the following to work

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12345 -j REDIRECT 
--to-ports 22
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 12345 -j MARK 
--set-mark 0x22
iptables -A INPUT -m mark --mark 0x22 -j ACCEPT

seems to do it. (12345 is not the real port).



More information about the CentOS mailing list