[CentOS] [WTA] Automatically blocking on failed login

Tue May 25 09:18:32 UTC 2010
Tom Yates <madhatter at teaparty.net>

On Tue, 25 May 2010, David wrote:

> I would like to use CentOS for all. I've a transparent firewall (CentOS 
> + iptables) and I want to use it as a filter. I've been using iptables 
> on the server machine (not in transparent firewall), and I want to get 
> the job done by the firewall. Is it possible for my firewall to do this 
> task, while the computer being attacked is a different one?

sort of, yes.  after some investigation and thought, i decided to protect 
my ssh servers with rate-limiting, using iptables.

rate-limiting doesn't care whether a login succeeded or failed, it just 
detects repeated attempts to connect from the same source address to the 
same destination port, and blocks any past the first two in a rolling 
60-second window (both parameters are of course configurable).  this makes 
it suitable for use on the firewall rather than the endpoint, and i 
suspect it can be extended to IMAP and similar services (though mail 
clients that wish to continually make new connections rather than keeping 
existing ones open and reusing them will run into problems).

for sshd, analysis of last week's logs shows that the number of connection 
attempts rejected this way each day varies from 2,200 to 82,000, while the 
number of failed logins on sshd varies daily from 2 to 25 - so you can see 
that this is somewhere between 99% and 99.997% effective at preventing 
people from getting as far as a password-guessing attack.  server load has 
*substantially* decreased.

if this is of interest to you, i wrote the details up at 
http://www.teaparty.net/technotes/ssh-rate-limiting.html .


-- 

   Tom Yates  -  http://www.teaparty.net
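The rate-limiting rules described in the message above, as an added example that is not part of the original post and is not taken from the technote it links. It assumes the firewall is a bridge whose forwarded traffic passes the FORWARD chain (bridge-nf-call-iptables enabled), a protected sshd host at the documentation address 192.0.2.10, and the parameter names, the table name SSH and the functions ssh_ratelimit_rules, check_hitcount and show_ssh_table, all of which are this example's own:

```shell
#!/bin/sh
# Added example (not the original post's or the linked technote's code): per-source
# connection rate limiting for sshd with the iptables "recent" match, arranged so it
# can run on a transparent (bridging) CentOS firewall in front of the server.
# All of the following are assumptions about the layout, override them in the environment:
#   SERVER  - protected sshd host behind the bridge (RFC 5737 documentation address)
#   CHAIN   - FORWARD on the bridge; INPUT if this runs on the endpoint itself
#   HITS    - attempts counted before dropping; 3 blocks everything past the first two
#   WINDOW  - length of the rolling window in seconds
# Usage:  sh ssh-ratelimit.sh           (print the rules for review)
#         sh ssh-ratelimit.sh --apply   (run them, as root)
SERVER=${SERVER:-192.0.2.10}
CHAIN=${CHAIN:-FORWARD}
HITS=${HITS:-3}
WINDOW=${WINDOW:-60}

# Emit the iptables commands.  The --set rule records a timestamp for every new
# connection from a source; the --update rule then matches once HITS or more of
# that source's timestamps fall inside the last WINDOW seconds and drops the packet.
# --set runs first so the current attempt is counted, and --update refreshes the
# entry, so a source that keeps hammering stays blocked until it slows to fewer
# than HITS new connections per WINDOW.  Success or failure of the login never
# enters into it, which is why this works on the firewall rather than the endpoint.
ssh_ratelimit_rules() {
    server=$1 chain=$2 hits=$3 window=$4
    # Only NEW connections are counted; packets of established sessions pass untouched.
    echo "iptables -A $chain -d $server -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set"
    echo "iptables -A $chain -d $server -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP"
    # Omit this if the chain's policy already accepts what is not dropped above.
    echo "iptables -A $chain -d $server -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# The recent module stores at most ip_pkt_list_tot timestamps per address (20 unless
# the module was loaded with a larger value), so a --hitcount above that can never
# match and the DROP rule silently does nothing.  Refuse such a value.
check_hitcount() {
    hits=$1 list_tot=${2:-20}
    if [ "$hits" -gt "$list_tot" ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot $list_tot; reload the module with a larger value" >&2
        return 1
    fi
    return 0
}

# Show the tracked addresses and their timestamps.  The table lives under
# /proc/net/xt_recent on current kernels and under /proc/net/ipt_recent on
# CentOS 5 era kernels; whichever exists is the one in use.
show_ssh_table() {
    for f in /proc/net/xt_recent/SSH /proc/net/ipt_recent/SSH; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "no recent table named SSH found (rules not loaded?)" >&2
    return 1
}

case "${1:-}" in
    --apply)
        check_hitcount "$HITS" || exit 1
        ssh_ratelimit_rules "$SERVER" "$CHAIN" "$HITS" "$WINDOW" | sh -e
        ;;
    *)
        ssh_ratelimit_rules "$SERVER" "$CHAIN" "$HITS" "$WINDOW"
        ;;
esac
```

With HITS=3 and WINDOW=60 the third new connection from one source within any 60-second span is dropped, which is the "past the first two" behaviour the message describes; raising HITS or WINDOW changes the threshold without touching anything else. Applied to IMAP (ports 143 and 993) the same three rules produce exactly the failure the message warns about: a mail client that opens a fresh connection for every folder check trips the counter as readily as a password guesser does, so either raise HITS for that port or exempt known client addresses before the DROP rule.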