Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Page 2 of 2 < 1 2
Topic Options
#316969 - 04/12/2008 18:38 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I'm also thinking that the last line (well. after you accept established connections really) should be along the lines of:
Code:
 $ipt -I INPUT -p tcp -m recent --name ssh_knock --remove

Otherwise all I need to do is portscan and then ssh in...

Also see http://www.debian-administration.org/articles/268 for a multi-port knock using ipt_recent
(Which also -I think - has the failing that multiple portscans will open the hole)


Edited by LittleBlueThing (04/12/2008 18:39)
_________________________
LittleBlueThing Running twin 30's

Top
#316973 - 04/12/2008 20:03 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Originally Posted By: LittleBlueThing
I'm also thinking that the last line (well. after you accept established connections really) should be along the lines of:
Code:
 $ipt -I INPUT -p tcp -m recent --name ssh_knock --remove

Otherwise all I need to do is portscan and then ssh in...


Eh? Plain english, please!

Top
#316977 - 04/12/2008 21:23 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I thought it was wink

Well, when ipt sees the IP hit port $KNOCK it jumps to ssh_add
That adds the IP to the ssh_knock list
If the IP tries port 22 it goes to the ssh_filter which checks if the IP is in the ssh_knock list.
If it is then the rule succeeds.

What doesn't happen is that the IP is *removed* from the ssh_knock list if it hits any other port between hitting the $KNOCK port and port 22.

So If I do a portscan, hitting ports 1-65534 port 22 opens and stays open for a short while.

What you really want is for port 22 to be closed if the IP hits any other port after hitting $KNOCK and before hitting 22.

Hmm, even better would be if hitting $KNOCK and !22 put the IP onto a pre-KNOCK DROP blacklist for a short while - that would stop/slow brute force attacks too.
_________________________
LittleBlueThing Running twin 30's

Top
#316979 - 04/12/2008 22:47 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Thanks. Gotta be a bit careful there, though, as somebody could be accessing our web server legitimately from the same IP as I'm using to connect to SSH. Say, both of us behind the same hotel/corporate NAT firewall.

But yeah, good idea for ports with nothing public on them.

Something like this line, after the existing -j ssh_add line:

ipt -A INPUT -p tcp --syn -m recent --name ssh_knock --rcheck -j ssh_del

Cheers!


Edited by mlord (05/12/2008 10:33)
Edit Reason: Added --syn for correctness

Top
#316988 - 05/12/2008 08:10 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I used -I by mistake since my chain doesn't exist in your example, sorry. Actually I just did:
ipt -A tcp_packets -m recent --name ssh_knock --remove
which is just what you used but without the logging.

In my rules this is at the end of the tcp_packets/tcp_filter list before the default DROP.

Ensuring it comes after any 'accept' ports and 'established' should do what you want though.
_________________________
LittleBlueThing Running twin 30's

Top
#316990 - 05/12/2008 10:31 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
Originally Posted By: LittleBlueThing
Ensuring it comes after any 'accept' ports and 'established' should do what you want though.

Yup, that's where it is in the script here now, too.
Nice little improvement over the original, that is.

Cheers!

Top
#316999 - 05/12/2008 13:27 Re: A botnet is attacking my server [Re: mlord]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
Curiously, the connection attempts on my ssh port have completely stopped. Do you suppose they gave up after I went public-key-auth-only?

Top
Page 2 of 2 < 1 2