I P T A B L E S with S S H
There are lots of other things you can do to help secure your web server’s ssh port, but one of the most powerful and flexible is to bring iptables into the mix. Iptables is an applicaiton which comes preinstalled on most modern GNU/Linux distros and which provides instructions to the Linux kernel firewall. It is not a firewall in and of itself; rather, it provides a (relatively) easy way to view and modify the way the system’s built-in firewall tracks, filters, and transforms the network packets it receives.
In this particular use case, we care about iptables’s ability to perform actions on incoming ssh packets, based on parameters we define. Specifically, we’re going to use it to track all incoming ssh requests, and then block any host that tries to connect too many times. This is a simpler and more robust approach than the one DenyHosts takes, and the advantages are that it is self-maintaining and not dependent on log file parsing to work.
To list the IPTABLES default output in Linux distro we can see several chains.
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
In the example above, there are only the three default iptables chains defined, and no specific rules other than the default ACCEPT policy, meaning that if a packet matches none of the chain’s defined rules, it is accepted and allowed past the firewall. Since we haven’t set up any rules, right now iptables is doing nothing and letting all packets through.
If you were already using your web server’s firewall as its actual perimeter defense, you would likely want the chains’ policies to be default deny instead of accept; however, if you were already using the firewall like that it’s very likely you wouldn’t be reading this article because you’d already know what you’re doing.
Our goal here is to make iptables watch ssh traffic, which we’ll be receiving on TCP port 22, and if there are too many connection attempts within a certain period of time—I’m going to use one minute in this example, though you can use whatever interval makes you happy—then we want to log the host that’s trying to connect and then drop all of its packets. As soon as sixty seconds have elapsed between connection attempts, iptables will forget the remote host and it will be allowed to try to connect again.
To accomplish this, we need to add three rules to the INPUT chain, and we also need to create a new chain to handle the logging and dropping and then add a couple of rules to it as well. Additionally, we need a method of making the rules and chains persistent between reboots
To create a INPUT chain rule we can use a simple syntax.
$ sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
The syntax is a little archaic, but the line tells iptables that you want to append a rule onto the existing INPUT chain. The -p tcp argument indicates that this rule will apply only to TCP packets. Most of the rest of the arguments rely on the -m option, which stands for match and tells iptables that the rule applies to packets which match the specific attributes we’re looking for. Here, the rule will be applied to packets that signal the start of new connections headed for TCP port 22. If a packet matches those attributes, iptables will note the remote host’s address in a temporary list.
Iptables is now able to watch incoming ssh connections and drop packets from hosts which try to connect too often in too short a period of time.
Simple and powerfull scripting Firewall to be used with other security features Linux Distros offer.
Feel free to comment.
No comments:
Post a Comment