Monitor and block SSH connection attempts

-

Monitor and block SSH connection attempts.

Here is a simple guide for iptables...
This will set iptables to default:
........
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
Then flush the rules:
sudo iptables -F INPUT
sudo iptables -F OUTPUT
sudo iptables -F FORWARD
This allows you to view your current rules:
$ sudo iptables -L
........
Install iptables-persistent package to save tables on reboot.
$ sudo apt-get install iptables-persistent
During the installation, you will asked if you want to save your current firewall rules.
If you update your firewall rules and want to save the changes, run this command:
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload
........
With the following, an attacker is allowed to produce exactly 3 faulty logins in 2 minutes. Afterwards, they will be blocked for 120 seconds.
1) Add the following line to /etc/ssh/sshd_config
MaxAuthTries 1
This will allow only 1 login attempt per connection. Restart the ssh server.
2) Add the following firewall rules:
Create a new chain:
$ sudo iptables -N SSHATTACK
$ sudo iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
$ sudo iptables -A SSHATTACK -j DROP
If you need to ever remove or flush the chain, use these commands:
$ sudo iptables -D SSHATTACK
$ sudo iptables --flush SSHATTACK
$ sudo iptables -X SSHATTACK
$ sudo iptables -L
In case of the forth connection attempt, the request gets delegated to the SSHATTACK chain, which is responsible for logging the possible ssh attack and dropping the request.
You may need to change wlan0 to eth0 or whatever network interface you are using. Also make sure your port number is correct. It is 22 in this case.
$ sudo iptables -A INPUT -i wlan0 -p tcp -m state --dport 22 --state NEW -m recent --set
$ sudo iptables -A INPUT -i wlan0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
3) See log entries of possible shh- attacks in /var/log/syslog
....
This will only allow 4 TCP/SYN packets to port 22 from an IP address in 5 minutes. If more attempts are made, the door will be closed for 5 minutes.
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP

 

Comments

Post a Comment

Popular posts from this blog

Cheat Sheet : Wireshark

-
 Now that you know some command line packet sniffing, lets go over some wireshark display filters: * If you want to filter by a protocol, just type it in, like arp, dns, etc.   * If you click the analyze tab you can filter here as well   * If you did it by tp, you can go to preferences/protocols/tcp and take the check out of “relative sequence numbers” and they will show the real seq numbers   * Right click a packet and follow tcp stream to see the whole conversation between the client and the server . if you do this and you close out of the window you will see that the filter is listed for these packets   * A source filter can be applied to restrict the packet view in wireshark to only those packets that have source IP as mentioned in the filter. The filter applied in the example below is: ip.src == 10.10.10.5   * A destination filter can be applied to restrict the packet view in wireshark to only those packets that have destination IP as m...
Read more

Cheat Sheet : NetCat

-
Netcat is known by most hackers as the swiss army knife of hacking. Its a great tool to setup backdoors or just plain and simple tcp or udp connections. Heres a few examples of how you can use netcat: Lets do some exercises with it in Kali linux. Our VMs today are a kali linux  and a windows 7. First start by looking at the help file nc -h  1. Lets check to see what ports are listening,(first start the apache2 service) type: nc -v 80  2. If you had started the apache service on kali linux you should see it shows there as open  3. You can also set up a listener port, type: nc -lvp 1234  4. The l here is for listen, the v is for verbose, the p is to specify the port to listen on  5. Lets open up a second terminal window and use netcat to connect to the listener  6. In the second terminal type: nc 10.0.0.100 1234 and hit enter  7. The first terminal should show you connected  8. Now lets chat from the second terminal b...
Read more