firewall ip address if it tries to login as a specified user

[djlangford]

Sorry for the newb question, but this topic is the perfect answer to my needs, but I have a stupid problem, all of the IP Addresses in (FC2 box) are pre-pended with ::ffff: So, the $10 variable isn't right. I tired sed, but was not sucessful. Is there something I need to do in sshd_conf or in the exec statement?

Thanks, and again sorry fo the stupid question.

[Muso]

Hi, I have some questions to this kind of setup.

I have swatch running and it's adding the IPs to iptables.

1. How do I get rid of those added IPs after a while or do you just keep them forever?

2. About iptables: Do I need to start this thing or are those tables used by the kernel anyway?

Sorry, if this sounds dumb but I'm just not a guru Linux admin.

[JimDog]

I was noticing ssh login attempts as well and came up with this solution using the recent module for iptables...

modprobe ipt_recent ip_list_tot=200

iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS
-d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck
--hitcount 3 --seconds 60 --name SSH_PROBERS
-j LOG --log-prefix "Adaptive-FW SSH Prober: "

iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS
-d $IPADDR --dport 22 -m state --state NEW -m recent
--update --hitcount 3 --seconds 60 --name SSH_PROBERS
-j DROP

iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS
-d $IPADDR --dport 22 -m state --state NEW -m recent
--set --name SSH_PROBERS -j ACCEPT

SWEET. I started to download swatch but decided to try your way instead. I left out the -i, -sport and -d parameters but it still appears to work as wanted. Is there any reason I should not leave those out. I tested it by trying to SSH in to my box from my wife's computer with "bogus" and made sure it blocked her computer after several tries.....while that computer was blocked I tried to SSH in with a legit user from another computer and it let me in. So it appears to only block the bad ip....and just for a while (60 seconds if I'm understanding correctly how it works).

I think this is the best solution. I just need to make sure I'm not creating a problem down the line by not having those other parameters in the rules. Thanks!!!

[Wolfmans Brother]

With the ipset extensions to iptables you can added a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IP to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specifiy.

[Oppie]

Well you have always heard of portsentry.
And you should disable root logins for ssh.
There is a setting in sshd.conf for that.
Get out your manuals and read up on it.

[Muso]

With the ipset extensions to iptables you can added a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IP to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specifiy.

I took a look at the IPSET stuff. Sounds really cool but as I understand it, it requires a kernel patch. That's something I can't do on my production machine. Is there a way to check if the current kernel might support IPSET as is?

[Wolfmans Brother]

With the ipset extensions to iptables you can added a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IP to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specifiy.

I took a look at the IPSET stuff. Sounds really cool but as I understand it, it requires a kernel patch. That's something I can't do on my production machine. Is there a way to check if the current kernel might support IPSET as is?

Sure: just try "modprobe ipt_set", and "ipset -N testset iphash". If both of these work, you're ready to rumble.

[kaelthas]

I wanted to be sure to cover root in my automatic blocking, as well as permablock the brats (just for fun). Maybe someone else will find this helpful. You first need to create a file (/etc/swatch_rejects below) which you can source from your firewall script somewhere, or separately, after iptables is reset for whatever reason (like a reboot). So I have this for my swatchrc (yes I changed the email address)

#Add firewall rules for bad login attempts
watchfor /Invalid user test|Invalid user guest|Invalid user admin|Invalid user web|Invalid user ftp|Invalid user oracle/
mail=email@domain.com,subject="swatch match: $10 firewall rule added"
exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"
exec "echo '/sbin/iptables -A swatch_rejects -s $10 -j DROP' >> /etc/swatch_rejects"
continue
watchfor /User root from/
mail=email@domain.com,subject="swatch match: $9 firewall rule added"
exec "/sbin/iptables -A swatch_rejects -s $9 -j DROP"
exec "echo '/sbin/iptables -A swatch_rejects -s $9 -j DROP' >> /etc/swatch_rejects"

Luckily I'm the only one accessing this server via ssh, and only have one non-root non-common account configured to connect, which is there only for me to su.