[PLUG] TCP Wrappers and IPs

Carla Schroder carla at bratgrrl.com
Tue Feb 21 21:36:39 UTC 2006


On Tuesday 21 February 2006 11:49, Roderick A. Anderson wrote:
> Paul Mullen wrote:
> > On Tue, Feb 21, 2006 at 07:58:58AM -0800, Ed Sawicki wrote:
> >>A far easier solution is to move ssh to a non-standard port.
> >
> > That doesn't help when you're behind a firewall that blocks any
> > non-standard ports.

But aren't you the boss of the firewall, since you're creating these rules? 
Anyway, your iptables hack is very excellent.

> >
> > I just recently began using a nifty iptables trick that limits the
> > rate of new incoming SSH connections (three/minute in this case):
>
> Very nice.  Question ( as I'm an iptables neophyte ) is this total
> connections or per connecting IP?  Say 5 people, that should be
> connecting, try in the same one minute period.  Do they all get in if
> they make the connection in the first try?
>
> Terrible phrasing and terminology ... I know.  Hopefully it gets my
> question across.

It does not discriminate on the basis of source address. It simply 
rate-limits the number of new connections per minute from anywhere. So if 
your limit is 4/minute, and 5 people try to connect, the last one will be 
blocked, and will have to wait. OpenSSH keeps trying

>   iptables -N SSH_LIMIT
>   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_LIMIT
>   iptables -A SSH_LIMIT -m state --state NEW -m recent --set --name SSH
>   iptables -A SSH_LIMIT -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
>   iptables -A SSH_LIMIT -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP

You might want to create an allow rule if you log in from the same remote 
address a lot. Something like this that puts no restrictions on SSH traffic 
from a particular address:

iptables -A INPUT -p tcp -s 12.34.56.78 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

Put this rule way high up in your script, to come before any other rules. This 
example restricts the source ports because anything coming from a privileged 
port is probably trouble, like from a compromised host using a spoofed IP.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Carla Schroder
 check out my "Linux Cookbook", the ultimate Linux user's
 and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
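Added example, not code from the post or its author: a small POSIX shell script that assembles the two pieces discussed above (the trusted-address ACCEPT exception placed ahead of the rate-limit chain) and, by default, prints the iptables commands for review instead of running them. The function names, the DRY_RUN/TRUSTED_IP/SSH_PORT/WINDOW/HITS parameters and the 12.34.56.78 default are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assembles the SSH rules from
# the thread in the order the post calls for: the trusted-source exception
# first, then the rate-limit chain. With DRY_RUN=1 (the default) the commands
# are printed for review; set DRY_RUN=0 to apply them as root.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Exception for one trusted address: new SSH connections from it are accepted
# outright, but only from unprivileged source ports (1024-65535), as in the
# post, since traffic sourced from a privileged port is treated as suspect.
allow_trusted_ssh() {
    run -A INPUT -p tcp -s "$1" --dport "$2" --sport 1024:65535 \
        -m state --state NEW -j ACCEPT
}

# The rate-limit chain from the post: every new SSH connection is recorded in
# the "SSH" list; once HITS entries fall inside WINDOW seconds, new ones DROP.
limit_new_ssh() {
    port="$1"; window="$2"; hits="$3"
    run -N SSH_LIMIT
    run -A INPUT -p tcp --dport "$port" -m state --state NEW -j SSH_LIMIT
    run -A SSH_LIMIT -m state --state NEW -m recent --set --name SSH
    run -A SSH_LIMIT -m state --state NEW -m recent --update \
        --seconds "$window" --hitcount "$hits" --name SSH
    run -A SSH_LIMIT -m state --state NEW -m recent --rcheck \
        --seconds "$window" --hitcount "$hits" --name SSH -j DROP
}

# Full ruleset: exception first so it is evaluated before the limiter.
# Arguments: trusted-ip ssh-port window-seconds hitcount
build_ssh_rules() {
    allow_trusted_ssh "$1" "$2"
    limit_new_ssh "$2" "$3" "$4"
}

# Constructed defaults; override via environment variables.
build_ssh_rules "${TRUSTED_IP:-12.34.56.78}" "${SSH_PORT:-22}" \
    "${WINDOW:-60}" "${HITS:-4}"
```

Run it once with the default DRY_RUN=1 and read the six printed commands before applying anything.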