[PLUG] Re: iptables firewalling...

Jeff Moore Jeff.Moore at chemeketa.edu
Tue Sep 5 19:52:21 UTC 2006


> On 9/5/06, Carlos Konstanski <ckonstanski at pippiandcarlos.com> wrote:
> > Another thought on ports and security.  Here's something I need to do,
> > right this minute.  I have port 22 open, but I accept password
> > authentication for SSH.  I need to take away password auth immediately,
> > and require authorized keys instead.  You should see the syslog entries
> > - thousands of attempts to guess usernames and passwords.  Of all the
> > logs I see, this one worries me the most.
> >
> > Carlos Konstanski
> 
> Using keys will add extra security, but it won't stop the log files
> from filling up.  Lately it seems a whole dictionary is being used for
> these attacks (it used to be just a dozen words at a time: root,
> admin, apache, john, etc.).  I guess using a whole dictionary has been
> more successful for these guys.
> 
> At least it seemed to work for one client's server.  He created a user
> account using a common name and used the same name as the password.
> There were about 3GB of outgoing e-mail choked up in the spool, by the
> time I got there (SMTP port was blocked).  Apparently when these
> attempts are successful, the attacking script just pushes another
> generic mailer script out and kicks it off blind.  (Was a simple Perl
> script.)
> 
> But back to the log files...  The only way to stop these attacks from
> filling up your log files is to block port 22.  You can do this and
> open up the port for just a few specific IP addresses.  Or you can
> close it for all IP addresses and dynamically open it up for specific
> ones using port knocking.
> 
> Some would say port knocking isn't a worthy security measure.  Perhaps
> so.  However, having clean log files is still a wonderful thing. ;-)
> 
> Here's a shameless plug for a port-knocking technique you can use
> anywhere iptables is available: http://www.soloport.com/iptables.html

   I agree that portknocking alone is weak, but all good security has
layers. When portknocking is used in combination with RSA authentication
and strong usernames and passwords it certainly helps. If portknocking
allows you to be invisible to 90% of the script kiddies out there, then
all the better. Plus your logs will thank you...
   Below is a little variation of the same portknocking idea. It's a bit
more simplistic, but I like it that way. If I don't have to build scripts
to knock from remote hosts, then I am happy. Just telnet to the central
port and boom, you're in. If a fella wanted to build scripts to connect
and make it difficult, then he might as well do encrypted ICMP
portknocking or something fancy like that. I am all about simplicity
myself, and yes, I have to connect from other systems like Windows boxes.
   Funny thing is, I originally got it from the same website. Can't find
the old link though...
   Keep in mind that you will want to have the --remove statements above
and below the port number you use for access. This way if there are any
crawling access attempts they will end up closing the port no matter
which direction they scan.
   To use it, just telnet to the unlock port (6423) and break the telnet
connection. This will open 22 for your IP address. Then when you are
done, just telnet to the lock port (either 6422 or 6424).

#SSH PORTKNOCKING:
# Port 22: accept a NEW connection only if the source IP is already in the SSHAccess list
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSHAccess -j ACCEPT
# Lock port below the unlock port: remove the source IP from the list, then drop the packet
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6422 -m recent --name SSHAccess --remove -j DROP
# Unlock port: add the source IP to the list, then drop the packet
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6423 -m recent --name SSHAccess --set -j DROP
# Lock port above the unlock port: remove the source IP from the list, then drop the packet
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6424 -m recent --name SSHAccess --remove -j DROP
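As an added example (not from the original post or from the soloport page), here is a small model of the four rules above, used to check the claim that a sequential scan in either direction leaves port 22 closed for the scanner while a single knock on 6423 opens it. It assumes the rules are evaluated top to bottom on NEW TCP connections, that the SSHAccess list is keyed by source IP, and that no --seconds timeout applies; the source addresses in the test are constructed.

```python
# Model of the "recent"-module port-knocking rules: one SSHAccess list
# keyed by source IP, consulted/updated exactly as the four rules do.
# Assumption: rules run top to bottom on NEW TCP connections, no timeout.

SSH_PORT = 22
UNLOCK_PORT = 6423            # --set: add source to SSHAccess
LOCK_PORTS = (6422, 6424)     # --remove: drop source from SSHAccess


def apply_rules(knocked, src, dport):
    """Verdict for a NEW TCP packet from src to dport.

    Mutates `knocked` (the SSHAccess list) the way --set/--remove would.
    Returns "ACCEPT", "DROP", or "PASS" (no rule matched; later rules
    in the INPUT chain, not modelled here, would decide).
    """
    if dport == SSH_PORT:
        # --rcheck only tests membership, it never modifies the list
        return "ACCEPT" if src in knocked else "PASS"
    if dport in LOCK_PORTS:
        knocked.discard(src)  # --remove on an absent entry is harmless
        return "DROP"
    if dport == UNLOCK_PORT:
        knocked.add(src)      # --set adds (or refreshes) the entry
        return "DROP"
    return "PASS"


def run(events):
    """Replay (src, dport) connection attempts; return the set of source
    IPs that could now open an SSH connection."""
    knocked = set()
    for src, dport in events:
        apply_rules(knocked, src, dport)
    return frozenset(knocked)


def ssh_open_after(src, ports):
    """True if `src` can reach port 22 after knocking `ports` in order."""
    return src in run([(src, p) for p in ports])


if __name__ == "__main__":
    ip = "198.51.100.7"  # constructed sample address
    print("single knock on 6423:", ssh_open_after(ip, [6423]))
    print("scan 6400..6449 upward:", ssh_open_after(ip, range(6400, 6450)))
    print("scan 6449..6400 downward:", ssh_open_after(ip, range(6449, 6399, -1)))
```

Because no --seconds is given, an unlocked address stays in the list until a lock port is hit or the list fills (xt_recent keeps 100 entries by default and evicts the oldest), so hitting 6422 or 6424 when you are done is what actually closes the door.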
