Saturday 9 July 2005

Tweaks and Filters

Been poking at Friday this week. I was getting a USB extension cord for work so I picked up one that glows red and hooked that up to Friday. It's sweet! And then the old plain one went to work. I also poked at GDM until I figured out how to change the login screen for Friday. My login screen now proudly displays the MDM flag! Heh, it's nice.

The other thing I dug up was firewall rules to block those stupid SSH dictionary attacks that keep flying around. Basically, a compromised host on the Internet attempts to login via SSH using a large number of common user names and presumably either no password or some guessable password (like "password"). If you check your logs you'll find that the attacks come in a big burst and generally all within 5-10 seconds.

So it turns out that the simple way to deal with this in a fairly effective manner is to rate-limit the number of new SSH connections accepted by the host with iptables. The rate-limiting allows a minimal number of malicious login attempts and also has a minimal likelihood that it can be used for a DoS attack. The rules I use allow a burst of 5 (the default) and then a maximum rate of 10 logins per minute. The effect is that the attacker gets 5 login attempts, then the rest get dropped until 6 seconds have elapsed, and then the attacker gets 1 more login attempt every 6 seconds. During this time, a legitimate user may get rejected, but they just have to wait a minute and things will be back to normal.

-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable


I've been using the above rules on both Siona and Nikita for a week or so now and it's been very effective at mitigating those attacks. It's NICE!
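To see what those two rules actually do to a burst, here is an added token-bucket simulation of the limit match (10/min, burst 5) run over constructed traffic. It is a simplified model written for this post, not netfilter's own code, and the attacker/legitimate-user timings are made up.

```python
# Added example: token-bucket model of "-m limit --limit 10/min" (default burst 5)
# applied to a constructed SSH dictionary-attack burst. Simplified model for
# illustration only; it is not the netfilter implementation.
from fractions import Fraction

class SynRateLimiter:
    """Bucket of `burst` tokens, refilled at `per_min` tokens per minute.
    A SYN is ACCEPTed only if a whole token is available (exact arithmetic)."""

    def __init__(self, per_min=10, burst=5):
        self.refill = Fraction(per_min, 60)   # tokens per second
        self.burst = burst
        self.tokens = Fraction(burst)         # bucket starts full
        self.last = Fraction(0)

    def admit(self, t):
        t = Fraction(t)
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.refill)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False      # no token: falls through to the REJECT rule

def simulate(events, per_min=10, burst=5):
    """events: (time_seconds, label) pairs; returns (time, label, accepted) in time order."""
    limiter = SynRateLimiter(per_min, burst)
    return [(t, who, limiter.admit(t)) for t, who in sorted(events)]

# Constructed traffic: a dictionary attack hitting port 22 twice a second for 30 s,
# plus a legitimate user who tries once during the burst and once after it.
ATTACK = [(Fraction(i, 2), "attacker") for i in range(61)]   # t = 0.0, 0.5, ..., 30.0
LEGIT = [(Fraction("3.2"), "legit"), (Fraction(40), "legit")]

def accepted_times(label):
    """Arrival times (seconds) of the SYNs from `label` that got through."""
    return [float(t) for t, who, ok in simulate(ATTACK + LEGIT) if ok and who == label]

if __name__ == "__main__":
    # Shows the 5-attempt burst, then one accepted attempt every 6 seconds.
    for t, who, ok in simulate(ATTACK + LEGIT):
        print(f"{float(t):5.1f}s {who:9s} {'ACCEPT' if ok else 'REJECT'}")
```

Note that the limit match counts SYNs from every source together, which is why the legitimate user's attempt during the burst is rejected in the simulation; the hashlimit match can keep a separate bucket per source address if that matters on a busier host.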
