Keith via plug on 24 Mar 2021 14:36:23 -0700



Re: [PLUG] Web Ass Pfirewall



On 3/24/21 4:38 PM, Fred Stluka wrote:
Keith,

Iptables is still pretty good for blocking / choking traffic.  You can automatically block bad actors / abusive IPs by using the various limit modules.  One of my favorite rules simply blocks SSH ingress based on packets per hour.  You exceed the limit, you get blocked for a certain amount of time.

Can you do that with iptables alone?  Or does it need something
like fail2ban to change the iptables rules dynamically?

Nope, just iptables
It works beautifully and is just one rule.

Care to post the rule?

I can post an example of a rule :) from a security talk I gave in 2018.  The context of that talk was to discuss strategies related to increasing the observability of cyber-attacks.  As you will see, increasing observability is done by slowing the rate of packet ingress, but the specific mechanism for that is dynamically choking offending source IPs and holding them on a list (which in a larger effort would be sent to a security team for more review / action).

Here is the "before" situation:

Nov  4 11:45:30 <omitted>: Failed password for root from 116.31.116.6 port 45774 ssh2
Nov  4 11:45:34 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 45774 ssh2]
Nov  4 11:46:17 <omitted>: Failed password for root from 116.31.116.6 port 62822 ssh2
Nov  4 11:46:20 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 62822 ssh2]
Nov  4 11:47:00 <omitted>: Failed password for root from 116.31.116.6 port 47934 ssh2
Nov  4 11:47:05 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 47934 ssh2]

and here is the "after"

Nov  4 12:20:01 <omitted>: Failed password for root from 116.31.116.6 port 22813 ssh2
Nov  4 12:20:04 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 22813 ssh2]
Nov  4 12:30:26 <omitted>: Failed password for root from 116.31.116.6 port 36319 ssh2
Nov  4 12:30:31 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 36319 ssh2]
Nov  4 12:40:53 <omitted>: Failed password for root from 116.31.116.6 port 53939 ssh2
Nov  4 12:40:58 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 53939 ssh2]

If you look at the timestamps in both sets, you'll see that the below rule chokes the traffic by a factor of 10x (roughly 1 packet every 10 minutes instead of every 1 minute).  Additionally, that IP ends up on a list I can review and then do something cool like run geoiplookup against so I know where the traffic is coming from.  That rule in this case was:

iptables -A FORWARD -p tcp --dport 22 -d <my net> -m state --state NEW -m hashlimit --hashlimit-above 6/hour --hashlimit-mode srcip --hashlimit-burst 1 --hashlimit-name blockedSSH --hashlimit-htable-expire 60000 -j REJECT --reject-with icmp-host-unreachable

This rule will reject the communication and send back an icmp-host-unreachable message (yes, you could just drop) and then add the IP to the "blockedSSH" file in /proc/net/ipt_hashlimit/ for 60000 milliseconds but every hit on this rule would add the IP back so essentially they'll stay on there until the traffic stops or I do something permanent.   :D

--
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com
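To make the before/after comparison in Keith's post measurable rather than eyeballed, here is an added Python example (not Keith's code, not from the talk). It parses the two auth-log excerpts above, expands the "message repeated N times" records into attempt counts, counts new TCP connections per source IP by distinct source port (a new connection is what a `--state NEW` hashlimit rule actually meters, not individual password guesses inside one session), and compares the observed gap between connections with the token refill interval implied by `--hashlimit-above 6/hour`. Assumptions: the year 2018 is supplied only because syslog timestamps carry none, and the `<omitted>` host field is kept literally from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the two excerpts from the post, one record per line.
BEFORE = """\
Nov  4 11:45:30 <omitted>: Failed password for root from 116.31.116.6 port 45774 ssh2
Nov  4 11:45:34 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 45774 ssh2]
Nov  4 11:46:17 <omitted>: Failed password for root from 116.31.116.6 port 62822 ssh2
Nov  4 11:46:20 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 62822 ssh2]
Nov  4 11:47:00 <omitted>: Failed password for root from 116.31.116.6 port 47934 ssh2
Nov  4 11:47:05 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 47934 ssh2]
"""

AFTER = """\
Nov  4 12:20:01 <omitted>: Failed password for root from 116.31.116.6 port 22813 ssh2
Nov  4 12:20:04 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 22813 ssh2]
Nov  4 12:30:26 <omitted>: Failed password for root from 116.31.116.6 port 36319 ssh2
Nov  4 12:30:31 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 36319 ssh2]
Nov  4 12:40:53 <omitted>: Failed password for root from 116.31.116.6 port 53939 ssh2
Nov  4 12:40:58 <omitted>: message repeated 2 times: [ Failed password for root from 116.31.116.6 port 53939 ssh2]
"""

# Matches both the plain "Failed password" record and the syslog
# "message repeated N times: [ ... ]" compression of it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?:message repeated (?P<n>\d+) times: \[ )?"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) "
    r"port (?P<port>\d+) ssh2\]?$"
)


def parse_auth_log(text, year=2018):
    """Return (timestamp, src_ip, src_port, attempts) per record.
    'message repeated N times' counts as N attempts on the same connection.
    The year is an assumption: syslog timestamps do not include one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"]), int(m["n"] or 1)))
    return events


def summarize(events):
    """Per source IP: total password attempts, number of new connections
    (distinct source ports; on a long log a port can be reused, so the first
    sighting of each port is taken), and the mean gap in seconds between the
    starts of successive connections."""
    per_ip = defaultdict(lambda: {"attempts": 0, "first_seen": {}})
    for ts, ip, port, n in events:
        per_ip[ip]["attempts"] += n
        per_ip[ip]["first_seen"].setdefault(port, ts)
    out = {}
    for ip, rec in per_ip.items():
        starts = sorted(rec["first_seen"].values())
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        out[ip] = {
            "attempts": rec["attempts"],
            "connections": len(starts),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return out


def hashlimit_interval_s(rate):
    """Seconds per token for a hashlimit rate such as '6/hour': with
    --hashlimit-burst 1 that is the steady-state gap the rule lets through."""
    count, unit = rate.split("/")
    per_unit = {"second": 1, "sec": 1, "minute": 60, "min": 60,
                "hour": 3600, "day": 86400}[unit]
    return per_unit / int(count)


def exceeds_rate(summary, rate):
    """Source IPs whose mean gap between new connections is shorter than the
    refill interval of the given rate, i.e. traffic the rule would start
    rejecting once its single burst token is spent."""
    interval = hashlimit_interval_s(rate)
    return sorted(ip for ip, s in summary.items()
                  if s["mean_gap_s"] is not None and s["mean_gap_s"] < interval)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        summary = summarize(parse_auth_log(text))
        print(label, summary, "above 6/hour:", exceeds_rate(summary, "6/hour"))
```

On the post's data the "before" set shows three connections about 45 seconds apart and the "after" set three connections about 626 seconds apart; the latter sits right at the 600-second refill interval of 6/hour, which is the rule working as designed rather than the attacker slowing down on their own. Pointing the same functions at a full auth log and comparing `exceeds_rate` output with the entries in `/proc/net/ipt_hashlimit/blockedSSH` is a quick way to confirm the rule is catching what the log says it should.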

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug