Difference between revisions of "AutoBlock"

From SME Server
===Public SSH Access===

Configuring SSH access as public results in a steady stream of scripted login attempts, which consume bandwidth and CPU and fill the logs with noise. AutoBlock adds an iptables rule that blocks repeated connection attempts to the configured sshd port. See [[bugzilla:8257]] and [[bugzilla:8258]].
  
New SME feature: [http://bugs.contribs.org/show_bug.cgi?id=8308 AutoBlock SSH]

A source address is rejected once it has made AutoBlockTries (default 4) connection attempts within the previous AutoBlockTime seconds (default 900, i.e. 15 minutes): the first three attempts get through, the fourth is blocked. The block lapses once fewer than that many attempts fall inside the window. Blocked attempts are counted as well, so the address has to stop trying before the block can expire.
  
Current work-in-progress documentation: [http://bugs.contribs.org/attachment.cgi?id=4578 here]

By design, only addresses outside your local network are blocked when too many attempts are made; hosts on the local network are never auto-blocked.

===Default values===

 AutoBlockTime=900           # 900 seconds (15 minutes)
 AutoBlockTries=4            # 3 tries are allowed, the fourth try is blocked
 AutoBlock=disabled          # default for SME Server 8
 AutoBlock=enabled           # default for SME Server 9

===Set Values===

The ipt_recent (SME8) or xt_recent (SME9) kernel module keeps a list named SSH of the last 100 source addresses seen, together with the times at which they were seen. It is exposed as /proc/net/ipt_recent/SSH (SME8) or /proc/net/xt_recent/SSH (SME9). The iptables chain that uses this list looks as follows; this is the output of "iptables -L SSH_Autoblock -v" from a system up for 56 days:

 Chain SSH_Autoblock (1 references)
  pkts bytes target     prot opt in     out     source    destination
 29388 1521K            all  --  any    any     anywhere  anywhere    recent: SET name: SSH side: source
 19169 1010K denylog    all  --  any    any     anywhere  anywhere    recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source
     3   180 denylog    all  --  any    any     anywhere  anywhere    recent: CHECK seconds: 7200 hit_count: 8 TTL-Match name: SSH side: source

You have only two controls for the iptables rule: a time period to consider (AutoBlockTime) and a connection-attempt threshold for that period (AutoBlockTries). With the defaults, 3 connection requests from an outside address may be made within any 900-second (15-minute) period without interference; the fourth and subsequent attempts are still counted, but blocked. Because the SET rule runs before the CHECK rule, blocked attempts keep refreshing the entry, so the block only expires once the address has been quiet: after at most 15 minutes of quiet you can try again. Note also that what is counted is connections to the sshd port, not failed logins. An administrator who opens a fourth session from the same outside address within 15 minutes is blocked just like a scanner, while a single connection that is let through can still carry several password guesses before sshd drops it.

{{Note box|Setting AutoBlockTries to a larger number allows more attempts in whatever interval AutoBlockTime selects. Three tries in 15 minutes seems like a reasonable balance between blocking SSH scanners and human frailty.}}

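To make the two-knob behaviour described above concrete, here is an added example (not part of the SME Server code or of this page's original text) that emulates the SSH_Autoblock chain in Python: a SET rule that stamps every packet, followed by a CHECK rule with a window of AutoBlockTime seconds and a threshold of AutoBlockTries, run over a constructed sequence of connection attempts. The local network 192.168.1.0/24, the sample addresses and the per-address stamp limit of 20 (the xt_recent ip_pkt_list_tot module default) are assumptions made for the example; the chain's jump condition that exempts the local network is modelled by a simple prefix check.

```python
import ipaddress
from collections import defaultdict, deque

# SME Server defaults from this page
AUTOBLOCK_TIME = 900    # seconds (AutoBlockTime)
AUTOBLOCK_TRIES = 4     # hit_count (AutoBlockTries): 3 allowed, the 4th is blocked
IP_PKT_LIST_TOT = 20    # stamps kept per address; assumed xt_recent module default

# Assumption for the example: the server's local network
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


class RecentList:
    """Emulates one ipt_recent/xt_recent list (here the list named SSH)."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        # deque(maxlen=...) drops the oldest stamp once the per-address limit is hit
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        """--set: record the time of this packet for its source address."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hit_count):
        """--rcheck --seconds S --hitcount N: true when >= N stamps lie in the last S seconds."""
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)
        return hits >= hit_count


def is_local(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_NETWORKS)


def ssh_autoblock(attempts, seconds=AUTOBLOCK_TIME, hit_count=AUTOBLOCK_TRIES):
    """Apply the SSH_Autoblock chain to (time_in_seconds, source_ip) connection attempts.

    Returns one (time, src, verdict) tuple per attempt; verdict is "ACCEPT" or "denylog".
    """
    recent = RecentList()
    verdicts = []
    for now, src in attempts:
        if is_local(src):
            # By design only addresses outside the local network reach the chain
            verdicts.append((now, src, "ACCEPT"))
            continue
        # Rule 1, "recent: SET name: SSH", has no target: EVERY packet, blocked or not,
        # adds a stamp. That is why hammering a blocked port keeps the block alive.
        recent.set(src, now)
        # Rule 2, "recent: CHECK seconds: 900 hit_count: 4 ... -j denylog"
        if recent.rcheck(src, now, seconds, hit_count):
            verdicts.append((now, src, "denylog"))
        else:
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


# Constructed sample: a scanner, an admin opening several sessions, and a LAN host
SCANNER, ADMIN, LAN_HOST = "203.0.113.5", "198.51.100.7", "192.168.1.10"
SAMPLE_ATTEMPTS = sorted([
    (0, SCANNER), (10, SCANNER), (20, SCANNER), (30, SCANNER), (40, SCANNER),
    (600, SCANNER),    # still hammering 10 minutes later: stays blocked
    (1450, SCANNER),   # 850 s of quiet: only 2 stamps left in the window, block lapsed
    (1460, SCANNER), (1470, SCANNER),
    (100, ADMIN), (400, ADMIN), (700, ADMIN), (800, ADMIN),  # legitimate sessions count too
    (5, LAN_HOST), (6, LAN_HOST), (7, LAN_HOST), (8, LAN_HOST), (9, LAN_HOST),
])


def verdicts_for(src, attempts=SAMPLE_ATTEMPTS, **chain_settings):
    """Verdict sequence for one source address, in time order; settings pass to ssh_autoblock."""
    return [v for _, s, v in ssh_autoblock(attempts, **chain_settings) if s == src]


if __name__ == "__main__":
    for now, src, verdict in ssh_autoblock(SAMPLE_ATTEMPTS):
        print(f"t={now:5d}s  {src:15s}  {verdict}")
```

Running it shows the scanner's fourth attempt denied, the attempt at t=600 still denied because the blocked attempts kept stamping the entry, and the attempt at t=1450 accepted after 850 seconds of quiet; the admin's fourth session within 15 minutes is denied exactly like the scanner's, and the LAN host is never touched. Passing hit_count=6 (the equivalent of setprop sshd AutoBlockTries 6) lets the scanner's first five attempts through, which is the trade-off the note above describes.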
====How to tune the hit count?====

 db configuration setprop sshd AutoBlockTries {n}    # replace {n} with a number, without the braces
 signal-event remoteaccess-update

====How to tune the block time?====

 db configuration setprop sshd AutoBlockTime {s}     # replace {s} with a number of seconds, without the braces
 signal-event remoteaccess-update

====How to disable/enable SSH_Autoblock?====

 db configuration setprop sshd AutoBlock disabled

or:

 db configuration setprop sshd AutoBlock enabled

followed by:

 signal-event remoteaccess-update

Note: if sshd is moved to another port (say 2211), SSH_Autoblock follows it: the chain is installed on whatever port is configured for sshd, so no separate change is needed.


===How to access the AutoBlock history?===

*For SME8:
 cat /proc/net/ipt_recent/SSH

*For SME9:
 cat /proc/net/xt_recent/SSH

{{Note box|signal-event remoteaccess-update clears the AutoBlock history, because services2adjust for remoteaccess-update contains masq -> adjust, which rebuilds the firewall rules; the SSH recent list is dropped together with the rule that referenced it.}}

====The current block status====

How to display the current block status and counters for the chain (the list itself holds the last 100 IP addresses seen):

 iptables -L SSH_Autoblock -v

====How to clear the history====

A local system administrator logged in as root may clear the SSH_Autoblock history at any time with the following:

* For SME8:
 echo clear > /proc/net/ipt_recent/SSH

* For SME9:
 echo / > /proc/net/xt_recent/SSH

See the "recent" match in the iptables(8) man page for other list management options, such as adding or removing a single address.


[[Category:Howto]]

Revision as of 17:42, 22 April 2014
