AutoBlock

From SME Server

Public SSH Access

Configuring SSH access as public results in a large number of scripted login attempts, which consume bandwidth and CPU and generate log noise. AutoBlock adds an iptables rule that blocks repeated connection attempts to the configured sshd port. See bugzilla:8257 and bugzilla:8258.

It is set to reject connections when there have already been 3 or more requests in the previous 15 minutes. The block lapses once fewer than this many requests fall within the period set by AutoBlockTime.

By design, only IP addresses outside your local network are blocked when too many attempts are made.


  Note:
Affa is incompatible with AutoBlock. Use Fail2ban.


Default values

AutoBlockTime=900           # 900 seconds  (15 minutes).
AutoBlockTries=4            # meaning that 3 tries are allowed, the fourth try is blocked.
AutoBlock=disabled          # default for SME Server 8
AutoBlock=enabled           # default for SME Server 9

Set Values

The ipt_recent (SME8) or xt_recent (SME9) kernel module records the current block status of the last 100 IP addresses seen, in /proc/net/ipt_recent/SSH (SME8) or /proc/net/xt_recent/SSH (SME9). The chain that uses it looks like this; the output is from "iptables -L SSH_Autoblock -v" on a system up for 56 days:

Chain SSH_Autoblock (1 references)
pkts bytes target     prot opt in     out     source    destination
29388 1521K            all  --  any    any     anywhere  anywhere    recent: SET name: SSH side: source
19169 1010K denylog    all  --  any    any     anywhere  anywhere    recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source
   3   180 denylog    all  --  any    any     anywhere  anywhere    recent: CHECK seconds: 7200 hit_count: 8 TTL-Match name: SSH side: source

You only have two controls for the iptables rule: a time period to consider and a connection attempt threshold for that period. The default settings use a 900 second (15 minute) period, during which 3 connection requests may be made without interference. The fourth and subsequent attempts are counted and blocked. After at most 15 minutes of quiet, the block expires and you can try again.


  Note:
Setting the AutoBlockTries to a larger number will allow more attempts in whatever interval is selected by AutoBlockTime. Three tries in 15 minutes seems like a reasonable balance between blocking SSH scanners and human frailty.
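As an added example (not part of the SME Server page or its code), the following Python script applies the same CHECK logic offline to a dump of the recent table: it parses /proc/net/xt_recent/SSH lines and lists the sources that a rule "recent: CHECK seconds: AutoBlockTime hit_count: AutoBlockTries" would currently reject. The sample table lines, the HZ value and the local network are constructed assumptions; the kernel stores packet stamps in jiffies, so HZ is needed to convert AutoBlockTime to the same unit, and the TTL-Match qualifier of the real rule is ignored.

```python
import ipaddress
import re

# One /proc/net/xt_recent/SSH line per source; the trailing numbers are the
# jiffies stamps of the packets the SET rule recorded for that source.
LINE_RE = re.compile(
    r"src=(?P<ip>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<idx>\d+)(?P<stamps>.*)$"
)

# Constructed sample table, not a real capture; stamps are jiffies with HZ=1000.
SAMPLE_TABLE = """\
src=203.0.113.7 ttl: 52 last_seen: 4305000 oldest_pkt: 4 4301000, 4302000, 4303000, 4305000
src=198.51.100.9 ttl: 48 last_seen: 4300000 oldest_pkt: 2 3300000, 4300000
src=192.168.1.20 ttl: 64 last_seen: 4306000 oldest_pkt: 6 4301500, 4302500, 4303500, 4304500, 4305500, 4306000
"""


def parse_recent_table(text):
    """Return {source_ip: [stamp, ...]} from the text of the xt_recent table."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        stamps = [int(s) for s in m.group("stamps").replace(",", " ").split()]
        entries[m.group("ip")] = stamps
    return entries


def blocked_sources(text, now_jiffies, hz, seconds=900, hit_count=4, local_net=None):
    """Mirror 'recent: CHECK seconds: <seconds> hit_count: <hit_count>': a source
    is rejected when at least hit_count of its recorded packets fall within the
    last `seconds` seconds. Addresses inside local_net (assumed CIDR string) are
    skipped, as the page says hosts on the local network are never blocked."""
    window = seconds * hz
    net = ipaddress.ip_network(local_net) if local_net else None
    blocked = []
    for ip, stamps in parse_recent_table(text).items():
        if net is not None and ipaddress.ip_address(ip) in net:
            continue
        hits = sum(1 for s in stamps if now_jiffies - s <= window)
        if hits >= hit_count:
            blocked.append(ip)
    return sorted(blocked)


if __name__ == "__main__":
    # Defaults from the page: AutoBlockTime=900, AutoBlockTries=4.
    for ip in blocked_sources(SAMPLE_TABLE, 4306000, 1000, local_net="192.168.1.0/24"):
        print("currently blocked:", ip)
```

On a live SME9 system the same function can be fed the real file contents and the host's HZ and current jiffies; raising hit_count or seconds in the call shows how a changed AutoBlockTries or AutoBlockTime would alter the verdict.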


How to tune hitrates?

db configuration setprop sshd AutoBlockTries {n} # [replace {n}, braces included, with a number]
signal-event remoteaccess-update

How to tune Blocktime?

db configuration setprop sshd AutoBlockTime {s} # [replace {s}, braces included, with a number of seconds]
signal-event remoteaccess-update

How to disable/enable SSH_Autoblock?

db configuration setprop sshd AutoBlock disabled

or:

db configuration setprop sshd AutoBlock enabled

followed by:

signal-event remoteaccess-update

Note: if sshd is moved to another port (say 2211), SSH_Autoblock follows it: the rule is installed on whatever port is configured for sshd.

How to access the AutoBlock history?

  • For SME8:
cat /proc/net/ipt_recent/SSH
  • For SME9:
cat /proc/net/xt_recent/SSH


  Note:
signal-event remoteaccess-update will result in the AutoBlock history being cleared due to the presence of: masq -> adjust in services2adjust for remoteaccess-update.


The current block status

How to display the current block status for the last 100 IP addresses seen:

iptables -L SSH_Autoblock -v

How to clear the history

A local system admin logged in as root may clear the SSH_AutoBlock history at any time with the following:

  • For SME8:
echo clear > /proc/net/ipt_recent/SSH
  • For SME9:
echo "/" > /proc/net/xt_recent/SSH

See the information in the iptables(8) man page for other block list management options.

Similar contribs