859
edits
Changes
From SME Server
Jump to navigationJump to searchSSH Filtering with IPTables (view source)
Revision as of 18:46, 6 February 2019
, 18:46, 6 February 2019Created page with "==Introduction== After a recent rise in the amount of SSH attacks I decided to have a look at other methods of blocking SSH attacks. ===DenyHosts=== DenyHosts works well: h..."
==Introduction==
After a recent rise in the amount of SSH attacks I decided to have a look at other methods of blocking SSH attacks.
===DenyHosts===
DenyHosts works well:
https://wiki.contribs.org/Denyhosts
However, it was sending me a lot of mails. Yes, I could disable them.
However, it has to check the logs and find failed logins and then create a list for ssh to check against. SO it will allow at least one connection.
I wanted something a bit quicker that would bulk block a lot of IPs immediately.
===Fail2ban===
Fail2ban works as well:
https://wiki.contribs.org/Fail2ban
However, it needs 3 attempts and required quite a bit of processing so can be a bit cumbersome.
What I really wanted was to block some IPs outright using GeoIP blocking.
Fail2ban can do this as per this:
https://thecustomizewindows.com/2016/11/fail2ban-geoip-action-script-block-ssh-country/
However, I wanted a something a bit lighter and faster and an instant block. The above link show you how to create a script that you can use with hosts/allow to block with GeoIP
===Xtables===
There are some xtables RPMs floating about that work with GeoIP v1 DBs but not sure about v2 DBs. Needs investigation
===hosts.allow===
This approach is very brute force and ignorance. You are highly likely to lock yourself out, so be prepared. Preferably keep an extra terminal open and logged in as a backup.
Make sure other SSH blocking features like denyhosts etc are disabled
mkdir -p /etc/e-smith/templates-custom/etc/hosts.allow
cp /etc/e-smith/templates/etc/hosts.allow/sshd /etc/e-smith/templates-custom/etc/hosts.allow
Open the custom template with your favourite editor.
Remove any other lines and then add this line where a.b.c.d is the IP
sshd: a.b.c.d: allow
You can add more than one address, and subnets too - there is plenty of information online about this.
sshd: a.b.c.d w.x.y.: allow
The only down side is it leaves a lot of mess in your messages log and so far I can't find out how to shift the messages elsewhere.
It is very effective though.
===SSH Filter with GeoIP blocking===
Another approach is one I found here originally:
https://www.axllent.org/docs/view/ssh-geoip
However, CentOS does not use aclexec.
I looked for a replacement and found this site, and a relevant comment below
https://tecadmin.net/allow-server-access-based-on-country/
"For all CentOS users, spawn or aclexec does not work, the hint is already given by using iptables to block the user.
The iptables command given appends (-A) so the connection might still go through, to really block the IP you have to insert (-I) the block rule at rule #1.
You can use my altered script for a working CentOS/RHEL version:
https://github.com/chiel1980/scripts/blob/master/ipfilter.sh"
So I grabbed a copy of the script but found I had to do a little work for it to run with SME.
====Installation====
Here is how to install the geoip blocking script.
====Prerequisites====
OK, running GeoIP2 databases is a prerequisite. Please see smeserver-geoip2 here https://wiki.contribs.org/GeoIP
Make sure you disable denyhosts so it doesn't interfere with this script in hosts.allow
====Installing====
Make sure you can get results with the geoiplookup tool
Get the main script:
wget https://www.reetspetit.com/Other/sshfilter.sh -O /usr/local/bin/sshfilter.sh
chmod 0755 /usr/local/bin/sshfilter.sh
Edit the file with your favourite editor.
Add the countries you want to ALLOW in:
ALLOW_COUNTRIES
They are currently set to GB ES FR but you can use any country code/s.
Create a masq iptables fragment to handle the blocks
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40sshFilter
Add this:
# A blacklist chain for sshFilter
/sbin/iptables --new-chain BLOCKDYN
/sbin/iptables -A INPUT -j BLOCKDYN
Create a hosts.allow custom fragment as above with the following contents:
sshd: ALL : spawn /usr/local/bin/sshfilter.sh %a %d
Now we can expand the templates and restart the masq service:
expand-template /etc/rc.d/init.d/masq
expand-template /etc/hosts/allow
service masq restart
Now you can look at iptables to see your handiwork
iptables -L BLOCKDYN
====Notes====
Testing - please see the comments in the script for how to test.
/usr/local/bin/sshfilter.sh 1.2.3.4 ssh DE BLOCKDYN
echo "" | /usr/local/bin/sshfilter.sh 8.8.8.8 ssh DE BLOCKDYN
====Issues====
Logging.
All the logging goes to /var/log/secure. Errors should really go elsewhere. Needs some thought. See my comments:
# This will log to /var/log/secure
LOGDENY_FACILITY="authpriv.info"
# This should go to /var/log/messages but doesn't. Need to figure that out
LOGDENY_FACILITY_ERR="authpriv.error"
IPTables
The table can get big quickly.
It may be worth having running an iptables flush from cron periodically
You can do it manually
iptables -F BLOCKDYN
It may be worth looking at adding a specific AllowHosts section in the chain, or somewhere in masq to Allow Specific hosts, but block the rest of a country.
[[Category:SSH]]
After a recent rise in the amount of SSH attacks I decided to have a look at other methods of blocking SSH attacks.
===DenyHosts===
DenyHosts works well:
https://wiki.contribs.org/Denyhosts
However, it was sending me a lot of mails. Yes, I could disable them.
However, it has to check the logs and find failed logins and then create a list for ssh to check against. SO it will allow at least one connection.
I wanted something a bit quicker that would bulk block a lot of IPs immediately.
===Fail2ban===
Fail2ban works as well:
https://wiki.contribs.org/Fail2ban
However, it needs 3 attempts and required quite a bit of processing so can be a bit cumbersome.
What I really wanted was to block some IPs outright using GeoIP blocking.
Fail2ban can do this as per this:
https://thecustomizewindows.com/2016/11/fail2ban-geoip-action-script-block-ssh-country/
However, I wanted a something a bit lighter and faster and an instant block. The above link show you how to create a script that you can use with hosts/allow to block with GeoIP
===Xtables===
There are some xtables RPMs floating about that work with GeoIP v1 DBs but not sure about v2 DBs. Needs investigation
===hosts.allow===
This approach is very brute force and ignorance. You are highly likely to lock yourself out, so be prepared. Preferably keep an extra terminal open and logged in as a backup.
Make sure other SSH blocking features like denyhosts etc are disabled
mkdir -p /etc/e-smith/templates-custom/etc/hosts.allow
cp /etc/e-smith/templates/etc/hosts.allow/sshd /etc/e-smith/templates-custom/etc/hosts.allow
Open the custom template with your favourite editor.
Remove any other lines and then add this line where a.b.c.d is the IP
sshd: a.b.c.d: allow
You can add more than one address, and subnets too - there is plenty of information online about this.
sshd: a.b.c.d w.x.y.: allow
The only down side is it leaves a lot of mess in your messages log and so far I can't find out how to shift the messages elsewhere.
It is very effective though.
===SSH Filter with GeoIP blocking===
Another approach is one I found here originally:
https://www.axllent.org/docs/view/ssh-geoip
However, CentOS does not use aclexec.
I looked for a replacement and found this site, and a relevant comment below
https://tecadmin.net/allow-server-access-based-on-country/
"For all CentOS users, spawn or aclexec does not work, the hint is already given by using iptables to block the user.
The iptables command given appends (-A) so the connection might still go through, to really block the IP you have to insert (-I) the block rule at rule #1.
You can use my altered script for a working CentOS/RHEL version:
https://github.com/chiel1980/scripts/blob/master/ipfilter.sh"
So I grabbed a copy of the script but found I had to do a little work for it to run with SME.
====Installation====
Here is how to install the geoip blocking script.
====Prerequisites====
OK, running GeoIP2 databases is a prerequisite. Please see smeserver-geoip2 here https://wiki.contribs.org/GeoIP
Make sure you disable denyhosts so it doesn't interfere with this script in hosts.allow
====Installing====
Make sure you can get results with the geoiplookup tool
Get the main script:
wget https://www.reetspetit.com/Other/sshfilter.sh -O /usr/local/bin/sshfilter.sh
chmod 0755 /usr/local/bin/sshfilter.sh
Edit the file with your favourite editor.
Add the countries you want to ALLOW in:
ALLOW_COUNTRIES
They are currently set to GB ES FR but you can use any country code/s.
Create a masq iptables fragment to handle the blocks
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40sshFilter
Add this:
# A blacklist chain for sshFilter
/sbin/iptables --new-chain BLOCKDYN
/sbin/iptables -A INPUT -j BLOCKDYN
Create a hosts.allow custom fragment as above with the following contents:
sshd: ALL : spawn /usr/local/bin/sshfilter.sh %a %d
Now we can expand the templates and restart the masq service:
expand-template /etc/rc.d/init.d/masq
expand-template /etc/hosts/allow
service masq restart
Now you can look at iptables to see your handiwork
iptables -L BLOCKDYN
====Notes====
Testing - please see the comments in the script for how to test.
/usr/local/bin/sshfilter.sh 1.2.3.4 ssh DE BLOCKDYN
echo "" | /usr/local/bin/sshfilter.sh 8.8.8.8 ssh DE BLOCKDYN
====Issues====
Logging.
All the logging goes to /var/log/secure. Errors should really go elsewhere. Needs some thought. See my comments:
# This will log to /var/log/secure
LOGDENY_FACILITY="authpriv.info"
# This should go to /var/log/messages but doesn't. Need to figure that out
LOGDENY_FACILITY_ERR="authpriv.error"
IPTables
The table can get big quickly.
It may be worth having running an iptables flush from cron periodically
You can do it manually
iptables -F BLOCKDYN
It may be worth looking at adding a specific AllowHosts section in the chain, or somewhere in masq to Allow Specific hosts, but block the rest of a country.
[[Category:SSH]]
