5/26/07

Firewall with iptables

This post shows how to set iptables rules as a Linux firewall to fend off brute force attacks. A few days ago, on my old Fedora Core 4 server, when I was monitoring /var/log/messages to verify that my cronjob was still running, I found something like this:

May 23 15:04:18 fedev sshd(pam_unix)[6037]: check pass; user unknown
May 23 15:04:18 fedev sshd(pam_unix)[6037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net
May 23 15:04:23 fedev sshd(pam_unix)[6040]: check pass; user unknown
May 23 15:04:23 fedev sshd(pam_unix)[6040]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net
May 23 15:04:29 fedev sshd(pam_unix)[6043]: check pass; user unknown
May 23 15:04:29 fedev sshd(pam_unix)[6043]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net

and in /var/log/secure:
May 23 15:04:15 fedev sshd[6035]: Failed password for invalid user develop from ::ffff:70.248.31.102 port 47109 ssh2
May 23 15:04:18 fedev sshd[6037]: Invalid user webdeveloper from ::ffff:70.248.31.102
May 23 15:04:20 fedev sshd[6037]: Failed password for invalid user webdeveloper from ::ffff:70.248.31.102 port 47529 ssh2
May 23 15:04:23 fedev sshd[6040]: Invalid user services from ::ffff:70.248.31.102
May 23 15:04:26 fedev sshd[6040]: Failed password for invalid user services from ::ffff:70.248.31.102 port 47941 ssh2
May 23 15:04:29 fedev sshd[6043]: Invalid user ircd from ::ffff:70.248.31.102

uhh.. looks like I'm under attack.

Anyone who runs a server on a public IP address runs into this problem. These two iptables commands will reject any further requests from an address that has made more than 3 new connections to port 22 within 5 minutes. Since -I inserts each rule at the head of the INPUT chain, the DROP rule ends up above the --set rule (as the iptables-save output further down shows); keep that order if you script them.
[root@fedev ~]# iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --set
[root@fedev ~]# iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
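To see what these two rules would do against a log like the one above, here is an added Python example (not from the original post) that parses /var/log/secure failed-password lines and replays each one as a NEW connection through the recent module's sliding window, in the chain order the -I commands produce. The sample log lines, the assumed year 2007 (syslog lines carry none), and treating one failed-password line per source port as one connection are all constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample lines in the /var/log/secure format shown above (not the post's own log).
SAMPLE_LOG = """\
May 23 15:04:15 fedev sshd[6035]: Failed password for invalid user develop from ::ffff:70.248.31.102 port 47109 ssh2
May 23 15:04:20 fedev sshd[6037]: Failed password for invalid user webdeveloper from ::ffff:70.248.31.102 port 47529 ssh2
May 23 15:04:26 fedev sshd[6040]: Failed password for invalid user services from ::ffff:70.248.31.102 port 47941 ssh2
May 23 15:04:31 fedev sshd[6043]: Failed password for invalid user ircd from ::ffff:70.248.31.102 port 48102 ssh2
May 23 15:05:02 fedev sshd[6050]: Failed password for root from ::ffff:10.0.0.7 port 51000 ssh2
May 23 15:06:00 fedev sshd[6061]: Failed password for invalid user test from ::ffff:70.248.31.102 port 49000 ssh2
May 23 15:10:00 fedev sshd[6077]: Failed password for invalid user admin from ::ffff:70.248.31.102 port 50001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def parse_failures(text, year=2007):
    """Return (timestamp, source_ip) per failed-password line. The year is assumed (2007, the
    post's date); the ::ffff: IPv4-mapped prefix is stripped so the address matches what iptables sees."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip.startswith("::ffff:"):
            ip = ip[len("::ffff:"):]
        events.append((ts, ip))
    return events

def simulate_recent(events, seconds=300, hitcount=3):
    """Replay NEW connections through the rules in chain order: '--update --seconds 300
    --hitcount 3 -j DROP' first, then '--set'. Every connection gets a stamp either way
    (from --update when it matches, from --set otherwise); the verdict is DROP when the
    source already has at least `hitcount` stamps inside the window. Returns [(ts, ip, verdict)]."""
    table = {}  # source ip -> stamps; simplified: the kernel also caps stamps per address (ip_pkt_list_tot)
    result = []
    for ts, ip in events:
        in_window = [s for s in table.get(ip, []) if (ts - s).total_seconds() < seconds]
        verdict = "DROP" if len(in_window) >= hitcount else "ACCEPT"
        table[ip] = in_window + [ts]
        result.append((ts, ip, verdict))
    return result

if __name__ == "__main__":
    for ts, ip, verdict in simulate_recent(parse_failures(SAMPLE_LOG)):
        print(ts.strftime("%H:%M:%S"), ip, verdict)
```

Dropped attempts are still stamped, so an address that keeps retrying stays blocked; it is only accepted again once fewer than 3 stamps fall inside the 300-second window, as the last sample line shows.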

However, the rules I just applied will be lost after a restart. To make them permanent you can put the above commands into /etc/rc.local, or use the command "service iptables save", which writes the rules to /etc/sysconfig/iptables:
[root@fedev ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@fedev ~]#

Note:
The iptables-save and iptables-restore commands write the iptables rules to STDOUT and read them back from STDIN (so they can be redirected to and from a file). Here are examples:
[root@fedev ~]# mkdir /backup
[root@fedev ~]# iptables-save > /backup/iptables.nobrute
[root@fedev ~]# cat /backup/iptables.nobrute
# Generated by iptables-save v1.2.11 on Fri May 25 18:24:00 2007
*filter
:INPUT ACCEPT [1923:874178]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1380:533607]
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
COMMIT
# Completed on Fri May 25 18:24:00 2007
[root@fedev ~]# iptables-restore < /backup/iptables.backup


Note: In Ubuntu I don't see an iptables service in /etc/init.d, so we need to manually create a script file to run those two commands.
