Sunday, January 9, 2011

Reducing SSH Brute Force attacks in Vyatta

Here's my first real post on this blog...

One of the most annoying things about having an Internet gateway that accepts inbound SSH is the constant barrage of SSH brute-force attacks: bots trying stupid username/password combinations, filling up log files and generally being a nuisance. No, I don't use "root/toor" or other such credentials...

I recently moved our home gateway from an ASA5505 to a Vyatta box (I'll write about that in more detail later). One of the most rewarding things I found is that Vyatta's firewall code (basically a front-end to iptables) makes it quite easy to block traffic based on recently seen traffic. To make a long story short, add rules similar to these to your "local" firewall policy to severely limit what SSH brute-force bots can do...

    rule 5 {
        action accept
        description "Accept Established"
        state {
            established enable
            related enable
        }
    }
    rule 9 {
        action drop
        description "Limit inbound SSH connections"
        destination {
            port ssh
        }
        protocol tcp
        recent {
            count 3
            time 30
        }
        state {
            new enable
        }
    }
    rule 10 {
        action accept
        description "Accept inbound SSH"
        destination {
            port ssh
        }
        protocol tcp
        state {
            new enable
        }
    }

How to interpret these rules:
  • Rule 5 is a typical "allow established" rule for general TCP traffic.
  • Rule 9 drops inbound SSH packets (with the TCP SYN flag set) if it sees more than 3 of them within a 30-second interval. Because it comes before rule 10, it gets first say on new SSH connections.
  • Rule 10 allows inbound SSH packets with the TCP SYN flag set that rule 9 did not drop.
This means that any brute-force script will either have to slow down to a crawl or will only get through for a couple of log entries before its connections are dropped. All in all, a significant reduction.
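To make the behaviour of rule 9 concrete, here is a small simulation of the policy as the post describes it: a new SSH connection is dropped once more than 3 new connections have been seen in the last 30 seconds. This is an added example written for this post, not Vyatta or iptables code. It assumes the count is kept per source address (which is how the iptables recent module tracks hits), and the `refresh_on_drop` switch models the assumption that a dropped packet still counts as a hit, so a bot that keeps hammering stays blocked until it has been quiet for the full window; the exact off-by-one and refresh semantics on a live box are worth checking with the firewall counters. The source addresses and timestamps in the trace are constructed.

```python
"""Simulation of a per-source "recent" limit like Vyatta's rule 9.

Added example, not code from the original post. The semantics modelled are
the ones the post states: drop a new SSH connection when more than COUNT new
connections from the same source address were seen in the last WINDOW seconds.
Whether a dropped packet also refreshes the source's entry is an assumption,
exposed as the refresh_on_drop parameter.
"""
from collections import defaultdict, deque

COUNT = 3        # recent { count 3 }
WINDOW = 30.0    # recent { time 30 }, in seconds


class RecentLimiter:
    """Tracks timestamps of recent new connections per source address."""

    def __init__(self, count=COUNT, window=WINDOW, refresh_on_drop=True):
        self.count = count
        self.window = window
        self.refresh_on_drop = refresh_on_drop
        self.seen = defaultdict(deque)  # src address -> timestamps in window

    def _expire(self, src, now):
        # Forget hits older than the window (sliding window per source).
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def new_connection(self, src, now):
        """Decide the fate of a new SSH connection (SYN) from src at time now.

        Returns "drop" (rule 9 matched) or "accept" (fell through to rule 10).
        """
        self._expire(src, now)
        q = self.seen[src]
        if len(q) >= self.count:
            # More than `count` attempts inside the window -> rule 9 drops it.
            if self.refresh_on_drop:
                q.append(now)  # assumption: the dropped packet still counts
            return "drop"
        q.append(now)
        return "accept"


def simulate(events, **kwargs):
    """Run a list of (timestamp, src) events through a fresh limiter."""
    limiter = RecentLimiter(**kwargs)
    return [(t, src, limiter.new_connection(src, t)) for t, src in events]


# Constructed trace: a bot hammers the gateway while an admin logs in once.
BOT = "203.0.113.7"      # constructed sample address
ADMIN = "198.51.100.2"   # constructed sample address
TRACE = [
    (0.0, BOT), (1.0, BOT), (2.0, BOT),  # first three reach sshd (and fail auth)
    (3.0, BOT),                          # fourth inside 30 s: dropped
    (5.0, ADMIN),                        # different source, unaffected
    (10.0, BOT), (20.0, BOT), (28.0, BOT),   # still inside the window: dropped
    (35.0, BOT),   # first hits expired; dropped only if drops refresh the entry
    (70.0, BOT),   # quiet for more than 30 s: accepted again either way
]


def decisions(refresh_on_drop=True):
    """Just the accept/drop verdicts for TRACE, for easy inspection."""
    return [d for _, _, d in simulate(TRACE, refresh_on_drop=refresh_on_drop)]


if __name__ == "__main__":
    for refresh in (True, False):
        print(f"refresh_on_drop={refresh}")
        for t, src, verdict in simulate(TRACE, refresh_on_drop=refresh):
            print(f"  t={t:5.1f}s  {src:14s}  {verdict}")
```

Run it and compare the two columns: with `refresh_on_drop=True` the bot's attempt at 35 s is still dropped because its own dropped packets kept the entry fresh, while the admin's single connection at 5 s goes through in both cases. Either way, only three of the bot's attempts ever reach sshd in the first half minute, which is the reduction the post is after.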


Hope this helps...