One of the most annoying things about having an Internet gateway that accepts inbound SSH is the constant barrage of SSH brute force attacks: bots trying stupid username/password combinations, filling up log files and generally being a nuisance. No, I don't use "root/toor" or similar weak credentials, but the noise is still there...
I recently moved our home gateway from an ASA5505 to a Vyatta box (I will write about that in more detail later). One of the most rewarding things I found is that Vyatta's firewall configuration (basically a front-end to iptables) makes it easy to block traffic based on how recently the same source has been seen. To make a long story short, add rules similar to these to your "local" firewall policy (the one applied to traffic destined to the gateway itself) to severely limit what these SSH brute force bots can do...
rule 5 {
    action accept
    description "Accept Established"
    state {
        established enable
        related enable
    }
}
rule 9 {
    action drop
    description "Limit inbound SSH connections"
    destination {
        port ssh
    }
    protocol tcp
    recent {
        count 3
        time 30
    }
    state {
        new enable
    }
}
rule 10 {
    action accept
    description "Accept inbound SSH"
    destination {
        port ssh
    }
    protocol tcp
    state {
        new enable
    }
}
How to interpret these rules?
- Rule 5 is the usual "allow established/related" rule. It applies to any connection-tracked traffic, not just TCP, so the rules after it only ever see new connections.
- Rule 9 drops a new inbound SSH connection (a TCP packet with the SYN flag set) when more than 3 have already been seen from the same source address within the last 30 seconds. Because the underlying iptables recent match refreshes the entry on every hit, a bot that keeps hammering stays blocked for as long as it keeps trying, while a legitimate user who trips the limit only needs to pause for 30 seconds.
- Rule 10 accepts the new inbound SSH connections (TCP SYN) that rule 9 did not drop. Vyatta evaluates rules in numeric order, so the drop rule must keep a lower number than the accept rule or the limit never fires.
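The behaviour of rule 9 is easier to see with a small model of the per-source match it relies on. The following Python is an added example, not code from the original post or from Vyatta; it assumes that Vyatta compiles `recent { count 3; time 30 }` into the iptables recent-match pair `--update --seconds 30 --hitcount 3` (carrying the drop) followed by `--set`, keyed on source address, and it feeds the model a constructed trace (the addresses 203.0.113.7 and 198.51.100.5 and all timestamps are made up, not captured traffic).

```python
"""Model of the per-source rate limit behind Vyatta rule 9.

Added example, not code from the original post or from Vyatta.  It assumes
Vyatta compiles a `recent { count N; time T }` stanza into the iptables
xt_recent pair `--update --seconds T --hitcount N` (carrying the rule's
action) followed by `--set` (recording the source), keyed on source address.
All addresses and timestamps below are constructed.
"""

COUNT = 3   # recent { count 3 }
TIME = 30   # recent { time 30 }, in seconds


class RecentTable:
    """Per-source timestamp lists, as the kernel's recent match keeps them.

    The kernel caps each list (ip_pkt_list_tot); the model ignores that cap,
    which does not change any verdict for the traces used here.
    """

    def __init__(self, count=COUNT, time=TIME):
        self.count = count
        self.time = time
        self.stamps = {}

    def new_syn(self, src, now):
        """Verdict for a new inbound SSH SYN from `src` at time `now` (seconds).

        The --update rule matches only when `src` is already listed with at
        least `count` hits inside the last `time` seconds; a match refreshes
        the entry and drops the packet.  Otherwise --set records the attempt
        and the packet falls through to the accept rule (rule 10).
        """
        stamps = self.stamps.setdefault(src, [])
        hits = sum(1 for t in stamps if now - t <= self.time)
        stamps.append(now)  # --update on a match, --set otherwise: both record `now`
        return "drop" if hits >= self.count else "accept"


def run_trace(attempts, count=COUNT, time=TIME):
    """Apply rule 9 to a time-ordered list of (seconds, source) SYNs."""
    table = RecentTable(count, time)
    return [(t, src, table.new_syn(src, t)) for t, src in attempts]


def summarize(trace):
    """Count accept/drop verdicts per source address."""
    totals = {}
    for _, src, verdict in trace:
        totals.setdefault(src, {"accept": 0, "drop": 0})[verdict] += 1
    return totals


# Constructed traffic: a bot from 203.0.113.7 sending a SYN every 2 s for two
# minutes, and an admin from 198.51.100.5 opening three sessions in quick
# succession and a fourth one later.
BOT = "203.0.113.7"
ADMIN = "198.51.100.5"
SAMPLE_ATTEMPTS = sorted(
    [(t, BOT) for t in range(0, 120, 2)]
    + [(1, ADMIN), (5, ADMIN), (9, ADMIN), (45, ADMIN)]
)

if __name__ == "__main__":
    for t, src, verdict in run_trace(SAMPLE_ATTEMPTS):
        print(f"t={t:3d}s  {src:<14} {verdict}")
    print(summarize(run_trace(SAMPLE_ATTEMPTS)))
```

Running it shows the bot's fourth SYN and every one after it dropped for as long as it keeps hammering, because each matched SYN refreshes the entry; the admin's three quick logins and the later one all go through, and a source that stays quiet for longer than 30 seconds is accepted again.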
Hope this helps...