Sunday, January 9, 2011

Reducing SSH Brute Force attacks in Vyatta

Here's my first real post on this blog...

One of the most annoying things about having an Internet gateway that accepts inbound SSH is the constant barrage of SSH brute force attacks: bots trying stupid username/password combinations, filling up log files and just generally being a nuisance. No, I don't use "root/toor" or other such credentials...

I recently moved our home gateway from an ASA5505 to a Vyatta box (I will write about that in more detail later). One of the most rewarding things I found is that Vyatta's firewall code (basically a front-end to iptables) makes it quite easy to block traffic based on recently seen traffic from the same source address. To make a long story short, use rules similar to these as part of your "local" firewall policy to severely limit what these SSH brute force bots can do...

 rule 5 {
     action accept
     description "Accept Established"
     state {
         established enable
         related enable
     }
 }
 rule 9 {
     action drop
     description "Limit inbound SSH connections"
     destination {
         port ssh
     }
     protocol tcp
     recent {
         count 3
         time 30
     }
     state {
         new enable
     }
 }
 rule 10 {
     action accept
     description "Accept inbound SSH"
     destination {
         port ssh
     }
     protocol tcp
     state {
         new enable
     }
 }

How to interpret these rules?
  • Rule 5 is a typical "allow established" rule for general TCP traffic.
  • Rule 9 drops inbound SSH packets (new connections, i.e. with the TCP SYN flag set) from a source once it has seen more than 3 of them from that source within a 30-second interval.
  • Rule 10 allows inbound SSH packets with the TCP SYN flag set that rule 9 did not drop. Rules are evaluated in numeric order, so rule 9 has to come before rule 10.
This means that any brute force script either has to slow down to a crawl or will only annoy you for a couple of log entries. All in all, a significant reduction.
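To make the rule chain above concrete, here is an added simulation (example code, not from the post or from Vyatta) that walks rules 5, 9 and 10 over a constructed trace of SSH connection attempts. It assumes iptables "recent"-style semantics: every new SSH SYN is recorded per source address, and a SYN is dropped when that source already has `count` or more recorded SYNs within the last `time` seconds, the dropped SYN itself being recorded too, so a bot that keeps hammering stays blocked.

```python
"""Model of the rule 5/9/10 chain from the post. Constructed example;
assumes iptables 'recent' semantics (per-source sliding window)."""
from collections import defaultdict, deque

COUNT, TIME = 3, 30          # the post's rule 9 parameters


class SshRateLimiter:
    def __init__(self, count=COUNT, time=TIME):
        self.count, self.time = count, time
        self.seen = defaultdict(deque)   # src -> timestamps of recorded SYNs

    def decide(self, src, state, dport, now):
        """Return (rule, action) for one packet, walking rules 5, 9, 10."""
        if state in ("established", "related"):
            return 5, "accept"           # rule 5: reply traffic is always fine
        if dport != 22:
            return None, "default"       # the rules shown only cover SSH
        stamps = self.seen[src]
        while stamps and now - stamps[0] > self.time:   # slide the window
            stamps.popleft()
        hit = len(stamps) >= self.count  # already COUNT SYNs in the window?
        stamps.append(now)               # record this SYN either way (refreshes the entry)
        return (9, "drop") if hit else (10, "accept")


def run(packets, limiter=None):
    """Evaluate a list of (time, src, state, dport) packets in order."""
    lim = limiter or SshRateLimiter()
    return [(src, t) + lim.decide(src, st, dp, t) for t, src, st, dp in packets]


# Constructed trace: a bot hammering every 5 s, a legitimate admin with two
# logins, and the bot's retry after a pause (assumed names and timings).
TRACE = [
    (0, "bot", "new", 22), (5, "bot", "new", 22), (10, "bot", "new", 22),
    (12, "admin", "new", 22), (13, "admin", "established", 22),
    (15, "bot", "new", 22), (20, "bot", "new", 22), (25, "bot", "new", 22),
    (40, "admin", "new", 22),
    (60, "bot", "new", 22),   # 35 s after its last try: window is empty again
]

if __name__ == "__main__":
    for src, t, rule, action in run(TRACE):
        print(f"t={t:3d}s {src:6s} rule {rule}: {action}")
```

The bot's fourth SYN at t=15 is the first one dropped, and as long as it keeps trying every 5 seconds the window never empties, which is exactly the "slow down to a crawl" effect described above.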


Hope this helps...

Saturday, October 9, 2010

Introduction

Hi!

Now that I've decided to try some blogging, I might as well get started, no?

This blog will host the 'professional' side of my opinions, thoughts, ramblings (hence the name) and curious tidbits from my work interests. I've been around security in general and network security specifically since the mid-90s, so there's something to be said for experience - good, bad and ugly.

The non-professional opinions - on topics ranging from politics, religion and personal technology to parenting, golf and geekiness in general - will be on blog.mypuntifications.com.

I look forward to interesting conversations with readers/followers on a variety of topics. While it is never fun to admit one's mistakes, I will do my best to own up to them during our discussions.

Have fun!

Fernando