
To stop brute-force attacks on my server (the OS is CentOS 6) I want to:

  1. block for 1 minute everyone who makes more than 4 login attempts during the last minute
  2. block for 1 day everyone who makes more than 100 login attempts during the last day

When I add iptables rules for item (1)

#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#----------------------------------------------------------------

iptables accepts it and works as expected. But when I try to add rules for item (2) above:

#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --set --name SSH2
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
# Next line causes an error
-A SSH_CHECK -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#-----------------------------------------------------------------

it causes an error. I have made some experiments, and it seems that it refuses to add two rules with the --hitcount option to the SSH_CHECK chain.

What am I doing wrong? Below is my current /etc/sysconfig/iptables file.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#-----------------------------------------------------------------

# NTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
COMMIT

Edit:

I've been asked about error messages. It just doesn't say anything that could help (IMHO).

iptables-restore /etc/sysconfig/iptables

says

iptables-restore: line ## failed

where ## is the number of the last line in /etc/sysconfig/iptables.

iptables -I SSH_CHECK 3 -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED

says

iptables: Invalid argument. Run `dmesg' for more information.

dmesg contains nothing about it.

  • Gah! What error does it generate? How can you not think that is important information to convey? – womble May 05 '12 at 06:37
  • It just doesn't say anything that could help. iptables-restore /etc/sysconfig/iptables says "iptables-restore: line ## failed", where ## is the number of the last line in /etc/sysconfig/iptables. iptables -I SSH_CHECK 3 -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED says "iptables: Invalid argument. Run `dmesg' for more information." – Fedor Kotov May 05 '12 at 07:17
  • How can you know that? You don't know enough to solve the problem yourself, and yet you're *absolutely*, 100% certain that the error message could not *possibly* be of *any* help to *anyone* else who might have an interest in helping you solve your problem? – womble May 05 '12 at 07:19
  • Yes. You are right. I often overestimate my abilities. I added info about error messages to the question body. – Fedor Kotov May 05 '12 at 07:26

2 Answers


You're missing a line with --set --name SSH2 somewhere before the one that's listed in the error message.

The --rttl option requires there to be a --set option for the same list. You have one for the SSH list but not for the SSH2 list.

The error message could be a little clearer about this.

Ladadadada
  • But `iptables-restore /etc/sysconfig/iptables` fails after replacing the anti-bruteforce rules in `/etc/sysconfig/iptables` with the second fragment of code (see question body). It contains the `-A SSH_CHECK -m recent --set --name SSH2` line before `-A SSH_CHECK -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED`. – Fedor Kotov May 05 '12 at 08:13
  • I was only looking at your current `/etc/sysconfig/iptables` file and the command you ran at the end. I see the `--set --name SSH2` in the earlier section now. The command at the bottom has `-I SSH_CHECK 3` which may be its problem depending on what rules are already in place. What I would recommend is finding the smallest/simplest set of rules that still cause the error and update your question with that set of rules if still required. – Ladadadada May 05 '12 at 13:27

The default maximum value of --hitcount is set to 20.

You can verify this: cat /sys/module/xt_recent/parameters/ip_pkt_list_tot

You need to reload the module with extra parameters: modprobe xt_recent ip_pkt_list_tot=500

List of available parameters: modinfo xt_recent

Aleksander