Re: [nslu2-linux] NSLU2 Cracked?

  • Yann E. MORIN
    Message 1 of 13, Mar 7, 2007
      Rudy,
      All,

      On Wednesday 07 March 2007 155, Brian Wood wrote:
      > > So, was my NSLU2 cracked or is this something more innocuous?

      I'm using iptables to kinda block brute force attacks. The concept is:

      - _I_ know my password, and can mis-type it no more than a few times in a row,
      => this tells me that I log in successfully at the first ssh connection

      - _I_ won't disconnect and reconnect in a short period of time
      => this tells me that new TCP connections in a row are attacks

      So I'm using iptables' recent match:
      iptables -N recent_rule
      iptables -A INPUT -p tcp -m state --state NEW -j recent_rule
      iptables -A recent_rule -m recent --name recent_ssh --update --seconds 60 --hitcount 5 -j DROP
      iptables -A recent_rule -p tcp --dport 22 -m recent --name recent_ssh --set -j ACCEPT

      (Plus a few others, such as setting the policy to DROP, ACCEPTing from the local
      net, etc...)

      This does:
      - add a new chain named "recent_rule",
      - on all new TCP connection, jump to the "recent_rule" chain,
      - IPs that have been in the "recent_ssh" list at least 5 times in the last 60
      minutes get DROPed, and their last-seen time is updated,
      - IPs attempting a connection on port 22 are added to the "recent_ssh" list,
      and ACCEPTed.

      Note that the order of the "recent" rules is important. If you reverse the
      order of the last two rules, you end up adding IPs to the "recent_ssh" list
      and ACCEPTing them without ever testing the list!

      With this set of rules, anyone attempting more than 5 TCP connections on port
      22 (ssh) in the last 60 seconds is totally denied access to the machine on any
      port.

      That has cut the brute force attacks down to zero, except for the first 5
      attempts, which I tolerate for my own access to the machine. You can further
      restrict access down to 1 attempt if you're sure you will never have to
      reconnect in a short period of time, and you don't mis-type your password.

      To be more secure, I've disabled password authentication, allowing only
      key-based authentication.

      HTH!

      Regards,
      Yann E. MORIN.

      --
      .-----------------.--------------------.------------------.--------------------.
      | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
      | +0/33 662376056 | Software Designer | \ / CAMPAIGN | ^ |
      | --==< °_° >==-- °------------.-------: X AGAINST | /e\ There is no |
      | http://ymorin.is-a-geek.org/ | (*_*) | / \ HTML MAIL | """ conspiracy. |
      °------------------------------°-------°------------------°--------------------°
    • jll370
      Message 2 of 13, Mar 7, 2007
        > iptables -A recent_rule -p tcp --dport 22 -m recent --name
        recent_ssh --set -j ACCEPT

        I switched to a port other than 22. After I did that, all
        script-kiddie attacks ceased. The ssh/sshd config files make it easy
        to configure and use other ports.

        Unless you need password authentication, turn it off. It leaves
        you as vulnerable as the weakest password. By contrast, RSA keys are
        always long and obscure. I haven't heard of crackers even trying to
        guess RSA keys.

        John
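Editor's added example, not code from John or from the thread: a small POSIX sh audit of an sshd_config for the settings his post argues for (keys only, no passwords), plus the related knobs a password guesser can still reach. It reads the file directly; when you have root on the box, `sshd -T` prints the effective configuration including compiled-in defaults and is the better oracle. Assumptions not stated on the page: an absent directive takes OpenSSH's historical default (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes), the first occurrence of a keyword wins, and anything under a Match block is conditional and therefore skipped. The sample configs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# John's post recommends. Assumptions (not from the page): an absent directive
# takes OpenSSH's historical default (PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PermitRootLogin yes), the first
# occurrence of a keyword wins, and Match blocks are conditional, so they
# are ignored here. Use "sshd -T" on the host itself when you can.

# Print the effective (lower-cased) value of keyword $2 in file $1, or the
# default $3 when the keyword is not set before the first Match block.
sshd_get() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF < 2       { next }     # comments and blank lines
        tolower($1) == "match"     { exit }     # Match blocks are conditional
        tolower($1) == kw && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Report weak settings in sshd_config $1. Returns 1 if anything needs fixing.
sshd_audit() {
    f="$1"; bad=0
    pw=$(sshd_get "$f" PasswordAuthentication yes)
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; accept either spelling.
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication yes)
    cr=$(sshd_get "$f" ChallengeResponseAuthentication "$kbd")
    pk=$(sshd_get "$f" PubkeyAuthentication yes)
    root=$(sshd_get "$f" PermitRootLogin yes)
    port=$(sshd_get "$f" Port 22)

    if [ "$pw" != no ]; then
        echo "PasswordAuthentication $pw: the host is only as strong as its weakest password"; bad=1
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication $cr: with PAM, keyboard-interactive can still ask for a password"; bad=1
    fi
    if [ "$pk" != yes ]; then
        echo "PubkeyAuthentication $pk: key logins would be refused"; bad=1
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $root: root is the one username every scanner tries"; bad=1 ;;
    esac
    if [ "$port" = 22 ]; then
        echo "note: Port 22 (informational): moving the port thins out scanner noise, it is not a control"
    fi
    return $bad
}

# Usage: . ./sshd_audit.sh && sshd_audit /etc/ssh/sshd_config
```

Disabling PasswordAuthentication alone is not enough on PAM builds: keyboard-interactive authentication can still prompt for a password unless ChallengeResponseAuthentication (KbdInteractiveAuthentication in OpenSSH 8.7 and later) is also set to no. The Port 22 line is reported as a note only: a nonstandard port thins out the scanner log, as John saw, but the key-only policy is what actually closes the door.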
      • Rudy
        Message 3 of 13, Mar 7, 2007
          Wow, Yann, thank you! That's a great iptables script. I like keeping
          this all inside of iptables, but don't understand the scripting system
          well enough to write these myself at the moment.

          I hope you don't mind, but I took the liberty of adding this script
          with a reference to your message onto the NSLU2's Firewall page on the
          wiki.

          Here's a far simpler question: do you have a script that will allow
          samba connections (port 139, I think) and uPnP (no clue) from the
          local subnet and localhost, but not from anywhere else?

          Thanks,
          Rudy

        • Yann E. MORIN
          Message 4 of 13, Mar 7, 2007
            Rudy,
            All,

            On Wednesday 07 March 2007 203, Rudy wrote:
            > Wow, Yann, thank you! That's a great iptables script. I like keeping
            > this all inside of iptables, but don't understand the scripting system
            > well enough to write these myself at the moment.

            iptables is not that easy. I make errors more often than seldom. :-(

            > I hope you don't mind, but I took the liberty of adding this script
            > with a reference to your message onto the NSLU2's Firewall page on the
            > wiki.

            That's OK. :-)

            > Here's a far simpler question: do you have a script that will allow
            > samba connections (port 139, I think) and uPnP (no clue) from the
            > local subnet and localhost, but not from anywhere else?

            Simple question, long answer. Here is my firewalling script (with comments):

            ----8<----
            iptables -t filter -F
            iptables -t filter -X
            # Safe behavior by default:
            iptables -P INPUT DROP
            iptables -P OUTPUT DROP
            iptables -P FORWARD DROP
            # custom rules:
            iptables -N input_rule
            iptables -N output_rule
            iptables -N forward_rule
            iptables -N recent_rule

            # Populate INPUT rule
            # ACCEPT all from local machine
            iptables -A INPUT -s 127.0.0.1 -j ACCEPT
            # DROP invalid packets (avoids "christmas tree" attacks)
            iptables -A INPUT -m state --state INVALID -j DROP
            # ACCEPT established/related connections
            iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            # I found that one somewhere, can't remember...
            # It drops SYN packets that carry no MSS option (TCP option 2): normal
            # stacks send one, hand-crafted scanner packets often don't. This is the
            # old negation syntax; current iptables spells it "! --tcp-option 2".
            iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
            # ACCEPT icmp packets (ping)
            iptables -A INPUT -p icmp -j ACCEPT
            # Jump to custom input rules for packets not yet handled
            iptables -A INPUT -j input_rule

            # Populate OUTPUT rule
            # ACCEPT all to local machine
            iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
            # DROP invalid out going packets (in case a valid incoming packet
            # made the reply invalid)
            iptables -A OUTPUT -m state --state INVALID -j DROP
            # ACCEPT all established/related connections
            iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            # Jump to custom output rule for packets not yet handled
            iptables -A OUTPUT -j output_rule
            # Fall back to ACCEPTing everything going out
            iptables -A OUTPUT -j ACCEPT

            # Populate FORWARD rule
            # This is not a router, but I keep that in case...
            iptables -A FORWARD -j forward_rule

            # Populate custom rules
            # Allow local net everything
            iptables -A input_rule -s 192.168.0.0/24 -j ACCEPT
            # People trying to establish a connection go there first
            iptables -A input_rule -p tcp -m state --state NEW -j recent_rule
            # See the /etc/network/firewall file below
            for rule in $(cat /etc/network/firewall); do
                chain=$(echo "${rule}" | cut -d , -f 1)_rule
                proto=$(echo "${rule}" | cut -d , -f 2)
                ports=$(echo "${rule}" | cut -d , -f 3)
                target=$(echo "${rule}" | cut -d , -f 4)
                iptables -A "${chain}" -p "${proto}" --dport "${ports}" -j "${target}"
            done

            # The recent rule
            # What we do here:
            # - the second rule, will memorise all connections to port 22 (ssh)
            # in the list recent_ssh, but accept the connection
            # - the first rule will scan the recent_ssh list, and for those
            # attempting too many connections too fast (5conn/minute), drop
            # the packet
            iptables -A recent_rule -m recent --name recent_ssh --update --seconds 60 --hitcount 5 -j DROP
            iptables -A recent_rule -p tcp --dport 22 -m recent --name recent_ssh --set -j ACCEPT
            ----8<----

            And the /etc/network/firewall data (!! Remove the comments before using it!!):
            ----8<----
            # Allow DHCP requests (for internal)
            input,udp,67:68,ACCEPT
            # Allow HTTP
            input,tcp,80,ACCEPT
            # Allow FTP
            input,tcp,20:21,ACCEPT
            # Allow my passive FTP port range:
            input,tcp,16000:16256,ACCEPT
            ----8<----
            The syntax is:
            rule,proto,port,target
            rule,proto,port:range,target

            where:
            - rule is one of input, output or forward
            - proto is one of all, tcp or udp
            - port or port:range is a valid port number or port range
            - target is one of ACCEPT, DROP

            With the setup above, you will trust your local network for everything, but
            limit the outside world to certain services (HTTP, FTP, SSH) limiting those
            trying to do SSH attacks (Note to self: also limit FTP attacks).

            Note that DHCP is also present because the match for the local network is done
            on an IP basis, and DHCP requests have no IP yet! My firewall is blocking
            incoming DHCP requests.

            Of course, the "custom rules" part is not really generic, but that's enough
            for my usage.

            HTH.

            Regards,
            Yann E. MORIN.

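Editor's added example, not code from Yann or from the wiki: the rulesets from message 1 and message 4 rebuilt as a generator for iptables-restore, in POSIX sh. iptables-restore parses the whole table before the COMMIT, so a malformed line rejects the entire ruleset instead of leaving the firewall half built the way a failing line in a sequence of iptables calls does. It also answers Rudy's Samba question with an optional fifth rule-file field that restricts a service to a source network. Assumptions beyond the posts: rule-file lines may be blank or '#' comments (Yann's file requires the comments to be removed first), the variables LOCAL_NET, SSH_PORT, RECENT_SECONDS and RECENT_HITCOUNT are this example's knobs, loopback is matched by interface (-i lo / -o lo) rather than by the 127.0.0.1 address, the "--tcp-option" rule whose origin Yann could not recall is left out, and the sample rule file is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: Yann's firewall rebuilt as one
# iptables-restore ruleset, so a typo rejects the whole table instead of
# leaving a half-built firewall. Assumptions beyond the posts: rule-file
# lines may be blank or '#' comments, an optional fifth field limits the
# source network, and an empty LOCAL_NET drops the blanket "trust the LAN"
# rule so per-service rules (Samba from the local subnet only) do the job.
LOCAL_NET="${LOCAL_NET-192.168.0.0/24}"   # LOCAL_NET="" => per-service LAN rules only
SSH_PORT="${SSH_PORT:-22}"
RECENT_SECONDS="${RECENT_SECONDS:-60}"
RECENT_HITCOUNT="${RECENT_HITCOUNT:-5}"

# True if $1 is a port (80) or a range (20:21) within 0..65535.
valid_port() {
    case "$1" in ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;; esac
    for p in $(printf '%s' "$1" | tr ':' ' '); do
        [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Turn rule-file lines "chain,proto,port[:range],target[,source]" from file $1
# into "-A <chain>_rule ..." lines. A malformed line is reported on stderr and
# fails the whole function, so nothing half-checked reaches the kernel.
emit_custom_rules() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        IFS=, read -r chain proto ports target src <<EOF
$line
EOF
        case "$chain" in input|output|forward) ;; *) echo "bad chain: $line" >&2; rc=1; continue ;; esac
        case "$proto" in tcp|udp) ;; *) echo "bad proto (--dport needs tcp or udp): $line" >&2; rc=1; continue ;; esac
        case "$target" in ACCEPT|DROP) ;; *) echo "bad target: $line" >&2; rc=1; continue ;; esac
        valid_port "$ports" || { echo "bad port: $line" >&2; rc=1; continue; }
        srcopt=""
        if [ -n "$src" ]; then
            # IPv4 address/CIDR characters only, so the field cannot smuggle in options
            case "$src" in *[!0-9./]*) echo "bad source: $line" >&2; rc=1; continue ;; esac
            srcopt="-s $src "
        fi
        printf '%s\n' "-A ${chain}_rule ${srcopt}-p ${proto} --dport ${ports} -j ${target}"
    done < "$1"
    return $rc
}

# Emit the complete filter table in iptables-restore syntax. $1 = rule file.
gen_ruleset() {
    custom=$(emit_custom_rules "$1") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:input_rule - [0:0]
:output_rule - [0:0]
:forward_rule - [0:0]
:recent_rule - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j input_rule
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j ACCEPT
-A FORWARD -j forward_rule
EOF
    # Yann's "Allow local net everything", now optional.
    [ -z "$LOCAL_NET" ] || printf '%s\n' "-A input_rule -s $LOCAL_NET -j ACCEPT"
    printf '%s\n' "-A input_rule -p tcp -m state --state NEW -j recent_rule"
    [ -z "$custom" ] || printf '%s\n' "$custom"
    # Order matters: test-and-DROP first, record-and-ACCEPT second. Reversed,
    # every address is recorded and accepted and the list is never consulted.
    # As in the original, a listed address loses ALL new TCP connections.
    cat <<EOF
-A recent_rule -m recent --name recent_ssh --update --seconds $RECENT_SECONDS --hitcount $RECENT_HITCOUNT -j DROP
-A recent_rule -p tcp --dport $SSH_PORT -m recent --name recent_ssh --set -j ACCEPT
COMMIT
EOF
}

# Constructed sample rule file (not from the thread): Samba from the LAN only.
sample_rules() {
    cat <<'EOF'
# chain,proto,port[:range],target[,source]
input,udp,67:68,ACCEPT
input,tcp,80,ACCEPT
input,tcp,20:21,ACCEPT
input,tcp,139,ACCEPT,192.168.0.0/24
input,tcp,445,ACCEPT,192.168.0.0/24
input,udp,137:138,ACCEPT,192.168.0.0/24
EOF
}
# Review: sample_rules > /tmp/fw && gen_ruleset /tmp/fw
# Apply (as root): gen_ruleset /etc/network/firewall | iptables-restore
```

Run `gen_ruleset /etc/network/firewall` to review the output, then pipe it into `iptables-restore` as root. The current entries of the list are visible in /proc/net/xt_recent/recent_ssh (/proc/net/ipt_recent/ on the 2.6 kernels of the NSLU2 era), and `echo -ADDR > /proc/net/xt_recent/recent_ssh` removes one address if you lock yourself out. Note that --update refreshes the timestamp on every dropped attempt, so an attacker that keeps hammering stays blocked for as long as it keeps trying; --rcheck would let the window expire instead. IPv4 only: ip6tables needs its own table.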
          • Thomas Boehne
            Message 5 of 13, Mar 8, 2007
              Yann E. MORIN wrote:
              > So I'm using iptables' recent match:
              > iptables -N recent_rule
              > iptables -A INPUT -p tcp -m state --state NEW -j recent_rule
              > iptables -A recent_rule -m recent --name recent_ssh --update --seconds
              > 60 --hitcount 5 -j DROP
              > iptables -A recent_rule -p tcp --dport 22 -m recent --name recent_ssh
              > --set -j ACCEPT

              You may also take a look at sshguard, it does basically the same thing but requires less iptables knowledge:

              http://www.linux.com/article.pl?sid=07/02/27/1957242
              http://sshguard.sourceforge.net/

              Thomas
            • Yann E. MORIN
              Message 6 of 13, Mar 8, 2007
                Rudy,
                All,

                Sorry for the re-post, but my previous message has not yet arrived after
                almost 24 hours. So here we go again... :-/

                On Wednesday 07 March 2007 203, Rudy wrote:
                > Wow, Yann, thank you! That's a great iptables script. I like keeping
                > this all inside of iptables, but don't understand the scripting system
                > well enough to write these myself at the moment.

                iptables is not that easy. I make errors more often than seldom. :-(

                > I hope you don't mind, but I took the liberty of adding this script
                > with a reference to your message onto the NSLU2's Firewall page on the
                > wiki.

                That's OK. :-)

                > Here's a far simpler question: do you have a script that will allow
                > samba connections (port 139, I think) and uPnP (no clue) from the
                > local subnet and localhost, but not from anywhere else?

                Look at the embedded script and file.

                Syntax of the "/etc/network/firewall" file:
                rule,proto,port,target
                rule,proto,port:range,target

                where:
                - rule is one of input, output, forward or recent
                - proto is one of all, tcp or udp (no icmp support)
                - port or port:range is a valid port number or port range
                - target is one of ACCEPT, DROP

                With this setup, you will trust your local network for everything, but limit
                the outside world to certain services (HTTP, FTP, SSH) limiting those trying
                to do SSH or FTP attacks.

                Note that DHCP is also present because the match for local network is done on
                an IP-basis, and DHCP requests have no IP yet! My HW firewall is blocking
                incoming DHCP requests.

                Of course, the "custom rules" part is not really generic, but that's enough
                for my usage.

                Regards,
                Yann E. MORIN.
