Beat Bruteforcing with IpTables

Saturday, August 27, 2011

Symptoms:

Here's an example of the auth.log file. You can see that even as I'm writing this article bots are trying different account combinations to get into my server:

impala sshd[10855]: Illegal user office from 213.191.xx.xxx
impala sshd[10855]: Failed password for illegal user office from 213.191.xx.xx
impala sshd[10857]: Illegal user samba from 213.191.xx.xxx
impala sshd[10857]: Failed password for illegal user samba from 213.191.xx.xxx
impala sshd[10859]: Illegal user tomcat from 213.191.xx.xxx
impala sshd[10859]: Failed password for illegal user tomcat from 213.191.xx.xxx
impala sshd[10861]: Illegal user webadmin from 213.191.xx.xxx
impala sshd[10861]: Failed password for illegal user webadmin from 213.191.xx.xxx

Do you see the rate at which this is happening? Today's connection speeds allow crackers to try an enormous number of combinations every second! It's time to stop this before someone hits the jackpot and my server is compromised.

About iptables

Iptables is the standard Linux firewall, and though I use Ubuntu, it should be installed by default on any modern distribution. But it doesn't do anything yet: it's just sitting there, so we need to give it some rules to prevent brute force attacks.

There are tools available to do this for us, like fail2ban. Though it's a great piece of software and certainly has its advantages, in this article I'd like to stick with iptables, because fail2ban parses log files at a certain interval to detect brute force attacks, whereas iptables works directly at the kernel level. Besides, I don't think many people know about iptables' full capabilities, and it comes preinstalled!

Easy setup - just 2 rules

Because iptables comes standard with every Linux distribution, we'll skip right to setting up the specific firewall rules we need. In-depth configuration of iptables takes some understanding and is not within the scope of this article, but let's take a look at these two statements:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

The -i eth0 is the network interface on which SSH connections arrive. Typically this is eth0, but you may need to change it.

That's it! Together they will rate-limit incoming SSH connections to 8 in a one-minute window. Normal users will have no trouble logging in, but brute force attacks will be dropped, limiting the number of possible account combinations from unlimited to 8. That's awesome!
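As an added example (not from the original post, and not something iptables does for you), here is a small shell script that counts "Failed password" lines per source address in auth.log output of the form shown above. The recent match in the two rules keeps its hit list per source address, so this gives the same per-address view; run it on the live log before and after adding the rules to confirm the counts stop growing. It assumes only awk and sort; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Counts "Failed password" lines per
# source address in auth.log output of the form shown above, so you can measure
# the attack rate before adding the rules and confirm it stops afterwards.

# Constructed sample lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG='impala sshd[10855]: Illegal user office from 198.51.100.7
impala sshd[10855]: Failed password for illegal user office from 198.51.100.7
impala sshd[10857]: Failed password for illegal user samba from 198.51.100.7
impala sshd[10859]: Failed password for illegal user tomcat from 198.51.100.7
impala sshd[10861]: Failed password for invalid user admin from 203.0.113.9
impala sshd[10863]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2'

# failed_by_ip MIN: read log lines on stdin and print "<count> <ip>" for each
# source address with at least MIN failed password attempts, highest first.
failed_by_ip() {
  awk -v min="${1:-1}" '
    /Failed password/ {
      # the source address is the field right after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
  ' | sort -rn
}

# hits_for IP: number of failed attempts from one address in SAMPLE_LOG (0 if none).
hits_for() {
  c=$(printf '%s\n' "$SAMPLE_LOG" | failed_by_ip 1 | awk -v ip="$1" '$2 == ip { print $1 }')
  echo "${c:-0}"
}

# Stand-alone use: list every address with 3 or more failures. On a real log,
# pick a threshold that matches the --hitcount you configured above.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip 3
```

On a real system replace the embedded sample with `grep sshd /var/log/auth.log | failed_by_ip 8`.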

Failsafe:

While you're still testing, you might want to add the following line to your crontab:

*/10 * * * * /sbin/iptables -F

This flushes all the rules every 10 minutes, just in case you lock yourself out. When you're happy with the results of your work, remove the line from your crontab, and you're in business.

How to set up an SSH Tunnel

Tuesday, August 16, 2011

How to: Set up an SSH Tunnel
The aim of an SSH tunnel is to add some security to the information you send while on a possibly insecure network: from your current computer to another, secure computer, and from there on to wherever you want to go.

Free USA VPN - 100GB/Month

Sunday, August 7, 2011

There are quite a few free VPN service providers, but all of them have very restrictive limits on free accounts. Hostizzle is a new VPN service provider offering a free US-based IP anonymity service with a very generous quota of 100 GB monthly data usage on a 1GBps port. Using the secure OpenVPN protocol with 1024-bit SSL/TLS certificates and Blowfish encryption, the service is surely going to lure users looking for online anonymity, bypassing internet censorship and country-specific content blocks.

Apart from offering the generous free usage quota, the service also creates a custom OpenVPN installer with built-in user certificates, so all you need to do is enter your email address and download a ready-to-use OpenVPN setup that requires no configuration to work.

To get your personal free VPN account with a 100GB traffic allowance, simply visit http://hostizzle.com/download/

SSH Tunnelling, How to.

Monday, August 1, 2011

How to use a SSH Tunnel

One simple command is all you need, apart from pointing your programs at the correct port:
ssh -ND 50000 username@yoursexylocation.com
-N: Tells ssh not to execute a remote command or open a shell at your destination. So if you only want a proxy connection and don't need a shell to open up, add this. I would also suggest running it inside screen so ssh can run in the background, giving you a running proxy without needing the terminal to stay up.

-D: This is where all the magic happens. The correct usage is "[ip:]port"; if no ip is given, just the port. This is great when you have multiple network connections, enabling you to run a proxy through one network connection while the rest of your system runs through the other network card.

Notes:
Mind you, this is only for people who want to SSH from an insecure network to a more "secure" network, because once the tunnel has ended, the security the SSH tunnel enforces is lost at the other end.

Okay, so that is how to use it. Next is how to set one up.
Enjoy!