Thursday, June 26, 2008

Securing SSH with Iptables

So you want to open up port 22 on the WAN side of your router for remote access. Is it really a legitimate concern that someone could try to get in through SSH? I mean it's SSH right?

Well, yes and no. Yes, you should be concerned about any port that is open to the world, even if it's SSH. There was a brief period when some SSH exploits were publicly available; those were quickly patched and most systems have been upgraded since then.

However, there's always the chance that someone will try to brute-force your SSH credentials, and for those of you who allow logging in as root this is even more worrying. Your first line of defense is obviously your password. There are plenty of websites and utilities out there to help you generate a good one, and you should always use a password of at least 8 characters with at least one number and one special character such as !, @ or #. The rate-limiting described next caps how many guesses an attacker gets per window; it does not make a weak password safe.

With iptables it's actually quite easy to set up rate-limiting for traffic coming in on port 22, or on any TCP/UDP port really.
  • Make sure the "recent" match extension is available in your iptables build and kernel. iptables -m recent -h prints the module's options when the userspace extension is present; if adding a rule then fails with "No chain/target/match by that name", the kernel module (ipt_recent, later renamed xt_recent) is missing.
  • Next, add the rules to iptables manually and verify they're functioning correctly. Keep them in this order: the --update/DROP check runs first, then --set records the attempt, then the ACCEPT in the filter table lets it through. prerouting_wan and input_wan are the OpenWrt/X-Wrt chain names; on a plain iptables host the same three rules can go in the INPUT chain of the filter table.
  • iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --update --seconds 900 --hitcount 6 -j DROP
  • iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --set
  • iptables -A input_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
You can hit up http://www.grc.com/ and use the ShieldsUP! port scanning service if you don't have access to a remote shell to test with; once the limit trips, the probe should report the port as stealth (dropped) rather than open. I just entered port 22 and clicked "User Specified Custom Port Probe" 6 times to test it.

Testing from inside your LAN won't exercise these rules at all: they are attached to the WAN chains (prerouting_wan and input_wan), so packets arriving on the LAN interface never traverse them.

You can tweak how quickly it rate-limits with the --seconds and --hitcount options. I set it for 900 seconds and 6 packets, meaning that if you open more than 6 new connections to port 22 within 900 seconds (15 minutes), further new connections to port 22 from your source IP are dropped; an SSH session that is already established is not affected, since the rule only matches NEW connections. Because the DROP rule uses --update, every further attempt from a blocked address refreshes its timestamps, so the block only ends once that address has made fewer than 6 attempts in the trailing 15 minutes; an attacker who keeps hammering stays blocked, and a locked-out legitimate user has to wait. I chose 6 packets because by default SSH lets you try 3 times per log entry/disconnect, so 2 "attempts" to log in.

Once you're satisfied everything is working correctly, add the 3 lines to the bottom of your /etc/firewall.user and issue /etc/rc.d/S45firewall restart (the path might be different depending on your version of OpenWrt/X-Wrt).
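To see exactly when these rules start dropping and for how long, here is a small model of the chain. It is an added example written for this page, not code from the original post or from netfilter/OpenWrt; it follows the documented xt_recent semantics (--set records a timestamp, --update with --seconds/--hitcount matches when enough timestamps fall inside the window and only then records another), assumes the 900 s window and --hitcount 6 used above, and feeds in made-up connection times from a single made-up source address.

```python
from collections import deque

# Added example, not code from the original post: a model of how the two
# "-m recent" rules above behave, written from the documented xt_recent
# semantics. "--set" records a timestamp for the source address; "--update
# --seconds S --hitcount N" matches when at least N timestamps fall inside the
# last S seconds and, only when it matches, records one more timestamp.
# Times are plain seconds rather than kernel jiffies; the source address
# and connection times below are constructed input.

SECONDS = 900      # --seconds, the 15-minute window the post settles on
HITCOUNT = 6       # --hitcount
LIST_DEPTH = 20    # xt_recent keeps at most ip_pkt_list_tot stamps per address (default 20)


class RecentList:
    """One named list such as SSH_BRUTEFORCE, keyed by source address (--rsource)."""

    def __init__(self, depth=LIST_DEPTH):
        self.stamps = {}   # src -> deque of timestamps, oldest first
        self.depth = depth

    def hits(self, src, now, seconds=SECONDS):
        """Number of recorded attempts from src inside the trailing window."""
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

    def set(self, src, now):
        """--set: create the entry if needed and append a timestamp."""
        self.stamps.setdefault(src, deque(maxlen=self.depth)).append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds --hitcount: an unknown source never matches; on a
        match the address gets a fresh stamp, which keeps a persistent attacker blocked."""
        if src not in self.stamps or self.hits(src, now, seconds) < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def new_ssh_connection(table, src, now, seconds=SECONDS, hitcount=HITCOUNT):
    """Walk one NEW SYN to port 22 through the page's rule order and return the
    verdict: rule 1 (--update ... -j DROP), rule 2 (--set), rule 3 (ACCEPT)."""
    if table.update(src, now, seconds, hitcount):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"


def simulate(attempt_times, src="203.0.113.7", **kw):
    """Verdicts for a constructed list of connection times (seconds) from one source."""
    table = RecentList()
    return [new_ssh_connection(table, src, t, **kw) for t in attempt_times]


def burst_verdicts():
    """Seven SYNs ten seconds apart: six get through, the seventh is dropped."""
    return simulate([10 * i for i in range(7)])


def quiet_recovery_time():
    """After that burst the source goes silent. Return the first second at which a
    new connection is accepted again: SECONDS after the *second* attempt (fewer
    than HITCOUNT stamps are then left in the window), not after the last one."""
    table, src = RecentList(), "203.0.113.7"
    for t in [10 * i for i in range(7)]:
        new_ssh_connection(table, src, t)
    now = 60
    while table.hits(src, now) >= HITCOUNT:
        now += 1
    return now


def persistent_attacker():
    """Every 30 s for two hours: each dropped attempt refreshes the stamps, so the
    address never gets back in while it keeps trying."""
    return simulate([30 * i for i in range(240)])


def spaced_attempts():
    """Twenty connections 200 s apart never leave more than four earlier stamps
    inside a 900 s window, so the limit is never hit."""
    return simulate([200 * i for i in range(20)])


if __name__ == "__main__":
    print("burst:", burst_verdicts())
    print("accepted again at t =", quiet_recovery_time())
    v = persistent_attacker()
    print("persistent attacker: %d accepted, %d dropped" % (v.count("ACCEPT"), v.count("DROP")))
    print("spaced attempts dropped:", spaced_attempts().count("DROP"))
```

Running it shows the numbers behind the rules: the seventh connection inside the window is the first one dropped; a source that then stays silent is accepted again at t = 911, which is 900 s after its second attempt because that is when the window holds fewer than six stamps; a source that keeps trying every 30 s is never let back in, since every dropped attempt refreshes its stamps; and a source pacing itself at one connection per 200 s is never limited at all. That last case is the flip side of --hitcount: the rule slows a brute-forcer down to a handful of guesses per window, it does not stop one, so the password advice above still applies.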

References:
http://www.netfilter.org/
http://www.openwrt.org/
http://www.snowman.net/projects/ipt_recent/

Similar:
There's also a script available that will monitor your logs for malicious SSH activity and block IPs that way; check it out: http://www.pettingers.org/code/sshblack.html

I hope you find the information provided helpful in some way, you can show your appreciation by clicking on an Ad or two. Or if you'd like to hire me and have me secure your system you can click on the oDesk Ad on the site as well.

~Matt
