Fedora Linux Support Community & Resources Center
  #1  
Old 21st April 2014, 03:39 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 104
Using FirewallD to block brute force SSH attacks

Hi All,

Any thoughts on how I could use FirewallD to block brute force SSH attacks?

I've come across several custom rules for iptables that would seem to do this but not for FirewallD.

I've also looked into Fail2Ban but struggled to get it working properly.

I know in theory I should only allow access to SSH from certain IPs but as this is only a home server and I travel a lot, I'd really like to be able to access it from wherever I happen to be.

Also please note I'm still a bit of a noob at this stuff.

Many thanks in advance for any help!

E-I
  #2  
Old 21st April 2014, 05:11 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,718
Re: Using FirewallD to block brute force SSH attacks

1. Move ssh to an obscure port
2. Don't use passwords
3. Deny root login

fail2ban is what you really want. With iptables or firewalld; maybe run sshd on eth0, accept input from your local subnet (192.168.1.0/24(?)) and a vpn range (tun# @ 172.16.37.0/24(?), where tun# is an openvpn interface), and drop or deny the rest. Or make ssh available on a vpn only.
  #3  
Old 21st April 2014, 05:59 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 104
Re: Using FirewallD to block brute force SSH attacks

Hi Beaker,

Many thanks for the response.

I understand points 1 and 3, but not 2? How can I not use passwords?

I had fail2ban working a while back on FC17 before I upgraded to FC20, but I've struggled getting it working with either Firewalld or iptables. On my last attempt using iptables everything seemed to be installed and configured correctly but it was not banning.

This has been partly prompted by the lovely people based in China and New Mexico who have been trying to hack the box (I did whois on their IPs and it's consistently two IP addresses trying to gain access.). It was when I logged in via ssh and saw several thousand failed logins I realised I had a bit of an issue.... Currently I've just disabled SSH completely on my router while I work out my next steps.

Again, I appreciate the advice and apologise that I don't always understand it, as I'm very much a home user who muddles through.

I'll look into the openvpn side of things, unfortunately my only experience of vpn is being a client on my office's Sonicwall SSL vpn, so I'll need to do a bit of research.

Anyway, the nice thing about this sort of stuff is that I always learn something new!

Thanks,

E-I
  #4  
Old 21st April 2014, 08:06 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,718
Re: Using FirewallD to block brute force SSH attacks

For #2.

http://www.linuxhomenetworking.com/w...OpenSSH_Server
http://docs.fedoraproject.org/en-US/...-keypairs.html

That normally kills them all.

Most of my hits originate in Paris, Texas, Atlanta and some town in Florida. China and Russia too, but they're usually in squid's log. But I digress...

Openvpn's hurdle is tall but, depending how much networking you do, can become the go-to tool for securing inherently insecure protocols and applications.
  #5  
Old 21st April 2014, 10:47 PM
pete_1967
Guest
 
Posts: n/a
Re: Using FirewallD to block brute force SSH attacks

Not familiar with FirewallD, but it is also easy to set up port knocking on iptables (some great help for that at http://www.portknocking.org/) if you've had issues with fail2ban (a great tool for a lot more than just protecting SSH).
  #6  
Old 22nd April 2014, 12:04 AM
dobbi Offline
Registered User
 
Join Date: Jan 2011
Posts: 1,116
Re: Using FirewallD to block brute force SSH attacks

fail2ban (fedora/20/x86_64 repo) would do that.
Is it not easier?

or you want to learn how to do it?

I think that is one of the best courses of action possible at the moment: scan the logs for failed login attempts and, if a preset number is reached, temporarily rewrite the firewall rules to ban that IP from trying, which makes it impossible to brute force anything.
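
The approach described in the post above (count failed logins per address, ban temporarily once a preset number is reached), as an added example that is not part of the thread and is not fail2ban's code. The thresholds, sample log lines and function names are assumptions; the ban is a firewalld runtime rich rule with `--timeout`, and it assumes sshd listens on the port of firewalld's `ssh` service.

```python
import re
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Hypothetical thresholds for this example (not taken from any tool's config).
MAX_FAILURES, FIND_WINDOW, BAN_SECONDS = 3, timedelta(minutes=10), 600
# Constructed sample lines in the usual sshd syslog shape (documentation addresses).
SAMPLE_LOG = """\
Apr 21 03:10:01 home sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 21 03:10:04 home sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Apr 21 03:10:09 home sshd[2107]: Failed password for root from 203.0.113.7 port 40131 ssh2
Apr 21 03:12:00 home sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 51515 ssh2
Apr 21 03:15:00 home sshd[2120]: Failed password for alice from 198.51.100.20 port 51600 ssh2
Apr 21 04:40:00 home sshd[2200]: Failed password for alice from 198.51.100.20 port 51700 ssh2
Apr 21 05:59:00 home sshd[2300]: Failed password for alice from 198.51.100.20 port 51800 ssh2
Apr 21 06:00:00 home sshd[2301]: Failed password for root from 2001:db8::bad port 40000 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_offenders(log_text, year=2014):
    """Return IPs with MAX_FAILURES failed logins inside FIND_WINDOW, in order found.
    syslog timestamps omit the year, so the caller supplies it."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))  # ValueError on a malformed address
        times = recent[ip]
        times.append(when)
        while when - times[0] > FIND_WINDOW:
            times.popleft()  # forget failures older than the window
        if len(times) >= MAX_FAILURES and ip not in offenders:
            offenders.append(ip)
    return offenders

def ban_command(ip):
    """Build a runtime firewalld rich rule that expires after BAN_SECONDS."""
    family = "ipv4" if ip.version == 4 else "ipv6"
    rule = f'rule family="{family}" source address="{ip}" service name="ssh" reject'
    return ["firewall-cmd", f"--add-rich-rule={rule}", f"--timeout={BAN_SECONDS}"]

if __name__ == "__main__":  # prints the commands only, nothing is executed
    print("\n".join(shlex.join(ban_command(ip)) for ip in find_offenders(SAMPLE_LOG)))
```

Only 203.0.113.7 is reported: the three failures from 198.51.100.20 are spread over hours, so they never fall inside one window.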
  #7  
Old 23rd April 2014, 05:48 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 104
Re: Using FirewallD to block brute force SSH attacks

Many thanks for all the replies!

Work's got in the way of things the last few days so I haven't had a chance to put any of this into action.

Beaker, thanks for the links, that's good to know and will certainly help.

Pete, I'll look into port knocking too.

Dobbi, yes Fail2Ban is exactly what I need really, I've just had real issues getting it working in FC20 (had it running fine in FC17). I tried it both with FirewallD and with iptables and had issues with both. I think some of the problem is that the howtos and tutorials I can find are a bit dated and I struggle to make sense of it all (as previously mentioned, I'm a bit of a noob I'm afraid). I also find the 0.9 version of Fail2ban's config file quite confusing....

I'm going to look into OpenVPN and all the other things mentioned, and maybe have another crack at Fail2Ban too.

Anyway, thanks for all the advice everyone, I really appreciate it :-) and I'll let you know how I get on.

E-I