Limit bogus ssh logins solved (at least for me)

tr21_de · November 30, 2006, 2:05pm

Hello to everybody,

I have searched the board and found that some users had the same problem then I faced:
MT doesn’t limit false logins via blacklist and there are a lot of attempts to break into the router via ssh. since it is not always an option to lock ssh in firewall, or you simply don’t want to use port knocking for sake of simplicity her is what you can do to limit logins attempts via ssh:

/ ip firewall filter 
add chain=input protocol=tcp dst-port=22 connection-limit=1,32 \
    action=add-src-to-address-list address-list=ssh_logins \
    address-list-timeout=2m comment="" disabled=no 
add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
    action=accept comment="" disabled=no

Place above code BEFORE any “accept established or related” rules!
So actually this one has proven to limit false logins due to the following fact (might not always work, but hey take your chances): hackers try to open as many connections as possible to try many logins real fast.
The above code stops them as soon as the have opened up the second connection and blacklists their IP for 2 minutes.
The ssh kicks them from the 1 established connection as soon as they have entered the wrong pass more than x times. Therefore they need to wait at least two minutes to try again. Most scripts hackers use don’t do that, but rather give up.
For me the above code took 99% of all login attemps from my routers.
(I am lazy and have ssh always open to the public).

Perhaps this is useful for somebody, else admin can take this post of it he wants to.

Regards
Markus

normis · November 30, 2006, 2:13pm

you could simply change the ssh port and allow access only from certain locations

tr21_de · November 30, 2006, 2:28pm

Hi normis.

Sure you can, but people are soooo lazy , like me its so much easier to type: ssh router1 instead of bothering with ports. Also restrict it to ips is not an option if you are behind dynamic IPs all the time.
using vpn is great as long as you don’t break up the config when playing with configuration from remote. Personaly I use ssh as “last fallback” which gives me access to my far away machines (got 50 of them to maintain) if nothing else is working anymore.

But sure, there are a million other ways to secure the router, that’s just one flavour.

Regards
Markus

GotNet · November 30, 2006, 2:49pm

Markus, thanks for sharing.

bjohns · December 1, 2006, 1:15am

I was going to work out something similar to that, but I’m lazy

Thanks, I’ll stick that into the configs.

firebat · December 1, 2006, 9:29am

Thanks Markus. That’s pretty slick. I’ll try it out.

I guess you could do something similiar for FTP logins also.

tr21_de · December 1, 2006, 12:10pm

Thanks for all that response. Seems its of use for someone
In reply to the ftp thing:
That might not work that well, since many ftp clients will try to open more than one connection per default to speed up transfers. So you would lock off even the good ones.
Better to have the ftp server taking care about this.
But if you REALY attempt to block that on the router, use the “content” feature as matcher!
I have got the following in foreward chain (at the first position):

add chain=forward src-address=192.168.1.10 protocol=tcp src-port=21 content="password incorrect" action=add-dst-to-address-list \
    address-list=ftp_logins address-list-timeout=1m comment="" disabled=no 
add chain=forward src-address-list=ftp_logins action=drop comment="" disabled=no

And on my ftp (FileZilla) Server I set login time to max 20 sec. that’s enough to repeat password 2 or 3 times until it kicks you off (with the first connection you made) Remember it’s not very clean just another “take your chances”.

Also note that content might differ with your server, if not sure use packet sniffer (I found it that way) to find content string.

Markus

firebat · December 2, 2006, 2:37am

I placed this above accept releated and established connetions but it looks like it just continuing to flow through the chain and accept the connection. Do I need to delete one of the other rules?

tr21_de · December 2, 2006, 12:41pm

Hello,

which one? ftp or ssh?
ssh: This one makes the first connection always work. It blocks only if you establish the second connection while the first is still running.
And the first one is not interrupted (router kicks you if you enter password wrong to often). Also it is only in input chain, meaning that it only filters logins to the router.

If ftp:
Have you adopted the content string to your server? Not all ftp reply with the same string on false logins. Also be sure that you have changed the adress 192.168.1.10 to whatever your ftp server is.
This rule is in foreward chain meaning not to block ftp to the router itself but to an ftp server located at your LAN.
If you realy want to open the ftp port on the router for the public then change chain to input leaving address field of the rule blank.

Hope that helped.

markus

firebat · December 2, 2006, 8:49pm

The SSH doesn’t work. My log is still full of attempts from the same IP. I added another rule to ensure that the IPs performing SSH get added to the an address list OK and they are.

The rule says accept if not in the SSH_logins address list. Do the packets get dropped at that point in the firewall then if not accepted? You could probably say drop if in the ssh_login (more intuitive to me).

For the FTP logins, I would just want to block the attempts to ftp to the router through the public interface. I guess I could just drop all FTP traffic to the router on this interface to solve the problem. Does the router use FTP to download the Winbox client when you attmept access from amachine without the client?

firebat · December 5, 2006, 10:00am

??