
#1 2015-12-12 08:32:41

pirateofms
Member
Registered: 2010-05-10
Posts: 23

iptables not using sshguard rules [SOLVED]

Sorry if I'm missing something obvious, but I've been having some trouble with brute force attacks on my home server, and it seems to be an issue with my iptables rules.  I was constantly getting hit on random ports from 43.229.53.30 until I added the top rule.  Notice that it's already in sshguard's chain, but for some reason it's not actually using it, so I'm guessing something is accepting them before it gets that far, but I don't understand what.  Any help?

sudo iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  43.229.53.30         anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     ipv6 --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
sshguard   tcp  --  anywhere             anywhere             tcp
IN_SSH     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain IN_SSH (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 10 hit_count: 3 TTL-Match name: sshbf side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 1800 hit_count: 4 TTL-Match name: sshbf side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             recent: SET name: sshbf side: source mask: 255.255.255.255

Chain TCP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:50000:60000 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:6890:iatp-normalpri
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6881
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmltec-xmlmail
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:shilp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mountd

Chain UDP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:6881
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:shilp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mountd

Chain sshguard (1 references)
target     prot opt source               destination         
DROP       all  --  211.216.48.205       anywhere           
DROP       all  --  115.248.186.3        anywhere           
DROP       all  --  43.229.53.30         anywhere           
DROP       all  --  60.12.21.162         anywhere           
DROP       all  --  mail.gratika.co.id   anywhere           
DROP       all  --  61.135.137.2         anywhere           
DROP       all  --  43.229.53.71         anywhere           
...
...
etc.

Last edited by pirateofms (2015-12-13 06:21:16)

Offline

#2 2015-12-12 13:10:51

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: iptables not using sshguard rules [SOLVED]

Well, of course you're going to get confused, if you look at *that*, because it's hiding essential info, e.g. the *order* of the rules.

Instead, show the output of:  iptables-save

Offline

#3 2015-12-12 17:08:16

pirateofms
Member
Registered: 2010-05-10
Posts: 23

Re: iptables not using sshguard rules [SOLVED]

Oops.  Sorry, it was late.

iptables-save gives me this.  The sshguard entries continue until the end.

Generated by iptables-save v1.4.21 on Sat Dec 12 09:03:49 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3020:1078346]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -s 43.229.53.30/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -s 103.41.124.25/32 -p tcp -j DROP
-A INPUT -p tcp -m tcp -j sshguard
-A INPUT -s 43.229.53.30/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A IN_SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --rcheck --seconds 1800 --hitcount 4 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 21 -j ACCEPT
-A TCP -p tcp -m tcp --dport 50000:60000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A TCP -p tcp -m tcp --dport 6890:6999 -j ACCEPT
-A TCP -p tcp -m tcp --dport 6881 -j ACCEPT
-A TCP -p tcp -m tcp --dport 9091 -j ACCEPT
-A TCP -p tcp -m tcp --dport 111 -j ACCEPT
-A TCP -p tcp -m tcp --dport 2049 -j ACCEPT
-A TCP -p tcp -m tcp --dport 20048 -j ACCEPT
-A UDP -p udp -m udp --dport 6881 -j ACCEPT
-A UDP -p udp -m udp --dport 111 -j ACCEPT
-A UDP -p udp -m udp --dport 2049 -j ACCEPT
-A UDP -p udp -m udp --dport 20048 -j ACCEPT
-A sshguard -s 211.216.48.205/32 -j DROP
-A sshguard -s 115.248.186.3/32 -j DROP
-A sshguard -s 43.229.53.30/32 -j DROP
-A sshguard -s 60.12.21.162/32 -j DROP
-A sshguard -s 222.124.185.194/32 -j DROP
-A sshguard -s 61.135.137.2/32 -j DROP
-A sshguard -s 43.229.53.71/32 -j DROP
...
...
etc.

Offline

#4 2015-12-12 19:59:41

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: iptables not using sshguard rules [SOLVED]

-A INPUT -j REJECT --reject-with icmp-proto-unreachable   <-- This rejects all input
-A INPUT -s 103.41.124.25/32 -p tcp -j DROP               <-- So this rule will never get hit
-A INPUT -p tcp -m tcp -j sshguard                        <-- Nor this

Last edited by brebs (2015-12-12 20:00:06)

Offline

#5 2015-12-13 03:52:42

branch
Member
Registered: 2014-03-16
Posts: 209

Re: iptables not using sshguard rules [SOLVED]

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

This rule sends all new tcp connections to the TCP chain where connections to your services are accepted. Note this rule is before the jump to the sshguard chain.

Offline
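The first-match behaviour brebs and branch point out above, as an added example that is not code from the thread or from the iptables project: a small Python simulator that walks a ruleset trimmed from the iptables-save output in #3 (the ipv6, icmp and IN_SSH rules are left out, and 192.0.2.10 is a constructed "legitimate client" address). It reports which rule decides a packet, lists the INPUT rules shadowed by the unconditional REJECT, and shows the verdict once the sshguard jump is moved ahead of the dispatch to the TCP chain. The move_jump_before helper is this example's own text manipulation, not an iptables command.

```python
"""First-match simulator for an iptables filter ruleset (added example, not from the thread)."""
import ipaddress
import shlex
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed from the iptables-save output posted in #3, trimmed to the rules that matter here.
RULESET_AS_POSTED = """
:INPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -s 43.229.53.30/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -s 103.41.124.25/32 -p tcp -j DROP
-A INPUT -p tcp -m tcp -j sshguard
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 21 -j ACCEPT
-A UDP -p udp -m udp --dport 111 -j ACCEPT
-A sshguard -s 211.216.48.205/32 -j DROP
-A sshguard -s 60.12.21.162/32 -j DROP
"""


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str = "tcp"                 # "tcp" or "udp"
    dport: int = 0
    ctstate: str = "NEW"               # NEW, ESTABLISHED, RELATED or INVALID
    iface: str = "eth0"
    tcp_flags: frozenset = frozenset({"SYN"})   # flags set on the packet


@dataclass
class Rule:
    chain: str
    target: str
    match: dict      # empty dict means the rule matches every packet
    text: str


def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line; unsupported options raise instead of being ignored."""
    tok, chain, target, match, i = shlex.split(line), None, None, {}, 0
    while i < len(tok):
        opt = tok[i]
        if opt == "-A": chain = tok[i + 1]; i += 2
        elif opt == "-j": target = tok[i + 1]; i += 2
        elif opt == "-s": match["src"] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
        elif opt == "-i": match["iface"] = tok[i + 1]; i += 2
        elif opt == "-p": match["proto"] = tok[i + 1]; i += 2
        elif opt in ("--ctstate", "--state"): match["ctstate"] = set(tok[i + 1].split(",")); i += 2
        elif opt == "--dport":
            lo, _, hi = tok[i + 1].partition(":")
            match["dport"] = (int(lo), int(hi or lo)); i += 2
        elif opt == "--tcp-flags":   # mask, then the flags that must be set within the mask
            match["tcp_flags"] = (set(tok[i + 1].split(",")), set(tok[i + 2].split(","))); i += 3
        elif opt in ("-m", "--reject-with"): i += 2   # module load / reject type: no match effect
        else: raise ValueError(f"unsupported option {opt!r} in: {line}")
    return Rule(chain, target, match, line)


def parse_ruleset(text):
    chains, policies = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*", "COMMIT")): continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        else:
            rule = parse_rule(line); chains[rule.chain].append(rule)
    return chains, policies


def matches(rule, pkt):
    m = rule.match
    if "src" in m and ipaddress.ip_address(pkt.src) not in m["src"]: return False
    if "iface" in m and m["iface"] != pkt.iface: return False
    if "proto" in m and m["proto"] != pkt.proto: return False
    if "ctstate" in m and pkt.ctstate not in m["ctstate"]: return False
    if "dport" in m and not (m["dport"][0] <= pkt.dport <= m["dport"][1]): return False
    if "tcp_flags" in m and (pkt.tcp_flags & m["tcp_flags"][0]) != m["tcp_flags"][1]: return False
    return True


def walk(chains, chain, pkt):
    """Top to bottom; a user chain that falls through returns control to the next rule."""
    for idx, rule in enumerate(chains[chain]):
        if not matches(rule, pkt): continue
        if rule.target in TERMINAL: return (rule.target, chain, idx)
        if rule.target == "RETURN": return None
        if rule.target not in chains: raise ValueError(f"unknown target {rule.target}")
        hit = walk(chains, rule.target, pkt)
        if hit: return hit
    return None


def verdict(ruleset_text, pkt):
    """(target, chain, rule index) that decides the packet, or the INPUT policy if nothing matched."""
    chains, policies = parse_ruleset(ruleset_text)
    return walk(chains, "INPUT", pkt) or (policies["INPUT"], "INPUT", None)


def shadowed_rules(ruleset_text, chain="INPUT"):
    """Rules placed after an unconditional terminal rule: no packet can ever reach them."""
    rules = parse_ruleset(ruleset_text)[0][chain]
    for idx, rule in enumerate(rules):
        if not rule.match and rule.target in TERMINAL:
            return [r.text for r in rules[idx + 1:]]
    return []


def move_jump_before(ruleset_text, jump_target, before_target):
    """Move the INPUT rule jumping to jump_target so it precedes the first jump to before_target."""
    lines = ruleset_text.strip().splitlines()
    moved = next(l for l in lines if l.startswith("-A INPUT") and l.endswith(f"-j {jump_target}"))
    lines.remove(moved)
    anchor = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT") and l.endswith(f"-j {before_target}"))
    lines.insert(anchor, moved)
    return "\n".join(lines)


if __name__ == "__main__":
    attacker = Packet(src="60.12.21.162", dport=22)     # an address the sshguard chain already blocks
    print("as posted:", verdict(RULESET_AS_POSTED, attacker))          # ACCEPT via chain TCP
    print("never reached:", shadowed_rules(RULESET_AS_POSTED))
    fixed = move_jump_before(RULESET_AS_POSTED, "sshguard", "TCP")
    print("sshguard first:", verdict(fixed, attacker))                  # DROP in chain sshguard
    print("legit client:", verdict(fixed, Packet(src="192.0.2.10", dport=22)))   # still ACCEPT
```

Running it reproduces the two observations from the thread: a new SYN to port 22 from a blocked address is accepted by the TCP chain before the sshguard jump is ever consulted, and everything after the bare `-j REJECT` is dead. Moving the sshguard jump above the TCP dispatch (in a live system, with `iptables -I INPUT <n>` rather than this text helper) gives the blocked address a DROP while a new client still falls through sshguard into the TCP chain.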

#6 2015-12-13 06:20:45

pirateofms
Member
Registered: 2010-05-10
Posts: 23

Re: iptables not using sshguard rules [SOLVED]

Ok, it looks like it's working now.  Thanks everyone.

Offline
