HackFest Series: Quick IPTABLES, SSHUTOUT Script Kiddie Protection

Lisa Kachold lisakachold at obnosis.com
Mon Oct 20 21:11:45 MST 2008


Many of us are constantly plagued with port knocking and script kiddies from places like the Amazon Cloud.

When you have had a security incident, the recommended post-encroachment steps per CERT are:

1) Remove the computer from your network (probably not workable if this is a server) [use IPtables to protect it initially]
2) Gather log information about specific times, ports and ip addresses (both source and destination)
3) Report to the SWIP authorities including the correct time zones for each exploit.
4) Optional - load BackTrack and run forensics on the system if you CAN reboot it.
5) Optional - setup a honeypot trap for the users including network alerting and logging.

Using IPtables:

Generally, you can't drop large numbers of IP addresses into your IPtables, and the script kiddies just DHCP a new source address anyway, so this is a temporary measure.

First drop in a basic IP table - here's a good basic example (season to taste). [Do this while sitting in front of the machine so you don't accidentally shut yourself out.]

You're going to need iptables (you should have it already). Check to see if it's there:

# dpkg -l iptables
iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to

# rpm -qa | grep iptables
iptables-xxxxx

# which iptables
/sbin/iptables

If the utility is missing you can install it like so:

APT:

# apt-get update && apt-get install iptables

RPM:

# rpm -Uvh iptables-xxxx.rpm
Preparing ################################# [100%]

NEXT: Drop in a basic configuration:

# /etc/init.d/iptables start

Copy this basic table example to /root/iptables/iptables.first

This example only allows ports 22, 80 and 443 and does some time based (rate limited) log and drop (which might break if you have extensive scp jobs). Season to taste - for instance, if you need another port add it, or if your interface is eth1 rather than eth0 change this:
# Generated by iptables-save on Sun Oct 19 05:32:09 2008
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Optional log and drop limits
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Oct 19 05:32:09 2008

Next import it:

# /sbin/iptables-restore </root/iptables/iptables.first
Test - okay?  

Borked?

# /etc/init.d/iptables stop
# /sbin/iptables -F

Edit and try again....
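Once the table is in, the LOGNDROP chain above gives you exactly the raw material step 2 of the CERT list asks for (times, ports, source and destination addresses). The script below is an added example, not part of the original post: it reads the "Denied TCP:" / "Denied UDP:" / "Denied ICMP:" kernel log lines those rules produce and summarises them per source address, protocol and destination port, with first and last time seen. The sample log lines are constructed (RFC 5737 documentation addresses), and the log file path in the comments is an assumption that depends on your syslog setup.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the LOGNDROP
# rules log, per source address, so you have the times, ports and addresses
# that step 2 of the CERT checklist asks for.
#
# With --log-level 7 the kernel emits these lines at kern.debug; where syslog
# files them depends on your configuration (commonly /var/log/kern.log or
# /var/log/messages) - an assumption, check your syslog.conf.

# Constructed sample log lines in the format the LOGNDROP rules produce.
# Addresses are documentation ranges (RFC 5737), not real hosts; one sshd
# line is mixed in to show that non-matching lines are ignored.
SAMPLE_LOG='Oct 20 21:03:11 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 21:03:40 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 21:04:00 srv kernel: Denied UDP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=33021 DPT=161 LEN=58
Oct 20 21:04:30 srv sshd[2201]: Accepted publickey for alice from 192.0.2.40 port 50011 ssh2
Oct 20 21:05:02 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51251 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 21:06:30 srv kernel: Denied ICMP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

# Print one line per (source, protocol, destination port):
#   count src proto dport first_seen last_seen
# Reads log lines on stdin. ICMP has no port, so dport is printed as "-".
denied_summary() {
    awk '
    /Denied (TCP|UDP|ICMP): / {
        ts = $1 " " $2 " " $3            # syslog timestamp: month day time
        src = ""; proto = "?"; dpt = "-"
        for (i = 4; i <= NF; i++) {       # walk the KEY=VALUE fields
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src == "") next
        key = src " " proto " " dpt
        if (!(key in count)) first[key] = ts
        count[key]++
        last[key] = ts
    }
    END {
        for (k in count) print count[k], k, first[k], last[k]
    }' | sort -k1,1nr -k2,2               # busiest sources first, then by address
}

# Sources logged hitting PORT at least MIN times - the list you would put in
# an abuse report (step 3), together with the first/last timestamps above.
sources_hitting_port() {
    port=$1; min=$2
    denied_summary | awk -v p="$port" -v m="$min" '$4 == p && $1 >= m { print $2 }'
}

# Dry run on the sample. On a live box: denied_summary < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

The timestamps printed are in the server's local time; when you report them (step 3), state the time zone alongside them.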

Protect from/to a host:

Once you have a basic config in place you can do command line drops:

# /sbin/iptables -I INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp --dport 22 -j DROP

-I  Tells iptables to 'insert' this rule at the top of the INPUT Chain. (With the basic table above, a rule appended with -A would sit behind the ACCEPT for port 22 and the LOGNDROP catch-all and never match.)

-s  Source Address. This rule only pertains to traffic coming FROM this IP. Substitute the IP address you want to block - for a DROP rule this must NOT be the address you are SSHing from, or you will shut yourself out.

-d Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.

-p Protocol. Specifying traffic which is TCP.

--dport Destination Port. Specifying traffic which is for TCP Port 22 (SSH)

-j Jump. If everything in this rule matches then 'jump' to DROP

Saving and Editing your tables:

As a precaution run /sbin/iptables-save to be sure it's right (and check it via its output).
You can save and restore the last iptables via crontabs (Debian and Redhat vary as to commands for persistent tables [see references]).

# /sbin/iptables-save >/root/iptables/iptables.last

You can hand edit this with vi or joe, then restore it:

# /sbin/iptables-restore </root/iptables/iptables.last

SSH Brute force and Dictionary Attacks:

NOTE: If your port 22 (or VNC or port 80 webserver) is being hit, you can write a quick log protection script or use SSHUTOUT (which wraps ssh and watches for brute force and dictionary attacks), automagically dropping into iptables a deny for anyone who meets the configuration criteria.

Drop in something like this for now for quick and dirty iptables (edit your tables and place these lines under the loopback command, replacing your -A INPUT for ssh above; the first two lines are the existing state and loopback rules, shown so you can see where the new ones go):

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name SSHIN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT
COMMIT

Once a source has been seen hitting port 22 enough times within the 60 second window the DROP rule matches, and because it uses --update every further attempt refreshes that window, so a persistent knocker stays blocked for as long as it keeps knocking.

If you are getting a TON of port 22 knocking - GET a wrapper like SSHUTOUT:

[if you need to shutout 22]:  http://www.techfinesse.com/sshutout/sshutout.html (use this great program)
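For the "quick log protection script" route mentioned above, here is an added example (not from the original post, and not SSHUTOUT itself) of the minimal version: count sshd "Failed password" lines per source address in auth.log and print, but do not run, the iptables DROP commands for anything over a threshold, so you can eyeball the list before applying it. The sample auth.log lines are constructed (RFC 5737 documentation addresses); the threshold, the whitelist argument and the auth.log path in the comments are assumptions to season to taste.

```shell
#!/bin/sh
# Added example (not from the original post, not SSHUTOUT): a dry-run
# "quick log protection script". Counts sshd password failures per source
# and emits the iptables commands that would block repeat offenders.

# Constructed sample auth.log lines (RFC 5737 documentation addresses).
SAMPLE_AUTH='Oct 20 21:10:01 srv sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 40312 ssh2
Oct 20 21:10:03 srv sshd[4322]: Failed password for root from 203.0.113.7 port 40313 ssh2
Oct 20 21:10:05 srv sshd[4323]: Failed password for invalid user oracle from 203.0.113.7 port 40314 ssh2
Oct 20 21:10:09 srv sshd[4325]: Accepted publickey for alice from 198.51.100.5 port 50001 ssh2
Oct 20 21:10:20 srv sshd[4326]: Failed password for alice from 198.51.100.5 port 50002 ssh2
Oct 20 21:11:00 srv sshd[4330]: Invalid user test from 203.0.113.9
Oct 20 21:11:02 srv sshd[4330]: Failed password for invalid user test from 203.0.113.9 port 41000 ssh2'

# "count ip" per source address, most failures first. Reads auth.log on stdin.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            # the address is the token after "from", whatever the user part looks like
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least THRESHOLD failures, minus a comma-separated
# whitelist (put the address you administer from here so you never block it).
offenders() {
    threshold=$1; whitelist=${2:-}
    failed_logins_by_ip | awk -v t="$threshold" -v wl="$whitelist" '
        BEGIN { n = split(wl, w, ","); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 + 0 >= t + 0 && !($2 in ok) { print $2 }'
}

# Emit (do not run) one DROP per offender. -I puts the rule at the top of
# INPUT; with the basic table above, an appended (-A) rule would sit behind
# the port 22 ACCEPT and the LOGNDROP catch-all and never match.
block_rules() {
    offenders "$1" "${2:-}" | while read -r ip; do
        echo "/sbin/iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Dry run on the sample. On a live box (assumed paths/threshold):
#   block_rules 5 YOUR.ADMIN.IP < /var/log/auth.log
# Review the output, then pipe it to sh if it looks right.
printf '%s\n' "$SAMPLE_AUTH" | block_rules 3 198.51.100.5
```

Like the -m recent rules, this is a blunt instrument: one mistyped password from your own desk counts as a failure, which is what the whitelist argument is for, and blocks added this way live only until the next iptables-restore unless you save them to iptables.last as described above.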

References:  http://www.howtoforge.com/linux_iptables_sarge

http://wapedia.mobi/en/Obnosis |  http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
More information about the PLUG-discuss mailing list