CentOS 5 : preventing brute force attacks with iptables

Based on http://e18.physik.tu-muenchen.de/~tnagel/ipt_recent/

The following example is much simpler: it blocks a host that opens more than 3 new connections to the SSH server within 60 seconds (the fourth attempt inside the window, and every one after it, is dropped). If you need something more complex, check out the howto mentioned above.

This is my /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIMIT_SSH - [0:0]

# accept localhost and related/established traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# transfer new connections made to tcp/22 to the LIMIT_SSH chain
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j LIMIT_SSH

# block anything else in the INPUT chain (ACCEPTs for any other service
# you run go above this line; as it stands only SSH is reachable)
-A INPUT -j DROP

# --set records a hit for the source address on every new connection;
# --update then counts that address' hits of the last 60 seconds and
# drops the packet once there are 4, i.e. on the 4th attempt within 60 s.
# Counting is per new TCP connection, not per failed password, so an admin
# who reconnects four times in a minute is locked out too. Because --set
# also runs for the packets that get dropped, the address stays blocked as
# long as it keeps 4 or more attempts inside any trailing 60 s window: a
# persistent attacker never gets back in, and the entry only ages out once
# it stops. --hitcount cannot exceed the module's per-address history
# (ip_pkt_list_tot, 20 by default). The tracked addresses can be inspected
# in /proc/net/ipt_recent/SSH.
-A LIMIT_SSH -m recent --set --name SSH
-A LIMIT_SSH -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A LIMIT_SSH -j ACCEPT

COMMIT

Recent module homepage : http://www.snowman.net/projects/ipt_recent/
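The --seconds/--hitcount semantics of the LIMIT_SSH chain are easy to get wrong (is the 4th or the 5th attempt dropped? does the block slide?), so here is a small model of the three rules that can be run without a live firewall. It is an added example, not code from the original post or from the recent module itself; the source addresses and timestamps it feeds in are constructed, and the per-address history size (ip_pkt_list_tot) is taken as the module default of 20.

```python
"""Model of the LIMIT_SSH chain above (added example, not from the post).

It mirrors, for each new tcp/22 connection (one SYN = one attempt):

    -A LIMIT_SSH -m recent --set --name SSH
    -A LIMIT_SSH -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    -A LIMIT_SSH -j ACCEPT

Addresses and timestamps used below are constructed sample data.
"""
from collections import deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
PKT_LIST_TOT = 20     # ip_pkt_list_tot: timestamps the module keeps per address


class RecentTable:
    """One --name table: per source address, the timestamps of its last hits."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, history=PKT_LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.history = history
        self.stamps = {}  # src -> deque of timestamps, newest last

    def set(self, src, now):
        """--set: add src to the table, or record one more hit for it."""
        self.stamps.setdefault(src, deque(maxlen=self.history)).append(now)

    def update_matches(self, src, now):
        """--update --seconds W --hitcount N: src is listed and has >= N hits
        no older than W seconds.  (On a match the real module refreshes the
        entry as well; --set already did that here, so verdicts are the same.)"""
        hits = self.stamps.get(src, ())
        recent = sum(1 for t in hits if now - t <= self.window)
        return recent >= self.hitcount


def limit_ssh(table, src, now):
    """Verdict of the LIMIT_SSH chain for one new connection from src at time now."""
    table.set(src, now)                    # rule 1: runs for every packet, dropped or not
    if table.update_matches(src, now):     # rule 2: 4 hits in the last 60 s -> DROP
        return "DROP"
    return "ACCEPT"                        # rule 3


def verdicts(attempts, table=None):
    """Run a list of (src, seconds) attempts through the chain; return the verdicts."""
    table = table if table is not None else RecentTable()
    return [limit_ssh(table, src, now) for src, now in attempts]


if __name__ == "__main__":
    attacker, user = "203.0.113.5", "198.51.100.7"
    # Five quick attempts: the fourth inside 60 s is dropped, and so is the fifth.
    print(verdicts([(attacker, t) for t in (0, 10, 20, 30, 40)]))
    # Keeping at it never frees the address: the 60 s window slides with each hit.
    print(verdicts([(attacker, t) for t in (0, 18, 37, 51, 66, 80, 99)]))
    # Another host is tracked separately and is not affected.
    print(verdicts([(attacker, 0), (user, 5), (attacker, 10), (attacker, 20),
                    (attacker, 30), (user, 35)]))
    # Going quiet lets the old hits age out of the window.
    print(verdicts([(attacker, t) for t in (0, 10, 20, 30, 40, 95)]))
```

Run it as is to see the four sequences; the second one is the behaviour to remember when you set --hitcount: the block is not "60 seconds after the 4th attempt", it lasts for as long as the source keeps hammering.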

Block MSN and other messengers on your network

1. Iptables

This is my iptables config stored under /etc/sysconfig/iptables:
(eth0 = WAN interface, eth1 = LAN interface)

You’ll notice 192.168.1.16 is allowed to connect to everything.

You’ll also notice that the default policy for OUTPUT traffic is ACCEPT.
You can of course set it to DROP and only accept what you specifically define.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Rate-limited ACCEPTs (the usual "syn flood protection" snippet). They are
# restricted to the LAN -> WAN direction here: as plain "-A FORWARD ... -j ACCEPT"
# rules without "-i eth1 -o eth0" each one accepts up to one new connection
# (or ping) per second in either direction, including from the WAN into the LAN
# for anything you DNAT or route, which the DROP policy above is meant to stop.
# Note that they only ever ACCEPT: LAN traffic over the limit simply falls
# through to the "allow anything else" rule at the bottom, so nothing is
# actually limited.
-A FORWARD -i eth1 -o eth0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# The -I rules below are inserted at the top of FORWARD, so they are evaluated
# before everything added with -A, and in reverse file order: for each
# messenger the ACCEPT for 192.168.1.16 ends up above the LOG, which sits
# above the DROP.

# Block MSN (tcp/1863), except for 192.168.1.16
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT

# Block AIM/ICQ (64.12.25.0/22 is not on a /22 boundary; iptables masks it to 64.12.24.0/22)
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT

# Block Yahoo IM (likewise stored as 216.155.192.0/22)
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT

# Allow anything else from the LAN out, and only replies back in
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

As soon as the MSN client cannot connect to the server on tcp/1863, it falls back to HTTP on tcp/80, which is probably allowed:

Web activity upon connection :
1.10 gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.2422
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.1885
1.10 207.46.25.15/gateway/gateway.dll?Action=poll&SessionID=1047611159.24447
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.7573
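Two things in the ruleset and the log excerpt above are worth checking on a real gateway: what the "MESSENGER ... >" LOG rules actually write to /var/log/messages, and how the port-80 fallback looks in the proxy log. The script below does both over constructed sample lines; it is an added example and not part of the original post. It assumes the standard iptables LOG line layout (IN= OUT= SRC= DST= ... DPT=) and the native Squid access.log format (time, elapsed, client, code/status, bytes, method, URL, ...); the hostnames, addresses and timestamps are made up.

```python
"""Detection over the gateway's logs (added example, not from the original post).

1. The "-j LOG --log-prefix 'MESSENGER ... > '" rules write one kernel line per
   blocked attempt in the iptables LOG format; summarise() counts them per
   messenger and LAN host.
2. Once tcp/1863 is blocked the MSN client falls back to HTTP requests for
   gateway/gateway.dll, which a transparent Squid sees in access.log;
   msn_http_fallback() pulls those out.

All log lines below are constructed samples, not captured logs.
"""
import re
from collections import Counter

# Constructed /var/log/messages excerpt (iptables LOG target format).
SAMPLE_MESSAGES = """\
Jun 12 09:14:02 gw kernel: MESSENGER MSN > IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=207.46.110.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=TCP SPT=1152 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 09:14:05 gw kernel: MESSENGER MSN > IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=207.46.110.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4322 DF PROTO=TCP SPT=1153 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 09:15:11 gw kernel: MESSENGER ICQ/AIM > IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=64.12.25.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=118 DF PROTO=TCP SPT=3001 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 09:16:40 gw kernel: MESSENGER MSN > IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=207.46.110.20 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=77 DF PROTO=TCP SPT=1099 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 09:16:41 gw sshd[2210]: Accepted publickey for root from 192.168.1.16 port 51022 ssh2
"""

# Constructed Squid access.log excerpt (native format: time elapsed client
# code/status bytes method URL rfc931 hierarchy/peer content-type).
SAMPLE_ACCESS_LOG = """\
1181632442.118    215 192.168.1.20 TCP_MISS/200 1123 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - DIRECT/207.46.25.15 application/x-msn-messenger
1181632442.901     88 192.168.1.20 TCP_MISS/200 341 POST http://207.46.25.15/gateway/gateway.dll?SessionID=1047611159.2422 - DIRECT/207.46.25.15 application/x-msn-messenger
1181632450.004    412 192.168.1.31 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1181632451.330     90 192.168.1.20 TCP_MISS/200 120 POST http://207.46.25.15/gateway/gateway.dll?Action=poll&SessionID=1047611159.24447 - DIRECT/207.46.25.15 application/x-msn-messenger
"""

LOG_RE = re.compile(r"kernel: MESSENGER (?P<im>.+?) > (?P<fields>.*)$")
GATEWAY_RE = re.compile(r"/gateway/gateway\.dll", re.IGNORECASE)


def parse_fields(text):
    """'IN=eth1 OUT=eth0 SRC=... DF ... SYN URGP=0' -> dict; bare flags map to True."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def parse_messenger_log(lines):
    """Yield (messenger, src, dst, dport) for each MESSENGER line; other lines are ignored."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        yield m.group("im"), f.get("SRC"), f.get("DST"), f.get("DPT")


def summarise(lines):
    """Blocked attempts per (messenger, LAN source address)."""
    return Counter((im, src) for im, src, _dst, _dport in parse_messenger_log(lines))


def msn_http_fallback(access_log_lines):
    """(client, url) for every gateway.dll request, i.e. MSN going out over HTTP."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, url = parts[2], parts[6]
        if GATEWAY_RE.search(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for (im, src), n in sorted(summarise(SAMPLE_MESSAGES.splitlines()).items()):
        print("%-8s %-15s %d blocked attempt(s)" % (im, src, n))
    for client, url in msn_http_fallback(SAMPLE_ACCESS_LOG.splitlines()):
        print("HTTP fallback from %s: %s" % (client, url))
```

On a real box, feed it /var/log/messages and /var/log/squid/access.log instead of the constants; a LAN host that shows up in both lists is one where the firewall rule worked and the proxy is now the only thing standing between the client and the gateway.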

2. More firewall rules or Squid web proxy

Now you have two choices:

- make an ACL blocking the Microsoft IP ranges. If new ranges come into use, MSN clients will be able to connect again, so this is not an ideal stance unless you enjoy tracking the addresses of the MSN servers.

- block Internet Explorer (and MSN, which uses the Internet Explorer engine) in your web proxy. You’ll need to run a transparent web proxy (Squid does the job pretty well) and match on the User-Agent header to block Internet Explorer, so MSN won’t be able to connect on port 80 either... See here for a short howto.

Of course, you’d need something like Firefox installed on your client PCs if you decide to block IE... you can always make an ACL in Squid allowing safe websites under Internet Explorer... This is not a bad stance, as IE is known to have many unfixed security flaws. Keep in mind that a User-Agent match is a convenience, not a security control: the client chooses that string, so any software that sends a different one walks straight through.

Edit June 2007: I'm blocking the Internet Explorer User-Agent, which apparently blocks the MSN client as well, but I noticed this page mentions the User-Agent for MSN is "MSMSGS". Please let me know if the described solution does not work for you.

I’ve not put much effort into blocking AIM/ICQ/YIM since 99 % of people use MSN in Belgium.
The MSN blocking is working well for me; I’m not sure about the other IMs (the IP ranges can change from time to time).

3. Additional notes

It is reported in many places that the following Squid rules work. I have tried them and they do NOT work for me. If they do for you, let me know :)
acl mi_intranet src 192.168.1.0/255.255.255.0
acl msn req_mime_type -i ^application/x-msn-messenger
http_access deny mi_intranet msn
http_access allow mi_intranet

This is a working Squid ACL blocking a bunch of web messengers. The patterns are url_regex entries, one per line (load them with, e.g., acl webim url_regex -i "/etc/squid/webim.regex" followed by http_access deny webim; the unescaped dots match any character, which is harmless here):
http://.*e-messenger.net/.*
http://193.238.160.*
http://.*meebo.com/.*
http://.*messenger.msn.com/.*
http://.*clientless.net/.*
http://.*wbmsn.net/.*
http://.*msn2go.com/.*
http://64.92.173.*
http://.*iloveim.com/.*
http://info.sytes.net/.*
http://chatenabled.mail.google.com/.*

Block viruses and protect yourself from spammers by blocking port 25 under Linux + iptables (just like ISPs do!)

Find viruses on your network and prevent spammers from abusing your wireless network, with a simple iptables ruleset...

OK, let’s calm down, this needs a bit of explanation before proceeding.

ISPs usually block port 25:
Unlike many ISPs, mine doesn’t! It still allows customers to send email directly through and to any SMTP server (tcp/25).

The goal in blocking port 25 is to stop viruses spreading by email: mass-mailing worms carry their own SMTP engine and deliver straight to the recipients’ mail servers on tcp/25, bypassing your mail relay and its logs entirely.
At work, by just reading our email server logs, I know which ISPs aren’t blocking port TCP/25 (damn Wanadoo and Road Runner).

If your ISP blocks port TCP/25, you have to send email through their own (usually overwhelmed) SMTP server.

Worst case scenario:
Let’s say someone breaks into my wireless network with a Linux laptop (pretty unlikely with WPA2 security, but who knows :) ); the attacker would be able to send as much spam as they like using a local sendmail or postfix server.

To fill that breach, we need to block port tcp/25 for wireless clients, while still letting them reach the mail relay they are supposed to use (and leaving the authenticated submission port, tcp/587, alone so that ordinary mail clients keep working).

Continue reading

Loading additional iptables modules under CentOS 4.x

If you need an iptables module loaded every time (say, the FTP connection-tracking helper, which marks FTP data connections as RELATED so that a “--state RELATED” rule can accept them), you can either:
- issue “modprobe ip_conntrack_ftp” at the CLI every time you need it
- add “modprobe ip_conntrack_ftp” to rc.local
- edit /etc/init.d/iptables and add “modprobe ip_conntrack_ftp” under the “start” argument

or

- the proper way: edit /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

Any time you start or restart iptables, the modules will be loaded:

[root@localhost](1035)# service iptables condrestart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat filter                [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_ftp      [  OK  ]

Script : ban a country under iptables

Let’s say you want to completely ban a country from accessing your servers...
E.g.: countries that have very lax internet laws.

Note: in regard to Epe’s comment, this article has been updated with a newer script, which should be doing a better job. Please drop me a comment, I’d love to hear feedback!

This script parses the RIPE database and generates the iptables rules automatically...

Continue reading
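The post’s own script is behind the "Continue reading" link and is not reproduced on this page. As an added example (not the author’s script), here is one way to do the same job in Python, assuming the input is the registry’s "delegated" statistics file (the delegated-ripencc-latest file RIPE NCC publishes, one pipe-separated record per line: registry|cc|type|start|value|date|status). The records it parses are constructed from documentation address ranges and the user-assigned country codes XA/XB, not real allocations; the chain name BANNED is this example’s choice.

```python
"""Turn a registry "delegated" statistics file into iptables rules banning one
country (added example, not the post's own script).

Assumed input format (delegated-ripencc-latest), one record per line:

    registry|cc|type|start|value|date|status

For ipv4 records `start` is the first address and `value` the number of
addresses.  That count is not always a power of two on a CIDR boundary, so a
record is split into the smallest set of CIDR prefixes covering it.  The
records below are constructed sample data (documentation ranges, user-assigned
country codes), not real allocations.
"""
import ipaddress

SAMPLE_DELEGATED = """\
2|ripencc|20070612|5|19830705|20070611|+0200
ripencc|*|ipv4|*|3|summary
ripencc|XA|ipv4|192.0.2.0|256|20070101|allocated
ripencc|XA|ipv4|198.51.100.0|768|20070102|assigned
ripencc|XB|ipv4|203.0.113.0|256|20070103|allocated
ripencc|XA|ipv6|2001:db8::|32|20070104|allocated
ripencc|XA|asn|64496|1|20070105|allocated
"""


def delegated_ipv4_networks(text, country):
    """Yield the IPv4 networks delegated to `country` (ISO 3166 code) as CIDR blocks."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) < 7 or parts[0].startswith("#"):
            continue                         # summary lines and comments
        _registry, cc, kind, start, value, _date, status = parts[:7]
        if kind != "ipv4" or cc != country:
            continue                         # also skips the version header line
        if status not in ("allocated", "assigned"):
            continue                         # skip "available"/"reserved" space
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)      # value = number of addresses
        # 768 addresses from 198.51.100.0 -> 198.51.100.0/23 + 198.51.102.0/24
        for net in ipaddress.summarize_address_range(first, last):
            yield net


def ban_rules(networks, chain="BANNED", target="DROP"):
    """One iptables rule per network, in iptables-save syntax."""
    return ["-A %s -s %s -j %s" % (chain, net, target) for net in networks]


def restore_fragment(text, country, chain="BANNED"):
    """Lines to paste into /etc/sysconfig/iptables (*filter section): the chain,
    its DROP rules, and a jump that sends inbound traffic through it first."""
    nets = ipaddress.collapse_addresses(delegated_ipv4_networks(text, country))
    return [":%s - [0:0]" % chain] + ban_rules(nets, chain) + ["-I INPUT -j %s" % chain]


if __name__ == "__main__":
    print("\n".join(restore_fragment(SAMPLE_DELEGATED, "XA")))
```

Keeping the generated rules in their own chain matters once a real country list runs to thousands of prefixes: the main INPUT chain stays readable, and the whole ban can be flushed or swapped with one command when the registry file is refreshed.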