When I was making rules for the firewall earlier this week, I set up logging for people attempting to connect to our network with automated tools. Many people who know nothing about the underlying ports and protocols use automated tools to try to break into computers on the Internet; they’re called “script kiddies”. Their tools connect to a machine that has a Secure Shell server running and repeatedly reconnect to it trying different passwords, hundreds if not thousands of times, hoping to guess one. I have the rules set up so that I can still connect from the outside in case I need to, but if someone uses one of these tools the packets get dropped on the floor (dropped, not rejected, so the client gets no answer and has to sit through its own timeouts). This is what the set of rules looks like:
### ALLOW SSH FROM RED INTERNET
# Limit external attempts to connect to SSH to 3 per 10 minutes per source
# address (--seconds 600 --hitcount 4); the fourth and later SYNs are logged, then dropped
$IPT -A INPUT -p tcp -i $RED --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Record every new SYN in the recent table (no target, so the packet falls through)
$IPT -A INPUT -p tcp -i $RED --dport 22 -m tcp --syn -m recent --set
# 4 or more SYNs from one address inside 600 seconds: log it ...
$IPT -A INPUT -p tcp -i $RED --dport 22 -m tcp --syn -m recent --update --seconds 600 --hitcount 4 \
  -j LOG --log-prefix "SSH_EXT_GT3PKTS: "
# ... and drop it; --update refreshes the address's timestamp on every hit
$IPT -A INPUT -p tcp -i $RED --dport 22 -m tcp --syn -m recent --update --seconds 600 --hitcount 4 -j DROP
# Anything still here is within the limit
$IPT -A INPUT -p tcp -i $RED --dport 22 -m tcp --syn -j ACCEPT
I trimmed the log lines down to the fields that matter but kept enough for analysis. There are some interesting things in this excerpt that can be used to create further rules for the firewall. I’ll explain after:
Oct 6 01:35:06 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct 6 01:35:09 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct 6 01:35:15 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct 6 18:14:22 SRC=218.108.0.68 TTL=43 SPT=3091 DPT=22 SYN URGP=0
Oct 6 18:14:25 SRC=218.108.0.68 TTL=43 SPT=3091 DPT=22 SYN URGP=0
Oct 6 18:14:31 SRC=218.108.0.68 TTL=43 SPT=3091 DPT=22 SYN URGP=0
Oct 6 20:46:34 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct 6 20:46:34 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
Oct 6 20:46:37 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct 6 20:46:37 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
Oct 6 20:46:38 SRC=206.172.28.171 TTL=55 SPT=36291 DPT=22 SYN URGP=0
Oct 6 20:46:41 SRC=206.172.28.171 TTL=55 SPT=36291 DPT=22 SYN URGP=0
Oct 6 20:46:43 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct 6 20:46:43 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
Oct 6 20:46:45 SRC=206.172.28.171 TTL=55 SPT=44009 DPT=22 SYN URGP=0
Oct 6 20:46:47 SRC=206.172.28.171 TTL=55 SPT=36291 DPT=22 SYN URGP=0
Oct 6 20:46:48 SRC=206.172.28.171 TTL=55 SPT=44009 DPT=22 SYN URGP=0
Oct 6 20:46:53 SRC=206.172.28.171 TTL=55 SPT=53125 DPT=22 SYN URGP=0
Oct 6 20:46:54 SRC=206.172.28.171 TTL=55 SPT=44009 DPT=22 SYN URGP=0
Oct 6 20:46:56 SRC=206.172.28.171 TTL=55 SPT=53125 DPT=22 SYN URGP=0
Oct 6 20:47:02 SRC=206.172.28.171 TTL=55 SPT=53125 DPT=22 SYN URGP=0
Oct 6 20:47:06 SRC=206.172.28.171 TTL=55 SPT=38358 DPT=22 SYN URGP=0
Oct 6 20:47:09 SRC=206.172.28.171 TTL=55 SPT=38358 DPT=22 SYN URGP=0
Oct 6 20:47:15 SRC=206.172.28.171 TTL=55 SPT=38358 DPT=22 SYN URGP=0
Oct 7 06:19:15 SRC=212.150.184.184 TTL=51 SPT=36483 DPT=22 SYN URGP=0
Oct 7 06:19:18 SRC=212.150.184.184 TTL=51 SPT=36483 DPT=22 SYN URGP=0
Oct 7 06:19:24 SRC=212.150.184.184 TTL=51 SPT=36483 DPT=22 SYN URGP=0
Oct 7 07:28:50 SRC=211.118.104.11 TTL=53 SPT=38767 DPT=22 SYN URGP=0
Oct 7 07:28:53 SRC=211.118.104.11 TTL=53 SPT=38767 DPT=22 SYN URGP=0
Oct 7 07:28:59 SRC=211.118.104.11 TTL=53 SPT=38767 DPT=22 SYN URGP=0
Oct 8 09:20:54 SRC=60.191.222.84 TTL=52 SPT=39716 DPT=22 SYN URGP=0
Oct 8 09:20:57 SRC=60.191.222.84 TTL=52 SPT=39716 DPT=22 SYN URGP=0
Oct 8 09:21:03 SRC=60.191.222.84 TTL=52 SPT=39716 DPT=22 SYN URGP=0
If you look at the timing (61.158.99.224 is typical):
Packets 1, 2 and 3 from an address are accepted, so nothing is logged for them
Packet 4 is logged and dropped; because no SYN/ACK ever comes back, the client’s TCP stack retransmits the SYN about 3 seconds later from the same source port
Packet 5 is dropped; the stack backs off and retransmits again about 6 seconds later
Packet 6 is dropped; the connect() times out and the tool gives up on that connection
I don’t know exactly how long the far end keeps the half-open connection around, but what the log shows is ordinary TCP SYN retransmission with exponential back-off (3 seconds, then 6); because the packets are dropped rather than rejected, every connection past the limit costs the attacker the full connect timeout, and it’s pretty effective at reducing the number of brute-force password guesses that reach sshd. Also, if you look at the log you notice that 206.172.28.171 made numerous attempts from numerous source ports: 6 connections from 6 different source ports, two of them (60242 and 60340) opened in the same second, each retransmitted on the same 3 and 6 second schedule. The recent match keys on the source address, not the source port, so all six were caught by the same counter; if it tracked ports separately, the first SYN on each new port would have been accepted and never retransmitted. The tool is simply opening connections in parallel, and since --update records a fresh timestamp on every hit, each new attempt extends the 600 second window, so it stays locked out for as long as it keeps trying. The same thing would happen to me: four connections from one address inside ten minutes, typos included, and every retry pushes the block out another ten minutes, so an ACCEPT for a known admin address ahead of these rules would be prudent. Will keep things posted here as I learn more about how this stuff works.
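To make the rule set and the timing analysis above concrete, here is an added example (not code from the original post) that replays SYN log lines through a small model of the `-m recent` rules: `--set` records a timestamp per source address, `--update --seconds 600 --hitcount 4` matches when four or more timestamps fall inside the window and records another one on each hit, and the LOG then DROP rule order is applied as in the firewall script. The sample log is constructed: the three accepted SYNs per host never appear in the real log, so they are added in front of lines shaped like the excerpt, the year is assumed to be 2006 (syslog omits it), and two extra SYNs (SPT 47790 and 47791) probe the edges of the 600 second window. The second function recovers the per-connection retransmit gaps that the timing discussion reads off by hand.

```python
"""Replay SSH SYNs through a model of the post's `recent` rules (added example)."""
import re
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 600   # --seconds 600
HITCOUNT = 4           # --hitcount 4: three SYNs per window get through
ASSUMED_YEAR = 2006    # assumption: syslog timestamps carry no year

# Constructed sample log.  The first three SYNs per host are invented (they are
# accepted, so the firewall never logs them); the dropped lines copy the shape of
# the post's trimmed excerpt.  47790/47791 are invented to show the window edges.
SAMPLE_LOG = """\
Oct  6 01:34:50 SRC=61.158.99.224 TTL=43 SPT=47784 DPT=22 SYN URGP=0
Oct  6 01:34:55 SRC=61.158.99.224 TTL=43 SPT=47785 DPT=22 SYN URGP=0
Oct  6 01:35:00 SRC=61.158.99.224 TTL=43 SPT=47786 DPT=22 SYN URGP=0
Oct  6 01:35:06 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct  6 01:35:09 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct  6 01:35:15 SRC=61.158.99.224 TTL=43 SPT=47787 DPT=22 SYN URGP=0
Oct  6 01:44:00 SRC=61.158.99.224 TTL=43 SPT=47790 DPT=22 SYN URGP=0
Oct  6 01:55:00 SRC=61.158.99.224 TTL=43 SPT=47791 DPT=22 SYN URGP=0
Oct  6 20:46:30 SRC=206.172.28.171 TTL=55 SPT=60100 DPT=22 SYN URGP=0
Oct  6 20:46:31 SRC=206.172.28.171 TTL=55 SPT=60101 DPT=22 SYN URGP=0
Oct  6 20:46:32 SRC=206.172.28.171 TTL=55 SPT=60102 DPT=22 SYN URGP=0
Oct  6 20:46:34 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct  6 20:46:34 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
Oct  6 20:46:37 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct  6 20:46:37 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
Oct  6 20:46:43 SRC=206.172.28.171 TTL=55 SPT=60242 DPT=22 SYN URGP=0
Oct  6 20:46:43 SRC=206.172.28.171 TTL=55 SPT=60340 DPT=22 SYN URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) SRC=(?P<src>\S+) "
    r".*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, sport, dport), or None for lines that are not SYN entries."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["spt"]), int(m["dpt"])


class RecentTable:
    """Model of the xt_recent list behind `-m recent`: timestamps keyed on source address."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record this packet (creates the entry on first sight).
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when N or more stamps fall inside
        # the last S seconds.  On a match the kernel records a fresh stamp too, which
        # is why a source that keeps retrying never ages out of the window.
        within = [t for t in self.stamps[src] if (now - t).total_seconds() <= seconds]
        if len(within) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def run_chain(log_lines):
    """Apply the post's rule order to each SYN; return (time, src, sport, verdict) tuples."""
    table = RecentTable()
    verdicts = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, src, spt, dpt = parsed
        if dpt != 22:
            continue
        table.set(src, now)                                         # --set, no -j: falls through
        table.update(src, now, WINDOW_SECONDS, HITCOUNT)            # --update ... -j LOG
        dropped = table.update(src, now, WINDOW_SECONDS, HITCOUNT)  # --update ... -j DROP
        verdicts.append((now, src, spt, "LOG+DROP" if dropped else "ACCEPT"))  # else --syn -j ACCEPT
    return verdicts


def retransmit_gaps(verdicts):
    """Seconds between successive dropped SYNs per (src, sport): the client's SYN back-off."""
    times = defaultdict(list)
    for now, src, spt, verdict in verdicts:
        if verdict == "LOG+DROP":
            times[(src, spt)].append(now)
    return {key: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for key, ts in times.items()}


if __name__ == "__main__":
    results = run_chain(SAMPLE_LOG.splitlines())
    for now, src, spt, verdict in results:
        print(f"{now:%b %d %H:%M:%S} {src:>15} SPT={spt:<5} {verdict}")
    for (src, spt), gaps in retransmit_gaps(results).items():
        print(f"{src} SPT={spt}: retransmit gaps {gaps}")
```

Running it shows the fourth SYN from each address dropped, the 3 and 6 second gaps on every dropped source port, both parallel connections from 206.172.28.171 counted against one entry, and the retry from 61.158.99.224 at 01:44:00 still dropped (the window runs from its last hit, not its first) while the one at 01:55:00, after ten quiet minutes, is accepted again.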