|
Gerry Reno wrote:
> My SSH Highport solution has been working well (see last post), so now I
> need to setup some firewall rules for rate-limiting so that I can expose
> the port to the internet and not permit huge dictionary attacks against
> the port. So I setup some iptables rules and ... it doesn't work. I
> found a bunch of examples of doing this and I followed them very closely
> but no luck. So I'm wondering if there is something about using the
> directors that is causing problems with these rules.
>
> On the directors here's what I have:
>
> # iptables -L -n --line-numbers
> ...
> Chain RH-Firewall-1-INPUT (1 references)
> ...
> 16 tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent: SET name:
> DEFAULT side: source
> 17 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322 recent:
> UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
> 18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:33322
> 19 REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
After much testing what I found was that for whatever reason the
rate-limiting firewall rules for port 33322 do not work when installed
on the directors. So what I did was to put the rules on the realservers
(which I was trying to avoid) for port 22. This works because the
realservers map 33322 to 22. The best solution would be to get these
rules working on the directors. But for now there is the realserver
solution. I'll sleep a lot better knowing that no one can mount a
high-speed dictionary attack on the exposed port. I've also set a very
restricted set of allowed ssh users for that port to prevent default
password attacks on well-known user accounts.
Gerry
|
