iptables: Stop Bruteforce attacks

What is iptables?

A simple wiki definition goes as “iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.”

It is a tool that lets sysadmins manipulate the Linux kernel firewall for security. I have used iptables to secure web servers from any anomalies that intruders may cause.

Before proceeding to the iptables firewall, please follow the basic server configuration, which covers the basic security settings:

Linux Server Configuration Best Practices

Basic rules: only open ports 22 (SSH), 80 (HTTP) and 443 (HTTPS)

You can write a similar script to run when the server boots.

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP

This example closes all ports except the SSH and web ports. However, this script does not block brute-force attacks. Let's move on and add some more rules that only permit a certain number of new connections to the server from any single IP.

Stop brute force attacks

Add these lines after the rules above.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
iptables -P INPUT DROP

Let's verify now and run sudo iptables -L

This is the output:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 600 hit_count: 2 name: DEFAULT side: source
           tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

The first two rules in the iptables -L output are the tricky part.

This line:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

Keeps a table (the recent list named DEFAULT in the output above) with the source IP of every new connection to the SSH port.

And this one:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
 --update --seconds 600 --hitcount 2 -j DROP

Counts the new connections that IP makes to our server within a time frame of 600 seconds. Once the count reaches 2 (the hit count), the server drops any further new connections from that IP for 600 seconds. Because --update refreshes the IP's "last seen" timestamp on every attempt, each blocked attempt restarts the 600-second window.

You can change the values as necessary.

For ports 80 and 443, add the rules below:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 60/minute --limit-burst 5 -j ACCEPT

iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 60/minute --limit-burst 5 -j ACCEPT

Note that the limit match only narrows what this ACCEPT rule matches: new connections above the rate do not match it and continue down the chain, where the unconditional ACCEPT rules for ports 80 and 443 from the first script still accept them. For the limit to take effect, remove those unconditional rules or follow the limited ACCEPT with a DROP for the excess.
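The rules of this article collected into one script, as an added example that is not code from the original post. It applies them in the order the chain is evaluated, adds the DROP that makes the web limit bite, and sends SSH offenders to their own chain so one packet is matched once, logged and then dropped. The interface eth0, the recent list name ssh, the chain name SSH_BRUTE, the log prefix and the DRY_RUN switch are choices made here, not part of the article.

```shell
#!/bin/sh
# Added example, not code from the original post: the article's rules as one
# script. IFACE, the recent list name "ssh", the chain SSH_BRUTE, the log
# prefix and the DRY_RUN switch are assumptions made here.
IPTABLES=${IPTABLES:-iptables}
IFACE=${IFACE:-eth0}
SSH_TRIES=${SSH_TRIES:-2}         # hit count used in the article
SSH_SECONDS=${SSH_SECONDS:-600}   # window used in the article
WEB_RATE=${WEB_RATE:-60/minute}   # new web connections accepted per minute
WEB_BURST=${WEB_BURST:-5}

# Run iptables, or print the command instead when DRY_RUN=1 so the rule set
# can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    ipt -F                                   # flush every chain, as the article does
    ipt -X SSH_BRUTE 2>/dev/null || true     # drop our chain if a previous run left it

    # Loopback and replies to connections we already know about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One chain for offenders: log (rate-limited so the log cannot be flooded),
    # then drop. LOG does not terminate, so the packet continues to the DROP.
    ipt -N SSH_BRUTE
    ipt -A SSH_BRUTE -m limit --limit 5/minute -j LOG --log-prefix "SSH_BRUTE: "
    ipt -A SSH_BRUTE -j DROP

    # Same logic as the article: the --update rule fires once a source has made
    # SSH_TRIES new connections within SSH_SECONDS; the --set rule records every
    # new connection that got past it and accepts it.
    ipt -A INPUT -p tcp --dport 22 -i "$IFACE" -m state --state NEW \
        -m recent --name ssh --update --seconds "$SSH_SECONDS" \
        --hitcount "$SSH_TRIES" -j SSH_BRUTE
    ipt -A INPUT -p tcp --dport 22 -i "$IFACE" -m state --state NEW \
        -m recent --name ssh --set -j ACCEPT

    # Web ports: accept new connections within the rate and drop the excess.
    # Without the DROP, connections over the limit would fall through to any
    # later unconditional ACCEPT and the limit would have no effect.
    for port in 80 443; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit "$WEB_RATE" --limit-burst "$WEB_BURST" -j ACCEPT
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j DROP
    done

    ipt -P INPUT DROP
}

case "${1:-}" in
    apply) apply_rules ;;                # sudo sh fw.sh apply
    show)  DRY_RUN=1; apply_rules ;;     # sh fw.sh show  (prints, changes nothing)
esac
```

Run `sh fw.sh show` first to read the generated commands, then `sudo sh fw.sh apply`. Keep in mind that `-m limit` counts all clients together, so 60 new connections per minute is a small budget for a public web server; `-m hashlimit --hashlimit-mode srcip` gives each source its own budget if that is what you want.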

Make it automatic

In Debian/Ubuntu, run:

sudo /etc/init.d/iptables save

In Arch Linux, run:

sudo /etc/rc.d/iptables save

And add iptables to the DAEMONS array in the /etc/rc.conf file.

Logging the connections

If you want to keep a log of the blocked connection attempts, add the rule:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG

Because -I inserts it at the top of the chain, it sits above the DROP rule; LOG is a non-terminating target, so a matching packet is logged and then dropped by the rule below it.

You can see the logs you just enabled in /var/log/messages or /var/log/iptables.log, depending on your Linux distribution.
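To make those log lines useful, here is an added example (not from the original post) that summarises them per source address. The LOG target writes one kernel line per packet with fields such as `IN=eth0 ... SRC=... DST=... PROTO=TCP SPT=... DPT=22`; the function below keys on `SRC=` and `DPT=` rather than on a prefix, so it works with the article's rule (which has no `--log-prefix`) as well as with a prefixed one. The log lines are constructed for the example and use documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the original post. sample_log() emits
# constructed syslog lines in the format the iptables LOG target produces;
# top_sources() counts blocked attempts per SRC for one destination port.

# Constructed sample: three hits from 203.0.113.7 and one from 198.51.100.23 on
# port 22, one on port 80, plus an unrelated sshd line that must be ignored.
sample_log() {
    cat <<'EOF'
Mar 10 12:01:02 web1 kernel: [  842.119] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48111 DF PROTO=TCP SPT=51324 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:01:03 web1 kernel: [  843.002] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48112 DF PROTO=TCP SPT=51326 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:01:03 web1 sshd[2231]: Accepted publickey for ops from 198.51.100.23 port 40022 ssh2
Mar 10 12:01:09 web1 kernel: [  849.417] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=198.51.100.23 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9012 DF PROTO=TCP SPT=40023 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:01:10 web1 kernel: [  850.120] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 10 12:01:11 web1 kernel: [  851.300] IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48113 DF PROTO=TCP SPT=51330 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Read log lines on stdin, keep iptables LOG lines for TCP to the given
# destination port (default 22), print "<count> <source>" sorted by count.
top_sources() {
    dpt=${1:-22}
    awk -v dpt="$dpt" '
        /IN=/ && /PROTO=TCP/ {
            src = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) port = substr($i, 5)
            }
            if (src != "" && port == dpt) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Stand-alone use: summarise the constructed sample for port 22.
# On a real host: grep 'DPT=22' /var/log/messages | top_sources 22
sample_log | top_sources 22
```

With the article's DROP rule in place, one line is logged per blocked attempt, so a source near the top of this list with a count far above the hit count has been retrying against a closed door for a while; that is the signal worth alerting on, and the per-source counts are what you would feed into a longer-term block list if you decide to maintain one.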
