* nftables: drop ssh brute force with ip block
From: Irwin L. @ 2016-06-19 18:24 UTC (permalink / raw)
To: netfilter
As subject says.
tcp dport {22} counter limit rate 3/minute counter accept comment "avoid brute force"
I've tried something like this, but it seems to limit ALL ips.
I would prefer to block the ip address for 24 hours or something.
Please suggest
Irwin
* Re: nftables: drop ssh brute force with ip block
From: Pablo Neira Ayuso @ 2016-06-23 10:34 UTC (permalink / raw)
To: Irwin L.; +Cc: netfilter
On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
> As subject says.
>
> tcp dport {22} counter limit rate 3/minute counter accept comment "avoid
> brute force"
>
> I've tried something like this, but it seems to limit ALL ips.
> I would prefer to block the ip address for 24 hours or something.
Try something like:
# nft add rule x y tcp dport 22 \
flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
accept comment \"avoid brute force\"
This is ratelimiting based on the source IP address.
You can consult the content of this flow table via:
# nft list flow table x ssh-bruteforce
...
The current output of this specific command is not stable.
You require a relatively recent kernel and nft 0.6 to get this
working.
BTW, please don't use:
tcp dport { 22}
The curly braces have very specific semantics, i.e. they are requesting
the kernel to create a set. In this specific case, this is overkill
since this will create a set with *only one single element*. Thus:
tcp dport 22
is better.
* Re: nftables: drop ssh brute force with ip block
From: Irwin L. @ 2016-06-23 10:39 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 2016-06-23 18:34, Pablo Neira Ayuso wrote:
> On Mon, Jun 20, 2016 at 02:24:11AM +0800, Irwin L. wrote:
>> As subject says.
>>
>> tcp dport {22} counter limit rate 3/minute counter accept comment "avoid
>> brute force"
>>
>> I've tried something like this, but it seems to limit ALL ips.
>> I would prefer to block the ip address for 24 hours or something.
> Try something like:
>
> # nft add rule x y tcp dport 22 \
> flow table ssh-bruteforce { ip saddr limit rate 3/minute } \
> accept comment \"avoid brute force\"
>
> This is ratelimiting based on the source IP address.
>
> You can consult the content of this flow table via:
>
> # nft list flow table x ssh-bruteforce
> ...
>
> The current output of this specific command is not stable,
>
> You require a relatively recent kernel and nft 0.6 to get this
> working.
>
> BTW, please don't use:
>
> tcp dport { 22}
>
> The curly braces have very specific semantics, ie. they are requesting
> the kernel to create a set. In this specific case, this is overkill
> since this will create a set with *only one single element*. Thus:
>
> tcp dport 22
>
> is better.
I currently use:
tcp dport {22222,40022,42222} ct state new counter flow table bruteforce { ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
Is this ok?
I wanted to ban spamming ips altogether, but I've since learned that
this is the job of 'fail2ban'
Thanks!
* Re: nftables: drop ssh brute force with ip block
From: Pablo Neira Ayuso @ 2016-06-23 10:48 UTC (permalink / raw)
To: Irwin L.; +Cc: netfilter
On Thu, Jun 23, 2016 at 06:39:46PM +0800, Irwin L. wrote:
> I currently use:
> tcp dport {22222,40022,42222} ct state new counter flow table bruteforce {
> ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
>
> Is this ok?
Looks good to me. I would probably check for ct state new in the first
place, given that this only matches the first packet of a new TCP
connection. It will save you the tcp dport set lookup.
Note that you can even limit this per port, i.e.
ct state new tcp dport {22222,40022,42222} counter \
flow table bruteforce { ip saddr . tcp dport limit rate 3/minute } \
counter accept comment "limit bruteforce"
using the 'ip saddr . tcp dport' concatenation. But I guess you want to
globally ban anyone spamming you on those ports anyway.
> I wanted to ban spamming ips altogether, but I've since learned that this is
> the job of 'fail2ban'
fail2ban is nice to have to simplify this administrative hassle, but I
think it is still using iptables (it's been a while since I looked at
that code); we can do much better now with nft to resolve this problem.
* Re: nftables: drop ssh brute force with ip block
From: Irwin L. @ 2016-06-23 10:55 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 2016-06-23 18:48, Pablo Neira Ayuso wrote:
> On Thu, Jun 23, 2016 at 06:39:46PM +0800, Irwin L. wrote:
>> I currently use:
>> tcp dport {22222,40022,42222} ct state new counter flow table bruteforce {
>> ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
>>
>> Is this ok?
> Looks good to me. I would probably check for ct state new in first
> place, given that this only matches the first packet a new TCP
> connections. It will save you the tcp dport set lookup.
>
> Note that you can even limit this per port, ie.
>
> ct state new tcp dport {22222,40022,42222} counter \
> flow table bruteforce { ip saddr . tcp dport limit rate 3/minute } \
> counter accept comment "limit bruteforce"
>
> using the 'ip saddr . tcp dport' concatenation. But I guess you want
> globally ban anyone spamming you to those ports anyway.
>
>> I wanted to ban spamming ips altogether, but I've since learned that this is
>> the job of 'fail2ban'
> fail2ban is nice to have to simplify this administrative hassle, but I
> think it is still using iptables (it's been a while a I didn't look at
> that code), we can do much better now with nft to resolve this problem.
By that do you mean "counter ct state new" instead of "counter flow table"?
Thing is, with this method it only limits. I wonder if nft can blacklist
the ip for 1 day or even 1 week, with the option of manually removing
blacklisted ips.
* Re: nftables: drop ssh brute force with ip block
From: Pablo Neira Ayuso @ 2016-06-23 11:01 UTC (permalink / raw)
To: Irwin L.; +Cc: netfilter
On Thu, Jun 23, 2016 at 06:55:31PM +0800, Irwin L. wrote:
> On 2016-06-23 18:48, Pablo Neira Ayuso wrote:
> >On Thu, Jun 23, 2016 at 06:39:46PM +0800, Irwin L. wrote:
> >>I currently use:
> >>tcp dport {22222,40022,42222} ct state new counter flow table bruteforce {
> >>ip saddr limit rate 3/minute } counter accept comment "limit bruteforce"
> >>
> >>Is this ok?
> >Looks good to me. I would probably check for ct state new in first
> >place, given that this only matches the first packet a new TCP
> >connections. It will save you the tcp dport set lookup.
> >
> >Note that you can even limit this per port, ie.
> >
> > ct state new tcp dport {22222,40022,42222} counter \
> > flow table bruteforce { ip saddr . tcp dport limit rate 3/minute } \
> > counter accept comment "limit bruteforce"
> >
> >using the 'ip saddr . tcp dport' concatenation. But I guess you want
> >globally ban anyone spamming you to those ports anyway.
> >
> >>I wanted to ban spamming ips altogether, but I've since learned that this is
> >>the job of 'fail2ban'
>
> >fail2ban is nice to have to simplify this administrative hassle, but I
> >think it is still using iptables (it's been a while a I didn't look at
> >that code), we can do much better now with nft to resolve this problem.
>
> By that do you mean "counter ct state new" instead of "counter flow table" ?
>
> Thing is with this method, it only limits, I wonder if nft can blacklist the
> ip for 1 day or even 1 week with the option of manually removing blacklisted
> ips manually.
>
I mean, instead of:
tcp dport {22222,40022,42222} ct state new counter
use this:
ct state new tcp dport {22222,40022,42222} counter
so just place the 'ct state new' check first, as most packets
will not go further in the rule evaluation, given that the rule
evaluation happens from left to right. If one of the statements
evaluates false, we stop evaluating and look at the next rule.
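A ruleset that combines both answers from this thread, the per-source rate limit and the time-limited ban that Irwin asked about, written as an added example that is not part of the thread. It uses later nft syntax, where `flow table` was renamed `meter` and sets can be populated from the packet path, so it assumes a newer nft and kernel than the 0.6 discussed above; the table, chain and set names are my choice, while the port numbers are Irwin's.

```nft
# Load once with: nft -f ssh-bruteforce.nft
table inet filter {
    # Dynamic set populated from the packet path. Entries expire after
    # 1 day on their own, or can be deleted by hand at any time.
    set ssh_blacklist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1d
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Already banned sources are dropped before any further evaluation.
        ip saddr @ssh_blacklist counter drop

        # 'ct state new' first, as recommended above: only the first packet
        # of a connection reaches the port set lookup and the meter.
        # The meter keeps one token bucket per source address; a source that
        # opens more than 3 new connections per minute ('over') is added to
        # the blacklist for 1 day and this packet is dropped.
        ct state new tcp dport { 22222, 40022, 42222 } meter ssh_bruteforce { ip saddr limit rate over 3/minute } add @ssh_blacklist { ip saddr timeout 1d } counter drop comment "ban bruteforce"

        # Connections within the limit are accepted.
        ct state new tcp dport { 22222, 40022, 42222 } counter accept comment "ssh within limit"
    }
}
```

`nft list set inet filter ssh_blacklist` shows the banned addresses with their remaining timeouts, and `nft delete element inet filter ssh_blacklist { 203.0.113.5 }` (a documentation-range address used as a placeholder) lifts a ban by hand.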