IPT_RECENT with IPTables
Well you know that iptables can be configured to block or allow certain hosts for certain services. That is fairly simple.
But we have a problem… ???
Suppose you have allowed SSH access to certain hosts (say x.x.x.x) and denied SSH access to certain hosts (say y.y.y.y) using iptables.. well that is done, no problem. But what will happen if hosts on y.y.y.y network spoof their IP’s to x.x.x.x range and then try to break in using some password cracking applications.
In the case iptables will simple give service to illegitimate hosts. OR another situation is — someone on x.x.x.x is trying to break the password using hit and trial or using some application. In the later case, even iptables will allow that hosts from x.x.x.x range the service prompt everytime he is trying to get in. 😮
Now this is DANGEROUS !! 😯
What is the solution ??
The solution is to use “IPT_RECENT” module with iptables. 😛
By using IPT_RECENT module with iptables you can restrict ANY IP for ANY SERVICE if the number of wrong hits exceeds your defined limit.
So, if a illegitimate user even from the allowed range x.x.x.x is trying to break in using some password breaking software, he will not be able to succeed. As after the certain number of “MISS HITS” his IP will be automatically PICKED by the iptables as a HOSTILE HOST and that service will automatically be BLOCKED for that HOST.
That’s enough talking…. now lets see how to configure IPT_RECENT with IPTables.
STEP #1 – Download IPT_RECENT module (it usually comes in tarball). You can download it from link given.
http://www.snowman.net/projects/ipt_recent/ipt_recent-0.3.1.tar.gz
STEP #2 – Gunzip the tarball
gunzip ipt_recent-0.3.1.tar.gz
STEP #3 – Extract the .tar file
tar -xvf ipt_recent-0.3.1.tar
STEP #4 – Load the module using modproble command
modprobe ipt_recent
STEP #5 – Configure the IPTables
iptables -N SSH_CHECK
iptables -I INPUT -p tcp –dport 22 -m state –state NEW -j SSH_CHECK
iptables -I SSH_CHECK -m state –state NEW -m recent –set –name SSH
iptables -I SSH_CHECK -m state –state NEW -m recent –update –seconds 60 –hitcount 4 –name SSH
iptables -I SSH_CHECK -m state –state NEW -m recent –rcheck –seconds 60 –hitcount 4 –name SSH -j DROP
STEP #6 – Save your configuration
service iptables save
STEP #7 – Reload the IPT_RECENT module
modprobe ipt_recent
STEP #8 – Make IPT_RECENT active after reboots. Put the entry in /etc/rc.d/rc.local file
modprobe ipt_recent
JOB IS DONE!!!
Enjoy your Intelligent Defense System.
God Bless.