IPT_RECENT with IPTables

Well you know that iptables can be configured to block or allow certain hosts for certain services. That is fairly simple.

But we have a problem… ???

Suppose you have allowed SSH access to certain hosts (say x.x.x.x) and denied SSH access to certain hosts (say y.y.y.y) using iptables.. well that is done, no problem. But what will happen if hosts on y.y.y.y network spoof their IP’s to x.x.x.x range and then try to break in using some password cracking applications.

In the case iptables will simple give service to illegitimate hosts. OR another situation is — someone on x.x.x.x is trying to break the password using hit and trial or using some application. In the later case, even iptables will allow that hosts from x.x.x.x range the service prompt everytime he is trying to get in.  😮

Now this is DANGEROUS !!  😯

What is the solution ??

The solution is to use “IPT_RECENT” module with iptables.  😛

By using IPT_RECENT module with iptables you can restrict ANY IP for ANY SERVICE if the number of wrong hits exceeds your defined limit.

So, if a illegitimate user even from the allowed range x.x.x.x is trying to break in using some password breaking software, he will not be able to succeed. As after the certain number of “MISS HITS” his IP will be automatically PICKED by the iptables as a HOSTILE HOST and that service will automatically be BLOCKED for that HOST.

That’s enough talking…. now lets see how to configure IPT_RECENT with IPTables.

STEP #1 – Download IPT_RECENT module (it usually comes in tarball). You can download it from link given.

http://www.snowman.net/projects/ipt_recent/ipt_recent-0.3.1.tar.gz

STEP #2 – Gunzip the tarball

gunzip ipt_recent-0.3.1.tar.gz

STEP #3 – Extract the .tar file

tar -xvf ipt_recent-0.3.1.tar

STEP #4 – Load the module using modproble command

modprobe ipt_recent

STEP #5 – Configure the IPTables

iptables -N SSH_CHECK

iptables -I INPUT -p tcp –dport 22 -m state –state NEW -j SSH_CHECK

iptables -I SSH_CHECK -m state –state NEW -m recent –set –name SSH

iptables -I SSH_CHECK -m state –state NEW -m recent –update –seconds 60 –hitcount 4 –name SSH

iptables -I SSH_CHECK -m state –state NEW -m recent –rcheck –seconds 60 –hitcount 4 –name SSH -j DROP

STEP #6 – Save your configuration

service iptables save

STEP #7 – Reload the IPT_RECENT module

modprobe ipt_recent

STEP #8 – Make IPT_RECENT active after reboots. Put the entry in /etc/rc.d/rc.local file

modprobe ipt_recent

JOB IS DONE!!!

Enjoy your Intelligent Defense System.

God Bless.

Advertisements