My home server, an elderly Mac Mini with Debian 8 was recently exposed to the public Internet on port 22, sshd service. I did that on purpose, so I could use the dynamic DNS addressing so I could open a secure shell from wherever I might be, even if that’s not home.
Of course, with a port opened up like this, I have exposed this Mac Mini to the wilds of the public Internet, and it has been scanned thoroughly. When I looked at /var/log/auth.log, it was full of attempts to login using root, admin, and pi. The last one, pi, is hilarious because the hostname was never changed when the OS was migrated from running on my Raspberry Pi, so people who scan the IP and get the hostname think it’s a Raspberry Pi.
This has led to a curious exploration of how to prevent people from scanning and attempting to brute-force my sshd server running on this machine. The passwords are complex, so I’m not really worried about anyone breaking into the box, but I do want to dissuade people from even trying. So after some research, I came up with this iptables definition:
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set
iptables -A INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 86400 –hitcount 3 -j LOGDROP
I adapted a bunch of good ideas floating around on other help pages, and these instructions are rather straightforward until the end. I found the LOGDROP chain to be really useful, it will log and then drop traffic in one call, without having to mess around with multiple log and drop jumps. The next keeps any current SSH shell running no matter what, then everything from loopback, and then everything from my internal network. The next sequence sets up a tracking database in the server, if someone attempts to chat up my sshd server more times than three in a day, their IP addresses are installed in a blacklist and their traffic is dropped.
Obviously this is overkill, and my next step is to add 2FA to PAM on this server so that I will need to enter a password and a six digit 2FA code that changes every 30 seconds and never repeats. If anyone else out there is looking for something similar to this, you’re welcome to try it out. Good luck!