
I'm using firewalld with the iptables backend. I added "direct" rules for ssh connection limiting:

sudo firewall-cmd --add-port=22/tcp

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --set \
  -m comment --comment "limit ssh connections per ip"

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -j REJECT --reject-with tcp-reset \
  -m comment --comment "limit ssh connections per ip"

# ...similarly for ipv6

I also want logging for rejects and drops, so I ran

$ sudo firewall-cmd --set-log-denied all

That mostly works - when I check sudo journalctl --since today --identifier kernel I see those connections... but not those rejected by my direct rules.

On the repo this was confirmed as expected behaviour, and I was told that I must add more direct rules to log my direct rules:

You have to use the iptables log extension, e.g. -j LOG. ... Unfortunately you'll need two direct rules as iptables doesn't support -j LOG -j ACCEPT.

How do I do that?

lonix

1 Answer


Figured it out. One must add another rule, identical to the REJECT or DROP rule, but which jumps to the "non-terminating" LOG target.

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --set \
  -m comment --comment "limit ssh connections per ip"

# the new rule: same match as the REJECT rule below, but it jumps to the
# non-terminating LOG target (rate-limited so the journal is not flooded)
$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -m limit --limit "5/min" \
  -j LOG --log-prefix "[REJECT SSH BRUTE FORCE] " --log-level 6 \
  -m comment --comment "limit ssh connections per ip"

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 2 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -j REJECT --reject-with tcp-reset \
  -m comment --comment "limit ssh connections per ip"

# ...similarly for ipv6

To view logs for those connections:

# all rejected and dropped: --grep matches the MESSAGE field, which does not
# contain the word "kernel", so filter on the identifier and the log prefixes
$ sudo journalctl --identifier kernel --grep 'REJECT|DROP'

# or just ssh brute force attempts
$ sudo journalctl --identifier kernel --grep 'REJECT SSH BRUTE FORCE'

lonix
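As an added example (not code from the question or the answer above, and not part of firewalld), the following script builds the LOG rule and the REJECT rule from one shared match specification so the two direct rules cannot drift apart, emits them for both ipv4 and ipv6 (the "similarly for ipv6" step), and summarises the resulting kernel log lines per source address. The port, window, hitcount, prefix and chain are the values used in the answer; the rate limit on the LOG rule is the answer's 5/min; the journal lines in SAMPLE_LOG are constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example: generate the firewalld direct rules for the ssh rate limit
# from a single match spec, apply them, and summarise the LOG output.
set -e

SSH_PORT=22
WINDOW_SECONDS=61          # -m recent --seconds
HITCOUNT=4                 # -m recent --hitcount
LOG_RATE='5/min'           # -m limit on the LOG rule only, so the journal is not flooded
LOG_PREFIX='[REJECT SSH BRUTE FORCE] '   # xt_LOG accepts at most 29 characters
COMMENT='limit ssh connections per ip'
CHAIN='INPUT_direct'

# Match part shared by the LOG rule and the REJECT rule (everything before -j).
ssh_limit_match() {
    printf '%s' "-p tcp --dport $SSH_PORT -m state --state NEW -m recent --name ssh --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT --rttl"
}

# Print the three firewall-cmd invocations for one address family (ipv4|ipv6),
# one per line, in priority order: 0 records the address, 1 logs, 2 rejects.
# Printing instead of executing lets you review or test them before applying.
ssh_limit_rules() {
    family="$1"
    base="firewall-cmd --direct --add-rule $family filter $CHAIN"
    echo "$base 0 -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name ssh --set -m comment --comment '$COMMENT'"
    echo "$base 1 $(ssh_limit_match) -m limit --limit $LOG_RATE -j LOG --log-prefix '$LOG_PREFIX' --log-level 6 -m comment --comment '$COMMENT'"
    echo "$base 2 $(ssh_limit_match) -j REJECT --reject-with tcp-reset -m comment --comment '$COMMENT'"
}

# Run the generated commands with sudo for both families. These are runtime
# rules, exactly like the ones in the answer; add --permanent (and reload)
# if they must survive a firewalld reload.
ssh_limit_apply() {
    for family in ipv4 ipv6; do
        ssh_limit_rules "$family" | while IFS= read -r cmd; do
            eval "sudo $cmd"
        done
    done
}

# Read kernel log lines on stdin (e.g. from
#   journalctl --identifier kernel --grep 'REJECT SSH BRUTE FORCE')
# and print "count address" for every source that hit the LOG rule, busiest first.
ssh_limit_summary() {
    grep -F -- "$LOG_PREFIX" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample journal output (not captured from a real host), including
# one unrelated log-denied line that the summary must ignore.
SAMPLE_LOG='Jan 01 00:00:01 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 00:00:02 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 00:00:03 host kernel: OTHER_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=3 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 00:00:04 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8::5 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=50002 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0'

# Usage: ./ssh-limit.sh show      print the six rules without applying them
#        ./ssh-limit.sh apply     apply them with sudo
#        journalctl --identifier kernel --grep 'REJECT SSH BRUTE FORCE' | ./ssh-limit.sh summary
case "${1-}" in
    show)    ssh_limit_rules ipv4; ssh_limit_rules ipv6 ;;
    apply)   ssh_limit_apply ;;
    summary) ssh_limit_summary ;;
    *)       printf '%s\n' "$SAMPLE_LOG" | ssh_limit_summary ;;   # demo on the constructed sample
esac
```

Because the LOG rule carries -m limit and the REJECT rule does not, the summary counts logged hits, not every rejected connection; a source that is rejected faster than 5/min will appear with fewer entries than it actually caused. Run `show` first and compare its output with `firewall-cmd --direct --get-all-rules` after applying.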