jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

add nftables variant for dheat attack mitigation #305

Closed antoson closed 3 weeks ago

antoson commented 3 weeks ago

Hi, thank you for this project, it's very useful.

I got excited to try implementing the dheat mitigation with nftables instead of iptables. nftables has been the default firewall framework since Debian 10 Buster.

My progress so far:

#!/usr/sbin/nft -f

flush ruleset

table ip filter {

    set attackers_ip4 {
        type ipv4_addr
        timeout 10s
        flags dynamic
    }

    chain input {
        # drop everything by default, unless accepted by rules below
        type filter hook input priority 0; policy drop;

        # Log all ssh packets with full header details (the prefix must be a quoted string)
        tcp dport 22 log prefix "dheat: " flags all

        # Add IPs that hit the limit to the attackers set (only new connections are counted)
        ct state new tcp dport 22 update @attackers_ip4 { ip saddr limit rate over 1/second burst 25 packets }

        # drop packets from IPs in attackers set
        ip saddr @attackers_ip4 drop

        # accept all other ssh packets
        tcp dport 22 accept

        # accept established connections
        ct state established,related accept

        # accept everything on loopback interface
        iif lo accept
    }
}

Testing dheater on a fresh Debian 12 in QEMU/KVM. nftables service disabled:

https://github.com/user-attachments/assets/7adb3d26-e804-4027-90af-adc65e14f467

Nftables service enabled with ruleset above:

https://github.com/user-attachments/assets/f781e5a6-5684-464c-997b-a823af58f538

Dheater crashes, and I'm not sure if that's intended behaviour. Anyway, the firewall seems to prevent the DoS.

AFAIK, there is no equivalent of a "10 conns per 10 sec" rule in nftables, so I tried a couple of variants of 1/sec + burst N. N=25 was the lowest one that did not disrupt a genuine SSH connection.

I'm still learning. Would you be interested in a PR from me?
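An added example, not from this issue or from ssh-audit: the log rule in the ruleset above writes one kernel line per SSH packet, and this script applies the "10 new connections per 10 seconds" threshold from the iptables guide to such lines offline, so you can check from dmesg which sources the firewall should be catching. The dmesg-style timestamps, addresses and field layout of the sample lines are constructed to match nft's `log ... flags all` output shape.

```python
import re
from collections import defaultdict, deque

# Match a dmesg-style line emitted by: tcp dport 22 log prefix "dheat: " flags all
LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+dheat:\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"\b(?P<k>[A-Z]+)=(?P<v>\S*)")
MAX_NEW = 10     # new attempts allowed per source ...
WINDOW = 10.0    # ... within any 10-second window (the iptables guide's threshold)

def parse_line(line):
    """Return (timestamp, src) for a new SSH connection attempt, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    tokens = rest.split()
    is_syn = "SYN" in tokens and "ACK" not in tokens  # SYN-only == new attempt
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "22" or not is_syn:
        return None
    return float(m.group("ts")), fields["SRC"]

def find_offenders(lines, max_new=MAX_NEW, window=WINDOW):
    """Map each source exceeding max_new attempts within `window` seconds to the
    timestamp at which it first crossed the threshold. Lines must be in time order."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_new and src not in offenders:
            offenders[src] = ts
    return offenders

def _syn_line(ts, src, spt, flag="SYN"):
    # Constructed sample line in the shape nft's "log flags all" produces (hypothetical values).
    return (f"[{ts:.6f}] dheat: IN=ens3 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
            f"SRC={src} DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
            f"SPT={spt} DPT=22 WINDOW=64240 RES=0x00 {flag} URGP=0 OPT (020405B4)")

# Constructed log: one genuine client, one source opening 12 connections in 3 s, then a non-SYN packet
SAMPLE_LOG = ([_syn_line(100.0, "198.51.100.7", 50000), _syn_line(130.0, "198.51.100.7", 50001)]
              + [_syn_line(200.0 + 0.25 * i, "203.0.113.9", 40000 + i) for i in range(12)]
              + [_syn_line(205.0, "203.0.113.9", 40000, flag="ACK")])
```

Running `find_offenders(SAMPLE_LOG)` reports only `203.0.113.9`, at the timestamp of its 11th SYN; the genuine client and the non-SYN packet are ignored.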

jtesta commented 3 weeks ago

> Hi, thank you for this project, it's very useful.

I'm very glad you've found it useful!

> Testing dheater on fresh Debian 12 in QEMU/KVM:

The implementation from https://gitlab.com/dheatattack/dheater was made by someone else, FYI.

> Dheater crashes

Looks like that's a crash in the other implementation, not in ssh-audit.

> Would you be interested in a PR from me?

Might you be able to describe this PR a bit more? ssh-audit doesn't directly include any instructions on rate limiting; instead, it simply links to the hardening guides (https://www.ssh-audit.com/hardening_guides.html).

antoson commented 3 weeks ago

The PR would add an nftables ruleset to the hardening guides as an alternative to iptables ruleset.

jtesta commented 3 weeks ago

Ahh. Well, in that case, the hardening guides are not in any public repository, so you wouldn't be able to submit a PR to them.

antoson commented 3 weeks ago

I thought they were part of this repository, my bad. You're welcome to use the ruleset above for your own use.