Doesn't iptables block SSH brute force?


I have the following iptables file:

# Generated by iptables-save v1.4.21 on Sat Jul  8 11:48:38 2017
*raw
:PREROUTING ACCEPT [75178374:102748773110]
:OUTPUT ACCEPT [48791071:12009917336]
COMMIT
# Completed on Sat Jul  8 11:48:38 2017
# Generated by iptables-save v1.4.21 on Sat Jul  8 11:48:38 2017
*nat
:PREROUTING ACCEPT [30891:2719901]
:POSTROUTING ACCEPT [102225:7602312]
:OUTPUT ACCEPT [85794:6945072]
COMMIT
# Completed on Sat Jul  8 11:48:38 2017
# Generated by iptables-save v1.4.21 on Sat Jul  8 11:48:38 2017
*mangle
:PREROUTING ACCEPT [75178374:102748773110]
:INPUT ACCEPT [75177630:102748652126]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48791071:12009917336]
:POSTROUTING ACCEPT [48791629:12010008074]
COMMIT
# Completed on Sat Jul  8 11:48:38 2017
# Generated by iptables-save v1.4.21 on Sat Jul  8 11:48:38 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [260:167959]
:FILTER - [0:0]
:LOGDROP - [0:0]
:SERVICE - [0:0]
:SSH - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -m comment --comment "Throttle pings to 10/m" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Drop pings over threshold" -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow all established connections" -j ACCEPT
-A INPUT -i lo -m comment --comment "Allow loopback traffic" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "Drop invalid packets" -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m comment --comment "Pass TCP traffic to FILTER chain" -j FILTER
-A INPUT -p udp -m conntrack --ctstate NEW -m comment --comment "Pass UDP traffic to FILTER chain" -j FILTER
-A INPUT -m comment --comment "Reject other protocols" -j REJECT --reject-with icmp-proto-unreachable
-A FILTER -p tcp -m recent --update --seconds 60 --name BLACKLIST --rsource -m comment --comment "Block SYN scans" -j REJECT --reject-with tcp-reset
-A FILTER -p udp -m recent --update --seconds 60 --name BLACKLIST --rsource -m comment --comment "Block UDP scans" -j REJECT --reject-with icmp-port-unreachable
-A FILTER -m comment --comment "Pass traffic to SERVICE chain to check for valid service port" -j SERVICE
-A FILTER -p tcp -m recent --set --name BLACKLIST --rsource -m comment --comment "Blacklist SYN scans" -j REJECT --reject-with tcp-reset
-A FILTER -p udp -m recent --set --name BLACKLIST --rsource -m comment --comment "Blacklist UDP scans" -j REJECT --reject-with icmp-port-unreachable
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A SERVICE -i venet0 -p tcp -m tcp --dport 1984 -m comment --comment "Pass SSH to SSH chain" -j SSH
-A SERVICE -i venet0 -p tcp -m tcp --dport 443 -m comment --comment "Allow data HTTPS on 443" -j ACCEPT
-A SSH -m recent --rcheck --seconds 15 --hitcount 3 --rttl --name BRUTEFORCE --rsource -m comment --comment "Block SSH > 3 in 15s" -j LOGDROP
-A SSH -m recent --rcheck --seconds 900 --hitcount 10 --rttl --name BRUTEFORCE --rsource -m comment --comment "Block SSH > 10 in 900s" -j LOGDROP
-A SSH -m recent --set --name BRUTEFORCE --rsource -m comment --comment "Allow SSH not blacklisted" -j ACCEPT
COMMIT
# Completed on Sat Jul  8 11:48:38 2017

SSH goes from INPUT (TCP) to the FILTER chain, then to the SERVICE chain, and then on to the SSH chain, which in theory should drop and log any SSH failures as configured, right?

When I ssh to the host and keep entering a wrong root password, it allows 6 attempts before rejecting, rather than the 3 or 15 from the options?

Based on the rules above, is the SSH chain set up correctly, or am I missing something?

Thanks
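Added example (not code from the question or the answer): a small Python model of how the FILTER and SSH chains above treat packets from one source, using the semantics of the `recent` match (`--set` records a hit, `--rcheck --seconds S --hitcount H` matches once H hits fall within the last S seconds, `--update` additionally refreshes the source's timestamp on a match). It goes slightly beyond the SSH chain by also modelling the BLACKLIST rules of the FILTER chain. Every evaluation is one new TCP connection (`--ctstate NEW`), so password retries inside an already accepted session never reach these rules; that count is governed by sshd's own MaxAuthTries (6 by default in OpenSSH). Source addresses, port 22 and timings are constructed; `--rttl`, the `-i venet0` match and the UDP rules are omitted.

```python
from dataclasses import dataclass, field


@dataclass
class RecentList:
    """One xt_recent list: per-source hit timestamps (--rttl and the stamp cap omitted)."""
    stamps: dict = field(default_factory=dict)

    def set(self, src, now):
        # --set: record a hit for this source (creates the entry if needed)
        self.stamps.setdefault(src, []).append(now)

    def rcheck(self, src, now, seconds, hitcount=1):
        # --rcheck --seconds S --hitcount H: at least H hits within the last S seconds
        hits = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        return len(hits) >= hitcount

    def update(self, src, now, seconds):
        # --update: like --rcheck, but a match also refreshes the source's timestamp
        if self.rcheck(src, now, seconds):
            self.set(src, now)
            return True
        return False


SERVICE_PORTS = {1984: "SSH", 443: "ACCEPT"}  # the two rules of the SERVICE chain

def ssh_chain(bruteforce, src, now):
    """SSH chain verdict; each call is one new connection, not one password attempt."""
    if bruteforce.rcheck(src, now, 15, 3):     # "Block SSH > 3 in 15s"
        return "LOGDROP"
    if bruteforce.rcheck(src, now, 900, 10):   # "Block SSH > 10 in 900s"
        return "LOGDROP"
    bruteforce.set(src, now)                   # only accepted connections are recorded
    return "ACCEPT"

def filter_chain(blacklist, bruteforce, src, dport, now):
    """FILTER chain verdict for one NEW TCP packet (UDP and -i venet0 omitted)."""
    if blacklist.update(src, now, 60):         # "Block SYN scans": listed within 60s, timer refreshed
        return "REJECT"
    target = SERVICE_PORTS.get(dport)
    if target == "ACCEPT":
        return "ACCEPT"
    if target == "SSH":
        return ssh_chain(bruteforce, src, now)
    blacklist.set(src, now)                    # "Blacklist SYN scans": unknown port lists the source
    return "REJECT"

def simulate(packets):
    """packets: constructed (time_seconds, src, dport) tuples; returns one verdict each."""
    blacklist, bruteforce = RecentList(), RecentList()
    return [filter_chain(blacklist, bruteforce, s, p, t) for t, s, p in packets]
```

With four SSH connections within 15 seconds the fourth is dropped; a source that first touches an unserved port is rejected on every port until it has stayed quiet for 60 seconds.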

Answer 1

Problem solved: the issue was that the VPS host logs kernel messages to /proc/kmsg.

After adding $ModLoad imklog.so to rsyslog.conf I can now see the iptables drop logs.

So the configuration works fine; it just wasn't being logged correctly on the VPS host.

Thanks
