GeoIP blocking SSH connections

mellow · February 24, 2021, 4:45pm

Hey everyone, looking to implement some GeoIP blocking for incoming ssh connections. Anyone willing to share a working setup / how to. Because I’m totally confused with Maxmind’s GeoIPupdate and how to get this working with IPtables. Apparently this shouldn’t be hard - but all the guides I’m following lead up to a point that they’re somehow not using Maxminds latest tool geoipupdate… So…

daveteu · February 24, 2021, 7:49pm

if you disabled root login and password login, and require login with privatekey, it should be pretty safe already.

KiekerJan · February 24, 2021, 8:32pm

I used this https://www.axllent.org/docs/ssh-geoip/ as basis for a geoip based SSH filter. Then I added a fail2ban filter on top of that
Like daveteu mentioned, probably overkill, but it gives me some more rest in my mind and it was a nice exercise in learning about new stuff.

daveteu · February 25, 2021, 8:55am

Haha it’s not about being overkill…

I had this script running before, and I had all the DENYs logged as well. For a start… i get stressed when I see so many people trying to access my box, then I realise I cannot do anything about it… then soon I realise all my security are already in place, and these people can’t do anything to my box as well… Then I just become more confident (or complacent) about the security from private keys ssh, and all the necessary firewalls.

alento · February 25, 2021, 1:21pm

Just an interesting anecdote …

Very recently somewhere (on this forum I believe) I had a discussion about changing the default SSH port and was immediately chastised for ‘security by obscurity’ as being a waste of time.

I am running 4 DNS servers on Centos VM’s. Centos reports the number of failed SSH attempts everytime you log in. Yesterday, I had reason to log in to two of those servers for some reason. One of them reported 11 failed log in attempts while the other reported none. My previous log ins were on October 10. So, 3 months and 2 weeks ago. When my SSH port was the default port 22, the number of failed attempts were in the thousands daily.

Just saying …

daveteu · February 25, 2021, 1:37pm

I agree with you, that ‘security by obscurity’ is NOT a waste of time, and changing ssh ports may be desirable for some (though other things like firewall actually take care of this).

It’s only a waste of time, if you are specifically targetted (though unlikely… unless you are running a Bank or something).

I faced the same situation back in those days where I was still running hundreds of Wordpress installation for my clients, and people from forums were talking about “security by obscurity” when I decided to change my /wp-admin path (it’s the admin panel) to something else, in order to hide it.

Unlike SSH, which can be protected by firewall, /wp-admin paths can be exploited, and your entire server could be taken over.

Hey, I never had bots random scanning my /wp-admin path for exploits after i changed it to something random, and none of my sites ever got hacked/exploit all those years. Against the norms? No regrets.

openletter · February 27, 2021, 4:23pm

It is notable that there are only 65,535 ports while there are effectively infinite URL subdirectories, so the tactic of port reassignment is not same as directory random naming.

daveteu · February 28, 2021, 10:10am

It’s also notable that if scanning 10000 machines takes 1 second for open port 22, scanning all 65,535 ports for all 10000 machines will effectively take 18 hours vs 1 second. @alento’s situation is a good proof that not many malware out there will scan all your 65,535 ports to first check it’s open, then check that it accepts a telnet/ssh connection. Changing port effectively bring down your chance of being targetted by 65,535 times (presumedly, not good at statistics).

Hence, I believe, “security by obscurity” is not effective, only if you are specifically targetted by a competitor (for example), and takes the time to find all ways to get into your server. So basic hardening of server is still necessary, changing ports, is just a step up, though many may disagree.

scan your server for open ports https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap#

openletter · February 28, 2021, 2:09pm

I have no idea where this one per second comes from, as I’ve seen 100 per second on my residential IP address, where I once even had a sustained 600 kbps stream of garbage thrown at my network gateway for months.

Easily 10 per second is achievable, which is a couple of hours to scan all ports. Given that people rarely change ports, a library can be made of open ports on IP addresses and distributed in she script kiddie software.

daveteu · February 28, 2021, 2:26pm

i didn’t say one per second. i said scanning 10,000 machines per second. which is a very big number.

600kbps stream of garbage thrown to you is what i meant by targetted, which is almost as good as ddos and different from ssh port scanning to look for unprotected machines.

openletter · February 28, 2021, 2:40pm

Yes, I misread your post. However, you still don’t address the library issue, which is what the bad guys will do.

daveteu · February 28, 2021, 5:16pm

they can’t do anything, the difference between changing ports and not changing ports, is just an additional inconvenience for them.

Changing ports does not mean you forgo your basic security practices like keys and preventing root logins. It’s just one more step to letting the random bots think port 22 is close, okay move on, don’t scan again, and then you have a smaller log file size.