DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

I get the above with a clean/fresh CentOS 5.2 64bit install
 
I've found the issue; in the later kernel versions some modules have been replaced with newer ones: specifically modules beginning with ipt have been replaced with modules beginning with xt.

I've placed more recent versions at my download page, here.

Jeff

This script solved the problem for me. Thanks
 
Server crash after KISS install

We installed KISS on a CentOS 5.2 64 bit unmanaged server and received the "KISS is running message".

We then started to download DDOS Deflate and the server froze. Now we cannot connect to the server at all - DA or ssh. Reboot did not resolve the issue.

Any ideas before I have to ask the host to reinstall the OS? :(

edit: no ports are open when I scan the IP.
 
Why would you have your host reinstall the OS? Have them log in via the console and:

iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Have you tried sshing to the server with another IP address?
 
The host ran:

/etc/init.d/iptables stop

but the problem returned shortly afterwards and I'm locked out again.
 
It sounds as though you're running two firewalls at once. That is not normal behavior for iptables. I recommend you get someone to take a look at your server.
 
I have iptables and KISS. Do I have to stop or flush iptables before using KISS?
(this is my 1st dedicated)
 
KISS and IP bans

I have quite a few banned IPs and would like to know how to ban a complete set, like
IP 123.456.789.123, I want to ban all in the range 123.xxx.xxx.xxx
or 123.456.xxx.xxx
Every once in a while I will get multiple hits trying ssh, so I ban each IP.
a) Can KISS be setup to "Auto Ban" after x attempts ?
b) Are there any sets of IPs that are known bad and can be added just to be on the safe side?
 
a) no. For that you may want to use APF+BFD.

b) Yes, but you'll have to decide which ones. For example, you may want to block China; I don't.

Jeff
 
Auto Ban

After seeing many attempts from a single IP I would add to host.deny, or in the KISS block list but sometimes they never return so it seems fruitless.
Went on a Google search and found this; could this be added to KISS in the config?
How to deter SSH brute force login attacks with iptables

Using the iptables recent module it's easy to stop ssh login brute force attacks. Every time a tcp connection to our ssh daemon is torn down, we update our temporary list of IPs connecting to our ssh daemon. If the same IP connects more than 4 times during 60 seconds, it will be blocked. Adjust --hitcount and --seconds to fit your needs.

iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags RST RST --dport 22 -m recent --name sshattack --set
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit --limit 4/minute -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP
 
Anyone know how to have DA auto add offending IPs/hosts to the hosts.deny?
I don't have Python installed; seen a possible script that would work but it needs Python.
The post above seems like a good idea, where x attempts in x time; it would stop the 50 or so bursts I'm getting, like this one:
Sep 2 06:57:10 srv2 sshd(pam_unix)[4898]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:11 srv2 sshd(pam_unix)[4900]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:14 srv2 sshd(pam_unix)[4904]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:15 srv2 sshd(pam_unix)[4906]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root

Found yet another much simpler code and want to add it to KISS:
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
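To see what the two-rule version above actually does to a burst like the one in the log, here is a small simulation added for this thread; it is not code from KISS, from the blog post, or from anyone in the thread. It models one iptables "recent" list (a short list of timestamps per source address, the kernel keeps 20 by default), replays NEW ssh connection attempts through rule 1 (--set) and rule 2 (--update --seconds 60 --hitcount 8 -j DROP), and reports which attempts would have been dropped. The log lines are constructed from the four quoted above, extended with more attempts from the same rhost, an unrelated host, and two late attempts that cross the 60 s window; the year 2008 and the host 10.0.0.5 are assumptions. The --rttl TTL match is not modelled since the sample carries no TTL. The blog's four-rule variant differs only in which packet records the hit (connection teardown instead of a NEW packet) and in using --rcheck instead of --update, so the counting shown here applies to it as well.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ATTACKER, BENIGN = "85.115.100.144", "10.0.0.5"   # first is the rhost quoted in the thread; second is assumed

def _line(ts, pid, rhost, user="root"):
    # Same layout as the sshd(pam_unix) lines quoted in the thread.
    return (f"Sep 2 {ts} srv2 sshd(pam_unix)[{pid}]: authentication failure; "
            f"logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost} user={user}")

# Constructed sample: the four quoted attempts, continued with more from the same
# host, two from an unrelated host, and two late ones that cross the 60 s window.
LOG_LINES = [
    _line("06:57:10", 4898, ATTACKER), _line("06:57:11", 4900, ATTACKER),
    _line("06:57:12", 4901, BENIGN, "admin"),
    _line("06:57:14", 4904, ATTACKER), _line("06:57:15", 4906, ATTACKER),
    _line("06:57:17", 4908, ATTACKER), _line("06:57:19", 4910, ATTACKER),
    _line("06:57:21", 4912, ATTACKER), _line("06:57:23", 4914, ATTACKER),
    _line("06:57:25", 4916, ATTACKER),
    _line("06:57:30", 4918, BENIGN, "admin"),
    _line("06:58:00", 4920, ATTACKER), _line("06:59:00", 4922, ATTACKER),
]

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                    r"authentication failure;.*\brhost=(\S+)")

def parse_log(lines, year=2008):
    """Return [(epoch_seconds, rhost)] for each auth-failure line, oldest first.
    syslog lines carry no year, so one is assumed (2008 fits the thread)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())            # collapse "Sep  2" to "Sep 2"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts.timestamp(), m.group(2)))
    return sorted(events)

class RecentList:
    """Minimal model of one iptables 'recent' list: the last `max_hits`
    timestamps per source address (the kernel default is 20)."""
    def __init__(self, max_hits=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_hits))

    def set(self, addr, now):                              # --set: record this packet
        self.stamps[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):        # --rcheck --seconds --hitcount
        recent = [t for t in self.stamps.get(addr, ()) if now - t <= seconds]
        return len(recent) >= hitcount

    def update(self, addr, now, seconds, hitcount):        # --update: rcheck, refresh on match
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self.stamps[addr].append(now)
        return matched

def simulate(events, seconds=60, hitcount=8):
    """Walk NEW connection attempts through the two posted rules:
       1. --dport 22 --state NEW -m recent --set --name SSH
       2. --dport 22 --state NEW -m recent --update --seconds S --hitcount N -j DROP
    Returns [(epoch, ip, "ACCEPT"|"DROP")] in order."""
    ssh = RecentList()
    verdicts = []
    for now, ip in events:
        ssh.set(ip, now)                                   # rule 1 fires on every attempt
        dropped = ssh.update(ip, now, seconds, hitcount)   # rule 2 decides
        verdicts.append((now, ip, "DROP" if dropped else "ACCEPT"))
    return verdicts

def summarize(verdicts):
    """{ip: (accepted, dropped)} over the whole replay."""
    totals = defaultdict(lambda: [0, 0])
    for _, ip, verdict in verdicts:
        totals[ip][0 if verdict == "ACCEPT" else 1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}

def first_dropped_attempt(verdicts, ip):
    """1-based index of the first attempt from `ip` that is dropped, or None."""
    n = 0
    for _, addr, verdict in verdicts:
        if addr != ip:
            continue
        n += 1
        if verdict == "DROP":
            return n
    return None

if __name__ == "__main__":
    verdicts = simulate(parse_log(LOG_LINES))
    for now, ip, verdict in verdicts:
        print(f"{datetime.fromtimestamp(now):%H:%M:%S} {ip:>15} {verdict}")
    print(summarize(verdicts))
```

Two things worth noticing in the output. Because rule 1's --set has already recorded the current attempt before rule 2 counts, --hitcount 8 lets exactly seven connections through and drops the eighth, which is what the later post in this thread reports ("they got 7 tries"). And because --set keeps refreshing the entry on every attempt, a host that keeps hammering stays blocked; it only gets through again after it has been quiet for the full --seconds window, as the 06:59:00 attempt shows.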
 
Thank you Jeff,

Doesn't seem that the author is around anymore :confused:
Almost ready to abort KISS and try your recommendation of APF+BFD.
 
KISS is exactly what the name implies. A simple firewall. If you need more features, then definitely install something else, or do your firewalling manually.

What doesn't KISS do that you want?

Jeff
 
Correct, KISS is great as a simple FW and it works. I just wanted to add some code to the iptables rules to drop excessive attempts on shell; the code I found looks like it would do that, but I am not sure where to insert it or if it needs tweaking to be right.
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
 
Well, I tried it myself and didn't break anything (the code above).
Had another ssh attempt; usually there are a hundred tries, this one was 28 and then stopped. Don't know if they gave up on their own or if the new rule had something to do with it.
I placed the code in where the commented out "Provide some syn-flood protection" is, started kiss and have this listed in the kiss output:
W recent: SET name: SSH side: source
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 8 TTL-Match name: SSH side: source

I would believe it would only give 8 tries in 60 seconds, did I place in the wrong area in KISS?
 
So it seems to work :rolleyes:
I like it better than having to add to the hosts.deny daily.
Several more attempts were made and they got 7 tries before ending. :)
 
You didn't say where you put it. So hard to say if it's in the right place or not :).

If it works at all, then I say it's working; if it were in the wrong place it wouldn't work at all.

Where did you put it?

Don't forget that KISS is simply an interface to iptables, which is an interface to the kernel's netfilter. So when you do a KISS status all you're really doing is a printout of the current iptables configuration as set by KISS and/or anything else.

Jeff
 