Sometimes, I take the liberty of looking through the log files of my server. Invariably, there's something like the following at the bottom:
Sample SSH log file
This is repeated for a few hundred lines, and is followed a few hours later by another batch of attacks from another IP. It gets tiresome for one's bandwidth to be taken up by these attempts at logins, especially when the server only has one valid user, as is the case for my setup.
I decided to put an end to this, by implementing a whitelist: allowing
specific IPs through at the firewall, and blocking all others. Fortunately,
I run an OpenWRT installation on my Internet router, which provides Linux's
iptables infrastructure for the manipulation of firewall rules.
In this article, I'll detail how I set up my whitelist system, and how you
can do the same.
What you'll need
My network consists of a Linksys WRT54G wireless router hosting the firewall, and a webserver running a distribution of Linux. For the purposes of this setup, the particulars of the webserver aren't an issue, but you will need:
- My Linksys router has been reflashed with OpenWRT Whiterussian, which
iptablesfirewall, along with simplification scripts for the firewall rules. Any Linux box can act as the firewall, as long as you can pull the appropriate formatting together for the rules.
- PHP with PECL-SSH2:
- OpenWRT provides SSH access to the router, which allows for direct editing of the firewall configuration file. We'll be using this to our advantage, by programmatically adding IPs to the whitelist using PHP.
- An external computer:
- The easiest way to test the whitelist setup is by using a computer that's outside the LAN; this will allow you to check that packets are being appropriately blocked at the router, which will not necessarily be the case if you're going between computers inside the LAN.
The OpenWRT Firewall
OpenWRT provides a simple wrapper over the Linux
awk to rewrite the contents of a configuration
file into filtering and NAT rules, which are then applied by an init script.
There's also a wrapper on top of that, which constitutes the Web interface
to the firewall; it is this interface that most people associate with the
The major issues with the Web interface are that it's relatively clunky, especially when it comes to changing the order of firewall rules; new rules are added to the bottom of the list, and moving them to the top involves an arduous series of clicks and page loads. For most purposes, direct editing of the configuration file makes more sense.
A simple configuration may contain among its rules the following:
OpenWRT's /etc/config/firewall: A sample
This sample script will allow the firewall to
requests from inside the LAN,
forward SSH and HTTP to a server
at 192.168.0.1, and
drop everything else. The parameters to each
rule are parsed out by the init script, and built into
Just as with
iptables, these rules are processed in order,
and the first rule to match the incoming packet is applied. By using this
principle, it's simple to put together a ruleset which will act as a
whitelist for SSH:
Whitelisting SSH: firewall ruleset
In this example, any SSH packets coming from specific external IPs will be forwarded to the SSH server, and any other SSH packets will be dropped at the firewall. This is the behaviour which allows a whitelist: the next problem is how to add IPs to the list.
Adding IPs to the Whitelist
There are two ways to add addresses to this firewall ruleset. The first is to SSH into the OpenWRT router, edit the configuration file to add the appropriate rule, and then restarting the firewall service:
Manually updating the whitelist
The problems with this method are two-fold:
- Ease of use:
- This manual method of updating the list doesn't constitute the most user-friendly interface to addition of IPs, and it can get tiresome to add IPs months or years after the whitelist is initially put into place.
- Almost exclusively, access to the router's SSH port is only available from inside the LAN. From an external viewpoint, this availability will only exist by connecting from the accessible SSH server residing on the LAN. This in turn is governed by the whitelist, held on the router. The eponymous Catch-22 situation is an apt description of this problem.
Instead of using a manual process to update the list, it's possible to provide an externally-accessible interface to add IPs. In my case, I have a Web server (which happens to be my SSH server), so I can use a Web script to provide this interface; for the purposes of this article, PHP has been used as the language doing the work.
PHP doesn't have an interface to SSH version 2 by default: this is
provided by a PECL extension named
ssh2. Once this has been
put in place, a variety of methods are exposed to allow for SSH connections
to be made. These can be used to perform work on the OpenWRT router:
Use PECL_ssh2 to connect to the router
As an aside, if you don't like having the router's root password lying around in a PHP file, the PECL ssh2 extension also provides a public key authentication mechanism, and the SSH server on an OpenWRT installation allows addition of public keys in the same manner as OpenSSH.
Using PHP to automatically add IPs
Opening an interactive shell with
ssh2_shell allows more
than one command to be executed, which means we can do the file
manipulation required to add an address to the list. We can combine
everything, to produce the following script.
ssh.php: Add an IP to the router's whitelist
All that's required now is to navigate to this script, put an IP into the box, and wait 10 seconds. When this process has completed, the IP has automatically been added to the top of the firewall script, and the firewall restarted.
That should be everything you need to set up your own whitelist access list for SSH. No more brute-force attacks against your server!
Copyright Imran Nazar <firstname.lastname@example.org>, 2008
Article dated: 9th May 2008