Counting remote accessed hosts

FlorinMarian

Active Member
Nov 13, 2017
Hello!
I own a hosting company and I often face the situation where my clients using weak passwords end up being broken into, and at the same time my VPSs become the source of scans against other hosting companies.
I managed to block, through Suricata, the situation in which a client scans a certain IP address for several ports or tries several passwords on the SSH port.
What I fail to do is prevent a client from sending TCP or UDP packets to detect, on a /24 subnet, which IP addresses have port 22 or another specific port open.
I recently tried iptables with the "hashlimit" module, but from what I've tested, hashlimit doesn't distinguish between accessing the same 4 IP addresses 3 times each in the last x seconds and accessing 12 different IP addresses in the same time frame.
Any help is welcome.
Thanks!

oguz

Proxmox Staff Member
Retired Staff
Nov 19, 2018
What I fail to do is prevent a client from sending TCP or UDP packets to detect on a subnet /24 which IP addresses have port 22 or another specific port open.
you can write a rule for Suricata, something along the lines of this:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
(taken from [0])

for your case you can adjust the count and seconds for the threshold, and you'll have to swap the $EXTERNAL_NET and $HOME_NET (since you're trying to detect outbound scans).

though be aware that there are definitely ways to get around these filters, for example by running a slower and more patient scan. therefore I wouldn't depend on it too much.

[0]: https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules
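As an added example (not from this thread and not part of Suricata), here is a small Python detector that does the distinct-destination counting the first post asks for and that hashlimit cannot: it reads Suricata eve.json "flow" records, keeps a sliding window per source, and only reports a source once it has reached more than N different hosts on the watched port. Addresses, timestamps and thresholds below are constructed sample values, as is the `make_flow` helper.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def distinct_dest_scanners(eve_lines, port=22, max_hosts=10, window_s=60):
    """Return {src_ip: peak distinct destination count} for sources that
    contacted more than max_hosts different IPs on `port` within window_s.

    eve_lines: Suricata eve.json records (JSON strings), assumed to be in
    timestamp order, as Suricata writes them.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, dest_ip)
    offenders = {}
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow" or ev.get("dest_port") != port:
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        q = recent[ev["src_ip"]]
        q.append((ts, ev["dest_ip"]))
        # Expire entries that fell out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct hosts, not packets: 12 flows to 4 hosts stays at 4
        hosts = {dst for _, dst in q}
        if len(hosts) > max_hosts:
            offenders[ev["src_ip"]] = max(len(hosts), offenders.get(ev["src_ip"], 0))
    return offenders

def make_flow(src, dst, second):
    """Build a constructed eve.json-style flow record (sample data, not real traffic)."""
    return json.dumps({"timestamp": f"2024-01-01T00:00:{second:02d}+00:00",
                       "event_type": "flow", "src_ip": src, "dest_ip": dst,
                       "dest_port": 22, "proto": "TCP"})

# Constructed sample: 10.0.0.5 hits the same 4 hosts 3 times each (12 flows),
# 10.0.0.6 hits 12 different hosts once each. Only the second is a sweep.
SAMPLE = [make_flow("10.0.0.5", f"203.0.113.{1 + i % 4}", i) for i in range(12)] + \
         [make_flow("10.0.0.6", f"203.0.113.{10 + i}", i) for i in range(12)]

if __name__ == "__main__":
    print(distinct_dest_scanners(SAMPLE))  # {'10.0.0.6': 12}
```

The same per-source set logic can be fed from a flow exporter or conntrack log instead of eve.json; the only requirement is a source, destination, port and timestamp per record.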
