Help! Block Limit incoming Ping on entire IPranges/ Network and SSH Limit

CristianD · February 18, 2021, 7:47am

Hello,

Yerstaday night i had a strange think on ower network witch was i think ddos i dont truly didnt understand what its hapening because was like 1m icmp on one /23 so i whant somehow to block it or limit it or sompting to avoid this.

In vyos i set this: all-ping disable but the servers/vms stil ping works.

And if someone can provide me a firewall ssh rate limit, protection cuz i`m tired of this:

There were 23632 failed login attempts since the last successful login.

After just 10Min a VM is On

Viacheslav · February 18, 2021, 8:26am

You can use not standard port for ssh, for example 8822, 2222, 64254

set service ssh port '8822'

If possible it will be a best practice to allow only predefined IP for ssh.
Also if possible, use default action DROP for firewall, but it depends. And allow only what you want/know.

An example firewall that allows ssh from 203.0.113.1 and 192.168.122.1
Also, it deny ICMP for network 10.0.0.0/23.
As for me, deny all ICMP it’s a bad idea. But you can try.

set firewall group address-group ALLOW-SSH address '203.0.113.1'
set firewall group address-group ALLOW-SSH address '192.168.122.1'
set firewall group network-group NET network '10.0.0.0/23'
set firewall name WAN-IN default-action 'accept'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 destination port '22'
set firewall name WAN-IN rule 10 protocol 'tcp'
set firewall name WAN-IN rule 10 source group address-group 'ALLOW-SSH'
set firewall name WAN-IN rule 20 action 'drop'
set firewall name WAN-IN rule 20 destination port '22'
set firewall name WAN-IN rule 20 protocol 'tcp'
set firewall name WAN-FW-IN default-action 'accept'
set firewall name WAN-FW-IN rule 10 action 'drop'
set firewall name WAN-FW-IN rule 10 destination group network-group 'NET'
set firewall name WAN-FW-IN rule 10 protocol 'icmp'
set interfaces ethernet eth0 firewall in name 'WAN-FW-IN'
set interfaces ethernet eth0 firewall local name 'WAN-IN'

CristianD · February 18, 2021, 8:41am

Hello,

Regarding the ssh we never use default ports on ower VM-s, Or Servers, Or on VYos, this is what i dont understand, they still do brute force.
Ccustomers they do use port 22 cuz they dont know to change it or its just nothink special for them to change it.

Not necesary to block it but limit it, example ping coming from an IP and it keeps ping it for h.

Viacheslav · February 18, 2021, 9:19am

You can use “recent count” and “recent time”
Select the parameters you need for these values.

set firewall name WAN-IN default-action 'accept'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'
set firewall name WAN-IN rule 20 action 'drop'
set firewall name WAN-IN rule 20 destination port '22'
set firewall name WAN-IN rule 20 protocol 'tcp'
set firewall name WAN-IN rule 20 recent count '5'
set firewall name WAN-IN rule 20 recent time '120'
set interfaces ethernet eth0 firewall local name 'WAN-IN'

As you can see it blocked source if it trying to connect to port 22 more than 5 times per 120 sec

vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ 
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ 
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ 
vyos@r2-roll:~$ curl 192.168.122.14:22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Protocol mismatch.
curl: (56) Recv failure: Connection reset by peer
vyos@r2-roll:~$ 
vyos@r2-roll:~$ curl 192.168.122.14:22
^C
vyos@r2-roll:~$ curl 192.168.122.14:22
^C
vyos@r2-roll:~$ curl 192.168.122.14:22

FIrewall statistics:

IPv4 Firewall "WAN-IN":

 Active on (eth0,LOCAL)

rule  packets   bytes     action  source              destination
----  -------   -----     ------  ------              -----------
10    939       70.49K    ACCEPT  0.0.0.0/0           0.0.0.0/0           
20    68        4.92K     DROP    0.0.0.0/0           0.0.0.0/0           
10000 34        2.33K     ACCEPT  0.0.0.0/0           0.0.0.0/0

CristianD · February 18, 2021, 9:46am

Shoud i set this to ISP interface or Switch Interface ?

eth0 ISP
eth1.2288 ISP
eth2.2299 ISP

eth5 10GB > Switch

For how long it will block the source ?

Viacheslav · February 18, 2021, 1:18pm

It depends, where you want to block incoming or forwarding traffic

CristianD · February 18, 2021, 1:41pm

I set on the ISP is working all ok.

How about the ping ?

Viacheslav · February 18, 2021, 3:15pm

As I mentioned above, You can use “recent count” and “recent time”