Managing brute-force attacks with Shorewall
A consequence of providing Internet-facing services is that they will be subjected to brute-force password cracking attacks. A common defence for these attacks is to employ solutions like fail2ban or sshguard on the affected systems.
Unfortunately, I am running our services within systemd-nspawn containers which exhibit the characteristic that kernel features cannot be modified. As fail2ban and sshguard make use of firewall tables to implement IP address blocking this is not an option for me.
I employ Shorewall to provide firewalling and routing functions within the host operating system and it has a few features useful for blocking these attacks although they require manual configuration.
At this point I should acknowledge that Postfix and Shorewall permit rate-limiting of incoming traffic. While this has the effect of slowing the progress of a brute-force attack, it doesn't provide a preventative solution - only by blocking the offender can safety be assured.
Shorewall provides the facility to drop or reject incoming packets from either a single IP address, an IP address subnet or a range of IP addresses. The former of these can be performed on the command line while the latter two require the editing of a configuration file and reloading of the Shorewall daemon.
To block a single IP address you can execute the following command on the firewall host:
shorewall drop nnn.nnn.nnn.nnn
To block a subnet of IP addresses the following can be entered into /etc/shorewall/blrules:
BLACKLIST net:nnn.nnn.nnn.nnn/24
To block a range of IP addresses the following can be entered into /etc/shorewall/blrules:
BLACKLIST net:sss.sss.sss.sss-eee.eee.eee.eee all
Further configuration of /etc/shorewall/shorewall.conf is required to use these methods i.e. DYNAMIC_BLACKLIST=Yes is required for blocking single IP addresses using the shorewall command line method. Similarly, BLACKLIST_DISPOSITION=DROP and, optionally, BLACKLIST_LOG_LEVEL determine how IP address subnets and ranges are handled and whether logging is performed.
Using both of these methods I block single, perhaps transient, offending IP addresses with the command line method. Firewall rules added using this method don't persist when Shorewall is stopped/started again unless they are explicitly saved. More persistent attacks from single IP addresses, subnets or ranges of IP addresses are added to /etc/shorewall/blrules for longer-term application.
While not as convenient as fail2ban or sshguard with their automation of blocking actions, Shorewall does provide an effective means of mitigating brute-force password cracking attacks - provided you are proactive in monitoring your service log files and take appropriate action to update Shorewall with the offending IP addresses.