shell password exclude or prohibit list

lhj3559 (Guest)
Kind of an odd query, but I think it'd be useful:

I'd like to have an 'exclude' list of passwords for my users that set up shell accounts.

Similar to how 'passwd' prevents users from selecting dictionary words during regular shell usage, I'd like a list of prohibited words for when a user selects a password through the plesk interface.

Specifically, I'd like to ensure none of my users create shell accounts with passwords of 'none' or 'password' as this seems to be the most frequently used with brute force username ssh scanners that are hitting my box.

As a side note, I've read up a bit on port-rate-limiting (again, for me ssh/22) within iptables (e.g. max 3 tries per minute, then block connect). Any way to put such rules in place through the plesk interface (or for that matter any iptables rule)?

TIA
 
1. You can enable the Dictionary password check in Plesk -> Server -> Preferences. Weak passwords will no longer be accepted.
2. You cannot use advanced features in the Plesk firewall integration.
 
Thanks for the tips...
Guess the Dictionary will have to do, and maybe some mystical 'future release' will allow direct manipulation of iptables for those who can...
 
Hello,

You can very easily set up your own simple firewall script without having to use Plesk's interface. You must at least be able to connect via SSH and modify a text file with the vi (or pico) editor.

I use the following firewall script, entered at /etc/rc.d/init.d/rc.fw

Code:
#!/bin/sh
# chain policies
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
# /sbin/iptables -F -t mangle
/sbin/iptables -X

# create DUMP table: log, then reject (2>/dev/null hides the
# "chain already exists" error when the script is re-run)
/sbin/iptables -N DUMP 2> /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
# if you want to disable logs, comment out the above 2 lines

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP

# Stateful table
/sbin/iptables -N STATEFUL 2> /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW connections are only accepted on interfaces other than eth0
# ("! -i eth0" is the current negation syntax; the old "-i ! eth0" form is rejected by newer iptables)
/sbin/iptables -A STATEFUL -m state --state NEW ! -i eth0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP

# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming
# CAUTION: this bogon list reflects the IANA allocations of the time; most of
# the plain /8 entries below have since been allocated to RIRs, and blocking
# them now drops legitimate traffic. Keep only 0/8, 10/8, 127/8, 169.254/16,
# 172.16/12, 192.168/16 and 224/3 (multicast and reserved, which already
# covers 240/8) unless you have checked the rest against the current IANA
# IPv4 address space registry.
/sbin/iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 1.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 5.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 7.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 23.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 27.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 31.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 36.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 39.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 41.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 42.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 58.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 59.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 60.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 197.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/8 -j DUMP

# allow certain inbound ICMP types
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# opened ports
# (the udp rules for ports 20, 21 and 25 are harmless but unnecessary: FTP and SMTP are TCP only)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 113 -j ACCEPT
# 137:138 (NetBIOS) is rarely needed on a public interface; remove these two
# lines unless Samba really serves clients over eth0
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 137:138 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 --dport 137:138 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8443 -j ACCEPT

# added stuff

# wget ftp:// transfers (active-mode FTP data connections from remote servers)
# CAUTION: this trusts any packet whose source port is 20, which a remote host
# can choose freely; loading the ip_conntrack_ftp/nf_conntrack_ftp helper lets
# the RELATED rule in STATEFUL handle these connections instead.
/sbin/iptables -A INPUT -p tcp -i eth0 --sport 20 -j ACCEPT

# proftpd passive ports (must match the PassivePorts range in /etc/proftpd.conf)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 32750:33000 -j ACCEPT

# blocked viruses/worms
# MS SQL Server
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 1433 -j DROP

# allow me (not required) - /32 means this single host
# /sbin/iptables -A INPUT -i eth0 -s 1.2.3.4/32 -j ACCEPT

# remote MySQL from my other server
# /sbin/iptables -A INPUT -p tcp -i eth0 -s 1.2.3.4 --dport 3306 -j ACCEPT

# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL

# personal ban list
# DoS attack Jan 12 2004 - commented...
# (/32 = that one host; a /4 mask here would match 0.0.0.0/4, i.e. every
# address from 0.0.0.0 to 15.255.255.255)
# /sbin/iptables -A INPUT -i eth0 -s 12.34.56.78/32 -j DUMP

Set it up with these commands (without the #) from the shell:
Code:
# cd /etc/rc.d/init.d
# vi rc.fw
Press INSERT to go into input mode...
PASTE the file as displayed in this message...
Press ESC then type ":wq" (no quotes, WITH the colon) and hit ENTER to write and quit.
# chmod +x /etc/rc.d/init.d/rc.fw
add it to your server bootup:
# echo "/etc/rc.d/init.d/rc.fw" >> /etc/rc.d/rc.local

Note the lines in the fw script:
Code:
# proftpd passive ports
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 32750:33000 -j ACCEPT

You *must* modify /etc/proftpd.conf, possibly after every Plesk upgrade, to contain the following lines at the bottom:
Code:
# passiveports
PassivePorts 49152 65534
before
Code:
Include /etc/proftpd.include
Final looks like
Code:
....
# delay on login off
IdentLookups off
UseReverseDNS off

# passiveports
PassivePorts 49152 65534

Include /etc/proftpd.include

NOW you can apply whatever you like, such as rate limiting (I'm not an expert, sorry) to the port 22 (SSH) line of the firewall script:
Code:
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

Hope that helps!

Regards,

Dean Wiebe
ListMailPRO Developer
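A worked rate limit for that SSH line, added here as an example (not code from the original post): it uses the iptables recent match so that each source address may open at most three new SSH connections per minute, with excess attempts logged and dropped. The interface eth0 and port 22 are assumed from the script above.

```shell
#!/bin/sh
# Added example (not part of the original post): an SSH connection rate
# limit for the rc.fw script above, built with the iptables "recent" match.
# The three rules replace the single "--dport 22 -j ACCEPT" line and must
# stay before the final "-j STATEFUL" rule. Only NEW connections are
# counted, so established SSH sessions are never affected. Interface name
# and port are assumptions taken from the script; adjust as needed.
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
HITS="${HITS:-3}"       # new connections allowed per window, per source
WINDOW="${WINDOW:-60}"  # window length in seconds

# Print the rules rather than applying them, so they can be reviewed or
# pasted into rc.fw. Order matters: the check rules run first and see only
# the source's earlier connections, so with --hitcount $HITS the (HITS+1)th
# attempt inside the window is logged and dropped; "--update" refreshes
# the timestamp on each dropped attempt, so a host that keeps retrying stays
# blocked until it is quiet for a whole window. Accepted attempts are
# recorded by "--set" on the final ACCEPT rule.
ssh_ratelimit_rules() {
    base="/sbin/iptables -A INPUT -p tcp -i $IFACE --dport $SSH_PORT"
    new="-m state --state NEW -m recent --name SSH"
    lim="--seconds $WINDOW --hitcount $HITS"
    printf '%s %s --rcheck %s -m limit --limit 5/min -j LOG --log-prefix "SSH-RATELIMIT "\n' \
        "$base" "$new" "$lim"
    printf '%s %s --update %s -j DROP\n' "$base" "$new" "$lim"
    printf '%s %s --set -j ACCEPT\n' "$base" "$new"
}

# Number of rule lines produced (used as a sanity check).
ssh_ratelimit_count() {
    ssh_ratelimit_rules | wc -l | tr -d ' '
}

# Apply the rules in order (needs root and the xt_recent kernel module).
ssh_ratelimit_apply() {
    ssh_ratelimit_rules | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    ssh_ratelimit_apply
else
    ssh_ratelimit_rules
fi
```

Run it without arguments to print the rules, or as root with --apply to load them; the addresses currently tracked can be inspected in /proc/net/xt_recent/SSH.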
 