Mailing List Archive

help blocking automated ssh scanning attack script
I've noticed over the last few months that ssh attack scanning scripts have
been proliferating. The scripts attack using a common set of usernames with
weak password combinations, and result in a long line of log entries like:

Nov  6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov  6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41

The common usernames are admin root webmaster data rolo guest test patrick
iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51
cip52 sybase oracle mysql master account server henry frank adam george
(included here for easier googling on the problem)

I use the excellent portsentry to detect and shut down IP's that do
traditional nmap-style portscans of my machines. This attack script isn't a
port scan, so it just shows up in my security log summaries every morning.

Can anyone help me out with a simple log scanning script that could detect the
'illegal user xxx' strings in /var/log/secure and issue the
"/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
addresses down.

The scan volume is up to about two a day on each of my servers, and I'd like
to get this crap out of my logs

Any assistance appreciated: I and many other people would thank anyone who
would whip up a script to block this stuff.

Regards,

- Brian

--
gentoo-security@gentoo.org mailing list
Re: help blocking automated ssh scanning attack script
Brian,

Is there a reason that you have to run ssh on the default port of 22?
I haven't run ssh on port 22 in years due to all the menacing kiddies
out there with their scripts.
I know this doesn't answer your question, but just a suggestion.

Gary


On Nov 7, 2004, at 6:10 AM, Brian G. Peterson wrote:

> Can anyone help me out with a simple log scanning script that could
> detect the
> 'illegal user xxx' strings in /var/log/secure and issue the
> "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut
> these
> addresses down.


Re: help blocking automated ssh scanning attack script
On Sunday 07 November 2004 07:16 am, Gary Nichols wrote:
> Brian,
>
> Is there a reason that you have to run ssh on the default port of 22?
> I haven't run ssh on port 22 in years due to all the menacing kiddies
> out there with their scripts.
> I know this doesn't answer your question, but just a suggestion.

Yes, I frequently travel to and work from client companies with very
restrictive outbound firewalls. Port 22 (and port 8080) are (usually) open
on those firewalls, so my servers listen for ssh connections on those ports.

ssh on my machines is also configured to only allow key-based authentication,
only certain users are allowed to ssh into my boxen remotely from external
IP's, etc..., so this script is *not* really a threat to me.

I just want to shut it down before it totally litters my logs, if possible,
and also perhaps help out people who don't have sshd as locked down as I do.

The Gentoo forum thread here:
http://forums.gentoo.org/viewtopic.php?t=210585
and here:
http://forums.gentoo.org/viewtopic.php?t=210585&postdays=0&postorder=asc&start=36
talks about using iptables to detect port scans, which is what I use
portsentry for. However, in most cases this script isn't doing a port scan,
just attacking on port 22.

> On Nov 7, 2004, at 6:10 AM, Brian G. Peterson wrote:
> > Can anyone help me out with a simple log scanning script that could
> > detect the
> > 'illegal user xxx' strings in /var/log/secure and issue the
> > "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut
> > these addresses down.

Regards,

- Brian

Re: help blocking automated ssh scanning attack script

Yes, this has been discussed in this mailing list some months ago. I
just don't think there's any reason to become paranoid unless you
administer a box with lots of "dumb users". Because "dumb users" usually
choose "dumb passwords", you'll probably have to educate them or force
them to use better passwords.

Myself, I just use strong passwords and a different ssh port just to
keep my logs clean.

Brian G. Peterson wrote:
| I've noticed over the last few months that ssh attack scanning scripts have
| been proliferating. The scripts attack using a common set of usernames with
| weak password combinations, and result in a long line of log entries like:
(...)
Re: help blocking automated ssh scanning attack script
On Sun, 7 Nov 2004 07:10:21 -0600
"Brian G. Peterson" <brian@braverock.com> wrote:

> Can anyone help me out with a simple log scanning script that could detect the
> 'illegal user xxx' strings in /var/log/secure and issue the
> "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
> addresses down.

you should put ssh on another port, if you are paranoid you can
use port knocking to remove the drop on sshd for your ip

on the port 22 you can put portsentry in stcp/sudp or simply
tcp/udp (consider also atcp and audp) and run the kill command
(eg: iptables drop) instead of editing hosts.deny (sshd implements its
own tcp wrapper and doesn't use tcpd and hosts files)

--
Francesco 'aScii' Ongaro
mail [ascii@ush.it] [ascii@katamail.com]
http [www.ush.it] [www.ush.it/team/ascii] [ascii.ush.it]
machines [asciinb.zapto.org] [asciistation.zapto.org]


Re: help blocking automated ssh scanning attack script
On Sun, Nov 07, 2004 at 02:50:42PM +0100, aScii wrote:
> On Sun, 7 Nov 2004 07:10:21 -0600
> "Brian G. Peterson" <brian@braverock.com> wrote:
>
> > Can anyone help me out with a simple log scanning script that could detect the
> > 'illegal user xxx' strings in /var/log/secure and issue the
> > "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
> > addresses down.
>

Why not use ssh-keys only (with passphrase min 30 chars long) and maybe block everything on port 22 except from a trusted host (Somewhere you trust and where they update their ssh)

my 2 cents

/Kim
RE: help blocking automated ssh scanning attack script
Brian,

Once you start using scripts to automate firewall rules you give the hackers control of your firewall. In the case of the ssh weak password exploit it's not quite as much of an issue since it requires a three-way handshake before the username is sent. But consider the following:

Black hat fires off an NMAP scan using your default gateway as a decoy ip, portsentry shuts down your default gateway and you have now DoS'ed yourself.

With your script, a carefully crafted two-pronged attack using a sniffing box and a "noise" box could do the same thing via a login attempt. (Think monkey-in-the-middle).

Unlikely? Maybe, maybe not. I'm sure that's what everyone who gets hacked or DoS'ed thinks before it happens. (I know I did.) Clean a couple machines off the server room floor and you start to think differently.

Personally, I would let that traffic continue to build up in the logs, and use it as ammo when trying to talk to management about the need for a better security budget.

Couldn't hurt.

Sjan Evardsson
Webmaster
Alaska Pacific University

BTW - If it is at all possible, block port 22 at your external firewall. Works great for us. If you need to connect from outside the firewall you can always VPN in first. A little more overhead, but worth it for the added layer of security.

Re: RE: help blocking automated ssh scanning attack script
Sjan Evardsson wrote:
> Brian,
>
> Once you start using scripts to write to automate firewall rules you
> give the hackers control of your firewall.

Yes, but is this necessarily a bad thing? I'm not convinced this is
necessarily problematic. It takes a reactive defense step, hopefully
mitigating damage before things get too far lost. The risks may well be
acceptable in some environments.

There's an awful lot of "intrusion prevention" or "active response IDS"
[and insert your favorite en-vogue terminology] out there in the market,
and people buy it. The real question is what are the goals, the
acceptable losses, and the actual assessment of what risks are involved.
What Brian's talking about is a host-based network "hostility"
detector with an active response.

I am currently testing some code that does this (and, no, it's not ready
for release or for production).. but the reason it's written is not to
solve the general problem. Rather, it's addressing a very limited
subset of problems, based entirely on what the defensive stance is and
needs to be to accomplish business goals.

THAT'S what you really need to take to your senior management... and
that's how you get funding. How do I know? Before I started my
company, I was the management that people were talking to for this kind
of thing for a very large entity. And, by the way, I raised more than
twice my salary in actual new funds while I was there, plus savings due
to security measures. Security is only there to protect business value,
mitigate risks, and ensure that any losses are actually acceptable to
the business.

-Bill
--
William Yang
wyang@gcfn.net

Re: RE: help blocking automated ssh scanning attack script
On Tue, 2004-11-09 at 15:43, William Yang wrote:
> There's an awful lot of "intrusion prevention" or "active response IDS"
> [and insert your favorite en-vogue terminology] out there in the market,
> and people buy it.

Yes. But the software you mentioned doesn't block your own hosts as a
simple shellscript would do. That's what the original poster wanted... a
more or less ``simple'' script to parse /var/log/secure and block the
IPs using iptables.

Regards,
Philipp Kern


Re: RE: help blocking automated ssh scanning attack script
Philipp Kern wrote:
> On Tue, 2004-11-09 at 15:43, William Yang wrote:
>
>>There's an awful lot of "intrusion prevention" or "active response IDS"
>>[and insert your favorite en-vogue terminology] out there in the market,
>>and people buy it.
>
>
> Yes. But the software you mentioned doesn't block your own hosts as a
> simple shellscript would do. That's what the original poster wanted... a
> more or less ``simple'' script to parse /var/log/secure and block the
> IPs using iptables.

Uhm... I suppose I read the request a little less literally. It seems
pretty clear -- at least to me -- that the original poster's idea is to
limit ssh port probing using the features of the kernel-level firewall.
"Simple" seems to be a somewhat relative term here. I take simple to
be "the smallest amount of logic needed to accomplish the goal with the
fewest adverse effects" rather than "the smallest amount of logic possible."

-Bill
--
William Yang
wyang@gcfn.net

Re: RE: help blocking automated ssh scanning attack script
On Tuesday 09 November 2004 02:52 pm, William Yang wrote:
> Philipp Kern wrote:
> > On Tue, 2004-11-09 at 15:43, William Yang wrote:
> >>There's an awful lot of "intrusion prevention" or "active response IDS"
> >>[and insert your favorite en-vogue terminology] out there in the market,
> >>and people buy it.
> >
> > Yes. But the software you mentioned doesn't block your own hosts as a
> > simple shellscript would do. That's what the original poster wanted... a
> > more or less ``simple'' script to parse /var/log/secure and block the
> > IPs using iptables.
>
> Uhm... I suppose I read the request a little less literally. It seems
> pretty clear -- at least to me -- that the original poster's idea is to
> limit ssh port probing using the features of the kernel-level firewall.
> "Simple" seems to be a somewhat relative term here. I take simple to
> be "the smallest amount of logic needed to accomplish the goal with the
> fewest adverse effects" rather than "the smallest amount of logic
> possible."

That would be correct. SSH and the iptables rules are already configured to
do some handling on spoofed packets, so the utility of this type of active
defense as a DoS attack is pretty limited. I suppose if I really wanted to
avoid possible DoS, I could add a rule chain before the INPUT chain that
explicitly allowed my IP's and sent all the packets past the INPUT chain to
the rule chain that defines more fine-grained access control. I just don't
see DoS as a real threat, since the packets need to handshake before the login
can progress anyway, which requires a real routable address, presumably
outside my network.

- Brian

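An added example, not posted by anyone in this thread, of the kind of script Brian asks for at the top of the thread, combined with the whitelist of his own addresses he describes in his last message as the guard against the self-DoS Sjan raises. It assumes the "Illegal user ... from" log format quoted in the first post; SAMPLE_LOG and WHITELIST are constructed stand-ins for /var/log/secure and the operator's own addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: turn sshd "Illegal user" lines into
# iptables DROP commands, skipping the operator's own addresses so a spoofed or
# decoy probe cannot make the script firewall off the gateway.

# Constructed sample standing in for /var/log/secure (format as quoted in the thread).
SAMPLE_LOG='Nov  6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov  6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41
Nov  7 01:12:09 ethos sshd[9102]: Illegal user admin from 211.185.202.3
Nov  7 02:30:44 ethos sshd[9330]: Illegal user guest from 192.168.1.1'

# Constructed whitelist: own gateway and trusted hosts, one per line. Never blocked.
WHITELIST='192.168.1.1
10.0.0.5'

# block_commands LOGTEXT [THRESHOLD]
# Prints one "iptables -I INPUT -s <ip> -j DROP" line per offending address seen
# at least THRESHOLD times (default 1) in LOGTEXT, deduplicated, whitelist excluded.
# It only prints; to apply:  block_commands "$(cat /var/log/secure)" 3 | sh
block_commands() {
    log="$1"
    threshold="${2:-1}"
    printf '%s\n' "$log" \
      | sed -n 's/.*sshd\[[0-9]*\]: I[a-z]* user [^ ]* from \([0-9.]*\)$/\1/p' \
      | sort | uniq -c \
      | while read -r count ip; do
            # "I[a-z]* user" matches both "Illegal user" and the newer
            # OpenSSH wording "Invalid user"
            [ "$count" -ge "$threshold" ] || continue
            # exact whole-line match against the whitelist
            printf '%s\n' "$WHITELIST" | grep -qxF "$ip" && continue
            printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$ip"
        done
}
```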