Mailing List Archive

I take it its a remote attack? If you must leave ssh open, use some
iptables rules to restrict the address space to only those machines that
need to access the port. If you have some inkling of where they might
be coming from, blackhole all in/out traffic to that address/range of
addresses.

BillK

On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
--
William Kenworthy <billk@iinet.net.au>
Home!

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

ericortego at gmail

Mar 31, 2005, 6:06 PM

Post #28 of 49 (8887 views)

phillipberry at blisswebhosting

one word knockd

"knockd is a port-knock server. It listens to all traffic on an
ethernet (or PPP) interface, looking for special "knock" sequences of
port-hits. A client makes these port-hits by sending a TCP (or UDP)
packet to a port on the server. This port need not be open -- since
knockd listens at the link-layer level, it sees all traffic even if
it's destined for a closed port. When the server detects a specific
sequence of port-hits, it runs a command defined in its configuration
file. This can be used to open up holes in a firewall for quick
access. "

its awesome

On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
> --
> Luis Diaz - Un obsesivo con proyectos! :oP
> --
> gentoo-security@gentoo.org mailing list
>
>
--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

Mar 31, 2005, 7:12 PM

Post #29 of 49 (8913 views)

I found a script online that i hacked to loop through my /var/log/auth.log and
add entries that try to login to invalid users to hosts.deny, it works very
well but it's pretty inefficient.

Its pasted to the bottom of this email.

This is my hosts.deny file after one month

ALL:218.232.120.92,62.193.232.172,63.246.154.78,211.157.108.19,
211.158.7.250,218.78.213.182,218.38.53.30,140.112.110.146,
218.188.2.175,210.127.244.207,218.75.119.120,165.194.84.133,
211.142.64.2,219.238.239.10,202.172.59.84,202.155.199.18,
218.104.128.213,220.95.232.60,62.193.226.4,61.129.33.252,
61.95.128.104,218.188.22.146,218.107.159.131,200.99.34.46,
219.150.171.48,203.122.231.16,221.143.48.240,61.79.228.100,
211.46.216.61,218.232.187.58,210.87.136.171,61.66.208.117,
210.114.175.122,62.193.235.47,61.31.49.130,203.232.151.249,
212.43.199.56,211.58.254.24,218.108.29.74,70.60.92.80,
67.103.15.70,203.63.40.254,221.186.133.106,210.179.155.18,
81.19.77.138,210.99.250.238,209.73.240.230,200.21.18.197,
220.95.215.148,211.115.112.90,220.130.105.9,209.25.160.46,
193.43.234.5,202.181.172.83,211.236.178.95,62.193.236.45,
206.225.82.8,221.239.127.151,218.145.226.85,210.103.67.65,
218.1.127.170,211.176.33.46,210.0.141.89,218.188.9.202,
200.225.159.88,203.236.241.148

#!/usr/bin/php
<?php
// Setup File names
$blacklist_file = '/etc/blacklist';
$secure_file = '/var/log/syslog';
$hosts_deny = '/etc/hosts.deny';

// Get files into an array
$blacklist = read_into_array($blacklist_file);
$secure = read_into_array($secure_file);

// Find 'Illegal' and parse IP from string
foreach($secure as $line){
if(strpos($line,'invalid user')){
$array = explode('from',$line);
$ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
if(!in_array($ip, $blacklist)){
$blacklist[] = $ip;
}
}
}

// When the blacklist file is read, we get a couple empty array elements
// We remove them here
foreach($blacklist as $arg){
if(strlen($arg >= 7)){ // 7 is minimum IP string length
$final_blacklist[] = $arg;
}
}

// Rewrite the blacklist file
$black = fopen($blacklist_file, 'w');
fwrite($black, implode("\n", $final_blacklist));
fclose($black);

//Rewrite the hosts.deny file
$deny = fopen($hosts_deny, 'w');
fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
fclose($deny);

// Reads a file into an array
// Had problems with file()
function read_into_array($file){
$resource = fopen($file, 'r');
$return = explode("\n",fread($resource,filesize($file)));
fclose($resource);
return $return;
}

?>

On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
> Another question under same topic.
>
> Is it possible to automatically add hosts that try to login as root to
> hosts.deny? If so, how? And also how would I get that to happen on
> everyone who fail to login after certain number of tries?
>
> Thanks.
>
>
> --
> gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list

RE: Protect SSH [ In reply to ]

dave at igroup

Mar 31, 2005, 10:05 PM

Post #30 of 49 (8896 views)

Why not do what we do with our servers?

If you are logging into your server from a fixed ip, then just only allow
access to port 22 from that ip address.
Else if you have a dynamic ip address then only allow access to ur network
range, for example: 165.165.40.0/24

Or create a "login server", For example, we have is 6 internet servers, but
they only allow access to port 22 from the ip address of the login server.
This forces people to first go through the login server, then have to login
to your server.

I find doing this, we never seem to have problems with login attempts from
strange ip addresses.

-Dave-
--------------------------------------------------------------------------
-----Original Message-----
From: Phillip Berry [mailto:phillipberry@blisswebhosting.com]
Sent: 01 April 2005 04:12 AM
To: gentoo-security@robin.gentoo.org
Subject: Re: [gentoo-security] Protect SSH

I found a script online that i hacked to loop through my /var/log/auth.log
and add entries that try to login to invalid users to hosts.deny, it works
very well but it's pretty inefficient.

Its pasted to the bottom of this email.

This is my hosts.deny file after one month

ALL:218.232.120.92,62.193.232.172,63.246.154.78,211.157.108.19,
211.158.7.250,218.78.213.182,218.38.53.30,140.112.110.146,
218.188.2.175,210.127.244.207,218.75.119.120,165.194.84.133,
211.142.64.2,219.238.239.10,202.172.59.84,202.155.199.18,
218.104.128.213,220.95.232.60,62.193.226.4,61.129.33.252,
61.95.128.104,218.188.22.146,218.107.159.131,200.99.34.46,
219.150.171.48,203.122.231.16,221.143.48.240,61.79.228.100,
211.46.216.61,218.232.187.58,210.87.136.171,61.66.208.117,
210.114.175.122,62.193.235.47,61.31.49.130,203.232.151.249,
212.43.199.56,211.58.254.24,218.108.29.74,70.60.92.80,
67.103.15.70,203.63.40.254,221.186.133.106,210.179.155.18,
81.19.77.138,210.99.250.238,209.73.240.230,200.21.18.197,
220.95.215.148,211.115.112.90,220.130.105.9,209.25.160.46,
193.43.234.5,202.181.172.83,211.236.178.95,62.193.236.45,
206.225.82.8,221.239.127.151,218.145.226.85,210.103.67.65,
218.1.127.170,211.176.33.46,210.0.141.89,218.188.9.202,
200.225.159.88,203.236.241.148

#!/usr/bin/php
<?php
// Setup File names
$blacklist_file = '/etc/blacklist';
$secure_file = '/var/log/syslog';
$hosts_deny = '/etc/hosts.deny';

// Get files into an array
$blacklist = read_into_array($blacklist_file);
$secure = read_into_array($secure_file);

// Find 'Illegal' and parse IP from string foreach($secure as $line){
if(strpos($line,'invalid user')){
$array = explode('from',$line);
$ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
if(!in_array($ip, $blacklist)){
$blacklist[] = $ip;
}
}
}

// When the blacklist file is read, we get a couple empty array elements //
We remove them here foreach($blacklist as $arg){
if(strlen($arg >= 7)){ // 7 is minimum IP string length
$final_blacklist[] = $arg;
}
}

// Rewrite the blacklist file
$black = fopen($blacklist_file, 'w');
fwrite($black, implode("\n", $final_blacklist)); fclose($black);

//Rewrite the hosts.deny file
$deny = fopen($hosts_deny, 'w');
fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
fclose($deny);

// Reads a file into an array
// Had problems with file()
function read_into_array($file){
$resource = fopen($file, 'r');
$return = explode("\n",fread($resource,filesize($file)));
fclose($resource);
return $return;
}

?>

On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
> Another question under same topic.
>
> Is it possible to automatically add hosts that try to login as root to
> hosts.deny? If so, how? And also how would I get that to happen on
> everyone who fail to login after certain number of tries?
>
> Thanks.
>
>
> --
> gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

krispykringle at gentoo

Mar 31, 2005, 10:12 PM

Post #31 of 49 (8884 views)

On Thu, Mar 31, 2005 at 08:14:47PM +0200, Milus J?nos wrote:
> 2005-03-31, cs keltez??ssel 13.32-kor Luis Diaz ezt ??rta:
> > Some one may have my root password using a keylogger, so even after
> > change the password from other place i would like to make REALLY
> > secure my ssh connection, i already thinked on changing the port from
> > 22 to something like 8080, but i would like to do something like a
> > "trigger" so if a connect to some port then sshd is started...any
> > ideas???
> >
>
> Use smartcard / USB token. If it is in your pocket, nobody can use your
> account. You can get one about 30 euros.

How does this work? If it's a smartcard, you need all machines you'll
log in from to have smartcard readers. USB obviates this, for sure, but
I'm curious how secure those devices are.

To securely integrate them with SSH, one would want to allow only public
key auth and store the secret key on the token, which would itself hash
the nonce and handle the authentication in-hardware without ever
exposing the key to the client computer. I'm skeptical that the
off-the-shelf hardware available on the cheap does this. Does it?

Speaking from curiosity and ignorance here.

--
Dan Margolis
Gentoo Security/Audit

Re: Protect SSH [ In reply to ]

johans at gnu

Mar 31, 2005, 11:44 PM

Post #32 of 49 (8881 views)

2005-04-01, p keltezÃ©ssel 00.12-kor Dan Margolis ezt Ãrta:
> >
> > Use smartcard / USB token. If it is in your pocket, nobody can use your
> > account. You can get one about 30 euros.
>
> How does this work? If it's a smartcard, you need all machines you'll
> log in from to have smartcard readers. USB obviates this, for sure, but
> I'm curious how secure those devices are.
>
> To securely integrate them with SSH, one would want to allow only public
> key auth and store the secret key on the token, which would itself hash
> the nonce and handle the authentication in-hardware without ever
> exposing the key to the client computer. I'm skeptical that the
> off-the-shelf hardware available on the cheap does this. Does it?
>
> Speaking from curiosity and ignorance here.

I have experience with Axalto Cryptoflex 32k e-gate product
( http://www.axalto.com/infosec/egate.asp ) but I think it works the
same way with every openct / opensc supported cards. As you can see in
the Axalto's on-line store, 5 pieces of this card with the token
connectors costs USD $110 + shipping. (The cards are sold in packs of
5).

- This is a real smartcard. When you personalise it the card generates
the RSA key-pair, and the secret key never leaves the card.

- On the server side you need to compile openssh with x509 and ldap
support. You can put your users public keys to an ldap directory
(openldap works well), and ssh can authenticate with it.

- On client side you need to compile ssh with smartcard support, and
need a running openct as well. You start an ssh connection like this:
ssh -I 0 x.x.x.x (-I 0 means use the first smartcard). Of course openct
asks your PIN code before connected. During the authentication the
secret key dosen't leave the card. (Anyway, there are no known methods
to read the secret key itself).

- If you enable agent forwarding, you can go through multiple ssh "hops"
with the smartcard in your desktop computer, so you don't need to add
any user to your authorized_keys. This is useful, when you don't trust
some of the middle hops' administrators. Of course, this is not a
smartcard feature but an ssh feature, and you can use this with the good
old public key authentication as well.

>
--
Ãœdv:
Jo-Hans

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

phil at philkern

Apr 1, 2005, 1:06 AM

Post #33 of 49 (8883 views)

billbalt at eyeofthequark

On 1 Apr 2005, at 08:44, Milus János wrote:
> - If you enable agent forwarding, you can go through multiple ssh
> "hops"
> with the smartcard in your desktop computer, so you don't need to add
> any user to your authorized_keys. This is useful, when you don't trust
> some of the middle hops' administrators. Of course, this is not a
> smartcard feature but an ssh feature, and you can use this with the
> good
> old public key authentication as well.

One question to agent forwarding: Could any of those harmful system
administrators abuse the agent pipe SSH opens on the machines I am
logged in when agent forwarding is enabled? Could the attacker gain any
access to other systems using my public key during the time I am logged
in?

Regards,
Philipp Kern

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 6:57 AM

Post #34 of 49 (8885 views)

martin.zwickel at technotrend

One more quick question.

How easy is it for someone to breakin using ssh?

I, too, am getting bombarded daily by ssh breakin attempts.

I have a very strong passphrase. No one seems to have been able to get
into my system. In fact, the attempts seem rather naive.

I have to log in from publicly available machines, i.e., classroom
machines or internet cafes, so setting up something to use
certificates seems out of the question.

Aside from someone gaining access through stealing my passphrase, are
there ways of exploiting ssh?

Bill Roberts

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 7:03 AM

Post #35 of 49 (8880 views)

martin.zwickel at technotrend

On Fri, 1 Apr 2005 08:57:03 -0500
Bill Roberts <billbalt@eyeofthequark.com> bubbled:

> One more quick question.
>
> How easy is it for someone to breakin using ssh?
>
> I, too, am getting bombarded daily by ssh breakin attempts.
>
> I have a very strong passphrase. No one seems to have been able to get
> into my system. In fact, the attempts seem rather naive.
>
> I have to log in from publicly available machines, i.e., classroom
> machines or internet cafes, so setting up something to use
> certificates seems out of the question.

Why don't you switch to a non default SSH port?

Regards,
Martin

--
MyExcuse:
User was distributing pornography on server; system seized by FBI.

Martin Zwickel <martin.zwickel@technotrend.de>
Research & Development

TechnoTrend AG <http://www.technotrend.de>

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 7:03 AM

Post #36 of 49 (8887 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 9:28 AM

Post #37 of 49 (8888 views)

Martin Zwickel wrote:
> Why don't you switch to a non default SSH port?

That is, again, "security through obscurity" as some like to call it.
But indeed for me it worked; no access attempts on my router (with
dynamic IPs), as I use a port that most likely won't even be scanned on
a normal portscan.

Greetings,
David
--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 9:28 AM

Post #38 of 49 (8885 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 9:28 AM

Post #39 of 49 (8879 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 9:28 AM

Post #40 of 49 (8883 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 10:07 AM

Post #41 of 49 (8883 views)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Roberts wrote:
> One more quick question.
>
> How easy is it for someone to breakin using ssh?
>
> I, too, am getting bombarded daily by ssh breakin attempts.
>
> I have a very strong passphrase. No one seems to have been able to get
> into my system. In fact, the attempts seem rather naive.
>
> I have to log in from publicly available machines, i.e., classroom
> machines or internet cafes, so setting up something to use
> certificates seems out of the question.
>
> Aside from someone gaining access through stealing my passphrase, are
> there ways of exploiting ssh?
>
> Bill Roberts

Use a strong passphrase of known good entropy, like using the
http://diceware.com/ technique. a 10 word diceware passphrase used only
from secure computers without keyloggers/trojans (to ensure that, just
boot a Knoppix CD, for example) is just as secure as anything, besides
no one can steal a key file and then get access... (not that key files
don't have their good uses). Since a remote attack on the root password
would involve too much time, even a 5 word diceware passphrase would be
sound enough.

The suggestion to use only a gateway machine is a good one, and the
suggestion to restrict the range of IP addresses allowed to connect is
another. If you want to do both, you can use a known squid proxy as your
"gateway" together with ProxyTunnel (emerge proxytunnel or
proxytunnel.sf.net) and allow connects only from the proxy host.

Best regards,

- ---Venkat.

- --
http://www.rayservers.com/
Computers. Installed Secure. OpenPGP. AES Encrypted HD. Colocation.
Tel:+1-607-546-7300 Fax:+1-607-546-7387 Skype: rayservers
PGP/GPG Key: https://www.rayservers.com/keys/0x12430522.asc
4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
Your Privacy and Security are our Business [TM]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCTX++WdkW/RJDBSIRAkiAAKDowHX7Tnrsn7UxQEWH3JOgH73qTACfdV3y
HlQMd7WQ53V2LY4QbqFCDCs=
=0wy1
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 10:07 AM

Post #42 of 49 (8889 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 10:07 AM

Post #43 of 49 (8880 views)

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 10:07 AM

Post #44 of 49 (8883 views)

Re: Protect SSH [ In reply to ]

toby at tjfisher

Apr 1, 2005, 12:31 PM

Post #45 of 49 (8880 views)

I assume you realise this leaves you open to problems if someone manages to
spoof your dns or localhost? I used to get portsentry to do similar things
and decided against it after a useful ip address was spoofed.

----- Original Message -----
From: "Phillip Berry" <phillipberry@blisswebhosting.com>
To: <gentoo-security@robin.gentoo.org>
Sent: Friday, April 01, 2005 3:12 AM
Subject: Re: [gentoo-security] Protect SSH

>I found a script online that i hacked to loop through my /var/log/auth.log
>and
> add entries that try to login to invalid users to hosts.deny, it works
> very
> well but it's pretty inefficient.
>
> Its pasted to the bottom of this email.
>
> This is my hosts.deny file after one month
>
> ALL:218.232.120.92,62.193.232.172,63.246.154.78,211.157.108.19,
> 211.158.7.250,218.78.213.182,218.38.53.30,140.112.110.146,
> 218.188.2.175,210.127.244.207,218.75.119.120,165.194.84.133,
> 211.142.64.2,219.238.239.10,202.172.59.84,202.155.199.18,
> 218.104.128.213,220.95.232.60,62.193.226.4,61.129.33.252,
> 61.95.128.104,218.188.22.146,218.107.159.131,200.99.34.46,
> 219.150.171.48,203.122.231.16,221.143.48.240,61.79.228.100,
> 211.46.216.61,218.232.187.58,210.87.136.171,61.66.208.117,
> 210.114.175.122,62.193.235.47,61.31.49.130,203.232.151.249,
> 212.43.199.56,211.58.254.24,218.108.29.74,70.60.92.80,
> 67.103.15.70,203.63.40.254,221.186.133.106,210.179.155.18,
> 81.19.77.138,210.99.250.238,209.73.240.230,200.21.18.197,
> 220.95.215.148,211.115.112.90,220.130.105.9,209.25.160.46,
> 193.43.234.5,202.181.172.83,211.236.178.95,62.193.236.45,
> 206.225.82.8,221.239.127.151,218.145.226.85,210.103.67.65,
> 218.1.127.170,211.176.33.46,210.0.141.89,218.188.9.202,
> 200.225.159.88,203.236.241.148
>
>
> #!/usr/bin/php
> <?php
> // Setup File names
> $blacklist_file = '/etc/blacklist';
> $secure_file = '/var/log/syslog';
> $hosts_deny = '/etc/hosts.deny';
>
> // Get files into an array
> $blacklist = read_into_array($blacklist_file);
> $secure = read_into_array($secure_file);
>
> // Find 'Illegal' and parse IP from string
> foreach($secure as $line){
> if(strpos($line,'invalid user')){
> $array = explode('from',$line);
> $ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
> if(!in_array($ip, $blacklist)){
> $blacklist[] = $ip;
> }
> }
> }
>
> // When the blacklist file is read, we get a couple empty array elements
> // We remove them here
> foreach($blacklist as $arg){
> if(strlen($arg >= 7)){ // 7 is minimum IP string length
> $final_blacklist[] = $arg;
> }
> }
>
> // Rewrite the blacklist file
> $black = fopen($blacklist_file, 'w');
> fwrite($black, implode("\n", $final_blacklist));
> fclose($black);
>
> //Rewrite the hosts.deny file
> $deny = fopen($hosts_deny, 'w');
> fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
> fclose($deny);
>
> // Reads a file into an array
> // Had problems with file()
> function read_into_array($file){
> $resource = fopen($file, 'r');
> $return = explode("\n",fread($resource,filesize($file)));
> fclose($resource);
> return $return;
> }
>
> ?>
>
>
>
>
> On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
>> Another question under same topic.
>>
>> Is it possible to automatically add hosts that try to login as root to
>> hosts.deny? If so, how? And also how would I get that to happen on
>> everyone who fail to login after certain number of tries?
>>
>> Thanks.
>>
>>
>> --
>> gentoo-security@gentoo.org mailing list
>
> --
> gentoo-security@gentoo.org mailing list
>

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

zvedzomx at yahoo

Apr 1, 2005, 2:34 PM

Post #46 of 49 (8882 views)

Why dont you use keys with passphrase, instead of password
authentication...just a suggestion

Cheers

Christian

Toby Fisher wrote:

> I assume you realise this leaves you open to problems if someone
> manages to spoof your dns or localhost? I used to get portsentry to
> do similar things and decided against it after a useful ip address was
> spoofed.
>
> ----- Original Message ----- From: "Phillip Berry"
> <phillipberry@blisswebhosting.com>
> To: <gentoo-security@robin.gentoo.org>
> Sent: Friday, April 01, 2005 3:12 AM
> Subject: Re: [gentoo-security] Protect SSH
>
>
>> I found a script online that i hacked to loop through my
>> /var/log/auth.log and
>> add entries that try to login to invalid users to hosts.deny, it
>> works very
>> well but it's pretty inefficient.
>>
>> Its pasted to the bottom of this email.
>>
>> This is my hosts.deny file after one month
>>
>> ALL:218.232.120.92,62.193.232.172,63.246.154.78,211.157.108.19,
>> 211.158.7.250,218.78.213.182,218.38.53.30,140.112.110.146,
>> 218.188.2.175,210.127.244.207,218.75.119.120,165.194.84.133,
>> 211.142.64.2,219.238.239.10,202.172.59.84,202.155.199.18,
>> 218.104.128.213,220.95.232.60,62.193.226.4,61.129.33.252,
>> 61.95.128.104,218.188.22.146,218.107.159.131,200.99.34.46,
>> 219.150.171.48,203.122.231.16,221.143.48.240,61.79.228.100,
>> 211.46.216.61,218.232.187.58,210.87.136.171,61.66.208.117,
>> 210.114.175.122,62.193.235.47,61.31.49.130,203.232.151.249,
>> 212.43.199.56,211.58.254.24,218.108.29.74,70.60.92.80,
>> 67.103.15.70,203.63.40.254,221.186.133.106,210.179.155.18,
>> 81.19.77.138,210.99.250.238,209.73.240.230,200.21.18.197,
>> 220.95.215.148,211.115.112.90,220.130.105.9,209.25.160.46,
>> 193.43.234.5,202.181.172.83,211.236.178.95,62.193.236.45,
>> 206.225.82.8,221.239.127.151,218.145.226.85,210.103.67.65,
>> 218.1.127.170,211.176.33.46,210.0.141.89,218.188.9.202,
>> 200.225.159.88,203.236.241.148
>>
>>
>> #!/usr/bin/php
>> <?php
>> // Setup File names
>> $blacklist_file = '/etc/blacklist';
>> $secure_file = '/var/log/syslog';
>> $hosts_deny = '/etc/hosts.deny';
>>
>> // Get files into an array
>> $blacklist = read_into_array($blacklist_file);
>> $secure = read_into_array($secure_file);
>>
>> // Find 'Illegal' and parse IP from string
>> foreach($secure as $line){
>> if(strpos($line,'invalid user')){
>> $array = explode('from',$line);
>> $ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
>> if(!in_array($ip, $blacklist)){
>> $blacklist[] = $ip;
>> }
>> }
>> }
>>
>> // When the blacklist file is read, we get a couple empty array elements
>> // We remove them here
>> foreach($blacklist as $arg){
>> if(strlen($arg >= 7)){ // 7 is minimum IP string length
>> $final_blacklist[] = $arg;
>> }
>> }
>>
>> // Rewrite the blacklist file
>> $black = fopen($blacklist_file, 'w');
>> fwrite($black, implode("\n", $final_blacklist));
>> fclose($black);
>>
>> //Rewrite the hosts.deny file
>> $deny = fopen($hosts_deny, 'w');
>> fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
>> fclose($deny);
>>
>> // Reads a file into an array
>> // Had problems with file()
>> function read_into_array($file){
>> $resource = fopen($file, 'r');
>> $return = explode("\n",fread($resource,filesize($file)));
>> fclose($resource);
>> return $return;
>> }
>>
>> ?>
>>
>>
>>
>>
>> On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
>>
>>> Another question under same topic.
>>>
>>> Is it possible to automatically add hosts that try to login as root to
>>> hosts.deny? If so, how? And also how would I get that to happen on
>>> everyone who fail to login after certain number of tries?
>>>
>>> Thanks.
>>>
>>>
>>> --
>>> gentoo-security@gentoo.org mailing list
>>
>>
>> --
>> gentoo-security@gentoo.org mailing list
>>
>
> --
> gentoo-security@gentoo.org mailing list
>
>

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

zvedzomx at yahoo

Apr 1, 2005, 2:34 PM

Post #47 of 49 (8886 views)

Re: Protect SSH [ In reply to ]

billk at iinet

Apr 1, 2005, 4:31 PM

Post #48 of 49 (8881 views)

phillipberry at blisswebhosting

All such dynamic techniques are vulnerable to DOS. However, being smart
about what you do minimises the chance of this happening and it is a
very useful technique.

In more general terms (not ssh specific), before you actually kill
traffic, test it against a set of criteria including IP's you do not
want dropped for any reason. Also hosts.deny is not the best place for
this (if someone attacks your ssh port, I would think they would also
look at a number of other ports which may be vulnerable via
misconfiguration, bug or the accidental running of an application): I
suspect not all applications respect hosts.deny, better to use a proper
iptables script and sit the dynamic stuff on top.

BillK

On Fri, 2005-04-01 at 20:31 +0100, Toby Fisher wrote:
> I assume you realise this leaves you open to problems if someone manages to
> spoof your dns or localhost? I used to get portsentry to do similar things
> and decided against it after a useful ip address was spoofed.
>
> ----- Original Message -----
> From: "Phillip Berry" <phillipberry@blisswebhosting.com>
> To: <gentoo-security@robin.gentoo.org>
> Sent: Friday, April 01, 2005 3:12 AM
> Subject: Re: [gentoo-security] Protect SSH

>
--
William Kenworthy <billk@iinet.net.au>
Home!

--
gentoo-security@gentoo.org mailing list

Re: Protect SSH [ In reply to ]

Apr 1, 2005, 9:04 PM

Post #49 of 49 (8891 views)