Mailing List Archive

[OT?] automatically firewalling off IPs
Hey all,

I'm looking for an app/script which can monitor for failed ssh logins,
and block using IPTables for $time after $number of failed logins (an
exclusion list would be handy as well) so that I can put a quick stop to
these niggly brute-force ssh "attacks" I seem to be getting more and
more often.

Anyone have any ideas?

Thanks, Jeremy B
--
gentoo-security@gentoo.org mailing list
Re: [OT?] automatically firewalling off IPs
On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.

http://kodu.neti.ee/~risto/sec/

or change ports

--
MaxieZ
maxiez@maxiez.com


When more and more people are thrown out of work, unemployment
results.
-- Calvin Coolidge
RE: [OT?] automatically firewalling off IPs
> Jeremy Brake wrote:
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.

These are the rules that I'm using.

# Track connections to SSH
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
    --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
    --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
    --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
    --rcheck --seconds 3600 --hitcount 20 -j DROP

-Tad

Re: [OT?] automatically firewalling off IPs
Have a look at the "recent" section of the iptables man page;
maybe you will find it useful.

On Mon, 2005-10-03 at 10:10 +1300, Jeremy Brake wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Re: [OT?] automatically firewalling off IPs
On Sunday 02 October 2005 23:10, Jeremy Brake wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

And what do you do if they spoof your gateway/router/nameserver's IP?
If you use key-based authentication, you shouldn't have to fear brute-force
attempts... and as the others wrote, changing the port may also help a bit.
RE: [OT?] automatically firewalling off IPs
Try DenyHosts http://denyhosts.sourceforge.net/faq.html

~Hassan

-----Original Message-----
From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz]
Sent: Sunday, October 02, 2005 2:10 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] [OT?] automatically firewalling off IPs

Hey all,

I'm looking for an app/script which can monitor for failed ssh logins,
and block using IPTables for $time after $number of failed logins (an
exclusion list would be handy as well) so that I can put a quick stop to
these niggly brute-force ssh "attacks" I seem to be getting more and
more often.

Anyone have any ideas?

Thanks, Jeremy B
Re: [OT?] automatically firewalling off IPs
> And what do you do if they spoof your gateway/router/nameserver's IP?
> If you use key-based authentication, you shouldn't have to fear brute-force
> attempts... and as the others wrote, changing the port may also help a bit.

You have exclusions for hosts you obviously don't want blocked.
Key-based auth is not viable for everyone.
Re: [OT?] automatically firewalling off IPs
You wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop
> to these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

It's a bad idea trying to automatically drop any $EVILATTEMPT IMHO,
because the worst case scenario would be excluding valid users from
dynIP-ascends / dialup users. One could even try to DoS you by faking
source IPs etc.

A better strategy would be

1.) disabling root-access in sshd-conf and defining valid users. (General
advice.)

2.) setting up a "bastion host" (preferably minimal installation, as
"naked" as "stripped down" could be). To minimize single point of failure
risks one could add / use some more hosts, preferably in different
subnets.

3.) giving that host/those hosts exclusive access to sshd via hosts.access
while denying everybody else via hosts.deny.

No automatisms, plain simple, predictable, while "intransparent" enough
for the $EVILGUYS.

--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de

Re: [OT?] automatically firewalling off IPs
I agree. I use an obscure port for ssh as well as only allow key-based
auth (PasswordAuthentication is disabled). I have not had any attempts
on my boxes.

On Sun, 2005-10-02 at 23:37 +0200, Hemmann, Volker Armin wrote:
> On Sunday 02 October 2005 23:10, Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop to
> > these niggly brute-force ssh "attacks" I seem to be getting more and
> > more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B
>
> And what do you do if they spoof your gateway/router/nameserver's IP?
> If you use key-based authentication, you shouldn't have to fear brute-force
> attempts... and as the others wrote, changing the port may also help a bit.

Re: [OT?] automatically firewalling off IPs
quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants
to ban. It doesn't support $time or $number of login attempts, because I
don't allow 'three strikes': one dumb move and you're banned. The length of the
ban lasts until the iptables rules are flushed and reloaded, which you can
either script, or do manually.

Anyway, I've commented the lines you need to change for your specific purpose,
and my script checks 3 logfiles where you will probably only need one, so
I've edited it as such. Hopefully you can edit this to your purpose, or else
it will just give you some ideas of where to start. This script does assume that
iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

# change this to your logfile
open(my $alog, '<', '/var/log/apache2/error_log')
    or die "cannot open logfile: $!";

my @arbl;
while (my $aline = <$alog>) {
    chomp($aline);
    if ($aline =~ m/URI too long/) {   # change 'URI too long' to the pattern
        my @aip = split / /, $aline;   # you want to match in your log
        next unless defined $aip[7];
        my $aip = $aip[7];             # <-- you may have to edit this
        $aip =~ s/[\]]//;              # line to match format of your
        push(@arbl, $aip);             # logs
    }
}
close($alog);

# just like unix uniq (sorted, duplicates removed)
my %seen = ();
my @arbls = grep { !$seen{$_}++ } sort @arbl;

# grab already banned ip addresses. Columns of `iptables -L banned -n` are
# "target prot opt source destination", so the source address is field 3.
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp($rule);
    if ($rule =~ m/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/) {
        $rule =~ s/\s+/ /g;
        my @fields = split / /, $rule;
        $banned{$fields[3]} = 1;
    }
}

foreach my $bl (@arbls) {
    # only ever hand a well-formed address to iptables: the token came out
    # of a log line whose contents the remote side controls.
    unless ($bl =~ m/^\d{1,3}(?:\.\d{1,3}){3}$/) {
        print "skipping unparsable address '$bl'\n";
        next;
    }
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
    }
    else {
        print "banning $bl\n";
        # list form of system(): no shell is involved, so nothing is interpolated
        system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP');
        $banned{$bl} = 1;
    }
}
######################

Now set this up as a cron task (I run every 15 minutes)
Hope this helps...
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
Re: [OT?] automatically firewalling off IPs
MaxieZ said:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> http://kodu.neti.ee/~risto/sec/
>
> or change ports

Changing ports does a wonderful job of cutting down on spurious connects.
Going one tiny step further, I like to know if anyone has ever connected
to my sshd. So I do the following:

1. Set loglevel for sshd to verbose
2. cron a connect report to run once an hour. This tells me the IP and
reverse IP address of every host to do a full connect. AFAIK, a full
connect would be necessary to see the banner and identify the port as
running sshd.

My connect-report script is as follows:
#!/bin/sh
echo "Remote SSH Connection report for $HOSTNAME"
echo "------------------------------------------"
echo
# the regex is quoted so the shell does not try to glob-expand the brackets
egrep "Connection from" < /var/log/auth.log | \
    egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' | sort | uniq | /root/bin/phost

The above script relies on phost; a small helper script (because I
couldn't stand to spend more than 5 minutes trying to figure out which IP
lookups would accept input from stdin):
#!/usr/bin/perl
use strict;
while (my $ip = <STDIN>) {
    chomp($ip);            # drop the newline before handing the address to host
    system('host', $ip);   # list form: the address never passes through a shell
}

I have never seen a connect from an IP I didn't expect, and if I ever do,
I can just move sshd to another port if I am feeling excessively paranoid.


Re: [OT?] automatically firewalling off IPs
Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
>
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
> FIN,ACK \
> --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> --dport 22 -m recent --name SSH --set
>
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
> "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -j DROP
>
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
> "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -j DROP

What about DoS because of these rules? Imagine somebody runs SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server...... In this case you will
never have a chance to log in to your server (and fix this issue)?!

--
WBR, Alex.
Re: [OT?] automatically firewalling off IPs
Alex Efros wrote:

>Hi!
>
>On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>
>
>>These are the rules that I'm using.
>>
>># Track connections to SSH
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
>>FIN,ACK \
>> --dport 22 -m recent --name SSH --set
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>> --dport 22 -m recent --name SSH --set
>>
>># Drop if connection rate exceeds 4/minute
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
>>"SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>># Drop if connection rate exceeds 20/hour
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
>>"SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 3600 --hitcount 20 -j DROP
>>
>>
>
>What about DoS because of these rules? Imagine somebody runs SSH
>connections to your host every 10 seconds while you don't have an
>already-opened SSH connection to the server...... In this case you will
>never have a chance to log in to your server (and fix this issue)?!
>
>
>

iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 --rttl --name SSH \
    -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
Re: [OT?] automatically firewalling off IPs
I don't know how applicable this is to this list, but lots of the SSH
hacks on my boxes come from China (cn) and Korea (kr). The bad news is
a lot of the ISPs are out of control over there and cannot manage their
networks. Attached are scripts I generate every night to block all
packets from those countries. Depending on your applications, you might
(or not) want to run these.

Brian Micek

On Sun, 2005-10-02 at 17:29 -0500, J Holder wrote:

> MaxieZ said:
> > On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> >> Hey all,
> >>
> >> I'm looking for an app/script which can monitor for failed ssh logins,
> >> and block using IPTables for $time after $number of failed logins (an
> >> exclusion list would be handy as well) so that I can put a quick stop to
> >> these niggly brute-force ssh "attacks" I seem to be getting more and
> >> more often.
> >
> > http://kodu.neti.ee/~risto/sec/
> >
> > or change ports
>
> Changing ports does a wonderful job of cutting down on spurious connects.
> Going one tiny step further, I like to know if anyone has ever connected
> to my sshd. So I do the following:
>
> 1. Set loglevel for sshd to verbose
> 2. cron a connect report to run once an hour. This tells me the IP and
> reverse IP address of every host to do a full connect. AFAIK, a full
> connect would be necessary to see the banner and identify the port as
> running sshd.
>
> My connect-report script is as follows:
> echo "Remote SSH Connection report for $HOSTNAME"
> echo "------------------------------------------"
> echo
> egrep "Connection from" < /var/log/auth.log | \
>     egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' | sort | uniq | /root/bin/phost
>
> The above script relies on phost; a small helper script (because I
> couldn't stand to spend more than 5 minutes trying to figure out which IP
> lookups would accept input from stdin):
> #!/usr/bin/perl
> while (<STDIN>) {
> $output = `host $_`;
> print $output;
> }
>
> I have never seen a connect from an IP I didn't expect, and if I ever do,
> I can just move sshd to another port if I am feeling excessively paranoid.
>
>
Re: [OT?] automatically firewalling off IPs
Jeremy Brake wrote:

>Hey all,
>
>I'm looking for an app/script which can monitor for failed ssh logins,
>and block using IPTables for $time after $number of failed logins (an
>exclusion list would be handy as well) so that I can put a quick stop to
>these niggly brute-force ssh "attacks" I seem to be getting more and
>more often.
>
>Anyone have any ideas?
>
>
Yep: emerge fail2ban (http://sourceforge.net/projects/fail2ban).
It's an excellent script written in python that can monitor all
unsuccessful logins (ssh, apache).
There's a fail2ban.conf file where you can define many options to
protect you from a DoS.

>Thanks, Jeremy B
>
>
Have a nice day.

--
Christophe Garault
Re: [OT?] automatically firewalling off IPs
I've been getting hit with similar brute force attacks...usually from Korea
or China......anyway, like the several options listed above, I think the less
fancy you secure your box the better....

Really, if you want to be able to log in from any number of remote clients
like me, the best thing to do is simply change your sshd port. I did that and
it solved the problem rather quickly with little disruption to myself....I
don't want to have a key with me...to log in with when I travel.

An option that I considered that nobody mentioned yet is leaving port 22
closed completely and then using port knocking to open up the port for 20
seconds or so on your IP (however long you need to log onto the system). The
port opens long enough for you to establish a connection and then closes
automatically to any new connections, but still allows established traffic
through. Clever idea and pretty simple to implement...just google for it...I
think there is a gentoo wiki howto on it as well.

Adios.

On 10/3/05, Christophe Garault <christophe@garault.org> wrote:
>
> Jeremy Brake wrote:
>
> >Hey all,
> >
> >I'm looking for an app/script which can monitor for failed ssh logins,
> >and block using IPTables for $time after $number of failed logins (an
> >exclusion list would be handy as well) so that I can put a quick stop to
> >these niggly brute-force ssh "attacks" I seem to be getting more and
> >more often.
> >
> >Anyone have any ideas?
> >
> >
> Yep: emerge fail2ban (http://sourceforge.net/projects/fail2ban).
> It's an excellent script written in python that can monitor all
> unsuccessful logins (ssh, apache).
> There's a fail2ban.conf file where you can define many options to
> protect you from a DoS.
>
> >Thanks, Jeremy B
> >
> >
> Have a nice day.
>
> --
> Christophe Garault
RE: [OT?] automatically firewalling off IPs
I don't have these problems...

There are two ways to do this:

1) Enable the "extensions" flag in the USE line in make.conf, enable the
GEOIP patch for iptables, and also recompile the kernel with the geoip
patch; then you can simply do this:

--------
iptables -A INPUT -p tcp -m geoip ! --src-cc US --dport 22 -j REJECT
--------
That way it will not allow any SSH connections to anyone outside your
country code.

2) Only allow SSH connections from the IPs you use. For example, we are on a
static IP address at our office, so I allow connections to my external servers
from that IP address, but when I am at home, I am on a dynamic IP. So I
allow access for the entire network that I'm connected to, like:

$IPTABLES -A INPUT -p TCP -s 165.146.0.0/16 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -s 165.146.0.0/16 --dport 22 -j ACCEPT

The rest of the traffic to port 22, I drop.

I find it a hell of a lot easier to allow only what I want to the server and
drop everything else, than to try and block every individual that tries to
connect to my ssh.


-----Original Message-----
From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz]
Sent: 02 October 2005 11:10 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] [OT?] automatically firewalling off IPs

Hey all,

I'm looking for an app/script which can monitor for failed ssh logins, and
block using IPTables for $time after $number of failed logins (an exclusion
list would be handy as well) so that I can put a quick stop to these niggly
brute-force ssh "attacks" I seem to be getting more and more often.

Anyone have any ideas?

Thanks, Jeremy B
Re: [OT?] automatically firewalling off IPs
This is not firewall specific, but it makes me sleep better at night :)

Add this to /etc/ssh/sshd_config
AllowUsers youruser anotheruser

Put all the users who should be able to ssh into your machine, and no
one but them can log in... :)
pam_tally might be good to take a look at, also.

Good luck

On 10/2/05, Jeremy Brake <gentoolists@lunatic.net.nz> wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Re: [OT?] automatically firewalling off IPs
MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>
>>Hey all,
>>
>>I'm looking for an app/script which can monitor for failed ssh logins,
>>and block using IPTables for $time after $number of failed logins (an
>>exclusion list would be handy as well) so that I can put a quick stop to
>>these niggly brute-force ssh "attacks" I seem to be getting more and
>>more often.
>
> http://kodu.neti.ee/~risto/sec/

Jeremy,
I agree with MaxieZ, a combination of SEC and Iptables work nicely in
this situation and could be extended to other services like FTP, IMAP,
Web authentication, etc. I personally do not feel that security through
obscurity by changing the port numbers is a viable solution. Here is
what I do:

First, I have SEC scanning my logs using the two rules from the attached
sec.rules file. The first rule looks for connections to the sshd port
that do not send an identification string. If it sees this message in
syslog, it then uses iptables to insert a rule to drop all packets from
the source address. The second rule looks for attempted logins using an
invalid user id. It then creates an iptables rule like the first one.
I added in a commented out action line for both of those rules which
creates a 24 hour context, which after 24 hours will delete the iptable
rule it created for that ip address.

Second, I have three normal iptables rules which rate limit the number
of connections to port 22. This is to defend against brute force
attacks on a valid account.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --update --seconds 600 --hitcount 2 \
    -j LOG --log-level 4 --log-prefix "iptables-drop: "
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --update --seconds 600 --hitcount 2 -j DROP
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
    -m recent --set

I highly recommend SEC for this type of log monitoring.

-dave
Re: [OT?] automatically firewalling off IPs
> Jeremy,
> I agree with MaxieZ, a combination of SEC and Iptables work nicely
> in this situation and could be extended to other services like FTP,
> IMAP, Web authentication, etc. I personally do not feel that
> security through obscurity by changing the port numbers is a viable
> solution.

Changing port numbers in this case is not for "security". It's just a simple
solution against automated ssh attacks. If the attack is made by a cracker
that really wants to attack a specific target, he will find the port.

Anyway, I change ports not for security purposes but only for stopping
automated attacks filling up my logs. ;)

Re: [OT?] automatically firewalling off IPs
There's a python script that I've been using effectively for a while
http://www.aczoom.com/cms/blockhosts/

It requires a little tweaking in the configuration file for Gentoo, but does
a good job of curbing abuse.

On 10/2/05, Jeremy Brake <gentoolists@lunatic.net.nz> wrote:
>
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B
Re: [OT?] automatically firewalling off IPs
>
>> Jeremy,
>> I agree with MaxieZ, a combination of SEC and Iptables work nicely
>> in this situation and could be extended to other services like FTP,
>> IMAP, Web authentication, etc. I personally do not feel that security
>> through obscurity by changing the port numbers is a viable solution.
>


A port knocker of some sort is a much more secure solution that will
allow you to block all unwanted IPs but still allow for dynamic
addresses. There are port knockers that listen on various ports and
work like a combination lock to open the port, and there are others that
use a more secure one time pad "magic packet" kind of authentication to
open the port for your IP. It is more work to setup, but it is more
secure than just changing the port. Remember a few years ago when ssh
had a remote exploit? You probably shouldn't leave that port open.
Re: [OT?] automatically firewalling off IPs
Thanks for all the great input guys.
There's a lot of reading to do before I can decide on the most suitable
option for me, but I'll get through it all.

While I'm getting my head around everything to implement a permanent
solution, what about this? (sorry, not great with iptables just yet..)
Leave sshd listening on port 22, but firewall off everything except my
trusted IPs (localhost, home, girlfriend, work subnet, internal subnet,
flatmate's server).
Add an IPTables rule to port forward $ambiguous_external_port through to
port 22 on localhost (or if it's safer, the 10.x.x.x IP assigned to the
machine), and log the instance.
My thinking is that this would make it harder for someone to find my
open ssh port, but leave me the convenience of not having to specify a
port when I connect from my regular connections, dozens of times a day.
Or is it just going to open up an IP spoofing exploit on port 22, and
achieve practically nothing?

Presumably this would eliminate the need for my original idea of
search-and-destroy on the brute force scripts, but I'll probably look at
implementing something along those lines when I get my ftpd going (I'm
using SCP for everything now, but there's a need to change that) and
will still look at using the idea for my permanent SSH solution.

I like the sound of SEC, the IPTables "recent" option, and port
knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not
sure how well the GEOIP patch would work, but I'll look into it
(otherwise I would have blacklisted all of Asia already).
I'm going to read through all the rules and scripts posted, once I've
researched the available tools, and I'll go from there.


Cheers
Jeremy B

Jeremy Brake wrote:

> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop
> to these niggly brute-force ssh "attacks" I seem to be getting more
> and more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B


Re: [OT?] automatically firewalling off IPs
Hi mate,

I attached a little script I'm using to do that in conjunction with shorewall.
To use it, configure shorewall to use the blacklist file on the related
interface. I have added 2 exceptions, for when failed logins are coming from
the 10.0.2.* and 192.168.2.* subnets. Search for these and adapt to your network.

Start it through cron every 2 minutes (which IMHO is enough) with this line
in the file /etc/cron.d/hosts_reject:
*/2 * * * * root /etc/shorewall/hosts_reject.sh

This script is not real-time; however, after some months of running, I have
only 1 attempt per month on average trying to probe my ssh logins, as it seems the
drone systems are blacklisted (having 153 IPs in my blacklist right now).
You'll require the logtail program to trim the logfiles ;)

BTW, the system will send you a mail report when a new IP has been found
probing your network.

Drawback: if you're logging in from outside and mistype your login name, the
system will most probably lock you out. Make sure you log in from a different
IP address.

Cheers

Joerg

On Tuesday 04 October 2005 01:26, Jeremy Brake wrote:
> Thanks for all the great input guys.
> There's a lot of reading to do before I can decide on the most suitable
> option for me, but I'll get through it all.
>
> While I'm getting my head around everything to implement a permanent
> solution, what about this? (sorry, not great with iptables just yet..)
> Leave sshd listening on port 22, but firewall off everything except my
> trusted IPs (localhost, home, girlfriend, work subnet, internal subnet,
> flatmate's server).
> Add an IPTables rule to port forward $ambiguous_external_port through to
> port 22 on localhost (or if it's safer, the 10.x.x.x IP assigned to the
> machine), and log the instance.
> My thinking is that this would make it harder for someone to find my
> open ssh port, but leave me the convenience of not having to specify a
> port when I connect from my regular connections, dozens of times a day.
> Or is it just going to open up an IP spoofing exploit on port 22, and
> achieve practically nothing?
>
> Presumably this would eliminate the need for my original idea of
> search-and-destroy on the brute force scripts, but I'll probably look at
> implementing something along those lines when I get my ftpd going (I'm
> using SCP for everything now, but there's a need to change that) and
> will still look at using the idea for my permanent SSH solution.
>
> I like the sound of SEC, the IPTables "recent" option, and port
> knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not
> sure how well the GEOIP patch would work, but I'll look into it
> (otherwise I would have blacklisted all of Asia already).
> I'm going to read through all the rules and scripts posted, once I've
> researched the available tools, and I'll go from there.
>
>
> Cheers
> Jeremy B
>
> Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop
> > to these niggly brute-force ssh "attacks" I seem to be getting more
> > and more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B

--
A witty saying proves nothing, but saying something pointless gets
people's attention.
------------------------------------------------------------------------
| Joerg Mertin : smurphy@solsys.org (Home)|
| in Forchheim/Germany : smurphy@linux.de (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
Re: [OT?] automatically firewalling off IPs
You know what would be seriously awesome is if they had a type of RBL
listing for this kind of thing, and you could just link your iptables up to
the RBL listings.

(for those of you who don't know how RBLs work)

Example, I see this in my auth.log:
-------------------------------------------
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
-------------------------------------------

I could then submit the IP address to an RBL listing site, and then all
people who plug in to the RBL listing could update their firewalls with the
latest listing.

Just an idea, I don't know how hard it would be to do?

Dave
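The threshold / time-window / exclusion-list logic Jeremy asked for in the first message, run over constructed log lines in the sshd syslog format Dave shows above. This is an added example, not code from anyone in the thread; the 'banned' chain name (borrowed from Darren's script), the year 2005 and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOG_YEAR = 2005  # syslog lines carry no year; this value is assumed for the demo
_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# "Invalid user" is the message shown in the thread; "Failed password for" is
# OpenSSH's message for a wrong password. The "Address ... maps to ... POSSIBLE
# BREAKIN ATTEMPT" line is only a reverse-DNS mismatch and is not counted.
FAILURE_PATTERNS = [
    re.compile(_PREFIX + r"Invalid user \S+ from (?P<ip>[\d.]+)"),
    re.compile(_PREFIX + r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
]

# Constructed sample log (RFC 5737 / RFC 1918 addresses), not from a real host.
SAMPLE_LOG = """\
Sep 28 03:20:42 cerberus sshd[20136]: Address 192.0.2.10 maps to scanner.example, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 192.0.2.10
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 192.0.2.10
Sep 28 03:21:02 cerberus sshd[20190]: Failed password for invalid user test from 192.0.2.10 port 40110 ssh2
Sep 28 03:25:00 cerberus sshd[20201]: Invalid user oracle from 192.0.2.20
Sep 28 03:40:00 cerberus sshd[20230]: Invalid user oracle from 192.0.2.20
Sep 28 03:55:00 cerberus sshd[20260]: Invalid user oracle from 192.0.2.20
Sep 28 04:01:10 cerberus sshd[20300]: Failed password for jeremy from 10.0.0.5 port 51000 ssh2
Sep 28 04:01:15 cerberus sshd[20301]: Failed password for jeremy from 10.0.0.5 port 51001 ssh2
Sep 28 04:01:20 cerberus sshd[20302]: Failed password for jeremy from 10.0.0.5 port 51002 ssh2
"""


def parse_failure(line):
    """Return (timestamp, source address) for a failed-login line, else None."""
    for pat in FAILURE_PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, ip_address(m.group("ip"))
    return None


class BruteForceDetector:
    """Ban a source after `threshold` failures inside a sliding window.

    `exclusions` is the exclusion list from the original question: addresses in
    those networks are never banned, so a run of typos from your own gateway or
    office (the lockout scenario raised in the thread) cannot shut you out.
    """

    def __init__(self, threshold=3, window_seconds=600, ban_seconds=3600,
                 exclusions=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.ban_time = timedelta(seconds=ban_seconds)
        self.exclusions = [ip_network(n) for n in exclusions]
        self._failures = defaultdict(deque)  # ip -> failure times inside window
        self.banned = {}                     # ip -> ban expiry

    def feed(self, line):
        """Consume one log line; return (ip, expiry) when a new ban is issued."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.banned or any(ip in net for net in self.exclusions):
            return None
        recent = self._failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # age out failures older than window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.banned[ip] = ts + self.ban_time
            recent.clear()
            return ip, self.banned[ip]
        return None

    def expire(self, now):
        """Forget and return the addresses whose ban has lapsed by `now`."""
        lapsed = [ip for ip, until in self.banned.items() if until <= now]
        for ip in lapsed:
            del self.banned[ip]
        return lapsed


def ban_command(ip):
    # Assumes a user-defined chain named 'banned', as in Darren's script above.
    return f"iptables -A banned -s {ip} -j DROP"


def scan(lines, detector):
    """Feed each line to the detector and collect the bans it issues."""
    return [ban for ban in map(detector.feed, lines) if ban]


def demo():
    """Run the detector over SAMPLE_LOG; results are returned as plain strings."""
    det = BruteForceDetector(threshold=3, window_seconds=600, ban_seconds=3600,
                             exclusions=["10.0.0.0/8", "127.0.0.0/8"])
    bans = scan(SAMPLE_LOG.splitlines(), det)
    early = det.expire(datetime(LOG_YEAR, 9, 28, 3, 30, 0))  # ban still active
    later = det.expire(datetime(LOG_YEAR, 9, 28, 4, 30, 0))  # ban has lapsed
    return {
        "bans": [(str(ip), str(until)) for ip, until in bans],
        "commands": [ban_command(ip) for ip, _ in bans],
        "expired_early": [str(ip) for ip in early],
        "expired_later": [str(ip) for ip in later],
    }
```

In the sample, 192.0.2.10 is banned on its third failure within ten minutes, 192.0.2.20 never is because its three failures are fifteen minutes apart, and 10.0.0.5 is spared by the exclusion list despite three failures.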
