From: Brian Micek <bmicek@speakeasy.net>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Sun, 02 Oct 2005 22:52:57 -0400 [thread overview]
Message-ID: <1128307977.13615.14.camel@localhost.localdomain> (raw)
In-Reply-To: <42608.192.168.107.31.1128292146.squirrel@simulakrum.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 2178 bytes --]
I don't know how applicable this is to this list, but lots of the SSH
hacks on my boxes come from China (cn) and Korea (kr). The bad news is
a lot of the ISP's are out of control over there and cannot manage their
networks. Attached are scripts I generate every night to block all
packets from those countries. Depending on your applications, you might
(or not) want to run these.
Brian Micek
On Sun, 2005-10-02 at 17:29 -0500, J Holder wrote:
> MaxieZ said:
> > On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> >> Hey all,
> >>
> >> I'm looking for an app/script which can monitor for failed ssh logins,
> >> and block using IPTables for $time after $number of failed logins (an
> >> exclusion list would be handy as well) so that I can put a quick stop to
> >> these niggly brute-force ssh "attacks" I seem to be getting more and
> >> more often.
> >
> > http://kodu.neti.ee/~risto/sec/
> >
> > or change ports
>
> Changing ports does a wonderful job of cutting down on spurious connects.
> Going one tiny step further, I like to know if anyone has ever connected
> to my sshd. So I do the following:
>
> 1. Set loglevel for sshd to verbose
> 2. cron a connect report to run once an hour. This tells me the IP and
> reverse IP address of every host to do a full connect. AFAIK, a full
> connect would be necessary to see the banner and identify the port as
> running sshd.
>
> My connect-report script is as follows:
> echo "Remote SSH Connection report for $HOSTNAME"
> echo "------------------------------------------"
> echo
> egrep "Connection from" < /var/log/auth.log | egrep -o
> [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ | sort | uniq | /root/bin/phost
>
> The above script relies on phost; a small helper script (because I
> couldn't stand to spend more than 5 minutes trying to figure out which IP
> lookups would accept input from stdin):
> #!/usr/bin/perl
> while (<STDIN>) {
> $output = `host $_`;
> print $output;
> }
>
> I have never seen a connect from an IP I didn't expect, and if I ever do,
> I can just move sshd to another port if I am feeling excessively paranoid.
>
>
[-- Attachment #1.1.2: Type: text/html, Size: 3630 bytes --]
[-- Attachment #1.2: block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35712 bytes --]
[-- Attachment #1.3: block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21195 bytes --]
[-- Attachment #1.4: undo-block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35686 bytes --]
[-- Attachment #1.5: undo-block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21169 bytes --]
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2011-10-31 3:55 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
2005-10-02 21:19 ` MaxieZ
2005-10-02 22:29 ` J Holder
2005-10-03 2:52 ` Brian Micek [this message]
2005-10-03 13:01 ` David vasil
2005-10-03 13:18 ` rpfc
2005-10-03 17:06 ` Kirk Hoganson
2005-10-04 16:25 ` boger
2005-10-04 17:16 ` Kirk Hoganson
2005-10-04 18:42 ` boger
2005-10-04 20:30 ` Kirk Hoganson
2005-10-04 20:42 ` boger
2005-10-04 19:45 ` [gentoo-security] Port knocking Tobias Sager
2005-10-04 20:20 ` boger
2005-10-02 21:24 ` [gentoo-security] [OT?] automatically firewalling off IPs Tad Glines
2005-10-02 22:53 ` Alex Efros
2005-10-02 23:02 ` Marc Risse
2005-10-06 1:40 ` Tad Glines
2005-10-06 8:13 ` Matan Peled
2005-10-06 9:15 ` William Kenworthy
2005-10-06 10:19 ` Matan Peled
2005-10-06 12:44 ` William Kenworthy
2005-10-06 21:02 ` Kirk Hoganson
2005-10-06 21:05 ` Brian Micek
2005-10-07 2:37 ` Tad Glines
2005-10-07 18:47 ` Eric Paynter
2005-10-08 13:40 ` RADDS Support Team
2005-10-02 21:33 ` DeadManMoving
2005-10-02 21:37 ` Hemmann, Volker Armin
2005-10-02 21:56 ` Alec Joseph Warner
2005-10-02 22:13 ` xyon
2005-10-02 21:53 ` Hassan El-Masri
2005-10-02 21:57 ` Andreas Waschbuesch
2005-10-02 22:20 ` darren kirby
2005-10-03 7:53 ` Christophe Garault
2005-10-03 8:29 ` Jerry Eastmanhouser
2005-10-03 10:58 ` Dave Strydom [i*]Group
2005-10-03 12:25 ` Oscar Carlsson
2005-10-03 13:29 ` Dan Shookowsky
2005-10-03 23:26 ` Jeremy Brake
2005-10-04 6:15 ` Joerg Mertin
2005-10-04 8:55 ` Dave Strydom
2005-10-04 14:45 ` Kyle Lutze
2005-10-04 14:49 ` Dave Strydom
2005-10-04 17:42 ` Kyle Lutze
2005-10-04 17:52 ` Neil Cherry
2005-10-05 16:46 ` Robert Larson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1128307977.13615.14.camel@localhost.localdomain \
--to=bmicek@speakeasy.net \
--cc=gentoo-security@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox