public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] [OT?] automatically firewalling off IPs
@ 2005-10-02 21:10 Jeremy Brake
  2005-10-02 21:19 ` MaxieZ
                   ` (11 more replies)
  0 siblings, 12 replies; 47+ messages in thread
From: Jeremy Brake @ 2005-10-02 21:10 UTC (permalink / raw
  To: gentoo-security

Hey all,

I'm looking for an app/script which can monitor for failed ssh logins, 
and block using IPTables for $time after $number of failed logins (an 
exclusion list would be handy as well) so that I can put a quick stop to 
these niggly brute-force ssh "attacks" I seem to be getting more and 
more often.

Anyone have any ideas?

Thanks, Jeremy B
-- 
gentoo-security@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 47+ messages in thread

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: MaxieZ @ 2005-10-02 21:19 UTC (permalink / raw
  To: gentoo-security


On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> Hey all,
> 
> I'm looking for an app/script which can monitor for failed ssh logins, 
> and block using IPTables for $time after $number of failed logins (an 
> exclusion list would be handy as well) so that I can put a quick stop to 
> these niggly brute-force ssh "attacks" I seem to be getting more and 
> more often.

http://kodu.neti.ee/~risto/sec/

or change ports

-- 
MaxieZ
maxiez@maxiez.com


When more and more people are thrown out of work, unemployment
results.
		-- Calvin Coolidge


* RE: [gentoo-security] [OT?] automatically firewalling off IPs
From: Tad Glines @ 2005-10-02 21:24 UTC (permalink / raw
  To: gentoo-security

> Jeremy Brake wrote:
> 
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.

These are the rules that I'm using.

# Track connections to SSH
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP

-Tad


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: DeadManMoving @ 2005-10-02 21:33 UTC (permalink / raw
  To: gentoo-security

Have a look at the "recent" section of the iptables man page;
maybe you will find it useful.

On Mon, 2005-10-03 at 10:10 +1300, Jeremy Brake wrote:
> Hey all,
> 
> I'm looking for an app/script which can monitor for failed ssh logins, 
> and block using IPTables for $time after $number of failed logins (an 
> exclusion list would be handy as well) so that I can put a quick stop to 
> these niggly brute-force ssh "attacks" I seem to be getting more and 
> more often.
> 
> Anyone have any ideas?
> 
> Thanks, Jeremy B


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Hemmann, Volker Armin @ 2005-10-02 21:37 UTC (permalink / raw
  To: gentoo-security

On Sunday 02 October 2005 23:10, Jeremy Brake wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

And what do you do if they spoof your gateway/router/nameserver's IP?
If you use key-based authentication, you shouldn't have to fear brute-force 
attempts... and as the others wrote, changing the port may also help a bit.

* RE: [gentoo-security] [OT?] automatically firewalling off IPs
From: Hassan El-Masri @ 2005-10-02 21:53 UTC (permalink / raw
  To: gentoo-security



	Try DenyHosts http://denyhosts.sourceforge.net/faq.html

~Hassan

-----Original Message-----
From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz] 
Sent: Sunday, October 02, 2005 2:10 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] [OT?] automatically firewalling off IPs

Hey all,

I'm looking for an app/script which can monitor for failed ssh logins, 
and block using IPTables for $time after $number of failed logins (an 
exclusion list would be handy as well) so that I can put a quick stop to 
these niggly brute-force ssh "attacks" I seem to be getting more and 
more often.

Anyone have any ideas?

Thanks, Jeremy B

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Alec Joseph Warner @ 2005-10-02 21:56 UTC (permalink / raw
  To: gentoo-security


> And what do you do if they spoof your gateway/router/nameserver's IP?
> If you use key-based authentication, you shouldn't have to fear brute-force 
> attempts... and as the others wrote, changing the port may also help a bit.

You have exclusions for hosts you obviously don't want blocked. 
Key-based auth is not viable for everyone.

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Andreas Waschbuesch @ 2005-10-02 21:57 UTC (permalink / raw
  To: gentoo-security

You wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop
> to these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

It's a bad idea trying to automatically drop any $EVILATTEMPT, imho, 
because the worst-case scenario would be excluding valid users coming 
from dynamic-IP / dialup connections. One could even try to DoS you by 
faking source IPs etc.

A better strategy would be

1.) disabling root access in sshd_config and defining valid users. (General 
advice.)

2.) setting up a "bastion host" (preferably a minimal installation, as 
"naked" and "stripped down" as it can be). To minimize single-point-of-failure 
risks one could add / use some more hosts, preferably in different 
subnets.

3.) giving that host/those hosts exclusive access to sshd via hosts.access 
while denying everybody else via hosts.deny.

No automatisms, plain simple, predictable, while "intransparent" enough 
for the $EVILGUYS.

-- 
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: xyon @ 2005-10-02 22:13 UTC (permalink / raw
  To: gentoo-security

I agree. I use an obscure port for ssh as well as only allowing key-based
auth (PasswordAuthentication is disabled). I have not had any attempts
on my boxes.

On Sun, 2005-10-02 at 23:37 +0200, Hemmann, Volker Armin wrote:
> On Sunday 02 October 2005 23:10, Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop to
> > these niggly brute-force ssh "attacks" I seem to be getting more and
> > more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B
> 
> And what do you do if they spoof your gateway/router/nameserver's IP?
> If you use key-based authentication, you shouldn't have to fear brute-force 
> attempts... and as the others wrote, changing the port may also help a bit.


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: darren kirby @ 2005-10-02 22:20 UTC (permalink / raw
  To: gentoo-security


quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants 
to ban. It doesn't support $time or $number of login attempts, because I 
don't allow 'three strikes': one dumb move and you're banned. The ban lasts 
until the iptables rules are flushed and reloaded, which you can either 
script or do manually.

Anyway, I've commented the lines you need to change for your specific purpose, 
and my script checks 3 logfiles where you will probably only need one, so 
I've edited it as such. Hopefully you can edit this to your purpose, or else 
it will at least give you some ideas of where to start. This script does 
assume that iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

# change this to your logfile
open my $alog, '<', '/var/log/apache2/error_log' or die "cannot open log: $!";

my @arbl;
while (my $aline = <$alog>) {
    chomp $aline;
    if ($aline =~ m/URI too long/) {    # change 'URI too long' to the pattern
        my @f = split / /, $aline;      # you want to match in your log
        my $aip = defined $f[7] ? $f[7] : '';   # <-- you may have to edit this
        $aip =~ s/[\]]//;               #     line to match the format of your logs
        # only a dotted quad may reach the iptables command line
        push @arbl, $aip if $aip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    }
}
close $alog;

# just like unix uniq
my %seen;
my @arbls = grep { !$seen{$_}++ } @arbl;
@arbls = sort @arbls;

# grab already banned ip addresses from the 'banned' chain
# (columns of 'iptables -L -n': target prot opt source destination)
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp $rule;
    next unless $rule =~ m/\d{1,3}(?:\.\d{1,3}){3}/;
    $rule =~ s/\s+/ /g;
    my @col = split / /, $rule;
    $banned{$col[3]} = 1;
}

foreach my $bl (@arbls) {
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
        next;
    }
    print "banning $bl\n";
    # list form of system(): no shell involved, so nothing pulled out of
    # the log can be turned into extra shell syntax
    system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP') == 0
        or warn "iptables failed for $bl\n";
}
######################

Now set this up as a cron task (I run every 15 minutes)
Hope this helps...
-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: J Holder @ 2005-10-02 22:29 UTC (permalink / raw
  To: gentoo-security

MaxieZ said:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> http://kodu.neti.ee/~risto/sec/
>
> or change ports

Changing ports does a wonderful job of cutting down on spurious connects. 
Going one tiny step further, I like to know if anyone has ever connected
to my sshd.  So I do the following:

1. Set loglevel for sshd to verbose
2. cron a connect report to run once an hour.  This tells me the IP and
reverse IP address of every host to do a full connect.  AFAIK, a full
connect would be necessary to see the banner and identify the port as
running sshd.

My connect-report script is as follows:
#!/bin/bash
echo "Remote SSH Connection report for $HOSTNAME"
echo "------------------------------------------"
echo
# sshd logs "Connection from <ip> port <n>" at LogLevel VERBOSE
egrep "Connection from" < /var/log/auth.log \
    | egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' | sort | uniq | /root/bin/phost

The above script relies on phost; a small helper script (because I
couldn't stand to spend more than 5 minutes trying to figure out which IP
lookups would accept input from stdin):
#!/usr/bin/perl
use strict;
while (my $ip = <STDIN>) {
    chomp $ip;                        # strip the newline before it reaches the shell
    next unless $ip =~ /^[\d.]+$/;    # only dotted quads are piped in, but check anyway
    print `host $ip`;
}

I have never seen a connect from an IP I didn't expect, and if I ever do,
I can just move sshd to another port if I am feeling excessively paranoid.



* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Alex Efros @ 2005-10-02 22:53 UTC (permalink / raw
  To: gentoo-security

Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
> 
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
> FIN,ACK \
>    --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>    --dport 22 -m recent --name SSH --set
> 
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
> "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 60 --hitcount 4 -j DROP
> 
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
> "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 3600 --hitcount 20 -j DROP

What about DoS because of these rules? Imagine somebody runs SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server...... In this case you will
never have a chance to log in to your server (and fix this issue)?!

-- 
			WBR, Alex.

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Marc Risse @ 2005-10-02 23:02 UTC (permalink / raw
  To: gentoo-security


Alex Efros schrieb:

>Hi!
>
>On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>  
>
>>These are the rules that I'm using.
>>
>># Track connections to SSH
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
>>FIN,ACK \
>>   --dport 22 -m recent --name SSH --set
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>>   --dport 22 -m recent --name SSH --set
>>
>># Drop if connection rate exceeds 4/minute
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
>>"SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>   --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>># Drop if connection rate exceeds 20/hour
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
>>"SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>   --rcheck --seconds 3600 --hitcount 20 -j DROP
>>    
>>
>
>What about DoS because of these rules? Imagine somebody runs SSH
>connections to your host every 10 seconds while you don't have an
>already-opened SSH connection to the server...... In this case you will
>never have a chance to log in to your server (and fix this issue)?!

iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc




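To make the behaviour of these rules concrete, here is an added model (written for this page; not code from Marc, Tad or the kernel) of what the iptables `recent` match does with a sequence of new connections to port 22, replaying the chain above. It assumes the kernel default of 20 remembered stamps per address and the xt_recent behaviour that a `--update` rule adds a stamp only when it matches; `--rttl` is left out, and `--rcheck` is included so Tad's variant can be tried with the same table. The constructed traffic covers the spoofing concern raised earlier in the thread: a rule keyed on NEW (SYN) packets needs no handshake, so a handful of SYNs with a forged source address lock that address out, which is exactly what the SSH_WHITELIST chain exists to exempt. All addresses are documentation ranges chosen for the example.

```python
import ipaddress
from collections import deque

IP_PKT_LIST_TOT = 20   # kernel default for xt_recent: stamps remembered per address


class RecentTable:
    """One '--name' table of the iptables 'recent' match: per source address,
    a ring of timestamps of the packets that hit a --set rule or a matching
    --update rule.  --rttl is not modelled."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.stamps = {}                       # src -> deque of timestamps (seconds)
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: create the entry, or add one more stamp to it."""
        self.stamps.setdefault(src, deque(maxlen=self.max_stamps)).append(now)

    def hits(self, src, now, seconds):
        """Stamps for src that are no older than `seconds`."""
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck: true if the address has >= hitcount stamps inside the
        window.  Never writes to the table (Tad's rules use this form)."""
        return self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: like --rcheck, but a *matching* packet also adds a stamp,
        so an address that keeps tripping the rule keeps its block alive."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.set(src, now)
        return matched

    def remove(self, src):
        """--remove: forget the address."""
        self.stamps.pop(src, None)


def whitelisted(src, whitelist):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in whitelist)


def replay(events, whitelist, seconds=60, hitcount=4):
    """Walk (time, src) NEW connections to port 22 through the chain posted
    above; return (time, src, verdict) for each packet."""
    table = RecentTable()
    verdicts = []
    for now, src in sorted(events):
        table.set(src, now)                        # -m recent --set --name SSH
        if whitelisted(src, whitelist):            # -j SSH_WHITELIST: --remove, ACCEPT
            table.remove(src)
            verdicts.append((now, src, "ACCEPT"))
            continue
        # LOG rule, then DROP rule, both "--update --seconds 60 --hitcount 4"
        if table.update(src, now, seconds, hitcount):
            table.update(src, now, seconds, hitcount)
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))  # falls through to later INPUT rules
    return verdicts


def verdicts_for(verdicts, src):
    return [v for _, s, v in verdicts if s == src]


def scenario():
    """Constructed traffic: a brute forcer, an admin on a whitelisted net, and
    spoofed SYNs carrying the address of an admin who is *not* whitelisted."""
    whitelist = [ipaddress.ip_network("10.0.0.0/8")]
    events = []
    events += [(t, "198.51.100.9") for t in range(0, 120, 10)]   # attacker: a SYN every 10 s
    events += [(t, "10.1.2.3") for t in range(0, 60, 10)]        # admin, whitelisted
    events += [(t, "192.0.2.5") for t in (0, 1, 2, 3)]           # four spoofed SYNs
    events += [(30, "192.0.2.5"), (100, "192.0.2.5")]            # the real admin at that address
    return replay(events, whitelist)


if __name__ == "__main__":
    for now, src, verdict in scenario():
        print(f"t={now:3d}s {src:15s} {verdict}")
```

The attacker is accepted three times and dropped from the fourth SYN on, and stays dropped as long as it keeps knocking inside the 60-second window. The whitelisted admin is never counted. The non-whitelisted admin is locked out by four forged SYNs and stays locked out when logging in 30 seconds later; only after a full quiet window does the address work again.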

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Brian Micek @ 2005-10-03  2:52 UTC (permalink / raw
  To: gentoo-security



I don't know how applicable this is to this list, but lots of the SSH
hacks on my boxes come from China (cn) and Korea (kr).  The bad news is
a lot of the ISPs are out of control over there and cannot manage their
networks.  Attached are scripts I generate every night to block all
packets from those countries.  Depending on your applications, you might
(or might not) want to run these.

Brian Micek

On Sun, 2005-10-02 at 17:29 -0500, J Holder wrote:

> MaxieZ said:
> > On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> >> Hey all,
> >>
> >> I'm looking for an app/script which can monitor for failed ssh logins,
> >> and block using IPTables for $time after $number of failed logins (an
> >> exclusion list would be handy as well) so that I can put a quick stop to
> >> these niggly brute-force ssh "attacks" I seem to be getting more and
> >> more often.
> >
> > http://kodu.neti.ee/~risto/sec/
> >
> > or change ports
> 
> Changing ports does a wonderful job of cutting down on spurious connects. 
> Going one tiny step further, I like to know if anyone has ever connected
> to my sshd.  So I do the following:
> 
> 1. Set loglevel for sshd to verbose
> 2. cron a connect report to run once an hour.  This tells me the IP and
> reverse IP address of every host to do a full connect.  AFAIK, a full
> connect would be necessary to see the banner and identify the port as
> running sshd.
> 
> My connect-report script is as follows:
> echo "Remote SSH Connection report for $HOSTNAME"
> echo "------------------------------------------"
> echo
> egrep "Connection from" < /var/log/auth.log | egrep -o
> [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ | sort | uniq | /root/bin/phost
> 
> The above script relies on phost; a small helper script (because I
> couldn't stand to spend more than 5 minutes trying to figure out which IP
> lookups would accept input from stdin):
> #!/usr/bin/perl
> while (<STDIN>) {
>   $output = `host $_`;
>     print $output;
> }
> 
> I have never seen a connect from an IP I didn't expect, and if I ever do,
> I can just move sshd to another port if I am feeling excessively paranoid.
> 
> 


[-- Attachment #1.2: block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35712 bytes --]

[-- Attachment #1.3: block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21195 bytes --]

[-- Attachment #1.4: undo-block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35686 bytes --]

[-- Attachment #1.5: undo-block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21169 bytes --]


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Christophe Garault @ 2005-10-03  7:53 UTC (permalink / raw
  To: gentoo-security

Jeremy Brake a écrit :

>Hey all,
>
>I'm looking for an app/script which can monitor for failed ssh logins, 
>and block using IPTables for $time after $number of failed logins (an 
>exclusion list would be handy as well) so that I can put a quick stop to 
>these niggly brute-force ssh "attacks" I seem to be getting more and 
>more often.
>
>Anyone have any ideas?
>  
>
Yep: emerge fail2ban (http://sourceforge.net/projects/fail2ban).
It's an excellent script written in python that can monitor all 
unsuccessful logins (ssh, apache).
There's a fail2ban.conf file where you can define many options to 
protect you from a DoS.

>Thanks, Jeremy B
>  
>
Have a nice day.

-- 
Christophe Garault

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Jerry Eastmanhouser @ 2005-10-03  8:29 UTC (permalink / raw
  To: gentoo-security


I've been getting hit with similar brute force attacks... usually from Korea
or China... anyway, like the several options listed above, I think the less
fancy you secure your box the better. Really, if you want to be able to log in
from any number of remote clients like me, the best thing to do is simply
change your sshd port. I did that and it solved the problem rather quickly with
little disruption to myself... I don't want to have a key with me to log in
with when I travel.
An option that I considered that nobody mentioned yet is leaving port 22
closed completely and then using port knocking to open up the port for 20
seconds or so on your IP (however long you need to log onto the system). The
port opens long enough for you to establish a connection and then closes
automatically to any new connections, but still allows established traffic
through. Clever idea and pretty simple to implement... just google for it...
I think there is a gentoo wiki howto on it as well.

Adios.

On 10/3/05, Christophe Garault <christophe@garault.org> wrote:
>
> Jeremy Brake a écrit :
>
> >Hey all,
> >
> >I'm looking for an app/script which can monitor for failed ssh logins,
> >and block using IPTables for $time after $number of failed logins (an
> >exclusion list would be handy as well) so that I can put a quick stop to
> >these niggly brute-force ssh "attacks" I seem to be getting more and
> >more often.
> >
> >Anyone have any ideas?
> >
> >
> Yep: emerge fail2ban (http://sourceforge.net/projects/fail2ban).
> It's an excellent script written in python that can monitor all
> unsuccessful logins (ssh, apache).
> There's a fail2ban.conf file where you can define many options to
> protect you from a DoS.
>
> >Thanks, Jeremy B
> >
> >
> Have a nice day.
>
> --
> Christophe Garault
> --
> gentoo-security@gentoo.org mailing list
>
>

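As an added illustration of the port-knocking scheme described above (written for this page; not code from the thread or from any existing knock daemon): a small state machine that watches SYNs for a secret sequence of ports per source address and, on a complete sequence, opens port 22 to that address for 20 seconds by inserting an ACCEPT rule for NEW connections that it deletes again when the window closes, so an established session survives the close. The knock ports, the 10-second limit between consecutive knocks and the shape of the iptables rule are assumptions for the example; a real daemon would execute the commands instead of collecting them, and the constructed SYN trace includes the failure cases (knocking cold, wrong order, too slow, coming back after the window).

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence
KNOCK_TIMEOUT = 10                    # assumed: max seconds between two knocks
OPEN_FOR = 20                         # "open up the port for 20 seconds or so"
SSH_PORT = 22


def ssh_rule(verb, src):
    """The rule the daemon would insert (-I) and later delete (-D) for src.
    Only NEW connections are matched, so sessions set up inside the window
    keep flowing after it closes."""
    return ["iptables", verb, "INPUT", "-s", src, "-p", "tcp", "--dport", str(SSH_PORT),
            "-m", "state", "--state", "NEW", "-j", "ACCEPT"]


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, open_for=OPEN_FOR):
        self.sequence = sequence
        self.timeout = timeout
        self.open_for = open_for
        self.progress = {}      # src -> (index of next expected port, time of last good knock)
        self.opened = {}        # src -> time at which its window closes
        self.actions = []       # (time, iptables command) the daemon would run

    def tick(self, now):
        """Close every window whose time is up."""
        for src, until in list(self.opened.items()):
            if now >= until:
                del self.opened[src]
                self.actions.append((now, ssh_rule("-D", src)))

    def syn(self, now, src, dport):
        """Feed one SYN (time, source, destination port); returns what happens to it."""
        self.tick(now)
        if dport == SSH_PORT:
            # port 22 is closed by default; only an open window lets a NEW connection in
            return "ACCEPT" if src in self.opened else "DROP"
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0                               # too slow: the sequence starts over
        if dport != self.sequence[idx]:
            self.progress.pop(src, None)          # wrong port: all progress is lost
            return "RESET"
        idx += 1
        if idx < len(self.sequence):
            self.progress[src] = (idx, now)
            return "KNOCK"
        self.progress.pop(src, None)              # full sequence: open the door
        self.opened[src] = now + self.open_for
        self.actions.append((now, ssh_rule("-I", src)))
        return "OPEN"


def scenario():
    """Constructed SYN trace: a correct knock followed by a login, a scanner
    hitting 22 cold, a wrong-order knock, a return after the window has
    closed, and a knock that is too slow."""
    d = KnockDaemon()
    events = [
        (0, "192.0.2.5", 7000), (1, "192.0.2.5", 8000), (2, "192.0.2.5", 9000),
        (3, "192.0.2.5", 22),
        (5, "198.51.100.9", 22),
        (6, "198.51.100.9", 7000), (7, "198.51.100.9", 9000),
        (8, "198.51.100.9", 22),
        (30, "192.0.2.5", 22),
        (40, "203.0.113.50", 7000), (55, "203.0.113.50", 8000),
    ]
    return d, [d.syn(t, s, p) for t, s, p in events]


if __name__ == "__main__":
    daemon, results = scenario()
    print(results)
    for t, cmd in daemon.actions:
        print(f"t={t:3d}s  " + " ".join(cmd))
```

Note that the daemon never sees port 22 itself in practice; the firewall decides that. `syn()` reports the verdict the inserted rule would produce so the trace is readable end to end.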

* RE: [gentoo-security] [OT?] automatically firewalling off IPs
From: Dave Strydom [i*]Group @ 2005-10-03 10:58 UTC (permalink / raw
  To: gentoo-security

 
I don't have these problems...

There are two ways to do this:

1) enable the "extensions" flag in the USE line in make.conf, enable the
GEOIP patch for iptables, and also recompile the kernel with the geoip
patch; then you can simply do this:

--------
iptables -A INPUT -p tcp -m geoip ! --src-cc US --dport 22 -j REJECT
--------
That way it will not allow any SSH connections from anyone outside your
country code.

2) Only allow SSH connections from the IPs you use. For example, we are on a
static IP address at our office, so I allow connections to my external servers
from that IP address, but when I am at home, I am on a dynamic IP, so I
allow access for the entire network that I'm connected to, like:

$IPTABLES -A INPUT  -p TCP -s 165.146.0.0/16 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -d 165.146.0.0/16 --sport 22 -j ACCEPT   # replies back to that network

The rest of the traffic to port 22, I drop.

I find it a hell of a lot easier to allow only what I want to the server and
drop everything else than to try and block every individual that tries to
connect to my ssh.


-----Original Message-----
From: Jeremy Brake [mailto:gentoolists@lunatic.net.nz] 
Sent: 02 October 2005 11:10 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] [OT?] automatically firewalling off IPs

Hey all,

I'm looking for an app/script which can monitor for failed ssh logins, and
block using IPTables for $time after $number of failed logins (an exclusion
list would be handy as well) so that I can put a quick stop to these niggly
brute-force ssh "attacks" I seem to be getting more and more often.

Anyone have any ideas?

Thanks, Jeremy B

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: Oscar Carlsson @ 2005-10-03 12:25 UTC (permalink / raw
  To: gentoo-security

This is not firewall specific, but it makes me sleep better at night :)

Add this to /etc/ssh/sshd_config
AllowUsers youruser anotheruser

Put all the users who should be able to ssh into your machine, and no
one but them can log in... :)
pam_tally might be good to take a look at, also.

Good luck

On 10/2/05, Jeremy Brake <gentoolists@lunatic.net.nz> wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B
> --
> gentoo-security@gentoo.org mailing list
>
>


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
From: David vasil @ 2005-10-03 13:01 UTC (permalink / raw
  To: gentoo-security

MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> 
>>Hey all,
>>
>>I'm looking for an app/script which can monitor for failed ssh logins, 
>>and block using IPTables for $time after $number of failed logins (an 
>>exclusion list would be handy as well) so that I can put a quick stop to 
>>these niggly brute-force ssh "attacks" I seem to be getting more and 
>>more often.
> 
> http://kodu.neti.ee/~risto/sec/

Jeremy,
   I agree with MaxieZ, a combination of SEC and Iptables work nicely in 
this situation and could be extended to other services like FTP, IMAP, 
Web authentication, etc.  I personally do not feel that security through 
obscurity by changing the port numbers is a viable solution.  Here is 
what I do:

First, I have SEC scanning my logs using the two rules from the attached 
sec.rules file.  The first rule looks for connections to the sshd port 
that do not send an identification string.  If it sees this message in 
syslog, it then uses iptables to insert a rule to drop all packets from 
the source address.  The second rule looks for attempted logins using an 
invalid user id.  It then creates an iptables rule like the first one. 
I added in a commented out action line for both of those rules which 
creates a 24 hour context, which after 24 hours will delete the iptable 
rule it created for that ip address.

Second, I have three normal iptables rules which rate limit the number 
of connections to port 22.  This is to defend against brute force 
attacks on a valid account.

# Appended in this order: --set first, so the current connection is counted,
# then LOG, then DROP. (Issued with -I, each rule lands above the previous one,
# so the LOG rule would sit below DROP and never fire.) Because --set counts
# the packet itself, --hitcount 2 means the second NEW connection within 600 s
# from one address is logged and dropped.
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --update --seconds 600 --hitcount 2 -j DROP

I highly recommend SEC for this type of log monitoring.

-dave

[-- Attachment #2: sec.rules --]
[-- Type: text/plain, Size: 1631 bytes --]

# Block an address that connected to sshd without sending an identification string.
# Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
# Character classes are [A-Za-z0-9._-] rather than [A-z0-9._-]: the range A-z also
# covers [ \ ] ^ _ ` and the captured fields are interpolated into shellcmd.
type= single
continue= dontcont
ptype= regexp
pattern= sshd\[[0-9]+\]: Did not receive identification string from ([A-Za-z0-9._-]+)
desc= ssh_no_ident_$1
action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"; create ssh_no_ident_$1 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $1 -j DROP

# Block an address trying to log in with an invalid account.
# Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
type= single
continue= dontcont
ptype= regexp
pattern= sshd\[[0-9]+\]: Invalid user ([A-Za-z0-9._-]+) from ([A-Za-z0-9._-]+)
desc= ssh_invalid_user_$1_$2
action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"; create ssh_invalid_user_$1_$2 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $2 -j DROP


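The detection logic of the two SEC rules above, reimplemented as a small Python script so it can be replayed offline over sample log lines. This is an added example, not David's SEC configuration and not part of the original post: it matches the same two sshd messages, counts hits per source address, skips an exclusion list of the kind Jeremy asked for, bans an address after a number of hits and lifts the ban after the 86400-second window the commented-out SEC action uses. The log lines, the threshold of three hits, the 10.0.2.0/24 exclusion and the interface name eth0 are constructed assumptions, and the script never calls iptables; it records the commands it would have run.

```python
"""SSH brute-force blocker modelled on the two SEC rules above (added example).

It matches the same two sshd messages, counts hits per source address,
honours an exclusion list, bans an address after `threshold` hits and lifts
the ban after `ban_seconds` (SEC's 86400-second context). It never calls
iptables; it records the commands it would have run so they can be checked.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# [A-Za-z0-9._-] rather than [A-z0-9._-]: A-z also covers [ \ ] ^ _ `, and
# the captures end up on an iptables command line.
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from ([0-9.]+)")
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user ([A-Za-z0-9._-]+) from ([0-9.]+)")


class Blocker:
    def __init__(self, threshold=3, ban_seconds=86400, exclude=(), iface="eth0"):
        self.threshold = threshold
        self.ban = timedelta(seconds=ban_seconds)
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self.iface = iface                      # assumed interface name
        self.hits = defaultdict(int)            # ip -> failures seen
        self.banned = {}                        # ip -> ban expiry
        self.commands = []                      # iptables commands, in order

    def _excluded(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.exclude)

    def feed(self, line, year=2005):
        """Process one syslog line; return the IP if this line got it banned."""
        # syslog timestamps carry no year; assume one, as SEC itself must
        now = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        self.expire(now)
        m = NO_IDENT.search(line)
        if m:
            ip = m.group(1)
        else:
            m = INVALID_USER.search(line)
            if not m:
                return None
            ip = m.group(2)
        if self._excluded(ip) or ip in self.banned:
            return None
        self.hits[ip] += 1
        if self.hits[ip] < self.threshold:
            return None
        self.banned[ip] = now + self.ban
        self.commands.append(f"iptables -I INPUT -i {self.iface} -s {ip} -j DROP")
        return ip

    def expire(self, now):
        """Lift bans whose window has passed (the 'create ... 86400' context)."""
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                self.hits.pop(ip, None)
                self.commands.append(f"iptables -D INPUT -i {self.iface} -s {ip} -j DROP")


# Constructed sample log: one scanner, one typo-prone user on the LAN, and a
# login a day later that lets the scanner's ban expire.
SAMPLE_LOG = """\
Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
Sep 19 05:50:24 apathy sshd[13255]: Invalid user admin from 69.60.114.13
Sep 19 05:50:25 apathy sshd[13258]: Invalid user admin from 69.60.114.13
Sep 19 06:01:00 apathy sshd[13301]: Invalid user admni from 10.0.2.15
Sep 19 06:01:01 apathy sshd[13302]: Invalid user admni from 10.0.2.15
Sep 19 06:01:02 apathy sshd[13303]: Invalid user admni from 10.0.2.15
Sep 20 06:00:00 apathy sshd[14001]: Accepted publickey for dave from 10.0.2.15 port 4242 ssh2
""".splitlines()


def run(lines=SAMPLE_LOG, exclude=("10.0.2.0/24",), **kw):
    """Replay lines through a Blocker; return (ips banned, iptables commands)."""
    b = Blocker(exclude=exclude, **kw)
    banned = [ip for ip in map(b.feed, lines) if ip]
    return banned, b.commands


if __name__ == "__main__":
    banned, cmds = run()
    print("banned:", banned)
    print("\n".join(cmds))
```

With the sample log the scanner is banned on its third hit, the LAN host is ignored because of the exclusion, and the next day's login causes the expired ban to be removed again, which is the same sequence the SEC rules plus the 24-hour context produce.
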
* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-03 13:01   ` David vasil
@ 2005-10-03 13:18     ` rpfc
  2005-10-03 17:06       ` Kirk Hoganson
  0 siblings, 1 reply; 47+ messages in thread
From: rpfc @ 2005-10-03 13:18 UTC (permalink / raw
  To: gentoo-security, David vasil


> Jeremy,
>   I agree with MaxieZ, a combination of SEC and Iptables work nicely 
> in this situation and could be extended to other services like FTP, 
> IMAP, Web authentication, etc.  I personally do not feel that 
> security through obscurity by changing the port numbers is a viable 
> solution.

Changing port numbers in this case is not for "security". It's just a simple
solution against automated ssh attacks. If the attack is made by a cracker that
really wants to attack a specific target, he will find the port.

Anyway, I change ports not for security purposes but only for stopping
automated attacks filling up my logs. ;)

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
                   ` (9 preceding siblings ...)
  2005-10-03 12:25 ` Oscar Carlsson
@ 2005-10-03 13:29 ` Dan Shookowsky
  2005-10-03 23:26 ` Jeremy Brake
  11 siblings, 0 replies; 47+ messages in thread
From: Dan Shookowsky @ 2005-10-03 13:29 UTC (permalink / raw
  To: gentoo-security

There's a python script that I've been using effectively for a while
http://www.aczoom.com/cms/blockhosts/

It requires a little tweaking in the configuration file for Gentoo, but does
a good job of curbing abuse.

On 10/2/05, Jeremy Brake <gentoolists@lunatic.net.nz> wrote:
>
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B
> --
> gentoo-security@gentoo.org mailing list
>
>

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-03 13:18     ` rpfc
@ 2005-10-03 17:06       ` Kirk Hoganson
  2005-10-04 16:25         ` boger
  0 siblings, 1 reply; 47+ messages in thread
From: Kirk Hoganson @ 2005-10-03 17:06 UTC (permalink / raw
  To: gentoo-security


> 
>> Jeremy,
>>   I agree with MaxieZ, a combination of SEC and Iptables work nicely 
>> in this situation and could be extended to other services like FTP, 
>> IMAP, Web authentication, etc.  I personally do not feel that security 
>> through obscurity by changing the port numbers is a viable solution.
> 


A port knocker of some sort is a much more secure solution that will 
allow you to block all unwanted IP's but still allow for dynamic 
addresses.  There are port knockers that listen on various ports and 
work like a combination lock to open the port, and there are others that 
use a more secure one time pad "magic packet" kind of authentication to 
open the port for your IP.  It is more work to setup, but it is more 
secure than just changing the port.  Remember a few years ago when ssh 
had a remote exploit?  You probably shouldn't leave that port open.

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
                   ` (10 preceding siblings ...)
  2005-10-03 13:29 ` Dan Shookowsky
@ 2005-10-03 23:26 ` Jeremy Brake
  2005-10-04  6:15   ` Joerg Mertin
  11 siblings, 1 reply; 47+ messages in thread
From: Jeremy Brake @ 2005-10-03 23:26 UTC (permalink / raw
  To: gentoo-security

Thanks for all the great input guys.
There's a lot of reading to do before I can decide on the most suitable 
option for me, but I'll get through it all.

While I'm getting my head around everything to implement a permanent 
solution, what about this? (sorry, not great with iptables just yet..)
Leave sshd listening on port 22, but firewall off everything except my 
trusted IPs (localhost, home, girlfriend, work subnet, internal subnet, 
flatmate's server).
Add an iptables rule to port forward $ambiguous_external_port through to 
port 22 on localhost (or if it's safer, the 10.x.x.x IP assigned to the 
machine), and log the instance.
My thinking is that this would make it harder for someone to find my 
open ssh port, but leave me the convenience of not having to specify a 
port when I connect from my regular connections, dozens of times a day. 
Or is it just going to open up an IP spoofing exploit on port 22, and 
achieve practically nothing?

Presumably this would eliminate the need for my original idea of 
search-and-destroy on the brute force scripts, but I'll probably look at 
implementing something along those lines when I get my ftpd going (I'm 
using SCP for everything now, but there's a need to change that) and 
will still look at using the idea for my permanent SSH solution.

I like the sound of SEC, the iptables "recent" option, and port 
knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not 
sure how well the GEOIP patch would work, but I'll look into it. 
(otherwise I would have blacklisted all of Asia already)
I'm going to read through all the rules and scripts posted, once I've 
researched the available tools, and I'll go from there.


Cheers
Jeremy B

Jeremy Brake wrote:

> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins, 
> and block using IPTables for $time after $number of failed logins (an 
> exclusion list would be handy as well) so that I can put a quick stop 
> to these niggly brute-force ssh "attacks" I seem to be getting more 
> and more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-03 23:26 ` Jeremy Brake
@ 2005-10-04  6:15   ` Joerg Mertin
  2005-10-04  8:55     ` Dave Strydom
  0 siblings, 1 reply; 47+ messages in thread
From: Joerg Mertin @ 2005-10-04  6:15 UTC (permalink / raw
  To: gentoo-security

Hi mate,

I attached a little script I'm using to do that in conjunction with shorewall.
To use it, configure shorewall to use the blacklist file on the related 
interface. I have added 2 exceptions, for when failed logins are coming from 
the 10.0.2.* and 192.168.2.* subnets. Search for these and adapt to your network.

Start it through cron every 2 minutes (which IMHO is enough), from the file 
/etc/cron.d/hosts_reject:
*/2 * * * * root /etc/shorewall/hosts_reject.sh

This script is not real-time; however, after some months of running I have 
only 1 probe per month on average against my ssh logins, as it seems the 
drone systems are blacklisted (having 153 IPs in my blacklist right now).
You'll require the logtail program to trim the logfiles ;)

BTW, the system will send you a mail report when a new IP has been found 
probing your network.

Drawback: if you're logging in from outside and mistype your login name, the 
system will most probably lock you out. Make sure you log in from a different 
IP address.

Cheers

Joerg

On Tuesday 04 October 2005 01:26, Jeremy Brake wrote:
> Thanks for all the great input guys.
> There's a lot of reading to do before I can decide on the most suitable
> option for me, but I'll get through it all.
>
> While I'm getting my head around everything to implement a permanent
> solution, what about this? (sorry, not great with iptables just yet..)
> Leave sshd listening on port 22, but firewall off everything except my
> trusted IPs (localhost, home, girlfriend, work subnet, internal subnet,
> flatmate's server).
> Add an iptables rule to port forward $ambiguous_external_port through to
> port 22 on localhost (or if it's safer, the 10.x.x.x IP assigned to the
> machine), and log the instance.
> My thinking is that this would make it harder for someone to find my
> open ssh port, but leave me the convenience of not having to specify a
> port when I connect from my regular connections, dozens of times a day.
> Or is it just going to open up an IP spoofing exploit on port 22, and
> achieve practically nothing?
>
> Presumably this would eliminate the need for my original idea of
> search-and-destroy on the brute force scripts, but I'll probably look at
> implementing something along those lines when I get my ftpd going (I'm
> using SCP for everything now, but there's a need to change that) and
> will still look at using the idea for my permanent SSH solution.
>
> I like the sound of SEC, the iptables "recent" option, and port
> knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not
> sure how well the GEOIP patch would work, but I'll look into it.
> (otherwise I would have blacklisted all of Asia already)
> I'm going to read through all the rules and scripts posted, once I've
> researched the available tools, and I'll go from there.
>
>
> Cheers
> Jeremy B
>
> Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop
> > to these niggly brute-force ssh "attacks" I seem to be getting more
> > and more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B

-- 
A witty saying proves nothing, but saying something pointless gets
people's attention.
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy@solsys.org                (Home)|
| in Forchheim/Germany      :  smurphy@linux.de                  (Alt1)|
| Stardust's LiNUX System   :                                          |
| Web: http://www.solsys.org                                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

[-- Attachment #2: hosts_reject.sh.gz --]
[-- Type: application/x-gzip, Size: 2086 bytes --]

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04  6:15   ` Joerg Mertin
@ 2005-10-04  8:55     ` Dave Strydom
  2005-10-04 14:45       ` Kyle Lutze
  2005-10-05 16:46       ` Robert Larson
  0 siblings, 2 replies; 47+ messages in thread
From: Dave Strydom @ 2005-10-04  8:55 UTC (permalink / raw
  To: gentoo-security

You know what would be seriously awesome is if there were a type of RBL
listing for this kind of thing, and you could just link your iptables up to
the RBL listings.

(for those of you who don't know how RBLs work)

Example, I see this in my auth.log:
-------------------------------------------
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
-------------------------------------------

I could then submit the IP address to an RBL listing site, and then all
people who plug in to the RBL listing could update their firewalls with the
latest listing.

Just an idea, I don't know how hard it would be to do?

Dave


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04  8:55     ` Dave Strydom
@ 2005-10-04 14:45       ` Kyle Lutze
  2005-10-04 14:49         ` Dave Strydom
  2005-10-05 16:46       ` Robert Larson
  1 sibling, 1 reply; 47+ messages in thread
From: Kyle Lutze @ 2005-10-04 14:45 UTC (permalink / raw
  To: gentoo-security

Dave Strydom wrote:

> You know what would be seriously awesome, is if they have a type of 
> RBL listing for this kind of thing, and you could just link your 
> iptables up to the rbl listings.
>
> (for those of you who don't know how rbl's work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> -------------------------------------------
>
> I could then submit the IP address to a RBL listing site, and then all 
> people who plugin to the rbl listing could update their firewalls with 
> the latest listing.
>
> Just an idea, i dont know how hard it would be to do?
>
> Dave

That will never happen. The reasons have been stated plenty of times over, 
but I'll state them again:

* Many of those addresses are from dynamic IPs

* Some may be using fake IPs that you log in from; it would suck to have 
you banned from your own server

* If anybody can submit to an RBL you would have the whole world added 
to that RBL in no time, because somebody will get the bright idea to do so.

In short, bad idea.

Kyle


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 14:45       ` Kyle Lutze
@ 2005-10-04 14:49         ` Dave Strydom
  2005-10-04 17:42           ` Kyle Lutze
  2005-10-04 17:52           ` Neil Cherry
  0 siblings, 2 replies; 47+ messages in thread
From: Dave Strydom @ 2005-10-04 14:49 UTC (permalink / raw
  To: gentoo-security

Which brings me back to my original idea, of only allowing your IPs to
connect to SSH on your servers, and just dropping everything else. Problem
solved.



On 10/4/05, Kyle Lutze <kyle@randomvoids.com> wrote:
>
> Dave Strydom wrote:
>
> You know what would be seriously awesome, is if they have a type of RBL
> listing for this kind of thing, and you could just link your iptables up to
> the rbl listings.
>
> (for those of you who don't know how rbl's work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> -------------------------------------------
>
> I could then submit the IP address to a RBL listing site, and then all
> people who plugin to the rbl listing could update their firewalls with the
> latest listing.
>
> Just an idea, i dont know how hard it would be to do?
>
> Dave
>
> That will never happen. The reason being stated plenty of times over, but
> I'll state them again:
>
> * Many of those addresses are from dynamic IPs
>
> * Some may be using fake IPs that you login from, it would suck to have
> you banned from your own server
>
> * if anybody can submit to an RBL you would have the whole world added to
> that RBL in no time because somebody will get the bright idea to do so.
>
> In short, bad idea.
>
> Kyle
>


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-03 17:06       ` Kirk Hoganson
@ 2005-10-04 16:25         ` boger
  2005-10-04 17:16           ` Kirk Hoganson
  0 siblings, 1 reply; 47+ messages in thread
From: boger @ 2005-10-04 16:25 UTC (permalink / raw
  To: Kirk Hoganson

Hello Kirk,
Is there an iptables-based port knocker?
I dislike the idea of opening ports for this purpose because they can be distinguished in some way.
Promiscuous mode port knockers consume a lot of processor and I don't think
that's good for a production server.

KH> A port knocker of some sort is a much more secure solution that will
KH> allow you to block all unwanted IP's but still allow for dynamic 
KH> addresses.  There are port knockers that listen on various ports and
KH> work like a combination lock to open the port, and there are others that
KH> use a more secure one time pad "magic packet" kind of authentication to
KH> open the port for your IP.  It is more work to setup, but it is more
KH> secure than just changing the port.  Remember a few years ago when ssh
KH> had a remote exploit?  You probably shouldn't leave that port open.

-- 
Best regards,
 boger                            mailto:boger@ttk.ru


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 16:25         ` boger
@ 2005-10-04 17:16           ` Kirk Hoganson
  2005-10-04 18:42             ` boger
  2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
  0 siblings, 2 replies; 47+ messages in thread
From: Kirk Hoganson @ 2005-10-04 17:16 UTC (permalink / raw
  To: gentoo-security

Yes, there are.  I use one for my work servers that is iptables based. 
I don't have any links for you unfortunately but I have seen them.  If 
you are really interested I can probably track down one I saw that used 
iptables and was a combination style.  I also know of an open source 
"magic packet" style that I could probably find a link for if you were 
interested.

boger said the following:
> Hello Kirk,
> Is there IPtables based port knocker? 
> I dislike idea opening ports for this purpose because they can be distinguished by some way.
> Promiscuous mode port knockers consume a lot of processor and
>  I don't think it's good for production server.
> 
> KH> A port knocker of some sort is a much more secure solution that will
> KH> allow you to block all unwanted IP's but still allow for dynamic 
> KH> addresses.  There are port knockers that listen on various ports and
> KH> work like a combination lock to open the port, and there are others that
> KH> use a more secure one time pad "magic packet" kind of authentication to
> KH> open the port for your IP.  It is more work to setup, but it is more
> KH> secure than just changing the port.  Remember a few years ago when ssh
> KH> had a remote exploit?  You probably shouldn't leave that port open.
> 

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 14:49         ` Dave Strydom
@ 2005-10-04 17:42           ` Kyle Lutze
  2005-10-04 17:52           ` Neil Cherry
  1 sibling, 0 replies; 47+ messages in thread
From: Kyle Lutze @ 2005-10-04 17:42 UTC (permalink / raw
  To: gentoo-security

Dave Strydom wrote:

> Which brings me back to my original idea, of only allowing your IP's 
> to connect to SSH on your servers, and just drop everything else, 
> problem solved.

Indeed, but please follow the RFC and post underneath existing content, much 
easier to read :)

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 14:49         ` Dave Strydom
  2005-10-04 17:42           ` Kyle Lutze
@ 2005-10-04 17:52           ` Neil Cherry
  1 sibling, 0 replies; 47+ messages in thread
From: Neil Cherry @ 2005-10-04 17:52 UTC (permalink / raw
  To: gentoo-security

Dave Strydom wrote:
> Which brings me back to my original idea, of only allowing your IP's to
> connect to SSH on your servers, and just drop everything else, problem
> solved.

I do something along those lines. At my firewall/router I have a
rule that blocks private IP (and MS's 169 IP address). Other
addresses are permitted through but all are logged. This script
is on my ssh server for further protection (see below). I used
to do a type of blacklisting (still do) but I haven't had any
new entries since I started using this. BTW, I had a large
number of IP's from China, Korea, Japan, Singapore, Brazil and
a few other Asian countries. So blocking IP's (networks, not
individual IP's) became unmanageable.

Here's what I do (it's been trimmed and I broke the lines with \):

# Allow these site access to my machine
# -state NEW

permit() {
     # I want to log just the start of the conversation
     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG --syn \
                    --log-level info --log-prefix "iptables permit: " \
                    --log-ip-options
     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j ACCEPT
}

# Deny these sites access to my machine
deny() {
     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j LOG \
                    --log-level alert --log-prefix "iptables deny: " \
                    --log-ip-options
     /sbin/iptables -A INPUT -s ${1} -p tcp --dport 22 -j DROP
}

# =[ Flush the tables completely ]============================================
/sbin/iptables -F

# =[ Permit list ]============================================================
#permit 127.0.0.0/8             # Local stuff
permit 10.0.0.0/8               # Local stuff
permit 172.16.0.0/12            # Local stuff
permit 192.168.0.0/16           # Local stuff

# =[ Deny list ]==============================================================
deny 0.0.0.0/0          # Deny everyone else
 

exit 0


-- 
Linux Home Automation         Neil Cherry       ncherry@comcast.net
http://home.comcast.net/~ncherry/               (Text only)
http://hcs.sourceforge.net/                     (HCS II)
http://linuxha.blogspot.com/                    My HA Blog

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 17:16           ` Kirk Hoganson
@ 2005-10-04 18:42             ` boger
  2005-10-04 20:30               ` Kirk Hoganson
  2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
  1 sibling, 1 reply; 47+ messages in thread
From: boger @ 2005-10-04 18:42 UTC (permalink / raw
  To: Kirk Hoganson

Hello Kirk,

I'd appreciate it ;) 

Googling gives a lot of links to libpcap-based port knockers, but I dislike the idea of always running in promiscuous mode. Also "magic packet" is a sort of overkill for me, because I need access from random locations with different OSes, preferably without any additional tools. 
If the computer is untrusted, after logon I can change the knock sequence without leaving any keys behind. Even if the password gets compromised it is not so dangerous in this scenario.

By iptables-based I mean using ulog or ipq to forward packets to the knock daemon, thus it's undetectable from outside and can be very fast.

About a year ago I tested 5 or 6 port knockers but I didn't find any  
suitable for me. Some had terrible CPU usage on my machine, 
some had not flexible enough configuration.


KH> Yes, there are.  I use one for my work servers that is iptables based.
KH> I don't have any links for you unfortunately but I have seen them.  If
KH> you are really interested I can probably track down one I saw that used
KH> iptables and was a combination style.  I also know of an open source
KH> "magic packet" style that I could probably find a link for if you were
KH> interested.

-- 
Best regards,
 boger                            mailto:boger@ttk.ru


* [gentoo-security] Port knocking
  2005-10-04 17:16           ` Kirk Hoganson
  2005-10-04 18:42             ` boger
@ 2005-10-04 19:45             ` Tobias Sager
  2005-10-04 20:20               ` boger
  1 sibling, 1 reply; 47+ messages in thread
From: Tobias Sager @ 2005-10-04 19:45 UTC (permalink / raw
  To: gentoo-security

on 2005-10-04 19:16 Kirk Hoganson wrote the following:
> Yes, there are.  I use one for my work servers that is iptables based. 
> I don't have any links for you unfortunately but I have seen them.  If 
> you are really interested I can probably track down one I saw that used 
> iptables and was a combination style.  I also know of an open source 
> "magic packet" style that I could probably find a link for if you were 
> interested.

That's a possibility I once saw on slashdot:

iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
# a recent match takes one --name, so check the three lists as three matches
iptables -A INPUT -p tcp --dport 22 \
  -m recent --rcheck --seconds 30 --name PART1 \
  -m recent --rcheck --seconds 30 --name PART2 \
  -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

I have not tested if this works, but it looks plausible to me.
Please note this security flaw (fixed in 2.6.14) about ipt_recent:
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/

From the same guy, a shorewall solution for SSH attacks:
http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/


There are numerous knock, knock implementations listed at:
http://www.portknocking.org/view/implementations/implementations


IMHO, the problem with "normal" port knocking tools is the dependency on
client software. I would prefer a solution which can be used without
(too much) hassle (e.g. using telnet and then putty or such).
This evidently is not possible when using more sophisticated port
knocking with timing or specially crafted / encrypted packages, unless
you have a really good feel for timing.. ;-)

Cheers
Tobias

-- 
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28



* Re: [gentoo-security] Port knocking
  2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
@ 2005-10-04 20:20               ` boger
  0 siblings, 0 replies; 47+ messages in thread
From: boger @ 2005-10-04 20:20 UTC (permalink / raw
  To: Tobias Sager

Hello Tobias,


TS> That's a possibility I once saw on slashdot:

TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 \
TS>   -m recent --rcheck --seconds 30 --name PART1 \
TS>   -m recent --rcheck --seconds 30 --name PART2 \
TS>   -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

It's the best :) 
I'll add some protection from plain port scans:
iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I found this page not long ago; the most promising one is temprules. I'm currently experimenting with them.

TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (eg. using telnet and then putty or such).
TS> This evidently is not be possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packages, unless
TS> you have a really good feel for timing.. ;-)
Same for me ;)
or even a web browser: http://somehost:123

-- 
Best regards,
 boger                            mailto:boger@ttk.ru

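As an added example that is not part of Tobias's or boger's posts: the same idea restructured so that the three knocks must arrive in order, with boger's reset-on-scan behaviour built in. It assumes knock ports 1000, 2000 and 3000, a 30 second window, sshd on port 22, and the IPTABLES variable and chain names are my own naming.

```shell
#!/bin/sh
# Added example, not code from the thread: an ordered port-knock sequence with
# the iptables "recent" match. Assumed: knock ports 1000, 2000, 3000, a 30 s
# window and sshd on port 22. Every rule goes through $IPTABLES so the whole
# set can be dry-run with IPTABLES=echo before it touches a live firewall.
IPTABLES="${IPTABLES:-iptables}"

# knock_rules KNOCK1 KNOCK2 KNOCK3 SERVICE_PORT [WINDOW_SECONDS]
knock_rules() {
    k1="$1"; k2="$2"; k3="$3"; svc="$4"; window="${5:-30}"

    for chain in KNOCKING GATE1 GATE2 GATE3 PASSED; do
        "$IPTABLES" -N "$chain"
    done

    # Sessions that already got through are handled by conntrack; only new
    # TCP connection attempts (SYN) enter the knock state machine.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --syn -j KNOCKING

    # GATE1: waiting for the first knock. The service port is closed for
    # anyone in this state; unrelated ports fall back to the rest of INPUT.
    "$IPTABLES" -A GATE1 -p tcp --dport "$k1" -m recent --name AUTH1 --set -j DROP
    "$IPTABLES" -A GATE1 -p tcp --dport "$svc" -j DROP
    "$IPTABLES" -A GATE1 -j RETURN

    # GATE2 and GATE3: the previous stage's entry is removed first, so a SYN
    # to any port other than the expected knock (a plain port scan) sends the
    # source back to GATE1 and the sequence has to start over.
    "$IPTABLES" -A GATE2 -m recent --name AUTH1 --remove
    "$IPTABLES" -A GATE2 -p tcp --dport "$k2" -m recent --name AUTH2 --set -j DROP
    "$IPTABLES" -A GATE2 -j GATE1
    "$IPTABLES" -A GATE3 -m recent --name AUTH2 --remove
    "$IPTABLES" -A GATE3 -p tcp --dport "$k3" -m recent --name AUTH3 --set -j DROP
    "$IPTABLES" -A GATE3 -j GATE1

    # PASSED: all three knocks arrived in order within the window. The entry
    # is consumed, so one SYN to the service port is accepted per sequence.
    "$IPTABLES" -A PASSED -m recent --name AUTH3 --remove
    "$IPTABLES" -A PASSED -p tcp --dport "$svc" -j ACCEPT
    "$IPTABLES" -A PASSED -j GATE1

    # Dispatch on the most advanced stage this source reached within WINDOW.
    # Each list is its own "-m recent" instance: one instance holds one name.
    "$IPTABLES" -A KNOCKING -m recent --rcheck --seconds "$window" --name AUTH3 -j PASSED
    "$IPTABLES" -A KNOCKING -m recent --rcheck --seconds "$window" --name AUTH2 -j GATE3
    "$IPTABLES" -A KNOCKING -m recent --rcheck --seconds "$window" --name AUTH1 -j GATE2
    "$IPTABLES" -A KNOCKING -j GATE1
}

# Sourcing the file defines the function only; "apply" installs the rules.
# Dry run first: IPTABLES=echo sh knock.sh apply
if [ "${1:-}" = "apply" ]; then
    knock_rules 1000 2000 3000 22 30
fi
```

Because the three list names are checked in separate `-m recent` instances, a source that hits the ports in the wrong order never reaches PASSED, and a scan across the knock ports only keeps resetting it to GATE1.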

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 18:42             ` boger
@ 2005-10-04 20:30               ` Kirk Hoganson
  2005-10-04 20:42                 ` boger
  0 siblings, 1 reply; 47+ messages in thread
From: Kirk Hoganson @ 2005-10-04 20:30 UTC (permalink / raw
  To: gentoo-security

boger said the following:
> Hello Kirk,
> 
> I'll appreciate it ;) 
> 
> Googling gives a lot of links to libpcap based port knockers, but I dislike the idea of always running in promiscuous mode. Also "magic packet" is a sort of overkill for me, because I need access from random locations with different OSes, preferably without any additional tools. 
> If the computer is untrusted, after logon I can change the knock sequence without leaving any keys behind. Even if the password gets compromised, it is not so dangerous in this scenario.
> 
> By iptables based I mean using ulog or ipq to forward packets to a knock daemon, thus it's undetectable from outside and can be very fast.
> 
> About a year ago I tested 5 or 6 port knockers but I didn't find any
> suitable for me. Some had terrible CPU usage on my machine,
> some not flexible enough configuration.
> 
> 
> KH> Yes, there are.  I use one for my work servers that is iptables based.
> KH> I don't have any links for you unfortunately but I have seen them.  If
> KH> you are really interested I can probably track down one I saw that used
> KH> iptables and was a combination style.  I also know of an open source
> KH> "magic packet" style that I could probably find a link for if you were
> KH> interested.
> 

It would appear that I was mistaken in thinking that the two I have used 
were iptables based.  Both are dependent upon libpcap.  I was briefly 
confused based on the way they have been integrated into the iptables 
firewall.  For what it is worth, my experiences with libpcap port 
knockers have been very favorable.  Sorry if that was a bit of a goose chase.

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04 20:30               ` Kirk Hoganson
@ 2005-10-04 20:42                 ` boger
  0 siblings, 0 replies; 47+ messages in thread
From: boger @ 2005-10-04 20:42 UTC (permalink / raw
  To: gentoo-security

Hello Kirk,

Wednesday, October 5, 2005, 12:30:16 AM, you wrote:

KH> boger said the following:
>> Hello Kirk,
>> 
>> I'll appreciate it ;) 
>> 
>> Googling gives a lot of links to libpcap based port knockers,
>> but I dislike the idea of always running in promiscuous mode. Also "magic
>> packet" is a sort of overkill for me, because I need access from
>> random locations with different OSes, preferably without any
>> additional tools. 
>> If the computer is untrusted, after logon I can change the knock
>> sequence without leaving any keys behind. Even if the password gets
>> compromised, it is not so dangerous in this scenario.
>> 
>> By iptables based I mean using ulog or ipq to forward packets
>> to a knock daemon, thus it's undetectable from outside and can be very
>> fast.
>> 
>> About a year ago I tested 5 or 6 port knockers but I didn't find any
>> suitable for me. Some had terrible CPU usage on my machine,
>> some not flexible enough configuration.
>> 
>> 

KH> It would appear that I was mistaken in thinking that the two I have used
KH> were iptables based.  Both are dependent upon libpcap.  I was briefly
KH> confused based on the way they have been integrated into the iptables
KH> firewall.  For what it is worth, my experiences with libpcap port
KH> knockers have been very favorable.  Sorry if that was a bit of a goose chase.

Thanks to Tobias Allen, he offered a suitable solution ;)
It's in the '[gentoo-security] Port knocking' thread.

Also I reported this method to http://www.portknocking.org.
-- 
Best regards,
 boger                            mailto:boger@ttk.ru


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-04  8:55     ` Dave Strydom
  2005-10-04 14:45       ` Kyle Lutze
@ 2005-10-05 16:46       ` Robert Larson
  1 sibling, 0 replies; 47+ messages in thread
From: Robert Larson @ 2005-10-05 16:46 UTC (permalink / raw
  To: gentoo-security

On Tuesday 04 October 2005 03:55 am, Dave Strydom wrote:
> You know what would be seriously awesome, is if they have a type of RBL
> listing for this kind of thing, and you could just link your iptables up to
> the rbl listings.
...
> I could then submit the IP address to a RBL listing site, and then all
> people who plugin to the rbl listing could update their firewalls with the
> latest listing.

This may not be the best solution pertaining to this particular thread, but 
the following site may be of use for this kind of a thing.  I would recommend 
anyone managing a firewall to at least check it out, as it is a great 
resource:
http://www.dshield.org/

If you wanted to perhaps ban the most popular (not to mention annoying) script 
kiddies (or ban and not log), you could write some form of a script that 
could just grab and parse one of these feeds:
http://www.dshield.org/feeds_doc.php

Then add some rules to your firewall, using whatever means necessary.

HTH,

Robert



* RE: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-02 22:53   ` Alex Efros
  2005-10-02 23:02     ` Marc Risse
@ 2005-10-06  1:40     ` Tad Glines
  2005-10-06  8:13       ` Matan Peled
  1 sibling, 1 reply; 47+ messages in thread
From: Tad Glines @ 2005-10-06  1:40 UTC (permalink / raw
  To: gentoo-security

These rules only block out the offending IP. All others remain un-blocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@sky.net.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
> 
> Hi!
> 
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> >    --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> >    --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 3600 --hitcount 20 -j DROP
> 
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server...... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
> 
> --
> 			WBR, Alex.
> --
> gentoo-security@gentoo.org mailing list


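An added example, not Tad's rule set: rate limiting of new SSH connections per source address with the recent match, plus the exclusion list the original question asked for, so that the admin's own networks cannot be rate-limited out the way Alex describes. It assumes eth0, port 22, the SSH_LIMIT chain name and the 192.0.2.0/24 documentation range as the exempt network; the ssh_unblock helper and its proc paths are my own addition.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source SSH connection-rate
# limiting with the "recent" match and an exclusion list. Assumed: sshd on
# port 22 behind eth0 and the xt_recent (older: ipt_recent) module. Rules go
# through $IPTABLES so the set can be dry-run with IPTABLES=echo.
IPTABLES="${IPTABLES:-iptables}"

# ssh_limit_rules IFACE PORT HITS SECONDS [EXEMPT_CIDR ...]
# A source that has opened HITS connections within SECONDS is dropped from
# then on; each dropped attempt refreshes the timer, so the block lasts until
# the source has been quiet for SECONDS. HITS must not exceed the module's
# ip_pkt_list_tot (20 by default).
ssh_limit_rules() {
    iface="$1"; port="$2"; hits="$3"; secs="$4"; shift 4

    "$IPTABLES" -N SSH_LIMIT

    # Exclusion list first: exempt sources return to INPUT before they are
    # counted, so they never appear in the SSH list at all.
    for cidr in "$@"; do
        "$IPTABLES" -A SSH_LIMIT -s "$cidr" -j RETURN
    done

    # --update matches once HITS entries exist within SECONDS and refreshes
    # the last-seen time on match; the limit match keeps the log readable.
    "$IPTABLES" -A SSH_LIMIT -m recent --name SSH --update --seconds "$secs" --hitcount "$hits" \
        -m limit --limit 3/min -j LOG --log-prefix "SSH_limit: "
    "$IPTABLES" -A SSH_LIMIT -m recent --name SSH --update --seconds "$secs" --hitcount "$hits" -j DROP

    # Not over the limit yet: record this attempt and let INPUT decide.
    "$IPTABLES" -A SSH_LIMIT -m recent --name SSH --set -j RETURN

    # Only new connection attempts are counted, not every packet of a session.
    "$IPTABLES" -A INPUT -i "$iface" -p tcp --syn --dport "$port" -j SSH_LIMIT
}

# ssh_unblock ADDR: remove one source from the SSH list by hand, for example
# after a colleague tripped the limiter. The proc path depends on the module
# name; writing "-ADDR" to it deletes the entry.
ssh_unblock() {
    for f in /proc/net/xt_recent/SSH /proc/net/ipt_recent/SSH; do
        if [ -w "$f" ]; then
            printf -- '-%s\n' "$1" > "$f"
            return 0
        fi
    done
    echo "recent list SSH not found" >&2
    return 1
}

# Sourcing the file defines the functions only; "apply" installs the rules.
# Dry run first: IPTABLES=echo sh ssh-limit.sh apply
if [ "${1:-}" = "apply" ]; then
    ssh_limit_rules eth0 22 4 60 192.0.2.0/24   # documentation range as the exempt network
fi
```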

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06  1:40     ` Tad Glines
@ 2005-10-06  8:13       ` Matan Peled
  2005-10-06  9:15         ` William Kenworthy
  2005-10-07  2:37         ` Tad Glines
  0 siblings, 2 replies; 47+ messages in thread
From: Matan Peled @ 2005-10-06  8:13 UTC (permalink / raw
  To: gentoo-security


Tad Glines wrote:
> These rules only block out the offending IP. All others remain un-blocked.

IP spoofing. It isn't that far fetched, really...


--
[Name      ]   ::  [Matan I. Peled    ]
[Location  ]   ::  [Israel            ]
[Public Key]   ::  [0xD6F42CA5        ]
[Keyserver ]   ::  [keyserver.kjsl.com]
encrypted/signed  plain text  preferred


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06  8:13       ` Matan Peled
@ 2005-10-06  9:15         ` William Kenworthy
  2005-10-06 10:19           ` Matan Peled
  2005-10-07  2:37         ` Tad Glines
  1 sibling, 1 reply; 47+ messages in thread
From: William Kenworthy @ 2005-10-06  9:15 UTC (permalink / raw
  To: gentoo-security

Can anyone comment whether IP spoofing (for hiding country of origin) is
common?  Seems quite unlikely - at least at the current state of things.
Is it even possible to tell (at the firewall interface?)

BillK

On Thu, 2005-10-06 at 11:13 +0300, Matan Peled wrote:
> Tad Glines wrote:
> > These rules only block out the offending IP. All others remain un-blocked.
> 
> IP spoofing. It isn't that far fetched, really...

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06  9:15         ` William Kenworthy
@ 2005-10-06 10:19           ` Matan Peled
  2005-10-06 12:44             ` William Kenworthy
  2005-10-06 21:02             ` Kirk Hoganson
  0 siblings, 2 replies; 47+ messages in thread
From: Matan Peled @ 2005-10-06 10:19 UTC (permalink / raw
  To: gentoo-security


William Kenworthy wrote:
> Can anyone comment whether IP spoofing (for hiding country of origin) is
> common?  Seems quite unlikely - at least at the current state of things.
> Is it even possible to tell (at the firewall interface?)
> 
> BillK

I think that hiding country of origin by IP spoofing is quite useless, at
least on the Internet (it might work on a single subnet, or if you pretend to be
another IP in your subnet, and then switches complicate it as well...)

AFAIK, you can't actually connect to a server with a spoofed IP, since the
server will send the reply packets to the spoofed IP, which will either drop
them or tell the server it doesn't want them.

Spoofed IPs are only good if you want to flood a server with them and not have
the admin know where they came from (not easily, anyway).

However, firewalls that automatically blacklist IPs that do weird things can be
exploited. Let's say you have connection rate limiting on your SSH port. I can
send your firewall spoofed packets that contain your IP, and have it rate-limit
my spoofed packets.

And then you can't connect. Not good...

Anyway, about hiding country of origin - it's usually done using proxies. There
are many open proxies out there...

--
[Name      ]   ::  [Matan I. Peled    ]
[Location  ]   ::  [Israel            ]
[Public Key]   ::  [0xD6F42CA5        ]
[Keyserver ]   ::  [keyserver.kjsl.com]
encrypted/signed  plain text  preferred


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06 10:19           ` Matan Peled
@ 2005-10-06 12:44             ` William Kenworthy
  2005-10-06 21:02             ` Kirk Hoganson
  1 sibling, 0 replies; 47+ messages in thread
From: William Kenworthy @ 2005-10-06 12:44 UTC (permalink / raw
  To: gentoo-security

On Thu, 2005-10-06 at 13:19 +0300, Matan Peled wrote:
> William Kenworthy wrote:
> > Can anyone comment whether IP spoofing (for hiding country of origin) is
> > common?  Seems quite unlikely - at least at the current state of things.
> > Is it even possible to tell (at the firewall interface?)
> > 
> > BillK
> 
> I think that hiding country of origin by IP spoofing is quite useless, at
...
Thanks, good description.

BillK


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06 10:19           ` Matan Peled
  2005-10-06 12:44             ` William Kenworthy
@ 2005-10-06 21:02             ` Kirk Hoganson
  2005-10-06 21:05               ` Brian Micek
  1 sibling, 1 reply; 47+ messages in thread
From: Kirk Hoganson @ 2005-10-06 21:02 UTC (permalink / raw
  To: gentoo-security

Matan Peled said the following:
> William Kenworthy wrote:
> 
>>Can anyone comment whether IP spoofing (for hiding country of origin) is
>>common?  Seems quite unlikely - at least at the current state of things.
>>Is it even possible to tell (at the firewall interface?)
>>
>>BillK
> 
> 
> I think that hiding country of origin by IP spoofing is quite useless, at
> least on the Internet (it might work on a single subnet, or if you pretend to be
> another IP in your subnet, and then switches complicate it as well...)
> 

I think it depends on your purpose.  It is easy to get around, but 
blocking whole ranges based on country could help cut down on the 
vulnerability scans that can be so annoying.  Our country does no 
business with China, yet various subnets are frequently scanned from 
addresses originating there.  Blocking those ranges would cause most of 
them to move on.  It is likely that you already block whole invalid 
subnets in your firewall rules anyway.

* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06 21:02             ` Kirk Hoganson
@ 2005-10-06 21:05               ` Brian Micek
  0 siblings, 0 replies; 47+ messages in thread
From: Brian Micek @ 2005-10-06 21:05 UTC (permalink / raw
  To: gentoo-security



Attached are my scripts, generated by a cron job, to block China and
Korea, if anyone is interested.  I've observed that the CIDRs for these
countries change, so it might be a good idea to have semi-recent copies.

Brian 

On Thu, 2005-10-06 at 15:02 -0600, Kirk Hoganson wrote:

> Matan Peled said the following:
> > William Kenworthy wrote:
> > 
> >>Can anyone comment whether IP spoofing (for hiding country of origin) is
> >>common?  Seems quite unlikely - at least at the current state of things.
> >>Is it even possible to tell (at the firewall interface?)
> >>
> >>BillK
> > 
> > 
> > I think that hiding country of origin by IP spoofing is quite useless, at
> > least on the Internet (it might work on a single subnet, or if you pretend to be
> > another IP in your subnet, and then switches complicate it as well...)
> > 
> 
> I think it depends on your purpose.  It is easy to get around, but 
> blocking whole ranges based on country could help cut down on the 
> vulnerability scans that can be so annoying.  Our country does no 
> business with China, yet various subnets are frequently scanned from 
> addresses originating there.  Blocking those ranges would cause most of 
> them to move on.  It is likely that you already block whole invalid 
> subnets in your firewall rules anyway.


[-- Attachment #1.2: block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35946 bytes --]

[-- Attachment #1.3: block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21195 bytes --]

[-- Attachment #1.4: undo-block-cn.sh --]
[-- Type: application/x-shellscript, Size: 35920 bytes --]

[-- Attachment #1.5: undo-block-kr.sh --]
[-- Type: application/x-shellscript, Size: 21169 bytes --]


* RE: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-06  8:13       ` Matan Peled
  2005-10-06  9:15         ` William Kenworthy
@ 2005-10-07  2:37         ` Tad Glines
  2005-10-07 18:47           ` Eric Paynter
  1 sibling, 1 reply; 47+ messages in thread
From: Tad Glines @ 2005-10-07  2:37 UTC (permalink / raw
  To: gentoo-security

The intent wasn't to be 100% secure. It was to really slow down the script
kiddies that were clogging my server logs.

As for IP spoofing: spoofing an IP packet source address is really easy,
which is why blocking DDoS attacks can be difficult. However, if you want to
have an actual two-way conversation with a computer you have to find a third
host that supports loose source routing (any older windoze box will do).
Most infrastructure routers on the net drop/block packets with source route
options, so spoofing the source IP of a TCP conversation is not generally
practical over the internet.

-Tad

> -----Original Message-----
> From: Matan Peled [mailto:chaosite@gmail.com]
> Sent: Thursday, October 06, 2005 1:14 AM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
> 
> Tad Glines wrote:
> > These rules only block out the offending IP. All others remain un-
> blocked.
> 
> IP spoofing. It isn't that far fetched, really...
> 
> 
> --
> [Name      ]   ::  [Matan I. Peled    ]
> [Location  ]   ::  [Israel            ]
> [Public Key]   ::  [0xD6F42CA5        ]
> [Keyserver ]   ::  [keyserver.kjsl.com]
> encrypted/signed  plain text  preferred



* RE: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-07  2:37         ` Tad Glines
@ 2005-10-07 18:47           ` Eric Paynter
  2005-10-08 13:40             ` RADDS Support Team
  0 siblings, 1 reply; 47+ messages in thread
From: Eric Paynter @ 2005-10-07 18:47 UTC (permalink / raw
  To: gentoo-security

On Thu, October 6, 2005 7:37 pm, Tad Glines said:
> Most infrastructure routers on the net drop/block packets with source
> route options so spoofing the source IP of a TCP conversation is not
> generally practical over the internet.

To be sure, drop source-routed packets at your own firewall too. Don't
rely on "most" infrastructure to do it for you.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com


* Re: [gentoo-security] [OT?] automatically firewalling off IPs
  2005-10-07 18:47           ` Eric Paynter
@ 2005-10-08 13:40             ` RADDS Support Team
  0 siblings, 0 replies; 47+ messages in thread
From: RADDS Support Team @ 2005-10-08 13:40 UTC (permalink / raw
  To: gentoo-security

Eric Paynter wrote:
> On Thu, October 6, 2005 7:37 pm, Tad Glines said:
> 
>>Most infrastructure routers on the net drop/block packets with source
>>route options so spoofing the source IP of a TCP conversation is not
>>generally practical over the internet.
> 
> 
> To be sure, drop source-routed packets at your own firewall too. Don't
> rely on "most" infrastructure to do it for you.

Which is the best way to do so, then? I'd use sysctl.conf for this:

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0

# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0

Is there anything better?

regards,
Dennis
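An added check, not part of Dennis's post: a script that reads the effective per-interface values under /proc/sys/net/ipv4/conf, because the net.ipv4.conf.default.* keys only seed interfaces created after they are set, and the kernel combines the "all" value with each interface's own value. The SYSCTL_ROOT override and the function names are my own.

```shell
#!/bin/sh
# Added check, not code from the thread: confirm that every interface really
# refuses source-routed packets and has reverse-path filtering on, whatever
# the "default" template says. SYSCTL_ROOT is an assumed override so the
# check can run against a constructed tree instead of the live /proc.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# effective KEY IFACE: the value the kernel acts on for that interface.
# accept_source_route is honoured only when both "all" and the interface
# say 1; for rp_filter current kernels take the stricter (higher) of the two.
effective() {
    all=$(cat "$SYSCTL_ROOT/all/$1")
    dev=$(cat "$SYSCTL_ROOT/$2/$1")
    case "$1" in
        accept_source_route)
            if [ "$all" -eq 1 ] && [ "$dev" -eq 1 ]; then echo 1; else echo 0; fi ;;
        rp_filter)
            if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi ;;
        *)
            echo "unknown key $1" >&2; return 1 ;;
    esac
}

# audit_source_route: one line per real interface; exit status 1 if any
# interface would still accept source routes or runs without rp_filter.
audit_source_route() {
    rc=0
    for dir in "$SYSCTL_ROOT"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        sr=$(effective accept_source_route "$iface")
        rp=$(effective rp_filter "$iface")
        if [ "$sr" -ne 0 ] || [ "$rp" -eq 0 ]; then
            echo "$iface: accept_source_route=$sr rp_filter=$rp FAIL"
            rc=1
        else
            echo "$iface: accept_source_route=$sr rp_filter=$rp ok"
        fi
    done
    return "$rc"
}

# Run against the live kernel: sh sysctl-audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_source_route
fi
```

A FAIL line for an interface that was brought up before sysctl.conf was applied is the usual symptom of relying on the default.* keys alone; setting the all.* keys as well closes that gap.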
