From: David vasil
Date: Mon, 03 Oct 2005 09:01:03 -0400
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Message-ID: <43412B8F.5040207@cs.utk.edu>
In-Reply-To: <20051002211923.GA3186@maxiez.national-net.com>
List-Id: Gentoo Linux mail <gentoo-security@gentoo.org>
MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> http://kodu.neti.ee/~risto/sec/

Jeremy,

I agree with MaxieZ, a combination of SEC and iptables works nicely in this situation and could be extended to other services like FTP, IMAP, web authentication, etc. I personally do not feel that security through obscurity by changing the port numbers is a viable solution. Here is what I do:

First, I have SEC scanning my logs using the two rules from the attached sec.rules file. The first rule looks for connections to the sshd port that do not send an identification string. If it sees this message in syslog, it then uses iptables to insert a rule to drop all packets from the source address. The second rule looks for attempted logins using an invalid user id. It then creates an iptables rule like the first one. I added a commented-out action line for both of those rules which creates a 24 hour context; after 24 hours it will delete the iptables rule it created for that IP address.

Second, I have three normal iptables rules which rate limit the number of connections to port 22. This is to defend against brute force attacks on a valid account.
# -I inserts at the top of INPUT, so the rules are typed in reverse order;
# the chain is then evaluated as --set, LOG, DROP. (Typed LOG before DROP,
# the LOG rule would sit below the DROP and never fire.) With --seconds 600
# --hitcount 2, the second NEW connection from the same address within ten
# minutes is logged and then dropped.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

I highly recommend SEC for this type of log monitoring.

-dave

[attachment: sec.rules]

# kill IP address trying to log in with invalid account
#
# The captured groups use [A-Za-z0-9._-], not [A-z0-9._-]: the A-z range also
# covers [ \ ] ^ _ and the backtick, and $1/$2 are interpolated into a shell
# command, so the class must admit only address characters.

# Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
type=single
continue=dontcont
ptype=regexp
pattern=sshd\[[0-9]+\]: Did not receive identification string from ([A-Za-z0-9._-]+)
desc=ssh_no_ident_$1
action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"; create ssh_no_ident_$1 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $1 -j DROP

# Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
type=single
continue=dontcont
ptype=regexp
pattern=sshd\[[0-9]+\]: Invalid user ([A-Za-z0-9._-]+) from ([A-Za-z0-9._-]+)
desc=ssh_invalid_user_$1_$2
action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"; create ssh_invalid_user_$1_$2 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $2 -j DROP

-- 
gentoo-security@gentoo.org mailing list
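The ban-and-expire logic of the two sec.rules rules above, replayed over sample sshd log lines in Python. This is an added example, not code from the thread, from SEC or from the sec.rules attachment; it goes beyond the posted rules in two ways: a DROP rule is inserted once per source address rather than once per matching line (the posted Single rules fire on every hit and would stack duplicate rules), and it carries an exclusion list of networks that are never blocked, which is what the original question asked for. The class and function names (Banner, replay), the 10.0.0.0/8 exclusion, and the three log lines that are not quoted in sec.rules are assumptions; the sample log is constructed. Nothing is executed: the commands are returned as strings, so the logic can be checked before it is wired to a real iptables.

```python
import ipaddress
import re

# Patterns mirroring the two sec.rules rules. The character class is spelled
# out (A-Za-z): [A-z] would also match [ \ ] ^ _ and the backtick, and the
# address ends up in a shell command.
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from ([0-9A-Za-z._:-]+)")
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user ([0-9A-Za-z._-]+) from ([0-9A-Za-z._:-]+)")

BAN_SECONDS = 86400   # the 24 h context lifetime used in sec.rules
IFACE = "eth0"        # interface used in the posted iptables commands


class Banner:
    """One DROP rule per source address, removed after BAN_SECONDS (like the SEC contexts)."""

    def __init__(self, exclude):
        # Exclusion list (assumed, not in the posted rules): networks never blocked.
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self.bans = {}    # address string -> second at which its rule is removed

    def _never_block(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True   # not a literal address: never hand it to iptables
        return any(addr in net for net in self.exclude)

    def feed(self, line, now):
        """Match one syslog line. Returns (iptables command, log message) or None."""
        m = NO_IDENT.search(line)
        if m:
            ip, why = m.group(1), "no identification string was given"
        else:
            m = INVALID_USER.search(line)
            if not m:
                return None
            ip, why = m.group(2), "attempted to log in with invalid user " + m.group(1)
        if self._never_block(ip) or ip in self.bans:
            return None   # excluded, or already blocked: do not stack a duplicate rule
        self.bans[ip] = now + BAN_SECONDS
        return (f"/sbin/iptables -I INPUT -i {IFACE} -s {ip} -j DROP",
                f"iptables-insert: dropping all traffic from {ip} because {why}")

    def expire(self, now):
        """Return the delete commands for every ban whose lifetime has passed."""
        done = [ip for ip, until in self.bans.items() if until <= now]
        for ip in done:
            del self.bans[ip]
        return [f"/sbin/iptables -D INPUT -i {IFACE} -s {ip} -j DROP" for ip in done]


# Constructed sample log as (seconds since start, line): the two lines quoted in
# sec.rules plus three made-up ones (an accepted login, an invalid user from an
# excluded network, and a second attacker).
SAMPLE_LOG = [
    (0,   "Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13"),
    (6,   "Sep 19 05:40:31 apathy sshd[13240]: Accepted publickey for dave from 10.0.0.5 port 51234 ssh2"),
    (598, "Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13"),
    (637, "Sep 19 05:51:02 apathy sshd[13260]: Invalid user admin from 10.0.0.5"),
    (739, "Sep 19 05:52:44 apathy sshd[13271]: Invalid user oracle from 192.0.2.77"),
]


def replay(events, exclude=("10.0.0.0/8",)):
    """Replay (time, line) events through a Banner; return every command in order."""
    banner = Banner(exclude)
    cmds = []
    for now, line in events:
        cmds.extend(banner.expire(now))      # expiries are due before the new line
        hit = banner.feed(line, now)
        if hit:
            cmds.append(hit[0])
    return cmds


if __name__ == "__main__":
    # An empty line two days later just advances the clock so both bans expire.
    for cmd in replay(SAMPLE_LOG + [(2 * BAN_SECONDS, "")]):
        print(cmd)
```

Replaying the sample yields two inserts (69.60.114.13 on its first line only, 192.0.2.77) and, a day later, the matching deletes; 10.0.0.5 is never blocked because it is inside the excluded network. A real deployment would run the returned strings through subprocess with a list argv rather than a shell, which the address check in _never_block already makes safe.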