[gentoo-security] hackers

[gentoo-security] hackers

[Jochen Maes]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,


ok one off my servers i keep on getting one iprange that tries to
login through ssh (200-300) attemps with other usernames.
This is probably a script that's being ran all the time, but the isp
doesn't mind, i allready sent my logs and my complaints and i don't
get any response.
Is there something like hackerwatch that i can send those logs to
(preferrably automatically) when happening?
I've blocked the range now so isn't a problem but hate it that the isp
doesn nothing against it.

greetings,

SeJo

- --
"Defer no time, delays have dangerous ends"

Jochen Maes                     
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
ZPNqAHab5fXLdx11vdod5rc=
=35Kg
-----END PGP SIGNATURE-----

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[Christophe Garault]

Jochen Maes a écrit :

>Is there something like hackerwatch that i can send those logs to
>(preferrably automatically) when happening?
>  
>
Yes, have a look to Dshield: http://www.dshield.org/

-- 
Christophe Garault


-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[APerez]

[-- Attachment #1: Type: text/plain, Size: 1417 bytes --]

I have a question:

Is there an application/program which can send an email whenever this
ssh attack happen?

A few months ago I got 300 attempts which made me close ssh port
and stop using it for a while.

Thanks

Alfredito
 



Jochen Maes <sejo@gentoo.org> 
10/10/2005 05:52 AM
Please respond to
gentoo-security@lists.gentoo.org


To
gentoo-security@lists.gentoo.org
cc

Subject
[gentoo-security] hackers






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,


ok one off my servers i keep on getting one iprange that tries to
login through ssh (200-300) attemps with other usernames.
This is probably a script that's being ran all the time, but the isp
doesn't mind, i allready sent my logs and my complaints and i don't
get any response.
Is there something like hackerwatch that i can send those logs to
(preferrably automatically) when happening?
I've blocked the range now so isn't a problem but hate it that the isp
doesn nothing against it.

greetings,

SeJo

- --
"Defer no time, delays have dangerous ends"

Jochen Maes 
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
ZPNqAHab5fXLdx11vdod5rc=
=35Kg
-----END PGP SIGNATURE-----

-- 
gentoo-security@gentoo.org mailing list



[-- Attachment #2: Type: text/html, Size: 2613 bytes --]

RE: [gentoo-security] hackers

[Sean Cook]

[-- Attachment #1: Type: text/plain, Size: 2143 bytes --]

Yes, you can set up triggers in syslog-ng that will trigger based on failed
ssh login attempts.

 

filter f_ssh_login_attempt {

        program("sshd.*")

        and match("(Failed|Accepted)")

        and not match("Accepted (hostbased|publickey) for (root|zoneaxfr)
from (10.4.3.1)");

};

 

log { 

        source(src);

        filter(f_ssh_login_attempt);

        destination(mail-alert-perl); 

};

destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };

 

Sean

 

  _____  

From: APerez@cds.ca [mailto:APerez@cds.ca] 
Sent: Tuesday, October 11, 2005 8:22 AM
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] hackers

 


I have a question: 

Is there an application/program which can send an email whenever this 
ssh attack happen? 

A few months ago I got 300 attempts which made me close ssh port 
and stop using it for a while. 

Thanks 

Alfredito
  




Jochen Maes <sejo@gentoo.org> 

10/10/2005 05:52 AM 


Please respond to
gentoo-security@lists.gentoo.org


To

gentoo-security@lists.gentoo.org 


cc

 


Subject

[gentoo-security] hackers

 


 

 




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,


ok one off my servers i keep on getting one iprange that tries to
login through ssh (200-300) attemps with other usernames.
This is probably a script that's being ran all the time, but the isp
doesn't mind, i allready sent my logs and my complaints and i don't
get any response.
Is there something like hackerwatch that i can send those logs to
(preferrably automatically) when happening?
I've blocked the range now so isn't a problem but hate it that the isp
doesn nothing against it.

greetings,

SeJo

- --
"Defer no time, delays have dangerous ends"

Jochen Maes                     
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
ZPNqAHab5fXLdx11vdod5rc=
=35Kg
-----END PGP SIGNATURE-----

-- 
gentoo-security@gentoo.org mailing list




[-- Attachment #2: Type: text/html, Size: 13138 bytes --]

Re: [gentoo-security] hackers

[Chris Smart]

APerez@cds.ca wrote:

> A few months ago I got 300 attempts which made me close ssh port
> and stop using it for a while.

Why not change the external port to something other than 22?
Most of these attempts are scripts and only check the default port.

-c

>
> Thanks
>
> Alfredito
>  

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[Oliver Schad]

APerez@cds.ca wrote:
> 
> I have a question:
> 
> Is there an application/program which can send an email whenever this
> ssh attack happen?

Yes, you need grep, mail, wc and a counter. But you don't want to do
this. I count round about 65000 failed login attempts in last 6 month.

> A few months ago I got 300 attempts which made me close ssh port
> and stop using it for a while.

You need good passwords to be secure. That's all.

Best regards
Oli

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[Kurt Lieber]

[-- Attachment #1: Type: text/plain, Size: 414 bytes --]

On Tue, Oct 11, 2005 at 08:21:39AM -0400 or thereabouts, APerez@cds.ca wrote:
> Is there an application/program which can send an email whenever this
> ssh attack happen?

Yes, Tenshi does exactly that.

http://www.gentoo.org/proj/en/infrastructure/tenshi/

We use it to receive summaries of all the various SSH attacks that hit our
servers, as well as several other log events that are of interest to us.

--kurt

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-security] hackers

[woody]

Jochen Maes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hey all,
> 
> 
> ok one off my servers i keep on getting one iprange that tries to
> login through ssh (200-300) attemps with other usernames.
> This is probably a script that's being ran all the time, but the isp
> doesn't mind, i allready sent my logs and my complaints and i don't
> get any response.
> Is there something like hackerwatch that i can send those logs to
> (preferrably automatically) when happening?
> I've blocked the range now so isn't a problem but hate it that the isp
> doesn nothing against it.

have a look to fail2ban..

diabolo prod # emerge -s fail2ban
Searching...
[ Results for search key : fail2ban ]
[ Applications found : 1 ]

*  net-firewall/fail2ban
       Latest version available: 0.5.4
       Latest version installed: 0.5.4
       Size of downloaded files: 18 kB
       Homepage:    http://sourceforge.net/projects/fail2ban
       Description: Bans IP that make too many password failures
       License:     GPL-2

> 
> greetings,
> 
> SeJo
> 
> - --
> "Defer no time, delays have dangerous ends"
> 
> Jochen Maes                     Gentoo Linux
> Gentoo Belgium
> http://sejo.be
> http://gentoo.be
> http://gentoo.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
> ZPNqAHab5fXLdx11vdod5rc=
> =35Kg
> -----END PGP SIGNATURE-----
> 

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[Dark]

For the task of banning people trying to force their way into my server 
I use the following combination:

portsentry + logwatch (and a bit of iptables to restrict access to 
certain servers to certain clients).

portsentry will monitor certain ports and check for known attacks (the 
SSH attack and port scan is among those) and given some rules it will 
put the IP/hostname into the /etc/hosts.deny file and thus make sure 
that they wont be able to gain access to the machine (with some other 
techniques they wont even be able to SEE the machine!).

logwatch mails me a summary of the most important logs every day (I've 
set my system to do it around midnight - just after my logsystem changes 
logfile). So I know how much diskspace is left, how much bandwidth I've 
used for the day, how many SSH login attempts there were (succesful, 
unsuccesful and which accounts were tried), etc.

Angel ~ # emerge -s portsentry
Searching...
[ Results for search key : portsentry ]
[ Applications found : 1 ]

*  net-analyzer/portsentry
      Latest version available: 1.2
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 46 kB
      Homepage:    http://sourceforge.net/projects/sentrytools/
      Description: Automated port scan detector and response tool
      License:     GPL-2


Angel ~ # emerge -s logwatch
Searching...
[ Results for search key : logwatch ]
[ Applications found : 3 ]

...
*  sys-apps/logwatch
      Latest version available: 6.0.2
      Latest version installed: 6.0.2
      Size of downloaded files: 149 kB
      Homepage:    http://www.logwatch.org/
      Description: Analyzes and Reports on system logs
      License:     MIT
...


This is nice and stable - if you configure your portsentry a bit 
(remember to add your own IP as an exception - otherwise you MIGHT just 
lock yourself out of the box if you do some security auditing ;-) ).

Just my .02 on this subject. I've been using this for a while - and it 
definently does what it's supposed to do!

/Jakob Rosenlund

woody wrote:

> Jochen Maes wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hey all,
>>
>>
>> ok one off my servers i keep on getting one iprange that tries to
>> login through ssh (200-300) attemps with other usernames.
>> This is probably a script that's being ran all the time, but the isp
>> doesn't mind, i allready sent my logs and my complaints and i don't
>> get any response.
>> Is there something like hackerwatch that i can send those logs to
>> (preferrably automatically) when happening?
>> I've blocked the range now so isn't a problem but hate it that the isp
>> doesn nothing against it.
>
>
> have a look to fail2ban..
>
> diabolo prod # emerge -s fail2ban
> Searching...
> [ Results for search key : fail2ban ]
> [ Applications found : 1 ]
>
> *  net-firewall/fail2ban
>       Latest version available: 0.5.4
>       Latest version installed: 0.5.4
>       Size of downloaded files: 18 kB
>       Homepage:    http://sourceforge.net/projects/fail2ban
>       Description: Bans IP that make too many password failures
>       License:     GPL-2
>
>>
>> greetings,
>>
>> SeJo
>>
>> - --
>> "Defer no time, delays have dangerous ends"
>>
>> Jochen Maes                     Gentoo Linux
>> Gentoo Belgium
>> http://sejo.be
>> http://gentoo.be
>> http://gentoo.org
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.2 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
>> ZPNqAHab5fXLdx11vdod5rc=
>> =35Kg
>> -----END PGP SIGNATURE-----
>>
>
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] hackers

[Elisamuel Resto]

[-- Attachment #1: Type: text/plain, Size: 3356 bytes --]

fail2ban is not on the Portage tree, you need to install it manually or via
a ebuild on a overlay, this was discussed in another thread in this mailing
list.

As per another discussion in this list, what you have to do is:

- create a local overlay: /usr/local/portage and then net-firewall/fail2ban
- declare this overlay in you make.conf
- copy fail2ban-0.5.4.ebuild (see below) into
/usr/local/portage/net-firewall/fail2ban/
- create an new directory under fail2ban called 'files'
- copy fail2ban-0.5.4.tar.bz2 from sourceforge into this new directory
- run "ebuild fail2ban-0.5.4.ebuild digest"

And then simply emerge fail2ban.

Here is the ebuild:
-----------------------------
# Distributed under the terms of the GNU General Public License v2

DESCRIPTION="Bans IP that make too many password failures"
HOMEPAGE="http://sourceforge.net/projects/fail2ban"
SRC_URI="mirror://sourceforge/fail2ban/${P}.tar.bz2<mirror://sourceforge/fail2ban/$%7BP%7D.tar.bz2>
"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~x86 ~amd64"
IUSE=""
DEPEND=">=dev-lang/python-2.3"

src_install() {
# Use python setup
python setup.py install --root=${D} || die

# Use fail2ban.conf.default as default config file
insinto /etc
newins config/fail2ban.conf.default fail2ban.conf
# Install initd scripts
exeinto /etc/init.d
newexe config/gentoo-initd fail2ban
insinto /etc/conf.d
newins config/gentoo-confd fail2ban
# Doc
doman man/*.[0-9]
dodoc CHANGELOG README TODO
}

pkg_postinst() {
# The user must edit the config file
echo ""
einfo "Please edit /etc/fail2ban.conf with parameters"
einfo "which correspond to your system."
echo ""
}


On 10/11/05, woody < cyril@toysnet.org> wrote:
>
> Jochen Maes wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hey all,
> >
> >
> > ok one off my servers i keep on getting one iprange that tries to
> > login through ssh (200-300) attemps with other usernames.
> > This is probably a script that's being ran all the time, but the isp
> > doesn't mind, i allready sent my logs and my complaints and i don't
> > get any response.
> > Is there something like hackerwatch that i can send those logs to
> > (preferrably automatically) when happening?
> > I've blocked the range now so isn't a problem but hate it that the isp
> > doesn nothing against it.
>
> have a look to fail2ban..
>
> diabolo prod # emerge -s fail2ban
> Searching...
> [ Results for search key : fail2ban ]
> [ Applications found : 1 ]
>
> * net-firewall/fail2ban
> Latest version available: 0.5.4
> Latest version installed: 0.5.4
> Size of downloaded files: 18 kB
> Homepage: http://sourceforge.net/projects/fail2ban
> Description: Bans IP that make too many password failures
> License: GPL-2
>
> >
> > greetings,
> >
> > SeJo
> >
> > - --
> > "Defer no time, delays have dangerous ends"
> >
> > Jochen Maes Gentoo Linux
> > Gentoo Belgium
> > http://sejo.be
> > http://gentoo.be
> > http://gentoo.org
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.2 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
> > ZPNqAHab5fXLdx11vdod5rc=
> > =35Kg
> > -----END PGP SIGNATURE-----
> >
>
> --
> gentoo-security@gentoo.org mailing list
>
>

[-- Attachment #2: Type: text/html, Size: 5402 bytes --]

Re: [gentoo-security] hackers

[Erik Anderson]

On 10/11/05, APerez@cds.ca <APerez@cds.ca> wrote:
>
> I have a question:
>
> Is there an application/program which can send an email whenever this
> ssh attack happen?

You've already received a few other suggestions, but I thought I'd
throw my personal favorite into the mix:

http://denyhosts.sf.net

An ebuild was recently added for denyhosts, but it's masked currently
(~x86).  I'm using it on many servers and haven't run into any
problems as of yet.

-Erik

-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: hackers

[Noah K Tilton]

On 10/11/05, Erik Anderson <erikerik@gmail.com> wrote:
> On 10/11/05, APerez@cds.ca <APerez@cds.ca> wrote:
> >
> > I have a question:
> >
> > Is there an application/program which can send an email whenever this
> > ssh attack happen?
>
> You've already received a few other suggestions, but I thought I'd
> throw my personal favorite into the mix:
>
> http://denyhosts.sf.net
>
> An ebuild was recently added for denyhosts, but it's masked currently
> (~x86).  I'm using it on many servers and haven't run into any
> problems as of yet.
>
> -Erik
>
> --
> gentoo-security@gentoo.org mailing list
>
>

I hacked up a little something to do exactly that--send emails... You
might think it sucks, but hey, I'm an amateur! It does work, though...
:-)

http://transplant.dyndns.org/sv/strange_vagaries_codex/rubysyslog-ng-qmail-inject-handler/

Be forewarned that it relies upon a rather strict set of
requirements--ruby, syslog-ng, and qmail. It could concievably be
modified to fit other modes, but why wouldn't you want to use that
combination? It's the best...

/NKT

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: hackers

[Robert Larson]

On Tuesday 11 October 2005 10:52 am, Noah K Tilton wrote:
> http://transplant.dyndns.org/sv/strange_vagaries_codex/rubysyslog-ng-qmail-
>inject-handler/
>
> /NKT

I can't seem to get this URL to work, I get a 404 error...

Regards,

Robert
-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: hackers

[Noah K Tilton]

sorry, does anyone know how to copy/paste in elinks?? I always screw
it up when I type it in.

http://transplant.dyndns.org/sv/strange_vagaries_codex/rubysyslog-ng-qmail-inject-handler/

I did it slower this time, let's see...

On 10/11/05, Robert Larson <robert@sixthings.com> wrote:
> On Tuesday 11 October 2005 10:52 am, Noah K Tilton wrote:
> >
> http://transplant.dyndns.org/sv/strange_vagaries_codex/rubysyslog-ng-qmail-
> >inject-handler/
> >
> > /NKT
>
> I can't seem to get this URL to work, I get a 404 error...
>
> Regards,
>
> Robert
> --
> gentoo-security@gentoo.org mailing list
>
>

-- 
gentoo-security@gentoo.org mailing list