* [gentoo-server] Locking out SSH brute-force attacks
From: A. Khattri @ 2005-10-05 22:37 UTC
To: gentoo-server
I'm sure this has probably been discussed: any way to lock out IPs that fail
to log in through ssh many, many times? Or some way for ssh to temporarily
ignore connections from a specific IP that is brute-forcing ssh?
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Erik Anderson @ 2005-10-05 22:50 UTC
To: gentoo-server
On 10/5/05, A. Khattri <ajai@bway.net> wrote:
>
> Im sure this has probably been discussed: anyway to lock out IPs that fail
> to login through ssh many many times. Or some way for ssh to temporarily
> ignore connections from a specific IP that is brute-forcing ssh?
There is currently a lively thread on this topic going on in the
gentoo-security list. You can see the archives here:
http://article.gmane.org/gmane.linux.gentoo.security/2486
Personally, I'm a big fan of http://denyhosts.sourceforge.net. It's
excruciatingly simple to set up and it works as advertised.
-Erik
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Kurt Lieber @ 2005-10-05 22:50 UTC
To: gentoo-server
On Wed, Oct 05, 2005 at 06:37:58PM -0400 or thereabouts, A. Khattri wrote:
> Im sure this has probably been discussed: anyway to lock out IPs that fail
> to login through ssh many many times. Or some way for ssh to temporarily
> ignore connections from a specific IP that is brute-forcing ssh?
This was *just* discussed (extensively) on the gentoo-security mailing
list. Please see this thread for more info:
http://article.gmane.org/gmane.linux.gentoo.security/2486
--kurt
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Erik Anderson @ 2005-10-05 22:51 UTC
To: gentoo-server
On 10/5/05, Erik Anderson <erikerik@gmail.com> wrote:
> http://article.gmane.org/gmane.linux.gentoo.security/2486
Whoops - here's a better link to the thread:
http://news.gmane.org/find-root.php?message_id=%3c43404CB8.3%40lunatic.net.nz%3e
Sorry.
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Mark Rudholm @ 2005-10-06 0:15 UTC
To: gentoo-server
Erik Anderson wrote:
> On 10/5/05, Erik Anderson <erikerik@gmail.com> wrote:
>> http://article.gmane.org/gmane.linux.gentoo.security/2486
>
> Whoops - here's a better link to the thread:
> http://news.gmane.org/find-root.php?message_id=%3c43404CB8.3%40lunatic.net.nz%3e
In addition to the stuff discussed in that thread, in emergency situations
(like in response to a current/successful attack) you can define a bogus
route to the offending IP address or network.
route add bad.person.or.network 127.0.0.1 (or otherwise bogus destination)
is an effective emergency block.
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: A. Khattri @ 2005-10-06 16:49 UTC
To: gentoo-server
On Wed, 5 Oct 2005, Erik Anderson wrote:
> Personally, I'm a big fan of http://denyhosts.sourceforge.net. It's
> excruciatingly simple to set up and it works as advertised.
Looks great - I'll look into this. On this web server, I allow ssh
connections so many of the techniques discussed on the thread (different
ports, port knocking, etc.) are not open to me. If I didn't need to give
out ssh access I would just switch off password auth ;-)
Anyway, I'll go look at denyhosts...
Thanks,
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Erik Anderson @ 2005-10-06 17:02 UTC
To: gentoo-server
On 10/6/05, A. Khattri <ajai@bway.net> wrote:
>
> Looks great - Ill look into this. On this web server, I allow ssh
> connections so many of the techniques discussed on the thread (different
> ports, port knocking, etc) are not open to me. If I didn't need to give
> out ssh access I would just switch of password auth ;-)
>
> Anyway, Ill go look at denyhosts...
Let me know if you have any issues getting it set up. You basically
extract the tarball to a location of your choice -
/usr/local/denyhosts in my case, copy the denyhosts.cfg to /etc,
configure it as you want, and then add the following cron job:
* * * * * python /usr/local/DenyHosts/denyhosts.py -c /etc/denyhosts.cfg
That will (obviously) run the script every minute. Sure, that may be
overkill, but it shouldn't hurt anything. If you keep your old
logfiles, you can manually run them through denyhosts. The script is
able to deal gracefully with gzipped logfiles. Look through the
documentation to see how to do this.
-Erik
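As an added example (not code from the thread, and not DenyHosts' own code), here is a small Python scanner doing the core of what Erik describes: it reads plain or gzipped auth logs, counts sshd "Failed password" lines per source IP, and emits tcp_wrappers hosts.deny entries for addresses at or above a threshold. The sample log lines, the threshold, and the allow list are constructed assumptions.

```python
"""Minimal DenyHosts-style scanner (constructed example): count failed sshd
logins per source IP in plain or gzipped auth logs, emit hosts.deny entries."""
import gzip, os, re, tempfile
from collections import Counter
# syslog-style sshd failure line; the "from <ip>" token is what we key on
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .*? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def count_failures(lines):
    """Counter of failed-login attempts keyed by source IP."""
    hits = Counter()
    for m in filter(None, map(FAILED_RE.search, lines)):
        hits[m.group("ip")] += 1
    return hits

def offenders(hits, threshold, allow=()):
    """IPs at/above threshold; allow keeps your own admin host from being locked out."""
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in allow)

def hosts_deny_lines(ips, daemon="sshd"):
    """tcp_wrappers hosts.deny syntax, the same file DenyHosts appends to."""
    return [f"{daemon}: {ip}" for ip in ips]

def scan_logs(paths, threshold=5, allow=()):
    hits = Counter()
    for p in paths:
        # rotated logs such as auth.log.2.gz are read transparently
        opener = gzip.open if p.endswith(".gz") else open
        with opener(p, "rt", encoding="utf-8", errors="replace") as fh:
            hits.update(count_failures(fh))
    return hosts_deny_lines(offenders(hits, threshold, allow))

# Constructed sample log (not from the thread): 192.0.2.10 fails 3 times; ajai's
# single failure and successful key login from 198.51.100.7 must not trip the ban.
SAMPLE_LOG = """\
Oct  5 22:30:01 web sshd[4121]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  5 22:30:02 web sshd[4121]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  5 22:30:04 web sshd[4125]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Oct  5 22:30:05 web sshd[4130]: Failed password for ajai from 198.51.100.7 port 51000 ssh2
Oct  5 22:30:06 web sshd[4131]: Accepted publickey for ajai from 198.51.100.7 port 51001 ssh2
"""

def demo(threshold=3):
    """Write the sample as a gzipped rotated log and scan it end to end."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log.1.gz")
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        return scan_logs([path], threshold=threshold)
```

Running `demo()` returns the single hosts.deny line for 192.0.2.10; pointing `scan_logs` at real rotated logs is the "run old logfiles through it" step Erik mentions.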
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: A. Khattri @ 2005-10-07 19:16 UTC
To: gentoo-server
On Thu, 6 Oct 2005, Erik Anderson wrote:
> Let me know if you have any issues getting it set up. You basically
> extract the tarball to a location of your choice -
> /usr/local/denyhosts in my case, copy the denyhosts.cfg to /etc,
> configure it as you want, and then add the following cron job:
>
> * * * * * python /usr/local/DenyHosts/denyhosts.py -c /etc/denyhosts.cfg
>
> That will (obviously) run the script every minute. Sure, that may be
> overkill, but it shouldn't hurt anything. If you keep your old
> logfiles, you can manually run them through denyhosts. The script is
> able to deal gracefully with gzipped logfiles. Look through the
> documentation to see how to do this.
Forget tarballs - there's an ebuild in Gentoo's Bugzilla:
http://bugs.gentoo.org/show_bug.cgi?id=100043
You need the ebuild, the init script and the patch. Create a local portage
overlay and away you go.
I have it running as a daemon on a test machine right now - doesn't seem
to affect the load either.
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Benjamin Smee @ 2005-10-07 20:58 UTC
To: gentoo-server; +Cc: A. Khattri
lo,
On Friday 07 October 2005 08:16 pm, A. Khattri wrote:
> > documentation to see how to do this.
>
> Forget tarballs - there's an ebuild in Gentoo's Bugzilla:
> http://bugs.gentoo.org/show_bug.cgi?id=100043
>
> You need the ebuild, the init script and the patch. Create a local portage
> overlay and away you go.
>
Just a quick heads up, I just added this to portage. Please make a bug if you
have any problems with it.
--
Benjamin Smee (strerror)
net-mail/netmon/forensics/crypto
Fingerprint: 497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Luke-Jr @ 2005-10-08 4:23 UTC
To: gentoo-server
On Thursday 06 October 2005 00:15, Mark Rudholm wrote:
> route add bad.person.or.network 127.0.0.1 (or otherwise bogus destination)
> is an effective emergency block.
Just a small note: I've found that using iptables to drop the packets affects
latency quite a bit ;)
--
Luke-Jr
Developer, Utopios
http://utopios.org/
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: xyon @ 2005-10-08 4:54 UTC
To: gentoo-server
I'd have to agree. I've used iptables to filter through an extensive ban
list and the network almost became unresponsive.
On Sat, 2005-10-08 at 04:23 +0000, Luke-Jr wrote:
> On Thursday 06 October 2005 00:15, Mark Rudholm wrote:
> > route add bad.person.or.network 127.0.0.1 (or otherwise bogus destination)
> > is an effective emergency block.
>
> Just a small note: I've found that using iptables to drop the packets affects
> latency quite a bit ;)
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: William Kenworthy @ 2005-10-08 5:51 UTC
To: gentoo-server
Can you expand a bit? Do you mean no iptables to running some rules, or
a few rules to a lot of rules, or general wildcards (e.g. CC) compared
to individual targets?
I have noticed a slight increase with > 2000 rules, but it's quite
noticeable at > 6000 rules (adds ~200ms or so to latency).
* why so many rules: one of the kids ran a downloader program that
included bittorrent and the drop script happily blackholed each connect
with an individual rule. I only discovered it by accident (checking the
logs) - everything was ticking over quite nicely!
BillK
On Sat, 2005-10-08 at 04:23 +0000, Luke-Jr wrote:
> On Thursday 06 October 2005 00:15, Mark Rudholm wrote:
> > route add bad.person.or.network 127.0.0.1 (or otherwise bogus destination)
> > is an effective emergency block.
>
> Just a small note: I've found that using iptables to drop the packets affects
> latency quite a bit ;)
>
--
William Kenworthy <billk@iinet.net.au>
Home!
* Re: [gentoo-server] Locking out SSH brute-force attacks
From: Jeroen Geilman @ 2005-10-08 10:31 UTC
To: gentoo-server
Benjamin Smee wrote:
> lo,
>
> On Friday 07 October 2005 08:16 pm, A. Khattri wrote:
>>> documentation to see how to do this.
>>
>> Forget tarballs - there's an ebuild in Gentoo's Bugzilla:
>> http://bugs.gentoo.org/show_bug.cgi?id=100043
>>
>> You need the ebuild, the init script and the patch. Create a local portage
>> overlay and away you go.
>
> Just a quick heads up, I just added this to portage. Please make a bug if you
> have any problems with it.
Checking it out now.... will report any problems ;-)