public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] netfilter tarpit target
@ 2007-04-01 13:03 Daniel Iliev
  2007-04-01 14:16 ` Dave Jones
                   ` (3 more replies)
  0 siblings, 4 replies; 14+ messages in thread
From: Daniel Iliev @ 2007-04-01 13:03 UTC
  To: gentoo-user

Hi, guys

Recently I was looking through my logs when I got pissed off (again) by
the big number of lines showing something like 'sshd: auth. error:
unknown user "XXX" from "some IP address"'. I wrote a script which
automatically sets all connections from those IP addresses to be
dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
realized that gentoo-sources doesn't provide the netfilter target "TARPIT".

My question: what is the best way to get this iptables module working w/o
diverting too much from the official Gentoo installation. I mean the
normal way is to use patch-o-matic to patch iptables source and vanilla
kernel source, then build and install. I have the feeling that it is not
exactly the right thing to do with Gentoo.

Any advice would be much appreciated.


-- 
Best regards,
Daniel


-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 13:03 [gentoo-user] netfilter tarpit target Daniel Iliev
@ 2007-04-01 14:16 ` Dave Jones
  2007-04-01 17:10   ` Daniel Iliev
  2007-04-01 17:49 ` darren kirby
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 14+ messages in thread
From: Dave Jones @ 2007-04-01 14:16 UTC
  To: gentoo-user

Hi Daniel

Daniel Iliev wrote on 01/04/07 15:03:
> Recently I was looking through my logs when I got pissed off (again) by
> the big number of lines showing something like 'sshd: auth. error:
> unknown user "XXX" from "some IP address"'. I wrote a script which
> automatically sets all connections from those IP addresses to be
> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".

> My question: what is the best way to get this iptables module working w/o
> diverting too much from the official Gentoo installation. I mean the
> normal way is to use patch-o-matic to patch iptables source and vanilla
> kernel source, then build and install. I have the feeling that it is not
> exactly the right thing to do with Gentoo.

cd /usr/src

svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
svn co https://svn.netfilter.org/netfilter/trunk/iptables

cd patch-o-matic-ng
./runme extra

cd /usr/src/linux
make menuconfig
make && make modules_install && make install

make sure you have USE "extensions" in your make.conf

emerge iptables

Cheers, Dave

* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 14:16 ` Dave Jones
@ 2007-04-01 17:10   ` Daniel Iliev
  2007-04-01 22:45     ` Dave Jones
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel Iliev @ 2007-04-01 17:10 UTC
  To: gentoo-user

Dave Jones wrote:
> Hi Daniel
>
>   
>> My question: what is the best way to get this iptables module working w/o
>> diverting too much from the official Gentoo installation. I mean the
>> normal way is to use patch-o-matic to patch iptables source and vanilla
>> kernel source, then build and install. I have the feeling that it is not
>> exactly the right thing to do with Gentoo.
>>     
>
> cd /usr/src
>
> svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
> svn co https://svn.netfilter.org/netfilter/trunk/iptables
>
> cd patch-o-matic-ng
> ./runme extra
>
> cd /usr/src/linux
> make menuconfig
> make && make modules_install && make install
>
> make sure you have USE "extensions" in your make.conf
>
> emerge iptables
>
> Cheers, Dave
>   


Dave, thanks for your reply.

This patch appears to be incompatible with gentoo-sources or I'm doing
something wrong. After patching the module "TARPIT" appears in the
kernel configuration and I mark it to get built as a module [M]. Then:

======================

make all modules_install install
scripts/kconfig/conf -s arch/i386/Kconfig
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  CHK     include/linux/compile.h
  GZIP    kernel/config_data.gz
  IKCFG   kernel/config_data.h
  CC      kernel/configs.o
  LD      kernel/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_TARPIT.o
net/ipv4/netfilter/ipt_TARPIT.c: In function ‘ip_direct_send’:
net/ipv4/netfilter/ipt_TARPIT.c:65: warning: implicit declaration of
function ‘neigh_hh_output’
---snip----
Kernel: arch/i386/boot/bzImage is ready  (#2)
  Building modules, stage 2.
  MODPOST 159 modules
WARNING: "neigh_hh_output" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2

======================



So, I'm still looking for advice.


-- 
Best regards,
Daniel



* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 13:03 [gentoo-user] netfilter tarpit target Daniel Iliev
  2007-04-01 14:16 ` Dave Jones
@ 2007-04-01 17:49 ` darren kirby
  2007-04-02  2:10   ` Willie Wong
  2007-04-01 18:44 ` Mick
  2007-04-02 11:35 ` Ryan Curtin
  3 siblings, 1 reply; 14+ messages in thread
From: darren kirby @ 2007-04-01 17:49 UTC
  To: gentoo-user

quoth the Daniel Iliev:
> Next I decided to change "-j DROP" with "-j TARPIT" and I
> realized that gentoo-sources doesn't provide the netfilter
> target "TARPIT". -  
> Best regards,
> Daniel

I realize there is a sense of satisfaction from using the TARPIT target that 
is appealing, however you must consider:

1. These ssh bruteforce attacks are almost certainly coming from a zombie 
botnet, and thus there is no human to realize their connection has 
been 'stuck'. The zombie will happily freeze for 30 seconds then try again.

2. Due to the nature of the persistent connection using TARPIT, you are
opening up your machine to a DOS attack, if the Bad Guy can deduce you are 
using it.

2 cents....   

-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972

* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 13:03 [gentoo-user] netfilter tarpit target Daniel Iliev
  2007-04-01 14:16 ` Dave Jones
  2007-04-01 17:49 ` darren kirby
@ 2007-04-01 18:44 ` Mick
  2007-04-01 22:43   ` Dave Jones
  2007-04-02 11:35 ` Ryan Curtin
  3 siblings, 1 reply; 14+ messages in thread
From: Mick @ 2007-04-01 18:44 UTC
  To: gentoo-user

On Sunday 01 April 2007 14:03, Daniel Iliev wrote:
> Hi, guys
>
> Recently I was looking through my logs when I got pissed off (again) by
> the big number of lines showing something like 'sshd: auth. error:
> unknown user "XXX" from "some IP address"'. I wrote a script which
> automatically sets all connections from those IP addresses to be
> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".
>
> My question: what is the best way to get this iptables module working w/o
> diverting too much from the official Gentoo installation. I mean the
> normal way is to use patch-o-matic to patch iptables source and vanilla
> kernel source, then build and install. I have the feeling that it is not
> exactly the right thing to do with Gentoo.
>
> Any advice would be much appreciated.

Given that others have already replied how to patch the kernel, here's a somewhat
indirect answer which may resolve the root cause:  Are you using passwd
authentication?  I wonder if the logs would still be filling up by such 
botnets if you had allowed only 'PubkeyAuthentication yes'.  The other thing 
to consider is changing the default ssh port 22 to some other random port 
which is not hit as frequently by botnets, only by more comprehensive port 
scans.  Then remove your iptables LOG rule for port 22 (if you have one) and 
you should get rid of almost all related messages.

HTH.
-- 
Regards,
Mick


* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 18:44 ` Mick
@ 2007-04-01 22:43   ` Dave Jones
  0 siblings, 0 replies; 14+ messages in thread
From: Dave Jones @ 2007-04-01 22:43 UTC
  To: gentoo-user

Hi Mick,

Mick wrote on 01/04/07 20:44:
>> Recently I was looking through my logs when I got pissed off (again) by
>> the big number of lines showing something like 'sshd: auth. error:
>> unknown user "XXX" from "some IP address"'. I wrote a script which
>> automatically sets all connections from those IP addresses to be
>> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
>> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".

> Given that others have already replied how to patch the kernel, here's a somewhat
> indirect answer which may resolve the root cause:  Are you using passwd
> authentication?  I wonder if the logs would still be filling up by such 
> botnets if you had allowed only 'PubkeyAuthentication yes'.  The other thing 
> to consider is changing the default ssh port 22 to some other random port 
> which is not hit as frequently by botnets, only by more comprehensive port 
> scans.  Then remove your iptables LOG rule for port 22 (if you have one) and 
> you should get rid of almost all related messages.

Daniel complained about the sshd messages, not iptables messages.

I fully agree that he should implement pub/priv key authentication, but
even so, that will not prevent the flood of ssh messages in syslog.

Adding an unlogged iptables DROP target rule for port 22 will suppress
the messages, but not the attacks.

The botnet / script kiddie morons are a pain in the (anatomy of choice).

Cheers, Dave

* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 17:10   ` Daniel Iliev
@ 2007-04-01 22:45     ` Dave Jones
  0 siblings, 0 replies; 14+ messages in thread
From: Dave Jones @ 2007-04-01 22:45 UTC
  To: gentoo-user

Hi Daniel

Daniel Iliev wrote on 01/04/07 19:10:
>>> My question: what is the best way to get this iptables module working w/o
>>> diverting too much from the official Gentoo installation. I mean the
>>> normal way is to use patch-o-matic to patch iptables source and vanilla
>>> kernel source, then build and install. I have the feeling that it is not
>>> exactly the right thing to do with Gentoo.

>> cd /usr/src
>> svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
>> svn co https://svn.netfilter.org/netfilter/trunk/iptables
>> cd patch-o-matic-ng
>> ./runme extra
>> cd /usr/src/linux
>> make menuconfig
>> make && make modules_install && make install
>> make sure you have USE "extensions" in your make.conf
>> emerge iptables

> This patch appears to be incompatible with gentoo-sources or I'm doing
> something wrong. After patching the module "TARPIT" appears in the
> kernel configuration and I mark it to get built as a module [M]. Then:
> ======================
> make all modules_install install
> scripts/kconfig/conf -s arch/i386/Kconfig
>   CHK     include/linux/version.h
>   CHK     include/linux/utsrelease.h
>   CHK     include/linux/compile.h
>   GZIP    kernel/config_data.gz
>   IKCFG   kernel/config_data.h
>   CC      kernel/configs.o
>   LD      kernel/built-in.o
>   CC [M]  net/ipv4/netfilter/ipt_TARPIT.o
> net/ipv4/netfilter/ipt_TARPIT.c: In function ‘ip_direct_send’:
> net/ipv4/netfilter/ipt_TARPIT.c:65: warning: implicit declaration of
> function ‘neigh_hh_output’
> ---snip----
> Kernel: arch/i386/boot/bzImage is ready  (#2)
>   Building modules, stage 2.
>   MODPOST 159 modules
> WARNING: "neigh_hh_output" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!
> make[1]: *** [__modpost] Error 1
> make: *** [modules] Error 2
> ======================
> So, I'm still looking for advice.

Did the patches apply OK?

Did you do:

cd /usr/src/iptables
svn update
cd /usr/src/patch-o-matic-ng
svn update

.. before updating your kernel?

What kernel are you running?

Cheers, Dave

* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 17:49 ` darren kirby
@ 2007-04-02  2:10   ` Willie Wong
  0 siblings, 0 replies; 14+ messages in thread
From: Willie Wong @ 2007-04-02  2:10 UTC
  To: gentoo-user

On Sun, Apr 01, 2007 at 11:49:06AM -0600, darren kirby wrote:
> I realize there is a sense of satisfaction from using the TARPIT target that 
> is appealing, however you must consider:
> 
> 1. These ssh bruteforce attacks are almost certainly coming from a zombie 
> botnet, and thus there is no human to realize their connection has 
> been 'stuck'. The zombie will happily freeze for 30 seconds then try again.
> 

I use a -j DROP for my script that lasts for 1 hour. My experience 
from two years ago when I wrote that script was that the Bots stop
trying after 5 minutes or so. YMMV

W
-- 
Willie W. Wong                                      wwong@math.princeton.edu
408 Fine Hall,  Department of Mathematics,  Princeton University,  Princeton
A mathematician's reputation rests on the number of bad proofs he has given.

* Re: [gentoo-user] netfilter tarpit target
  2007-04-01 13:03 [gentoo-user] netfilter tarpit target Daniel Iliev
                   ` (2 preceding siblings ...)
  2007-04-01 18:44 ` Mick
@ 2007-04-02 11:35 ` Ryan Curtin
  2007-04-03  3:13   ` Daniel Iliev
  3 siblings, 1 reply; 14+ messages in thread
From: Ryan Curtin @ 2007-04-02 11:35 UTC
  To: gentoo-user

On Sun, Apr 01, 2007 at 04:03:48PM +0300, Daniel Iliev wrote:
> Hi, guys
> 
> Recently I was looking through my logs when I got pissed off (again) by
> the big number of lines showing something like 'sshd: auth. error:
> unknown user "XXX" from "some IP address"'. I wrote a script which
> automatically sets all connections from those IP addresses to be
> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".

Instead of using iptables, you may want to try DenyHosts
(app-admin/denyhosts).  It's a simple Python script that parses through
/var/log/secure (or whatever your sshd logs to) and finds IPs who have
failed authentication a certain number of times, then adds those IPs to
/etc/hosts.deny.  Naturally, the threshold for blocking a host can be
configured, and many other options can too.  It's worked great for me,
and I've used it for about half a year now.

The website for the DenyHosts project is:
http://denyhosts.sourceforge.net/

I hope that I read your question right and that this will help.

Ryan Curtin
ryan@www.igglybob.com

-- 
<www.igglybob.com>
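
The log-driven blocking discussed in this thread (count sshd failures per source address, block past a threshold, lift the block after an hour), as an added Python example that is not part of any post and is not DenyHosts code. The log lines are constructed in OpenSSH's usual syslog wording; `plan_blocks`, `to_iptables`, the threshold of 3 and the one-minute window are assumptions, and the commands are only rendered as text, never executed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (OpenSSH syslog wording), not taken from the thread.
SAMPLE_LOG = """\
Apr  1 13:00:01 test sshd[2101]: Invalid user admin from 192.0.2.10
Apr  1 13:00:03 test sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Apr  1 13:00:05 test sshd[2103]: Invalid user guest from 192.0.2.10
Apr  1 13:00:09 test sshd[2107]: Failed password for root from 198.51.100.7 port 5111 ssh2
Apr  1 13:00:12 test sshd[2109]: Invalid user x from 203.0.113.99 from 192.0.2.10
Apr  1 13:02:40 test sshd[2115]: Accepted publickey for daniel from 198.51.100.7 port 5120 ssh2
Apr  1 13:20:00 test sshd[2130]: Invalid user oracle from 192.0.2.10
""".splitlines()

# The user name is chosen by the client, so it can contain " from <address>".
# The greedy ".*" plus the "$" anchor make the parser take the LAST address on
# the line, which is the one sshd itself wrote. An unknown-user attempt is
# logged twice (Invalid user, then Failed password) and counts twice here.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for) .* from (\S+)(?: port \d+ ssh2)?$"
)


def plan_blocks(lines, year=2007, threshold=3,
                window=timedelta(minutes=1), ban=timedelta(hours=1)):
    """Return sorted (when, "block" | "unblock", ip) events for the log lines."""
    recent = defaultdict(deque)  # ip -> times of failures inside the window
    banned_until = {}            # ip -> time at which its block is lifted
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue  # not a literal address: never pass it on to iptables
        stamp = " ".join(m.group(1).split())  # syslog pads the day with spaces
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if when < banned_until.get(ip, when):
            continue  # already blocked at that moment
        seen = recent[ip]
        seen.append(when)
        while seen[0] <= when - window:
            seen.popleft()  # forget failures older than the window
        if len(seen) >= threshold:
            banned_until[ip] = when + ban
            events += [(when, "block", ip), (when + ban, "unblock", ip)]
            seen.clear()
    return sorted(events)


def to_iptables(events, target="DROP"):
    """Render events as (when, command); target may be "TARPIT" where available."""
    flag = {"block": "-I", "unblock": "-D"}
    return [(when, f"iptables {flag[action]} INPUT -s {ip} -p tcp --dport 22 -j {target}")
            for when, action, ip in events]


if __name__ == "__main__":
    for when, cmd in to_iptables(plan_blocks(SAMPLE_LOG)):
        print(when, cmd)
```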

* Re: [gentoo-user] netfilter tarpit target
  2007-04-02 11:35 ` Ryan Curtin
@ 2007-04-03  3:13   ` Daniel Iliev
  2007-04-03 22:35     ` Dave Jones
  2007-04-03 23:50     ` Dave Jones
  0 siblings, 2 replies; 14+ messages in thread
From: Daniel Iliev @ 2007-04-03  3:13 UTC
  To: gentoo-user

Ryan Curtin wrote:
> Instead of using iptables, you may want to try DenyHosts
> (app-admin/denyhosts).  It's a simple Python script that parses through
> /var/log/secure (or whatever your sshd logs to) and finds IPs who have
> failed authentication a certain number of times, then adds those IPs to
> /etc/hosts.deny.  Naturally, the threshold for blocking a host can be
> configured, and many other options can too.  It's worked great for me,
> and I've used it for about half a year now.
>
> The website for the DenyHosts project is:
> http://denyhosts.sourceforge.net/
>
> I hope that I read your question right and that this will help.
>
> Ryan Curtin
> ryan@www.igglybob.com
>
>   
>

Thanks, Ryan, but I really want to stick with the tar pit solution. I
had already solved the real problem when I asked for help here. I want
to play with the tar pit module for..let's say "academic purposes" ;-)

Unfortunately I had no luck. Clean kernel, the latest patch-o-matic, the
latest iptables and the same result. Obviously gentoo-sources is
incompatible with tar pit module. ;-(

I'm attaching here a file called "tarpit.txt" containing the commands I
issued and the relevant output from them in hope that someone could show
a mistake I'm repeating.

-- 
Best regards,
Daniel



[-- Attachment #2: tarpit.txt --]
[-- Type: text/plain, Size: 3169 bytes --]

test ~ # cd /usr/src
test src # rm -rf linu*
test src # emerge -C gentoo-sources ; emerge gentoo-sources
test src # svn co https://svn.netfilter.org/netfilter/trunk/iptables
test iptables # cd iptables
test iptables # svn update
At revision 6786.
test src # cd ..
test src # svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
test src # cd patch-o-matic-ng
test patch-o-matic-ng # svn update
At revision 6786.
test patch-o-matic-ng # ./runme TARPIT
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux]
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]
Loading patchlet definitions................. done


Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.19, /usr/src/linux
Iptables: 1.3.7, /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing TARPIT... not applied
The TARPIT patch:
   Author: "Aaron Hopkins" <lists@die.net>
   Status: Works for me



Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware
or IPs.  Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused ip addresses to a Linux box not acting as a router
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:

  iptables -A FORWARD -p tcp -j TARPIT
  iptables -A FORWARD -j DROP

You probably don't want the conntrack module loaded while you are using
TARPIT, or you will be using resources per connection.

-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] t
Patch TARPIT applies cleanly
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

test patch-o-matic-ng # cd /usr/src/linux
test linux # make menuconfig
test linux # grep tarpit -i .config
CONFIG_IP_NF_TARGET_TARPIT=m
test linux # make
--snip--

Root device is (3, 1)
Boot sector 512 bytes.
Setup is 4730 bytes.
System is 1622 kB
Kernel: arch/i386/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 159 modules
WARNING: "neigh_hh_output" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2
test linux #




* Re: [gentoo-user] netfilter tarpit target
  2007-04-03  3:13   ` Daniel Iliev
@ 2007-04-03 22:35     ` Dave Jones
  2007-04-03 23:50     ` Dave Jones
  1 sibling, 0 replies; 14+ messages in thread
From: Dave Jones @ 2007-04-03 22:35 UTC
  To: gentoo-user

Hi Daniel

Daniel Iliev wrote on 03/04/07 05:13:
> test ~ # cd /usr/src
> test src # rm -rf linu*
> test src # emerge -C gentoo-sources ; emerge gentoo-sources
> test src # svn co https://svn.netfilter.org/netfilter/trunk/iptables
> test iptables # cd iptables
> test iptables # svn update
> At revision 6786.
> test src # cd ..
> test src # svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
> test src # cd patch-o-matic-ng
> test patch-o-matic-ng # svn update
> At revision 6786.
> test patch-o-matic-ng # ./runme TARPIT
> Hey! KERNEL_DIR is not set.
> Where is your kernel source directory? [/usr/src/linux]
> Hey! IPTABLES_DIR is not set.
> Where is your iptables source code directory? [/usr/src/iptables]
> Loading patchlet definitions................. done
> Welcome to Patch-o-matic ($Revision: 6736 $)!
> 
> Kernel:   2.6.19, /usr/src/linux
> Iptables: 1.3.7, /usr/src/iptables
--snip--
> -----------------------------------------------------------------
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] t
> Patch TARPIT applies cleanly
> -----------------------------------------------------------------
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> Excellent! Source trees are ready for compilation.
> test patch-o-matic-ng # cd /usr/src/linux
> test linux # make menuconfig
> test linux # grep tarpit -i .config
> CONFIG_IP_NF_TARGET_TARPIT=m
> test linux # make
> --snip--
> 
> Root device is (3, 1)
> Boot sector 512 bytes.
> Setup is 4730 bytes.
> System is 1622 kB
> Kernel: arch/i386/boot/bzImage is ready  (#1)
>   Building modules, stage 2.
>   MODPOST 159 modules
> WARNING: "neigh_hh_output" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!
> make[1]: *** [__modpost] Error 1
> make: *** [modules] Error 2
> test linux #

Your ./runme process seems OK, though I usually use ./runme extras to do
the kernel updates.

I'll try the same as you did here to see if I get the same problem.

Cheers, Dave

* Re: [gentoo-user] netfilter tarpit target
  2007-04-03  3:13   ` Daniel Iliev
  2007-04-03 22:35     ` Dave Jones
@ 2007-04-03 23:50     ` Dave Jones
  2007-04-04 13:58       ` Daniel Iliev
  2007-04-04 15:37       ` Neil Walker
  1 sibling, 2 replies; 14+ messages in thread
From: Dave Jones @ 2007-04-03 23:50 UTC
  To: gentoo-user

Hi Daniel

Daniel Iliev wrote on 03/04/07 05:13:
> Unfortunately I had no luck. Clean kernel, the latest patch-o-matic, the
> latest iptables and the same result. Obviously gentoo-sources is
> incompatible with tar pit module. ;-(

I just tried your update process and ended up with the same failure.
Seems you might be right about the gentoo-sources being incompatible
with the tarpit module.

Sorry, but I'm fresh out of ideas.

Cheers, Dave

* Re: [gentoo-user] netfilter tarpit target
  2007-04-03 23:50     ` Dave Jones
@ 2007-04-04 13:58       ` Daniel Iliev
  2007-04-04 15:37       ` Neil Walker
  1 sibling, 0 replies; 14+ messages in thread
From: Daniel Iliev @ 2007-04-04 13:58 UTC
  To: gentoo-user

Dave, I'm grateful for all your ideas and everything you did to help me
and to confirm my results. I'm postponing this little experiment of mine
until I have more free time.

Thank you, guys, I appreciate your replies!

-- 
Best regards,
Daniel



* Re: [gentoo-user] netfilter tarpit target
  2007-04-03 23:50     ` Dave Jones
  2007-04-04 13:58       ` Daniel Iliev
@ 2007-04-04 15:37       ` Neil Walker
  1 sibling, 0 replies; 14+ messages in thread
From: Neil Walker @ 2007-04-04 15:37 UTC
  To: gentoo-user

Dave Jones wrote:
> I just tried your update process and ended up with the same failure.
> Seems you might be right about the gentoo-sources being incompatible
> with the tarpit module.
>
>   
I installed the TARPIT and GEOIP modules using PoM just a few days ago
on two servers. Both are using gentoo-sources-2.6.20-r4. I didn't have
any problems with either. *shrugs*.


Be lucky,

Neil
