public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Break In attempts
From: Mick @ 2007-10-07  9:40 UTC
  To: gentoo-user


Hi All,

Can you please advise what I could do to block IP addresses that have 
repeatedly failed to log in?  I am looking here at a server which over the 
last week is being attacked daily with random usernames.  So the only 
constant in these repeated attempts is not the username, but the IP address.  
Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats 
itself, otherwise they seem to be randomly selected from a dictionary.

I have already disabled PAM authentication on sshd so that only users with a 
public key in their ~/.ssh can login.
-- 
Regards,
Mick


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [gentoo-user] Break In attempts
From: Elias Probst @ 2007-10-07  9:54 UTC
  To: gentoo-user


On Sunday, 7 October 2007 11:40:10, Mick wrote:
> Hi All,
>
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?

I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)

Regards, Elias P.

-- 
A really nice number:
"09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0"



* RE: [gentoo-user] Break In attempts
From: Joost van Surksum @ 2007-10-07 10:00 UTC
  To: gentoo-user


If you have iptables available in your kernel, a quick manual step could be
to block all traffic incoming from that IP address. A statement like the
following could work:

iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

(This drops all traffic coming from IP address XXX... effectively, it simply
loses the network packets and doesn't respond to them any more.)

Of course this is a one time only, manual thing. There may also be
processes/applications that automatically block unwanted IP traffic. Maybe
somebody else may suggest such a solution (I'm not that familiar with this).

Cheers,
Joost

> -----Original Message-----
> From: Mick [mailto:michaelkintzios@gmail.com] 
> Sent: Sunday 7 October 2007 11:40
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Break In attempts
> 
> Can you please advise what I could do to block IP addresses that have 
> repeatedly failed to log in?  [...]
> 

--
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] Break In attempts
From: Mick @ 2007-10-07 11:45 UTC
  To: gentoo-user


On Sunday 07 October 2007, Elias Probst wrote:
> On Sunday, 7 October 2007 11:40:10, Mick wrote:
> > Hi All,
> >
> > Can you please advise what I could do to block IP addresses that have
> > repeatedly failed to log in?
>
> I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)
>
> Regards, Elias P.

This looks just like what I want.  Thanks!
-- 
Regards,
Mick



* Re: [gentoo-user] Break In attempts
From: Bertram Scharpf @ 2007-10-07 12:09 UTC
  To: gentoo-user

Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:
> Can you please advise what I could do to block IP addresses that have 
> repeatedly failed to log in?  I am looking here at a server which over the 
> last week is being attacked daily with random usernames.  So the only 
> constant in these repeated attempts is not the username, but the IP address.  
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats 
> itself, otherwise they seem to be randomly selected from a dictionary.

This is a _real_ nuisance. Besides that I doubt there is any
meaningful harvest.

> I have already disabled PAM authentication on sshd so that only users with a 
> public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban
was already mentioned, too.

A bit more difficult is the ban by iptables. This one is
working here successfully for quite some time:

  #!/bin/sh
  # Sources that must never be rate-limited: the LAN and one fixed outside host.
  SSH_WHITELIST="192.168.0.0/16 11.22.33.44"

  IPT='/sbin/iptables -v'

  iptsshdefence()
  {
      # Whitelisted sources are taken out of the 'SSH' recent list and accepted.
      $IPT -N sshwhite
      for t in $SSH_WHITELIST
      do
          $IPT -A sshwhite -s $t -m recent --remove --name SSH -j ACCEPT
      done

      # Record every new connection to port 22 in the 'SSH' list. The rule has
      # no target, so it only records and evaluation continues with the next rule.
      # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
      $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
      # Four or more new connections from one source within 60 seconds: reject.
      # A rule accepting the remaining port-22 traffic must follow later in INPUT.
      # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
      $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
  }

  iptsshdefence

Of course you need a kernel with recent module and reject
target support compiled in.

Thanks a lot again to this list!

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de



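To see what the rule order in Bertram's script actually does to a stream of connections, here is an added Python model written for this page; it is not Bertram's code and not a substitute for the iptables rules. It walks each NEW tcp/22 packet through the three INPUT rules in the order they are appended (record with --set, jump to the whitelist chain, then the --update/--hitcount check) and assumes a later INPUT rule accepts whatever port-22 traffic falls through. Only --set, --remove and --update with --seconds/--hitcount are modelled; --rttl and the fixed number of timestamps a recent entry keeps are left out. The three scenarios at the bottom are constructed.

```python
"""Replay new SSH connections through the iptables 'recent' rules above.

Added example for this page (not the original poster's code). Models only
--set, --remove and --update/--seconds/--hitcount; --rttl is not modelled.
"""
import ipaddress

SSH_WHITELIST = ["192.168.0.0/16", "11.22.33.44"]   # same values as in the ruleset
SECONDS, HITCOUNT = 60, 4                           # --seconds 60 --hitcount 4


class RecentList:
    """One xt_recent list (--name SSH): source address -> list of hit timestamps."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):                        # -m recent --set
        self.stamps.setdefault(src, []).append(now)

    def remove(self, src):                          # -m recent --remove
        self.stamps.pop(src, None)

    def update(self, src, now, seconds, hitcount):  # -m recent --update --seconds --hitcount
        """Match when `src` has at least `hitcount` hits in the last `seconds`;
        a match also records the current packet as a further hit."""
        hits = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(hits) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def new_ssh_connection(recent, src, now, whitelist=SSH_WHITELIST):
    """Verdict for one NEW tcp/22 packet from `src` at time `now` (seconds),
    walking the INPUT rules in the order the script appends them."""
    recent.set(src, now)                 # rule 1: record the hit; no target, so fall through
    addr = ipaddress.ip_address(src)     # rule 2: -j sshwhite
    for net in whitelist:
        if addr in ipaddress.ip_network(net, strict=False):
            recent.remove(src)           #   whitelisted: forget the entry and ACCEPT
            return "ACCEPT"
    if recent.update(src, now, SECONDS, HITCOUNT):
        return "REJECT"                  # rule 3: 4 or more new connections in 60 s
    return "ACCEPT"                      # assumed: a later INPUT rule accepts tcp/22


def replay(connections, whitelist=SSH_WHITELIST):
    """connections: [(time_in_seconds, source_ip), ...] -> list of verdicts."""
    recent = RecentList()
    return [new_ssh_connection(recent, src, t, whitelist) for t, src in connections]


if __name__ == "__main__":
    # Constructed scenarios: a bot reconnecting once a second and retrying after
    # a pause, a whitelisted LAN host, and an outside user running scp in a loop.
    bot = [(t, "85.8.136.219") for t in range(6)] + [(70, "85.8.136.219")]
    print("bot:      ", replay(bot))
    print("lan user: ", replay([(t, "192.168.1.5") for t in range(10)]))
    print("scp loop: ", replay([(t, "10.0.0.7") for t in range(5)]))
```

Two things the replay makes visible: the limit is on new connections, not on failed logins, so a non-whitelisted user who opens four sessions within a minute is rejected just like the bot (that is what the whitelist chain is for); and the bot stays rejected for as long as it keeps reconnecting, because the --set rule records every attempt before the --update check runs, so the 60-second window only empties once it pauses.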

* [gentoo-user]  Re: Break In attempts
From: Remy Blank @ 2007-10-07 18:16 UTC
  To: gentoo-user

Mick wrote:
> I have already disabled PAM authentication on sshd so that only users with a 
> public key in their ~/.ssh can login.

This is the first and most important step. This means that the only real
problem is that your logs fill with failed log in attempts.

The easiest way I have found to avoid that is to change the port number
of the SSH daemon to something other than 22.

-- Remy





* Re: [gentoo-user]  Re: Break In attempts
From: Mick @ 2007-10-07 19:11 UTC
  To: gentoo-user


On Sunday 07 October 2007, Remy Blank wrote:
> Mick wrote:
> > I have already disabled PAM authentication on sshd so that only users
> > with a public key in their ~/.ssh can login.
>
> This is the first and most important step. This means that the only real
> problem is that your logs fill with failed log in attempts.
>
> The easiest way I have found to avoid that is to change the port number
> of the SSH daemon to something other than 22.

That's right, my standard practice for this sort of problem is to disable root 
& passwd authentication in favour of public key and then move the ssh port 
away from the bots.  The problem is that on this occasion, this is not my 
server.  I'll have a word with the owner and see what he thinks.
-- 
Regards,
Mick



* Re: [gentoo-user] Re: Break In attempts
From: Hex Star @ 2007-10-07 19:46 UTC
  To: gentoo-user


http://www.google.com/search?hl=en&q=howto+secure+ssh&btnG=Google+Search



* Re: [gentoo-user] Break In attempts
From: Randy Barlow @ 2007-10-07 20:18 UTC
  To: gentoo-user

Mick wrote:
> Can you please advise what I could do to block IP addresses that have 
> repeatedly failed to log in?

You can also have a look at denyhosts...

-- 
Randy Barlow
http://electronsweatshop.com




* Re: [gentoo-user]  Re: Break In attempts
From: Mick @ 2007-10-13 10:43 UTC
  To: gentoo-user


On Sunday 07 October 2007, Remy Blank wrote:
> Mick wrote:
> > I have already disabled PAM authentication on sshd so that only users
> > with a public key in their ~/.ssh can login.
>
> This is the first and most important step. This means that the only real
> problem is that your logs fill with failed log in attempts.
>
> The easiest way I have found to avoid that is to change the port number
> of the SSH daemon to something other than 22.

I am trying out fail2ban, but I am not sure I have configured it correctly.  
Shouldn't most of these repeated attempts have been stopped?
========================================================
Oct 12 21:01:01 support sshd[30347]: Did not receive identification string from 203.128.89.99
Oct 13 01:01:38 support sshd[26419]: Did not receive identification string from 85.8.136.219
Oct 13 01:01:38 support sshd[26422]: Did not receive identification string from 85.8.136.219
Oct 13 01:11:14 support sshd[31765]: Invalid user admin from 85.8.136.219
Oct 13 01:11:15 support sshd[31792]: Invalid user test from 85.8.136.219
Oct 13 01:11:15 support sshd[31814]: Invalid user guest from 85.8.136.219
Oct 13 01:11:16 support sshd[31833]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:17 support sshd[31852]: User mysql not allowed because account is locked
Oct 13 01:11:18 support sshd[31902]: Invalid user oracle from 85.8.136.219
Oct 13 01:11:19 support sshd[31929]: Invalid user library from 85.8.136.219
Oct 13 01:11:19 support sshd[31945]: Invalid user admin from 85.8.136.219
Oct 13 01:11:20 support sshd[31952]: Invalid user info from 85.8.136.219
Oct 13 01:11:20 support sshd[31965]: Invalid user test from 85.8.136.219
Oct 13 01:11:20 support sshd[31974]: Invalid user shell from 85.8.136.219
Oct 13 01:11:21 support sshd[31999]: Invalid user guest from 85.8.136.219
Oct 13 01:11:21 support sshd[32015]: Invalid user linux from 85.8.136.219
Oct 13 01:11:22 support sshd[32026]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:22 support sshd[32036]: Invalid user unix from 85.8.136.219
Oct 13 01:11:22 support sshd[32058]: User mysql not allowed because account is locked
Oct 13 01:11:23 support sshd[32080]: Invalid user oracle from 85.8.136.219
Oct 13 01:11:24 support sshd[32109]: Invalid user library from 85.8.136.219
Oct 13 01:11:24 support sshd[32123]: Invalid user test from 85.8.136.219
Oct 13 01:11:25 support sshd[32134]: Invalid user info from 85.8.136.219
Oct 13 01:11:25 support sshd[32164]: Invalid user shell from 85.8.136.219
Oct 13 01:11:26 support sshd[32175]: Invalid user admin from 85.8.136.219
Oct 13 01:11:26 support sshd[32192]: Invalid user linux from 85.8.136.219
Oct 13 01:11:27 support sshd[32200]: Invalid user guest from 85.8.136.219
Oct 13 01:11:27 support sshd[32224]: Invalid user unix from 85.8.136.219
========================================================

I have just kept the default fail2ban config file and have not created any new 
log files in /var/log/.

Any ideas?
-- 
Regards,
Mick


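Elias pointed Mick at fail2ban, and the log above is the kind of input it works on. The following is an added Python example written for this page (not fail2ban's own code, and not anything posted in the thread) that replays the same sliding-window logic over a subset of the lines Mick posted: count authentication failures per source address inside a window of `findtime` seconds and ban at the failure that reaches `maxretry`. The threshold values (5 failures in 600 seconds), the year 2007 (syslog lines carry none) and the match patterns are assumptions of the example, not fail2ban's shipped filter. It shows two things the raw log does not: at what line a working ban would have kicked in and how many attempts were still logged after it, and that the "User mysql not allowed because account is locked" line carries no source address at all, so no log-based banner can attribute it to the attacker.

```python
"""Replay fail2ban-style sliding-window banning over sshd syslog lines.

Added example for this page; the thresholds, patterns and year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a subset of the sshd lines posted above, in order.
SAMPLE_LOG = """\
Oct 12 21:01:01 support sshd[30347]: Did not receive identification string from 203.128.89.99
Oct 13 01:01:38 support sshd[26419]: Did not receive identification string from 85.8.136.219
Oct 13 01:11:14 support sshd[31765]: Invalid user admin from 85.8.136.219
Oct 13 01:11:15 support sshd[31792]: Invalid user test from 85.8.136.219
Oct 13 01:11:15 support sshd[31814]: Invalid user guest from 85.8.136.219
Oct 13 01:11:16 support sshd[31833]: Invalid user webmaster from 85.8.136.219
Oct 13 01:11:17 support sshd[31852]: User mysql not allowed because account is locked
Oct 13 01:11:18 support sshd[31902]: Invalid user oracle from 85.8.136.219
Oct 13 01:11:19 support sshd[31929]: Invalid user library from 85.8.136.219
Oct 13 01:11:19 support sshd[31945]: Invalid user admin from 85.8.136.219
Oct 13 01:11:20 support sshd[31952]: Invalid user info from 85.8.136.219
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumed patterns (not fail2ban's own filter), modelled on the line types above.
FAIL_RES = [re.compile(r"^Invalid user \S+ from " + IPV4 + r"$"),
            re.compile(r"^Failed \S+ for .* from " + IPV4)]
PROBE_RE = re.compile(r"^Did not receive identification string from " + IPV4 + r"$")


def parse_line(line, year=2007):
    """Classify one sshd line as (timestamp, kind, host).
    kind is 'fail' (auth failure with a source address), 'fail-nohost'
    (a refusal sshd logged without any address), 'probe' (pre-auth scanner
    that never sent a banner) or 'other'. The year is assumed; syslog omits it."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    stamp = re.sub(r" +", " ", m["ts"])
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    for pattern in FAIL_RES:
        fm = pattern.match(msg)
        if fm:
            return ts, "fail", fm["host"]
    pm = PROBE_RE.match(msg)
    if pm:
        return ts, "probe", pm["host"]
    if "not allowed because" in msg:
        return ts, "fail-nohost", None
    return ts, "other", None


def ban_report(log_text, maxretry=5, findtime=600):
    """Replay the log keeping, per host, the failure timestamps inside a
    sliding window of `findtime` seconds; a host is banned at the failure
    that brings its window to `maxretry` entries. Returns
    ({host: (ban_time, failures_logged_after_ban)}, unattributed_failures)."""
    windows = defaultdict(deque)
    banned = {}
    unattributed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, host = parsed
        if kind == "fail-nohost":
            unattributed += 1       # no address: nothing a log-based banner can block
        if kind != "fail":
            continue
        if host in banned:          # a working ban would have stopped these lines
            ban_time, after = banned[host]
            banned[host] = (ban_time, after + 1)
            continue
        window = windows[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = (ts, 0)
    return banned, unattributed


if __name__ == "__main__":
    bans, nohost = ban_report(SAMPLE_LOG)
    for host, (when, after) in bans.items():
        print(f"{host}: ban at {when:%b %d %H:%M:%S}, {after} further failures logged")
    print(f"{nohost} failure line(s) carried no source address")
```

On the sample, 85.8.136.219 reaches five failures at 01:11:18 and three more failures are logged after that point, which is the pattern to expect in a log when the jail is not actually acting (the probe lines and the address-less "account is locked" line do not count towards the ban). When fail2ban is running correctly, lines after the ban time should stop, because the ban action drops the source at the firewall rather than at sshd.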

* Re: [gentoo-user] Re: Break In attempts
From: Mark Shields @ 2007-10-16 17:28 UTC
  To: gentoo-user


On 10/13/07, Mick <michaelkintzios@gmail.com> wrote:
> I am trying out fail2ban, but I am not sure I have configured it
> correctly.
> Shouldn't most of these repeated attempts have been stopped?
> [...]
> I have just kept the default fail2ban config file and have not created any
> new
> log files in /var/log/.
>
> Any ideas?
Do you have anything in your default log file, /var/log/fail2ban.log ?

-- 
- Mark Shields


