public inbox for gentoo-user@lists.gentoo.org
From: Evgeniy Bushkov <zhen@dotcomltd.ru>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Thu, 04 Dec 2008 14:24:03 +0300	[thread overview]
Message-ID: <4937BDD3.3060809@dotcomltd.ru> (raw)
In-Reply-To: <4936E5E3.1040606@shic.co.uk>


Steve writes:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no two successive attempts from the same host.
>
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious attempting to break passwords.
>
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions?  Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.
>
> Break in attempts today (attempted username/IP address):
> --
>
>   
Hi.
Best of all, you can add iptables rules. It's better than using any script.
Also note that there are no "known-compromised hosts", because ANY
IP can be forged.
I've sometimes seen such rules on the internet. These are the ones I use in my firewall:

# 1. Record every NEW TCP connection to port 22 in the "sshattack" list
#    (this rule only marks the source; it never drops anything by itself).
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 \
    -m recent --name sshattack --set

# 2. If this source has been seen 4 or more times in the last 60 seconds,
#    log it (rate-limited to 3 messages per minute so the log is not flooded).
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 \
    -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 \
    -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level 4 --log-prefix 'SSH REJECT: '

# 3. ... and reject the connection with a TCP reset.
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 \
    -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 \
    -j REJECT --reject-with tcp-reset

These rules give you the possibility to use your ssh service from any IP but
reject repeated login attempts from malicious users. You can tune the
--hitcount parameter to limit the number of
sequential login attempts per minute. You can also look at
/proc/net/ipt_recent/sshattack for malicious IPs and how often they were
used.

Best regards,
Evgeniy B.
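As an added illustration, not code from this thread, the following Python replays a few constructed sshd log lines through two checks: the signature Steve describes (user names arriving in alphabetical order, successive attempts never from the same host) and a simulation of the --set / --rcheck --seconds 60 --hitcount 4 pair from the rules above, counting each logged attempt as one NEW connection. The hosts, user names and timestamps are made up; the assumed xt_recent behaviour is that --set records every packet, --rcheck matches when the address has at least --hitcount entries inside the last --seconds (the current packet included), and the kernel keeps only the last 20 entries per address (the ip_pkt_list_tot default).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (not a real log). The first six mimic the
# distributed pattern from the thread: names in alphabetical order, every
# attempt from a different host. The rest are a plain single-host burst.
SAMPLE_LOG = """\
Dec  4 10:00:00 gw sshd[4011]: Invalid user aaron from 192.0.2.10
Dec  4 10:00:30 gw sshd[4015]: Invalid user abbie from 198.51.100.7
Dec  4 10:01:00 gw sshd[4019]: Invalid user abdul from 203.0.113.22
Dec  4 10:01:30 gw sshd[4023]: Invalid user abel from 192.0.2.77
Dec  4 10:02:00 gw sshd[4027]: Invalid user abraham from 198.51.100.140
Dec  4 10:02:30 gw sshd[4031]: Invalid user ada from 203.0.113.9
Dec  4 11:30:00 gw sshd[5102]: Invalid user admin from 203.0.113.250
Dec  4 11:30:05 gw sshd[5104]: Invalid user oracle from 203.0.113.250
Dec  4 11:30:11 gw sshd[5106]: Invalid user test from 203.0.113.250
Dec  4 11:30:18 gw sshd[5108]: Invalid user guest from 203.0.113.250
Dec  4 11:30:25 gw sshd[5110]: Invalid user backup from 203.0.113.250
Dec  4 11:31:30 gw sshd[5112]: Invalid user ftp from 203.0.113.250
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
YEAR = 2008  # syslog lines carry no year; assumed for the sample above


def parse_sshd_log(text):
    """Return [{'ts': epoch seconds, 'user': ..., 'ip': ...}] in log order."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{YEAR} {m['mon']} {m['day']} {m['time']}"
        dt = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        attempts.append({"ts": int(dt.timestamp()), "user": m["user"], "ip": m["ip"]})
    return attempts


def split_runs(attempts, gap=600):
    """Break the attempts into runs separated by more than `gap` seconds of silence."""
    runs = []
    for a in attempts:
        if runs and a["ts"] - runs[-1][-1]["ts"] <= gap:
            runs[-1].append(a)
        else:
            runs.append([a])
    return runs


def summarise(run):
    """The signature from Steve's post: alphabetical user names, many hosts,
    and never two successive attempts from the same host."""
    users = [a["user"] for a in run]
    ips = [a["ip"] for a in run]
    alphabetical = users == sorted(users)
    no_consecutive_repeat = all(x != y for x, y in zip(ips, ips[1:]))
    return {
        "attempts": len(run),
        "distinct_hosts": len(set(ips)),
        "alphabetical": alphabetical,
        "looks_distributed": len(set(ips)) > 1 and alphabetical and no_consecutive_repeat,
    }


def simulate_recent(run, seconds=60, hitcount=4, pkt_list_tot=20):
    """Replay each attempt as a NEW connection through the posted rule pair.
    --set records the hit unconditionally; --rcheck --seconds S --hitcount N
    matches (here: REJECT) when the address has N or more recorded hits
    within the last S seconds, the current one included. Only the last
    `pkt_list_tot` hits per address are kept (assumed kernel default: 20).
    Returns the (user, ip) pairs the REJECT rule would have hit."""
    history = defaultdict(lambda: deque(maxlen=pkt_list_tot))
    rejected = []
    for a in run:
        hist = history[a["ip"]]
        hist.append(a["ts"])
        in_window = sum(1 for t in hist if t >= a["ts"] - seconds)
        if in_window >= hitcount:
            rejected.append((a["user"], a["ip"]))
    return rejected


if __name__ == "__main__":
    for run in split_runs(parse_sshd_log(SAMPLE_LOG)):
        print(summarise(run))
        print("  would be rejected by --hitcount 4:", simulate_recent(run))
```

The first run trips the distributed signature but never reaches the per-source threshold, since every host appears exactly once, which is the limitation the thread is circling around. In the single-host burst the 4th and 5th connections are rejected, while the 6th, arriving after the earlier hits have aged out of the 60-second window, gets through again; that aging is what --seconds controls. On current kernels the list is exposed at /proc/net/xt_recent/sshattack rather than /proc/net/ipt_recent/sshattack.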



