Steve writes:
I've recently discovered a curious pattern emerging in my system log with failed login attempts via ssh. Previously, I noticed dictionary attacks launched - which were easy to detect... and I've a process to block the IP address of any host that repeatedly fails to authenticate. What I see now is quite different... I'm seeing a dictionary attack originating from a wide range of IP addresses - testing user-names in sequence... it has been in progress since 22nd November 2008 and has tried 7195 user names in alphabetical order from 521 distinct hosts - with no two successive attempts from the same host. I'm not particularly concerned - since I'm confident that all my users have strong passwords... but it strikes me that this data identifies a bot-net that is clearly malicious, attempting to break passwords. Sure, I could use iptables to block all these bad hosts... or... I could disable password authentication entirely... but I keep thinking that there has to be something better I can do... any suggestions? Is there a simple way to integrate a block-list of known-compromised hosts into iptables - rather like my postfix is configured to drop connections from known spam sources from the sbl-xbl.spamhaus.org DNS block list, for example. Break-in attempts today (attempted username/IP address): --
Hi. Best of all, you can add iptables rules. It's better than using any script. Also take note that there are no "known-compromised hosts" because ANY IP can be forged.
I've sometimes seen such rules on the internet. These are the ones I use in my firewall:

iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
These rules give you the possibility to use your ssh service from any IP but reject repeated login attempts from malicious users. You can tune the --hitcount parameter to limit the number of sequential login attempts per minute. Also, you can look at /proc/net/ipt_recent/sshattack for malicious IPs and how often they were seen.
Best regards, Evgeniy B.
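A detector for the pattern Steve describes, added here as an example and not part of the thread: it parses constructed sshd failure lines and reports whether the failures look like a distributed, alphabetically ordered username scan (one attempt per host, which a per-IP --hitcount rule like the one above never fires on) or a conventional single-host dictionary attack. The log lines, thresholds and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from the original thread): one host per
# attempt, usernames arriving in alphabetical order, as Steve describes.
DISTRIBUTED_LOG = """\
Nov 22 03:14:01 host sshd[4711]: Failed password for invalid user aaron from 198.51.100.7 port 40122 ssh2
Nov 22 03:16:44 host sshd[4715]: Failed password for invalid user abby from 203.0.113.19 port 51003 ssh2
Nov 22 03:19:02 host sshd[4720]: Failed password for invalid user abel from 192.0.2.88 port 33917 ssh2
Nov 22 03:21:37 host sshd[4724]: Failed password for invalid user abraham from 198.51.100.42 port 44880 ssh2
Nov 22 03:24:10 host sshd[4730]: Failed password for invalid user adam from 203.0.113.5 port 60211 ssh2
Nov 22 03:30:55 host sshd[4733]: Failed password for invalid user alan from 192.0.2.10 port 52000 ssh2
"""
# Constructed classic dictionary attack from a single host, for contrast.
SINGLE_HOST_LOG = """\
Nov 23 01:00:01 host sshd[5001]: Failed password for root from 198.51.100.99 port 40001 ssh2
Nov 23 01:00:03 host sshd[5002]: Failed password for invalid user admin from 198.51.100.99 port 40002 ssh2
Nov 23 01:00:05 host sshd[5003]: Failed password for invalid user oracle from 198.51.100.99 port 40003 ssh2
Nov 23 01:00:07 host sshd[5004]: Failed password for invalid user test from 198.51.100.99 port 40004 ssh2
Nov 23 01:00:09 host sshd[5005]: Failed password for root from 198.51.100.99 port 40005 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text):
    """Return (username, ip) pairs for every failed-password line, in log order."""
    return [(m.group("user"), m.group("ip"))
            for m in (FAILED_RE.search(l) for l in log_text.splitlines()) if m]

def analyse(failures):
    """Summarise a run of failures: distinct hosts, the most attempts any one
    host made, and how often a username sorts after the previous one."""
    users = [u for u, _ in failures]
    per_host = Counter(ip for _, ip in failures)
    n = len(failures)
    in_order = sum(1 for a, b in zip(users, users[1:]) if a < b)
    return {
        "attempts": n,
        "distinct_hosts": len(per_host),
        "max_per_host": max(per_host.values(), default=0),
        "ordered_ratio": in_order / (n - 1) if n > 1 else 0.0,
    }

def is_distributed_scan(stats, min_attempts=5, host_ratio=0.8, order_ratio=0.9):
    """True when nearly every attempt comes from a different host and the
    usernames arrive in alphabetical order (thresholds are assumptions)."""
    if stats["attempts"] < min_attempts:
        return False
    return (stats["distinct_hosts"] / stats["attempts"] >= host_ratio
            and stats["ordered_ratio"] >= order_ratio)
```

Feeding the real auth log through parse_failures and analyse gives the same figures Steve counted by hand (attempts, distinct hosts, alphabetical order), which is the signal a per-host rate limit cannot see.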