Re: is there a way to block sshd trolling?
Hi Nick

I managed to get it working like this. I am mainly writing this also so that other users might benefit from it :-)

In /etc/pf.conf I added only the following line:

    block quick on $ext_if inet proto { tcp udp } from <sshdhackers> to $ext_if

I then placed the following in /root/swatchrc:

    watchfor /Invalid user/
        [EMAIL PROTECTED], --subject=Hacking alert! We have an illegal login attempt!
        exec pfctl -t sshdhackers -T add $10

This means that I will get an email notification, plus pfctl will add the illegal IP to the sshdhackers table.

In my case I only want to block illegal users, since I am using AllowUsers with sshd and because I don't want to risk blocking someone who might have forgotten his/her password. This could be extended to block the user if he or she fails at X attempts. Swatch then needs to be looking for "Failed password for USER" where USER is the right username. This actually is a good idea to block in case some script kid gets his hands on the right username.

In /etc/rc.local I have placed the following line:

    /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog

If one wants to see the IPs in sshdhackers it can be done with:

    pfctl -t sshdhackers -T show

And if one needs to delete an IP:

    pfctl -t sshdhackers -T delete xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP.

To get swatch to add the illegal entry to its own logging file, say /root/swatchlog (as Nick used), I add this entry in /root/swatchrc after the "exec pfctl" line:

    exec echo $0 >> /root/swatchlog

And if you only want the IP to be logged:

    exec echo $10 >> /root/swatchlog

In case someone doesn't know: $10 means the tenth word in the line (which in authlog is the IP).

Hope others might benefit.

Cheers.
Rico.
Re: is there a way to block sshd trolling?
Hi Rico,

I'd probably do that the other way - get rid of the log file bit out of the swatch config and let that update the pf table. Set up a separate cronjob to dump the table contents to a file every hour or so with a

    pfctl -t sshdtrolls -T show > LOGFILENAME

This way the pf table is instantly updated as the person is scanning and the logfile is created later on. If you do it the other way you're back with the problem of how to import the logfile into the table quickly enough to stop the scanning.

Cheers.
Nick

Rico wrote:
> Hi Nick
>
> Nick Ryan wrote:
>> Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is...
>
> This, I think, is the interesting part because I want that very log file to be the "blacklist" file and then to have Swatch make pf grab that file. That way each time there is an "Illegal user" the log file is extended with the IP and pf adds that IP to the block rule. I will try to work on this before working more on the missing block part :-)
>
> Thanks for your reply!
>
> Kindly
> Rico.
>
>> Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no other rule is overriding it and that you're testing it on the interface the rule is on - ie the external interface. You could change your permit ssh line to be something like this:
>>
>>     pass in log quick inet proto tcp from ! <sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA
>>
>> Change that line for whatever suits your rules - it's just an example of the ! bit. You probably don't even need the block rule in with this. Also check the IP address in the table with
>>
>>     pfctl -t sshdtrolls -T show
>>
>> and make sure it's correct. The reason I think it's a firewall rule is that you said it said 1/1 address added which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.
>>
>> Let me know how you get on.
>>
>> Cheers - Nick
>>
>> Rico wrote:
>>> Dear Nick
>>>
>>> I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added. I am using this
>>>
>>>     table <sshdhackers> persist file "/root/pf/sshdhackers"
>>>
>>> I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers.
>>>
>>> Would you mind explaining a bit more about your setup?
>>>
>>> Friendly
>>> Rico.
>>>
>>> Nick Ryan wrote:
>>>> What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
>>>>
>>>>     table <sshdtrolls> persist
>>>>
>>>> and a rule
>>>>
>>>>     #stop ssh trolls
>>>>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
>>>>
>>>> A swatchrc file of:
>>>>
>>>>     watchfor /Failed password for invalid user/
>>>>         exec /sbin/pfctl -t sshdtrolls -T add $13
>>>>         [EMAIL PROTECTED], --subject=woo. we have a troll
>>>>         throttle 02:00
>>>>         exec echo $13 >> /root/swatchlog
>>>>
>>>> Then run swatch with:
>>>>
>>>>     /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
>>>>
>>>> (Note file locations and settings might need to be changed depending on your config)
>>>>
>>>> I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
Re: is there a way to block sshd trolling?
Hi Nick

Nick Ryan wrote:
> Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is...

This, I think, is the interesting part because I want that very log file to be the "blacklist" file and then to have Swatch make pf grab that file. That way each time there is an "Illegal user" the log file is extended with the IP and pf adds that IP to the block rule. I will try to work on this before working more on the missing block part :-)

Thanks for your reply!

Kindly
Rico.

> Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no other rule is overriding it and that you're testing it on the interface the rule is on - ie the external interface. You could change your permit ssh line to be something like this:
>
>     pass in log quick inet proto tcp from ! <sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA
>
> Change that line for whatever suits your rules - it's just an example of the ! bit. You probably don't even need the block rule in with this. Also check the IP address in the table with
>
>     pfctl -t sshdtrolls -T show
>
> and make sure it's correct. The reason I think it's a firewall rule is that you said it said 1/1 address added which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.
>
> Let me know how you get on.
>
> Cheers - Nick
>
> Rico wrote:
>> Dear Nick
>>
>> I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added. I am using this
>>
>>     table <sshdhackers> persist file "/root/pf/sshdhackers"
>>
>> I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers.
>>
>> Would you mind explaining a bit more about your setup?
>>
>> Friendly
>> Rico.
>>
>> Nick Ryan wrote:
>>> What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
>>>
>>>     table <sshdtrolls> persist
>>>
>>> and a rule
>>>
>>>     #stop ssh trolls
>>>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
>>>
>>> A swatchrc file of:
>>>
>>>     watchfor /Failed password for invalid user/
>>>         exec /sbin/pfctl -t sshdtrolls -T add $13
>>>         [EMAIL PROTECTED], --subject=woo. we have a troll
>>>         throttle 02:00
>>>         exec echo $13 >> /root/swatchlog
>>>
>>> Then run swatch with:
>>>
>>>     /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
>>>
>>> (Note file locations and settings might need to be changed depending on your config)
>>>
>>> I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
Re: is there a way to block sshd trolling?
Alexander Hall wrote:
> Rico wrote:
>> I am using this
>>
>>     table <sshdhackers> persist file "/root/pf/sshdhackers"
>>
>> I don't get any entries in the sshdhackers file and I don't get blocked from the system.
>
> A table modification is not automatically added to the file the table was once populated from. Use
>
>     # pfctl -t sshdtrolls -T show > /root/pf/sshdhackers
>
> for that.

I know :-) I am using Swatch to try to append to the file and then Swatch is making pf read the file again. I can't make this work though.

> Concerning not being blocked, do you have this too?

Yes :-)

>>> and a rule
>>>
>>>     #stop ssh trolls
>>>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
>
> /Alexander
Re: is there a way to block sshd trolling?
Rico wrote:
> I am using this
>
>     table <sshdhackers> persist file "/root/pf/sshdhackers"
>
> I don't get any entries in the sshdhackers file and I don't get blocked from the system.

A table modification is not automatically added to the file the table was once populated from. Use

    # pfctl -t sshdtrolls -T show > /root/pf/sshdhackers

for that.

Concerning not being blocked, do you have this too?

>> and a rule
>>
>>     #stop ssh trolls
>>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"

/Alexander
Re: is there a way to block sshd trolling?
Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is...

Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no other rule is overriding it and that you're testing it on the interface the rule is on - ie the external interface. You could change your permit ssh line to be something like this:

    pass in log quick inet proto tcp from ! <sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA

Change that line for whatever suits your rules - it's just an example of the ! bit. You probably don't even need the block rule in with this. Also check the IP address in the table with

    pfctl -t sshdtrolls -T show

and make sure it's correct. The reason I think it's a firewall rule is that you said it said 1/1 address added which means that it's picking it up from the logs and adding it to the table - the only other place it can go wrong is in the block rule.

Let me know how you get on.

Cheers - Nick

Rico wrote:
> Dear Nick
>
> I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added. I am using this
>
>     table <sshdhackers> persist file "/root/pf/sshdhackers"
>
> I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers.
>
> Would you mind explaining a bit more about your setup?
>
> Friendly
> Rico.
>
> Nick Ryan wrote:
>> What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
>>
>>     table <sshdtrolls> persist
>>
>> and a rule
>>
>>     #stop ssh trolls
>>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
>>
>> A swatchrc file of:
>>
>>     watchfor /Failed password for invalid user/
>>         exec /sbin/pfctl -t sshdtrolls -T add $13
>>         [EMAIL PROTECTED], --subject=woo. we have a troll
>>         throttle 02:00
>>         exec echo $13 >> /root/swatchlog
>>
>> Then run swatch with:
>>
>>     /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
>>
>> (Note file locations and settings might need to be changed depending on your config)
>>
>> I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
Re: is there a way to block sshd trolling?
Dear Nick

I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the attempt is logged by authlog, and having swatch running from the console it says: 1/1 addresses added. I am using this

    table <sshdhackers> persist file "/root/pf/sshdhackers"

I don't get any entries in the sshdhackers file and I don't get blocked from the system. I also use AllowUsers.

Would you mind explaining a bit more about your setup?

Friendly
Rico.

Nick Ryan wrote:
> What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:
>
>     table <sshdtrolls> persist
>
> and a rule
>
>     #stop ssh trolls
>     block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
>
> A swatchrc file of:
>
>     watchfor /Failed password for invalid user/
>         exec /sbin/pfctl -t sshdtrolls -T add $13
>         [EMAIL PROTECTED], --subject=woo. we have a troll
>         throttle 02:00
>         exec echo $13 >> /root/swatchlog
>
> Then run swatch with:
>
>     /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
>
> (Note file locations and settings might need to be changed depending on your config)
>
> I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
Re: is there a way to block sshd trolling?
What you could also do is install swatch from ports or packages and have a table in your pf.conf like this:

    table <sshdtrolls> persist

and a rule

    #stop ssh trolls
    block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"

A swatchrc file of:

    watchfor /Failed password for invalid user/
        exec /sbin/pfctl -t sshdtrolls -T add $13
        [EMAIL PROTECTED], --subject=woo. we have a troll
        throttle 02:00
        exec echo $13 >> /root/swatchlog

Then run swatch with:

    /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &

(Note file locations and settings might need to be changed depending on your config)

I also have the AllowUsers and use PubKeyAuthentication and PasswordAuthentication No settings enabled in sshd_config. This means that for a normal login the error "Failed password for invalid user" won't come up as it'll never get that far as it's expecting a key. If a troll tries to log in, they get one chance before the swatch picks it up and adds it to the block table.
Re: is there a way to block sshd trolling?
I use an "intruder" table within pf:

    table <intruders> file "/etc/pf.intruders"

Then in pf rules:

    block drop in log-all from <intruders> to any

Then I run this script out of cron on a periodic basis (remove the echo statements for cron use - I like to run it manually, too)

    #!/usr/local/bin/bash
    # This counts the number of failed login attempts from every ip address in /var/log/authlog
    # (input is sorted before uniq -c so that non-adjacent repeats of an address are counted together)
    echo
    echo
    echo "The following is a list of failed login attempts:"
    echo
    echo "# Tries   IP Address"
    echo
    cat /var/log/authlog | grep Failed | awk '{print $13"\t"$14}' | grep port | awk '{print $1}' | sort | uniq -c | sort | awk '{print "\t"$1"\t"$2}' > /etc/pf.intruders.tmp
    cat /etc/pf.intruders.tmp
    #set the following number to set tolerance level - currently set to 20
    cat /etc/pf.intruders.tmp | awk '{if ($1 >= 20) print $2}' >> /etc/pf.intruders
    #The following addresses have tried to log in as root
    echo
    echo "The following is a list of failed root login attempts:"
    echo
    echo "# Tries   IP Address"
    echo
    cat /var/log/authlog | grep root | grep -i fail | awk '{print $11}' | sort | uniq -c | sort | awk '{print "\t"$1"\t"$2}' > /etc/pf.intruders.tmp
    cat /etc/pf.intruders.tmp
    cat /etc/pf.intruders.tmp | awk '{print $2}' >> /etc/pf.intruders
    # The following addresses have successfully logged in as root - this should NEVER contain any entries
    echo
    echo "The following is a list of successful root logins:"
    echo
    echo "# Tries   IP Address"
    echo
    cat /var/log/authlog | grep root | grep -v -i fail | grep -v su | awk '{print $11}' | sort | uniq -c | sort | awk '{print "\t"$1"\t"$2}'
    # insure only unique addresses and keep out my addresses (W.X.Y.Z) from the restricted log
    cat /etc/pf.intruders | grep -v W.X.Y.Z | sort -u > /etc/pf.intruders.tmp
    cp /etc/pf.intruders.tmp /etc/pf.intruders
    rm /etc/pf.intruders.tmp
    #replace the intruders table with the updated table
    pfctl -t intruders -T replace -f /etc/pf.intruders
    echo -n "Hack Check last ran at: " >> /var/log/hackchklog
    date >> /var/log/hackchklog
    echo
    echo "Addresses with more than 20 login attempts or any attempt to login as root have been copied to /etc/pf.intruders"
    cat /var/log/hackchklog
    echo

I also like to check out the IP addresses that produce the greatest number of packets that have been blocked & logged (the last awk strips the port that tcpdump appends to the address as a fifth dotted field):

    echo "IP Addresses of Blocked Packets "
    tcpdump -n -e -ttt -r /var/log/pflog | awk '{print $1" "$2" "$3" "$10}' | awk '{print $4}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort

John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp} from ###.##.##.### to any flags S/SA' entry in my pf.conf file. But if I had to do that for every hacker my pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
>
> Information Technology Specialist
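Both Rico's swatch rule (`$10` is the IP in an "Invalid user" line) and the cron script above (`$13`, `$11`) depend on the IP sitting at a fixed word position, which shifts as soon as the hostname, the process name or the message variant changes. The script below is an added example, not code from the thread or from any of its authors: it keys on the message text, counts "Failed password" lines per source address for any sshd message variant, applies a threshold and a whitelist, and produces the one-address-per-line file that `pfctl -T replace -f` loads. The log lines are constructed in authlog format with documentation addresses, the table name `intruders` and the administrator address are assumptions, and the script never touches pf unless it is given a real log file.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source
# address in authlog and emit the addresses to load into a pf table.
# It keys on the message text instead of a fixed word position ($10 or $13),
# so a different hostname, process name or pid width does not shift the IP.
LC_ALL=C; export LC_ALL

# Constructed sample lines in OpenBSD authlog format (documentation
# addresses, not real traffic). Only the address after "from" is counted;
# the username is never used as a key.
SAMPLE_AUTHLOG='Sep 23 11:40:01 gw sshd[1234]: Invalid user admin from 192.0.2.10
Sep 23 11:40:01 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Sep 23 11:40:03 gw sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 40124 ssh2
Sep 23 11:40:05 gw sshd[1236]: Failed password for root from 198.51.100.7 port 5001 ssh2
Sep 23 11:40:06 gw sshd[1237]: Accepted publickey for rico from 203.0.113.5 port 6000 ssh2
Sep 23 11:40:09 gw sshd[1238]: Failed password for rico from 203.0.113.5 port 6001 ssh2
Sep 23 11:40:12 gw sshd[1239]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2'

# failed_counts: read authlog on stdin, print "count address", highest first.
# Only "Failed password for ..." lines count, so the separate "Invalid user"
# line sshd logs for the same attempt is not counted a second time.
failed_counts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD WHITELIST: addresses with at least THRESHOLD failures,
# minus the space-separated WHITELIST (your own addresses), one per line,
# sorted and unique: the file format `pfctl -t <table> -T replace -f` loads.
offenders() {
    failed_counts | awk -v t="$1" -v wl="$2" '
        BEGIN { k = split(wl, w, " "); for (i = 1; i <= k; i++) keep[w[i]] = 1 }
        $1 >= t && !($2 in keep) { print $2 }
    ' | sort -u
}

# Usage: sh sshd-offenders.sh [AUTHLOG] [THRESHOLD]
# Without arguments the constructed sample is analysed and nothing is loaded.
# With a log file, the result replaces the "intruders" table (name assumed
# from the thread) when pfctl is present; that step needs root.
main() {
    log=$1
    threshold=${2:-20}
    mine="203.0.113.5"   # assumed administrator address, never blocked
    if [ -z "$log" ]; then
        printf '%s\n' "$SAMPLE_AUTHLOG" | failed_counts
        echo "--- would block (threshold $threshold):"
        printf '%s\n' "$SAMPLE_AUTHLOG" | offenders "$threshold" "$mine"
        return 0
    fi
    out=${OUT:-/etc/pf.intruders}
    offenders "$threshold" "$mine" < "$log" > "$out.tmp" && mv "$out.tmp" "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t intruders -T replace -f "$out"
    fi
}

main "$@"
```

Writing to a temporary file and renaming it keeps `pfctl -T replace` from ever reading a half-written list, and `LC_ALL=C` makes `sort -u` produce the same byte-ordered output under cron as it does interactively.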
Re: is there a way to block sshd trolling?
I second that. Blocking ssh access from Linux hosts removes 95% of these attacks. Simple and effective.

    block drop in log quick on $ext_if proto { tcp, udp } from any os Linux to any port ssh label "Block ssh from Linux hosts"

/jkm

* Nick Ryan ([EMAIL PROTECTED]) wrote:
> You could use pf to block linux ssh access.
>
>     block in log quick on $EXT_IF inet proto tcp from any os "Linux" to port 22 label "Blocked Linux ssh access: "
>
> That'll reduce it quite a lot.
>
> John Marten wrote:
>> You know what i mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so i'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: invalid user somename"
>> "Failed password for invalid user somename"
>> "Received disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>> John F. Marten III
>>
>> Information Technology Specialist
Re: is there a way to block sshd trolling?
On Fri, 23-09-2005 at 21:24 -0700, Ray Percival wrote:
> [...]
> > I wonder if it's possible to "fingerprint" these programs. I actually
> > have a copy of the ssh-scanner that they use. I got it by looking at
> > the hack logs on a Linux server and going to the same FTP site they
> > used (anonymous ftp even ;).
> I use the blocker script from this article. Seems to work pretty well. I'd
> just block Linux but I have a few friends who have yet to see the OpenBSD
> light.
> http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded

From my experience only about 10% of the attackers come back to try again, so filtering after scanning logs is not worth it if you don't have a huge amount of attacks.

If your sshd_config is ok (AllowUsers is your friend), you're OK with updates, and you're using good passwords... you're safe. Let 'em try.

regards,
Juanjo
--
Development and systems: http://www.usebox.net/
Personal page: http://www.usebox.net/jjm/
Re: is there a way to block sshd trolling?
just a minor variation (in B dur) for what the others had said:

relevant parts of /etc/pf.conf:

    SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"
    table <bad_ssh> persist
    block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
    block in
    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state $SSH_LIMIT label "ssh"

    kripel> cat /etc/daily.local
    #!/bin/sh
    echo "flushing bad_ssh: "
    pfctl -t bad_ssh -T show
    pfctl -t bad_ssh -T flush

yes, i know, i am forgiving, i flush the table every day.. but you get the idea. you can play with this as much as you like. even make statistics, draw graphs, etc ;-) corporate drones like that ;-) show them how much they need openbsd

-f
--
drinking kills brain cells, but just the weak ones...
Re: is there a way to block sshd trolling?
--On 24 September 2005 13:31 +0100, ed wrote:
> What they did was to exploit gzip, I'm fairly certain. I could not apt-get of course and thus was left helpless. I no longer have faith in user passwords. I do my best to prevent people using common user names (besides myself who uses 'ed' of course, but with a decent password).

See /usr/ports/security/passwdqc if you'd like to enforce strong passwords.
Re: is there a way to block sshd trolling?
On Fri, 23 Sep 2005 21:24:26 -0700
Ray Percival <[EMAIL PROTECTED]> wrote:

> Yeah. This is only a threat against *really* weak boxes. Having said
> that I've seen a lot of posts talking about changing ports. That's a
> line that I won't cross. I refuse to hide from the bots and it's not
> even a speedbump against somebody who is a real threat. But that's just
> my personal line in the sand.

I agree, but I've personally been the victim of such an attack; it's a pain in the ass when you can't su to root, or login on the console. What they did was to exploit gzip, I'm fairly certain. I could not apt-get of course and thus was left helpless. I no longer have faith in user passwords. I do my best to prevent people using common user names (besides myself who uses 'ed' of course, but with a decent password).

The account abused was dominic/dominic; at the time this account was created the box did not have ssh open, and it was never an idea to, but then the service was opened and about 6 weeks later it was thoroughly shafted.

I use the following now:

    rdr pass on $ext_if proto tcp from any to 1.2.3.4 port {22,3389} -> 10.10.10.10
    block drop quick from <abuse_src>
    pass in on $ext_if proto tcp from any to $range port {22,3389} keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global )

After several weeks I have accumulated a list of about 60 IP blocks. I am wondering if

    block quick drop from abuse_src/24

is possible? But most of the IP addresses are not sequential.

--
A horse is a horse, of course, of course,
And no one can talk to a horse, of course,
Unless, of course, the horse, of course,
Is the famous Mr. Ed!

http://www.usenix.org.uk - http://irc.is-cool.net
Re: is there a way to block sshd trolling?
On Fri, Sep 23, 2005 at 08:07:35PM -0600, jared r r spiegel wrote:
> caveat is that i currently haven't implemented a way to expire entries
> out, however until you get something fancier tested/implemented,
> some simple pf action like that above might fly

/usr/ports/sysutils/expiretable in -current
Re: is there a way to block sshd trolling?
On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote:
> > Some intelligent scripts look at tcp responses to port scans, ssh
> > responds with SSH-2.0, which isn't too hard to identify. I don't know if
> > changing the greeting would break the protocol, but I suspect it might
> > break certain clients.
>
> I wonder if it's possible to "fingerprint" these programs. I actually
> have a copy of the ssh-scanner that they use. I got it by looking at
> the hack logs on a Linux server and going to the same FTP site they
> used (anonymous ftp even ;).

I use the blocker script from this article. Seems to work pretty well. I'd just block Linux but I have a few friends who have yet to see the OpenBSD light.

http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded

> The program that most of you see is probably "Skara". If you're
> interested you run the program by doing "./a xxx.xxx" where xxx.xxx is
> the first 2 octets of the network you want to scan (it only does
> class b). Once it finds all the servers running ssh, it then forks
> and runs "ssh-scan" on each and just crashes through the dictionary,
> till it finds some servers, and reports the findings. Usually
> something stupid like "admin/admin" or "vmail/vmail". I ran it on my
> network to look for things that may have been done sloppily. I
> actually did find one server where someone had created a user of
> "test" with the password of "test"...nice.
>
> As long as you have secure passwords, I'd recommend just logging in as
> a standard user, and using su so that you don't see all those logs.

Yeah. This is only a threat against *really* weak boxes. Having said that I've seen a lot of posts talking about changing ports. That's a line that I won't cross. I refuse to hide from the bots and it's not even a speedbump against somebody who is a real threat. But that's just my personal line in the sand.

> Keep in mind that they are just kiddies scanning class b's so there's
> probably better things to worry about.
>
> A lot of nice tips though. I've learned a lot about PF just reading the
> thread.
>
> --Bryan

--
BOFH excuse #345: Having to manually track the satellite.
Re: is there a way to block sshd trolling?
> Some intelligent scripts look at tcp responses to port scans, ssh
> responds with SSH-2.0, which isn't too hard to identify. I don't know if
> changing the greeting would break the protocol, but I suspect it might
> break certain clients.

I wonder if it's possible to "fingerprint" these programs. I actually have a copy of the ssh-scanner that they use. I got it by looking at the hack logs on a Linux server and going to the same FTP site they used (anonymous ftp even ;).

The program that most of you see is probably "Skara". If you're interested you run the program by doing "./a xxx.xxx" where xxx.xxx is the first 2 octets of the network you want to scan (it only does class b). Once it finds all the servers running ssh, it then forks and runs "ssh-scan" on each and just crashes through the dictionary, till it finds some servers, and reports the findings. Usually something stupid like "admin/admin" or "vmail/vmail". I ran it on my network to look for things that may have been done sloppily. I actually did find one server where someone had created a user of "test" with the password of "test"...nice.

As long as you have secure passwords, I'd recommend just logging in as a standard user, and using su so that you don't see all those logs.

Keep in mind that they are just kiddies scanning class b's so there's probably better things to worry about.

A lot of nice tips though. I've learned a lot about PF just reading the thread.

--Bryan
Re: is there a way to block sshd trolling?
On Friday 23 September 2005 14:40, John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
>
> Information Technology Special

Don't know if this is "better", and then "better" in what sense, but here it goes and it's easy as pie: I installed "denyhosts" - a python script. Obvious downside is that you need to install python. Only adjustment you need to do is that denyhosts looks into /var/log/authlog for OBSD instead of /var/log/auth.log for Linux.

My /etc/hosts.deny is growing steadily ever since ...

Kind regards,
Eike
--
Eike Lantzsch ZP6CGE
Casilla de Correo 1519
Asuncion / Paraguay
Tel.: 595-21-578698
FAX: 595-21-578690
Re: is there a way to block sshd trolling?
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"

haven't read the entire thread yet, so doubtless this has come up, but i use:

--
    e = sis2
    table persist { }
    pass in on $e inet proto tcp from any to (carp0:0) port 22 synproxy state flags S/SA tag IBSSH
    pass in log on $e tagged IBSSH keep state (max-src-conn-rate 10/90 overload flush global)
    block log quick from
--

i decided upon that rate after seeing what kind of rate i would get the spam. most people seem to be trying at a rate of 1 attempt per 2-4 seconds, so maybe the default in the "program" is ~3. a couple of smart people seem to have adjusted that to 1 try per 10s.

caveat is that i currently haven't implemented a way to expire entries out, however until you get something fancier tested/implemented, some simple pf action like that above might fly

jared
--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
Re: is there a way to block sshd trolling?
"Spruell, Darren-Perot" <[EMAIL PROTECTED]> writes: > From: Wolfgang S. Rupprecht >> 2) Forging the source IP in a TCP packet and succeeding in negotiating >>the 3-way handshake isn't all that simple any more. I wouldn't >>worry about it. If someone could forge that reliably, there is >>much better game to go after (like breaking into machines that >>still use IP addresses for authorization.) Someone spoofing an IP >>so that you mistakenly block an innocent party is pretty much >>wasting a good trick. > > Is it possible at all? You spoof your address to appear as my ISP for the > source address of a TCP connection. You send a SYN packet seeming to appear > from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because > that address never sent SYN in first place. You never get anything back, > neither do I, and no TCP handshake occurs. > > Or does this involve a much more sophisticated attack than I'm imagining? Spoofing the tcp connection is possible if you can guess what was in the packet that the other side sent back in response to the first spoofed syn. Obviously you'll never see the packet, but the only thing that you need to know that isn't obvious is the initial sequence number. Back in the early days of BSD the initial tcp-sequence number wasn't all that hard to guess. Predicting it was relatively easy if the other side was a BSD system that didn't have too many tcp connections per second. After each tcp connections the kernel incremented the initial sequence number by some small, fixed amount. Connecting up to any tcp port would tell you what the kernel was currently using. Connecting a few times in a row would tell you how much it incremented the initial number by for each connection. It also gave on a rough idea how many connections per second the kernel was seeing. -wolfgang
Re: is there a way to block sshd trolling?
From: Wolfgang S. Rupprecht
> 2) Forging the source IP in a TCP packet and succeeding in negotiating
>    the 3-way handshake isn't all that simple any more. I wouldn't
>    worry about it. If someone could forge that reliably, there is
>    much better game to go after (like breaking into machines that
>    still use IP addresses for authorization.) Someone spoofing an IP
>    so that you mistakenly block an innocent party is pretty much
>    wasting a good trick.

Is it possible at all? You spoof your address to appear as my ISP for the source address of a TCP connection. You send a SYN packet seeming to appear from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because that address never sent SYN in first place. You never get anything back, neither do I, and no TCP handshake occurs.

Or does this involve a much more sophisticated attack than I'm imagining?

DS
Re: is there a way to block sshd trolling?
Just to add my $0.02. The best they could hope for would be disallowing your
default gateway from connecting to your ssh server... whoop-de-doo.

On 9/23/05, Wolfgang S. Rupprecht <[EMAIL PROTECTED]> wrote:
> <[EMAIL PROTECTED]> writes:
>> My only question is what if I traceroute to you, find out the IP number
>> of your upstream router? Then I make a bunch of connection attempts to your
>> IP but forge the packets to make them look like they came from your
>> upstream. Don't *you* end up blacklisting your default route and you become
>> 'so long suckah'd?
>
> This isn't a problem for 2 reasons.
>
> 1) The upstream router isn't likely to be the destination of any
> packet in a consumer-isp situation. Only if you are running some
> routing protocol that uses that upstream router as an endpoint
> (eg. rip, ospf, etc) will a block against that router's IP matter
> to you.
>
> I've heard of cases where folks intentionally add an IP-level block
> against their ISP's whole infrastructure. (Some ISP's don't allow
> any "servers". If they find an sshd hanging on port 22 are they
> going to hassle you? Just block 'em.)
>
> 2) Forging the source IP in a TCP packet and succeeding in negotiating
> the 3-way handshake isn't all that simple any more. I wouldn't
> worry about it. If someone could forge that reliably, there is
> much better game to go after (like breaking into machines that
> still use IP addresses for authorization.) Someone spoofing an IP
> so that you mistakenly block an innocent party is pretty much
> wasting a good trick.
>
> -wolfgang
Re: is there a way to block sshd trolling?
On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
> There's got to be a better way, and I'm open to suggestions.

This is really something well dealt with in the archives, so please search
those for other suggestions. I'm sure there are better options. Personally,
I use the following combination of lines:

pass in quick on $ext_if proto tcp from <beheer> to ($ext_if) \
    port ssh flags S/SA keep state
pass in quick on $ext_if proto tcp from ! <ssh-scan> to ($ext_if) \
    port ssh flags S/SA keep state \
    (max-src-conn-rate 10/10, overload <ssh-scan> flush global)

Combined with two tables ("beheer" for known administrator addresses and
"ssh-scan" for known offenders), this keeps most of my logs tidy.

Cheers,
Rogier

--
If you don't know where you're going, any road will get you there.
Re: is there a way to block sshd trolling?
<[EMAIL PROTECTED]> writes:
> My only question is what if I traceroute to you, find out the IP number of
> your upstream router? Then I make a bunch of connection attempts to your IP
> but forge the packets to make them look like they came from your upstream.
> Don't *you* end up blacklisting your default route and you become 'so long
> suckah'd?

This isn't a problem for 2 reasons.

1) The upstream router isn't likely to be the destination of any
packet in a consumer-isp situation. Only if you are running some
routing protocol that uses that upstream router as an endpoint
(eg. rip, ospf, etc) will a block against that router's IP matter
to you.

I've heard of cases where folks intentionally add an IP-level block
against their ISP's whole infrastructure. (Some ISP's don't allow
any "servers". If they find an sshd hanging on port 22 are they
going to hassle you? Just block 'em.)

2) Forging the source IP in a TCP packet and succeeding in negotiating
the 3-way handshake isn't all that simple any more. I wouldn't
worry about it. If someone could forge that reliably, there is
much better game to go after (like breaking into machines that
still use IP addresses for authorization.) Someone spoofing an IP
so that you mistakenly block an innocent party is pretty much
wasting a good trick.

-wolfgang
Re: is there a way to block sshd trolling?
John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist
> http://lfriends.franoculator.com/phpBB2/viewtopic.php?t=103

That's the hosts.deny method, for those of you scoring at home. It's a good
solution, but you're better off enabling DSA/RSA keys and doing away with
password auth altogether. Running sshd on a different port never hurt anyone
either.

HTH.

--
Matt
Re: is there a way to block sshd trolling?
--On 23 September 2005 15:05 -0500, [EMAIL PROTECTED] wrote:
> My only question is what if I traceroute to you, find out the IP number of
> your upstream router? Then I make a bunch of connection attempts to your IP
> but forge the packets to make them look like they came from your upstream.

The suggestion is for max-src-conn-rate, not max-src-state.
Re: is there a way to block sshd trolling?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> My only question is what if I traceroute to you, find out the
> IP number of your upstream router? Then I make a bunch of
> connection attempts to your IP but forge the packets to make
> them look like they came from your upstream. Don't *you* end
> up blacklisting your default route and you become 'so long suckah'd?

If you blacklist an IP on syn attempts only, maybe. In order for you to try
to brute force logins you'll need a full TCP handshake which you'll never
accomplish if you're spoofing yourself as the IP of the router.

DS
Re: is there a way to block sshd trolling?
John Marten wrote:
> There's got to be a better way, and I'm open to suggestions.

Use public key authentication to start with. It's very easy to setup and
much more secure than password authentication. With public key
authentication, passwords will never work. You might also want to make it a
practice to disallow root logins via ssh. Changing the port number is not a
bad idea also.
Re: is there a way to block sshd trolling?
On Fri, 23 Sep 2005 21:55:12 +0200 Tomasz Baranowski <[EMAIL PROTECTED]> wrote: > You can change the port number in /etc/ssh/sshd_config . It's 100% > effective against that kind of bots. Some intelligent scripts look at tcp responses to port scans, ssh responds with SSH-2.0, which isn't too hard to identify. I don't know if changing the greeting would break the protocol, but I suspect it might break certain clients. -- A horse is a horse, of course, of course, And no one can talk to a horse, of course, Unless, of course, the horse, of course, Is the famous Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net
Re: is there a way to block sshd trolling?
[EMAIL PROTECTED] wrote:
> My only question is what if I traceroute to you, find out the IP number of
> your upstream router? Then I make a bunch of connection attempts to your IP
> but forge the packets to make them look like they came from your upstream.
> Don't *you* end up blacklisting your default route and you become 'so long
> suckah'd?
>
> --ja
>
>> That's how I handle this type of annoyance:
>> http://data.homeip.net/projects/ssh_wall.php
>> Of course, YMMV.
>> Ciao.

Add a "quick pass" rule for your upstream router before the max-src-conn foo.
Re: is there a way to block sshd trolling?
On Friday 23 September 2005 03:15 pm, Mr.Slippery wrote: > That's how I handle this type of annoyance: > http://data.homeip.net/projects/ssh_wall.php Slick. Er...slippery, that is.
Re: is there a way to block sshd trolling?
Roy Morris wrote:
> why not use max-connections ? and dump them into a
> table with no access. Or if this is a home machine just
> move the port to some high port, most scripts won't bother
> looking.

Yup, I forgot to add that you can put another thing in that max-conn... that
handles the overflow; it sends it to a bad hosts file or some such, then
just persist that.

Brandon
Re: is there a way to block sshd trolling?
Use the tarpit patch that I wrote
http://www.linbsd.org/openssh-samepasswd.patch

-Ober

On Fri, 23 Sep 2005, Abraham Al-Saleh wrote:
> You could use connection throttling, it won't eliminate them, but it will
> make it take longer. If you don't need ssh on that host (although, you
> probably do, I'd be lost without it) disable it. You could bind sshd to a
> different port, and disable port 22 (most of these attacks are automated
> bots). The best thing you can do is to disable root access, use difficult
> passwords (or better yet, use keys and disable passwords), go out of your
> way to make sure you don't use common names for usernames (if you can), and
> enforce a good password policy. Then you can do what I do when I get the
> output of my logs, laugh.
>
> On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
>> You know what i mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so i'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: invalid user somename"
>> "Failed password for invalid user somename"
>> "Received disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>> John F. Marten III
>> Information Technology Specialist
>
> --
> Abe Al-Saleh
> And then came the Apocalypse. It actually wasn't that bad, everyone got
> the day off and there were barbeques all around.
Re: is there a way to block sshd trolling?
On Fri, 23 Sep 2005 11:40:36 -0700 "John Marten" <[EMAIL PROTECTED]> wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist

Use tables. See:
http://www.section6.net/wiki/index.php/Thwarting_ssh_hackers_with_swatch_pf

--
Thordur I. <[EMAIL PROTECTED]>
Humppa!
Re: is there a way to block sshd trolling?
You could use pf to block Linux ssh access.

block in log quick on $EXT_IF inet proto tcp from any os "Linux" to port 22 label "Blocked Linux ssh access: "

That'll reduce it quite a lot.

John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist
Re: is there a way to block sshd trolling?
My only question is what if I traceroute to you, find out the IP number of
your upstream router? Then I make a bunch of connection attempts to your IP
but forge the packets to make them look like they came from your upstream.
Don't *you* end up blacklisting your default route and you become 'so long
suckah'd?

--ja

> That's how I handle this type of annoyance:
> http://data.homeip.net/projects/ssh_wall.php
> Of course, YMMV.
> Ciao.
> --
Re: is there a way to block sshd trolling?
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. You can change the port number in /etc/ssh/sshd_config . It's 100% effective against that kind of bots. Greetings, Tomasz Baranowski
Re: is there a way to block sshd trolling?
- Original Message:
From: Bryan Irvine <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Friday, September 23 2005 09:55 AM
Subject: Re: is there a way to block sshd trolling?

>Have snort or portsentry add those ips to a table in pf.conf.
>
>--Bryan
>
>On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
>> You know what i mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so i'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: invalid user somename"
>> "Failed password for invalid user somename"
>> "Received disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>> John F. Marten III
>> Information Technology Specialist
-

You could use pf to add the entries to your block table based upon
connect/disconnect rate. Notice the timescale of this attack in your
authlog, no human types this fast. See man pf.conf for pertinent examples.

Regards,
Rob
Re: is there a way to block sshd trolling?
You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs, laugh.

On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist

--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that bad, everyone got the
day off and there were barbeques all around.
Re: is there a way to block sshd trolling?
John Marten wrote:
>You know what i mean? Every day I get some script kiddie, or adult
>trying to guess usernames or passwords.
>I've installed the newest version of SSH, so i'm covered there. But I
>still get a dozen or 2 of the
>"sshd Invalid user somename from ###.##.##.###"
>"input_userauth_request: invalid user somename"
>"Failed password for invalid user somename"
>"Received disconnect from ###.##.##.###"
>Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>from ###.##.##.### to any flags S/SA'
>entry in my pf.conf file. But if I had to do that for every hacker my
>pf.conf would be huge!
>There's got to be a better way, and I'm open to suggestions.
>

You can try to limit the overly persistent number of incoming connections.
Or you can run SSH on a non-default port. Try the pf way first with the
max-src-conn-rate on all incoming connections. I think it's like

pass in quick on $external from any to any port $services flags... etc keep state (max-src-conn-rate 100/10)

or whatever you need.

Brandon
Re: is there a way to block sshd trolling?
On Friday 23 September 2005 02:40 pm, John Marten wrote: > There's got to be a better way, and I'm open to suggestions. Use a non-standard port and/or public key exchange. Chris
Re: is there a way to block sshd trolling?
Why not use max-connections? And dump them into a table with no access. Or
if this is a home machine just move the port to some high port, most scripts
won't bother looking.

cheers
rm

John Marten wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist
Re: is there a way to block sshd trolling?
> On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
>> You know what i mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so i'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: invalid user somename"
>> "Failed password for invalid user somename"
>> "Received disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>> John F. Marten III
>> Information Technology Specialist

Change your sshd listen port? Should take care of most of the scripts.
Re: is there a way to block sshd trolling?
John Marten ([EMAIL PROTECTED]) dixit:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist

That's how I handle this type of annoyance:
http://data.homeip.net/projects/ssh_wall.php
Of course, YMMV.
Ciao.

--
Florin (Slippery) Iamandi
Reason is the first victim of emotion. -- Scytale, Dune Messiah
Re: is there a way to block sshd trolling?
Have snort or portsentry add those ips to a table in pf.conf.

--Bryan

On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
> You know what i mean? Every day I get some script kiddie, or adult
> trying to guess usernames or passwords.
> I've installed the newest version of SSH, so i'm covered there. But I
> still get a dozen or 2 of the
> "sshd Invalid user somename from ###.##.##.###"
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
> "Received disconnect from ###.##.##.###"
> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> from ###.##.##.### to any flags S/SA'
> entry in my pf.conf file. But if I had to do that for every hacker my
> pf.conf would be huge!
> There's got to be a better way, and I'm open to suggestions.
>
> John F. Marten III
> Information Technology Specialist
Re: is there a way to block sshd trolling?
IIRC there are scripts that will automatically add lines to your hosts.deny
file. Sorry, but I can't remember the names. I suggest you also create some
keys for yourself to use and disable password authentication. With password
auth disabled the attacks won't be more than an annoyance for the most part.
If you google you'll find it's a very common problem, I'm sure you'll also
find the scripts I mentioned above. If I can find them I'll post links.

Good luck!
Mike