Re: [Astlinux-users] Dictionary Harvest Attack
Darrick Hartman wrote:
>> On Apr 27, 2009, at 5:07 PM, John Novack wrote:
>>> May I assume this firewall module is not usable with boards that only have a single Ethernet port?
>>>
>>> John Novack
>>
>> Basically, yes 2+ interfaces are required.
>
> Lonnie,
>
> While not possible with the current Astlinux setup, it IS entirely possible to run Arno's Firewall with only one interface. I do this all the time to replace the stock iptables firewall on my Linux installs. Even if a device is not providing routing functionality or acting as the edge device in a network, it's still a sane security practice to have a firewall in place.
>
> Right now we have a test for intif prior to starting the firewall. It could be argued that it may be desirable to have a firewall enabled at all times.
>
> Darrick
>
> --
> Darrick Hartman
> DJH Solutions, LLC
> http://www.djhsolutions.com

Well, I'd enthusiastically agree, since I'm running AstLinux with a single Ethernet port and need to find a solution to block this attack, now underway. For now, I'll just edit the stock iptables firewall. If it's feasible, it seems this capability would be useful in a future revision.

Thanks for your help, all.

~ D

--
Register Now & Save for Velocity, the Web Performance & Operations Conference from O'Reilly Media. Velocity features a full day of expert-led, hands-on workshops and two days of sessions from industry leaders in dedicated Performance & Operations tracks. Use code vel09scf and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
___
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
Re: [Astlinux-users] Dictionary Harvest Attack
Lonnie Abelbeck wrote:
> On Apr 27, 2009, at 5:07 PM, John Novack wrote:
>> May I assume this firewall module is not usable with boards that only have a single Ethernet port?
>>
>> John Novack
>
> Basically, yes 2+ interfaces are required.

Lonnie,

While not possible with the current Astlinux setup, it IS entirely possible to run Arno's Firewall with only one interface. I do this all the time to replace the stock iptables firewall on my Linux installs. Even if a device is not providing routing functionality or acting as the edge device in a network, it's still a sane security practice to have a firewall in place.

Right now we have a test for intif prior to starting the firewall. It could be argued that it may be desirable to have a firewall enabled at all times.

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
Re: [Astlinux-users] Dictionary Harvest Attack
No, you may not. :-)

Hosts also need firewalling.

-Philip

John Novack wrote:
> May I assume this firewall module is not usable with boards that only have a single Ethernet port?
>
> John Novack
>
> Philip Prindeville wrote:
>> Darrick Hartman (lists) wrote:
>>> Michael Keuter wrote:
>>>>>>> -Philip
>>>>>>
>>>>>> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?
>>>>>
>>>>> You can set Arno's firewall not to log blocked attacks. That is an option.
>>>>>
>>>>> --
>>>>> Darrick Hartman
>>>>
>>>> Hi Darrick,
>>>>
>>>> I know that, but when the attack starts (and you don't see the attack live) you don't know the attacker IP address. Then the log messages are coming from Asterisk. And within 2-3 minutes /var/ is full by the log messages of Asterisk (not by the firewall).
>>>
>>> Two ways around that.
>>>
>>> 1). If you have enough system ram, you can set the size of the var partition in the rc.conf file to a larger size.
>>>
>>> 2). Only allow SIP access from the IP addresses that you need to allow. Instead of having a wide-open port 5060, only accept SIP traffic from the IP addresses of your VOIP provider.
>>>
>>> Of course, if you're allowing anonymous calls into your Asterisk system, you can't do #2.
>>>
>>> Darrick
>>
>> Michael:
>>
>> The outstanding news is that anyone can contribute to Arno's Iptables Firewall, including you. :-)
>>
>> Seriously though, it shouldn't be too hard to take /usr/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin (or whatever it's called) and tweak it to do the same sort of rate-limiting with UDP traffic to port 5060 (or 5060-5064 or whatever).
>>
>> Try doing that... getting it working, and we can see about submitting it to Arno as part of the user contributed list of plugins.
>>
>> He's very receptive. :-)
>>
>> -Philip
Re: [Astlinux-users] Dictionary Harvest Attack
On Apr 27, 2009, at 5:07 PM, John Novack wrote:
> May I assume this firewall module is not usable with boards that only have a single Ethernet port?
>
> John Novack

Basically, yes 2+ interfaces are required.

The devels had talked about installing a dummy interface to always allow firewall and dnsmasq features, even with single interface boards, but I'm not aware of any progress on that front.

A possible option (though I haven't tried it) would be to enable a vlan on your single Ethernet interface, i.e. use eth0 (untagged) for the external interface and eth0.10 (tagged) for the internal interface, BUT be very careful that your upstream switch is properly configured, so that VLAN 10 is ignored (or accepted to other VLAN 10 ports).

vlans are cool.

Lonnie
Re: [Astlinux-users] Dictionary Harvest Attack
May I assume this firewall module is not usable with boards that only have a single Ethernet port?

John Novack

Philip Prindeville wrote:
> Darrick Hartman (lists) wrote:
>> Michael Keuter wrote:
>>>>>> -Philip
>>>>>
>>>>> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?
>>>>
>>>> You can set Arno's firewall not to log blocked attacks. That is an option.
>>>>
>>>> --
>>>> Darrick Hartman
>>>
>>> Hi Darrick,
>>>
>>> I know that, but when the attack starts (and you don't see the attack live) you don't know the attacker IP address. Then the log messages are coming from Asterisk. And within 2-3 minutes /var/ is full by the log messages of Asterisk (not by the firewall).
>>
>> Two ways around that.
>>
>> 1). If you have enough system ram, you can set the size of the var partition in the rc.conf file to a larger size.
>>
>> 2). Only allow SIP access from the IP addresses that you need to allow. Instead of having a wide-open port 5060, only accept SIP traffic from the IP addresses of your VOIP provider.
>>
>> Of course, if you're allowing anonymous calls into your Asterisk system, you can't do #2.
>>
>> Darrick
>
> Michael:
>
> The outstanding news is that anyone can contribute to Arno's Iptables Firewall, including you. :-)
>
> Seriously though, it shouldn't be too hard to take /usr/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin (or whatever it's called) and tweak it to do the same sort of rate-limiting with UDP traffic to port 5060 (or 5060-5064 or whatever).
>
> Try doing that... getting it working, and we can see about submitting it to Arno as part of the user contributed list of plugins.
>
> He's very receptive. :-)
>
> -Philip

--
Dog is my co-pilot
Re: [Astlinux-users] Dictionary Harvest Attack
Darrick Hartman (lists) wrote:
> Michael Keuter wrote:
>>>>> -Philip
>>>>
>>>> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?
>>>
>>> You can set Arno's firewall not to log blocked attacks. That is an option.
>>>
>>> --
>>> Darrick Hartman
>>
>> Hi Darrick,
>>
>> I know that, but when the attack starts (and you don't see the attack live) you don't know the attacker IP address. Then the log messages are coming from Asterisk. And within 2-3 minutes /var/ is full by the log messages of Asterisk (not by the firewall).
>
> Two ways around that.
>
> 1). If you have enough system ram, you can set the size of the var partition in the rc.conf file to a larger size.
>
> 2). Only allow SIP access from the IP addresses that you need to allow. Instead of having a wide-open port 5060, only accept SIP traffic from the IP addresses of your VOIP provider.
>
> Of course, if you're allowing anonymous calls into your Asterisk system, you can't do #2.
>
> Darrick

Michael:

The outstanding news is that anyone can contribute to Arno's Iptables Firewall, including you. :-)

Seriously though, it shouldn't be too hard to take /usr/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin (or whatever it's called) and tweak it to do the same sort of rate-limiting with UDP traffic to port 5060 (or 5060-5064 or whatever).

Try doing that... getting it working, and we can see about submitting it to Arno as part of the user contributed list of plugins.

He's very receptive. :-)

-Philip
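Philip's suggestion above is to reuse the mechanism of the SSH brute-force plugin for SIP. The script below is an added example written for this archive; it is not Arno's plugin code and not something posted in the thread. It builds the rules with the iptables `recent` match: every inbound UDP packet to the SIP ports records its source address, and a source that reaches `SIP_HITCOUNT` packets within `SIP_SECONDS` is dropped. Addresses listed in `SIP_TRUSTED` (your VoIP provider, which is Darrick's allow-list point) bypass the limit. The interface name, port range and thresholds are assumptions; `IPTABLES` defaults to `echo`, so running the script prints the rules for review instead of installing them.

```shell
#!/bin/sh
# Added example, not Arno's SSH plugin: per-source rate limiting of inbound
# UDP SIP with the iptables "recent" match. IPTABLES=echo (the default here)
# prints the rules for review; set IPTABLES=iptables to install them.

IPTABLES=${IPTABLES:-echo}
EXT_IF=${EXT_IF:-eth0}               # assumption: external interface name
SIP_PORTS=${SIP_PORTS:-5060:5064}    # Philip's "5060 (or 5060-5064)"
SIP_SECONDS=${SIP_SECONDS:-60}       # observation window, assumed value
SIP_HITCOUNT=${SIP_HITCOUNT:-20}     # packets per source in the window, assumed value;
                                     # xt_recent remembers 20 packets per address by
                                     # default (ip_pkt_list_tot), so larger values
                                     # need that module parameter raised
SIP_TRUSTED=${SIP_TRUSTED:-}         # space-separated provider addresses to exempt

# Emit (or install) the rules. Each source is recorded first, then any source
# seen SIP_HITCOUNT times within SIP_SECONDS is dropped. A phone re-registering
# every minute sends a handful of packets; a guessing script sending Dan's
# ~1,350 attempts per minute trips the limit almost immediately.
sip_rate_limit_rules() {
    $IPTABLES -N SIP_RATE_LIMIT
    for host in $SIP_TRUSTED; do
        $IPTABLES -A SIP_RATE_LIMIT -s "$host" -j RETURN
    done
    $IPTABLES -A SIP_RATE_LIMIT -m recent --name SIP_BRUTE --set
    $IPTABLES -A SIP_RATE_LIMIT -m recent --name SIP_BRUTE --update \
        --seconds "$SIP_SECONDS" --hitcount "$SIP_HITCOUNT" -j DROP
    $IPTABLES -A INPUT -i "$EXT_IF" -p udp --dport "$SIP_PORTS" -j SIP_RATE_LIMIT
}

# Stand-alone run: print the rule set for the defaults above.
sip_rate_limit_rules
```

The threshold suits a small system with a few phones; a busy provider trunk can legitimately exceed it, which is what `SIP_TRUSTED` is for. On an AstLinux box the rules should live in a plugin file as Philip describes rather than being appended to INPUT by hand, because Arno's firewall rebuilds its chains when it restarts.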
Re: [Astlinux-users] Dictionary Harvest Attack
Michael Keuter wrote:
>>>> -Philip
>>>
>>> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?
>>
>> You can set Arno's firewall not to log blocked attacks. That is an option.
>>
>> --
>> Darrick Hartman
>
> Hi Darrick,
>
> I know that, but when the attack starts (and you don't see the attack live) you don't know the attacker IP address. Then the log messages are coming from Asterisk. And within 2-3 minutes /var/ is full by the log messages of Asterisk (not by the firewall).

Two ways around that.

1). If you have enough system ram, you can set the size of the var partition in the rc.conf file to a larger size.

2). Only allow SIP access from the IP addresses that you need to allow. Instead of having a wide-open port 5060, only accept SIP traffic from the IP addresses of your VOIP provider.

Of course, if you're allowing anonymous calls into your Asterisk system, you can't do #2.

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
Re: [Astlinux-users] Dictionary Harvest Attack
> Michael Keuter wrote:
>>> Dan Ryson wrote:
>>>> All,
>>>>
>>>> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>>>>
>>>> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>>>>
>>>> ~ Dan
>>>>
>>>> Registration from '"317" ' failed for '85.214.69.155' - Wrong password
>>>
>>> Actually, they wouldn't.
>>>
>>> Look at using /etc/arno-iptables-firewall/blocked-hosts
>>>
>>> 85.214.69.155/32
>>>
>>> is all you need in there.
>>>
>>> -Philip
>>
>> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?
>
> You can set Arno's firewall not to log blocked attacks. That is an option.
>
> --
> Darrick Hartman

Hi Darrick,

I know that, but when the attack starts (and you don't see the attack live) you don't know the attacker IP address. Then the log messages are coming from Asterisk. And within 2-3 minutes /var/ is full by the log messages of Asterisk (not by the firewall).

Michael
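Michael's point is that the attacker's address is only visible in Asterisk's own log lines, and by the time someone reads them /var may already be full. The script below is an added example for this archive, not code from the thread or from AstLinux: it extracts the source address from lines of the form Dan quoted, counts failed registrations per address, and prints entries in the `/etc/arno-iptables-firewall/blocked-hosts` format Philip gives for any address over a threshold. The log lines are constructed samples; the `<sip:...@pbx.example>` contact host, the `192.0.2.10` address and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux or Arno's firewall code: turn Asterisk
# "Registration from ... failed for '<ip>'" lines into blocked-hosts entries.
# Uses only awk and sort, so it runs on a busybox-based system.

# Constructed sample log. 85.214.69.155 is the address from Dan's mail;
# 192.0.2.10 and the pbx.example contact host are made up for the example.
SAMPLE_LOG=$(cat <<'EOF'
NOTICE[1234] chan_sip.c: Registration from '"317" <sip:317@pbx.example>' failed for '85.214.69.155' - Wrong password
NOTICE[1234] chan_sip.c: Registration from '"318" <sip:318@pbx.example>' failed for '85.214.69.155' - Wrong password
NOTICE[1234] chan_sip.c: Registration from '"319" <sip:319@pbx.example>' failed for '85.214.69.155' - Wrong password
NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.10' - Wrong password
NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.0.2.10' - Peer is not supposed to register
EOF
)

# Read Asterisk log text on stdin; print "<count> <ip>" for every source
# address with at least $1 failed registrations (default 1), busiest first.
failed_reg_counts() {
    awk -v thr="${1:-1}" '
        /Registration from .* failed for / {
            # The source address is the single-quoted token after "failed for".
            if (match($0, /failed for '\''[0-9.]+'\''/)) {
                ip = substr($0, RSTART + 12, RLENGTH - 13)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' | sort -rn
}

# Same input; emit one "<ip>/32" line per offending address, ready to be
# appended to /etc/arno-iptables-firewall/blocked-hosts.
blocked_hosts_entries() {
    failed_reg_counts "$1" | awk '{ print $2 "/32" }'
}

# Stand-alone run: three failures from one address trip a threshold of 3,
# the two failures from 192.0.2.10 (a mistyped phone password) do not.
printf '%s\n' "$SAMPLE_LOG" | blocked_hosts_entries 3
```

In use you would feed it the log Asterisk writes to on the box (Michael says this is syslog on AstLinux) and pick a threshold well above what a misconfigured phone produces; at Dan's rate of ~1,350 attempts per minute the attacker stands out after seconds, which is the window Michael has before /var fills.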
Re: [Astlinux-users] Dictionary Harvest Attack
Michael Keuter wrote:
>> Dan Ryson wrote:
>>> All,
>>>
>>> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>>>
>>> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>>>
>>> ~ Dan
>>>
>>> Registration from '"317" ' failed for '85.214.69.155' - Wrong password
>>
>> Actually, they wouldn't.
>>
>> Look at using /etc/arno-iptables-firewall/blocked-hosts
>>
>> 85.214.69.155/32
>>
>> is all you need in there.
>>
>> -Philip
>
> A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?

You can set Arno's firewall not to log blocked attacks. That is an option.

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
Re: [Astlinux-users] Dictionary Harvest Attack
> Dan Ryson wrote:
>> All,
>>
>> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>>
>> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>>
>> ~ Dan
>>
>> Registration from '"317" ' failed for '85.214.69.155' - Wrong password
>
> Actually, they wouldn't.
>
> Look at using /etc/arno-iptables-firewall/blocked-hosts
>
> 85.214.69.155/32
>
> is all you need in there.
>
> -Philip

A problem in Astlinux is that before you can add an attacker to the blocklist (when you see the attacks in real time), the "/var/" partition will be full within 2-3 minutes just because of the growing syslog :-(. And from that point in time you do not have any logs at all. Is there a way that the rotated log can automatically be zipped?

Michael
Re: [Astlinux-users] Dictionary Harvest Attack
Outstanding. I'll give that a try.

Thanks Darrick and Philip.

~ D

Philip A. Prindeville wrote:
> Dan Ryson wrote:
>> All,
>>
>> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>>
>> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>>
>> ~ Dan
>>
>> Registration from '"317" ' failed for '85.214.69.155' - Wrong password
>
> Actually, they wouldn't.
>
> Look at using /etc/arno-iptables-firewall/blocked-hosts
>
> 85.214.69.155/32
>
> is all you need in there.
>
> -Philip
Re: [Astlinux-users] Dictionary Harvest Attack
Dan Ryson wrote:
> All,
>
> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>
> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>
> ~ Dan
>
> Registration from '"317" ' failed for '85.214.69.155' - Wrong password

Actually, they wouldn't.

Look at using /etc/arno-iptables-firewall/blocked-hosts

85.214.69.155/32

is all you need in there.

-Philip
Re: [Astlinux-users] Dictionary Harvest Attack
Dan,

If you're using Arno's fw, you can configure blocked IP addresses very easily. Those blocks will survive an upgrade. That feature should be present in the web interface, but can be done from the command line as well.

Darrick

Dan Ryson wrote:
> All,
>
> It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.
>
> What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.
>
> ~ Dan
>
> Registration from '"317" ' failed for '85.214.69.155' - Wrong password

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
[Astlinux-users] Dictionary Harvest Attack
All,

It appears we're getting pounded by a kiddy script that's trying to guess passwords. It's generating ~1,350 password guesses and log entries per minute (see example below). Although I have strong passwords, I'd like to block this effort by blocking this IP address.

What's the preferred way to block a dictionary attack in AstLinux? I'm presently using astlinux-0.6.4 on an x386 - with an external, hardware firewall. I'd prefer to not use IP Tables because I suspect any entries would be deleted whenever I upgrade versions.

~ Dan

Registration from '"317" ' failed for '85.214.69.155' - Wrong password