Re: Package to block random SSH login attempts?
on Mon, Dec 06, 2004 at 07:10:03PM +1100, Sam Watkins ([EMAIL PROTECTED]) wrote:

> The other thing about ssh attacks is that I feel that I should try to contact the people whose server has presumably been taken over and let them know that it is attacking other servers. I did this manually a couple times, but I guess it would be useful to have a script to help (lookup whois and reverse DNS, see if there's a webpage hosted on the machine, look for contact email, and draft a message to various possible contact emails for me to edit). I know if my box was compromised and attacking people, I'd like to know about it!
>
> Attacking people's boxen running ssh seems to be a popular pastime at the moment; it would be good to have a way to fight back against this trend, rather than just protecting our own machines. Maybe there's some good reason NOT to contact people, I can't think why. Might not want to use your canonical email address though!

If you're really interested in doing that sort of reporting, you're welcome to crib from my SpamTools package (GPL):

    http://linuxmafia.com/~karsten/Download/SpamTools.tar.gz

...which does a lot of the "who are the contacts based on a given IP" logic.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
We're not going to fix this by getting the pilots to be more careful.
- Aviation industry approach to systemic improvement.
Re: Package to block random SSH login attempts?
You can also propose to everyone who wants to verify the integrity of their system to check it themselves: a script like chkrootkit which searches for the signature of a past ssh (or other) attack. A simple reference in the doc of ssh could alarm lots of people. Use cron to run it periodically, and don't bother to find a contact address.

On Thu, 23 Dec 2004 13:31:27 -0800, Karsten M. Self kmself@ix.netcom.com wrote:

> Attacking people's boxen running ssh seems to be a popular pastime at the moment, it would be good to have a way to fight back against this trend, rather than just protecting our own machines. Maybe there's some good reason NOT to contact people, I can't think why. Might not want to use your canonical email address though!

-- 
Marc Demlenne
GPG : 768FA483 (http://pgp.mit.edu)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Package to block random SSH login attempts?
The other thing about ssh attacks is that I feel that I should try to contact the people whose server has presumably been taken over and let them know that it is attacking other servers. I did this manually a couple times, but I guess it would be useful to have a script to help (lookup whois and reverse DNS, see if there's a webpage hosted on the machine, look for contact email, and draft a message to various possible contact emails for me to edit). I know if my box was compromised and attacking people, I'd like to know about it!

Attacking people's boxen running ssh seems to be a popular pastime at the moment; it would be good to have a way to fight back against this trend, rather than just protecting our own machines. Maybe there's some good reason NOT to contact people, I can't think why. Might not want to use your canonical email address though!

Sam
Re: Package to block random SSH login attempts?
Adam Rosi-Kessel wrote:
| Is there any Debian package (or free software outside of Debian) that can
| detect random ssh login attempts and blacklist (temporarily or
| permanently) the IP address?
|
| portsentry is similar but not quite on point. As I understand it,
| portsentry will block port scanners, but not people attempting random
| logins.
|
| What I'd like to do is block a particular IP address if there are more
| than, say, 5 attempted logins from nonexistent usernames, and more than
| 10 failed logins from existent usernames.

How about going about it another way? Use knockd to keep everyone out unless they use the right knock sequence first. That way, the port would not even seem to be open.

Paul
-- 
/** Running Debian Linux
 * For God so loved the world that He gave his only begotten Son,
 * that whoever believes in Him should not perish... John 3:16
 ** W. Paul Mills ** http://Mills-USA.com/ **/
Re: Package to block random SSH login attempts?
[EMAIL PROTECTED] (Adam Rosi-Kessel) writes:

> Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily or permanently) the IP address?

You might want to check the (albeit still unofficial) mirabello package I provide at an apt-get enabled unofficial archive at http://ietpd1.sowi.uni-mainz.de/debian/:

snip
Package: mirabello
Version: 0.31
Priority: optional
Section: net
Maintainer: Paul Seelig [EMAIL PROTECTED]
Depends: screen, iptables, whois, bash (= 3.0-1)
Suggests: ipmasq, portsentry
Architecture: all
Filename: ./binary/mirabello_0.31_all.deb
Size: 6848
Installed-Size: 24
MD5sum: d04bd01b116f2c669ba09aa3c51322b6
Description: intrusion detection monitoring and IP blocking scripts
 The script runclient is run via cron job at each reboot and every 15 minutes to ensure that scripts or programs defined via the RUNCLIENTS variable in /etc/mirabello.conf are started or continually running in the background within a detached screen session.
 .
 The mirabello script checks for illegal uploads via abuse of apache webserver vulnerabilities. It immediately shuts down the webserver if files owned by user www-data appear in the monitored temp dirs, and archives all log files into a not so obvious place on the server machine for remote retrieval by the sysadmin who has been sent an alert via mail.
 .
 The script intrudercheck monitors /var/log/auth.log for illegal ssh login attempts and blocks any source IP address from further contact to the system via iptables reject command.
snip

- End forwarded message -
Re: Package to block random SSH login attempts?
On Sat, Dec 04, 2004 at 11:42:40AM -0500, Adam Rosi-Kessel wrote:

> Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily or permanently) the IP address?

My new server has been getting attacked several times a week, even though it's not serving anything much yet. I wrote a little script to check how many times it's been attacked, and by whom; here's the results so far:

    107 Nov 22 220.72.22.110
      9 Nov 22 61.135.145.249
      9 Nov 23 67.15.45.240
    107 Nov 23 211.229.236.170
      3 Nov 28 207.248.228.194
     18 Nov 29 210.219.250.239
      3 Nov 29 196.38.231.130
    112 Dec  1 203.69.243.102
    577 Dec  2 216.240.139.153
      9 Dec  5 220.70.167.67

I'm not much worried about a break-in, but 557 attempts is quite a lot. Apart from anything, it must slow down my puny server having to do all that crypto! I don't want to run my script one day and see a million attempts or something! I suppose it would be possible to do something like that with a threaded attack. Still, it's more efficient for them to go after people with dumb passwords.

I think a good solution would be exponential lockout: for each failed login, sshd should double the amount of time a certain IP has to wait before it will be allowed to connect again, and reset to 1 after a successful login. I.e. if someone types the wrong password, their IP will be locked out for 1 second; if they type the wrong password again, they are locked out for 2 seconds, then 4, then 8, etc. This would limit the number of failed connections per day from a particular IP address to about 16 (2^17 seconds/day), which is not enough for anyone to guess my password, but it wouldn't lock ME out (for long) if I accidentally typed my password wrong or screwed up my keys a few times. Maybe this kind of solution is more scalable for a multi-user system than arbitrary limits and permanent lockout.

I wrote a hack for pppd that did something like this a while ago: it would redial automatically if the connection dropped out, but for every failed connection would wait twice as long before it did (we pay a connection fee for local phone calls in .au; infinite redial loops can be expensive!) If anyone else thinks this would be worthwhile, I might have a go at getting sshd to do it. Or would this be better implemented somewhere else, maybe as a general anti-abuse service that would interact with iptables?

Sam

P.S. here's my attacks script if you're interested:

    #!/bin/sh
    # Count 'Failed password' lines per day and source address, oldest log first.
    ls -r /var/log/auth.log* | xargs catz | grep 'Failed password' | grep "$HOSTNAME" \
        | sed "s/$HOSTNAME.*::://; s/ port.*//; s/ ..:..:.. / /" | uniq -c

and catz is:

    #!/bin/sh
    # cat each argument, decompressing .gz and .bz2 files on the fly
    for A in "$@"; do
        case $A in
            *.gz)  zcat "$A" ;;
            *.bz2) bzcat "$A" ;;
            *)     cat "$A" ;;
        esac
    done
Re: Package to block random SSH login attempts?
Incoming from Adam Rosi-Kessel:
> Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily or permanently) the IP address?

fwlogwatch purports to be able to do this (I haven't tried this feature; ymmv). However, wouldn't it make more sense to simply limit ssh to accept login attempts only from IPs you (or your users?) might be coming from?

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling  Please don't Cc: me.
Re: Package to block random SSH login attempts?
On Sat, 4 Dec 2004 14:50:24 -0700 s. keeling [EMAIL PROTECTED] wrote:

> Incoming from Adam Rosi-Kessel:
> > Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily or permanently) the IP address?
>
> fwlogwatch purports to be able to do this (I haven't tried this feature; ymmv). However, wouldn't it make more sense to simply limit ssh to accept login attempts only from IPs you (or your users?) might be coming from?

Limiting login to certain ips tremendously decreases flexibility. Things such as remote admin from a dynamic ip, users on the road (or even being on the road yourself), etc. If you're strictly doing it in a work environment where you only access the servers from your own network, you're extremely fortunate. I rarely have that pleasure. This is Linux, where we're supposed to be able to have a server accessible to the world without having to worry about who can get in. Ok, so a good password should prevent the need for worry, but I still believe there should be an easier way than simply restricting ssh access to certain ips.

To the OP, you might check out the following thread on the same subject from a couple months ago. It has a good stop-gap measure (pam) along with a couple more detailed solutions if you don't mind recompiling your kernel. The thread can be found at:

http://lists.debian.org/debian-user/2004/09/msg03580.html

HTH,
Jacob
Re: Package to block random SSH login attempts?
Incoming from Jacob S:
> On Sat, 4 Dec 2004 14:50:24 -0700 s. keeling [EMAIL PROTECTED] wrote:
> > Incoming from Adam Rosi-Kessel:
> > > Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily
> >
> > fwlogwatch purports to be able to do this (I haven't tried this feature; ymmv). However, wouldn't it make more sense to simply limit ssh to accept login attempts only from IPs you (or your users?) might
>
> Limiting login to certain ips tremendously decreases flexibility. Things

Flexibility, vulnerability, ... Choose one.

> This is Linux, where we're supposed to be able to have a server accessible to the world without having to worry about who can get in.

What have you been smoking, and may I have some?

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling  Please don't Cc: me.
Re: Package to block random SSH login attempts?
On Sat, 2004-12-04 at 11:42 -0500, Adam Rosi-Kessel wrote:

> Is there any Debian package (or free software outside of Debian) that can detect random ssh login attempts and blacklist (temporarily or permanently) the IP address?
>
> portsentry is similar but not quite on point. As I understand it, portsentry will block port scanners, but not people attempting random logins.
>
> What I'd like to do is block a particular IP address if there are more than, say, 5 attempted logins from nonexistent usernames, and more than 10 failed logins from existent usernames.
>
> I've written the following little hack to do it, but I don't particularly like running untested hacks as root, and also it'd be preferable if the blacklisting could happen immediately, rather than as an occasional cron job.

Something that continuously tails might get around the occasional cron job problem. Since group adm has +r access to /var/log/syslog, a user that belongs to group adm may be the key.

-- 
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B  I prefer encrypted mail.

484,246 sq mi (1,254,197 sq km) are needed for 6 billion people to live, 4 persons per lot, in lots that are 60'x150' (a nice suburban US plot). That is ~ California, Texas and Missouri. Alternatively, France, Spain and The United Kingdom.
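As an added example that is not code from this thread, here is a small Python tracker combining Adam's per-IP thresholds quoted above (5 failures against nonexistent usernames, 10 against existing ones) with Sam's doubling lockout from earlier in the thread, which a successful login resets. The auth.log lines are constructed samples, and the function names tally, should_block and lockout_seconds are mine.

```python
# Added example, not code from the thread: Adam's two per-IP thresholds plus
# Sam's doubling lockout, applied to constructed auth.log lines (not real IPs).
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  2 10:00:01 host sshd[101]: Failed password for invalid user test from 192.0.2.10 port 4010 ssh2
Dec  2 10:00:02 host sshd[102]: Failed password for invalid user guest from 192.0.2.10 port 4011 ssh2
Dec  2 10:00:03 host sshd[103]: Failed password for invalid user admin from 192.0.2.10 port 4012 ssh2
Dec  2 10:00:04 host sshd[104]: Failed password for invalid user oracle from 192.0.2.10 port 4013 ssh2
Dec  2 10:00:05 host sshd[105]: Failed password for invalid user www from 192.0.2.10 port 4014 ssh2
Dec  2 10:00:06 host sshd[106]: Failed password for invalid user mysql from 192.0.2.10 port 4015 ssh2
Dec  2 10:00:07 host sshd[107]: Failed password for root from 192.0.2.10 port 4016 ssh2
Dec  2 10:00:08 host sshd[108]: Failed password for sam from 198.51.100.7 port 5000 ssh2
Dec  2 10:00:09 host sshd[109]: Accepted publickey for sam from 198.51.100.7 port 5001 ssh2
"""

# "invalid user" marks a nonexistent account; its absence means the name exists.
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
INVALID_USER_LIMIT = 5   # Adam: "more than, say, 5 attempted logins from nonexistent usernames"
VALID_USER_LIMIT = 10    # Adam: "more than 10 failed logins from existent usernames"

def tally(log_text):
    """Per source IP: failures against nonexistent and existing usernames, plus
    Sam's count of consecutive failures, which a successful login resets."""
    stats = defaultdict(lambda: {"invalid": 0, "valid": 0, "streak": 0})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            s = stats[m["ip"]]
            s["invalid" if m["invalid"] else "valid"] += 1
            s["streak"] += 1
        elif m := ACCEPTED.search(line):
            stats[m["ip"]]["streak"] = 0
    return dict(stats)

def should_block(s):
    """Adam's rule, read here as: exceeding either threshold earns a block."""
    return s["invalid"] > INVALID_USER_LIMIT or s["valid"] > VALID_USER_LIMIT

def lockout_seconds(streak):
    """Sam's scheme: 1 s after the first failure, doubling per failure, 0 after a success."""
    return 2 ** (streak - 1) if streak > 0 else 0

if __name__ == "__main__":
    for ip, s in tally(SAMPLE_LOG).items():
        verdict = "BLOCK" if should_block(s) else "ok"
        print(f"{ip:15} {s} {verdict} next wait {lockout_seconds(s['streak'])}s")
```

Run as-is, the first source exceeds the nonexistent-username threshold and would be sitting out a 64 second lockout, while the second source's single typo is forgotten by its successful login.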