Re: avoid logging useless ssh brute force attempts

2008-01-31 Thread johan beisser
I've simply added in an overload rule to pf on my server. This has  
helped significantly.



On Jan 31, 2008, at 11:11 PM, Chris wrote:


> my logs are filled with useless ssh bruteforce attempts - is there
> anything i can do to avoid logging random brute force attacks? since i
> disallow ssh root login and use the allowuser acl - i guess i could
> just avoid logging all these random attacks in my logs.
>
> Any suggestions would be much appreciated. Thanks.




Re: avoid logging useless ssh brute force attempts

2008-01-31 Thread Peter N. M. Hansteen
Chris <[EMAIL PROTECTED]> writes:

> my logs are filled with useless ssh bruteforce attempts - is there
> anything i can do to avoid logging random brute force attacks? since i
> disallow ssh root login and use the allowuser acl - i guess i could
> just avoid logging all these random attacks in my logs.

I suppose you already have a PF rule set with overload rules[1]?  If
not, writing a few simple rules like the one in that example will rid
you of most of the noise.

[1] see eg http://home.nuug.no/~peter/pf/en/bruteforce.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Richard Toohey

On 1/02/2008, at 8:39 PM, Peter N. M. Hansteen wrote:


> Chris <[EMAIL PROTECTED]> writes:
>
> > my logs are filled with useless ssh bruteforce attempts - is there
> > anything i can do to avoid logging random brute force attacks? since i
> > disallow ssh root login and use the allowuser acl - i guess i could
> > just avoid logging all these random attacks in my logs.
>
> I suppose you already have a PF rule set with overload rules[1]?  If
> not, writing a few simple rules like the one in that example will rid
> you of most of the noise.
>
> [1] see eg http://home.nuug.no/~peter/pf/en/bruteforce.html




And I would recommend (seriously) a book by some fellow called
Peter N. M. Hansteen.  I think he hangs around this list ... 8-)

The Book of PF - A No-Nonsense Guide to the OpenBSD Firewall (Paperback)
by P Hansteen (Author)

First tech. book in a long time that I have read cover-to-cover and
ear-marked quite a few pages for investigating further.

Not sure if it fixes your exact problems (which logs exactly are
being filled?  pflog? authlog?  Are you using pf or just sshd?)



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Matt

Chris wrote:

> my logs are filled with useless ssh bruteforce attempts - is there
> anything i can do to avoid logging random brute force attacks? since i
> disallow ssh root login and use the allowuser acl - i guess i could
> just avoid logging all these random attacks in my logs.
>
> Any suggestions would be much appreciated. Thanks.

One of the suggestions I have seen on this list is to enable pf and add
a max-src-connection rate for ssh.

So if someone connects, say 4 times within 30 seconds, you block them.
It will not stop the first attempts from being logged but after that you 
are in the clear.


Make sure you empty the table with attackers once in a while though.

Matt



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Richard Toohey

On 1/02/2008, at 9:11 PM, Richard Toohey wrote:


> On 1/02/2008, at 8:39 PM, Peter N. M. Hansteen wrote:
>
> > Chris <[EMAIL PROTECTED]> writes:
> >
> > > my logs are filled with useless ssh bruteforce attempts - is there
> > > anything i can do to avoid logging random brute force attacks? since i
> > > disallow ssh root login and use the allowuser acl - i guess i could
> > > just avoid logging all these random attacks in my logs.
>
> Not sure if it fixes your exact problems (which logs exactly are
> being filled?  pflog? authlog?  Are you using pf or just sshd?)


Sorry, ignore the dumb question about which logs - I just have to
look at my own logs to see.  Not much noise in my logs with sshd on
high port numbers, and the next step after that is to follow Peter's
suggestions ... if you are using (or can use) pf.  And if you do, the
book is worth a read!



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Olivier Mehani
On Fri, Feb 01, 2008 at 06:11:17PM +1100, Chris wrote:
> my logs are filled with useless ssh bruteforce attempts - is there
> anything i can do to avoid logging random brute force attacks? since i
> disallow ssh root login and use the allowuser acl - i guess i could
> just avoid logging all these random attacks in my logs.
> Any suggestions would be much appreciated. Thanks.

For a start, you can use DenyHosts [0], which would add the "attacking"
IP to your hosts.deny file after a certain number of failed connection
attempts so that they won't even be able to establish a connection to
the SSH daemon. It won't solve your problem by itself, but it will at
least greatly diminish the entries in your log files.

You have to be careful, though, to have a good hosts.allow file
(whitelisting your domains/IPs) in order not to lock yourself out by
mistake (sometimes, too much alcohol doesn't help correctly remembering
one's password...).

[0] http://denyhosts.sf.net

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Dennis Davis
On Fri, 1 Feb 2008, Matt wrote:

> From: Matt <[EMAIL PROTECTED]>
> To: Chris <[EMAIL PROTECTED]>
> Cc: OpenBSD Misc 
> Date: Fri, 01 Feb 2008 09:25:02 +0100
> Subject: Re: avoid logging useless ssh brute force attempts
> 

...

> One of the suggestions I have seen on this list is to enable
> pf and add an max-src-connection rate for ssh.  So if someone
> connects, say 4 times within 30 seconds, you block them.  It will
> not stop the first attempts from being logged but after that you
> are in the clear.

As Peter has pointed out:

http://home.nuug.no/~peter/pf/en/bruteforce.html

is an excellent starting point for setting this up.  That's
where I started from.

> Make sure you empty the table with attackers once in a while though.

See:

/usr/ports/sysutils/expiretable

for an easy way to set this up, either as a daemon process or run out
of cron.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Peter N. M. Hansteen
Dennis Davis <[EMAIL PROTECTED]> writes:

> /usr/ports/sysutils/expiretable
>
> for an easy way to set this up, either as a daemon process or run out
> of cron.

Recent versions of pfctl have expire functionality built in, but
expiretable still works too.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
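A pf.conf fragment added here as an illustration (it is not from the thread, nor from Peter's page or the expiretable port), putting together Matt's "4 connections in 30 seconds" threshold and the table expiry that Dennis and Peter discuss; the interface name em0 and the 192.0.2.0/24 whitelist are assumptions.

```pf
# Added example, not from the thread. $ext_if and the <trusted> range
# are placeholders; adjust both before loading.
ext_if = "em0"

# Sources that must never be locked out (constructed placeholder range).
table <trusted> { 192.0.2.0/24 }

# Offenders are added here by the overload rule. "persist" keeps the
# table across ruleset reloads, so entries only leave when expired.
table <bruteforce> persist

# Drop offenders before any pass rule can match them.
block drop in quick on $ext_if from <bruteforce>

# Trusted sources bypass the rate limit entirely.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# Everyone else: a source that opens more than 4 new connections in
# 30 seconds is added to <bruteforce>. "flush global" also kills every
# existing state from that source, not only its SSH states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 4/30, \
     overload <bruteforce> flush global)
```

The built-in expiry Peter mentions is `pfctl -t bruteforce -T expire 86400`, run from cron, which removes entries added more than 24 hours ago; expiretable does the same job as a daemon.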



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread elpinguim
On Fri, Feb 01, 2008 at 06:11:17PM +1100, Chris wrote:
> my logs are filled with useless ssh bruteforce attempts - is there
> anything i can do to avoid logging random brute force attacks? since i
> disallow ssh root login and use the allowuser acl - i guess i could
> just avoid logging all these random attacks in my logs.
> 
> Any suggestions would be much appreciated. Thanks.

Configuring pf to not even respond to unallocated ip space also 
helps.  Search for Bogon filtering.

BruteForceBlocker works great:
http://danger.rulez.sk/projects/bruteforceblocker/

Kind regards.

-- 
i am jack's annoying signature.



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Martin Schröder
2008/2/1, elpinguim <[EMAIL PROTECTED]>:
> Configuring pf to not even respond to unallocated ip space also
> helps.  Search for Bogon filtering.

No. This just adds another way for things to go wrong. KISS. :-)

But I can understand that Penguins think it's a great idea.

Best
   Martin



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread elpinguim
On Fri, Feb 01, 2008 at 05:28:11PM +0100, Martin Schröder wrote:
> 2008/2/1, elpinguim <[EMAIL PROTECTED]>:
> > Configuring pf to not even respond to unallocated ip space also
> > helps.  Search for Bogon filtering.
> 
> No. This just adds another way for things to go wrong. KISS. :-)

Really, what things?  Script it, set cron to call it, done.  Simple.

Kind regards.

-- 
i am jack's annoying signature.



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread Tony Abernethy
elpinguim wrote:
> On Fri, Feb 01, 2008 at 05:28:11PM +0100, Martin Schröder wrote:
> > 2008/2/1, elpinguim <[EMAIL PROTECTED]>:
> > > Configuring pf to not even respond to unallocated ip space also
> > > helps.  Search for Bogon filtering.
> > 
> > No. This just adds another way for things to go wrong. KISS. :-)
> 
> Really, what things?  Script it, set cron to call it, done.  Simple.
> 
What happens when such as http://www.cymru.com/Documents/bogon-list.html
gets moved to bogon space?
How do you access information from an address that you insist cannot exist?
How do you script things when the format changes?

At any rate, why bother spoofing from a bogon address?
It has to be easy to find unused IP addresses in legitimate address blocks.



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread Martin Schröder
2008/2/2, elpinguim <[EMAIL PROTECTED]>:
> On Fri, Feb 01, 2008 at 05:28:11PM +0100, Martin Schröder wrote:
> > No. This just adds another way for things to go wrong. KISS. :-)
>
> Really, what things?  Script it, set cron to call it, done.  Simple.

"IP addresses that are bogon today may not be bogon tomorrow."

http://www.mcanerin.com/EN/articles/bogon-01.asp

KISS.

Best
   Martin



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread elpinguim
On Sat, Feb 02, 2008 at 05:26:59AM -0600, Tony Abernethy wrote:
> elpinguim wrote:
> > On Fri, Feb 01, 2008 at 05:28:11PM +0100, Martin Schröder wrote:
> > > 2008/2/1, elpinguim <[EMAIL PROTECTED]>:
> > > > Configuring pf to not even respond to unallocated ip space also
> > > > helps.  Search for Bogon filtering.
> > > 
> > > No. This just adds another way for things to go wrong. KISS. :-)
> > 
> > Really, what things?  Script it, set cron to call it, done.  Simple.
> > 
> What happens when such as http://www.cymru.com/Documents/bogon-list.html
> gets moved to bogon space?
> How do you access information from an address that you insist cannot exist?
> How do you script things when the format changes?
> 
> At any rate, why bother spoofing from a bogon address?
> It has to be easy to find unused IP addresses in legitimate address blocks.

Assuming that one is relying on a poorly maintained (or abandoned)
bogons list, then yes, I would agree there would be a problem.

But if the bogons list is actively reflecting the changes of ip
allocation on a daily basis (i.e. whois databases from ARIN, RIPE, APNIC),
as well as the system that's using it, would there still be a problem?  Not
likely.

-- 
i am jack's annoying signature.



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread elpinguim
On Sat, Feb 02, 2008 at 12:47:54PM +0100, Martin Schröder wrote:
> 2008/2/2, elpinguim <[EMAIL PROTECTED]>:
> > On Fri, Feb 01, 2008 at 05:28:11PM +0100, Martin Schröder wrote:
> > > No. This just adds another way for things to go wrong. KISS. :-)
> >
> > Really, what things?  Script it, set cron to call it, done.  Simple.
> 
> "IP addresses that are bogon today may not be bogon tomorrow."
> 
> http://www.mcanerin.com/EN/articles/bogon-01.asp
> 
> KISS.
> 
> Best
>    Martin

Agreed.  Assuming that a bogon list is not tracking the changes 
in ip allocation, then yes, there would be a problem.

-- 
i am jack's annoying signature.



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread Wijnand Wiersma
I don't think bogons are able to complete the TCP handshake since you
don't know how to route back. Filtering those will not make sure there
are less log messages about ssh logins.

Wijnand



Re: avoid logging useless ssh brute force attempts

2008-02-02 Thread johan beisser

On Feb 2, 2008, at 6:32 AM, Wijnand Wiersma wrote:


> I don't think bogons are able to complete the TCP handshake since you
> don't know how to route back. Filtering those will not make sure there
> are less log messages about ssh logins.


Not entirely true. Bogons are not supposed to be routed, or routable.  
It doesn't mean someone can't just throw up a BGP advert for a Bogon  
range and start using it, or intentionally spoof addresses from the  
route.




Re: avoid logging useless ssh brute force attempts

2008-02-03 Thread johan beisser

On Feb 3, 2008, at 9:12 PM, Ted Unangst wrote:


> you still don't gain anything.  what percentage of your traffic is
> coming from unallocated space?


I'm not disagreeing with you in that it's wasted effort. It is. This  
is why I personally use overload tables.




Re: avoid logging useless ssh brute force attempts

2008-02-03 Thread Ted Unangst
On 2/2/08, johan beisser <[EMAIL PROTECTED]> wrote:
> Not entirely true. Bogons are not supposed to be routed, or routable.
> It doesn't mean someone can't just throw up a BGP advert for a Bogon
> range and start using it, or intentionally spoof addresses from the
> route.

you still don't gain anything.  what percentage of your traffic is
coming from unallocated space?