Re: is there a way to block sshd trolling?

2005-09-29 Thread Rico

Hi Nick

I managed to get it working like this..

I am mainly writing this also if other users might benefit from it :-)

In /etc/pf.conf I added only the following line:
block quick on $ext_if inet proto { tcp, udp } from <sshdhackers> to $ext_if

I then placed the following in /root/swatchrc:
watchfor /Invalid user/
[EMAIL PROTECTED], --subject=Hacking alert! We have an illegal login attempt!
exec pfctl -t sshdhackers -T add $10

This means that I will get an email notification plus pfctl will add the
illegal IP to the sshdhackers table.

In my case I only want to block illegal users since I am using
AllowUsers with SSHD, and because I don't want to risk blocking someone
who might have forgotten his/her password. This could be extended to
block the user if he or she fails at X attempts. Swatch then needs to be
looking for "Failed password for USER" where USER is the right username.
This actually is a good idea to block in case some script kid gets his
hands on the right username.

In /etc/rc.local I have placed the following line:
/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog

If one wants to see the IP in sshdhackers it can be done with:
pfctl -t sshdhackers -T show
And if one needs to delete an IP:
pfctl -t sshdhackers -T delete xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is the IP.

To get swatch to add the illegal entry to its own logging file, say
/root/swatchlog (as Nick used), I add this entry in /root/swatchrc after
the exec pfctl line:
exec echo $0 >> /root/swatchlog

And if you only want the IP to be logged:
exec echo $10 >> /root/swatchlog

In case someone doesn't know: $10 means the tenth word in the line (which
in authlog is the IP).

Hope others might benefit.

Cheers.
Rico.



Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan
What you could also do is install swatch from ports or packages and have 
a table in your pf.conf like this:


table <sshdtrolls> persist

and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label SSHDTrolls



A swatchrc file of:

watchfor /Failed password for invalid user/
   exec /sbin/pfctl -t sshdtrolls -T add $13
   [EMAIL PROTECTED], --subject=woo. we have a troll
   throttle 02:00
   exec echo $13 >> /root/swatchlog

Then run swatch with:

/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog 

(Note file locations and settings might need to be changed depending on 
your config)


I also have the AllowUsers and use PubKeyAuthentication and 
PasswordAuthentication No settings enabled in sshd_config. This means 
that for a normal login the error Failed password for invalid user 
won't come up as it'll never get that far as it's expecting a key.


If a troll tries to log in, they get one chance before the swatch picks 
it up and adds it to the block table.




Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico

Dear Nick

I have tried your setup below. I too have the setup and file placement 
as you, but I am not using keys.


When I try to log on as an illegal user, the attempt is logged by 
authlog, and having swatch running from the console it says:


1/1 addresses added.

I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'

I don't get any entries in the sshdhackers file and I don't get blocked 
from the system.


I also use AllowUsers

Would you mind explaining a bit more about your setup?

Friendly
Rico.





Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan
Strange. It's working for me - I've just tested my own setup again and 
it blocks me. Although the file logging isn't working though - not sure 
why that is...


Can you confirm that your pf rules have the block line in before the 
permit rule and that it's correct for your firewall rules - ie. no other 
rule is overriding it and that you're testing it on the interface the 
rule is on - ie the external interface.


You could change your permit ssh line to be something like this:

pass in log quick inet proto tcp from !<sshdtrolls> to $EXT_IF port 22 modulate state label "ssh in" flags S/SA


Change that line for whatever suits your rules - it's just an example of 
the !sshdtrolls bit. You probably don't even need the block rule in 
with this.


Also check the IP address in the table with pfctl -t sshdtrolls -T show 
and make sure it's correct.


The reason I think it's a firewall rule is that you said it said 1/1 
address added which means that it's picking it up from the logs and 
adding it to the table - the only other place it can go wrong is in the 
block rule.


Let me know how you get on.

Cheers - Nick







Re: is there a way to block sshd trolling?

2005-09-28 Thread Alexander Hall

Rico wrote:

I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'

I don't get any entries in the sshdhackers file and I don't get blocked 
from the system.


A table modification is not automatically added to the file the table 
was once populated from. Use

  # pfctl -t sshdtrolls -T show > /root/pf/sshdhackers
for that.

Concerning not being blocked, do you have this too?


and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label SSHDTrolls


/Alexander



Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico

Alexander Hall wrote:

Rico wrote:


I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'

I don't get any entries in the sshdhackers file and I don't get 
blocked from the system.



A table modification is not automatically added to the file the table 
was once populated from. Use

  # pfctl -t sshdtrolls -T show > /root/pf/sshdhackers
for that.


I know -) I am using Swatch to try to append to the file and then Swatch 
is making pf read the file again.


I can't make this work though.


Concerning not being blocked, do you have this too?


Yes :-)


and a rule

#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label SSHDTrolls



/Alexander





Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico

Hi Nick

Nick Ryan wrote:
Strange. It's working for me - I've just tested my own setup again and 
it blocks me. Although the file logging isn't working though - not sure 
why that is...


This, I think, is the interesting part because I want that very log 
file to be the blacklist file and then to have Swatch make pf grab 
that file.


That way each time there is an illegal user the log file is extended 
with the IP and pf adds that IP to the block rule.


I will try to work on this before working more on the missing block part :-)

Thanks for your reply!

Kindly
Rico.





Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan

Hi Rico,

I'd probably do that the other way - get rid of the log file bit out of 
the swatch config and let that update the pf table. Set up a separate 
cronjob to dump the table contents to a file every hour or so with a


pfctl -t sshdtrolls -T show > LOGFILENAME

This way the pf table is instantly updated as the person is scanning and 
the logfile is created later on. If you do it the other way you're back 
with the problem of how to import the logfile into the table quickly 
enough to stop the scanning.


Cheers. Nick






Re: is there a way to block sshd trolling?

2005-09-27 Thread Joakim Aronius
I second that. Blocking ssh access from Linux hosts removes 95% of these 
attacks. Simple and effective.

block drop in log quick on $ext_if proto { tcp, udp } from any os Linux to any port ssh label "Block ssh from Linux hosts"

/jkm

* Nick Ryan ([EMAIL PROTECTED]) wrote:
 You could use pf to block linux ssh access.
 
 block in log quick on $EXT_IF inet proto tcp from any os Linux to port 22 label "Blocked Linux ssh access: "
 
 That'll reduce it quite a lot.
 
 
 
 John Marten wrote:
 
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist



Re: is there a way to block sshd trolling?

2005-09-27 Thread Kevin Frand

I use an intruder table within pf
table <intruders> file "/etc/pf.intruders"

Then in pf rules:
block drop in log-all from <intruders> to any

Then I run this script out of cron on a periodic basis (remove the echo 
statements for cron use - I like to run it manually, too)


#!/usr/local/bin/bash
# This counts the number of failed login attempts from every ip address
# in /var/log/authlog


echo
echo
echo "The following is a list of failed login attempts:"
echo
echo "# Tries IP Address"
echo
# $13 is the address and $14 the word "port" on "Failed password for
# invalid user ..." lines; sort before uniq -c so non-adjacent repeats
# are counted together
cat /var/log/authlog | grep Failed | awk '{print $13"\t"$14}' | grep port | \
    awk '{print $1}' | sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}' > \
    /etc/pf.intruders.tmp

cat /etc/pf.intruders.tmp
#set the following number to set tolerance level - currently set to 20
cat /etc/pf.intruders.tmp | awk '{if ($1 >= 20) print $2}' > /etc/pf.intruders

#The following addresses have tried to log in as root
echo
echo "The following is a list of failed root login attempts:"
echo
echo "# Tries IP Address"
echo
cat /var/log/authlog | grep root | grep -i fail | awk '{print $11}' | \
    sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}' > /etc/pf.intruders.tmp

cat /etc/pf.intruders.tmp
cat /etc/pf.intruders.tmp | awk '{print $2}' >> /etc/pf.intruders
# The following addresses have successfully logged in as root - this
# should NEVER contain any entries

echo
echo "The following is a list of successful root logins:"
echo
echo "# Tries IP Address"
echo
cat /var/log/authlog | grep root | grep -v -i fail | grep -v su | \
    awk '{print $11}' | sort | uniq -c | sort -n | awk '{print "\t"$1"\t"$2}'
# insure only unique addresses and keep out my addresses (W.X.Y.Z) from
# the restricted log

cat /etc/pf.intruders | grep -v W.X.Y.Z | sort -u > /etc/pf.intruders.tmp
cp /etc/pf.intruders.tmp /etc/pf.intruders
rm /etc/pf.intruders.tmp
#replace the intruders table with the updated table
pfctl -t intruders -T replace -f /etc/pf.intruders
echo -n "Hack Check last ran at: " > /var/log/hackchklog
date >> /var/log/hackchklog
echo
echo "Addresses with more than 20 login attempts or any attempt to login as root have been copied to /etc/pf.intruders"

cat /var/log/hackchklog
echo

I also like to check out IP address that product the greatest number of 
packets that have been blocked  logged


echo "IP Addresses of Blocked Packets"
# -F. splits the "a.b.c.d.port" field so the port is dropped (setting FS
# inside the action would leave the first record unsplit)
tcpdump -n -e -ttt -r /var/log/pflog | awk '{print $1" "$2" "$3" "$10}' | \
    awk '{print $4}' | awk -F. '{print $1"."$2"."$3"."$4}' | sort | \
    uniq -c | sort -n



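As an added example (not code from this thread), the log-to-table step that the swatch rules and Kevin's cron script perform, written so the source address is matched by a regex instead of a fixed field number ($10 in Rico's swatchrc, $11 and $13 in Nick's and Kevin's), which differs between the "Invalid user" and "Failed password" message forms. It applies Kevin's rule (threshold of unknown-user failures, or any failed root login), skips failures for existing accounts so a forgotten password does not lock someone out, and never blocks whitelisted addresses (your own hosts, your upstream router). The authlog lines are constructed; the table name intruders is Kevin's.

```python
"""Count sshd failures per source address and build the pf table update."""
import re
from collections import Counter

# Constructed sample of /var/log/authlog lines (not taken from the thread).
SAMPLE_AUTHLOG = """\
Sep 27 03:12:01 gw sshd[1234]: Invalid user admin from 203.0.113.5
Sep 27 03:12:01 gw sshd[1234]: input_userauth_request: invalid user admin
Sep 27 03:12:03 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41200 ssh2
Sep 27 03:12:05 gw sshd[1234]: Received disconnect from 203.0.113.5: 11: Bye Bye
Sep 27 03:12:09 gw sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 41201 ssh2
Sep 27 03:14:10 gw sshd[1251]: Failed password for root from 198.51.100.9 port 3344 ssh2
Sep 27 03:15:00 gw sshd[1260]: Failed password for rico from 192.0.2.77 port 5555 ssh2
Sep 27 03:15:30 gw sshd[1261]: Accepted publickey for rico from 192.0.2.77 port 5556 ssh2
Sep 27 03:16:00 gw sshd[1270]: Failed password for invalid user oracle from 192.0.2.1 port 6000 ssh2
"""

# The address is the dotted quad after "from", wherever it sits on the line;
# the optional "invalid user " marks an account that does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(authlog_text):
    """Return (ip, user, unknown_user) for every 'Failed password' line.

    Only the 'Failed password' line is counted: sshd also logs
    'Invalid user X from IP' for the same attempt, and matching both
    would count every unknown-user failure twice.
    """
    events = []
    for line in authlog_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return events


def select_offenders(events, threshold=20, whitelist=frozenset()):
    """Addresses to block: at least `threshold` unknown-user failures, or any
    failed root login.  Failures for real accounts are ignored, and
    whitelisted addresses are never returned."""
    unknown = Counter(ip for ip, _user, bad in events if bad)
    root_fail = {ip for ip, user, bad in events if not bad and user == "root"}
    candidates = {ip for ip, n in unknown.items() if n >= threshold} | root_fail
    return sorted(candidates - set(whitelist))


def pf_table_file(ips):
    """Contents for a 'table <intruders> file "/etc/pf.intruders"' file."""
    return "".join(ip + "\n" for ip in ips)


def pfctl_add_args(table, ips):
    """argv to load the addresses straight into a pf table (pfctl -T add
    accepts several addresses at once)."""
    return ["pfctl", "-t", table, "-T", "add", *ips]


if __name__ == "__main__":
    # Low threshold so the short sample shows the effect; 20 is Kevin's value.
    offenders = select_offenders(parse_failures(SAMPLE_AUTHLOG), threshold=2,
                                 whitelist={"192.0.2.77"})
    print(pf_table_file(offenders), end="")
    print(" ".join(pfctl_add_args("intruders", offenders)))
```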




Re: is there a way to block sshd trolling?

2005-09-25 Thread Juan J.
On Fri, 23-09-2005 at 21:24 -0700, Ray Percival wrote:
 [...]
  I wonder if it's possible to fingerprint these programs.  I actually
  have a copy of the ssh-scanner that they use.  I got it by looking at
  the hack logs on a Linux server and going to the same FTP site they
  used (anonymous ftp even ;).
 I use the blocker script from this article. Seems to work pretty well. I'd 
 just block Linux but I have a few friends who have yet to see the OpenBSD 
 light. 
 http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded

From my experience only about 10% of the attackers come back to try
again, so filtering after scanning logs is not worth it if you don't have a
huge amount of attacks.

If your sshd_config is ok (AllowUsers is your friend), you're OK with
updates, and you're using good passwords... you're safe. Let'em try.

regards,

Juanjo

-- 
Development and systems: http://www.usebox.net/
  Personal page: http://www.usebox.net/jjm/



Re: is there a way to block sshd trolling?

2005-09-24 Thread Matthias Kilian
On Fri, Sep 23, 2005 at 08:07:35PM -0600, jared r r spiegel wrote:
   caveat is that i currently haven't implemented a way to expire entries
   out, however until you get something fancier tested/implemented,
   some simple pf action like that above might fly

/usr/ports/sysutils/expiretable in -current



Re: is there a way to block sshd trolling?

2005-09-24 Thread ed
On Fri, 23 Sep 2005 21:24:26 -0700
Ray Percival [EMAIL PROTECTED] wrote:

 Yeah. This is only a threat against *really* weak boxes. Having said
 that I've seen a lot of posts talking about changing ports. That's a
 line that I won't cross. I refuse to hide from the bots and it's not
 even a speedbump against somebody who is a real threat. But that just
 my personal line in the sand. 

I agree, but I've personally been the victim of such an attack, it's a
pain in the ass when you can't su to root, or login on the console.

What they did was to exploit gzip, I'm fairly certain. I could not
apt-get of course and thus left helpless. I no longer have faith in user
passwords. I do my best to prevent people using common user names
(besides myself who uses 'ed' of course, but with a decent password).
The account abused was dominic/dominic, at the time this account was
created the box did not have ssh open, and it was never an idea to, but
then the service was opened and about 6 weeks later it was thoroughly
shafted.

I use the following now:

rdr pass on $ext_if proto tcp from any to 1.2.3.4 port {22,3389} -> 10.10.10.10

block drop quick from <abuse_src>

pass in on $ext_if proto tcp from any to $range port {22,3389} keep state \
    ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global )

After several weeks I have accumulated a list of about 60 IP blocks. I
am wondering if block quick drop from abuse_src/24 is possible? But most
the IP addresses are not sequential.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 



Re: is there a way to block sshd trolling?

2005-09-24 Thread Stuart Henderson

--On 24 September 2005 13:31 +0100, ed wrote:


What they did was to exploit gzip, I'm fairly certain. I could not
apt-get of course and thus left helpless. I no longer have faith in
user passwords. I do my best to prevent people using common user names
(besides myself who uses 'ed' of course, but with a decent password).


See /usr/ports/security/passwdqc if you'd like to enforce strong 
passwords.




Re: is there a way to block sshd trolling?

2005-09-24 Thread frantisek holop
just a minor variation (in B dur) for what the others had said:

relevant parts of /etc/pf.conf:

SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"

table <bad_ssh> persist

block return-rst log quick proto tcp from <bad_ssh> label ssh-pirate
block in
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state $SSH_LIMIT label ssh

kripel cat /etc/daily.local
#!/bin/sh

echo "flushing bad_ssh:"
pfctl -t bad_ssh -T show
pfctl -t bad_ssh -T flush



yes, i know, i am forgiving, i flush the table everyday..
but you get the idea.  you can play with this as much as you like.
even make statistics, draw graphs, etc ;-) corporate drones like that ;-)
show them how much they need openbsd

-f
-- 
drinking kills brain cells, but just the weak ones...



Re: is there a way to block sshd trolling?

2005-09-23 Thread Mike Hernandez
IIRC there are scripts that will automatically add lines to your
hosts.deny file. Sorry, but I can't remember the names. I suggest you
also create some keys for yourself to use and disable password
authentication. With password auth disabled the attacks won't be
more than an annoyance for the most part. If you google you'll find
it's a very common problem, I'm sure you'll also find the scripts I
mentioned above.  If I can find them I'll post links.

Good luck!

Mike



Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
Have snort or portsentry add those ips to a table in pf.conf.

--Bryan




Re: is there a way to block sshd trolling?

2005-09-23 Thread Mr.Slippery
That's how I handle this type of annoyance:
http://data.homeip.net/projects/ssh_wall.php
Of course, YMMV.
Ciao.
-- 
Florin (Slippery) Iamandi
"Reason is the first victim of emotion." -- Scytale, Dune Messiah



Re: is there a way to block sshd trolling?

2005-09-23 Thread Roy Morris

why not use max-connections ? and dump them into a
table with no access. Or if this is a home machine just
move the port to some high port, most scripts won't bother
looking.

cheers
rm





Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 02:40 pm, John Marten wrote:
 There's got to be a better way, and I'm open to suggestions.

Use a non-standard port and/or public key exchange.

Chris



Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer

You can try to limit the overly persistent number of incoming
connections.  Or you can run SSH on a non-default port.  Try the pf way
first with the max-src-conn-rate on all incoming connections.  I think
it's like pass in quick on $external from any to any port $services
flags... etc keep state (max-src-conn-rate 100/10) or whatever you need. 
Brandon



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs, laugh.





--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Rob Copsey

You could use pf to add the entries to your block table based upon 
connect/disconnect rate.

Notice the timescale of this attack in your authlog; no human types this fast.

See man pf.conf for pertinent examples.

Regards,
Rob



Re: is there a way to block sshd trolling?

2005-09-23 Thread Tomasz Baranowski
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.

You can change the port number in /etc/ssh/sshd_config . It's 100%
effective against that kind of bots.

Greetings,
Tomasz Baranowski



Re: is there a way to block sshd trolling?

2005-09-23 Thread jabbott
My only question is what if I traceroute to you, find out the IP number of your 
upstream router?  Then I make a bunch of connection attempts to your IP but 
forge the packets to make them look like they came from your upstream.  Don't 
*you* end up blacklisting your default route and you become 'so long suckah'd?

--ja

  
 That's how I handle this type of annoyance:
 http://data.homeip.net/projects/ssh_wall.php
 Of course, YMMV.
 Ciao.
 

-- 



Re: is there a way to block sshd trolling?

2005-09-23 Thread Nick Ryan

You could use pf to block linux ssh access.

block in log quick on $EXT_IF inet proto tcp from any os Linux to port 22 \
    label "Blocked Linux ssh access: "


That'll reduce it quite a lot.



John Marten wrote:


You know what I mean? Every day I get some script kiddie, or adult
trying to guess usernames or passwords.
I've installed the newest version of SSH, so I'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: invalid user somename
Failed password for invalid user somename
Received disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had to do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist




Re: is there a way to block sshd trolling?

2005-09-23 Thread Thordur I. Bjornsson
On Fri, 23 Sep 2005 11:40:36 -0700
John Marten [EMAIL PROTECTED] wrote:

 You know what I mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
 
Use tables.
See:
http://www.section6.net/wiki/index.php/Thwarting_ssh_hackers_with_swatch_pf

-- 
Thordur I.  [EMAIL PROTECTED]
Humppa!
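An added example, not from the thread or from the wiki page Thordur links, of the log-driven variant in plain sh and awk: read authlog, count failed logins per source address, and add repeat offenders to a pf table with pfctl -T add. The table name sshdhackers, the threshold of three failures, the PF_APPLY switch and the authlog excerpt are all constructed for illustration. The design point worth copying is the address extraction: it takes the token after the last "from" and accepts it only if it looks like a dotted quad, instead of relying on a fixed field number, because the "Invalid user" and "Failed password" lines put the address in different columns.

```shell
#!/bin/sh
# Added example, not from the thread: a swatch-free version of "watch
# authlog, add the source to a pf table" in POSIX sh and awk. The table
# name sshdhackers, the threshold, the PF_APPLY switch and the sample log
# lines below are constructed for illustration.

# Constructed authlog excerpt in OpenBSD syslog format. 192.0.2.10 is a
# dictionary run (two invalid users, then root); 198.51.100.7 is a real
# user who mistyped a password once and then logged in with a key.
sample_log() {
    cat <<'EOF'
Sep 23 11:40:31 gw sshd[8123]: Invalid user admin from 192.0.2.10
Sep 23 11:40:31 gw sshd[8123]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Sep 23 11:40:31 gw sshd[8123]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 23 11:40:33 gw sshd[8125]: Invalid user test from 192.0.2.10
Sep 23 11:40:33 gw sshd[8125]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Sep 23 11:40:35 gw sshd[8127]: Failed password for root from 192.0.2.10 port 40141 ssh2
Sep 23 11:52:02 gw sshd[8201]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Sep 23 11:52:09 gw sshd[8201]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
EOF
}

# offenders THRESHOLD: read authlog lines on stdin and print, sorted, every
# source with at least THRESHOLD "Failed password" lines. Counting
# "Failed password" rather than "Invalid user" also catches guesses against
# real usernames, and the threshold spares someone who fumbles a password
# once. The address is the token after the last "from"; anything that is
# not a dotted quad is ignored.
offenders() {
    awk -v thr="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# block_offenders: read addresses on stdin and add each to the pf table.
# Dry run by default (prints the command); set PF_APPLY=1 to call pfctl.
block_offenders() {
    while IFS= read -r ip; do
        if [ "${PF_APPLY:-0}" = 1 ]; then
            pfctl -t sshdhackers -T add "$ip"
        else
            echo "pfctl -t sshdhackers -T add $ip"
        fi
    done
}

# Stand-alone use: "sh blocker.sh /var/log/authlog 3" on a real log, or
# with no arguments run the constructed sample through the pipeline.
if [ $# -ge 1 ]; then
    offenders "${2:-3}" < "$1" | block_offenders
else
    sample_log | offenders 3 | block_offenders
fi
```

Run from cron against the current log this is a batch job; the awk END block only fires at end of input, so following a live file needs a watcher such as swatch feeding it lines. Entries added by hand with -T add have no expiry, so pair it with a periodic `pfctl -t sshdhackers -T expire` or -T delete as the table grows.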



Re: is there a way to block sshd trolling?

2005-09-23 Thread ober
Use the tarpit patch that I wrote 
http://www.linbsd.org/openssh-samepasswd.patch


-Ober


-Ober

On Fri, 23 Sep 2005, Abraham Al-Saleh wrote:


You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs, laugh.


On 9/23/05, John Marten [EMAIL PROTECTED] wrote:


You know what I mean? Every day I get some script kiddie, or adult
trying to guess usernames or passwords.
I've installed the newest version of SSH, so I'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: invalid user somename
Failed password for invalid user somename
Received disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had to do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist





--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.




Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
Roy Morris wrote:

 Why not use max-connections? And dump them into a
 table with no access. Or if this is a home machine just
 move the port to some high port, most scripts won't bother
 looking.

Yup, I forgot to add that you can put another thing in that max-conn...
that handles the overflow: it sends it to a bad hosts file or some
such... then just persist that.
Brandon



Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 03:15 pm, Mr.Slippery wrote:
 That's how I handle this type of annoyance:
 http://data.homeip.net/projects/ssh_wall.php

Slick. Er...slippery, that is.



Re: is there a way to block sshd trolling?

2005-09-23 Thread ed
On Fri, 23 Sep 2005 21:55:12 +0200
Tomasz Baranowski [EMAIL PROTECTED] wrote:

 You can change the port number in /etc/ssh/sshd_config . It's 100%
 effective against that kind of bots.

Some intelligent scripts look at tcp responses to port scans, ssh
responds with SSH-2.0, which isn't too hard to identify. I don't know if
changing the greeting would break the protocol, but I suspect it might
break certain clients.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 



Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S

John Marten wrote:

There's got to be a better way, and I'm open to suggestions.



Use public key authentication to start with. It's very easy to set up and 
much more secure than password authentication. With public key 
authentication, passwords will never work. You might also want to make 
it a practice to disallow root logins via ssh.


Changing the port number is not a bad idea also.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 My only question is what if I traceroute to you, find out the 
 IP number of your upstream router?  Then I make a bunch of 
 connection attempts to your IP but forge the packets to make 
 them look like they came from your upstream.  Don't *you* end 
 up blacklisting your default route and you become 'so long suckah'd?

If you blacklist an IP on syn attempts only, maybe. In order for you to try
to brute force logins you'll need a full TCP handshake which you'll never
accomplish if you're spoofing yourself as the IP of the router.

DS



Re: is there a way to block sshd trolling?

2005-09-23 Thread Stuart Henderson

--On 23 September 2005 15:05 -0500, [EMAIL PROTECTED] wrote:


My only question is what if I traceroute to you, find out the IP
number of your upstream router?  Then I make a bunch of connection
attempts to your IP but forge the packets to make them look like they
came from your upstream.


The suggestion is for max-src-conn-rate, not max-src-state.
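An added example, not from the thread, of the pf source-tracking approach Rob and Stuart are pointing at: a pf.conf fragment using max-src-conn-rate with an overload table, wrapped in a small sh helper so it can be parsed with pfctl -nf before being loaded. The interface name fxp0, the table name <bruteforce> and the limits (10 concurrent connections, 5 new connections per 30 seconds, 24-hour expiry) are assumptions. It also shows why the spoofing worry upthread does not apply here: max-src-conn and max-src-conn-rate count only TCP connections that completed the three-way handshake, so a SYN carrying a forged source address never adds to that address's count, whereas max-src-states counts state entries, which a bare SYN already creates.

```shell
#!/bin/sh
# Added example, not from the thread: rate-based blocking of ssh brute
# force with pf source tracking. Interface name (fxp0), table name
# (<bruteforce>) and limits (10 concurrent, 5 per 30 s, 86400 s expiry)
# are assumptions.

# The pf.conf fragment. A source that exceeds either limit is put into
# the table and, with "flush global", has all of its existing states
# killed. max-src-conn and max-src-conn-rate only count TCP connections
# that completed the three-way handshake, so a SYN with a forged source
# address (the upstream router, say) cannot get that address listed.
# Written in the explicit "flags S/SA keep state" form of 2005-era pf,
# which current pf still accepts.
ssh_bruteforce_rules() {
    cat <<'EOF'
ext_if = "fxp0"
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
EOF
}

# Write the fragment out and have pfctl parse it without loading it.
# Where pfctl is absent (not an OpenBSD box) the parse step is skipped;
# either way "ok" is printed on success so a caller can check the result.
check_rules() {
    tmp=$(mktemp) || return 1
    ssh_bruteforce_rules > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    rm -f "$tmp"
    echo ok
}

# Table housekeeping. "-T expire N" drops entries older than N seconds,
# so the block is temporary without anyone editing pf.conf; run it from
# cron. "-T show" lists what is currently blocked.
show_blocked()   { pfctl -t bruteforce -T show; }
expire_blocked() { pfctl -t bruteforce -T expire "${1:-86400}"; }

# Stand-alone use: "sh ssh-bruteforce.sh print" prints the fragment and
# the parse result; load it for real with "pfctl -f" once it checks out.
if [ "${1:-}" = "print" ]; then
    ssh_bruteforce_rules
    check_rules
fi
```

The block rule has to come before the pass rule only in the sense that "quick" stops evaluation; because the table is consulted on every new connection, an address that overloads is refused on its next SYN even though its earlier states were already flushed.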



Re: is there a way to block sshd trolling?

2005-09-23 Thread Matthew Powell
John Marten wrote:
 You know what I mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
 


http://lfriends.franoculator.com/phpBB2/viewtopic.php?t=103

That's the hosts.deny method, for those of you scoring at home.

It's a good solution, but you're better off enabling DSA/RSA keys and
doing away with password auth altogether.  Running sshd on a different
port never hurt anyone either.

HTH.


-- 
Matt



Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
[EMAIL PROTECTED] writes:
 My only question is what if I traceroute to you, find out the IP number of 
 your upstream router?  Then I make a bunch of connection attempts to your IP 
 but forge the packets to make them look like they came from your upstream.  
 Don't *you* end up blacklisting your default route and you become 'so long 
 suckah'd?

This isn't a problem for 2 reasons.

1) The upstream router isn't likely to be the destination of any
   packet in a consumer-isp situation.  Only if you are running some
   routing protocol that uses that upstream router as an endpoint
   (eg. rip, ospf, etc) will a block against that router's IP matter
   to you.

   I've heard of cases where folks intentionally add an IP-level block
   against their ISP's whole infrastructure.  (Some ISP's don't allow
   any servers.  If they find an sshd hanging on port 22 are they
   going to hassle you?  Just block 'em.)

2) Forging the source IP in a TCP packet and succeeding in negotiating
   the 3-way handshake isn't all that simple any more.  I wouldn't
   worry about it.  If someone could forge that reliably, there is
   much better game to go after (like breaking into machines that
   still use IP addresses for authorization.)  Someone spoofing an IP
   so that you mistakenly block an innocent party is pretty much
   wasting a good trick.

-wolfgang



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
Just to add my $0.02. The best they could hope for would be disallowing your
default gateway from connecting to your ssh server... whoop-de-doo.

On 9/23/05, Wolfgang S. Rupprecht 
[EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] writes:
  My only question is what if I traceroute to you, find out the IP number
 of your upstream router? Then I make a bunch of connection attempts to your
 IP but forge the packets to make them look like they came from your
 upstream. Don't *you* end up blacklisting your default route and you become
 'so long suckah'd?

 This isn't a problem for 2 reasons.

 1) The upstream router isn't likely to be the destination of any
 packet in a consumer-isp situation. Only if you are running some
 routing protocol that uses that upstream router as an endpoint
 (eg. rip, ospf, etc) will a block against that router's IP matter
 to you.

 I've heard of cases where folks intentionally add an IP-level block
 against their ISP's whole infrastructure. (Some ISP's don't allow
 any servers. If they find an sshd hanging on port 22 are they
 going to hassle you? Just block 'em.)

 2) Forging the source IP in a TCP packet and succeeding in negotiating
 the 3-way handshake isn't all that simple any more. I wouldn't
 worry about it. If someone could forge that reliably, there is
 much better game to go after (like breaking into machines that
 still use IP addresses for authorization.) Someone spoofing an IP
 so that you mistakenly block an innocent party is pretty much
 wasting a good trick.

 -wolfgang



Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: Wolfgang S. Rupprecht
 2) Forging the source IP in a TCP packet and succeeding in negotiating
the 3-way handshake isn't all that simple any more.  I wouldn't
worry about it.  If someone could forge that reliably, there is
much better game to go after (like breaking into machines that
still use IP addresses for authorization.)  Someone spoofing an IP
so that you mistakenly block an innocent party is pretty much
wasting a good trick.

Is it possible at all? You spoof your address to appear as my ISP for the
source address of a TCP connection. You send a SYN packet seeming to appear
from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because
that address never sent SYN in first place. You never get anything back,
neither do I, and no TCP handshake occurs.

Or does this involve a much more sophisticated attack than I'm imagining?

DS



Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
Spruell, Darren-Perot [EMAIL PROTECTED] writes:
 From: Wolfgang S. Rupprecht
 2) Forging the source IP in a TCP packet and succeeding in negotiating
the 3-way handshake isn't all that simple any more.  I wouldn't
worry about it.  If someone could forge that reliably, there is
much better game to go after (like breaking into machines that
still use IP addresses for authorization.)  Someone spoofing an IP
so that you mistakenly block an innocent party is pretty much
wasting a good trick.

 Is it possible at all? You spoof your address to appear as my ISP for the
 source address of a TCP connection. You send a SYN packet seeming to appear
 from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because
 that address never sent SYN in first place. You never get anything back,
 neither do I, and no TCP handshake occurs.

 Or does this involve a much more sophisticated attack than I'm imagining?

Spoofing the tcp connection is possible if you can guess what was in
the packet that the other side sent back in response to the first
spoofed syn.  Obviously you'll never see the packet, but the only
thing that you need to know that isn't obvious is the initial sequence
number.  Back in the early days of BSD the initial tcp-sequence number
wasn't all that hard to guess.  Predicting it was relatively easy if
the other side was a BSD system that didn't have too many tcp
connections per second.  

After each tcp connection the kernel incremented the initial sequence
number by some small, fixed amount.  Connecting up to any tcp port
would tell you what the kernel was currently using.  Connecting a few
times in a row would tell you how much it incremented the initial
number by for each connection.  It also gave one a rough idea how many
connections per second the kernel was seeing.

-wolfgang



Re: is there a way to block sshd trolling?

2005-09-23 Thread Eike Lantzsch
On Friday 23 September 2005 14:40, John Marten wrote:
 You know what I mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Special

I don't know if this is better, and then better in what sense, but here it 
goes, and it's easy as pie:
I installed denyhosts - a python script. The obvious downside is that you need 
to install python. The only adjustment you need to make is that denyhosts looks 
into /var/log/authlog for OBSD instead of /var/log/auth.log for Linux.
My /etc/hosts.deny has been growing steadily ever since ...

Kind regards, Eike

-- 
Eike Lantzsch ZP6CGE
Casilla de Correo 1519
Asuncion / Paraguay
Tel.: 595-21-578698 FAX: 595-21-578690



Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
 Some intelligent scripts look at tcp responses to port scans, ssh
 responds with SSH-2.0, which isn't too hard to identify. I don't know if
 changing the greeting would break the protocol, but I suspect it might
 break certain clients.

I wonder if it's possible to fingerprint these programs.  I actually
have a copy of the ssh-scanner that they use.  I got it by looking at
the hack logs on a Linux server and going to the same FTP site they
used (anonymous ftp even ;).

The program that most of you see is probably Skara.  If you're
interested you run the program by doing ./a xxx.xxx where xxx.xxx is
the first 2 octets of the network you want to scan (it only does
class b).  Once it finds all the servers running ssh, it then forks
and runs ssh-scan on each and just crashes through the dictionary,
till it finds some servers, and reports the findings.  Usually
something stupid like admin/admin or vmail/vmail.  I ran it on my
network to look for things that may have been done sloppily.  I
actually did find one server where someone had created a user of
test with the password of test...nice.

As long as you have secure passwords, I'd recommend just logging in as
a standard user, and using su so that you don't see all those logs.

Keep in mind that they are just kiddies scanning class b's so there's
probably better things to worry about.

A lot of nice tips though.  I've learned a lot about PF just reading the thread.


--Bryan



Re: is there a way to block sshd trolling?

2005-09-23 Thread Ray Percival
On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote:
  Some intelligent scripts look at tcp responses to port scans, ssh
  responds with SSH-2.0, which isn't too hard to identify. I don't know if
  changing the greeting would break the protocol, but I suspect it might
  break certain clients.
 
 I wonder if it's possible to fingerprint these programs.  I actually
 have a copy of the ssh-scanner that they use.  I got it by looking at
 the hack logs on a Linux server and going to the same FTP site they
 used (anonymous ftp even ;).
I use the blocker script from this article. Seems to work pretty well. I'd just 
block Linux but I have a few friends who have yet to see the OpenBSD light. 
http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded
 
 The program that most of you see is probably Skara.  If you're
 interested you run the program by doing ./a xxx.xxx where xxx.xxx is
 the first 2 octets of the network you want to scan (it only does
 class b).  Once it finds all the servers running ssh, it then forks
 and runs ssh-scan on each and just crashes through the dictionary,
 till it finds some servers, and reports the findings.  Usually
 something stupid like admin/admin or vmail/vmail.  I ran it on my
 network to look for things that may have been done sloppily.  I
 actually did find one server where someone had created a user of
 test with the password of test...nice.
 
 As long as you have secure passwords, I'd recommend just logging in as
 a standard user, and using su so that you don't see all those logs.
Yeah. This is only a threat against *really* weak boxes. Having said that, I've 
seen a lot of posts talking about changing ports. That's a line that I won't 
cross. I refuse to hide from the bots and it's not even a speedbump against 
somebody who is a real threat. But that's just my personal line in the sand. 
 
 Keep in mind that they are just kiddies scanning class b's so there's
 probably better things to worry about.
 
 A lot of nice tips though.  I've learned a lot about PF just reading the 
 thread.
 
 
 --Bryan
 

-- 
BOFH excuse #345:

Having to manually track the satellite.