[OpenIndiana-discuss] denyhosts IPS package?
Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Hi Stefan, does fail2ban fits your needs? $ pkg info network/fail2ban Name: network/fail2ban Summary: monitor logfiles for invalid login attempts and ban source IP-addresses - (github version e065f64b14699758a28fdbf4622fca884753e68f) Description: Fail2Ban monitors log files like /var/log/pwdfail or /var/log/apache/error_log and bans failure-prone addresses. It updates firewall rules to reject the IP address or executes user defined commands. (currently: /etc/hosts.deny is updated) NOTE: You need to configure syslog.conf to get necessary login log entries == INSTALLATION ON SOLARIS - Read the file /usr/share/doc/SFEfail2ban/README.Solaris Note from SFE maintainer for this package: If you do not follow the above README.Solaris (files already copied!) then you will not get a working fail2ban setup! Category: Network State: Installed Publisher: sfe Version: 0.0.0.0.0.2 Branch: 0.151.1.8 Packaging Date: December 4, 2013 06:11:08 PM Size: 296.89 kB FMRI: pkg://sfe/network/fail2ban@0.0.0.0.0.2-0.151.1.8:20131204T181108Z Regards. On 01/15/14 01:54 PM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- Predrag Zečević, Technical Support Analyst, 2e Systems GmbH Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894 Mobile:+49 174 3109 288, Skype: predrag.zecevic E-mail:predrag.zece...@2e-systems.com Headquarter: 2e Systems GmbH, Königsteiner Str. 87, 65812 Bad Soden am Taunus, Germany Company registration: Amtsgericht Königstein (Germany), HRB 7303 Managing director:Phil Douglas http://www.2e-systems.com/ - Making your business fly! [***]===--- Everybody needs a little love sometime; stop hacking and fall in love! ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
On 01/15/2014 07:54 AM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Stefan, Assuming you use ssh for remote login then I have updated sshguard so it works on OpenIndiana. It will monitor log files to identify attacks and then uses ipfilter to block them. I had to change the check for ssh invalid password to properly match OpenIndiana/Solaris ssh messages and updated the ipfilter insertion statement to match my ipfilter setup (specify which interface and add group tag). I also put together a rudimentary SMF file to make it a proper service. I personally prefer sshguard over fail2ban because it is so lightweight. Once it started blocking brute force attacks on my server (which was often) they suddenly stopped. Sshguard also can do the same for various MTA and other application logins but ssh is the only one I've tested. Let me know if you want what I've done. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Hmmm... I thought I had checked for fail2ban as well but apparently haven't if it is in fact there. Maybe fail2ban is even supperior as it is not restricted to SSH but could secure IMAP as well. Thanks for your feedback! Cheers Stefan Am 15.01.2014 um 14:10 schrieb Predrag Zecevic [Unix Systems Administrator] predrag.zece...@2e-systems.com: Hi Stefan, does fail2ban fits your needs? $ pkg info network/fail2ban Name: network/fail2ban Summary: monitor logfiles for invalid login attempts and ban source IP-addresses - (github version e065f64b14699758a28fdbf4622fca884753e68f) Description: Fail2Ban monitors log files like /var/log/pwdfail or /var/log/apache/error_log and bans failure-prone addresses. It updates firewall rules to reject the IP address or executes user defined commands. (currently: /etc/hosts.deny is updated) NOTE: You need to configure syslog.conf to get necessary login log entries == INSTALLATION ON SOLARIS - Read the file /usr/share/doc/SFEfail2ban/README.Solaris Note from SFE maintainer for this package: If you do not follow the above README.Solaris (files already copied!) then you will not get a working fail2ban setup! Category: Network State: Installed Publisher: sfe Version: 0.0.0.0.0.2 Branch: 0.151.1.8 Packaging Date: December 4, 2013 06:11:08 PM Size: 296.89 kB FMRI: pkg://sfe/network/fail2ban@0.0.0.0.0.2-0.151.1.8:20131204T181108Z Regards. On 01/15/14 01:54 PM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- Predrag Zečević, Technical Support Analyst, 2e Systems GmbH Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894 Mobile:+49 174 3109 288, Skype: predrag.zecevic E-mail:predrag.zece...@2e-systems.com Headquarter: 2e Systems GmbH, Königsteiner Str. 87, 65812 Bad Soden am Taunus, Germany Company registration: Amtsgericht Königstein (Germany), HRB 7303 Managing director:Phil Douglas http://www.2e-systems.com/ - Making your business fly! [***]===--- Everybody needs a little love sometime; stop hacking and fall in love! ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Hi Gary, haven't looked at sshguard so far and it is definitely worth a look. 'Lightweight' sounds quite attractive. :-) Ultimately I'd also like to secure IMAP (I haven't dared opening to the world for the missing dictionary attack protection) etc. but maybe that's a second step. So, if I understand you right, sshguard currently requires manual installation but will work as a first class SMF citizen afterwards? Cheers Stefan Von: Gary Gendel [g...@genashor.com] Gesendet: Mittwoch, 15. Januar 2014 14:30 An: openindiana-discuss@openindiana.org Betreff: Re: [OpenIndiana-discuss] denyhosts IPS package? On 01/15/2014 07:54 AM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Stefan, Assuming you use ssh for remote login then I have updated sshguard so it works on OpenIndiana. It will monitor log files to identify attacks and then uses ipfilter to block them. I had to change the check for ssh invalid password to properly match OpenIndiana/Solaris ssh messages and updated the ipfilter insertion statement to match my ipfilter setup (specify which interface and add group tag). I also put together a rudimentary SMF file to make it a proper service. I personally prefer sshguard over fail2ban because it is so lightweight. Once it started blocking brute force attacks on my server (which was often) they suddenly stopped. Sshguard also can do the same for various MTA and other application logins but ssh is the only one I've tested. Let me know if you want what I've done. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Stefan, Exactly right. It does have hooks for some IMAP clients, see http://www.sshguard.net/docs/reference/attack-signatures/ but I haven't tested them. I suspect that they will work since these messages shouldn't be modified for OpenIndiana. I reported the changes I made to the sshguard team but I haven't heard back from them so I expect that Solaris/OpenIndiana support is not high on their priority list. :( The executable is only around 400k on my system (not stripped) and I've never even seen it in top/prstat. Gary On 01/15/2014 09:20 AM, Stefan Müller-Wilken wrote: Hi Gary, haven't looked at sshguard so far and it is definitely worth a look. 'Lightweight' sounds quite attractive. :-) Ultimately I'd also like to secure IMAP (I haven't dared opening to the world for the missing dictionary attack protection) etc. but maybe that's a second step. So, if I understand you right, sshguard currently requires manual installation but will work as a first class SMF citizen afterwards? Cheers Stefan Von: Gary Gendel [g...@genashor.com] Gesendet: Mittwoch, 15. Januar 2014 14:30 An: openindiana-discuss@openindiana.org Betreff: Re: [OpenIndiana-discuss] denyhosts IPS package? On 01/15/2014 07:54 AM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Stefan, Assuming you use ssh for remote login then I have updated sshguard so it works on OpenIndiana. It will monitor log files to identify attacks and then uses ipfilter to block them. I had to change the check for ssh invalid password to properly match OpenIndiana/Solaris ssh messages and updated the ipfilter insertion statement to match my ipfilter setup (specify which interface and add group tag). I also put together a rudimentary SMF file to make it a proper service. I personally prefer sshguard over fail2ban because it is so lightweight. Once it started blocking brute force attacks on my server (which was often) they suddenly stopped. Sshguard also can do the same for various MTA and other application logins but ssh is the only one I've tested. Let me know if you want what I've done. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Do you require password authentication or can you require only key access? Disabling password authentication prevents the dictionary and other brute force password attempts. You might also consider setting up a couple of jump boxes and then use ipfilter or external firewall to only allow ssh traffic from those jump boxes. If you go this route remember to use proxycommand to relay the connection and not to store any keys on the jump box. Greg Sent from my HTC One on the Verizon Wireless 4G LTE network - Reply message - From: Stefan Müller-Wilken stefan.mueller-wil...@acando.de To: openindiana-discuss@openindiana.org openindiana-discuss@openindiana.org Subject: [OpenIndiana-discuss] denyhosts IPS package? Date: Wed, Jan 15, 2014 5:54 AM Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Hi Gregory, Thanks for the input! Intrusion prevention can never be done in a one-size-fits-all approach so anything will help. :-) Maybe we should set up a OpenIndiana wiki topic on setting up Internet facing boxes to collect all possible measures. Cheers Stefan Von: Gregory Youngblood [greg...@youngblood.me] Gesendet: Mittwoch, 15. Januar 2014 15:49 An: Discussion list for OpenIndiana Betreff: Re: [OpenIndiana-discuss] denyhosts IPS package? Do you require password authentication or can you require only key access? Disabling password authentication prevents the dictionary and other brute force password attempts. You might also consider setting up a couple of jump boxes and then use ipfilter or external firewall to only allow ssh traffic from those jump boxes. If you go this route remember to use proxycommand to relay the connection and not to store any keys on the jump box. Greg Sent from my HTC One on the Verizon Wireless 4G LTE network - Reply message - From: Stefan Müller-Wilken stefan.mueller-wil...@acando.de To: openindiana-discuss@openindiana.org openindiana-discuss@openindiana.org Subject: [OpenIndiana-discuss] denyhosts IPS package? Date: Wed, Jan 15, 2014 5:54 AM Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Am 15.01.2014 um 14:31 schrieb Gary Gendel g...@genashor.com: On 01/15/2014 07:54 AM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Stefan, Assuming you use ssh for remote login then I have updated sshguard so it works on OpenIndiana. It will monitor log files to identify attacks and then uses ipfilter to block them. I had to change the check for ssh invalid password to properly match OpenIndiana/Solaris ssh messages and updated the ipfilter insertion statement to match my ipfilter setup (specify which interface and add group tag). I also put together a rudimentary SMF file to make it a proper service. I personally prefer sshguard over fail2ban because it is so lightweight. Once it started blocking brute force attacks on my server (which was often) they suddenly stopped. Sshguard also can do the same for various MTA and other application logins but ssh is the only one I've tested. Let me know if you want what I've done. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
True. I use a multi-layered approach, of which my suggestions are but a couple. A wiki page on hardening OI for public facing installs would be a good idea. Seems like I recall seeing something like that a while bac;; not sure if that was OI or Solaris/OpenSolaris though. Greg Sent from my HTC One on the Verizon Wireless 4G LTE network - Reply message - From: Stefan Müller-Wilken stefan.mueller-wil...@acando.de To: Discussion list for OpenIndiana openindiana-discuss@openindiana.org Subject: [OpenIndiana-discuss] denyhosts IPS package? Date: Wed, Jan 15, 2014 7:58 AM Hi Gregory, Thanks for the input! Intrusion prevention can never be done in a one-size-fits-all approach so anything will help. :-) Maybe we should set up a OpenIndiana wiki topic on setting up Internet facing boxes to collect all possible measures. Cheers Stefan Von: Gregory Youngblood [greg...@youngblood.me] Gesendet: Mittwoch, 15. Januar 2014 15:49 An: Discussion list for OpenIndiana Betreff: Re: [OpenIndiana-discuss] denyhosts IPS package? Do you require password authentication or can you require only key access? Disabling password authentication prevents the dictionary and other brute force password attempts. You might also consider setting up a couple of jump boxes and then use ipfilter or external firewall to only allow ssh traffic from those jump boxes. If you go this route remember to use proxycommand to relay the connection and not to store any keys on the jump box. Greg Sent from my HTC One on the Verizon Wireless 4G LTE network - Reply message - From: Stefan Müller-Wilken stefan.mueller-wil...@acando.de To: openindiana-discuss@openindiana.org openindiana-discuss@openindiana.org Subject: [OpenIndiana-discuss] denyhosts IPS package? Date: Wed, Jan 15, 2014 5:54 AM Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] denyhosts IPS package?
Yes, I know. Have been using it in Linux environments for ages but since it was not abailable packaged for OI thought it worthwhile asking on the list... Cheers Stefan Am 15.01.2014 um 16:57 schrieb Jerry Kemp sun.mail.lis...@oryx.cc: I have been using denyhosts for a couple of years. Its a good product and easy to set up. Jerry On 01/15/14 06:54 AM, Stefan Müller-Wilken wrote: Hi there, is there a denyhosts package available? I'd like to more effectively ban dictionary attackers from my systems and looking at https://www.illumos.org/issues/228#note-8 a package was at least in discussion. @Ken: can you comment on this? Cheers Stefan. Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | Ust.Ident-Nr.:DE208833022 ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
