Re: [rlug] automated iptables filters

2007-08-27 Thread Catalin Catana

Thank you for the replies.

Catalin


___
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug


Re: [rlug] automated iptables filters

2007-08-27 Thread Vasile C
On Monday 27 August 2007, Dragos CHIRIAC wrote:
> lonely wolf wrote:
> > Catalin Catana wrote:
> >> Hi,
> >
> > iptables -A SSH_Brute_Force -j TARPIT
>
> Not everyone has the TARPIT target in their kernel :) . Nice as it is, it
> doesn't apply to everyone.
>
> For the record, I am happily using:
>
> iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m
> recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
> (rude)
>
> and, to be safe, pam-abl (
> http://www.hexten.net/wiki/index.php/Pam_abl ).
>
> It works, and I haven't shot myself in the foot yet. So it's fine.
>
> Dragos
>
Hi,

I use denyhosts ( http://denyhosts.sourceforge.net/ ) or
blocksshd ( http://sourceforge.net/projects/blocksshd/ ); there may be
others as well.

Good luck!

-- 
In case something goes wrong use :
BOFH excuse #125:

we just switched to Sprint

PGP: http://new-order.org/public.key




Re: [rlug] automated iptables filters

2007-08-27 Thread Dragos CHIRIAC

lonely wolf wrote:
> Catalin Catana wrote:
>> Hi,
>
> iptables -A SSH_Brute_Force -j TARPIT

Not everyone has the TARPIT target in their kernel :) . Nice as it is, it
doesn't apply to everyone.

For the record, I am happily using:

iptables -A INPUT -i _eth0_ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP (rude)

and, to be safe, pam-abl ( http://www.hexten.net/wiki/index.php/Pam_abl ).

It works, and I haven't shot myself in the foot yet. So it's fine.


Dragos







Re: [rlug] automated iptables filters

2007-08-27 Thread Cosmin Gorgovan

Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.
>
> Can anyone point me to a piece of software or some documentation that
> does this?
>
> Catalin,
> Thanks

You can try fail2ban (http://www.fail2ban.org/). There is a sample
configuration for ssh at http://www.fail2ban.org/wiki/index.php/OpenSSH.




Re: [rlug] automated iptables filters

2007-08-27 Thread lonely wolf

Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.


# The chain has to exist before any rule can refer to it.
iptables -N SSH_Brute_Force

# Let's jump to the SSH_Brute_Force chain if this is a new connection
# that is not from my IP address.
# This will prevent processing these rules for non SSH traffic.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW ! -s $MYIPADDRESS -j SSH_Brute_Force

# Let's white list some IP addresses.
iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_whitelist -j RETURN

# If there have not been 4 NEW connection attempts from this source IP
# address in the last 60 seconds let's return to the INPUT chain.
# (--set gets its own rule: it cannot be combined with --seconds/--hitcount.)
iptables -A SSH_Brute_Force -m recent --name SSH --set
iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 --hitcount 4 -j RETURN

# Well, the NEW connection has been seen so let's update the SSH recent
# list.
iptables -A SSH_Brute_Force -m recent --name SSH --update

# I like to log on a line by itself so I don't have to remember to do
# it on my last line prior to the end of my script.
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt:  "

# Let's send the person that is trying to SSH in to us to the TARPIT
# target and make them think twice before they try again.
# TARPIT will force the site that is SSHing in to us to timeout the
# connection.  Sure stick your hand in my port, I'll grab hold of it and
# not let go,
# you will have to chew your arm off and grow a new one and try again.
# I'll hold your new arm again and again and again and...  This should
# slow you down.
iptables -A SSH_Brute_Force -j TARPIT


--
"A computer will not make a good manager out of a bad manager.
It makes a good manager better faster and a bad manager worse faster."
Ed Esber, president, Ashton-Tate, 1986




Re: [rlug] automated iptables filters

2007-08-27 Thread Biru Ionut
On Mon, 2007-08-27 at 15:30 +0300, Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.
>
> Can anyone point me to a piece of software or some documentation that
> does this?
I use denyhosts with confidence. I configured it so that after 3 failed
attempts it adds that IP to /etc/hosts.deny and then removes it after
1 week.


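As an added illustration of what the log-watching tools named in this thread do (this is not code from any poster, nor from denyhosts or fail2ban): the sketch counts failed sshd password attempts per source address and prints an iptables DROP command once an address reaches 3 failures, skipping whitelisted addresses. The log lines, addresses and the names `ban_rules`, `sample_log`, `THRESHOLD` and `WHITELIST` are constructed for the example.

```shell
#!/bin/sh
# Added example: dry-run ban-list generator (prints rules, does not apply them).
THRESHOLD=3              # failures before a ban; the value one poster reports using
WHITELIST="192.0.2.10"   # constructed address standing in for a trusted admin IP

# Reads sshd log lines on stdin; prints one iptables command per offending IP.
ban_rules() {
    awk -v max="$THRESHOLD" -v wl="$WHITELIST" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        # The user name is untrusted text and may itself contain "from <addr>",
        # so the address is taken by position from the END of the line.
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # IPv4 only here
        if (ip in white) next                                # never ban trusted IPs
        if (++fails[ip] == max)                              # emit once per IP
            print "iptables -I INPUT -s " ip " -p tcp --dport 22 -j DROP"
    }'
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
Aug 27 15:30:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug 27 15:30:03 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Aug 27 15:30:05 srv sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Aug 27 15:31:10 srv sshd[2110]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Aug 27 15:31:12 srv sshd[2111]: Failed password for alice from 192.0.2.10 port 51001 ssh2
Aug 27 15:31:14 srv sshd[2112]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Aug 27 15:32:00 srv sshd[2120]: Failed password for invalid user a from 198.51.100.50 from 198.51.100.9 port 40100 ssh2
Aug 27 15:32:02 srv sshd[2121]: Failed password for invalid user a from 198.51.100.50 from 198.51.100.9 port 40101 ssh2
Aug 27 15:32:04 srv sshd[2122]: Failed password for invalid user a from 198.51.100.50 from 198.51.100.9 port 40102 ssh2
Aug 27 15:33:00 srv sshd[2130]: Accepted password for alice from 192.0.2.10 port 51003 ssh2
Aug 27 15:34:00 srv sshd[2140]: Failed password for root from 203.0.113.99 port 40200 ssh2
EOF
}

sample_log | ban_rules
```

Only 203.0.113.7 and 198.51.100.9 are reported: the whitelisted address is skipped despite three failures, and the address embedded in the user name field is never counted.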


Re: [rlug] automated iptables filters

2007-08-27 Thread Paul Lacatus

Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.

Isn't it simpler to make sshd listen on a port other than the standard
one? You won't get any load from ssh scanners at all any more.


PL



Re: [rlug] automated iptables filters

2007-08-27 Thread VC
On Monday 27 August 2007, Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.
>
> Can anyone point me to a piece of software or some documentation that
> does this?
>
> Catalin,
> Thanks

Hi,

Try denyhosts ( http://denyhosts.sourceforge.net/ ) or
blocksshd ( http://sourceforge.net/projects/blocksshd/ ); there may be
others as well, but these are the ones I use.

Good luck!

-- 
In case something goes wrong use :
BOFH excuse #186:

permission denied

PGP: http://new-order.org/public.key




Re: [rlug] automated iptables filters

2007-08-27 Thread Mircea Mitu
On Mon, 2007-08-27 at 15:30 +0300, Catalin Catana wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.
>
> Can anyone point me to a piece of software or some documentation that
> does this?


portsentry




Re: [rlug] automated iptables filters

2007-08-27 Thread Mircea Ciocan
http://freshmeat.net/search/?q=ssh+attack&section=projects&Go.x=0&Go.y=0

 Mircea "every day a dose of fresh meat" C.

On 8/27/07, Catalin Catana <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I want to use iptables to automatically filter the IPs that scan/try
> user/pass on ssh (possibly for other services too, but especially for
> ssh).
> My problem is that these attacks go on for several hours in a row .. and
> they generate useless load on the server ... if I filter them with
> iptables and DROP ... the load disappears.
>
> Can anyone point me to a piece of software or some documentation that
> does this?
>
> Catalin,
> Thanks
