See minor corrections:
also see DenyHosts
Many of us are constantly plagued with port knocking and script kiddies from
places like the Amazon Cloud.
With security issues, the procedural recommended post encroachment steps per
CERT are:
1) Remove the computer from your network (probably not workable if this is a
server) [use IPtables to protect it initially]
2) Gather log information about specific times, ports and ip addresses (both
source and destination)
3) Report to the SWIP authorities including the correct time zones for each
exploit.
4) Optional - load BackTrack and run forensics on the system if you CAN reboot
it.
5) Optional - setup a honeypot trap for the users including network alerting
and logging.
Using IPtables:
Generally,
since you can't always drop large numbers of IPADDRESSES into your IPtables
& the script kiddies just DHCP a new source address, so this is a temporary
measure.
First
drop in a basicIP table - here's a good basic example (season to
taste): [Do this while sitting in front of the machine so you don't
accidently shut yourself out]
You going to need iptables (you should have it already):
# dpkg -l iptables
iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to
# rpm -qa | grep iptablesiptables-xxxxx
Check to see if it's there:
# which iptables
/sbin/iptables
If the utility is missing you can install it like so:
APT
# apt-get update && apt-get install iptables
RPM
# rpm -Uvh iptables-xxxx.rpm
Preparing ################################# [100%]
NEXT: Drop in a basic configuration:
# /etc/init.d/iptables start
Cut and copy this basic table example to /root/iptables/iptables.first
This
example only allows port 22, 80 and 443 and does some time based allow log and
drop (which might break if you have extensive scp jobs) (season to taste - for
instance if you need another port add it; or you have eth1 change this).
# Generated by iptables-save on Sun Oct 19 23 05:32:09 2008
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Optional log and drop limits
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: "
--log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: "
--log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: "
--log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Oct 19 05:32:09 2008Next import it:
# /sbin/iptables-restore </root/iptables/iptables.first
Test - okay?
Borked?
# /etc/init.d/iptables stop
# /sbin/iptables -F
Edit and try again....
Protect from/to a host:
Once you have a basic config in place you can do command line drops:
# /sbin/iptables -A INPUT -s $badguyip -d $myserverip -p tcp --dport 22 -j DROP
-A Tells iptables to 'append' this rule to the INPUT Chain
-s Source Address. This rule only pertains to
traffic coming FROM this IP. Substitute with the IP address you are protecting
yourself from.
-d Destination Address. This rule only pertains to traffic going TO this IP.
Substitute with the IP of this server.
-p Protocol. Specifying traffic which is TCP.
--dport Destination Port. Specifying traffic which is for TCP Port 22 (SSH)
-j Jump. If everything in this rule matches then 'jump' to DROP
You can even do a quick grep on your logs and script drop all of them into the
tables via script:
Protect AFTER the FACT from LOGS (as in now when you discover a whole 48
accesses or attempts on your vsftpd)
#!/bin/sh
# Add own whitelisted hosts here.
whitelist="127.0.0.1 1192.168.7.2 192.168.31.145"
logfile="/var/log/messages"
# Define the checking interval through date-format.
interval=$(date | cut -b 5-15)
# Extract failed vsftpd login attempts; set blocking to 25.
# Modify iptables behavior or use drop all connections from evil script kiddies.
grep "$interval.* failure" $logfile | sed -e
'/vsftpd(pam_unix)\[[0-9]*\]: authentication failure/!d' -e
's/.*rhost=//' -e 's/ user=.*//' | sort |uniq -c | \
while read info
do
set -- $info
count=$1
host=$2
whitelisted=0
for white in $whitelist ; do
if [ "$white" = "$host" ] ; then
whitelisted=1
fi
done
if [ "$whitelisted" = "1" ] ; then
echo "$count attempt(s) from WHITELISTED $host"
else
echo "$count attempt(s) from $host"
if [ "$count" -gt "25" ] ; then
/sbin/iptables -I INPUT -s $host -j DROP
echo "Host $host blocked"
echo "iptable status:"
/sbin/iptables --list
fi
fi
done
----------------end script example for vsftpd------------------
Here's how my crontab looks like:
# Block offending hosts. Checks for attacks every 10 minutes
9,19,29,39,49,59 * * * * /bin/sh /scripts/Block
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
Saving and Editing your tables:
As a precaution enter /sbin/iptables-save to be sure it's right (and check it
via output)
You
can save and restore via crontabs the last iptables (Debian and Redhat
vary as to commands for persistent tables [see references]
# /sbin/iptables-save >/root/iptables/iptables.last
You can hand edit this with vi or joe
# /sbin/iptables-restore </root/iptables/iptables.last
SSH Brute force and Dictionary Attacks:
NOTE:
If your port 22 (or VNC or port 80 webserver) is being hit, you can
write a quick log protection script or use SSHUTOUT (which wraps ssh
and watches for brute force and dictionary attacks), by automagically
dropping to iptables deny anyone who meets the configuration critieria.
Drop
in something like this for now for quick and dirty iptables: (edit your
tables and place these lines under the loopback command replacing your
-A INPUT for ssh above.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --hitcount 2 --seconds 60
--name SSHIN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT
COMMIT
If you are getting a TON of port 22 knocking - GET a wrapper like SSHOUT:
[if you need to shutout 22]: http://www.techfinesse.com/sshutout/sshutout.html
(use this great program)
References: http://www.howtoforge.com/linux_iptables_sarge
http://wapedia.mobi/en/Obnosis |
http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
Laugh at this MSN Footer
When your life is on the go—take your life with you. Try Windows Mobile® today
_________________________________________________________________
Store, manage and share up to 5GB with Windows Live SkyDrive.
http://skydrive.live.com/welcome.aspx?provision=1?ocid=TXT_TAGLM_WL_skydrive_102008---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
