Grafting a SSH auto-drop chain onto Arno's 1.8.3-RC1

#1
03-22-2005
purduephotog2@yahoo.com

Grafting a SSH auto-drop chain onto Arno's 1.8.3-RC1

Hello-

I've recently run into some serious problems with attacks on my
firewall with SSH. Several someones in Sweden/Korea/? have been
hammering my machine with multiple attacks per second. It's gotten
just a tad annoying.

For instance, in my messages file:
Mar 21 05:57:43 gateway sshd(pam_unix)[21048]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
Mar 21 05:57:47 gateway sshd(pam_unix)[21050]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
Mar 21 13:16:04 gateway sshd(pam_unix)[21110]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=h243n2fls31o920.telia.com
Mar 21 13:16:10 gateway sshd(pam_unix)[21112]: check pass; user unknown

and in my secure file
Mar 21 13:16:06 gateway sshd[21110]: Failed password for illegal user
anonymous from 213.64.252.243 port 59768 ssh2
Mar 21 13:16:12 gateway sshd[21112]: Failed password for illegal user
bruce from 213.64.252.243 port 59871 ssh2
Mar 21 13:16:16 gateway sshd[21114]: Failed password for illegal user
chuck from 213.64.252.243 port 60011 ssh2
Mar 21 13:16:20 gateway sshd[21116]: Failed password for illegal user
darkman from 213.64.252.243 port 60118 ssh2
Mar 21 13:16:24 gateway sshd[21118]: Failed password for illegal user
hostmaster from 213.64.252.243 port 60211 ssh2

etc.

I've been using Arno's IPTABLES Firewall Script 1.8.3-RC1, available
from Freshmeat at
http://freshmeat.net/projects/iptabl...ease_id=187708

for some time and found it quite effective, until recently.

I will also be the first to admit I'm hesitant to branch out on the
scripts as I've made a few mistakes when editing, which turned out to
be disastrous.

Do you see any method of easily modifying the drop chains to
automatically drop, say, the entire domain after the 4th attempt (for
instance) for 30 minutes (or longer, doesn't much matter to me)?

Thanks in advance for any help and information you can provide,

Jason

#2
03-22-2005
jayjwa

Re: Grafting a SSH auto-drop chain onto Arno's 1.8.3-RC1

On 2005-03-22, purduephotog2@yahoo.com <purduephotog2@yahoo.com> wrote:

> Hello-
>
> I've recently run into some serious problems with attacks on my
> firewall with SSH. Several someones in Sweden/Korea/? have been
> hammering my machine with multiple attacks per second. It's gotten
> just a tad annoying.
>
> For instance, in my messages file:
> Mar 21 05:57:43 gateway sshd(pam_unix)[21048]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
> Mar 21 05:57:47 gateway sshd(pam_unix)[21050]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
> Mar 21 13:16:04 gateway sshd(pam_unix)[21110]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser=
> rhost=h243n2fls31o920.telia.com
> Mar 21 13:16:10 gateway sshd(pam_unix)[21112]: check pass; user unknown
Yeah, this is the #1 exploit with Script Kiddies right now. It's a C source
file with some built-in users and passwords, most are way lame. You compile it
to a binary, brutessh, and whack away. First, always report these assholes. I've
got a lot of them shut down and their kiddie accounts closed. As for defending
against it, your request I can't exactly come up with a rule for, but I know
it's possible. It will likely rely on the mark match targets, or maybe fuzzy
match, both of which I don't think are in the vanilla iptables matches. But
here's what you can probably do; if you didn't think of it already, disable
password logins completely. Public Key only. Disable protocol 1. Protocol 2,1
is still drop back to 1 support, which isn't as secure. Never allow remote
root, period. Use AllowUsers/DenyUsers keywords to severely limit who can or
can't login, just in case you forget and create a user someday with the same
name as one of the logins these idiots try. Go to http://www.blackholes.us/
and download the ip space lists for a few certain countries/networks or ISPs
that are constantly giving you trouble. I saw way too many Korean/Chinanet
attacks in my logs, and now block all their traffic. Attacks fell 80%.
Arno's uses HOST_BLOCK I believe, for its blocking table (maybe HOSTBLOCK,
check on it first), so you could do like

iptables -A HOST_BLOCK -s <the ip address in CIDR notation> -p tcp --dport 22
-m limit --limit 3/min --limit-burst 3 -j LOG --log-level 7 --log-prefix
"SSH'er: "

iptables -A HOST_BLOCK -s <same ip address> -p tcp --dport 22 -j DROP

to block those certain places from ever touching your ssh port (if you don't
move it to a high port first), or leave off the -p tcp --dport stuff to drop
all their traffic, period. If you have multiple interfaces, use, for example,
-i ppp0 if ppp0 is your external to-the-Internet interface.

You can go here http://www.netfilter.org/ and get the newest iptables, and get
the patch-o-matic-ng and add a lot of neat options to iptables. You will have to
recompile your kernel after, but you can have matches like TARPIT:

iptables -A HOST_BLOCK -p tcp --dport 22 -j TARPIT

if you move your sshd server off port 22, that will catch all the scanners and
hold them for a bit (just be sure to tell your users first about it). That's
what I did and I find a lot of Script Kiddies wallowing around in my tarpits ;)

Move the SSH port, if at all possible, to a high random port, something above
30,000 maybe. All the widely circulated scripts target the default Port 22. I
have not seen one single ssh attack since I moved my sshd off port 22. Not
one, where before I got upwards of 5-10 a day.

In /etc/hosts.deny:

sshd: UNKNOWN

helps a lot. Note that you have to compile sshd with libwrap support. It's
probably best to compile your own, so you can include it for sure. Latest
right now I believe is 4.0, of OpenSSH, at http://www.openssh.org/

Sorry I don't know your auto-block rule, but hope these help. I used exactly
these things and I don't have any more trouble with SSH'ing script kiddies.

If you do patch your kernel and get the extra match options, writing such a
rule shouldn't be too hard, you can use something like

iptables -A INPUT -m fuzzy -h

(note the -h after the -m match option) to learn about that one match. That
help isn't in the man pages, and comes in handy.


--
Why do people continue to pay real money
for a laughable attempt at an OS??
Micro$oft: How Can We Control You Today?
Educate yourself: http://www.microsuck.com/
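An added example, not from either poster: a small Python script that does the "auto-drop after the 4th attempt" part Jason asked for and the reply could not supply. It parses both log formats quoted in the thread (the /var/log/secure "Failed password" lines and the pam_unix "rhost=" lines), finds sources with 4 or more failures inside one 30-minute window, and prints HOST_BLOCK rules in the shape of the reply's LOG-then-DROP pair. Assumptions: the chain name HOST_BLOCK, the 30-minute counting window, and the sample lines (constructed from the thread's excerpts); it prints rules rather than running iptables, and expiring a block after 30 minutes is left to whatever later removes the rules.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the two formats quoted in the thread.
SAMPLE_LOG = """\
Mar 21 13:16:06 gateway sshd[21110]: Failed password for illegal user anonymous from 213.64.252.243 port 59768 ssh2
Mar 21 13:16:12 gateway sshd[21112]: Failed password for illegal user bruce from 213.64.252.243 port 59871 ssh2
Mar 21 13:16:16 gateway sshd[21114]: Failed password for illegal user chuck from 213.64.252.243 port 60011 ssh2
Mar 21 13:16:20 gateway sshd[21116]: Failed password for illegal user darkman from 213.64.252.243 port 60118 ssh2
Mar 21 05:57:43 gateway sshd(pam_unix)[21048]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
Mar 21 05:57:47 gateway sshd(pam_unix)[21050]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.34.23.2 user=root
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp, then hostname
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:illegal user )?\S+ from (\S+) port \d+")
PAM_RE = re.compile(TS + r"sshd\(pam_unix\)\[\d+\]: authentication failure;.* rhost=(\S+)")


def offenders(log_text, threshold=4, window=timedelta(minutes=30)):
    """Map each source (IP or rhost name) to the time of the failure that made
    `threshold` failures inside one `window`; quieter sources are omitted.
    syslog lines carry no year, so timestamps parse as 1900; only differences matter."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line) or PAM_RE.match(line)
        if m:
            times[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    hits = {}
    for src, seen in times.items():
        seen.sort()
        for i in range(threshold - 1, len(seen)):
            if seen[i] - seen[i - threshold + 1] <= window:  # `threshold` failures fit in the window
                hits[src] = seen[i]
                break
    return hits


def block_rules(sources, chain="HOST_BLOCK", iface=None):
    """One LOG-then-DROP pair per source, in the reply's shape. The chain name is
    an assumption: check the firewall script's real chain name before using it."""
    rules = []
    for src in sorted(sources):
        base = f"iptables -A {chain}" + (f" -i {iface}" if iface else "") + f" -s {src} -p tcp --dport 22"
        rules.append(base + " -m limit --limit 3/min --limit-burst 3 -j LOG --log-level 7 --log-prefix \"SSH'er: \"")
        rules.append(base + " -j DROP")
    return rules
```

Run `block_rules(offenders(SAMPLE_LOG))` to get the rule strings; with the sample above only 213.64.252.243 crosses the 4-failure threshold, while 211.34.23.2 (2 failures) does not.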