preventing password cracking attempts

SM777

Technical User
Mar 7, 2001
I'm experiencing a bad flood of password cracking attempts. What I usually do is see the IP address and block it in the .htaccess file.

But this time I'm seeing about 40 or 50 different IP addresses worldwide hitting me with random passwords.

What's the best thing to do now and in the future?

For now I have stopped Apache.

In the future I guess I need some tool to block ip addresses dynamically. How's this done?

I have a 404 redirect that brings up a page if an incorrect password is entered whilst trying to access a secure area. Is this not enough? Does it not slow the &*^£*^$ers down? Would the 404 redirect be better in, say, redirecting to a non-existent site?

Help me out here guys, it's late and I don't want to stay up all night.

Debian, Apache 1.3.20
 
Correction: I have a 401 redirect that brings up a page if an incorrect password is...
 
Hello there, have you closed some unused ports such as telnet, ftp, ssh etc.? If you don't use these ports please close them.
 
Those ports are fine.

The problem is that the guy is trying to access a secure area and he is using a dumb brute force tool like
It's not a big security issue as there is nothing much of value in the members area. It is more of a hindrance as it's slowing my site down and filling my log files up with 100,000s of hits.
 
I suppose you could write a script that would add the IP to the block list when it has failed at 3 attempts or so within a short period. I had problems a year ago with someone trying to break into one of my servers, so I set up a script that would insert all failed login attempts into a DB table, then move the lines from the log file into a backup logfile so I wouldn't keep hitting the same lines. Then I would query the database for failed attempts, and any IP that had more than 3 failures within 5 minutes would be added to my hosts.deny file, completely blocking the IP.

I then set up a script that would re-activate an IP after a certain time limit, i.e. 3 failures = deny 1 hour, 6 failures = deny 1 day, 9 failures = deny 2 days, 12 failures = deny 1 week, 12+ sends an email alert to me with a copy of the related lines from the log file...

I found these scripts did a good job at discouraging attempts (of course some of those !@#$^& idiots had several (probably stolen) accounts with different ISPs so they had IP addresses all over the place, but after a while they would realize that they only had 5 minutes with one address, and would have to re-connect to get another IP then try again, which would cost a few seconds). Anyway, after a couple of weeks and maybe 50 calls to a handful of ISPs, I was back to the usual 2 or 3 failures because someone forgot their password...

Unfortunately I don't have the scripts anymore, but the idea might help...
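An added example, not from the thread, of the log-scanning script described in the post above, written in Python rather than the poster's lost Perl: it reads Apache common-log lines, counts 401 responses per IP inside a sliding 5-minute window, and applies the 3/6/9/12 escalation ladder. The log lines, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 1.3 common log format; a 401 response is a failed .htpasswd login
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)           # 3 failures inside this window trigger a ban
# Escalation ladder from the post: total failures -> ban length (12+ is also the
# case where the post e-mails the admin with the matching log lines)
ESCALATION = [(3, timedelta(hours=1)), (6, timedelta(days=1)),
              (9, timedelta(days=2)), (12, timedelta(weeks=1))]

# Constructed sample access_log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2001:23:10:01 +0000] "GET /members/ HTTP/1.0" 401 401
203.0.113.5 - - [07/Mar/2001:23:10:03 +0000] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - - [07/Mar/2001:23:10:04 +0000] "GET /members/ HTTP/1.0" 401 401
203.0.113.5 - - [07/Mar/2001:23:10:06 +0000] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - - [07/Mar/2001:23:20:00 +0000] "GET /members/ HTTP/1.0" 401 401
198.51.100.7 - - [07/Mar/2001:23:20:01 +0000] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [07/Mar/2001:23:20:02 +0000] "GET /members/ HTTP/1.0" 401 401
"""

def parse_failures(lines):
    """Yield (ip, timestamp) for every 401 in the log, skipping unparsable lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "401":
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def ban_length(total):
    """Longest rung of the ladder reached by `total` failures (None below 3)."""
    length = None
    for threshold, delta in ESCALATION:
        if total >= threshold:
            length = delta
    return length

def ban_decisions(lines):
    """Return {ip: (total_failures, ban_length)} for IPs with 3+ 401s in one window."""
    recent, total, decisions = defaultdict(list), defaultdict(int), {}
    for ip, ts in parse_failures(lines):
        total[ip] += 1
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]  # sliding window
        if len(recent[ip]) >= 3:
            decisions[ip] = (total[ip], ban_length(total[ip]))
    return decisions

def hosts_deny_lines(decisions):
    """tcp_wrappers entries for /etc/hosts.deny, in the form the post used."""
    return [f"ALL: {ip}" for ip in sorted(decisions)]
```

In the sample, 198.51.100.7 fails three times in total but never three times inside one 5-minute window, so only 203.0.113.5 is banned. Note that hosts.deny is consulted by tcp_wrappers-aware services, not by Apache 1.3 itself, so for HTTP the same list would need to go into a .htaccess deny list or a packet filter such as ipchains.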
 
I was thinking along similar lines, but your idea of re-enabling the IP address after x minutes is a good one so that genuine members can get back on.

I have other thoughts on this. I have a redirect in .htaccess which runs a script when a 401 error is generated. What it does is display a password error page and ask the user to click here to try again. The IP details are also displayed.

Whilst this is useful for genuine members and the occasional "let's try guest and password" chummy, the tools the real crackers are using don't read the page. I had thought of redirecting to but their cracking tools don't do that.

From what I can gather they just read the returned header. If it says 401 it chops the return and submits another password. If it reads a 200 success then it stops and alerts chummy that a valid password has been found.

The trick is then for the script to print "200 header" or whatever the correct syntax is, as this then stops the password flooding. Chummy thinks he has a genuine password but when he tries it manually it won't let him in.
 
One other crucial point.

My Apache access_log files and my 401log script (which just logs the CLIENT_IP) showed about a hundred different IP addresses.

When I spoke to the web hosters they said that I was being hit by only 3 IP addresses, which were totally different to the ones I was seeing in the log files.

I'm waiting for them to clarify where they got their numbers from. I'm wondering if chummy was using any kind of spoofing to generate a random pool of IP addresses.

My log files also record HTTP_BROWSER, referer, Windows version etc., and I can see about a dozen different IE4, 5, NT4, AOL machines in the log files.

Totally confused with this, because if I do write a script which blocks the IP address then surely the IP address is false?
 
Come on guys, any help here?

Let me run it by you again. I have a private area secured by a .htaccess .htpasswd setup.

Chummy is using something like to brute force attempt to find a valid password.

I can't block his IP address because he is spoofing from a pool of hundreds of IP addresses. I can't complain to his ISP for the same reason.

I'm converting to a PHP login system but this will take me time.

Help me out here guys, I'm getting 100,000 hits an hour.
 
I just checked the log files in Excel. He's hit me with 1171 different IP addresses in the past hour.

What can I do about that? I could cut and paste into the .htaccess deny list, but is that wise with that amount of entries? Will the server slow down trying to process it?
 
There are no easy answers.

Are you running ipchains? You could write a script that creates an ipchains rule that denies the offending IP. Or, if you're not running ipchains, how about a route deny statement in the routing table?

PortSentry may be of some use, maybe worth looking at.

Access lists on the router or firewall may also prove useful.
-Danny
dan@snoboarder.net
 
Danny, what is the point in using ipchains if the guy is spoofing IP addresses? You'll just block valid IP addresses and he'll just pick a new one next time.

I've been watching his patterns. He uses a pool of X random IP addresses and even spoofs the browser, Windows version, referral etc. Each IP address hits about 20 times. The IP addresses are not incremental (e.g. 200.10.10.1 then 200.10.10.2) but random between 195 and 210.something.

Look, we are clearly getting nowhere here and I don't think the denizens of this forum are interested because it doesn't affect them. But it may do, so let's come up with some good ideas.

First, what do we know?

A brute force password cracking program is in use. This program spoofs IP addresses, making identification of the source impossible. Blocking the offending IP is futile because the program just picks a new IP - you'll just end up with 1000s of blocked senders in your .htaccess.

What can we do?

We can't block the IP address for the reasons above. We can't complain to the ISP of the IP address because the guy is masquerading.

1) Create a Perl script that is fired up when a 401 error occurs. This script sends the header "200 Status OK" to fool the password cracking tool into thinking a valid password has been found. Downside is that no genuine members can access the private area.

2) Rename the members area. This will generate thousands of 404 errors and chummy may stop his program and give up. Downside is that genuine members can't access your site whilst this is in progress.

3) Temporarily remove the password protected area (rename the .htaccess). This has the effect of making the brute force password cracking tool register a 'positive hit'. If chummy is not at his keyboard and is letting the program run to find passwords, then he is going to receive thousands of 200 Status OK and his screen will fill up with what he thinks are genuine passwords. OK, the downside is that your private area will be open to the world. But will it matter for 5 mins? Isn't it best to let freeloaders have some free time rather than regular members have downtime?

What I have done is 3). I let his program hit me and then I watched the logs to see when his program stopped. He thought that he had found a valid user (say 222) and then 5 minutes later he tried logging in with the user 222. Now to me this is like an undercover sting. The login of 222 was out of sequence and timeslice, so that indicates to me that this login with 222 was the guy typing at his keyboard thinking it was genuine. Unfortunately the failed password log this time was registered as a German newspaper, so that proves that he is still spoofing.

My only other option is to let him have what he wants. If, when he attacks again (every night now for the past 10 nights), I rename the .htaccess, I'll let him have a browse around the private area.

I'm working on converting to Perl, but I just can't believe that in this forum, the Perl forum, and the Apache forum not many punters are bothered with this. OK, it is not as serious as brute forcing the server root password, but to me it is darn cheeky and downright despicable. I have paying customers and someone reckons he can get it for nothing.
 
typo -> I'm working on converting to PHP and ditching .htaccess
 