ssh hammering help 1

[Grub3r]

Hello,

I've been hammered on the ssh.

Sep 10 15:14:28 sshd[7287]: Did not receive identification string from 208.65.60.51
Sep 10 15:24:09 sshd[7474]: Invalid user staff from 208.65.60.51
Sep 10 15:25:00 sshd[7474]: reverse mapping checking getaddrinfo for geek.nerfimages.net failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 13:25:00 sshd[7475]: input_userauth_request: invalid user staff
Sep 10 15:25:00 sshd[7474]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 15:25:00 sshd[7474]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.65.60.51
Sep 10 15:25:00 sshd[7474]: pam_succeed_if(sshd:auth): error retrieving information about user staff
Sep 10 13:25:01 sshd[7475]: Failed password for invalid user staff from 208.65.60.51 port 41717 ssh2
Sep 10 13:25:01 sshd[7475]: Connection closed by 208.65.60.51
Sep 10 15:25:01 sshd[7474]: Failed password for invalid user staff from 208.65.60.51 port 41717 ssh2

I'm receving many attempts like this one form different ips every day.


Is there anything I can do to block people who are trying to guess:

-wrong(non-existing) username more than 3 times in an hour
-password for any user more than 3 times in an hour

Changing the ssh port number is not an option.

Thanks in advance.

Regards Dan

 

[QatQat]

Hi grub3r,

Here is an old post of mine related to the same problem.
I must say though that changing the port worked immediately and is probably the easiest solution.

http://www.tek-tips.com/viewthread.cfm?qid=1093086

In the post there are a numebr of alternative solutions.

Cheers

QatQat



Life is what happens when you are making other plans.

 

[thedaver]

Change the port, a good idea.

Also, you can create entries into
/etc/hosts.deny

using format

ssh : ip.ip.ip.ip

Which will deny certain IPs from being re-admitted to your ssh port.

consider logwatcher as a means to detect.

Also, make sure that you disable password logins for 'root' in your sshd_config file.

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[thedaver]

Sorry, that syntax for /etc/hosts.deny is

sshd : ip.ip.ip.ip




D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[lgarner]

check ossec-hids (

http://www.ossec.net)

 

[Grub3r]

Thanks for the tips,

QatQat: I've read the thread you linked to and I've found many interesting things.

thedaver:
I can't change the port number but I could think to prohibit the ssh root login.


I also can't add ALL:ALL to hosts.deny, because I want to be able to login on my server from any place.

I'm considering using 3rd. party logwatcher.

Regards Dan

 

[thedaver]

Uh,
My suggestion, if you misread was to identify the IPs of the offending parties and ban them through the entries in the /etc/hosts.deny file.

Thus, if someone from 1.1.1.2 was pestering you, add the line

sshd : 1.1.1.2

into /etc/hosts.deny

Bingo, they are blocked. There's no ALL:ALL involved here, still a permissive ruleset that blocks specific IPs.

Yes, it's a reactive game....

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[Atavar]

If I am not mistaken you can add your own permitted networks/IP's in to /etc/hosts.allow which is checked *before* hosts.deny. That way your can deny all and allow some.

 

[Grub3r]

Hello again,

As I mentioned in my reply I can't restrict to any allowable IPs, because I would still want to login from any location and when I prohibit any and allow some that would still be problem to login from unknown address.

thedaver:
Yes, that would do it and I have actually used this method only with ALL: ip, who's hammering is no friend to me and should be banned on all services.

I'm testing out fail2ban, checks throuh security logs and adds offensive IPs to the hosts.deny

thanks for the help everybody.

Regards Dan

 

[marsd]

Dictionary attacks are painful but not prohibitively so.
A couple of pointers.

* Root cannot login via ssh.
* Users must use keys (no password based auth) and policy
regarding strong passwords and key safety are enforced.
* Limit connects to port 22 in kernelspace via netfilter
and plug in a userspace mechanism to alert and identify
RLA (repetitive login atrocities).

HTH

 

[stefanwagner]

Depending on your requirements, diffenent methods may be appropriate.

I use:
- no root login
- all users need strong passwords

I observe small attacks every few days, but those people try one username ('admin', 'root', 'joe', ... ), try one to 5 passwords, repeat with the next username, and leave after a few minutes.
They don't try more than one login per second and would need zillions of years to find the password with brute force - but they don't even find a valid username.

So I don't bother about ping and port.

Sometimes I look for the source of the attack, and if it's a german source (where I live), I inform the provider (allmost allways these attacks are from dial-in networks) about IP and date/time of the attack.

seeking a job as java-programmer in Berlin:

http://home.arcor.de/hirnstrom/bewerbung

 

[gbaughma]

This is probably a botnet-based attack; I've seen it used to "harvest" my server for valid e-mail addresses.

I'll see apple@parallel.tzo.com, adam@parallel.tzo.com, alfred@parallel.tzo.com etc. etc. etc.....

I'll see, say, 40 or 50 come from one IP address (reverse lookup usually shows it on a cable modem, DSL, or college), then the sequence CONTINUES from another IP address on a different network.

Definately distributed harvesting going on.

And what are they doing? They're watching for addresses that don't get "bounced". When one doesn't get "bounced", then they know it's a valid e-mail address, and the spam begins.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

http://parallel.tzo.com

 

[segment]

Dirty but more or less what you would want

#!/bin/sh
# Dirty SSH Blocker
# sil at infiltrated dot net // segment

cat > /usr/local/bin/sshblox << EOF
#!/bin/sh
awk '/Failed password/{print $13}' /var/log/secure|grep "\."|sort -ru >> /tmp/host.deny
diff /etc/hosts.deny /tmp/hosts.deny|grep ">" >> /etc/hosts.deny
EOF

mkdir ~/hosts.denied

cat > /usr/local/bin/cleandeny << EOF
mv /etc/hosts.deny ~/hosts.denied

EOF

chmod +x /usr/local/bin/sshblox
chmod +x /usr/local/bin/cleandeny

.........................................

Then run /usr/local/bin/sshblox and /usr/local/bin/cleandeny from cron...

* * * * * /usr/local/bin/sshblox &>/dev/null
0,15,30,45 * * * * /usr/local/bin/cleandeny &>/dev/null

Tested on Scientific Linux should work with slight modifications... Check your fields with awk first...

awk '/Failed password/{print $13}' /var/log/secure

You also want to modify the timing for the crontab entry on cleandeny
.........................................

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[segment]

Sorry... should have double checked. Anyhow this one is fine. Changed awk to read the IP addresses from user who enter a bogus name... Took out saving /etc/hosts.deny made no sense. Thought some would like to have a complete list of luzers repeatedly connecting. Anyhow... Try it out should be fine to run on most versions of Linux and BSD... Maybe I'll try it on Solaris tomorrow or something

#!/bin/sh
# Dirty SSH Brute Force Blocker
# sil at infiltrated dot net // segment

cat > /usr/local/bin/sshblox << EOF
#!/bin/sh

if [ -e /tmp/hosts.deny ]
then
rm /tmp/hosts.deny
fi

awk '/error retrieving/{getline;print \$13}' /var/log/secure|sort -ru >> /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny |awk '{print $2}'|grep "\."
EOF

if [ -e ~/hosts.denied ]

then echo "" >/dev/null
else mkdir /tmp/hosts.deny

fi

cat > /usr/local/bin/cleandeny << EOF
rm /etc/hosts.deny

EOF

chmod +x /usr/local/bin/sshblox
chmod +x /usr/local/bin/cleandeny

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'

 

[gbaughma]

Another bug in your code.... it creates a directory called /tmp/hosts.deny, then tries to do a diff on it....



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

http://parallel.tzo.com

 

[gbaughma]

Also, would you mind putting your stuff in the

 blocks as well? :D



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg  [URL unfurl="true"]http://parallel.tzo.com[/URL]

 

[thedaver]

I thought I posted this, but I wrote a little series of scripts around this kind of activity...

http://www.bantcp.com/

It's free.

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[hercj]

Here is a script I use. you only need to add a table to your firewall.

#!/bin/bash

# bad login lines
ssh_line=/tmp/ssh_line
touch $ssh_line

# all ip addresses, duplicated after each script execution
all_ip=/tmp/blacklist
touch $all_ip

# intermediary merge (old + new ips) file
merge_ip=/tmp/blackmerge
touch $merge_ip

# list of unique banned ip addresses
black_ip=/var/log/blacklist
touch $black_ip

# extract guilty ip addresses (Change log location to match yours)
grep sshd /var/log/messages | grep Failed | grep invalid > $ssh_line
cut -d : -f 7 $ssh_line | cut -d '\' -f 1 | grep -o '[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,3\}' | sort | uniq > $all_ip

# get rid of duplicates
echo -n ^\^] > $merge_ip
cat $all_ip | sort | uniq > $merge_ip
cat $black_ip | sort | uniq >> $merge_ip
cat $merge_ip | sort | uniq > $black_ip

# insert all unique ips into iptables
# make sure to add Block-ip table and a rule to use the table or You change the script to add the rule into your input table
/sbin/iptables -F Block-ip
file=`cat $black_ip`
for ip in $file; do
/sbin/iptables -A Block-ip -s $ip -j DROP
done
/sbin/service iptables save

 

[gbaughma]

Thanks to thedaver for THIS great link.

It solved my problem.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

http://parallel.tzo.com

 

[thedaver]

Thank the script's author, mah man, I'm just a messenger on that one.
Glad you're winning the battle!

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/