 From:  "Quark IT - Hilton Travis" <Hilton at QuarkIT dot com dot au>
 To:  "Ryan Mullins" <rmullins at ciscomonkey dot net>, "Frank Richter" <richter at mpia dash hd dot mpg dot de>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Block 300 IP's
 Date:  Fri, 19 Dec 2008 16:52:35 +1000
> -----Original Message-----
> From: Ryan Mullins [mailto:rmullins at ciscomonkey dot net]
> Sent: Thursday, 18 December 2008 10:32 PM
> 
> 
> On Dec 18, 2008, at 2:22 AM, Frank Richter wrote:
> 
> > Hi,
> >
> > is it possible to block 300 IP's easily with Mono?
> >
> >
> > Background:
> > I want to block the ongoing ssh-brute-force-attempts (300 IP's) to
> > me network. But in Mono
> > it's only possible to block networks or single hosts (I will not add
> > 300 rules).
> >
> > Is there a way may be hidden to add something like:
> >
> > ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination
> > port 22
> >
> > Or set an alias and this alias points to 300 IP's
> >
> > Best regards
> >   Frank Richter
> >
> > --
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> 
> I hit the same problem all the time here in my home network.
> Unfortunately, there's no good way to do this at the m0n0wall level
> that I've found -- someone please correct me if they have found a good
> way to deal with this e.g. 10 minute timer for a firewall rule.  The
> better way to deal with this IMHO is at the host.
> 
> Some options for you:
> 1. Change the default port
> 
> Configure SSH daemon to listen on a non-standard port.  Just edit the
> sshd_config file and modify the value for Port, and make sure to
> update your firewall rules for the NAT.  This alone helps out a lot as
> it stops those that are just scanning for SSH servers on their default
> ports, any advanced port scanner will still find it, but it does make
> a difference - this alone dropped most of the attacks on my network by
> about 70%.
> 
> 2. Disable password authentication - use keyless logins
> 
> This will mean that you can only authenticate if you have the correct
> private key.  Make sure you keep an off box copy of these keys!!!
> Especially if you're getting in remotely from a laptop.  If you go
> this route, do NOT use password-less keys, and have your ssh-agent set
> up to not cache between logins.  If you don't and someone steals your
> laptop and logs in, they've basically got the keys to the kingdom at
> that point.  To disable password authentication on the server, change
> the value of PasswordAuthentication to no in your sshd_config.
> 
> 3. Limit connections
> 
> You can also limit the number of SYN (connection establishment)
> packets.  This should be unnoticed by legitimate users, but it will
> delay an attacker that is making repeated connections.  If you wanted
> to limit the rate to 3 per minute and were using port 2000:
> 
> iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
> iptables -A INPUT -p tcp --dport 2000 --syn -j DROP
> 
> (If you need other firewall commands, let me know.  I'm just looking
> on a local box here that's running iptables. :))
> 
> 4. Deploy Anti-Brute-Force Tools
> 
> sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server
> logs, detects repeated failed login attempts and adds the hosts to a
> black list.
> http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
>   - I use this one, but mainly because it's perl and I can add
> anything that I think is missing. :)
> 
> SSHBan - SSHban is simple daemon designed to ban attackers. Instead of
> scanning SSH logs, SSHBan directly receives data from the logger.
> http://linux.softpedia.com/get/Internet/Log-Analyzers/sshban-
> 15591.shtml
> 
> SSHDFilter -SSHDFilter blocks the frequent brute-force attacks by
> directly reading the SSH daemon logs and generating firewall rules to
> block the attack. The blocking firewall policy is defined by a list of
> block-rules.  http://www.csc.liv.ac.uk/~greg/sshdfilter/
> 
> Brute-Force Detection -BFD is a shell script for parsing application
> logs and checking for authentication failures and block the IP address
> using custom firewall rules. http://www.rfxnetworks.com/bfd.php
> SSHGuard - Protects networks from brute force attacks against ssh
> servers. It detects such attacks and blocks the host's address with a
> firewall rule. http://sshguard.sourceforge.net/
> 
> And there are plenty more out there to add to that list.
> 
> Hope that helps.
> 
> -Ryan

http://code.google.com/p/denyssh/

--

http://hiltont.blogspot.com/

Regards,

Hilton Travis                       Phone: +61 (0)7 3105 9101
(Brisbane, Australia)               Phone: +61 (0)419 792 394
Manager, Quark IT                   http://www.quarkit.com.au
         Quark Group                http://www.quarkgroup.com.au

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed.

                    Quark Group Pty. Ltd.
      T/A Quark Automation, Quark AudioVisual, Quark IT
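The log-watching tools Ryan lists under "Deploy Anti-Brute-Force Tools" (sshd_sentry, SSHDFilter, BFD, SSHGuard) all do the same core job: read sshd's "Failed password" lines, count failures per source address inside a time window, and emit a firewall rule once a threshold is crossed. The following is an added illustration of that logic, written for this thread; it is not the code of any of those projects, and the log lines, the 5-failures-in-10-minutes policy, the `allowlist` parameter and the year passed to the timestamp parser are constructed assumptions. The allowlist exists for the lock-out case Ryan warns about: a typo-prone admin on a known address should never end up in the block list.

```python
"""Minimal sshd brute-force detector: per-source sliding-window failure
counting with an allowlist, emitting block rules as text.
Added example for this mailing-list thread; not sshd_sentry, SSHGuard,
SSHDFilter, BFD or any other tool named in the discussion."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the classic OpenSSH syslog line for a failed password attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (documentation addresses, not real attackers):
#  - 203.0.113.7   five failures in ten seconds        -> should be banned
#  - 198.51.100.23 two failures, then a key login      -> left alone
#  - 203.0.113.99  five failures, fifteen minutes apart -> outside the window
#  - 192.0.2.10    five failures, but allowlisted       -> counted, never banned
SAMPLE_LOG = """\
Dec 18 02:20:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Dec 18 02:20:03 gw sshd[4012]: Failed password for invalid user oracle from 203.0.113.7 port 51530 ssh2
Dec 18 02:20:05 gw sshd[4013]: Failed password for root from 203.0.113.7 port 51541 ssh2
Dec 18 02:20:08 gw sshd[4014]: Failed password for root from 203.0.113.7 port 51552 ssh2
Dec 18 02:20:11 gw sshd[4015]: Failed password for invalid user test from 203.0.113.7 port 51560 ssh2
Dec 18 02:21:00 gw sshd[4016]: Failed password for frank from 198.51.100.23 port 40001 ssh2
Dec 18 02:21:04 gw sshd[4017]: Failed password for frank from 198.51.100.23 port 40002 ssh2
Dec 18 02:21:09 gw sshd[4018]: Accepted publickey for frank from 198.51.100.23 port 40003 ssh2
Dec 18 02:30:00 gw sshd[4020]: Failed password for root from 203.0.113.99 port 6001 ssh2
Dec 18 02:45:00 gw sshd[4021]: Failed password for root from 203.0.113.99 port 6002 ssh2
Dec 18 03:00:00 gw sshd[4022]: Failed password for root from 203.0.113.99 port 6003 ssh2
Dec 18 03:15:00 gw sshd[4023]: Failed password for root from 203.0.113.99 port 6004 ssh2
Dec 18 03:30:00 gw sshd[4024]: Failed password for root from 203.0.113.99 port 6005 ssh2
Dec 18 03:40:00 gw sshd[4025]: Failed password for invalid user admin from 192.0.2.10 port 7001 ssh2
Dec 18 03:40:01 gw sshd[4026]: Failed password for invalid user admin from 192.0.2.10 port 7002 ssh2
Dec 18 03:40:02 gw sshd[4027]: Failed password for invalid user admin from 192.0.2.10 port 7003 ssh2
Dec 18 03:40:03 gw sshd[4028]: Failed password for invalid user admin from 192.0.2.10 port 7004 ssh2
Dec 18 03:40:04 gw sshd[4029]: Failed password for invalid user admin from 192.0.2.10 port 7005 ssh2
"""


def parse_syslog_ts(text, year=2008):
    """Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


class BruteForceDetector:
    """Ban a source once it produces `threshold` failures inside `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), allowlist=()):
        self.threshold = threshold
        self.window = window
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban was decided
        self.suppressed = defaultdict(int)   # allowlisted ip -> failures ignored

    def feed(self, line, year=2008):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # not a failed-password line
        ip, ts = m["ip"], parse_syslog_ts(m["ts"], year)
        if ip in self.allowlist:
            self.suppressed[ip] += 1         # visible in reports, never blocked
            return None
        if ip in self.banned:
            return None                      # already decided, do not re-ban
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.threshold:
            self.banned[ip] = ts
            recent.clear()
            return ip
        return None

    def feed_lines(self, text, year=2008):
        """Feed a whole log; return the IPs banned, in the order decided."""
        return [ip for line in text.splitlines() if (ip := self.feed(line, year))]


def block_rules(ips, port=22):
    """Render one DROP rule per banned address, in the iptables syntax used in the thread."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    det = BruteForceDetector(allowlist={"192.0.2.10"})
    det.feed_lines(SAMPLE_LOG)
    print("\n".join(block_rules(det.banned)))
    print("allowlisted failures ignored:", dict(det.suppressed))
```

Run against the sample, only 203.0.113.7 is banned: 203.0.113.99 never has more than one failure inside any ten-minute window, so a window-free counter would block it while this one does not, and 192.0.2.10 is reported but protected by the allowlist. A real deployment would tail the log instead of reading a string, apply the rules through the firewall rather than printing them, and expire bans after a fixed time, which is the "10 minute timer" Ryan wished m0n0wall could do natively.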