 From:  Frank Richter <richter at mpia dash hd dot mpg dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block 300 IP's
 Date:  Fri, 19 Dec 2008 09:57:02 +0100
Frank Richter wrote:
> is it possible to block 300 IPs easily with Mono?
> Background:
> I want to block the ongoing ssh brute-force attempts (300 IPs) to my 
> network. But in Mono
> it's only possible to block networks or single hosts (I will not add 
> 300 rules).
> Is there a way, maybe hidden, to add something like:
> ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination 
> port 22
> Or set an alias and have this alias point to 300 IPs
> YvesDM wrote:
>> I think it's a better idea to simply not allow password based logins to your
>> ssh server and only use certificates for ssh logins.
>> Or you can limit ssh logins from a single ip which will also solve your
>> problems.
>> The way you want to do it keeps you going all the time, coz next week the
>> attacks come from somewhere else.
> Ryan Mullins wrote:
>> I hit the same problem all the time here in my home network. 
>> Unfortunately, there's no good way to do this at the m0n0wall level 
>> that I've found -- someone please correct me if they have found a 
>> good way to deal with this e.g. 10 minute timer for a firewall rule. 
>> The better way to deal with this IMHO is at the host.
>> Some options for you:
>> 1. Change the default port
>> Configure SSH daemon to listen on a non-standard port. Just edit the 
>> sshd_config file and modify the value for Port, and make sure to 
>> update your firewall rules for the NAT. This alone helps out a lot as 
>> it stops those that are just scanning for SSH servers on their 
>> default ports, any advanced port scanner will still find it, but it 
>> does make a difference - this alone dropped most of the attacks on my 
>> network by about 70%.
>> 2. Disable password authentication - use keyless logins
>> This will mean that you can only authenticate if you have the correct 
>> private key. Make sure you keep an off box copy of these keys!!! 
>> Especially if you're getting in remotely from a laptop. If you go 
>> this route, do NOT use password-less keys, and have your ssh-agent 
>> set up to not cache between logins. If you don't and someone steals 
>> your laptop and logs in, they've basically got the keys to the 
>> kingdom at that point. To disable password authentication on the 
>> server, change the value of PasswordAuthentication to no in your 
>> sshd_config.
>> 3. Limit connections
>> You can also limit the number of SYN (connection establishment) 
>> packets. This should be unnoticed by legitimate users, but it will 
>> delay an attacker that is making repeated connections. If you wanted 
>> to limit the rate to 3 per minute and were using port 2000:
>> # iptables long options take two dashes; the single-dash forms were a mail mangling
>> iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m \
>>   --limit-burst 3 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 2000 --syn -j DROP
>> (If you need other firewall commands, let me know. I'm just looking 
>> on a local box here that's running iptables. :))
>> 4. Deploy Anti-Brute-Force Tools
>> sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server 
>> logs, detects repeated failed login attempts and adds the hosts to a 
>> black list. 
>> http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry - I 
>> use this one, but mainly because it's perl and I can add anything 
>> that I think is missing. :)
>> SSHBan - SSHban is simple daemon designed to ban attackers. Instead 
>> of scanning SSH logs, SSHBan directly receives data from the logger. 
>> http://linux.softpedia.com/get/Internet/Log-Analyzers/sshban-15591.shtml
>> SSHDFilter -SSHDFilter blocks the frequent brute-force attacks by 
>> directly reading the SSH daemon logs and generating firewall rules to 
>> block the attack. The blocking firewall policy is defined by a list 
>> of block-rules. http://www.csc.liv.ac.uk/~greg/sshdfilter/
>> Brute-Force Detection -BFD is a shell script for parsing application 
>> logs and checking for authentication failures and block the IP 
>> address using custom firewall rules. http://www.rfxnetworks.com/bfd.php
>> SSHGuard - Protects networks from brute force attacks against ssh 
>> servers. It detects such attacks and blocks the host's address with a 
>> firewall rule. http://sshguard.sourceforge.net/
>> And there are plenty more out there to add to that list.
> Lee Sharp wrote:
>> No, but...
>> First, let me add to Ryan, you can use fail2ban. I love this program! 
>> It cuts a lot of garbage out.
>> Now that said, you need to expand your concept of network. Start by 
>> sorting your ip addresses. Now do a 'whois' of one. See how many that 
>> netblock hits. Block that netblock. Also do the same for your IP 
>> addresses that you connect from, and allow them. For example, I use 
>> AT&T dsl at home. It is in the netblock, and if I allow 
>> only that I can still always connect. This may help... 
>> http://www.subnet-calculator.com/cidr.php
>> With that approach, you can knock your 300 down to probably 10 or 
>> less. Or allow only the subnet you are likely to use, which would 
>> probably be 5 or less.
> Quark IT - Hilton Travis wrote:
>> http://code.google.com/p/denyssh/
>> --
>> http://hiltont.blogspot.com/

Many thanks for all your suggestions. I've learned that blocking these 
brute-force attempts at the firewall is not the right place.
I see in my logs that an attacker tries to connect to all my SSHDs 
(three) nearly simultaneously and then disappears for a long time (25h), 
and the next attacker tries the same username and disappears again.

Changing the port from 22 to something different is not possible, nor is 
the use of keys ;-(

But I will check some of the above-mentioned tools for detecting attacks.

I'll add another tool to those mentioned above, which is in the FreeBSD 
ports tree (I have not tested yet whether it can detect and 
block the attackers):

denyhosts http://denyhosts.sourceforge.net/

Many thanks again

Merry Christmas and a Happy New Year!

Best regards
Frank Richter
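As an added illustration of what the log-watching tools listed above (sshguard, sshdfilter, fail2ban, denyhosts) do internally, and of the "one alias pointing to many IPs" that the original question asked for, here is a small detector written for this thread. It is example code, not code from m0n0wall or from any of the named tools. It assumes OpenSSH "Failed password" syslog lines, a simple failures-per-window threshold, and a FreeBSD host running ipfw (m0n0wall's own packet filter is ipfilter, so the generated commands are for a FreeBSD server behind the firewall, not for the m0n0wall box itself). The log lines are constructed, using RFC 5737 documentation addresses.

```python
#!/usr/bin/env python3
"""Detect ssh brute-force sources in sshd log lines and emit ipfw table commands.

Hypothetical example for the m0n0wall thread above, not code from m0n0wall,
sshguard, fail2ban or denyhosts. Assumes OpenSSH syslog lines and an ipfw host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (documentation addresses only), not real traffic.
SAMPLE_LOG = """\
Dec 19 09:01:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Dec 19 09:01:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Dec 19 09:01:06 gw sshd[1203]: Failed password for root from 203.0.113.5 port 40213 ssh2
Dec 19 09:01:08 gw sshd[1204]: Failed password for invalid user oracle from 198.51.100.77 port 5121 ssh2
Dec 19 09:02:30 gw sshd[1205]: Accepted publickey for frank from 192.0.2.10 port 51000 ssh2
Dec 19 09:03:00 gw sshd[1206]: Failed password for invalid user test from 203.0.113.9 port 40300 ssh2
Dec 19 09:03:02 gw sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 40301 ssh2
Dec 19 09:03:04 gw sshd[1208]: Failed password for invalid user test from 203.0.113.9 port 40302 ssh2
Dec 19 10:30:00 gw sshd[1300]: Failed password for invalid user admin from 198.51.100.77 port 5200 ssh2
"""

# OpenSSH failed-password line: timestamp, host, sshd[pid], optional "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source ip, user) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: time it tripped} for sources with >= threshold failures inside window.

    A sliding window per source: slow attackers (the 25h pattern Frank describes)
    do not trip a short window, which is why the window and threshold are parameters.
    """
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def netblocks(ips, prefix=24):
    """Group offenders by /prefix so a range with several hitters can be blocked as one.

    A crude stand-in for Lee Sharp's whois lookup, which gives the real allocation.
    """
    groups = defaultdict(set)
    for ip in ips:
        groups[ip_network(f"{ip}/{prefix}", strict=False)].add(ip_address(ip))
    return groups


def ipfw_commands(ips, table=1, port=22):
    """One ipfw table holds every address; a single deny rule references the table.

    This is the 'alias pointing to 300 IPs' the thread asked for, on an ipfw host.
    """
    cmds = [f"ipfw table {table} add {ip}" for ip in sorted(ips, key=ip_address)]
    cmds.append(f"ipfw add deny tcp from 'table({table})' to me dst-port {port}")
    return cmds


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG)
    for ip, when in sorted(bad.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip} tripped the threshold at {when:%b %d %H:%M:%S}")
    for net, members in netblocks(bad).items():
        if len(members) > 1:
            print(f"{len(members)} offenders share {net}")
    print("\n".join(ipfw_commands(bad)))
```

With the defaults (3 failures within 10 minutes) the two fast sources are flagged and the slow one at 198.51.100.77 is not, which is exactly the limitation of log-threshold tools against the low-and-slow pattern described in the reply above; widening the window or lowering the threshold catches it at the cost of more false positives. The table approach also answers the original question on an ipfw host: adding or expiring an address is a table operation, the rule set itself never changes.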