 
 From:  "Quark IT - Hilton Travis" <Hilton at QuarkIT dot com dot au>
 To:  "Frank Richter" <richter at mpia dash hd dot mpg dot de>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Block 300 IP's
 Date:  Sat, 20 Dec 2008 00:18:31 +1000
> -----Original Message-----
> From: Frank Richter [mailto:richter at mpia dash hd dot mpg dot de]
> Sent: Friday, 19 December 2008 6:57 PM
> 
> Frank Richter wrote:
> >
> > is it possible to block 300 IP's easily with Mono?
> >
> >
> > Background:
> > I want to block the ongoing ssh-brute-force-attempts (300 IP's) to
> > my network. But in Mono
> > it's only possible to block networks or single hosts (I will not add
> > 300 rules).
> >
> > Is there a way may be hidden to add something like:
> >
> > ipfw add deny from x.x.x.x, y.y.y.y, w.w.w.w, v.v.v.v to destination
> > port 22
> >
> > Or set an alias and this alias points to 300 IP's
> > YvesDM wrote:
> >> I think it's a better idea to simply not allow password-based
> >> logins to your ssh server and only use certificates for ssh logins.
> >> Or you can limit ssh logins from a single ip which will also solve
> >> your problems.
> >> The way you want to do it keeps you going all the time, coz next
> >> week the attacks come from somewhere else.
> >>
> > Ryan Mullins wrote:
> >>
> >> I hit the same problem all the time here in my home network.
> >> Unfortunately, there's no good way to do this at the m0n0wall level
> >> that I've found -- someone please correct me if they have found a
> >> good way to deal with this, e.g. a 10 minute timer for a firewall
> >> rule.
> >> The better way to deal with this IMHO is at the host.
> >>
> >> Some options for you:
> >> 1. Change the default port
> >>
> >> Configure the SSH daemon to listen on a non-standard port. Just edit
> >> the sshd_config file and modify the value for Port, and make sure to
> >> update your firewall rules for the NAT. This alone helps out a lot
> >> as it stops those that are just scanning for SSH servers on their
> >> default ports; any advanced port scanner will still find it, but it
> >> does make a difference - this alone dropped most of the attacks on
> >> my network by about 70%.
> >>
> >> 2. Disable password authentication - use keyless logins
> >>
> >> This will mean that you can only authenticate if you have the
> >> correct private key. Make sure you keep an off-box copy of these
> >> keys!!!
> >> Especially if you're getting in remotely from a laptop. If you go
> >> this route, do NOT use password-less keys, and have your ssh-agent
> >> set up to not cache between logins. If you don't and someone steals
> >> your laptop and logs in, they've basically got the keys to the
> >> kingdom at that point. To disable password authentication on the
> >> server, change the value of PasswordAuthentication to no in your
> >> sshd_config.
> >>
> >> 3. Limit connections
> >>
> >> You can also limit the number of SYN (connection establishment)
> >> packets. This should be unnoticed by legitimate users, but it will
> >> delay an attacker that is making repeated connections. If you
> >> wanted to limit the rate to 3 per minute and were using port 2000:
> >>
> >> iptables -A INPUT -p tcp --dport 2000 --syn -m limit --limit 1/m \
> >>     --limit-burst 3 -j ACCEPT
> >> iptables -A INPUT -p tcp --dport 2000 --syn -j DROP
> >>
> >> (If you need other firewall commands, let me know. I'm just looking
> >> on a local box here that's running iptables. :))
> >>
> >> 4. Deploy Anti-Brute-Force Tools
> >>
> >> sshd_sentry - SSHD Sentry is a Perl script that monitors SSH server
> >> logs, detects repeated failed login attempts and adds the hosts to
> >> a black list.
> >> http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry -
> >> I use this one, but mainly because it's perl and I can add anything
> >> that I think is missing. :)
> >>
> >> SSHBan - SSHban is a simple daemon designed to ban attackers. Instead
> >> of scanning SSH logs, SSHBan directly receives data from the
> >> logger.
> >> http://linux.softpedia.com/get/Internet/Log-Analyzers/sshban-15591.shtml
> >>
> >> SSHDFilter - SSHDFilter blocks the frequent brute-force attacks by
> >> directly reading the SSH daemon logs and generating firewall rules
> >> to block the attack. The blocking firewall policy is defined by a
> >> list of block-rules. http://www.csc.liv.ac.uk/~greg/sshdfilter/
> >>
> >> Brute-Force Detection - BFD is a shell script for parsing
> >> application logs, checking for authentication failures and blocking
> >> the IP address using custom firewall rules.
> >> http://www.rfxnetworks.com/bfd.php
> >>
> >> SSHGuard - Protects networks from brute force attacks against ssh
> >> servers. It detects such attacks and blocks the host's address with
> >> a firewall rule. http://sshguard.sourceforge.net/
> >>
> >> And there are plenty more out there to add to that list.
> >>
> >>
> > Lee Sharp wrote:
> >>
> >> No, but...
> >>
> >> First, let me add to Ryan: you can use fail2ban. I love this
> >> program! It cuts a lot of garbage out.
> >>
> >> Now that said, you need to expand your concept of network. Start by
> >> sorting your ip addresses. Now do a 'whois' of one. See how many
> >> that netblock hits. Block that netblock. Also do the same for your
> >> IP addresses that you connect from, and allow them. For example, I
> >> use AT&T dsl at home. It is in the netblock 70.128.0.0/12, and if I
> >> allow only that I can still always connect. This may help...
> >> http://www.subnet-calculator.com/cidr.php
> >>
> >> With that approach, you can knock your 300 down to probably 10 or
> >> less. Or allow only the subnet you are likely to use, which would
> >> probably be 5 or less.
> > Quark IT - Hilton Travis wrote:
> >> http://code.google.com/p/denyssh/
> >>
> >> --
> >>
> >> http://hiltont.blogspot.com/
> >>
> 
> Many thanks for all your suggestions. I've learned that the firewall
> is not the right place to block these brute-force attempts.
> I see in my logs that an attacker tries to connect to all my SSHDs
> (three) nearly simultaneously and then disappears for a long time
> (25h), and the next attacker tries the same username and disappears
> again.
> 
> Changing the port from 22 to something different is not possible, nor
> is the use of keys ;-(
> 
> But I will check some of the above-mentioned tools for detecting
> attacks.
> 
> I add another tool to the above-mentioned, which is in the FreeBSD
> ports tree (I've not tested this currently, to see whether it's
> possible to detect and block the attackers with it):
> 
> denyhosts http://denyhosts.sourceforge.net/
> 
> Many thanks again
> 
> Merry Christmas and a Happy New Year!
> 
> 
> > Best regards
> > Frank Richter

G'day Frank,

The issue I have with DenyHosts when compared with DenySSH is that it
creates an ever-growing list of IPs to block that is contained in
/etc/hosts.deny, as compared to DenySSH, which adds these IPs to a Packet
Filter table for a pre-determined period of time.  The DenyHosts method
will result in a huge, slow-to-process hosts.deny file, whereas the
DenySSH method will result in only temporarily blocking the hackers' IPs
and will remove those IPs once they are no longer actively hacking away
at your machine.

--

http://hiltont.blogspot.com/

Regards,

Hilton Travis                       Phone: +61 (0)7 3105 9101
(Brisbane, Australia)               Phone: +61 (0)419 792 394
Manager, Quark IT                   http://www.quarkit.com.au
         Quark Group                http://www.quarkgroup.com.au

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed.

                    Quark Group Pty. Ltd.
      T/A Quark Automation, Quark AudioVisual, Quark IT
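The mechanism that Ryan's list of log-watching tools and Hilton's DenySSH-versus-DenyHosts comparison describe, as an added example in Python (this is not code from the thread, from DenySSH or from DenyHosts): parse sshd auth-log lines, count failed logins per source address in a sliding window, keep a block table whose entries expire instead of a hosts.deny file that only grows, and emit one ipfw table plus a single deny rule rather than one rule per address, which is what Frank asked for at the top of the thread. The log lines are constructed for the example (documentation addresses, not real attackers); the threshold, window, ban length, table number, rule number and the year assumed for syslog timestamps are all assumptions; the ipfw commands assume a FreeBSD host running ipfw, since the thread says m0n0wall's GUI cannot express this. Python 3.8 or later, standard library only.

```python
"""Expiring block table driven by sshd log lines.

Added example, not DenySSH/DenyHosts code.  Python 3.8+, stdlib only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth-log format.  syslog timestamps carry no year, so one is assumed.
ASSUMED_YEAR = 2008
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def ts(text):
    """Parse a syslog timestamp such as 'Dec 19 06:57:01' (year assumed)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_failure(line):
    """Return (time, source ip, user) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return ts(m["ts"]), m["ip"], m["user"]


class BlockTable:
    """Per-source failure counter with time-limited blocks.

    `threshold` failures within `window` block the source for `ban`; the
    entry is dropped again afterwards, so the table never grows unbounded.
    All three defaults are assumptions for the example.
    """

    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 ban=timedelta(hours=1)):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = defaultdict(deque)   # ip -> recent failure times
        self.blocked = {}                    # ip -> time the block expires

    def expire(self, now):
        """Drop blocks that have run out and failure history that went stale."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]
        for ip in [ip for ip, q in self.failures.items()
                   if not q or now - q[-1] > self.window]:
            del self.failures[ip]

    def feed(self, line):
        """Process one log line; return the ip if this line triggers a block."""
        rec = parse_failure(line)
        if rec is None:
            return None
        now, ip, _user = rec
        self.expire(now)
        if ip in self.blocked:
            return None                      # already in the table
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window:      # slide the window forward
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked[ip] = now + self.ban
        del self.failures[ip]
        return ip

    def active(self, now):
        """Addresses that should be in the firewall table at `now`."""
        self.expire(now)
        return sorted(self.blocked)


def ipfw_commands(ips, table=1, rule=100, port=22):
    """One ipfw table and a single deny rule instead of one rule per host.
    Table and rule numbers are assumptions for the example."""
    cmds = [f"ipfw table {table} add {ip}" for ip in ips]
    cmds.append(f"ipfw add {rule} deny tcp from table({table}) "
                f"to any dst-port {port}")
    return cmds


# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Dec 19 06:57:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Dec 19 06:57:02 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Dec 19 06:57:03 gw sshd[1236]: Accepted publickey for frank from 198.51.100.7 port 50000 ssh2
Dec 19 06:57:04 gw sshd[1237]: Failed password for root from 203.0.113.5 port 41024 ssh2
Dec 19 06:58:00 gw sshd[1238]: Failed password for invalid user test from 203.0.113.9 port 3300 ssh2
Dec 19 08:00:00 gw sshd[1239]: Failed password for invalid user test from 203.0.113.9 port 3301 ssh2
"""


def replay(log_text, table=None):
    """Feed every line; return the addresses that got blocked, in order."""
    table = table if table is not None else BlockTable()
    return [ip for ip in map(table.feed, log_text.splitlines()) if ip]


if __name__ == "__main__":
    print("\n".join(ipfw_commands(replay(SAMPLE_LOG))))
```

In the sample, 203.0.113.5 fails three times in three seconds and is blocked until 07:57:04; 203.0.113.9 fails twice an hour apart, never reaches the threshold, and is never blocked. Note that the slow pattern Frank reports (one attempt per source, then nothing for 25 hours) stays below any per-source threshold of this kind, which is why the rest of the thread pushes towards key-only authentication rather than better blocking.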
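Lee Sharp's suggestion to stop thinking in single addresses and block (or allow) whole netblocks, as an added example in Python that is not from the thread or from any tool named in it. The whois lookup Lee describes cannot be done offline, so this stands in a density rule (an assumption): each attacker is replaced by the widest prefix that holds enough other attackers, with the bar rising one per bit of width so a /16 is only blocked when it is genuinely swarming. The attacker list is constructed from documentation ranges; the home netblock reuses the 70.128.0.0/12 from Lee's message. Python 3, standard library only.

```python
"""Collapse attacker addresses into covering netblocks, then apply an
allow-list-first policy.  Added example; Python 3, stdlib only."""
import ipaddress
from collections import Counter


def cluster(ips, widest=16, min_hits=3):
    """Replace individual attacker IPs with the widest prefix that is busy
    enough to be worth blocking as a whole.

    `hits` counts attackers under every prefix from /widest down to /32.
    For each address we take the widest prefix whose count reaches the bar;
    the bar is min_hits at /24 and rises by one per bit of extra width
    (/23 needs min_hits+1, /16 needs min_hits+8).  Addresses that never
    cluster stay as /32 hosts.  Thresholds are assumptions; a whois lookup
    of the real allocation is better where you can do it.
    """
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    hits = Counter(
        ipaddress.ip_network(f"{a}/{plen}", strict=False)
        for a in addrs for plen in range(widest, 33)
    )
    chosen = set()
    for a in addrs:
        for plen in range(widest, 33):
            net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
            need = min_hits + max(0, 24 - plen)
            if plen == 32 or hits[net] >= need:
                chosen.add(net)
                break
    # collapse_addresses merges adjacent prefixes and drops contained ones
    return sorted(ipaddress.collapse_addresses(chosen))


def decide(src, allow, deny):
    """Lee's two strategies in one check: an allow list of your own
    netblocks wins over everything; otherwise the source is blocked if it
    falls inside a denied prefix."""
    a = ipaddress.ip_address(src)
    if any(a in ipaddress.ip_network(n, strict=False) for n in allow):
        return "pass"
    return "block" if any(a in n for n in deny) else "pass"


# Constructed attacker list (RFC 5737 documentation ranges), not real data.
ATTACKERS = [
    "198.51.100.10", "198.51.100.20", "198.51.100.30", "198.51.101.40",
    "203.0.113.5", "203.0.113.9", "192.0.2.1",
]
HOME = ["70.128.0.0/12"]      # the AT&T netblock Lee mentions


def blocks_as_strings(ips):
    return [str(n) for n in cluster(ips)]


if __name__ == "__main__":
    blocks = cluster(ATTACKERS)
    print(f"{len(ATTACKERS)} addresses -> {len(blocks)} prefixes:")
    for n in blocks:
        print(" ", n)
    for src in ("70.130.1.1", "198.51.101.77", "203.0.113.6"):
        print(src, decide(src, HOME, blocks))
```

With the constructed list, the four 198.51.100.x/101.x attackers fold into 198.51.100.0/23 (four hits meets the bar of four at /23, but not five at /22), while the two scattered 203.0.113.x hosts and 192.0.2.1 stay as /32 entries: seven addresses become four prefixes. `decide` shows the asymmetry Lee points out: a source inside your own netblock always passes, a new host inside a blocked prefix is stopped without any new rule, and a neighbour of an un-clustered attacker is still let through.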