James B. Byrne
2009-Jan-12 18:37 UTC
[CentOS] Intrusion Attempt Prevention - iptables problems
I have these rules in effect:

]# iptables --list --line-numbers
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    DROP       all  --  202.14.0.0/24        anywhere
2    DROP       all  --  220.232.0.0/24       anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     icmp --  anywhere             anywhere            icmp any
5    ACCEPT     esp  --  anywhere             anywhere
6    ACCEPT     ah   --  anywhere             anywhere
7    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
8    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
10   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
11   ACCEPT     tcp  --  216.185.71.0/24      anywhere            tcp dpts:ftp-data:ftp
12   ACCEPT     tcp  --  216.185.71.0/25      anywhere            tcp dpt:ssh state NEW
13   DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: CHECK seconds: 10 name: THROTTLE side: source
14   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: THROTTLE side: source
15   ACCEPT     tcp  --  209.47.176.0/25      anywhere            tcp dpt:ssh state NEW
16   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
...

Note particularly line 2.
Now, notwithstanding the above, I see this in my /var/log/secure file:

Jan 12 13:36:02 inet01 sshd[16056]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:13 inet01 sshd[16062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:15 inet01 sshd[16062]: Failed password for root from 220.232.152.137 port 38722 ssh2
Jan 12 13:36:15 inet01 sshd[16063]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:26 inet01 sshd[16070]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:27 inet01 sshd[16070]: Failed password for root from 220.232.152.137 port 39287 ssh2
Jan 12 13:36:28 inet01 sshd[16071]: Received disconnect from 220.232.152.137: 11: Bye Bye
Jan 12 13:36:38 inet01 sshd[16078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com user=root
Jan 12 13:36:40 inet01 sshd[16078]: Failed password for root from 220.232.152.137 port 39863 ssh2
Jan 12 13:36:40 inet01 sshd[16079]: Received disconnect from 220.232.152.137: 11: Bye Bye

What is wrong with my IPTABLES rules that this connection is permitted?

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Marko A. Jennings
2009-Jan-12 18:45 UTC
[CentOS] Intrusion Attempt Prevention - iptables problems
On Mon, January 12, 2009 1:37 pm, James B. Byrne wrote:
> I have these rules in effect:
<snip>
> 1 DROP all -- 202.14.0.0/24 anywhere
> 2 DROP all -- 220.232.0.0/24 anywhere
<snip>
>
> Note particularly line 2.
>
> Now, notwithstanding the above, I see this in my /var/log/secure file:
>
> Jan 12 13:36:02 inet01 sshd[16056]: Received disconnect from
> 220.232.152.137: 11: Bye Bye
> Jan 12 13:36:13 inet01 sshd[16062]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=avalon.aty-group.com
> user=root
> Jan 12 13:36:15 inet01 sshd[16062]: Failed password for root from
> 220.232.152.137 port 38722 ssh2
<snip>
>
> What is wrong with my IPTABLES rules that this connection is permitted?

Your netmask. You might want to consider changing it to /16.

Marko
James B. Byrne wrote:
> Chain RH-Firewall-1-INPUT (2 references)
> num target prot opt source destination
> 1 DROP all -- 202.14.0.0/24 anywhere
> 2 DROP all -- 220.232.0.0/24 anywhere

> Jan 12 13:36:02 inet01 sshd[16056]: Received disconnect from
> 220.232.152.137: 11: Bye Bye

> What is wrong with my IPTABLES rules that this connection is permitted?

Seems that your subnet masks are not correct. Try /16 instead of /24 if you really want to block the last two octets.

nate
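The netmask mistake both replies point at is easy to check before a rule goes in. The script below is an added example (not code from the thread or from CentOS) that takes the two DROP source prefixes from the original listing, tests whether 220.232.152.137 falls inside them, and works out the longest prefix that would actually cover that address. The function names are my own; the only inputs are the addresses and prefixes already quoted in the thread.

```python
import ipaddress

# Source prefixes of the two DROP rules in the RH-Firewall-1-INPUT chain
# quoted in the original post.
DROP_RULES = ["202.14.0.0/24", "220.232.0.0/24"]


def matching_drop_rule(ip, rules=DROP_RULES):
    """Return the first rule prefix that contains ip, or None if none does.

    This mirrors iptables' first-match evaluation of the source address:
    a /24 covers only the 256 addresses whose first three octets match.
    """
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule, strict=False):
            return rule
    return None


def covering_prefix(rule, ip):
    """Shorten the rule's prefix until its network contains ip.

    Returns (network_as_string, prefix_length). A result much shorter than
    the original prefix means the rule and the address are essentially
    unrelated and the rule should not simply be widened.
    """
    net = ipaddress.ip_network(rule, strict=False)
    addr = ipaddress.ip_address(ip)
    for plen in range(net.prefixlen, -1, -1):
        candidate = ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)
        if addr in candidate:
            return str(candidate), plen
    raise ValueError("unreachable: /0 contains every address")


if __name__ == "__main__":
    offender = "220.232.152.137"  # the address seen in /var/log/secure
    print("matched by:", matching_drop_rule(offender))          # None
    print("needs:", covering_prefix("220.232.0.0/24", offender))  # ('220.232.0.0/16', 16)
```

Run against the offending address, `matching_drop_rule` returns None, which is exactly why sshd still saw the connection; `covering_prefix` reports that /16 is the first prefix that includes it, matching the advice in both replies.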
James B. Byrne
2009-Jan-12 20:24 UTC
[CentOS] Intrusion Attempt Prevention - iptables problems
Thanks for the help. I completely missed that error.

This guy is persistent. After I cut off 220.232.152.137 we had intrusion attempts from 216.107.171.10. After I cut off that one then we had attempts from 69.80.235.135. Since blocking that network we have had no more attempts recorded.

When I first detected this attempt I thought that my iptables ssh throttle rules were somehow defective:

15   DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: CHECK seconds: 15 name: THROTTLE side: source
16   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: THROTTLE side: source

however, more careful consideration of the log entries showed that the intruder was connecting every 23-24 seconds, which is outside the throttle threshold of 15 seconds.

I am still concerned about any brute force attempt to discover the root password but, given no more than four connections per minute is possible, just how concerned should I be?

It is evident that this attacker had more than one netblock available. It is conceivable that, instead of serially attacking us, they could just have easily attempted multiple simultaneous connections from all of their available IP addresses. This would completely defeat the current throttle rules. Should I also throttle the total number of new connections from all IPs?
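To see why a 23-24 second retry cadence slips past a 15-second per-source throttle, and what the "many sources at once" case James worries about looks like from the log, here is an added example that is not from the thread. It parses `Failed password` lines in the /var/log/secure format quoted above, replays them through a model of the DROP(recent: CHECK)/ACCEPT(recent: SET) rule pair, and then counts accepted new connections per minute across all sources. Assumptions, all mine: the log year is 2009 (syslog lines carry none); the recent match is modelled as "drop if this source was stamped by SET less than N seconds ago, and a dropped packet does not refresh the stamp" (CHECK only reads the table); and the sample lines are constructed, with 192.0.2.x addresses from the documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the /var/log/secure format quoted in the thread.
# PIDs, ports and the 192.0.2.x sources are made up: one source retries
# every 23-24 seconds, one retries after 5 seconds, and four distinct
# sources arrive within two seconds of each other.
SAMPLE_LOG = """\
Jan 12 13:36:15 inet01 sshd[16062]: Failed password for root from 220.232.152.137 port 38722 ssh2
Jan 12 13:36:39 inet01 sshd[16070]: Failed password for root from 220.232.152.137 port 39287 ssh2
Jan 12 13:37:02 inet01 sshd[16078]: Failed password for root from 220.232.152.137 port 39863 ssh2
Jan 12 13:37:26 inet01 sshd[16085]: Failed password for root from 220.232.152.137 port 40112 ssh2
Jan 12 13:40:00 inet01 sshd[16101]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jan 12 13:40:05 inet01 sshd[16102]: Failed password for root from 192.0.2.10 port 50002 ssh2
Jan 12 13:40:00 inet01 sshd[16103]: Failed password for root from 192.0.2.11 port 50003 ssh2
Jan 12 13:40:00 inet01 sshd[16104]: Failed password for root from 192.0.2.12 port 50004 ssh2
Jan 12 13:40:01 inet01 sshd[16105]: Failed password for root from 192.0.2.13 port 50005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2009  # assumed; syslog timestamps omit the year


def parse_failed_logins(text):
    """Return (timestamp, source_ip, user) for each failed-password line, sorted by time."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}",
                               "%b %d %H:%M:%S %Y")
        events.append((ts, m["ip"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def simulate_throttle(events, seconds=15):
    """Replay events through the per-source DROP(CHECK)/ACCEPT(SET) pair.

    Modelled semantics (assumption): a new connection is dropped when the
    same source was accepted, and therefore stamped by SET, less than
    `seconds` ago; a dropped attempt does not refresh the stamp.
    Returns (accepted_events, counts) with counts[ip] == [accepted, dropped].
    """
    last_set = {}
    counts = defaultdict(lambda: [0, 0])
    accepted = []
    for ts, ip, user in events:
        prev = last_set.get(ip)
        if prev is not None and (ts - prev).total_seconds() < seconds:
            counts[ip][1] += 1          # would hit the DROP rule
            continue
        last_set[ip] = ts               # ACCEPT rule stamps the source
        counts[ip][0] += 1
        accepted.append((ts, ip, user))
    return accepted, dict(counts)


def accepted_per_minute(accepted):
    """Accepted new SSH connections per wall-clock minute (HH:MM), all sources combined.

    The per-source throttle never sees this total, which is the gap a
    global limit would have to cover.
    """
    per_min = defaultdict(int)
    for ts, _ip, _user in accepted:
        per_min[ts.strftime("%H:%M")] += 1
    return dict(per_min)


if __name__ == "__main__":
    acc, counts = simulate_throttle(parse_failed_logins(SAMPLE_LOG), seconds=15)
    for ip, (a, d) in sorted(counts.items()):
        print(f"{ip:16} accepted={a} dropped={d}")
    print("accepted per minute, all sources:", accepted_per_minute(acc))
```

With a 15-second window the 220.232.152.137 attempts spaced 23-24 seconds apart are all accepted and none dropped, which is the behaviour James observed, while the 5-second retry from 192.0.2.10 is dropped. The per-minute total for 13:40 is four accepted connections from four different sources, each individually under its own limit; that is the case a per-source `recent` rule cannot address and an aggregate new-connection limit would.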