Hi,

to prevent scripted dictionary attacks to sshd I applied those iptables rules:

  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource

And this is part of logwatch:

  sshd:
     Authentication Failures:
        unknown (www.telkom.co.ke): 137 Time(s)
        unknown (mkongwe.jambo.co.ke): 130 Time(s)
        unknown (212.49.70.24): 107 Time(s)
        root (195.191.250.101): 8 Time(s)

How is it possible for an attacker to try to log on more than 4 times? Can the attacker do this with only one TCP/IP connection without establishing a new one? Or have the scripts been adapted to this?

Thx
Rainer
David Sommerseth
2011-Apr-04 09:59 UTC
[CentOS] sshd: Authentication Failures: 137 Time(s)
On 04/04/11 11:18, Rainer Traut wrote:
> Hi,
>
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
> --name SSH --rsource
>
> And this is part of logwatch:
>
> sshd:
>    Authentication Failures:
>       unknown (www.telkom.co.ke): 137 Time(s)
>       unknown (mkongwe.jambo.co.ke): 130 Time(s)
>       unknown (212.49.70.24): 107 Time(s)
>       root (195.191.250.101): 8 Time(s)
>
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one?
> Or have the scripts been adapted to this?

This is just a hunch, but --seconds 60 indicates that it will only look back one minute to check if it could find a hit. So if the attacker tries to connect again after 2 minutes or even 61 seconds, it won't trigger this rule.

Try increasing this value to 3600 (1 hour). Maybe you want even longer.

kind regards,

David Sommerseth
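To make David's point concrete, here is an added Python model of the two `-m recent` rules from Rainer's chain; it is an illustration written for this page, not code from the thread or from the netfilter project. It replays a list of NEW connections through the chain the way xt_recent evaluates them: the `--update --seconds --hitcount` rule matches when the source is already listed and at least `hitcount` of its recorded timestamps fall inside the window, and the `--set` rule records the connection otherwise. The traffic, the attacker address (a documentation address) and the burst timing are constructed; the per-address cap of 20 timestamps is the module's default.

```python
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (module default: 20).
MAX_STAMPS = 20


def recent_chain(connections, seconds=60, hitcount=4):
    """Replay NEW SSH connections through the two-rule chain from the thread:

        -m recent --update --seconds S --hitcount H --name SSH --rsource -j DROP
        -m recent --set --name SSH --rsource

    `connections` is a list of (source_ip, time_in_seconds) tuples in arrival order.
    Returns one verdict ("ACCEPT" or "DROP") per connection. Only the DROP decision
    is modelled; an accepted connection goes on to sshd as usual.
    """
    stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))
    verdicts = []
    for src, t in connections:
        entry = stamps[src]
        # Rule 1 (--update --seconds --hitcount): count this source's timestamps
        # that fall inside the look-back window. The rule matches only when the
        # address is already listed and at least `hitcount` stamps are recent.
        hits = sum(1 for s in entry if t - s <= seconds)
        if entry and hits >= hitcount:
            entry.append(t)           # --update refreshes the entry on a match
            verdicts.append("DROP")
            continue
        # Rule 2 (--set): no match above, so record this connection and let it through.
        entry.append(t)
        verdicts.append("ACCEPT")
    return verdicts


def accepted(connections, seconds=60, hitcount=4):
    """Number of connections that reach sshd under the given window and hitcount."""
    return recent_chain(connections, seconds, hitcount).count("ACCEPT")


# Constructed traffic (documentation address, not from the thread's logs): an attacker
# that opens 4 connections at once, waits 61 seconds, and repeats, three times over.
ATTACKER = "203.0.113.5"
BURSTS = [(ATTACKER, t) for t in (0, 61, 122) for _ in range(4)]

# Constructed traffic: 5 connections inside one minute, the case the rule is written for.
RAPID = [(ATTACKER, t) for t in range(5)]

if __name__ == "__main__":
    print("5 in one minute, --seconds 60:", recent_chain(RAPID))
    print("3 bursts 61s apart, --seconds 60:  ", accepted(BURSTS), "of", len(BURSTS), "accepted")
    print("3 bursts 61s apart, --seconds 3600:", accepted(BURSTS, seconds=3600), "of", len(BURSTS), "accepted")
```

With the 60-second window all twelve burst connections are accepted, because every earlier timestamp has aged out by the time the next burst arrives; with `--seconds 3600` only the first four get through and the rest are dropped, and since the DROP rule's `--update` refreshes the entry on every match, the source stays blocked until it has been quiet for the whole window. Two caveats worth keeping in mind: the rules count TCP connections, not login attempts, so each accepted connection still gets sshd's own MaxAuthTries (default 6) password attempts, which is why a handful of connections can produce the failure counts in the logwatch report; and `--hitcount` cannot usefully exceed the module's per-address timestamp cap.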
On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
> Hi,
>
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
> --name SSH --rsource
>
> And this is part of logwatch:
>
> sshd:
>    Authentication Failures:
>       unknown (www.telkom.co.ke): 137 Time(s)
>       unknown (mkongwe.jambo.co.ke): 130 Time(s)
>       unknown (212.49.70.24): 107 Time(s)
>       root (195.191.250.101): 8 Time(s)
>
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one?
> Or have the scripts been adapted to this?

The attackers are not trying constantly. Just a few bursts of tries.

Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
I also have a tool for protecting from brute force attacks called Hawk ( https://github.com/hackman/Hawk-IDS-IPS ).

Marian

> Thx
> Rainer
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Best regards,
Marian Marinov
On 04.04.2011 12:34, Marian Marinov wrote:
>> How is it possible for an attacker to try to log on more than 4 times?
>> Can the attacker do this with only one TCP/IP connection without
>> establishing a new one?
>> Or have the scripts been adapted to this?
>
> The attackers are not trying constantly. Just a few bursts of tries.
>
> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> I also have a tool for protecting from brute force attacks called Hawk (
> https://github.com/hackman/Hawk-IDS-IPS ).

Ok, thanks to both of you, it seems the scripts are getting better and better. Will change my iptables rule to keep the blacklist for longer.

Thx
Rainer
You could also try using tcpwrappers along with iptables.

On 04/04/2011 06:34 AM, Marian Marinov wrote:
> On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
>> Hi,
>>
>> to prevent scripted dictionary attacks to sshd
>> I applied those iptables rules:
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
>> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
>> --name SSH --rsource
>>
>> And this is part of logwatch:
>>
>> sshd:
>>    Authentication Failures:
>>       unknown (www.telkom.co.ke): 137 Time(s)
>>       unknown (mkongwe.jambo.co.ke): 130 Time(s)
>>       unknown (212.49.70.24): 107 Time(s)
>>       root (195.191.250.101): 8 Time(s)
>>
>> How is it possible for an attacker to try to log on more than 4 times?
>> Can the attacker do this with only one TCP/IP connection without
>> establishing a new one?
>> Or have the scripts been adapted to this?
>
> The attackers are not trying constantly. Just a few bursts of tries.
>
> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> I also have a tool for protecting from brute force attacks called Hawk (
> https://github.com/hackman/Hawk-IDS-IPS ).
>
> Marian
>
>> Thx
>> Rainer
Rainer Traut <tr.ml at ...> writes:
>
> Hi,
>
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:

SNIP

Lots of good advice from several people. All of the suggested solutions mean you still have to wade through log entries from the unsuccessful attacks.

I've been quite happy with similar iptables rules but I moved sshd to listen on something other than port 22 for external connections. I haven't seen a single brute force attack since making the move and all unsuccessful attempts to login via ssh get logged so it's not like attackers can stay below my radar.

It seems that the script kiddies who are responsible for most of these attacks don't bother scanning (nmap) before the attack. If port 22 isn't open they move elsewhere. If I ever see any failed login attempts I can assume that the perpetrator is at least a little more skilled than usual and possibly take additional action.

Cheers,
Dave
rrichard at blythe.org
2011-Apr-05 04:42 UTC
[CentOS] sshd: Authentication Failures: 137 Time(s)
> Hi,
>
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
> --name SSH --rsource

What I have done to totally thwart script-kiddy attacks against SSH is to

1) Move sshd to another port, one higher than 5000
2) Configure SSH for RSA-KEY authentication ONLY, i.e. no PAM auth
3) Set up Fail2Ban to auto iptables-block ANY offending IPs after 5 tries.

Script kiddies assume ssh is on port 22, and most port scans don't go as high as 5000. Since I implemented this strategy a month ago, I have seen ZERO attempts against SSH.
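Dave's point that every failed attempt still lands in the log, and rrichard's Fail2Ban threshold of five tries per source, both rest on the same thing: counting "Failed password" lines per user and source, which is what logwatch's "Authentication Failures" section and a fail2ban sshd jail each do. The following added Python example, written for this page and not taken from logwatch, fail2ban or the thread, parses the syslog-format lines OpenSSH writes on CentOS, rebuilds a logwatch-style summary (unknown users are reported as "unknown", as in Rainer's report), and lists the sources that reach a fail2ban-style `maxretry`. The log lines, hostnames and addresses are constructed; the `maxretry` default of 5 mirrors rrichard's setting.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format OpenSSH uses on CentOS; the
# addresses are documentation ranges, not the hosts from the thread's logwatch report.
SAMPLE_LOG = """\
Apr  4 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Apr  4 10:01:05 host sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Apr  4 10:01:08 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.10 port 51240 ssh2
Apr  4 10:01:11 host sshd[2205]: Failed password for invalid user test from 203.0.113.10 port 51251 ssh2
Apr  4 10:01:14 host sshd[2207]: Failed password for invalid user guest from 203.0.113.10 port 51260 ssh2
Apr  4 10:02:30 host sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr  4 10:02:33 host sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr  4 10:03:00 host sshd[2212]: Accepted publickey for rainer from 192.0.2.44 port 50001 ssh2
"""

# "invalid user" is present when the account does not exist; logwatch reports those as "unknown".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(text):
    """Yield (user_label, source_ip) for every failed password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user = "unknown" if m.group("invalid") else m.group("user")
        yield user, m.group("ip")


def summarize(text):
    """Failures per (user, source), the data behind logwatch's 'Authentication Failures' section."""
    return Counter(parse_failures(text))


def offenders(text, maxretry=5):
    """Sources whose failure count reaches maxretry, regardless of which user names they tried.
    This is the decision a fail2ban sshd jail makes before it adds an iptables block."""
    per_ip = Counter(ip for _, ip in parse_failures(text))
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)


def render(text):
    """Render the summary in the layout logwatch uses (most frequent first)."""
    lines = ["sshd:", "   Authentication Failures:"]
    for (user, ip), n in summarize(text).most_common():
        lines.append(f"      {user} ({ip}): {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_LOG))
    print("sources at or over maxretry=5:", offenders(SAMPLE_LOG))
```

Note that the two "root" failures come from one connection (same sshd PID and client port), which is the single-connection case Rainer asked about: a counter keyed on the log lines sees every attempt, whereas the `-m recent` rules only see the connection. Counting per source rather than per (user, source) matters for the ban decision, since a dictionary run cycles through user names and would otherwise never reach the threshold under any single name.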