I'm running Centos 7.8.2003, with firewalld.
I was getting huge numbers of ssh attempts per day from a few specific
ip blocks.
The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24
and 118.0.0.0/24, and they amounted to a multiple thousands of attempts
per day. I installed and configured fail2ban, but still saw a lot of
attempts in the logs, and the ipset created was filling up.
I did some more research, and decided to use a few rich rules to block
these attempts. I currently have these in place:
#firewall-cmd --list-all
public (active)
? target: default
? icmp-block-inversion: no
? interfaces: p3p1
? sources:
? services: dhcpv6-client ftp http https imap imaps pop3 pop3s
smtp-submission smtps ssh
? ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
? protocols:
? masquerade: no
? forward-ports:
? source-ports:
? icmp-blocks:
? rich rules:
??????? rule family="ipv4" source address="49.0.0.0/24"
reject
??????? rule family="ipv4" source address="51.0.0.0/24"
reject
??????? rule family="ipv4" source address="111.0.0.0/24"
reject
But I still get hundreds of attempts reported in my fail2ban logs from
these ip blocks. How is it that the rich rules don't drop these packets
before pam/ssh/fail2ban ever get to see them?
There must be some precedence in the firewalling I don't understand.
-chuck
--
ACCEL Services, Inc.| Specialists in Gravity, Magnetics | (713)993-0671 ph.
| and Integrated Interpretation | (713)993-0608 fax
448 W. 19th St. #325| Since 1992 | (713)306-5794 cell
Houston, TX, 77008 | Chuck Campbell | campbell at
accelinc.com
| President & Senior Geoscientist |
"Integration means more than having all the maps at the same
scale!"
On Sun, Jun 21, 2020 at 12:33 PM Chuck Campbell <campbell at accelinc.com> wrote:> I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific > ip blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 > and 118.0.0.0/24, >so just 45.0.0.0 through 45.0.0.255 and not other 45.x.y blocks ? ditto your other networks? sure you didn't mean /8 or another sized subnet on there? doing some whois, the actual 45.0.0.0 block has a netmask of /15, which is 45.0.0.0 through 45.1.255.255, and belongs to Interop, the IT trade show. 45.2.0.0/16 belongs to Frontier Networks in Ontario, CA 45.3.0.0/19 belongs to Start Cable in Ontario 45.3.32.0/19 belongs to someone in Los Vegas. 45.3.64.0/18 belongs to Virginia Polytechnic 45.3.128.0/17 belongs to Charter Cable (formerly Bright House Networks) 45.4.0.0/14 is LANIC, and further diced into a multitude of Latin America networks. 45.8.0.0/13 is RIPE, and diced into various european networks. etc etc etc. anyways, I didn't see your rules explicitly blocking 22/tcp, which is ssh... -- -john r pierce recycling used bits in santa cruz
On Sun, 2020-06-21 at 14:33 -0500, Chuck Campbell wrote:> I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific > ip blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 > and 118.0.0.0/24, and they amounted to a multiple thousands of attempts > per day.It seems oddly coincidental that they are all x.0.0.y addresses - the netblocks they belong to are all much bigger than /24. I can understand getting attacks from a range of IPs from an ISP or the like, but the 51.0.0.0/24 is part of a UK government network and I think they would be all over it if a range of their network was being used for naughty purposes.> > I did some more research, and decided to use a few rich rules to block > these attempts. I currently have these in place: > > #firewall-cmd --list-all > public (active) > target: default > icmp-block-inversion: no > interfaces: p3p1 > sources: > services: dhcpv6-client ftp http https imap imaps pop3 pop3s > smtp-submission smtps ssh > ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp > protocols: > masquerade: no > forward-ports: > source-ports: > icmp-blocks: > rich rules: > rule family="ipv4" source address="49.0.0.0/24" reject > rule family="ipv4" source address="51.0.0.0/24" reject > rule family="ipv4" source address="111.0.0.0/24" rejectIs that the correct interface referred to in the zone? Can you see the rich rules implemented properly in the output of 'iptables -L'? (They should be in the chain IN_public_deny.)> > But I still get hundreds of attempts reported in my fail2ban logs from > these ip blocks. How is it that the rich rules don't drop these packets > before pam/ssh/fail2ban ever get to see them?Is fail2ban stopping the individual hosts? Do you have the recidive rule enabled to permaban them? Do you get legitimate SSH connections from anywhere? Can you remove the ssh service and add rich rules to allow certain hosts or netblocks to connect via port 22? Finally, do you have a network firewall that can be used to block the connections?> There must be some precedence in the firewalling I don't understand.Yes, there is a precedence, but it should be working in your favour - the chain 'IN_public' contains the public inbound chain and it should contain: # iptables -L IN_public Chain IN_public (2 references) target prot opt source destination IN_public_log all -- anywhere anywhere IN_public_deny all -- anywhere anywhere IN_public_allow all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere So it should be denying packets before the allowing them (and the IN_public_allow chain is what contains your ssh service definition). P.
On 2020-06-21 15:33, Chuck Campbell wrote:> I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific > ip blocks.If you can control the ssh clients, switch your port number to a non-standard port. Pick one in /etc/services that does not seem to be allocated. Then change "Port" in ssh_config and sshd_config; If other clients are being used (like Putty), it is easy to change it there. We used to get at least 50 probes per day on port 22. Now we get zero. Todd Merriman Software Toolz, Inc.
On Sun, 2020-06-21 at 16:47 -0400, mailist wrote:> On 2020-06-21 15:33, Chuck Campbell wrote: > > I'm running Centos 7.8.2003, with firewalld. > > > > I was getting huge numbers of ssh attempts per day from a few specific > > ip blocks. > > If you can control the ssh clients, switch your port number to a > non-standard > port. Pick one in /etc/services that does not seem to be allocated. > Then change > "Port" in ssh_config and sshd_config; If other clients are being used > (like Putty), > it is easy to change it there. > > We used to get at least 50 probes per day on port 22. Now we get zero. >I used this technique for a number of years - then it got leaked to the script kiddies the port that was used. We don't have anything particularly valuable that they were looking for (I don't think!), but there are lists of subnets & ports out there that the kiddies use so once one found it, the flood gates opened. SSH is now protected behind a VPN. It's a valid thing to do and makes things much saner, but don't assume it is a forever solution and don't use it as an excuse to reduce other protections you may have. P.
On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:> I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specific ip > blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and > 118.0.0.0/24, and they amounted to a multiple thousands of attempts per day. > I installed and configured fail2ban, but still saw a lot of attempts in the > logs, and the ipset created was filling up. >What type of ipset did you create, perhaps hash:ip where individual addresses are listed? If so, consider switching to hash:net which uses CIDR style entries. Individual addresses become 1.2.3.4/32 but blocks can be included with a single entry. My ipset has about 40,000 entries, but covers millions of IP addresses. If you do switch look on the net for a program called "cidrmerge". It takes a list of IP addresses and CIDR networks, sorts them and merges multiple entries into a single network where possible. Jon -- Jon H. LaBadie jcu at labadie.us
working on it. some other issues got in the way of testing. -- Ted Buchanan Computer/Network Analyst - Vincennes University tbuchanan at vinu.edu From: "Jon LaBadie" <jcu at labadie.us> To: "Jon LaBadie" <centos at centos.org> Date: 06/22/2020 04:57 PM Subject: Re: [CentOS] firewall questions Sent by: "CentOS" <centos-bounces at centos.org> On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:> I'm running Centos 7.8.2003, with firewalld. > > I was getting huge numbers of ssh attempts per day from a few specificip> blocks. > > The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24and> 118.0.0.0/24, and they amounted to a multiple thousands of attempts perday.> I installed and configured fail2ban, but still saw a lot of attempts inthe> logs, and the ipset created was filling up. >What type of ipset did you create, perhaps hash:ip where individual addresses are listed? If so, consider switching to hash:net which uses CIDR style entries. Individual addresses become 1.2.3.4/32 but blocks can be included with a single entry. My ipset has about 40,000 entries, but covers millions of IP addresses. If you do switch look on the net for a program called "cidrmerge". It takes a list of IP addresses and CIDR networks, sorts them and merges multiple entries into a single network where possible. Jon -- Jon H. LaBadie jcu at labadie.us _______________________________________________ CentOS mailing list CentOS at centos.org https://lists.centos.org/mailman/listinfo/centos