Hi all,

I have been using Shorewall successfully and easily for almost 2 years now and I love it! Shorewall and Webmin make creating a secure firewall very easy. I have been seeking a solution to a problem I'm sure a majority of users face. I have a DSL connection, and in the past month, I am receiving an alarming number of invalid ssh login attempts. While I have no worries about my password strength, this does eat up bandwidth, and about 5 pages of my logwatch report. Is it possible to use the dynamic blacklist to blacklist an IP after 5 invalid ssh login attempts regardless of user name?

Thanks,
Todd

-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
On Sun, 10 Jul 2005, Todd Nine wrote:

> Hi all,
> I have been using Shorewall successfully and easily for almost 2
> years now and I love it! Shorewall and Webmin make creating a secure
> firewall very easy. I have been seeking a solution to a problem I'm
> sure a majority of users face. I have a DSL connection, and in the
> past month, I am receiving an alarming number of invalid ssh login
> attempts. While I have no worries about my password strength, this
> does eat up bandwidth, and about 5 pages of my logwatch report. Is it
> possible to use the dynamic blacklist to blacklist an IP after 5
> invalid ssh login attempts regardless of user name?

I used to run a small script every couple of hours that would scan the recent messages log, find failed ssh logins, and create a blacklist from these addresses. The wrapper script would then force a shorewall reload. Be careful the list doesn't get too long or shorewall performance will suffer.

1. Set UseIP to No in /etc/ssh/sshd_config

2. grep out the failures

grep sshd /var/log/messages | grep 'authentication failure' | /usr/bin/filter.pl 5 >blacklist

========== filter.pl ===========
#!/usr/bin/perl -w

use strict;

sub main {
    my ($line, $ip, $threshold);
    my (%addresses);

    # failures needed before an address is printed (default 5)
    $threshold = ($ARGV[0] || 5);

    foreach $line (<STDIN>) {
        if ($line =~ m/(\d+\.\d+\.\d+\.\d+)/) {
            $ip = $1;
            # never list the LAN or our own outside address
            next if ($ip =~ m/^192\.168\./);
            next if ($ip =~ m/216\.117\.196\.95/);

            if (exists $addresses{$ip}) {
                $addresses{$ip}++;
            } else {
                $addresses{$ip} = 1;
            }
        }
    }
    foreach $ip (sort ipsort keys %addresses) {
        print "$ip\n" if $addresses{$ip} >= $threshold;
    }
}

# numeric octet-by-octet sort so 10.0.0.9 comes before 10.0.0.10
sub ipsort {
    my ($cntr);

    my (@aa) = split /\./, $a;
    my (@bb) = split /\./, $b;

    for ($cntr = 0; $cntr < 4; $cntr++) {
        unless ($aa[$cntr] == $bb[$cntr]) {
            return ($aa[$cntr] <=> $bb[$cntr]);
        }
    }
    return 0;
}

main();

--
stephen
Todd Nine wrote:
> Hi all,
> I have been using Shorewall successfully and easily for almost 2
> years now and I love it! Shorewall and Webmin make creating a secure
> firewall very easy. I have been seeking a solution to a problem I'm
> sure a majority of users face. I have a DSL connection, and in the
> past month, I am receiving an alarming number of invalid ssh login
> attempts. While I have no worries about my password strength, this
> does eat up bandwidth, and about 5 pages of my logwatch report. Is it
> possible to use the dynamic blacklist to blacklist an IP after 5
> invalid ssh login attempts regardless of user name?

I suggest moving ssh to a different port. I did so and I almost never see ssh authentication attempts. You can use your ~/.ssh/config file to make it less troublesome to remember the port number, like this:

Host niceshortname
    Hostname really.long.awful.host.name
    Port 12345
    User georgieporgie

--
Paul <http://paulgear.webhop.net>
--
Did you know? OpenOffice.org has built-in PDF creation. Better yet, it's compatible with Microsoft Office, and free! Find out more at <http://www.openoffice.org>.
Todd Nine wrote:
> Hi all,
> I have been using Shorewall successfully and easily for almost 2
> years now and I love it! Shorewall and Webmin make creating a secure
> firewall very easy. I have been seeking a solution to a problem I'm
> sure a majority of users face. I have a DSL connection, and in the
> past month, I am receiving an alarming number of invalid ssh login
> attempts. While I have no worries about my password strength, this
> does eat up bandwidth, and about 5 pages of my logwatch report. Is it
> possible to use the dynamic blacklist to blacklist an IP after 5
> invalid ssh login attempts regardless of user name?
>
> Thanks,
> Todd

There's an application that does this. I use it on all my web servers; it blocks any brute force attacks automatically after a number of failed attempts. BFD by R-FX - http://www.rfxnetworks.com/bfd.php - however, I think it will require APF to be installed, unless you can get it to work with Shorewall. I think that would be possible.

--
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815) 301-9759
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com
On Sun, 2005-07-10 at 16:00 +1000, Paul Gear wrote:
> I suggest moving ssh to a different port. I did so and I almost never
> see ssh authentication attempts.

Amen! I use port 5190 since:

- It's almost always open at any hotel / hotspot (AOL Instant Messenger).
- No one ever seems to scan it for brute force login attempts.
Hi all,

Thanks for all the help, it's really appreciated! I went with Stephen's Perl script since it was the solution that was closest to what I needed. Unfortunately, I'm running CVS for some developer buddies, and I don't want to change the port on them. I simply modified it to read the /var/log/secure log, and added the command to add the IP to the shorewall dynamic blacklist for drop. I put this in cron to run every 5 minutes, and I have the dynamic blacklist being cleared every hour. That way if someone accidentally just screws up more than 5 times, they won't have to wait indefinitely for access.

Thanks,
Todd

On 7/10/05, Stephen Carville <stephen@totalflood.com> wrote:
> On Sun, 10 Jul 2005, Todd Nine wrote:
>
> > Hi all,
> > I have been using Shorewall successfully and easily for almost 2
> > years now and I love it! Shorewall and Webmin make creating a secure
> > firewall very easy. I have been seeking a solution to a problem I'm
> > sure a majority of users face. I have a DSL connection, and in the
> > past month, I am receiving an alarming number of invalid ssh login
> > attempts. While I have no worries about my password strength, this
> > does eat up bandwidth, and about 5 pages of my logwatch report. Is it
> > possible to use the dynamic blacklist to blacklist an IP after 5
> > invalid ssh login attempts regardless of user name?
>
> I used to run a small script every couple of hours that would scan the
> recent messages log, find failed ssh logins, and create a blacklist from
> these addresses. The wrapper script would then force a shorewall reload.
> Be careful the list doesn't get too long or shorewall performance will
> suffer.
>
> 1. Set UseIP to No in /etc/ssh/sshd_config
>
> 2. grep out the failures
>
> grep sshd /var/log/messages | grep 'authentication failure' |
> /usr/bin/filter.pl 5 >blacklist
>
> ========== filter.pl ===========
> #!/usr/bin/perl -w
>
> use strict;
>
> sub main {
>     my ($line, $ip, $threshold);
>     my (%addresses);
>
>     $threshold = ($ARGV[0] || 5);
>
>     foreach $line (<STDIN>) {
>         if ($line =~ m/(\d+\.\d+\.\d+\.\d+)/) {
>             $ip = $1;
>             next if ($ip =~ m/^192\.168\./);
>             next if ($ip =~ m/216\.117\.196\.95/);
>
>             if (exists $addresses{$ip}) {
>                 $addresses{$ip}++;
>             } else {
>                 $addresses{$ip} = 1;
>             }
>         }
>     }
>     foreach $ip (sort ipsort keys %addresses) {
>         print "$ip\n" if $addresses{$ip} >= $threshold;
>     }
> }
>
> sub ipsort {
>     my ($cntr);
>
>     my (@aa) = split /\./, $a;
>     my (@bb) = split /\./, $b;
>
>     for ($cntr = 0; $cntr < 4; $cntr++) {
>         unless ($aa[$cntr] == $bb[$cntr]) {
>             return ($aa[$cntr] <=> $bb[$cntr]);
>         }
>     }
>     return 0;
> }
>
> main();
>
> --
> stephen
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
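The combination Stephen describes and Todd adopted (count sshd failures per source address, push anything over a threshold into the Shorewall dynamic blacklist from cron, and clear it hourly) as one script. This is an added example for the thread, not Stephen's filter.pl or Todd's modified version of it. It assumes the PAM-style "authentication failure ... rhost=" log lines found in /var/log/messages or /var/log/secure, that `shorewall drop ADDR` and `shorewall allow ADDR` manage the dynamic blacklist, and that the SHOREWALL, THRESHOLD and STATE environment variables are the overrides (setting SHOREWALL=echo gives a dry run). The sample log it builds uses documentation-range addresses and is constructed, not captured.

```shell
#!/bin/sh
# Added example for this thread, not Stephen's filter.pl or Todd's cron job:
# count sshd failures per source address and feed the ones over a threshold
# to Shorewall's dynamic blacklist, with an hourly release as Todd describes.
#
# Assumptions: log lines are in the PAM "authentication failure ... rhost="
# form seen in /var/log/messages or /var/log/secure; "shorewall drop ADDR" and
# "shorewall allow ADDR" manage the dynamic blacklist; SHOREWALL, THRESHOLD and
# STATE may be overridden from the environment (SHOREWALL=echo is a dry run).

SHOREWALL="${SHOREWALL:-shorewall}"
THRESHOLD="${THRESHOLD:-5}"
STATE="${STATE:-/var/run/ssh_blacklisted}"   # addresses already handed to shorewall

# Failed sshd logins per remote host in LOGFILE, printed as "ADDR COUNT".
# Addresses matching NEVER_BLOCK (a regex; default: your own 192.168.x.x LAN)
# are skipped so a typo from inside cannot lock the admin out.
count_failures() {
    log="$1"; never="${2:-^192\.168\.}"
    grep 'sshd' "$log" | grep 'authentication failure' \
      | sed -n 's/.*rhost=\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' \
      | grep -v "$never" \
      | sort | uniq -c | awk '{ print $2, $1 }'
}

# Addresses with THRESHOLD or more failures, one per line, sorted.
offenders() {
    count_failures "$1" "$2" | awk -v t="$THRESHOLD" '$2 >= t { print $1 }' | sort
}

# Drop each new offender once.  STATE records what was already dropped, so a
# run every 5 minutes does not re-issue "shorewall drop" for the same address.
blacklist_new() {
    touch "$STATE"
    offenders "$1" "$2" | while read -r ip; do
        if ! grep -qx "$ip" "$STATE"; then
            "$SHOREWALL" drop "$ip" && echo "$ip" >> "$STATE"
        fi
    done
}

# Hourly companion job: release every address we dropped and forget it, so a
# legitimate user who fumbled a password is not locked out indefinitely.
clear_blacklist() {
    [ -f "$STATE" ] || return 0
    while read -r ip; do "$SHOREWALL" allow "$ip"; done < "$STATE"
    : > "$STATE"
}

# Append N constructed PAM-format failure lines for ADDR to OUT (sample data).
fail_lines() {   # ADDR N OUT
    n=0
    while [ "$n" -lt "$2" ]; do
        printf 'Jul 10 03:%02d:07 gw sshd[4321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=%s  user=root\n' "$n" "$1" >> "$3"
        n=$((n + 1))
    done
}

# Constructed sample log using documentation-range addresses, not real hosts:
# 203.0.113.7 fails six times, 198.51.100.4 twice, and a LAN host seven times.
write_sample_log() {
    : > "$1"
    fail_lines 203.0.113.7 6 "$1"
    fail_lines 198.51.100.4 2 "$1"
    fail_lines 192.168.1.20 7 "$1"   # skipped: matches the default NEVER_BLOCK
}

case "${1:-}" in
    check) blacklist_new "$2" "$3" ;;   # cron: */5 * * * *  check /var/log/secure
    clear) clear_blacklist ;;           # cron: 0 * * * *    clear
    demo)  SHOREWALL=echo; STATE="${TMPDIR:-/tmp}/sshfail.$$.state"
           log="${TMPDIR:-/tmp}/sshfail.$$.log"
           write_sample_log "$log"; blacklist_new "$log"; clear_blacklist
           rm -f "$log" "$STATE" ;;
esac
```

Running it with `demo` prints `drop 203.0.113.7` followed by `allow 203.0.113.7`: the LAN host is excluded by the never-block regex and 198.51.100.4 stays under the threshold. The state file is what keeps a 5-minute cron schedule from re-dropping the same address, and the hourly `clear` job is the equivalent of Todd's periodic clearing; if you prefer the list to survive a reboot, put STATE somewhere other than /var/run.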
2005/7/10, Todd Nine <todd.nine@gmail.com>:
> Unfortunately, I'm running CVS for some developer buddies,
> and I don't want to change the port on them.

This problem has a solution: migrate to Subversion using the Apache mod_dav_svn.
http://svnbook.red-bean.com/en/1.1/ch06s04.html

--
Cristian Rodriguez.

"for DVDs in Linux screw the MPAA and ; do dig $DVDs.z.zoy.org ; done | \
perl -ne 's/\.//g; print pack("H224",$1) if(/^x([^z]*)/)' | gunzip"
Todd Nine wrote:
> Hi all,
> Thanks for all the help, it's really appreciated! I went with
> Stephen's Perl script since it was the solution that was closest to what
> I needed. Unfortunately, I'm running CVS for some developer buddies,
> and I don't want to change the port on them.

If you use something like the ~/.ssh/config example I posted earlier, the change can be transparent to CVS.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Using HTML email (or "Rich Text" email) rather than plain text is less efficient, and makes you more vulnerable to security flaws in your computer software. Learn more about securing your computer at <http://www.kb.cert.org/vuls/id/713878>.
Todd Nine wrote:
> Hi all,
> Thanks for all the help, it's really appreciated! I went with
> Stephen's Perl script since it was the solution that was closest to what
> I needed. Unfortunately, I'm running CVS for some developer buddies,
> and I don't want to change the port on them. I simply modified it to
> read the /var/log/secure log, and added the command to add the IP to
> the shorewall dynamic blacklist for drop. I put this in cron to run
> every 5 minutes, and I have the dynamic blacklist being cleared every
> hour. That way if someone accidentally just screws up more than 5
> times, they won't have to wait indefinitely for access.
>
> Thanks,
> Todd
>
> On 7/10/05, Stephen Carville <stephen@totalflood.com> wrote:
>
>>On Sun, 10 Jul 2005, Todd Nine wrote:
>>
>>>Hi all,
>>> I have been using Shorewall successfully and easily for almost 2
>>>years now and I love it! Shorewall and Webmin make creating a secure
>>>firewall very easy. I have been seeking a solution to a problem I'm
>>>sure a majority of users face. I have a DSL connection, and in the
>>>past month, I am receiving an alarming number of invalid ssh login
>>>attempts. While I have no worries about my password strength, this
>>>does eat up bandwidth, and about 5 pages of my logwatch report. Is it
>>>possible to use the dynamic blacklist to blacklist an IP after 5
>>>invalid ssh login attempts regardless of user name?
>>
>>I used to run a small script every couple of hours that would scan the
>>recent messages log, find failed ssh logins, and create a blacklist from
>>these addresses. The wrapper script would then force a shorewall reload.
>>Be careful the list doesn't get too long or shorewall performance will
>>suffer.

FWIW, there's a better method for blacklisting IMHO: /etc/hosts.deny. It takes effect immediately without a shorewall reload, and it doesn't create new rules in the iptables space. Here's my script, called every two minutes from cron.

As Tom has pointed out, all of these automatic scripts are vulnerable to IP spoofing; using certificates and moving sshd to a different port are the best solutions.

[jack@felix jack]$ cat /usr/local/sbin/sshprobeblocker.sh
#!/bin/sh

# maximum attempts for a nonexistent username before the IP address is blocked
MAX_ILLEGAL=2
# maximum attempts for an existent username before the IP address is blocked (more generous)
MAX_LEGAL=5
# IP addresses to never block--let's make sure we don't lock ourselves out
DONT_BLOCK='192.168.2.'
# timestamp for hosts.deny
now=`date -R`

# make sure no one can touch the blocking files other than root
umask 0077

# strip everything up to and including "Failed password for" so the user name comes first
grep "Failed password" /var/log/auth.log | sed "s/^.*Failed password for //g" > /var/log/ssh_recent_failures

# failures for nonexistent users, as "COUNT_ADDRESS" lines
grep "illegal user" /var/log/ssh_recent_failures | sed -e "s/^.*[ :]\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)/\1/" -e "s/ .*//g" | grep "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort | uniq -c | sed -e "s/^ *//g" -e "s/ /_/g" > /var/log/ssh_recent_illegals

# failures for existing users, same format
grep -v "illegal user" /var/log/ssh_recent_failures | sed -e "s/^.*[ :]\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)/\1/" -e "s/ .*//g" | grep "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort | uniq -c | sed -e "s/^ *//g" -e "s/ /_/g" > /var/log/ssh_recent_legals

# newer sshd logs nonexistent users as "Invalid user" instead
grep "Invalid user" /var/log/auth.log | sed -e "s/^.*[ :]\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)/\1/" -e "s/ .*//g" | grep "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort | uniq -c | sed -e "s/^ *//g" -e "s/ /_/g" >> /var/log/ssh_recent_illegals

for x in `cat /var/log/ssh_recent_illegals | grep -v $DONT_BLOCK`
do
    attempts=${x%_*}
    ip=${x#*_}
    if [ $attempts -ge $MAX_ILLEGAL ]
    then
        if ( ! grep -q $ip /etc/hosts.deny )
        then
            lookup=`host $ip`
            if ( echo $lookup | grep -q "not found" )
            then
                lookup=`whois $ip | grep -i "name" | head -1`
            fi
            echo \# $now >> /etc/hosts.deny
            echo \# $lookup >> /etc/hosts.deny
            echo \# $attempts failed attempts at nonexistent username >> /etc/hosts.deny
            echo 'ALL: '$ip >> /etc/hosts.deny
            echo >> /etc/hosts.deny
            logger -t password_attempt_checker Banning $ip for nonexistent username attempts.
        fi
    fi
done

--
Jack at Monkeynoodle dot Org: It's A Scientific Venture...
"If this is Paradise, I wish I had a lawnmower." -- The Talking Heads

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
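Jack's hosts.deny approach, rewritten as an added example for the thread (this is not his sshprobeblocker.sh). It keeps his two thresholds, the never-block prefix and the timestamped, idempotent `ALL: ADDR` entries, but makes the hosts.deny path a parameter so it can be exercised against a scratch file, and acts on the existing-username count as well as the nonexistent-username one (his posted loop only covers the latter). Assumed: OpenSSH's `Failed password for invalid user NAME from ADDR port N ssh2` and `Failed password for NAME from ADDR port N ssh2` lines (with `illegal user` accepted for older releases), sshd linked against libwrap so hosts.deny is honoured, and HOSTS_DENY, DONT_BLOCK, MAX_ILLEGAL and MAX_LEGAL as the environment overrides. The sample auth.log it builds is constructed from documentation-range addresses.

```shell
#!/bin/sh
# Added example for this thread, not Jack's sshprobeblocker.sh: the same
# /etc/hosts.deny approach, restructured so the file it writes and the
# thresholds are parameters, and so the "existing username" count is acted on
# as well as the "nonexistent username" one.
#
# Assumptions: auth.log lines look like OpenSSH's
#   "Failed password for invalid user NAME from ADDR port N ssh2" (or "illegal
#   user" on older releases) and "Failed password for NAME from ADDR port N ssh2";
# sshd is built with libwrap so an "ALL: ADDR" line in hosts.deny is honoured.
# HOSTS_DENY, DONT_BLOCK, MAX_ILLEGAL and MAX_LEGAL may be set in the environment.

HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
DONT_BLOCK="${DONT_BLOCK:-^192\.168\.2\.}"   # never lock ourselves out
MAX_ILLEGAL="${MAX_ILLEGAL:-2}"              # attempts on a nonexistent username
MAX_LEGAL="${MAX_LEGAL:-5}"                  # attempts on a real username (more generous)
umask 0077                                    # files we create are root-only

# Keep only the lines of the requested kind: "illegal" or "legal".
select_kind() {
    if [ "$1" = illegal ]; then grep -E 'i(nvalid|llegal) user'
    else grep -vE 'i(nvalid|llegal) user'; fi
}

# "ADDR COUNT" for every source of failed logins of KIND in LOGFILE, with
# DONT_BLOCK addresses removed.
failures_by_kind() {
    grep 'sshd' "$1" | grep 'Failed password for' | select_kind "$2" \
      | sed -n 's/.* from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) .*/\1/p' \
      | grep -v "$DONT_BLOCK" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Add a timestamped "ALL: ADDR" block to HOSTS_DENY unless ADDR is already
# there; prints ADDR when a new entry was written.  Takes effect immediately:
# libwrap re-reads the file on every connection, so no reload is needed.
deny_host() {
    ip="$1"; reason="$2"
    touch "$HOSTS_DENY"
    if ! grep -qxF "ALL: $ip" "$HOSTS_DENY"; then
        {
            echo "# $(date -R)"
            echo "# $reason"
            echo "ALL: $ip"
            echo
        } >> "$HOSTS_DENY"
        logger -t password_attempt_checker "Banning $ip: $reason" 2>/dev/null || true
        echo "$ip"
    fi
}

# Scan LOGFILE once and ban every address over its threshold.
ban_offenders() {
    failures_by_kind "$1" illegal | while read -r ip n; do
        if [ "$n" -ge "$MAX_ILLEGAL" ]; then
            deny_host "$ip" "$n failed attempts at a nonexistent username"
        fi
    done
    failures_by_kind "$1" legal | while read -r ip n; do
        if [ "$n" -ge "$MAX_LEGAL" ]; then
            deny_host "$ip" "$n failed attempts at an existing username"
        fi
    done
}

# Append N constructed auth.log lines for ADDR / WHO to OUT (sample data only).
fail_lines() {   # OUT ADDR N WHO
    n=0
    while [ "$n" -lt "$3" ]; do
        printf 'Jul 10 03:%02d:41 gw sshd[2211]: Failed password for %s from %s port %d ssh2\n' \
            "$n" "$4" "$2" $((40000 + n)) >> "$1"
        n=$((n + 1))
    done
}

# Constructed sample (documentation-range addresses): 203.0.113.9 tries a
# nonexistent name three times, 198.51.100.4 once, 198.51.100.20 fails five
# times on the real user "todd", and a DONT_BLOCK host fails nine times.
write_sample_log() {
    : > "$1"
    fail_lines "$1" 203.0.113.9 3 "invalid user admin"
    fail_lines "$1" 198.51.100.4 1 "invalid user test"
    fail_lines "$1" 198.51.100.20 5 "todd"
    fail_lines "$1" 192.168.2.15 9 "todd"
}

case "${1:-}" in
    scan) ban_offenders "$2" ;;   # cron: */2 * * * *  scan /var/log/auth.log
    demo) HOSTS_DENY="${TMPDIR:-/tmp}/hosts.deny.$$"; log="${TMPDIR:-/tmp}/auth.$$.log"
          write_sample_log "$log"; ban_offenders "$log"; cat "$HOSTS_DENY"
          rm -f "$log" "$HOSTS_DENY" ;;
esac
```

`demo` bans 203.0.113.9 (three tries at a nonexistent name, over MAX_ILLEGAL) and 198.51.100.20 (five tries at a real name, reaching MAX_LEGAL), leaves 198.51.100.4 alone, and never touches the 192.168.2.x host; a second scan of the same log adds nothing because each address is looked up in the file before it is written. Like Jack's script this counts over the whole log, so the thresholds effectively reset when auth.log is rotated, and an entry written here stays until someone removes it by hand.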