Good Morning,

I have a shorewall box running successfully, and have done for a few years, but recently I have noticed that the dynamic script I wrote is not working correctly. The issue is basically that if the scan through the logs finds FQDNs with hyphens in them, the shorewall drop does not drop the address; it splits the address up using the hyphen as a demark. If I do a host lookup in the script then the ones that are in the log files as a quad dotted address resolve differently, so a

    host $i | grep "has address" | awk '{ print $4}'

doesn't work properly...

The script is shown below, any ideas? Basically I need to drop any connection attempts shown as authentication failures, am I trying to re-invent the wheel?

Phil

#!/bin/bash
# Dynamic blacklisting from the logs.  'shorewall drop' is only ever
# given IPv4 addresses: names found in the logs are resolved via their A
# records, dotted quads pass straight through (a reverse lookup on those
# never prints a "has address" line, which is why awk '{print $4}' on
# plain 'host' output broke).
to_ip() {
    case "$1" in
        *[!0-9.]*) host -t A "$1" 2>/dev/null | awk '/has address/ {print $4}' ;;
        *)         echo "$1" ;;
    esac
}
block() { for ip in $(to_ip "$1"); do /sbin/shorewall drop "$ip" >/dev/null; done; }
# Sources that must never be blocked.
ok='bigblue|btopenworld|81\.130|212\.56\.68\.42|192\.168\.31\.|212\.219\.9\.79|mi079\.maninv\.com|uk\.ibm\.com|195\.212\.29\.67|213\.249\.129\.100'

# PAM failures: pick out the rhost= value instead of relying on field 14.
grep 'authentication failure' /var/log/secure | grep -o 'rhost=[^ ]*' |
  sed 's/^rhost=//' | grep -v '^$' | sort -u | grep -Ev "$ok" |
  while read -r i; do block "$i"; done

# "Illegal user" attempts: field 13 is the source host.
grep illegal /var/log/secure | grep port | awk '{print $13}' | sort -u |
  while read -r k; do block "$k"; done

#grep lame /var/log/messages | awk '{print $12}' | sed 's/#53//' |
#  grep -Ev '192\.168\.31|212\.56\.68\.42|212\.219\.9\.79' |
#  while read -r j; do block "$j"; done

# Web clients asking for .dll URLs (IIS exploit probes).
grep '\.dll' /var/log/httpd/access_log | awk '{print $1}' | sort -u |
  while read -r l; do block "$l"; done

-- 
Phil Foxton RHCE

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Phil Foxton wrote:
>
> The script is shown below, any ideas? Basically I need to drop any connection
> attempts shown as authentication failures, am I trying to re-invent the wheel?
>

Pretty much. The preferred method of dealing with SSH dictionary attacks is:

a) Configure your SSHD to only allow authentication via shared keys. That way, a dictionary attack can never succeed.

b) Use the 'Limit' built-in action to limit the rate of SSH connection attempts from individual IP addresses (http://www.shorewall.net/PortKnocking.html#Limit).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
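As an added example (it is not part of Tom's message and not copied from the Shorewall or OpenSSH documentation), here are the two settings Tom describes written out: the sshd_config lines that switch off every password-based method, and a Shorewall rules entry that uses the Limit action for port 22 in place of a plain ACCEPT. The recent-table name SSHA, the "3 attempts per 60 seconds" values, the zone names net/$FW and the ignore of 192.168.31.0/24 are assumptions chosen for illustration. The exact spelling of the Limit action differs between Shorewall releases (the parameterised form below is the one the Shorewall-perl compiler accepts; older shell-based releases write it as Limit:none:SSHA,3,60), so check the PortKnocking.html#Limit page Tom linked for the version you run. Note that, as Tom says later in the thread, Limit only drops attempts while the source is over the rate; it never puts the address into the dynamic blacklist.

```text
# /etc/ssh/sshd_config  (assumed settings: keys only.  Keep an existing
# session open while restarting sshd so a typo cannot lock you out.)
PubkeyAuthentication yes
PasswordAuthentication no
# Also required: with PAM in use, keyboard-interactive would otherwise
# still let a password through.
ChallengeResponseAuthentication no

# /etc/shorewall/rules  (assumed zones net and $FW; at most 3 new SSH
# connections from one source address per 60 seconds, tracked in the
# recent table named SSHA)
#ACTION              SOURCE   DEST    PROTO   DEST PORT(S)
Limit(SSHA,3,60)     net      $FW     tcp     22
```

After editing, restart sshd and confirm from a second machine that `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host` is refused before closing your existing session; then reload Shorewall and watch `shorewall show recent` (or the equivalent for your release) to see the SSHA table fill as clients connect.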
Thanks for that Tom, just to clarify though, does LIMIT just drop the connections momentarily or is it in effect adding the source to the dynamic list?

Thanks
Phil
-- 
Phil Foxton RHCE

---------- Original Message -----------
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Wed, 23 Apr 2008 06:51:10 -0700
Subject: Re: [Shorewall-users] Shorewall drop issue?

> Phil Foxton wrote:
> >
> > The script is shown below, any ideas? Basically I need to drop any connection
> > attempts shown as authentication failures, am I trying to re-invent the wheel?
> >
>
> Pretty much. The preferred method of dealing with SSH dictionary
> attacks is:
>
> a) Configure your SSHD to only allow authentication via shared keys.
> That way, a dictionary attack can never succeed.
>
> b) Use the 'Limit' built-in action to limit the rate of SSH
> connection attempts from individual IP addresses
> (http://www.shorewall.net/PortKnocking.html#Limit).
>
> -Tom
------- End of Original Message -------
Phil Foxton wrote:
> Thanks for that Tom, just to clarify though, does LIMIT just drop the
> connections momentarily or is it in effect adding the source to the dynamic list?

It does not add the source to the dynamic list. It drops connection attempts from individual IP addresses so long as the connection attempt rate is above the limits that you specify in the Limit rule.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>> The script is shown below, any ideas? Basically I need to drop any
>> connection
>> attempts shown as authentication failures, am I trying to re-invent
>> the wheel?
>>
>
> Pretty much. The preferred method of dealing with SSH dictionary attacks is:
>
> a) Configure your SSHD to only allow authentication via shared keys.
> That way, a dictionary attack can never succeed.
>
> b) Use the 'Limit' built-in action to limit the rate of SSH
> connection attempts from individual IP addresses
> (http://www.shorewall.net/PortKnocking.html#Limit).

And/or install a tool like fail2ban that will block access from IPs that have authentication failures - actions and conditions are configurable but defaults are 'sane'.
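As an added example, not part of the reply above and not fail2ban's shipped defaults: a jail.local fragment that does what Phil's script was trying to do (ban sources after repeated sshd failures) but hands the ban to Shorewall's dynamic blacklist through fail2ban's bundled shorewall action, which runs "shorewall drop <ip>" on ban and "shorewall allow <ip>" on unban, so bans expire cleanly. The thresholds, the ignoreip range (taken from the 192.168.31 network Phil whitelists in his script) and the log path are assumptions for illustration; the jail name follows fail2ban 0.9 and later, while the 0.8 releases of the time ship the same jail as [ssh-iptables] with an explicit action = line instead of banaction.

```text
# /etc/fail2ban/jail.local  (assumed values; overrides jail.conf)
[DEFAULT]
# Ban via Shorewall's dynamic blacklist (action.d/shorewall.conf)
# rather than inserting raw iptables rules behind Shorewall's back.
banaction = shorewall
# Never ban the firewall itself or the internal LAN.
ignoreip  = 127.0.0.1/8 192.168.31.0/24

[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/secure
# 5 failures within 10 minutes earns a one-hour ban.
maxretry = 5
findtime = 600
bantime  = 3600
```

Check the result with `fail2ban-client status sshd` (banned addresses) and `shorewall show dynamic`, which should list the same IPs; the sshd filter matches on the rhost= value of the PAM line and on the "Invalid user ... from <ip>" lines, so the hostname-versus-dotted-quad problem in the hand-written script does not arise.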