VelVet (n00b)
Joined: 09 Feb 2005 Posts: 21 Location: Belgium
Posted: Thu Mar 30, 2006 1:53 am

never mind, got everything to work
great script
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Mon Apr 03, 2006 7:22 am

New observations of my blacklist's strange behaviour. Whenever I suffer an ssh attack, blacklist seems to stop running. I've checked this quite a few times. For instance, right now: I've just seen this in my /var/log/auth.log:
Code:
```
Apr 3 01:08:54 machine sshd[13008]: Invalid user {\\rtf1\\ansi\\ansicpg1252\\deff0{\\fonttbl{\\f0\\fswiss\\fcharset0 from 24.199.204.163
Apr 3 01:08:55 machine sshd[13010]: Invalid user {\\*\\generator from 24.199.204.163
Apr 3 01:08:56 machine sshd[13012]: Invalid user ak from 24.199.204.163
Apr 3 01:08:58 machine sshd[13014]: Invalid user asvn from 24.199.204.163
Apr 3 01:08:59 machine sshd[13016]: Invalid user atemp from 24.199.204.163
Apr 3 01:09:00 machine sshd[13018]: Invalid user aalyssa from 24.199.204.163
Apr 3 01:09:02 machine sshd[13020]: Invalid user amirion from 24.199.204.163
Apr 3 01:09:03 machine sshd[13022]: Invalid user azimbra from 24.199.204.163
Apr 3 01:09:13 machine sshd[13024]: Did not receive identification string from 24.199.204.163
Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr 3 04:40:04 machine sshd[13656]: Did not receive identification string from 201.247.150.165
Apr 3 04:46:29 machine sshd[13657]: Invalid user webmaster from 201.247.150.165
Apr 3 04:46:37 machine sshd[13661]: Invalid user ftp from 201.247.150.165
Apr 3 04:46:39 machine sshd[13663]: Invalid user sales from 201.247.150.165
Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr 3 04:46:47 machine sshd[13667]: Invalid user andrea from 201.247.150.165
Apr 3 04:46:57 machine sshd[13669]: Did not receive identification string from 201.247.150.165
Apr 3 04:40:04 machine sshd[13656]: Did not receive identification string from 201.247.150.165
Apr 3 04:46:29 machine sshd[13657]: Invalid user webmaster from 201.247.150.165
Apr 3 04:46:37 machine sshd[13661]: Invalid user ftp from 201.247.150.165
Apr 3 04:46:39 machine sshd[13663]: Invalid user sales from 201.247.150.165
Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr 3 04:46:47 machine sshd[13667]: Invalid user andrea from 201.247.150.165
Apr 3 04:46:57 machine sshd[13669]: Did not receive identification string from 201.247.150.165
```
Immediately after noticing tonight's attack this morning, I checked whether blacklist was running, but it was not. The following commands were run in a row:
Code:
```
# ps aux | grep black
root 14579 0.0 0.0 4056 816 pts/1 S+ 09:05 0:00 grep black
# /usr/local/bin/blacklist.py &
[1] 14583
# Removing stale pidfile /var/run/blacklist.pid with pid 1348
# ps aux | grep black
root 14583 0.3 0.3 18664 3936 pts/1 S 09:05 0:00 /usr/bin/python /usr/local/bin/blacklist.py
root 14595 0.0 0.0 4056 804 pts/1 R+ 09:05 0:00 grep black
#
```
However, it was running last night, because I had to re-activate it after it de-activated following the attacks on Sunday morning. Why does blacklist.py quit itself when an attack happens? I understand nothing.
Andersson (Guru)
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Mon Apr 03, 2006 3:24 pm

urcindalo: Run in test mode and see if you get any error messages.
I had problems with it quitting also; for me it was that I had changed the regexp, but forgot to change <host> to <ip>.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Mon Apr 03, 2006 4:51 pm

Thanks for your help.
Nope, I got no problems with test mode. Just look at these commands in a row:
Code:
```
# ps aux | grep black
root 10045 0.0 0.3 18432 3856 ? Ss 15:59 0:00 /usr/bin/python /usr/local/bin/blacklist.py
root 14398 0.0 0.0 4056 808 pts/5 R+ 18:39 0:00 grep black
# /usr/local/bin/blacklist.py "Apr 3 01:08:56 machine sshd[13012]: Invalid user ak from 24.199.204.163"
* Entering test mode
* SSH_REGEX[ 0 ]: No match found
* SSH_REGEX[ 1 ]: Caught ip "24.199.204.163 and username "ak"
* FTP_REGEX[ 0 ]: No match found
* SUCCESS: Sending mail from blacklist@localhost to root@localhost
# /usr/local/bin/blacklist.py "Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165"
* Entering test mode
* SSH_REGEX[ 0 ]: No match found
* SSH_REGEX[ 1 ]: Caught ip "201.247.150.165 and username "admin"
* FTP_REGEX[ 0 ]: No match found
* SUCCESS: Sending mail from blacklist@localhost to root@localhost
# ps aux | grep black
root 10045 0.0 0.3 18432 3856 ? Ss 15:59 0:00 /usr/bin/python /usr/local/bin/blacklist.py
root 14435 0.0 0.0 4056 800 pts/5 R+ 18:40 0:00 grep black
#
```
The examples are real attacks from my previous post. I didn't change the regexes in the script. However, I did change this:
Code:
```python
...
LOGTAIL = "/usr/bin/logtail"
...
PERMITTED_LOGIN_FAILURES = 3
BLOCKING_PERIOD = 604800 # seconds (one week)
SUSPECTING_PERIOD = 86400 # seconds (one day)
...
DATE_FORMAT = "%Y.%m.%d %X" # e.g.: 02.01.2006 23:49:12 (I changed it from %d.%m.%Y); %m is the month, %M would be minutes
...
...
system_command( IPTABLES + " --insert INPUT 4 --jump " + CUSTOM_CHAIN )
...
```
Notice the "--insert INPUT 4 --jump". The reason is that my iptables config is:
Code:
```
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 80.103.114.34 0.0.0.0/0
ACCEPT all -- 150.214.212.13 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
...
```
and I want blacklist rules to be inserted after the rule for 150.214.212.13.
kill[h]er (n00b)
Joined: 02 Sep 2003 Posts: 30
Posted: Mon Apr 03, 2006 5:27 pm

If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Mon Apr 03, 2006 5:39 pm

kill[h]er wrote:
> If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.

That's why I put it before that rule (intended as number 4), so that related/established will be number 5, unless I don't understand the syntax. Am I right or did I make a mistake?
BlinkEye (Veteran)
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Apr 05, 2006 11:30 am

urcindalo wrote:
> kill[h]er wrote:
> > If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.
>
> That's why I put it before that rule (intended as number 4), so that related/established will be number 5, unless I don't understand the syntax. Am I right or did I make a mistake?

[EDIT]
Like kill[h]er said, you most likely want it to be at number 5. You can easily verify the behaviour by running blacklist.py and then making a couple of login attempts yourself. I suggest you run it (without moving it into the background) and then do some login failures and tell us what's happening. If it crashes you should see a debug output ...
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Last edited by BlinkEye on Wed Apr 05, 2006 1:30 pm; edited 1 time in total
kill[h]er (n00b)
Joined: 02 Sep 2003 Posts: 30
Posted: Wed Apr 05, 2006 1:10 pm

Maybe I'm wrong, but I don't think so.
From what I know of iptables, it goes down the list and looks for a match. If a match occurs, it executes the entry.
So if you get to the blacklist chain before you get to the established/related chain, then if your IP is in the blacklist chain as a drop, it will drop your connections and stop processing the chain (i.e., it won't bother looking at the established/related rule).
But like blinkeye said, try it out and let us all know...
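The first-match rule kill[h]er describes, as an added example (not code from this thread or from blacklist.py): a small Python model of iptables chain evaluation, loaded with a constructed copy of the INPUT chain urcindalo posted and one DROP rule in the BLACKLIST chain, so the effect of `--insert INPUT 4` versus position 5 on an already established SSH session from a blocked address can be read off directly.

```python
"""Toy model of iptables first-match evaluation (added example, not code
from blacklist.py).  The rule set is a constructed copy of the INPUT chain
posted in this thread; the blocked address is the one from the DROP rule
that appears later in the thread."""

ACCEPT, DROP, REJECT, RETURN = "ACCEPT", "DROP", "REJECT", "RETURN"


def rule(target, src=None, proto=None, dport=None, state=None):
    """A rule is (predicate, target); a None field matches anything."""
    def matches(pkt):
        return ((src is None or pkt["src"] == src)
                and (proto is None or pkt["proto"] == proto)
                and (dport is None or pkt["dport"] == dport)
                and (state is None or pkt["state"] in state))
    return matches, target


def evaluate(chains, chain, pkt):
    """Walk a chain top to bottom.  The first matching rule decides; a jump
    into a user chain that matches nothing falls back (RETURN) to the next
    rule of the calling chain, as the kernel does."""
    for matches, target in chains[chain]:
        if not matches(pkt):
            continue
        if target in chains:                      # -j <user chain>
            verdict_from_chain = evaluate(chains, target, pkt)
            if verdict_from_chain != RETURN:
                return verdict_from_chain
            continue
        return target
    return ACCEPT if chain == "INPUT" else RETURN  # INPUT policy is ACCEPT


def build_chains(blacklist_position):
    """INPUT chain from the thread with the BLACKLIST jump inserted at the
    1-based blacklist_position (what 'iptables --insert INPUT N' does)."""
    input_chain = [
        rule(ACCEPT, src="127.0.0.1"),
        rule(ACCEPT, src="80.103.114.34"),
        rule(ACCEPT, src="150.214.212.13"),
        rule(ACCEPT, state={"RELATED", "ESTABLISHED"}),
        rule(ACCEPT, proto="tcp", dport=22, state={"NEW"}),
        rule(REJECT),
    ]
    input_chain.insert(blacklist_position - 1, rule("BLACKLIST"))
    return {
        "INPUT": input_chain,
        # one blocked host, as in the DROP rule shown later in the thread
        "BLACKLIST": [rule(DROP, src="192.168.12.147", proto="tcp", dport=22)],
    }


def verdict(blacklist_position, pkt):
    """Verdict the INPUT chain gives pkt with BLACKLIST at that position."""
    return evaluate(build_chains(blacklist_position), "INPUT", pkt)


# Constructed packets: one from an SSH session that was already open when
# the address got blocked, one from a fresh connection attempt, and one
# fresh attempt from an address that is not blocked at all.
ESTABLISHED_SSH = {"src": "192.168.12.147", "proto": "tcp", "dport": 22,
                   "state": "ESTABLISHED"}
NEW_SSH = dict(ESTABLISHED_SSH, state="NEW")
OTHER_NEW_SSH = dict(NEW_SSH, src="10.0.0.5")

if __name__ == "__main__":
    for pos in (4, 5):
        print("BLACKLIST at position %d: established session -> %s, "
              "new connection -> %s" % (pos, verdict(pos, ESTABLISHED_SSH),
                                        verdict(pos, NEW_SSH)))
```

At position 4 the BLACKLIST jump is evaluated before the RELATED,ESTABLISHED rule, so the open session's packets are dropped the moment the address is blocked; at position 5 the established session survives and only new connections from that address are dropped. Addresses that are not in the chain pass through either way, because an unmatched user chain returns to the caller.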
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Wed Apr 05, 2006 2:00 pm

BlinkEye wrote:
> Like kill[h]er said, you most likely want it to be at number 5. You can easily verify the behaviour by running blacklist.py and then making a couple of login attempts yourself. I suggest you run it (without moving it into the background) and then do some login failures and tell us what's happening. If it crashes you should see a debug output ...

OK. I changed it to number 5 and ran it in the foreground:
Code:
```
# ./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 15174
```
Then I tried to log in remotely with a fake username from an OS X box:
Code:
```
$ ssh -l fakeuser mymachine.mydomain
Password:
Password:
Password:
Permission denied (publickey.keyboard-interactive).
$
```
And I saw blacklist in my Gentoo box failing this way:
Code:
```
# ./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 15174
Traceback (most recent call last):
  File "./blacklist.py", line 298, in ?
    scan()
  File "./blacklist.py", line 166, in scan
    create_stat( regex_matches, ssh_list, ssh_list_blocked, len( re_ssh.findall( new_log_entries ) )/100, SSH_PORT )
  File "./blacklist.py", line 150, in create_stat
    block( ip_list_blocked[ 0 ][ 0 ], BLOCKING_PERIOD + delay, port )
  File "./blacklist.py", line 98, in block
    system_command( IPTABLES + " --insert " + CUSTOM_CHAIN + " --source " + ip + " --protocol tcp --dport " + str( port ) + " --jump TARPIT" )
  File "./blacklist.py", line 87, in system_command
    raise IOError( return_value[ 1 ] )
IOError: iptables: No chain/target/match by that name
# ps aux | grep black
root 15323 0.0 0.0 4056 804 pts/2 R+ 15:55 0:00 grep black
#
```
As you can see, it quit after the "IOError: iptables: No chain/target/match by that name" error.
How could I solve it? Again, my iptables are:
Code:
```
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 80.103.114.34 0.0.0.0/0
ACCEPT all -- 150.214.212.13 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:137:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:426
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1417:1420
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5900:5902
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5900:5902
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5800:5802
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5800:5802
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5500:5502
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5500:5502
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 80.103.114.34 0.0.0.0/0
ACCEPT all -- 150.214.212.13 0.0.0.0/0
```
BlinkEye (Veteran)
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Apr 05, 2006 3:17 pm

Please try replacing TARPIT with REJECT.
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Wed Apr 05, 2006 4:15 pm

I replaced TARPIT with DROP (I don't wanna give 'em a clue), and now it didn't quit after trying to log in with a fake user.
What's more, now I see this in iptables:
Code:
```
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 80.103.114.34 0.0.0.0/0
ACCEPT all -- 150.214.212.13 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:137:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:426
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1417:1420
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5900:5902
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5900:5902
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5800:5802
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5800:5802
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:5500:5502
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:5500:5502
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 80.103.114.34 0.0.0.0/0
ACCEPT all -- 150.214.212.13 0.0.0.0/0
Chain BLACKLIST (1 references)
target prot opt source destination
DROP tcp -- 192.168.12.147 0.0.0.0/0 tcp dpt:22
```
It seems it is working, at last!!
Thanks for your help.
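An added example, not blacklist.py's own code, for the two weak points in the traceback above: block() assumes the TARPIT target exists, and the IOError raised by system_command() ends the whole daemon. The version below asks the kernel which target extensions are loaded before choosing one (DROP as the fallback urcindalo settled on; REJECT, as BlinkEye suggested, would slot in the same way), and keeps processing when one iptables call fails. IPTABLES, CUSTOM_CHAIN and the rule text follow the thread; /proc/net/ip_tables_targets is the kernel's list of loaded target extensions (the built-in verdicts are not listed there); the command runner is a parameter so the logic can be checked without root or iptables.

```python
"""Added example (not code from blacklist.py): choose a block target the
kernel really has, and survive a failed iptables call.  The command runner
is injectable; run_real() shells out, fake_run_no_tarpit() stands in for
a kernel without the TARPIT extension."""
import subprocess

IPTABLES = "/sbin/iptables"
CUSTOM_CHAIN = "BLACKLIST"
TARGET_LIST = "/proc/net/ip_tables_targets"   # loaded target extensions
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN"}  # verdicts, never listed there
# TARPIT holds the attacker's connection open if its extension is loaded;
# DROP is the silent fallback urcindalo chose (REJECT would answer instead).
PREFERRED_TARGETS = ("TARPIT", "DROP")


def available_targets(proc_text):
    """Names usable after -j, from the text of TARGET_LIST plus built-ins."""
    loaded = {line.strip() for line in proc_text.splitlines() if line.strip()}
    return loaded | BUILTIN_TARGETS


def choose_target(targets, preferred=PREFERRED_TARGETS):
    """First preferred target the kernel offers; DROP always exists."""
    for name in preferred:
        if name in targets:
            return name
    return "DROP"


def run_real(cmd):
    """Run one iptables command; returns (exit status, stderr text)."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()


def fake_run_no_tarpit(cmd):
    """Stand-in runner for a kernel without TARPIT: same error text iptables
    printed in the traceback, success for everything else."""
    if "--jump TARPIT" in cmd:
        return 1, "iptables: No chain/target/match by that name"
    return 0, ""


def block_rule(ip, port, target):
    """The rule blacklist.py inserts, with the target made a parameter."""
    return (IPTABLES + " --insert " + CUSTOM_CHAIN + " --source " + ip
            + " --protocol tcp --dport " + str(port) + " --jump " + target)


def block(ip, port, target, run=run_real):
    """Insert the rule.  Returns True on success; on failure it reports and
    returns False instead of raising, so one bad iptables call cannot end
    the scanner the way the IOError in the traceback did."""
    status, err = run(block_rule(ip, port, target))
    if status != 0:
        print("could not block %s on port %d (%s); scanner keeps running"
              % (ip, port, err or "iptables exit %d" % status))
        return False
    return True


def block_all(ips, port, target, run=run_real):
    """Block each address in turn; a failure on one does not skip the rest.
    Returns the addresses that were actually blocked."""
    return [ip for ip in ips if block(ip, port, target, run)]


if __name__ == "__main__":
    try:
        with open(TARGET_LIST) as fh:          # Linux with ip_tables loaded
            target = choose_target(available_targets(fh.read()))
    except OSError:
        target = "DROP"                        # no netfilter here: built-in only
    print("would run:", block_rule("192.0.2.10", 22, target))
```

The main block only prints the rule it would insert; on a real box block_all() with run_real needs root. The probe of TARGET_LIST happens once at startup, which is also the point at which a missing extension should be reported rather than discovered on the first attack.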
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Thu Apr 06, 2006 7:48 am

Blacklist is now working beautifully. This morning I saw a blocked-out ip. So, I would like to thank BlinkEye for his impressive work.
I have a request that may be off-topic (since this is an ssh/ftp thread). I sometimes receive vnc attacks, too. Since I don't want to close that port, would it be possible to include in blacklist some kind of vnc regex?
Freman (n00b)
Joined: 04 May 2005 Posts: 27
Posted: Thu Apr 06, 2006 8:36 am

I cheated: I simply patched openssh to call a pre-configured executable file (be it a script or whatnot) with the IP address on Invalid User.
The script saves which IPs it's blocked to a file, and if it hasn't blocked the IP passed to it, it'll add it to iptables.
Works GREAT. I even made an ebuild including the patch for ease of installing across my entire network (c:
I only get one log entry per IP; it's blocked as fast as it starts.
_________________
To err is human... but to truly mess things up you need a computer
kill[h]er (n00b)
Joined: 02 Sep 2003 Posts: 30
Posted: Thu Apr 06, 2006 12:05 pm

Quote:
> I have a request that may be off-topic (since this is an ssh/ftp thread). I sometimes receive vnc attacks, too. Since I don't want to close that port, would it be possible to include in blacklist some kind of vnc regex?

If they are attacking ssh and vnc at the same time, blacklist will already block them out of your system entirely for the timeout period you defined (10 mins default). If they are just attacking VNC, and if the VNC attacks log to /var/log/auth.log, then you could add a regex to the script, and if done right it should block them out entirely as well.
If they are doing nmap scans before attacking your ssh or vnc or both, then if you add the portions I posted before, they'll be blocked for 10 mins (default) immediately, and won't get the chance to attack ssh or vnc.
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Thu Apr 06, 2006 3:12 pm

kill[h]er wrote:
> If they are doing nmap scans before attacking your ssh or vnc or both, then if you add the portions I posted before, they'll be blocked for 10 mins (default) immediately, and won't get the chance to attack ssh or vnc.

I modified blacklist.py with your HOST_NAME feature, launched it and I got no error, so I suppose it is working.
Then I went on and modified it again to detect nmap scans. However, I get this error when launching the re-modified script:
Code:
```
./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 8300
Traceback (most recent call last):
  File "./blacklist.py", line 303, in ?
    scan()
  File "./blacklist.py", line 169, in scan
    re_ssh = re.compile( SSH_REGEX[ i ] )
  File "/usr/lib/python2.4/sre.py", line 180, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python2.4/sre.py", line 227, in _compile
    raise error, v # invalid expression
sre_constants.error: redefinition of group name 'user' as group 3; was group 1
```
My modified lines look like this:
Code:
```python
.....
SSH_REGEX = [
r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<$
r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\$
r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}$
]
.......
# no tolerance for a root login attempt
if ( match.group( 'user' ) == "root" ):
    entry[ 1 ] += PERMITTED_LOGIN_FAILURES
if ( match.group( 'user' ) == "identification" ):
    entry[ 1 ] += PERMITTED_LOGIN_FAILURES
```
Since your modifications were intended for a previous script version, I wonder if the "user" definition changed somehow in the new script, causing your modifications to fail...
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Thu Apr 06, 2006 3:21 pm

Apart from what I just wrote in the previous post, I'd like to add this comment:
kill[h]er wrote:
> If they are just attacking VNC, and if the VNC attacks log to /var/log/auth.log, then you could add a regex to the script, and if done right it should block them out entirely as well.

Well, that's the problem. I don't know where the vnc login attempts go. I've just tried to connect to my box using fake vnc passwords and the connection gets refused. However, I see nothing vnc related in /var/log/auth.log nor in /var/log/messages. Even if the connection is successful I see no vnc entries in those files.
Does anybody know where I can look for them?
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Sun Apr 09, 2006 2:07 pm

One more question (the ones posted immediately before this post are still unanswered).
In the wiki you can read this:
Quote:
> UPDATE: You may safely reset your iptable rules while running blacklist.py. It will (re)add its needed rules automatically when blocking the next IP.

One of my rules relates to my home box, which has a dynamic ip. So, I signed up with no-ip.com and assigned it to my-machine.no-ip.org, which is the actual address I set up in my iptables.conf file. However, every time I reboot my DSL modem-router I'm assigned a different ip, so my-machine.no-ip.org points to a different ip periodically. To make the iptables rule regarding my home machine always point to the correct ip address, I added a cron job to run "iptables-restore iptables.conf" every day.
My question is: will any pre-existing BLACKLIST rules in iptables be flushed after cron execs iptables-restore? I interpret from the quote above that this will in fact be the case, although I'd very much like to be wrong.
Is there any better way of updating my my-machine.no-ip.org rule without losing pre-existing blacklist rules?
BlinkEye (Veteran)
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Sun Apr 09, 2006 7:52 pm

urcindalo wrote:
> One more question (the ones posted immediately before this post are still unanswered).
> In the wiki you can read this:
> Quote:
> > UPDATE: You may safely reset your iptable rules while running blacklist.py. It will (re)add its needed rules automatically when blocking the next IP.
>
> One of my rules relates to my home box, which has a dynamic ip. So, I signed up with no-ip.com and assigned it to my-machine.no-ip.org, which is the actual address I set up in my iptables.conf file. However, every time I reboot my DSL modem-router I'm assigned a different ip, so my-machine.no-ip.org points to a different ip periodically. To make the iptables rule regarding my home machine always point to the correct ip address, I added a cron job to run "iptables-restore iptables.conf" every day.
> My question is: will any pre-existing BLACKLIST rules in iptables be flushed after cron execs iptables-restore? I interpret from the quote above that this will in fact be the case, although I'd very much like to be wrong.
> Is there any better way of updating my my-machine.no-ip.org rule without losing pre-existing blacklist rules?

Well, if your IP changes it won't really matter if you continue to block out IPs from previous attacks, because it would be quite a coincidence if exactly such a blocked IP would start to attack your new IP. And even if it did, they could try a couple of times and then will (again) be blocked out. This restore would only affect the 10 minutes before your IP change, which is 1/144 of each day ... Nothing to worry about.
So, no, it won't add any pre-existing iptables. What I tried to say was it will add the needed CHAIN again (this comment was related to an earlier version where the CHAIN was only added once when starting the script).
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Sun Apr 09, 2006 9:20 pm

BlinkEye wrote:
> Well, if your IP changes ...
> So, no, it won't add any pre-existing iptables.

Well, it does NOT change at my Gentoo box (at work), the one running blacklist. I've got a static ip.
What I said (or tried to) was that I've added an iptables rule for my box at home so that it is never excluded from accessing my work computer. My home box is the one with a dynamic ip. Why should I add a rule for one of my computers in the first place? Because I recently replaced my long-time-used passwd with a new, pretty long one, and sometimes I just forget it. Since I set PERMITTED_LOGIN_FAILURES to 3, that allows me only one mistake (old passwd), one typo and any other sort of wrong input (maybe CAPS key activated?) before denying me access for A WEEK (yeah, I'm drastic here). So, I decided that rule would someday be useful.
From your explanation I see I was correctly interpreting your wiki. So, I'm going to reduce the blocking period to match the cron job restoring iptables. It's nonsense to set it any longer.
The ideal would be to create a script to update only that particular rule, not the whole iptables. However, I'm no programmer and don't know how to do that.
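For the single-rule update urcindalo asks about above, an added example that is not from the thread or from blacklist.py: instead of letting iptables-restore replace the whole rule set from cron, delete the old ACCEPT rule by its specification and insert the freshly resolved address at the same position, so nothing blacklist.py has put into its own chain is touched. The host name is the thread's placeholder, the state-file path is an assumption, and the resolver and command runner are parameters so the logic runs without a network or iptables.

```python
"""Added example (not code from the thread or blacklist.py): refresh only
the ACCEPT rule for a dynamic-DNS host.  Resolver and command runner are
injectable so the rule logic can be exercised without a network or root."""
import socket
import subprocess

IPTABLES = "/sbin/iptables"
HOST = "my-machine.no-ip.org"         # the home box's dynamic-DNS name (thread's placeholder)
POSITION = 3                          # where its ACCEPT rule sits in INPUT
STATE_FILE = "/var/run/home-box.ip"   # assumed path: remembers the last address


def rule_spec(ip):
    """Match and target part of the rule.  Using the same spec for --delete
    and --insert lets the old rule be removed by specification rather than
    by a position that another tool may have shifted."""
    return "--source " + ip + " --jump ACCEPT"


def run_real(cmd):
    """Run one iptables command; returns its exit status."""
    return subprocess.run(cmd, shell=True).returncode


def refresh_rule(old_ip, new_ip, run=run_real, position=POSITION):
    """Replace the ACCEPT rule for old_ip with one for new_ip and nothing
    else: no flush, no restore, so other chains keep their rules.  Returns
    the commands that were run.  A failed delete (rule already gone) is
    tolerated; a failed insert is an error, because the box would be left
    without its ACCEPT rule."""
    if old_ip == new_ip:
        return []                     # address unchanged: nothing to do
    commands = []
    if old_ip:
        commands.append(IPTABLES + " --delete INPUT " + rule_spec(old_ip))
        run(commands[-1])             # non-zero here just means nothing to delete
    insert = IPTABLES + " --insert INPUT %d " % position + rule_spec(new_ip)
    commands.append(insert)
    if run(insert) != 0:
        raise RuntimeError("could not insert ACCEPT rule for " + new_ip)
    return commands


def update(resolve=socket.gethostbyname, run=run_real, state_file=STATE_FILE):
    """Cron entry point: resolve HOST, compare with the remembered address,
    refresh the rule only if it changed, then remember the new address."""
    try:
        with open(state_file) as fh:
            old_ip = fh.read().strip() or None
    except FileNotFoundError:
        old_ip = None
    new_ip = resolve(HOST)
    commands = refresh_rule(old_ip, new_ip, run)
    if commands:
        with open(state_file, "w") as fh:
            fh.write(new_ip + "\n")
    return commands


if __name__ == "__main__":
    for cmd in update():
        print(cmd)
```

Run from cron as often as the DSL lease is likely to change; since it only acts when the resolved address differs from the remembered one, the common case issues no iptables command at all. Deleting by specification is what keeps this safe next to blacklist.py: the BLACKLIST jump inserted at position 5 moves rule numbers around, but the old ACCEPT rule is still found by its own source and target.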
urcindalo (l33t)
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Mon Apr 17, 2006 9:34 am

It's me again. It seems I'm monopolizing the thread.
Anyway, first of all I must thank BlinkEye again for his work. It's working like a charm. And I also want to thank kill[h]er. His modifications are now working perfectly. I just made a typo in the ssh regex when inserting them. I also completely removed the reference to my dynamic-address home box in my office box's iptables.conf, since it was causing more trouble than good.
My question is: what must I change in the script to deny access in the blacklist rules to ALL ports, not only to the ssh or ftp port? I just want to deny access to any port to those ssh or ftp brute-force attacking addresses, but not to anyone (including myself) that might make a mistake typing a password. Thanks.
brfsa (Tux's lil' helper)
Joined: 01 Aug 2005 Posts: 121 Location: Brazil
Posted: Mon Apr 17, 2006 6:17 pm

Extremely nice post...
I read it long ago, but only now that some Chinese hackers started to brute force the server at college did I take a tough look at this tutorial.
I backtraced hackers from China and Korea mainly, and some from Malaysia...
brfsa (Tux's lil' helper)
Joined: 01 Aug 2005 Posts: 121 Location: Brazil
Posted: Mon Apr 24, 2006 5:06 pm

I like this script... very nice.
When is a new version that will support more types of DoS blocking coming out?
How to block those attempts of wrong password for an allowed user???
For example:
Quote:
> Apr 23 08:40:18 athlon sshd(pam_unix)[21158]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=fred
> Apr 23 08:40:19 athlon sshd[21153]: error: PAM: Authentication failure for fred from localhost
> Apr 23 08:40:19 athlon sshd[21153]: Excess permission or bad ownership on file /var/log/btmp
scottevil (n00b)
Joined: 29 Apr 2006 Posts: 6
Posted: Sat Apr 29, 2006 9:12 pm

Great script. I made a couple of regexes and it's on, doing its blocking and so forth...
I'm using proftpd; the log was slightly different:
Code:
```
Apr 29 09:01:20 poo sshd[21523]: Invalid user erick from 200.31.27.182
Apr 29 08:32:18 poo proftpd[5617]: localhost (test.com[70.85.121.242]) - USER asdf: no such user found from test.com [70.85.121.242] to 127.0.01:21
```
Code:
```python
# proftpd:
r"proftpd(?:.*)\slocalhost(?:.*)\sUSER\s(?P<user>.*)[:]\sno such user found from(?:.*)\[(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"
# sshd:
r"Invalid user (?P<user>.*)\sfrom\s(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
```
Anyway, I thought I would throw out those regexes for anyone who has the same log format as I do.
Thanks for the script. I think I'll add a section in it for <start> <restart> <stop> ..
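As an added example, not part of blacklist.py or of anyone's post here, the pattern handling that both the "redefinition of group name" traceback earlier in the thread and scottevil's proftpd pattern above call for: compile every pattern once at startup and report which list entry failed (the traceback only names the group), then pull user and address out of sample log lines and weigh the failures the way the thread's root rule does. The SSH patterns are my reconstruction of the truncated ones urcindalo posted, the proftpd pattern is scottevil's as posted, and the PAM pattern for brfsa's "authentication failure ... rhost= user=" line is an assumption of mine; the sample lines are copied from the thread or constructed (the 10.0.0.9 ones).

```python
"""Added example, not part of blacklist.py: validate the regex lists up
front, extract (service, user, ip) from log lines, and weigh failures per
source address.  SSH patterns are a reconstruction of the truncated ones
in the thread, the proftpd one is scottevil's as posted, the PAM one is an
assumption; sample lines are from the thread or constructed (10.0.0.9)."""
import re

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
PERMITTED_LOGIN_FAILURES = 3

REGEXES = {
    "ssh": [
        r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )?"
        r"(?P<user>\S+) from (?:::ffff:)*(?P<ip>" + IPV4 + ")",
        r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>" + IPV4 + ")",
        r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>" + IPV4 + ")",
    ],
    "proftpd": [  # scottevil's pattern, verbatim
        r"proftpd(?:.*)\slocalhost(?:.*)\sUSER\s(?P<user>.*)[:]\sno such user found from(?:.*)"
        r"\[(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]",
    ],
    "pam": [  # assumed shape of the pam_unix line brfsa quoted, with a remote rhost
        r"authentication failure;.*rhost=(?P<ip>" + IPV4 + r").*user=(?P<user>\S+)",
    ],
}


def compile_all(regexes):
    """Compile each list.  Returns ({service: [compiled]}, problems) where
    problems lists (service, index, message) for every pattern that did not
    compile, so a duplicated group name is reported with its list position."""
    compiled, problems = {}, []
    for service, patterns in regexes.items():
        compiled[service] = []
        for index, pattern in enumerate(patterns):
            try:
                compiled[service].append(re.compile(pattern))
            except re.error as exc:
                problems.append((service, index, str(exc)))
    return compiled, problems


def extract(compiled, line):
    """(service, user, ip) from the first pattern that matches, else None."""
    for service, patterns in compiled.items():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                return service, match.group("user"), match.group("ip")
    return None


def tally(compiled, lines):
    """Failure weight per source address.  A root attempt, or a connection
    that sent no identification string, counts PERMITTED_LOGIN_FAILURES
    extra, as in the thread's 'no tolerance for a root login attempt' rule;
    loopback is never counted, so a local test cannot lock the box out."""
    counts = {}
    for line in lines:
        hit = extract(compiled, line)
        if hit is None:
            continue
        service, user, ip = hit
        if ip.startswith("127."):
            continue
        weight = 1
        if user in ("root", "identification"):
            weight += PERMITTED_LOGIN_FAILURES
        counts[ip] = counts.get(ip, 0) + weight
    return counts


def to_block(counts):
    """Addresses over the allowed number of failures, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n > PERMITTED_LOGIN_FAILURES)


# Deliberately broken list reproducing the traceback: the group name 'user'
# is used twice in one pattern (the kind of typo urcindalo mentions).
BROKEN_SSH = {"ssh_typo": [r"Invalid user (?P<user>.*) from (?P<user>\S+)"]}

SAMPLE_LINES = [
    "Apr 3 01:08:56 machine sshd[13012]: Invalid user ak from 24.199.204.163",
    "Apr 3 01:09:13 machine sshd[13024]: Did not receive identification string from 24.199.204.163",
    "Apr 3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165",
    "Apr 29 08:32:18 poo proftpd[5617]: localhost (test.com[70.85.121.242]) - USER asdf: no such user found from test.com [70.85.121.242] to 127.0.01:21",
    "Apr 23 08:40:18 athlon sshd(pam_unix)[21158]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=fred",
    "Apr 23 08:41:02 athlon sshd[21160]: Failed password for root from 10.0.0.9 port 4022 ssh2",
    "Apr 23 08:42:10 athlon sshd(pam_unix)[21171]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=fred",
]

COMPILED, COMPILE_PROBLEMS = compile_all(REGEXES)

if __name__ == "__main__":
    print("broken list:", compile_all(BROKEN_SSH)[1])
    counts = tally(COMPILED, SAMPLE_LINES)
    print(counts, "->", to_block(counts))
```

Two things the thread's own code does not do are visible here: the compile step names the list and index of the bad pattern, which is what a `sre_constants.error` at scan time leaves out, and brfsa's wrong-password case for an existing user is counted through the PAM line only when rhost is a dotted-quad address, so his sample with rhost=localhost is never turned into a block rule.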
eyeL (Tux's lil' helper)
Joined: 13 Nov 2005 Posts: 82 Location: Missouri
Posted: Sat May 06, 2006 8:25 pm

Good idea. I've been working on my own version of this. I have a bash script to parse my logs for brute attempts and save them into a file, then a perl script to run a regex through and harvest the IPs, then another script that reads that script line by line and adds a rule to my IPTables to ban them, and then emails me the IP and port which they are banned from. It also includes a DNS lookup and a whois report, and it gives me the abuse email for their ISP, and then sends out an automated message containing logs of their intrusion attempts. It all runs in cron at midnight each night.
edit;
Code:
```python
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"
```
you wouldn't even need a regex like that, you could just
Code:
```python
import os
os.system("cat /log/file/ | grep \"Invalid user\" > /invalid/users/file")
```
_________________
[theNPA - down for updates] | [Adopt an unanswered post]
gentoo 2005.1 [lazy] - gcc 4.1.1
BlinkEye (Veteran)
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Mon May 08, 2006 2:36 pm

eyeL wrote:
> Code:
> ```python
> SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"
> ```
> you wouldn't even need a regex like that, you could just
> Code:
> ```python
> import os
> os.system("cat /log/file/ | grep \"Invalid user\" > /invalid/users/file")
> ```

Yes I do. This regex catches not only the line but especially the user and host for later use (iptables).
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick