Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5, 6  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
xoomix
Guru
Guru


Joined: 02 Jan 2003
Posts: 489

PostPosted: Fri Jun 09, 2006 4:58 pm    Post subject: Request ... Reply with quote

Has anyone modified this script yet to block port 80 after matching strings from the apache logs? That could be so useful to me - just wish I knew how to go about it.
Back to top
View user's profile Send private message
magic919
Advocate
Advocate


Joined: 17 Jun 2005
Posts: 2173
Location: Berkshire, UK

PostPosted: Fri Jun 09, 2006 5:13 pm    Post subject: Reply with quote

This is not a support forum.

However, check www.pettingers.org to block port 80 stuff.
Back to top
View user's profile Send private message
xoomix
Guru
Guru


Joined: 02 Jan 2003
Posts: 489

PostPosted: Sat Jun 10, 2006 11:46 am    Post subject: Reply with quote

magic919 wrote:
This is not a support forum.

However, check www.pettingers.org to block port 80 stuff.


It's pretty apparent that everyone comes here for questions/answers - what is that if it's not support? This entire thread is made up specifically of posts from people asking the author how to get his script working and/or configured to do certain things, so I am not sure where you are coming from.

As far as the link you provided thanks for the thought, but I could not find anything there that addresses my specific question, which was "Has anyone modified this script yet to block port 80 after matching strings from the apache logs?" - meaning blacklist.py . I guess it's posssible that it's there but for some reason I just can't find it.
Back to top
View user's profile Send private message
xoomix
Guru
Guru


Joined: 02 Jan 2003
Posts: 489

PostPosted: Sat Jun 10, 2006 11:55 am    Post subject: I see ... Reply with quote

I see now where you are coming from about this not being a support forum (the sticky post) - I did feel it rather strange that I was the only one in there that got a comment on it not being a support forum - go through the thread and count up how many question marks there are in there (people asking quetions) - go figure.
Back to top
View user's profile Send private message
xoomix
Guru
Guru


Joined: 02 Jan 2003
Posts: 489

PostPosted: Sat Jun 10, 2006 12:05 pm    Post subject: Anywho ... Reply with quote

For anyone interested I started a new topic under the unsupported software forum:
Code:
http://forums.gentoo.org/viewtopic-t-470094-highlight-.html

This is me specifically asking, again, if anyone's configured blacklist.py to do port 80 stuff.
Please feel free to add/reply to that :)
Back to top
View user's profile Send private message
Biker
Apprentice
Apprentice


Joined: 11 Jun 2003
Posts: 156
Location: A very dark, cold and moisty place...

PostPosted: Fri Jun 16, 2006 10:52 am    Post subject: Reply with quote

Great script.

If you have logrotate installed you may consider droppping:

Code:
/var/log/blacklist.log {
    daily
    missingok
    notifempty
}


into a file named /etc/logrotate.d/blacklist


Biker
_________________
The "Freedom of the Press" belongs to those that have a press.
Back to top
View user's profile Send private message
skakz
Guru
Guru


Joined: 03 Jul 2004
Posts: 380
Location: Ischia/Napoli/Italia/Terra

PostPosted: Sun Jun 25, 2006 3:25 pm    Post subject: Reply with quote

hi all!
this tool is powerful!!!! :twisted:
please check here.. i have modified this script to support http protocol too.
anyway all thanks goes to BlinkEye!!!
_________________
Linux Registered User n.340423
Linux User Group Ischia
www.tush.it
Back to top
View user's profile Send private message
Robert S
Guru
Guru


Joined: 15 Aug 2004
Posts: 415
Location: Canberra Australia

PostPosted: Thu Aug 31, 2006 11:34 am    Post subject: Reply with quote

This script doesn't seem to work any longer for me. I can still log in after repeated failures. It used to work fine. I suspect its an iptables problem. After repeated incorrect passwords from 192.168.2.20:
Quote:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
41981 24M ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
253 23657 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
1003 167K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x17/0x02
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 flags:0x17/0x02

<etc etc>

0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
24 1872 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `iptables:' queue_threshold 1
24 1872 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 51938 packets, 24M bytes)
pkts bytes target prot opt in out source destination

Chain BLACKLIST (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 192.168.2.20 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable

Despite this I am still able to log in from my PC at 192.168.2.20. I assume that the reason for 202.67.151.139 being repeatedly rejected is that whoever is at that address is not being blocked.

Unfortunately I'm not cluey enough about iptables to solve this.

Also - at certain times my iptables rules get mysteriously dropped ie:
Quote:
# iptables -nvL |less
Chain INPUT (policy ACCEPT 2339 packets, 750K bytes)
pkts bytes target prot opt in out source destination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 64608 packets, 27M bytes)
pkts bytes target prot opt in out source destination


Chain BLACKLIST (0 references)
pkts bytes target prot opt in out source destination

- with no intervention on my part.

Can anybody help?
Back to top
View user's profile Send private message
Robert S
Guru
Guru


Joined: 15 Aug 2004
Posts: 415
Location: Canberra Australia

PostPosted: Wed Sep 13, 2006 11:59 am    Post subject: Reply with quote

This seems to have solved the problem. I've changed "yes" to "no":
Quote:
$ cat /etc/conf.d/iptables
SAVE_ON_STOP="no"

It looks as if the saved iptables rules have mucked up the script when it restarts.
Back to top
View user's profile Send private message
mudrii
l33t
l33t


Joined: 26 Jun 2003
Posts: 789
Location: Singapore

PostPosted: Sat May 26, 2007 7:16 am    Post subject: Reply with quote

Nice script jumping into it for trial ;)
_________________
www.gentoo.ro
Back to top
View user's profile Send private message
Ishiki
Tux's lil' helper
Tux's lil' helper


Joined: 31 Aug 2005
Posts: 86

PostPosted: Mon Jun 04, 2007 12:57 pm    Post subject: Reply with quote

Magnificent script !
Thank you very much.
Back to top
View user's profile Send private message
predatorfreak
l33t
l33t


Joined: 13 Jan 2005
Posts: 708
Location: USA, Michigan.

PostPosted: Tue Jun 05, 2007 2:50 pm    Post subject: Reply with quote

In my own experience, using iptable's recent match support you can achieve the same results (blocks all bruteforce attempts at SSH) without parsing ANY logs. It also doesn't require any fancy blacklist or somesuch, iptables will keep the blacklist internal until the host in question has stopped ramming ports, if they continue to port ram, they're banned for longer periods of time.

In practice, this works extremely well. I use something to this effect on my server, although it's wrapped in my iptables system that handles pretty much all my firewall rules.

Here's a basic example of iptables recent match being used to defeat bruteforce attacks:
Code:
iptables -N BRUTEFORCE_DEFEAT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRUTEFORCE_DEFEAT
iptables -A BRUTEFORCE_DEFEAT -m recent --update --seconds 15 -j DROP
iptables -A BRUTEFORCE_DEFEAT -m recent --set -j RETURN


Of course, this might not meet everyone's needs, but it's significantly simpler AND faster, it will defeat bruteforce attempts, DDoS's on ports, etc, without parsing any logs or some such.

Also, changing the --seconds 15 to any other value means that if they hit the port more than once in X amount of time, they're banned. Most bruteforcers just hit as much as possible, so they're banned after the first attempt, generally. If you wanted the ban to last longer though, you could use say 500 seconds or whatever and they'd be banned for 500 seconds.
_________________
System: predatorbox
Distro: Arch Linux x86_64
Current projects: blackhole, convmedia and anything else I cook up.
Back to top
View user's profile Send private message
funkoolow
Guru
Guru


Joined: 21 Sep 2004
Posts: 526
Location: er paese delle anguille

PostPosted: Sat Jun 09, 2007 12:17 pm    Post subject: Reply with quote

hi there,

I think this is a great tool, but, if allowed, i suggest some improvements that would make it greater:
1) the max_attempts variable: number of max attempts over which the ban time for an attacking ip will increase.
2) the increase_time variable: number of seconds to increase the ban time for an attacking ip once the max_attempts has been passed.

actually, if i read correctly, those two parameters are set but in a static way to max_attempts=100 and increase_time=1sec so that at the 101st login attempt the ban time will increase to BLOCKING_PERIOD+1. Otherwise, i'd rather prefer the script to increase the ban time by 30sec every 10 wrong login attempts.

Is it possible to add those values in a dynamic way as actually happens e.g. for the blocking_period parameter?

thanks a lot :)
_________________
SabaziaLUG: il LUG a nord di Roma
nulab.it
squarepusher.it
natural-selection.it
Back to top
View user's profile Send private message
LJM9000
Tux's lil' helper
Tux's lil' helper


Joined: 31 Aug 2006
Posts: 76
Location: United States

PostPosted: Mon Mar 10, 2008 5:08 pm    Post subject: Reply with quote

Ok, I think I must be retarded I cannot get this to work.

I have compiled IPTables into my kernel
Then I ran
Code:
iptables-restore  /etc/iptables.bak

Then
Code:
/etc/init.d/iptables save


I started IPTables by running
Code:
/etc/init.d/iptables start

I then ran the blacklist init script posted here
Code:
/etc/init.d/blacklist


Then when I fail logging in from a different computer on purpose /var/log/blacklist.log never changes. It just remains empty. My /var/log/auth.log shows failed connections.

I have installed the logsentry package as well, per the instructions.

Help!
Back to top
View user's profile Send private message
LJM9000
Tux's lil' helper
Tux's lil' helper


Joined: 31 Aug 2006
Posts: 76
Location: United States

PostPosted: Wed Mar 12, 2008 2:50 am    Post subject: Reply with quote

I fixed it. It seems that there was an error in the code.
I changed it to the following since Logtail doesn't need the -f anymore.
Code:
try:
      new_log_entries = system_command( LOGTAIL + " " + LOG_INPUT )
   except:
      new_log_entries  =  system_command( LOGTAIL + " " + LOG_INPUT )


Yes it makes no sense that I should need the except in there. But when I removed it the program errored.

Also I don't know python so that could have been the problem too.
Everythings working correctly now.
Back to top
View user's profile Send private message
Raposatul
n00b
n00b


Joined: 25 Sep 2007
Posts: 53

PostPosted: Wed Apr 02, 2008 10:15 am    Post subject: Reply with quote

LJM9000 wrote:
Ok, I think I must be retarded I cannot get this to work.

I have compiled IPTables into my kernel
Then I ran
Code:
iptables-restore  /etc/iptables.bak

Then
Code:
/etc/init.d/iptables save


I started IPTables by running
Code:
/etc/init.d/iptables start

I then ran the blacklist init script posted here
Code:
/etc/init.d/blacklist


Then when I fail logging in from a different computer on purpose /var/log/blacklist.log never changes. It just remains empty. My /var/log/auth.log shows failed connections.

I have installed the logsentry package as well, per the instructions.

Help!

iptables-save > /etc/iptables.bak
iptables-restore < /etc/iptables.bak
Back to top
View user's profile Send private message
dr4cul4
n00b
n00b


Joined: 19 Mar 2008
Posts: 17

PostPosted: Wed May 14, 2008 1:06 pm    Post subject: Reply with quote

I have a small fix for init.d script (assuming pid file is the same as in original blacklist.py script). It fixes stopping and restarting issues.

Code:
#!/sbin/runscript
# Distributed under the terms of the GNU General Public License v2
#
# Refer to forum post: http://forums.gentoo.org/viewtopic-p-3141510.html#3141510
#
# Date: 2008-05-14
# Version 0.2 by dr4cul4


# you may want to uncomment the below if using iptables in rc-update, but
# it is probably not necessary
depend() {
       use iptables sshd
}

start() {
        ebegin "Starting blacklist"
        start-stop-daemon --start --quiet --background \
                --exec /usr/bin/python /usr/sbin/blacklist.py
        eend $?
}

stop() {
        ebegin "Stopping blacklist"
        start-stop-daemon --stop --quiet --pidfile /var/run/blacklist.pid
        eend $?
}
Back to top
View user's profile Send private message
sam_i_am
Tux's lil' helper
Tux's lil' helper


Joined: 19 Sep 2003
Posts: 124

PostPosted: Fri Jun 13, 2008 7:29 pm    Post subject: Reply with quote

Hi all,

I've pared down this script even further and used the ability of syslog-ng to create filters to match a regexp as well as the ability to send the log to another program. So, no need for a separate thread and polling.

Here's how to use it:

Modify syslog-ng.conf by adding the following filter and destination
Code:

# destination is the python script which will insert an iptable rule to block the ip
destination sshd_ban    { program("/sbin/block_ip.py");  };

# create a filter that will pick suspicions log statements from sshd daemon
filter f_sshd_attack { program(sshd) and (
                        match('Did not receive identification string from') or
                        match('Invalid user') or
                        match('Failed password for root')
                       );
                     };

# connect the filter to the destination
log { source(src);     filter(f_sshd_attack);    destination(sshd_ban);   };


Save the following script as /sbin/block_ip and edit the variables at the top to suit your environment. I've removed the timeout part as it wasn't important in my case.

BEWARE: once an ip is blocked, it stays blocked until the rule is removed (or the system is rebooted)

One nice thing about this is that the hack attempts that I've seen starts with a port scan on port 22 which generates the log message "Did not receive identification from xx.xx.xx.xx". This will immediately trigger the block and the hapless script kiddie is locked out forever without being able to try even a single username :twisted:
Code:

#!/usr/bin/python

# block_ip.py is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# block_ip.py is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# Original Copyright: Reto Glauser aka blinkeye
# Adapted by academic.sam at gmail.com for invocation by syslog-ng
# Version 0.1

import re;
import commands;
import sys;
from syslog import *;
import os;
from os import access, R_OK, W_OK, X_OK;

DATE_FORMAT = "%b %d %X" # e.g.: May 25 23:49:12
BLOCKED_LIST = "/tmp/blocked_ip"
IPTABLES = "/sbin/iptables"
CUSTOM_CHAIN = "BLACKLIST"
SSH_PORT = 22

SSH_REGEXC = [
       re.compile( r"Did not receive identification string from (?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" ),
      re.compile( r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" ),
       re.compile( r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" )
      ]

# Wrapper function for commands
def system_command( string_command ):
   return_value = []
   return_value = ( commands.getstatusoutput( string_command ) )
   if not return_value[ 0 ] == 0:
      raise IOError( return_value[ 1 ] )
   return return_value[ 1 ]


# block ip for the duration of time
def block( ip, port ):
   try:
      system_command( IPTABLES + " --new-chain " + CUSTOM_CHAIN )
      system_command( IPTABLES + " --insert INPUT --jump " + CUSTOM_CHAIN )
   except:
      None      
   system_command( IPTABLES + " --insert " + CUSTOM_CHAIN + " --source " + ip + " --protocol tcp --dport " + str( port ) + " --jump DROP" )
   syslog( "Blocking " + ip )

# Do we have iptables ?
if not access( IPTABLES, X_OK ):
   raise IOError, IPTABLES + " is not executable"

ip_list = []

try:
   ipf = open( BLOCKED_LIST, "r")
except IOError:
   pass
else:
   for line in ipf:
      ip_list.append( line.strip() )
   ipf.close()
   
openlog( "block_ip" )
syslog("Reading initial list: " + ", ".join( ip_list ) )

while 1:
   line = sys.stdin.readline()
   if not len( line ):
      break
   for i in range( 0, len( SSH_REGEXC ) ):
      if len( SSH_REGEXC[ i ].findall( line ) ):
         regex_matches = SSH_REGEXC[ i ].finditer( line )
         for match in regex_matches:
            ip = match.group( 'ip' )
            if ip not in ip_list:
               ip_list.append( ip )
               block( ip, SSH_PORT)

try:
   ipf = file( BLOCKED_LIST, "w")
except IOError:
   syslog( "Could not write blocked IP list to " + BLOCKED_LIST)
else:
   ipf.write( "\n".join(ip_list))
   ipf.close()

Back to top
View user's profile Send private message
brfsa
Tux's lil' helper
Tux's lil' helper


Joined: 01 Aug 2005
Posts: 121
Location: Brazil

PostPosted: Mon Jun 30, 2008 1:02 am    Post subject: Reply with quote

sam_i_am,
Very nice and neat implementation u have in there man...

Works great!!!

if I put my password wrong? means Im locked out?

Anyone, better add your public ssh key to the authorized file just in case.

Thanks for sharing your script.
:D
Back to top
View user's profile Send private message
haarp
Guru
Guru


Joined: 31 Oct 2007
Posts: 372

PostPosted: Mon Jul 07, 2008 5:15 pm    Post subject: Reply with quote

Hey,

I added/modified a few filters. If anyone's interested, here's the relevant sections of my blacklist.py. Just add what you need to your own blacklist...

Code:
SSH_REGEX =     [
                        r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
                        r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
                        r"Did not receive (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
                        r"Address (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) maps to (?:.*), but this does not map back to the address - (?P<user>.*)",
                        r"reverse mapping checking getaddrinfo for (?:.*) \[(?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] failed - (?P<user>.*)"
                ]
# SSH_REGEX catches following similar entries:
# Jan  2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from 61.172.192.3 port 54177 ssh2
# Jan  2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from ::ffff:61.172.192.3 port 54177 ssh2
# Oct 21 18:52:01 blinkeye sshd[31286]: Failed password for root from 152.149.148.115 port 36667 ssh2
# Oct 21 18:52:01 blinkeye sshd[31286]: Failed password for root from ::ffff:152.149.148.115 port 36667 ssh2
# Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 152.149.148.115 port 44896 ssh2
# Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from ::ffff:152.149.148.115 port 44896 ssh2                 
# Feb 16 15:07:33 madcat sshd[30582]: Did not receive identification string from 204.191.10.60
# Mar 30 06:14:36 madcat sshd[13621]: Address 218.28.166.67 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
# Jul  3 12:36:25 madcat sshd[1586]: reverse mapping checking getaddrinfo for 66962125.hostnoc.net [66.96.212.5] failed - POSSIBLE BREAK-IN ATTEMPT!


FTP_REGEX =    [
             r"ftp(?:.*) authentication failure(?:.*) rhost=(?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?: user=)*(?P<user>.*)",
             r"proftpd(?:.*)USER (?P<user>.*): no such user found(?:.*)\[(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"
      ]
# FTP_REGEX catches following similar entries:
# Oct  3 19:35:41 blinkeye ftp(pam_unix)[8746]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.222.29.194
# Oct  3 19:35:43 blinkeye ftp(pam_unix)[8746]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.222.29.194  user=root
# Feb 14 08:38:47 madcat proftpd[3247]: madcat (202.96.5.29[202.96.5.29]) - USER Administrator: no such user found from 202.96.5.29 [202.96.5.29] to 192.168.0.5:21


Code:

   # no tolerance for root login attempts
   if ( match.group( 'user' ) == "root" ):
       entry[ 1 ] += PERMITTED_LOGIN_FAILURES
       
   # no tolerance for Administrator login attempts
        if ( match.group( 'user' ) == "Administrator" ):
            entry[ 1 ] += PERMITTED_LOGIN_FAILURES

   # no tolerance for NMAP scans
   if ( match.group( 'user' ) == "identification string" ):
       entry[ 1 ] += PERMITTED_LOGIN_FAILURES

   # no tolerance for possible break-in attempts
   if ( match.group( 'user' ) == "POSSIBLE BREAK-IN ATTEMPT!" ):
       entry[ 1 ] += PERMITTED_LOGIN_FAILURES



Last edited by haarp on Tue Oct 14, 2008 9:11 pm; edited 1 time in total
Back to top
View user's profile Send private message
sam_i_am
Tux's lil' helper
Tux's lil' helper


Joined: 19 Sep 2003
Posts: 124

PostPosted: Wed Aug 06, 2008 3:02 pm    Post subject: Reply with quote

brfsa wrote:
sam_i_am,
if I put my password wrong? means Im locked out?


I'm afraid so. Like you suggested, I don't recommend this if you are using password based logins as there are plenty of chances of getting locked out.

In fact it happened to me just today even with a public key :oops: I was logging in from a XP machine using cygwin and it had my username with first letter in upper case which triggered the block. Fortunately I got in through another machine. I guess a time out feature would make it a bit more forgiving.

Sam
Back to top
View user's profile Send private message
crimson
Guru
Guru


Joined: 27 Apr 2002
Posts: 430
Location: Cedar Rapids, IA

PostPosted: Tue Aug 19, 2008 11:05 pm    Post subject: Reply with quote

I use fail2ban to block failed attempts, and I get quite a few, but I'm curious is there a way to tell what passwords they are trying to use? It only tells me the username. ie: Invalid user test from 123.45.67.89. Out of curiosity I'd like to know what passwords they're using.
Back to top
View user's profile Send private message
haarp
Guru
Guru


Joined: 31 Oct 2007
Posts: 372

PostPosted: Tue Aug 19, 2008 11:07 pm    Post subject: Reply with quote

If your apps log the passwords that are tried then somethings inherently broken. No, that's impossible
Back to top
View user's profile Send private message
crimson
Guru
Guru


Joined: 27 Apr 2002
Posts: 430
Location: Cedar Rapids, IA

PostPosted: Tue Aug 19, 2008 11:11 pm    Post subject: Reply with quote

haarp wrote:
If your apps log the passwords that are tried then somethings inherently broken. No, that's impossible

I guess I would have to write a fake ssh server to log passwords then. I don't know that I'm that curious, but that probably wouldn't be too hard to do.
Back to top
View user's profile Send private message
crimson
Guru
Guru


Joined: 27 Apr 2002
Posts: 430
Location: Cedar Rapids, IA

PostPosted: Tue Aug 19, 2008 11:20 pm    Post subject: Reply with quote

Actually here is an article that shows some researchers doing just that by patching ssh to record passwords, this nearly satisfies my curiosity.
http://www.securityfocus.com/infocus/1876
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3, 4, 5, 6  Next
Page 5 of 6

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum