Gentoo Forums
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies
Andersson
Guru

Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Mon Feb 13, 2006 2:34 am

The logtail error, could it be the same I had a few pages up? You may have the wrong version of logtail. Try either replacing the "-f" with a single space, or download the other version. See the first few posts in this thread. And keep us updated. :)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1043
Location: Gentoo Forums

PostPosted: Mon Feb 13, 2006 8:43 am

if you need to get in touch with me - please write me a private message/email. i don't get any topic-reply-notifications lately :oops:
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
JloR
n00b

Joined: 29 Jun 2004
Posts: 43
Location: Denmark

PostPosted: Mon Feb 13, 2006 9:45 am

Woah, that's huge! Thanks a lot - I am getting sick and tired of all those false positives.

Much needed :)
_________________
-- Jakob L. O. Rosenlund
pteppic
l33t

Joined: 28 Nov 2005
Posts: 781

PostPosted: Wed Feb 15, 2006 10:23 pm

I seem to get variants of
Code:
Feb 14 02:04:09 holly sshd[27554]: Invalid user for dominique from 209.97.205.xx
Feb 15 21:54:58 admin sshd[14191]: error: PAM: Authentication failure for root from 192.168.1.1
Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 152.149.148.115 port 44896 ssh2

in my logfile, the regex I managed to cobble together to catch all this is
Code:
r"(?:error:|Failed|Invalid) (?:user|PAM: Authentication failure|password|keyboard-interactive/pam) (?:none|invalid user)*(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


Can someone tell me if there is anything wrong with this, it appears to work fine, but...

Also if no one shoots it down in flames, it's sshd with PAM or RSA key auth only.
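As an added check of the regex in the post above (example code written for this page, not pteppic's or BlinkEye's script): it runs the regex exactly as posted over a few constructed log lines modelled on the ones quoted, and beside it a tightened variant of my own that consumes the "for " and "invalid user " prefixes so the user group holds only the account name. The sample lines, the documentation-range addresses, and the names ORIGINAL_REGEX, TIGHT_REGEX, parse_line and parse_all are all constructed for the example.

```python
import re

# pteppic's regex, copied from the post above without changes.
ORIGINAL_REGEX = re.compile(
    r"(?:error:|Failed|Invalid) "
    r"(?:user|PAM: Authentication failure|password|keyboard-interactive/pam) "
    r"(?:none|invalid user)*(?P<user>.*?) from (?:::ffff:)*"
    r"(?P<host>(\d{1,3}\.){3}\d{1,3})"
)

# Tightened variant (my own, not from the thread): the optional "for " and
# "invalid user " prefixes are consumed explicitly, so the user group holds
# only the account name, and the host group is one dotted quad.
TIGHT_REGEX = re.compile(
    r"(?:error:|Failed|Invalid) "
    r"(?:user|PAM: Authentication failure|password|keyboard-interactive/pam) "
    r"(?:for )?(?:none |invalid user )?(?P<user>\S+) from (?:::ffff:)?"
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
)

# Constructed sample lines modelled on the three quoted in the post, plus a
# standard "Failed password" line and one successful login. Addresses are
# documentation ranges, not the ones in the post.
SAMPLE_LINES = [
    "Feb 14 02:04:09 holly sshd[27554]: Invalid user for dominique from 192.0.2.10",
    "Feb 15 21:54:58 admin sshd[14191]: error: PAM: Authentication failure for root from 192.168.1.1",
    "Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from ::ffff:198.51.100.5 port 44896 ssh2",
    "Feb 15 21:55:30 admin sshd[14200]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2",
    "Feb 15 21:56:00 admin sshd[14210]: Accepted publickey for alice from 192.168.1.2 port 50000 ssh2",
]


def parse_line(line, regex=ORIGINAL_REGEX):
    """Return (user, host) for a failed-login line, or None when the regex
    does not match (a successful login must never be counted as a failure)."""
    m = regex.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("host")


def parse_all(lines, regex=ORIGINAL_REGEX):
    """Apply parse_line to every line and keep only the matches."""
    return [r for r in (parse_line(l, regex) for l in lines) if r is not None]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX), ("tightened", TIGHT_REGEX)):
        print(name)
        for user, host in parse_all(SAMPLE_LINES, rx):
            print("  user=%-26r host=%s" % (user, host))
```

Both regexes match the same four failure lines and skip the "Accepted publickey" line; the difference is only in what lands in the user group ("for root" versus "root"), which matters once the script starts keying anything on the user name rather than the host.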
castrik
n00b

Joined: 16 Apr 2004
Posts: 31

PostPosted: Sun Feb 19, 2006 12:09 pm

Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?
pteppic
l33t

Joined: 28 Nov 2005
Posts: 781

PostPosted: Sun Feb 19, 2006 12:13 pm

castrik wrote:
Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?


Add
Code:
/usr/bin/blacklist.py &

or whatever the path you saved it to, to /etc/conf.d/local.start and make sure you have local in the runlevels you want it to run in.
Andersson
Guru

Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Mon Feb 20, 2006 12:38 am

castrik wrote:
Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?

If you use a firewall, you could run into trouble. Since the script adds new iptables rules (the chain "BLACKLIST"), starting a firewall after the script might erase this chain. However, I think local.start is run after all the initscripts run. You might still need to start the script again if you restart the firewall. If you happen to use shorewall as your firewall, you can add the following lines to /etc/shorewall/start to make it work nice together with the firewall. Replace the path on the last line with your own.
Code:
killall blacklist.py
/root/scripts/blacklist.py &

(The first line is to make sure only one copy is running, if you restart the firewall for a new configuration.)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
guero61
l33t

Joined: 14 Oct 2002
Posts: 811
Location: Behind you

PostPosted: Mon Feb 20, 2006 4:42 pm

spengy wrote:
I use pure iptables
Code:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --update --seconds 360 --hitcount 4 --rttl --name SSH -j DROP



Even better than DROP, use the TARPIT target - from the iptables manual:

Code:

   TARPIT
       Captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted,
       but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and
       asks  to continue every 60-240 seconds.  Attempts to close the connection are ignored, forcing the remote side
       to time out the connection in 12-24 minutes.

       This offers similar functionality to LaBrea <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
       hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit.

       To tarpit connections to TCP port 80 destined for the current machine:

              iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

       To  significantly slow down Code Red/Nimda-style scans of unused address space, forward unused ip addresses to
       a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable  IP
       forwarding on the Linux box, and add:

              iptables -A FORWARD -p tcp -j TARPIT

              iptables -A FORWARD -j DROP

       NOTE:  If  you use the conntrack module while you are using TARPIT, you should also use the NOTRACK target, or
              the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming
              connections to the standard IRC port while using conntrack, you could:

              iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK

              iptables -A INPUT -p tcp --dport 6667 -j TARPIT


Also, just to be safe I typically do something of the following after my "X in N minutes" rule, both to limit my memory usage and let myself back in (after 45 minutes) if I goof:
Code:

iptables -A ANTI_L337 -p tcp --dport 22 -m recent --rcheck ! --seconds 2700 --name SSH
iptables -A ANTI_L337 -p tcp --dport 22 -m recent --remove --name SSH -j ACCEPT


Of course, I never tested it, so I'm not even certain it works properly...
MatrixM
n00b

Joined: 02 May 2005
Posts: 48
Location: Cyberspace

PostPosted: Mon Feb 20, 2006 6:15 pm

Andersson wrote:
The logtail error, could it be the same I had a few pages up? You may have the wrong version of logtail. Try either replacing the "-f" with a single space, or download the other version. See the first few posts in this thread. And keep us updated. :)


It seems to work fine when it's only trying to catch one regex; it's when I try to modify the script to catch multiple regexes that I get the logtail errors (I'll look into the logtail version I have on the system, though, to see whether that may be the issue at stake or not).
carneboy
n00b

Joined: 11 May 2004
Posts: 63
Location: Riverside, CA

PostPosted: Tue Feb 21, 2006 12:42 am

Thank you so much, this was very easy to set up.

I suggest adding to /etc/init.d/iptables (this works well for me)

under start():

Code:
blacklist.py > /dev/null &


under stop():

Code:
kill `pgrep blacklist.py`
nahpets
Veteran

Joined: 05 Oct 2003
Posts: 1178
Location: Montreal, Canada

PostPosted: Tue Feb 21, 2006 9:13 am

Really cool looking program/script. Is this compatible with Shorewall? I have Shorewall blocking all ports except for 22 and I've disabled password and root login. My box is pretty secure but I'd like to use your program with my current setup cause I guess I'm paranoid 8O
_________________
Let me guess, you picked out yet another colorful box with a crank that I'm expected to turn and turn until OOP! big shock, a jack pops out and you laugh and the kids laugh and the dog laughs and I die a little inside.
Andersson
Guru

Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Feb 21, 2006 12:08 pm

nahpets wrote:
Is this compatible with Shorewall?

Yes, it is. Although you may have to restart the script if you restart shorewall. See my previous post.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Vlad
Apprentice

Joined: 09 Apr 2002
Posts: 264
Location: San Diego, California

PostPosted: Sat Feb 25, 2006 12:04 am

I've been trying to follow this thread, but it seems that regex matching drops from AllowUsers still hasn't been implemented. Is there any chance this can be added to the script? If so, could someone explain how (or better yet, simply paste/link the script)?

This script would be great if it'd just catch those AllowUsers lines.

Vlad
spindle
Apprentice

Joined: 01 Dec 2003
Posts: 239

PostPosted: Sun Feb 26, 2006 9:23 pm    Post subject: rc-update script

carneboy wrote:
Thank you so much, this was very easy to set up.

I suggest adding to /etc/init.d/iptables (this works well for me)

under start():

Code:
blacklist.py > /dev/null &


under stop():

Code:
kill `pgrep blacklist.py`


This inspired me to take this a step further and I wrote up a separate init script for this,

/etc/init.d/blacklist
Code:
#!/sbin/runscript
# Distributed under the terms of the GNU General Public License v2
# Copyright 2006 spindle aka Mike Nelson
#
# Refer to forum post: http://forums.gentoo.org/viewtopic-p-3141510.html#3141510
# Thanks to: blinkeye aka Reto Glauser for the blacklist.py script and
# carneboy for the inspiration for this script
#
# Date: 2006-02-26
# Version 0.1


# you may want to uncomment the below if using iptables in rc-update, but
# it is probably not necessary
#depend() {
#       use iptables
#}

start() {
        ebegin "Starting blacklist.py"
        start-stop-daemon --start --quiet --background --exec /usr/sbin/blacklist.py
        eend $?
}

stop() {
        ebegin "Stopping blacklist.py"
        start-stop-daemon --stop --quiet --name blacklist.py
        eend $?
}

Copy the above into a file named /etc/init.d/blacklist. Then,
Code:
# chmod 755 /etc/init.d/blacklist

This script assumes that you put the blacklist.py script in /usr/sbin and that it's executable. You can do that by,
Code:
cp blacklist.py /usr/sbin
chmod a+x /usr/sbin/blacklist.py

To add to default runlevel, so it starts up automatically,
Code:
# rc-update add blacklist default

Then you can start/stop it like other init scripts,
Code:
# /etc/init.d/blacklist start
# /etc/init.d/blacklist stop
# /etc/init.d/blacklist restart



blacklist.py is a sweet little script, thanks Blinkeye!
BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1043
Location: Gentoo Forums

PostPosted: Tue Feb 28, 2006 5:27 pm

:oops:

I don't get any more topic replies. It was just pure luck that I stumbled on my own thread 8O. Thanks for all the input. I'll release a new version soon where I'll take into account your suggestions and features. Some (like the issue where the script is already running and you rerun it, or where your iptables rules for the script have been flushed) have already been implemented and are now thoroughly tested. What I want (which on the other hand joins other issues you brought up) is to have several regex lines (in particular for me an ftp regex). I get a lot of login tries there too. When this logic is implemented it will be very easy for anyone to add a new regex.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Andersson
Guru

Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Wed Mar 01, 2006 12:32 am

I'm looking forward to the update. I get more and more login attempts every day. If you want me to email you every time I see a new reply here, just ask! ;)

I saw a link to this script in another thread: http://www.csc.liv.ac.uk/~greg/sshdfilter/
It is similar to yours, but it has one neat feature. I quote from the web page: "sshdfilter starts sshd itself, having started sshd with the -e and -D options. This means it can see events as they happen."

Very cool. You think we can have that as well? However, that would make my other suggestion a lot harder: support for multiple log files. That way you could block people abusing your web server as well. :)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
BlinkEye
Veteran

Joined: 21 Oct 2003
Posts: 1043
Location: Gentoo Forums

PostPosted: Fri Mar 03, 2006 9:19 pm

New version 0.4.2 is out (other changes will follow):

2006-03-03
* Added new function handlepid() to check if an instance is already running (thanks to Erik J.)
* Added try/except block to handle the issue if iptables get flushed while the script is running
* Added try/except block to handle the different logtail versions
* Fixed an issue where wrong entries would be written to the LOG_OUTPUT (modifying the hash table while iterating through it without making a copy)
* Minor speed improvement

So, you may safely try to start the script several times (it won't work :wink: ) and safely flush/restart your iptables rules. The script will (re)add the necessary iptables rules the next time it blocks an IP.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
MrBlc
n00b

Joined: 16 Mar 2004
Posts: 30

PostPosted: Thu Mar 09, 2006 12:44 pm

Great script, but.. i was wondering about the same as Andersson mentioned...

in my auth.log file i get attempts like these:
Code:

Mar  6 03:47:53 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar  6 03:47:53 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar  6 03:47:54 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar  6 03:47:54 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - Maximum login attempts (3) exceeded


and that is repeated over and over again..

I would like it if there was an option to add a regex to cover that as well..

Fortunately, my proftpd is using an SQL backend so no real users exist on it, but still.. I have A LOT of attempts on that, and blocking them would save me the headache of wondering whether or not they sooner or later manage to break into an account..

-blc
pteppic
l33t

Joined: 28 Nov 2005
Posts: 781

PostPosted: Thu Mar 09, 2006 2:05 pm

Andersson wrote:
[snip] support for multiple log files. That way you could block people abusing your web server as well. :)


I can see two ways of doing this: set up syslog-ng to filter all transactions you want scrutinised to a specific log file, and write the regex to cope.
OR set up the logfile variable(s) as a list object, with the index pointing to the relevant regex stored in a dictionary object, then run the check function as a 'for in' loop.

I would tinker with this myself, but as the project is still very much under development I have no wish to be stepping on toes, if this however is not the case, let me know and I'll tinker away....
MatrixM
n00b

Joined: 02 May 2005
Posts: 48
Location: Cyberspace

PostPosted: Fri Mar 10, 2006 6:02 pm

(crossposted to actual forum thread as well as PM to BlinkEye with log dumps trimmed for forum post)

Sorry for such a long forum post, just trying to help get in the development of the script as best I can since my coding skills are lacking.

I'm still getting people that are trying to use the root account to login not being blocked. A prime example of this is seen in the below output of my auth.log file. A single site was hammering my system for over 15 minutes trying to get in on the root account. Not only did it not block the account for trying to use root to login, but it also didn't block the account out after 30 seconds of hammering the system.

The only change I had to make to the script for my system was to point it to the proper location of logtail (/usr/bin/logtail instead of /usr/sbin/logtail). I don't believe that change would have disabled the blocking of the root login attempts.

I did a quick grep of my logs just to check to see if any of the non-AllowUsers attempts are being blocked, and it doesn't appear that they are. So I'm including two different grep outputs here, the first is from a grep of just root attempts on the server. The second will be a grep of AllowUsers with the root attempts stripped out via sed (at the very bottom of the root listing).

Hope that the log outputs can help in further development of the script.

grep root /var/log/auth.log wrote:

Mar 7 02:37:29 tammy sshd[8559]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 02:37:31 tammy sshd[8561]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 02:37:33 tammy sshd[8563]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 12:57:10 tammy sshd[14330]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 12:57:10 tammy sshd[14332]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 12:57:11 tammy sshd[14334]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 14:27:16 tammy sshd[15213]: User root from 218.71.137.69 not allowed because not listed in AllowUsers
<snip>
Mar 7 14:29:16 tammy sshd[15347]: User root from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 16:01:56 tammy sshd[16452]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:44 tammy sshd[16510]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:49 tammy sshd[16512]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:09 tammy sshd[16524]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:17 tammy sshd[16526]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:22 tammy sshd[16528]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:27 tammy sshd[16530]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:30 tammy sshd[16532]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 8 01:11:38 tammy sshd[624]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:38 tammy sshd[626]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:39 tammy sshd[628]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:39 tammy sshd[630]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:40 tammy sshd[632]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:41 tammy sshd[634]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:41 tammy sshd[636]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:42 tammy sshd[638]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 9 23:52:17 tammy sshd[26705]: User root from lcsworld.propagation.net not allowed because not listed in AllowUsers
<snip>
Mar 9 23:55:15 tammy sshd[26823]: User root from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 10 04:12:04 tammy sshd[29330]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 04:12:06 tammy sshd[29332]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 04:12:08 tammy sshd[29338]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 06:20:23 tammy sshd[30759]: User root from ich-4.com not allowed because not listed in AllowUsers
<snip about 2000 lines>
Mar 10 06:37:48 tammy sshd[1565]: User root from ich-4.com not allowed because not listed in AllowUsers
Mar 10 07:15:30 tammy sshd[1931]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 07:15:32 tammy sshd[1933]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 07:15:34 tammy sshd[1935]: User root from 61.185.217.214 not allowed because not listed in AllowUsers


grep AllowUsers /var/log/messages | sed -e '/root/d' wrote:

Mar 7 14:26:43 tammy sshd[15175]: User alias from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:26:57 tammy sshd[15189]: User cyrus from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:02 tammy sshd[15199]: User ftp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:08 tammy sshd[15205]: User postmaster from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:10 tammy sshd[15207]: User postfix from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:12 tammy sshd[15209]: User postgres from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:30 tammy sshd[15231]: User apache from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:33 tammy sshd[15235]: User mysql from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:43 tammy sshd[15245]: User named from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:14 tammy sshd[15345]: User nobody from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:41 tammy sshd[15377]: User news from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:45 tammy sshd[15381]: User games from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:49 tammy sshd[15385]: User mail from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:51 tammy sshd[15387]: User adm from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:18 tammy sshd[15431]: User operator from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:25 tammy sshd[15435]: User sshd from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:32 tammy sshd[15447]: User bin from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:34 tammy sshd[15449]: User daemon from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:41 tammy sshd[15451]: User lp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:43 tammy sshd[15453]: User sync from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:45 tammy sshd[15455]: User shutdown from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:48 tammy sshd[15457]: User halt from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:50 tammy sshd[15459]: User uucp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:51 tammy sshd[15461]: User smmsp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:32:12 tammy sshd[15559]: User rpc from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 16:00:10 tammy sshd[16406]: User alias from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:00:58 tammy sshd[16424]: User cyrus from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:16 tammy sshd[16434]: User ftp from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:36 tammy sshd[16440]: User postmaster from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:41 tammy sshd[16446]: User postfix from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:46 tammy sshd[16448]: User postgres from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:02:38 tammy sshd[16474]: User apache from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:02:45 tammy sshd[16478]: User mysql from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:09 tammy sshd[16492]: User named from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 9 23:52:15 tammy sshd[26701]: User mysql from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:52:36 tammy sshd[26719]: User squid from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:52:42 tammy sshd[26723]: User postmaster from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:01 tammy sshd[26735]: User games from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:13 tammy sshd[26741]: User ftp from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:15 tammy sshd[26745]: User news from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:54:04 tammy sshd[26775]: User nobody from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:54:50 tammy sshd[26805]: User lp from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 10 06:19:10 tammy sshd[30507]: User bin from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:11 tammy sshd[30509]: User daemon from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:11 tammy sshd[30511]: User adm from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:12 tammy sshd[30513]: User lp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:12 tammy sshd[30515]: User sync from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:13 tammy sshd[30517]: User shutdown from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:14 tammy sshd[30519]: User halt from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:14 tammy sshd[30525]: User mail from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:15 tammy sshd[30527]: User news from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:16 tammy sshd[30529]: User uucp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:16 tammy sshd[30531]: User operator from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:17 tammy sshd[30533]: User games from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:18 tammy sshd[30537]: User ftp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:19 tammy sshd[30539]: User nobody from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:22 tammy sshd[30547]: User sshd from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:22 tammy sshd[30549]: User rpc from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:25 tammy sshd[30559]: User smmsp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:26 tammy sshd[30561]: User apache from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:27 tammy sshd[30563]: User squid from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:29 tammy sshd[30569]: User xfs from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:29 tammy sshd[30571]: User named from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:31 tammy sshd[30575]: User gdm from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:31 tammy sshd[30577]: User mysql from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:33 tammy sshd[30581]: User postfix from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:01 tammy sshd[31271]: User sync from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:02 tammy sshd[31273]: User games from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:03 tammy sshd[31275]: User man from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:03 tammy sshd[31277]: User news from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:04 tammy sshd[31279]: User uucp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:05 tammy sshd[31283]: User postgres from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:07 tammy sshd[31289]: User operator from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:10 tammy sshd[31297]: User nobody from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:11 tammy sshd[31301]: User man from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:16 tammy sshd[31321]: User postfix from ich-4.com not allowed because not listed in AllowUsers
Andersson
Guru

Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Fri Mar 10, 2006 7:52 pm

MatrixM: Are all the log lines of the form "User X from Y not allowed because not listed in AllowUsers"? If so, is it the syntax of a regexp for catching these you are having problems with? Something else? Which regexp are you using in the script right now?

Also, some of the hosts in your log are IP numbers, others are domain names. They should all be IP numbers for the script to work. Do you have that "useDNS" setting enabled or disabled in your sshd config?
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
MatrixM
n00b

Joined: 02 May 2005
Posts: 48
Location: Cyberspace

PostPosted: Sat Mar 11, 2006 1:16 am

I just checked the sshd_config file, and the useDNS option was commented out. Not sure what its default setting is, but I'll assume that it's on since I'm getting DNS lookups in the auth.log file. I went ahead and changed it to useDNS no and uncommented the section (and remembered to /etc/init.d/sshd restart as well).

The "User X from Y not allowed because not listed in AllowUsers" is the one string that's not being blocked by the script right now. I'm guessing that is why the root attempts aren't being blocked either since they don't match the original REGEX search pattern as well.

I really like this script, I just wish there was some way to get it to ban people who were trying invalid accounts as well (since there are only two accounts not blocked, I wonder why some are even being blocked at all).

I just don't know enough about regex to alter the existing line so that it will search for its existing stuff as well as the AllowUsers listings (and thus still catch the root attempts like the script seems to be supposed to be doing).
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Sat Mar 11, 2006 2:20 am    Post subject:

Well, blinkeye promised to support multiple regular expressions in the next version, so I guess you have to wait. Or, you could always run two instances of the script. :D

I love a quick and dirty fix, so I had to try this immediately. It seems to be working, and I don't see why it shouldn't. So, copy the script to a new file, and make some modifications: You need to change the name of the iptables chain, and it needs a separate offset file for logtail. And, just in case, I gave it a separate log file. It's a few lines you need to change. Actually, it's probably more lines than needed to add support for multiple regexps. But less testing is needed. ;)

Add the "2" to these lines:
Code:
LOG_OUTPUT = "/var/log/blacklist2.log"
PID_FILE = "/var/run/blacklist2.pid"
CUSTOM_CHAIN = "BLACKLIST2"

and add this line in the same section (feel free to use another file, but keep the space character inside the quotes):
Code:
LOG_OFFSET = " /root/scripts/.blacklist2_offset"

and change the regexp you're using to this:
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: User (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3}) not allowed because not listed in AllowUsers"

And add the offset file to these two lines (in the scan function at around line 150, they also appear in the test mode around line 220, but you can skip them):
Code:
              regex_matches = re_invalid.findall( system_command( LOGTAIL + " -f " + LOG_INPUT + LOG_OFFSET ) )

and
Code:
              regex_matches = re_invalid.findall( system_command( LOGTAIL + " " + LOG_INPUT + LOG_OFFSET) )

(Don't cut and paste here, mind the indentation. Python is tricky like that.)

Oh, and the syntax for a specific offset file might actually be different if you use the "-f" version of logtail. Try to type "logtail" and see what it says.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
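An added example (not the thread's blacklist script) showing what the two-regexp setup above amounts to when done in one place: the original "Invalid user" pattern and the AllowUsers pattern from the post, both requiring a dotted-quad host so that DNS-resolved names such as those in MatrixM's log are skipped, run over a constructed sample of log lines and tallied per host. Threshold, pattern list and sample lines are assumptions for illustration.

```python
import re
from collections import Counter

# Added example, not the thread's blacklist script. Both patterns require a
# dotted-quad host (optionally with the IPv4-mapped "::ffff:" prefix), so a
# line that names a DNS host (UseDNS yes) does not match, as Andersson notes.
HOST = r"(?:::ffff:)*(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
PATTERNS = [
    # the "Invalid user" line the script's original regexp covers
    re.compile(r"sshd\[[0-9]+\]: Invalid user (?P<user>\S+) from " + HOST),
    # the AllowUsers line from the post above
    re.compile(r"sshd\[[0-9]+\]: User (?P<user>.*?) from " + HOST
               + r" not allowed because not listed in AllowUsers"),
]

def failed_attempts(lines):
    """Return {host: count} over all lines matching any pattern."""
    hits = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count each line at most once
    return hits

def hosts_to_block(lines, threshold):
    """Hosts with at least `threshold` matching lines: the ban candidates."""
    return sorted(h for h, n in failed_attempts(lines).items() if n >= threshold)

# Constructed sample modelled on the lines quoted in this thread
# (192.0.2.10 is a documentation address, not a real attacker).
SAMPLE = """\
Mar 12 16:04:01 clint sshd[6122]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Mar 12 16:04:11 clint sshd[6136]: Invalid user admin from 192.0.2.10
Mar 12 16:04:18 clint sshd[6142]: Invalid user test from 192.0.2.10
Mar 12 16:04:24 clint sshd[6149]: User guest not allowed because shell /dev/null is not executable
Mar 10 06:23:03 tammy sshd[31277]: User news from ich-4.com not allowed because not listed in AllowUsers
Mar 13 22:08:01 blinkeye sshd[19817]: User test from ::ffff:10.10.10.3 not allowed because not listed in AllowUsers
""".splitlines()

if __name__ == "__main__":
    print(failed_attempts(SAMPLE))   # Counter({'192.0.2.10': 3, '10.10.10.3': 1})
    print(hosts_to_block(SAMPLE, 3))  # ['192.0.2.10']
```

The "shell ... is not executable" and DNS-name lines are left uncounted on purpose; a second instance of the script, as described above, behaves the same way for its own regexp.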
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1043
Location: Gentoo Forums

PostPosted: Mon Mar 13, 2006 9:11 pm    Post subject:

I'm currently testing a new version (allowing multiple regex for both ssh and ftp). I just wonder why you only get similar lines to
Code:
Mar 8 01:11:39 tammy sshd[630]: User root from 72.36.231.146 not allowed because not listed in AllowUsers

...

If I explicitly specify which users to allow in sshd_config I get those lines too BUT along with the usual entries.

The lines for one attempt:
Code:
Mar 13 22:08:01 blinkeye sshd[19817]: User test from 10.10.10.3 not allowed because not listed in AllowUsers
Mar 13 22:08:01 blinkeye sshd[19817]: Failed none for invalid user test from 10.10.10.3 port 60991 ssh2
Mar 13 22:08:07 blinkeye sshd(pam_unix)[19822]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.3  user=test
Mar 13 22:08:10 blinkeye sshd[19817]: error: PAM: Authentication failure for illegal user test from 10.10.10.3
Mar 13 22:08:10 blinkeye sshd[19817]: Failed keyboard-interactive/pam for invalid user test from 10.10.10.3 port 60991 ssh2


Are you really sure you don't get the usual "Failed keyboard-interactive/pam ..." lines too?
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Mar 14, 2006 3:12 am    Post subject:

I get more lines if I try to log in manually:
Code:
Mar 11 03:18:33 clint sshd[8894]: Invalid user test from 193.27.xx.xx
Mar 11 03:18:35 clint sshd(pam_unix)[8900]: check pass; user unknown
Mar 11 03:18:35 clint sshd(pam_unix)[8900]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.27.xx.xx
Mar 11 03:18:37 clint sshd[8894]: error: PAM: Authentication failure for illegal user test from 193.27.xx.xx
Mar 11 03:18:37 clint sshd[8894]: Failed keyboard-interactive/pam for invalid user test from 193.27.xx.xx port 2263 ssh2

But the attempts coming from the script kiddies look like this:
Code:
Mar 12 15:55:54 clint sshd[5841]: Did not receive identification string from 83.248.169.252
Mar 12 16:04:01 clint sshd[6122]: User root from 83.248.169.252 not allowed because not listed in AllowUsers
Mar 12 16:04:11 clint sshd[6136]: Invalid user admin from 83.248.169.252
Mar 12 16:04:18 clint sshd[6142]: Invalid user test from 83.248.169.252
Mar 12 16:04:24 clint sshd[6149]: User guest not allowed because shell /dev/null is not executable
Mar 12 16:04:30 clint sshd[6155]: Invalid user webmaster from 83.248.169.252
Mar 12 16:06:25 clint sshd[6155]: fatal: Timeout before authentication for 83.248.169.252

_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...