Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Mon Feb 13, 2006 2:34 am
The logtail error, could it be the same I had a few pages up? You may have the wrong version of logtail. Try either replacing the "-f" with a single space, or download the other version. See the first few posts in this thread. And keep us updated.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Mon Feb 13, 2006 8:43 am
If you need to get in touch with me, please write me a private message/email. I don't get any topic-reply notifications lately.
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
JloR n00b
Joined: 29 Jun 2004 Posts: 43 Location: Denmark
Posted: Mon Feb 13, 2006 9:45 am
Woah, that's huge! Thanks a lot - I am getting sick and tired of all those false positives.
Much needed :)
_________________
-- Jakob L. O. Rosenlund
pteppic l33t
Joined: 28 Nov 2005 Posts: 781
Posted: Wed Feb 15, 2006 10:23 pm
I seem to get variants of
Code:
Feb 14 02:04:09 holly sshd[27554]: Invalid user for dominique from 209.97.205.xx
Feb 15 21:54:58 admin sshd[14191]: error: PAM: Authentication failure for root from 192.168.1.1
Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 152.149.148.115 port 44896 ssh2
in my logfile. The regex I managed to cobble together to catch all this is
Code:
r"(?:error:|Failed|Invalid) (?:user|PAM: Authentication failure|password|keyboard-interactive/pam) (?:none|invalid user)*(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"
Can someone tell me if there is anything wrong with this? It appears to work fine, but...
Also, if no one shoots it down in flames, it's sshd with PAM or RSA key auth only.
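As an added example (not pteppic's post or blacklist.py code), here is a small harness that runs the regex above over constructed log lines modelled on the three quoted ones (documentation addresses replace the masked one, and a plain "Invalid user X from" line and a "Failed none" line are added) and shows what the user group actually captures. The "tighter" variant, which consumes the "for " token and the "invalid user"/"none" noise before capturing and makes the octet group non-capturing, is an assumption of this example, not something from the thread.

```python
import re

# pteppic's regex, exactly as posted above.
POSTED_REGEX = re.compile(
    r"(?:error:|Failed|Invalid) "
    r"(?:user|PAM: Authentication failure|password|keyboard-interactive/pam) "
    r"(?:none|invalid user)*(?P<user>.*?) from (?:::ffff:)*"
    r"(?P<host>(\d{1,3}\.){3}\d{1,3})"
)

# Assumed variant (not from the thread): swallow "for " and the
# "invalid user "/"none " noise before capturing, so <user> is the bare
# name; also accept "Failed none" lines. The octet group is non-capturing
# so findall() yields clean (user, host) pairs.
TIGHTER_REGEX = re.compile(
    r"(?:error:|Failed|Invalid) "
    r"(?:user|PAM: Authentication failure|password|none|keyboard-interactive/pam) "
    r"(?:for )?(?:invalid user |none )?(?P<user>\S+) from (?:::ffff:)?"
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
)

# Constructed sample lines modelled on the ones quoted in the post
# (192.0.2.0/24 is a documentation range); the last one is the second line
# sshd writes when AllowUsers rejects a login.
SAMPLE_LINES = [
    "Feb 14 02:04:09 holly sshd[27554]: Invalid user for dominique from 192.0.2.10",
    "Feb 15 21:54:58 admin sshd[14191]: error: PAM: Authentication failure for root from 192.0.2.20",
    "Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 192.0.2.30 port 44896 ssh2",
    "Mar 1 10:00:00 holly sshd[100]: Failed password for invalid user admin from 192.0.2.40 port 1234 ssh2",
    "Mar 1 10:00:01 holly sshd[101]: Invalid user admin from 192.0.2.50",
    "Mar 13 22:08:01 blinkeye sshd[19817]: Failed none for invalid user test from 10.10.10.3 port 60991 ssh2",
]


def extract(regex, lines):
    """Return (user, host) for every line the regex matches, in log order."""
    found = []
    for line in lines:
        m = regex.search(line)
        if m:
            found.append((m.group("user"), m.group("host")))
    return found


def findall_width(regex, line):
    """Items per hit from findall(): an extra capturing group such as the
    octet group in the posted regex widens the tuple the script unpacks."""
    hits = regex.findall(line)
    return len(hits[0]) if hits else 0


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_REGEX), ("tighter", TIGHTER_REGEX)):
        print(name)
        for user, host in extract(rx, SAMPLE_LINES):
            print("  user=%r host=%s" % (user, host))
```

With the posted regex the user group comes back as "for root" or "for invalid user admin" on most lines but as a bare "admin" on the plain "Invalid user" line, so anything keyed on the user name sees inconsistent values; the host group is fine either way, which is why the script still blocks correctly.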
castrik n00b
Joined: 16 Apr 2004 Posts: 31
Posted: Sun Feb 19, 2006 12:09 pm
Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?
pteppic l33t
Joined: 28 Nov 2005 Posts: 781
Posted: Sun Feb 19, 2006 12:13 pm
castrik wrote:
Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?
Add
Code:
/usr/bin/blacklist.py &
or whatever path you saved it to, to /etc/conf.d/local.start, and make sure you have local in the runlevels you want it to run in.
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Mon Feb 20, 2006 12:38 am
castrik wrote:
Does anyone know how to make this into a daemon, so it can be run from startup and without an open terminal?
If you use a firewall, you could run into trouble. Since the script adds new iptables rules (the chain "BLACKLIST"), starting a firewall after the script might erase this chain. However, I think local.start is run after all the initscripts run. You might still need to start the script again if you restart the firewall. If you happen to use shorewall as your firewall, you can add the following lines to /etc/shorewall/start to make it work nicely together with the firewall. Replace the path on the last line with your own.
Code:
killall blacklist.py
/root/scripts/blacklist.py &
(The first line is to make sure only one copy is running, if you restart the firewall for a new configuration.)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
guero61 l33t
Joined: 14 Oct 2002 Posts: 811 Location: Behind you
Posted: Mon Feb 20, 2006 4:42 pm
spengy wrote:
I use pure iptables
Code:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --update --seconds 360 --hitcount 4 --rttl --name SSH -j DROP
Even better than DROP, use the TARPIT target - from the iptables manual:
Code:
TARPIT
Captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted,
but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and
asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side
to time out the connection in 12-24 minutes.
This offers similar functionality to LaBrea <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit.
To tarpit connections to TCP port 80 destined for the current machine:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
To significantly slow down Code Red/Nimda-style scans of unused address space, forward unused ip addresses to
a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:
iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP
NOTE: If you use the conntrack module while you are using TARPIT, you should also use the NOTRACK target, or
the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming connections
to the standard IRC port while using conntrack, you could:
iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
iptables -A INPUT -p tcp --dport 6667 -j TARPIT
Also, just to be safe I typically do something like the following after my "X in N minutes" rule, both to limit my memory usage and to let myself back in (after 45 minutes) if I goof:
Code:
iptables -A ANTI_L337 -p tcp --dport 22 -m recent --rcheck ! --seconds 2700 --name SSH
iptables -A ANTI_L337 -p tcp --dport 22 -m recent --remove --name SSH -j ACCEPT
Of course, I never tested it, so I'm not even certain it works properly...
MatrixM n00b
Joined: 02 May 2005 Posts: 48 Location: Cyberspace
Posted: Mon Feb 20, 2006 6:15 pm
Andersson wrote:
The logtail error, could it be the same I had a few pages up? You may have the wrong version of logtail. Try either replacing the "-f" with a single space, or download the other version. See the first few posts in this thread. And keep us updated.
It seems to work fine when it's only trying to catch one regex; it's when I try to modify the script to catch multiple regexes that I get the logtail errors (I'll look into the logtail version I have on the system, though, to see whether or not that may be the issue at stake).
carneboy n00b
Joined: 11 May 2004 Posts: 63 Location: Riverside, CA
Posted: Tue Feb 21, 2006 12:42 am
Thank you so much, this was very easy to set up.
I suggest adding to /etc/init.d/iptables (this works well for me)
under start():
Code:
blacklist.py > /dev/null &
under stop():
Code:
kill `pgrep blacklist.py`
nahpets Veteran
Joined: 05 Oct 2003 Posts: 1178 Location: Montreal, Canada
Posted: Tue Feb 21, 2006 9:13 am
Really cool looking program/script. Is this compatible with Shorewall? I have Shorewall blocking all ports except for 22 and I've disabled password and root login. My box is pretty secure but I'd like to use your program with my current setup cause I guess I'm paranoid.
_________________
Let me guess, you picked out yet another colorful box with a crank that I'm expected to turn and turn until OOP! big shock, a jack pops out and you laugh and the kids laugh and the dog laughs and I die a little inside.
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Tue Feb 21, 2006 12:08 pm
nahpets wrote:
Is this compatible with Shorewall?
Yes, it is. Although you may have to restart the script if you restart shorewall. See my previous post.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Vlad Apprentice
Joined: 09 Apr 2002 Posts: 264 Location: San Diego, California
Posted: Sat Feb 25, 2006 12:04 am
I've been trying to follow this thread, but it seems that regex matching drops from AllowUsers still hasn't been implemented. Is there any chance this can be added to the script? If so, could someone explain how (or better yet, simply paste/link the script)?
This script would be great if it'd just catch those AllowUsers lines.
Vlad
spindle Apprentice
Joined: 01 Dec 2003 Posts: 245
Posted: Sun Feb 26, 2006 9:23 pm Post subject: rc-update script
carneboy wrote:
Thank you so much, this was very easy to set up.
I suggest adding to /etc/init.d/iptables (this works well for me)
under start():
Code:
blacklist.py > /dev/null &
under stop():
Code:
kill `pgrep blacklist.py`
This inspired me to take this a step further and I wrote up a separate init script for this,
/etc/init.d/blacklist
Code:
#!/sbin/runscript
# Distributed under the terms of the GNU General Public License v2
# Copyright 2006 spindle aka Mike Nelson
#
# Refer to forum post: http://forums.gentoo.org/viewtopic-p-3141510.html#3141510
# Thanks to: blinkeye aka Reto Glauser for the blacklist.py script and
# carneboy for the inspiration for this script
#
# Date: 2006-02-26
# Version 0.1
# you may want to uncomment the below if using iptables in rc-update, but
# it is probably not necessary
#depend() {
# use iptables
#}
start() {
ebegin "Starting blacklist.py"
start-stop-daemon --start --quiet --background --exec /usr/sbin/blacklist.py
eend $?
}
stop() {
ebegin "Stopping blacklist.py"
start-stop-daemon --stop --quiet --name blacklist.py
eend $?
}
Copy the above into a file named /etc/init.d/blacklist. Then,
Code:
# chmod 755 /etc/init.d/blacklist
This script assumes that you put the blacklist.py script in /usr/sbin and that it's executable. You can do that by,
Code:
cp blacklist.py /usr/sbin
chmod a+x /usr/sbin/blacklist.py
To add it to the default runlevel, so it starts up automatically,
Code:
# rc-update add blacklist default
Then you can start/stop it like other init scripts,
Code:
# /etc/init.d/blacklist start
# /etc/init.d/blacklist stop
# /etc/init.d/blacklist restart
blacklist.py is a sweet little script, thanks Blinkeye!
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Tue Feb 28, 2006 5:27 pm
I don't get any more topic replies. It's just pure luck that I stumbled on my own thread. Thanks for all the input. I'll release a new version soon where I'll take into account your suggestions and features. Some (like the issue where the script is already running and you rerun it, or where your iptables rules for the script have been flushed) have already been implemented and are now thoroughly tested. What I want (which on the other hand joins other issues you brought up) is to have several regex lines (in particular, for me, an ftp regex). I get a lot of login tries there too. When this logic is implemented it will be very easy for anyone to add a new regex.
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Wed Mar 01, 2006 12:32 am
I'm looking forward to the update. I get more and more login attempts every day. If you want me to email you every time I see a new reply here, just ask!
I saw a link to this script in another thread: http://www.csc.liv.ac.uk/~greg/sshdfilter/
It is similar to yours, but it has one neat feature. I quote from the web page: "sshdfilter starts sshd itself, having started sshd with the -e and -D options. This means it can see events as they happen."
Very cool. You think we can have that as well? However, that would make my other suggestion a lot harder: support for multiple log files. That way you could block people abusing your web server as well.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Fri Mar 03, 2006 9:19 pm
New version 0.4.2 is out (other changes will follow):
2006-03-03
* Added new function handlepid() to check if an instance is already running (thanks to Erik J.)
* Added try/except block to handle the issue if iptables get flushed while the script is running
* Added try/except block to handle the different logtail versions
* Fixed an issue where wrong entries would be written to the LOG_OUTPUT (modifying the hash table while iterating through it without making a copy)
* Minor speed improvement
So, you may safely try to start the script several times (it won't work) and safely flush/restart your iptables rules. The script will (re)add the necessary iptables rules the next time it blocks an IP.
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
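As an added example (not BlinkEye's handlepid() or any other blacklist.py code) of what the "instance already running" check has to cover: a pid-file claim that uses an exclusive create so two instances racing for a fresh file cannot both win, probes the recorded pid with signal 0 so a stale file left behind by a crash does not keep the script from starting, and only removes the file on shutdown if it still names this process. Paths, function names and the scratch-directory walkthrough are assumptions of this example.

```python
import errno
import os
import subprocess
import sys
import tempfile


def read_pid(pid_file):
    """Return the pid recorded in pid_file, or None if it is missing or garbled."""
    try:
        with open(pid_file) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def pid_alive(pid):
    """Probe with signal 0: nothing is delivered, but the kernel reports whether
    the pid exists (EPERM means it exists under another user)."""
    if pid is None or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def handle_pid(pid_file, my_pid=None):
    """Claim pid_file for my_pid. True if this instance now owns it, False if a
    live instance already does. A stale file (dead pid) is replaced. O_EXCL
    makes the create atomic, so two fresh starts cannot both succeed."""
    my_pid = os.getpid() if my_pid is None else my_pid
    for _ in range(2):  # second pass only after clearing a stale file
        try:
            fd = os.open(pid_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            other = read_pid(pid_file)
            if other is not None and other != my_pid and pid_alive(other):
                return False  # a live instance holds the file
            try:
                os.remove(pid_file)  # stale (or our own): clear it and retry
            except FileNotFoundError:
                pass
            continue
        with os.fdopen(fd, "w") as fh:
            fh.write("%d\n" % my_pid)
        return True
    return False


def release_pid(pid_file, my_pid=None):
    """Remove the pid file on shutdown, but only if it still names us."""
    my_pid = os.getpid() if my_pid is None else my_pid
    if read_pid(pid_file) != my_pid:
        return False
    os.remove(pid_file)
    return True


def demo():
    """Walk through the three cases in a scratch directory; returns the outcomes."""
    pid_file = os.path.join(tempfile.mkdtemp(), "blacklist.pid")
    me = os.getpid()
    first = handle_pid(pid_file, me)        # fresh file: claimed
    second = handle_pid(pid_file, me + 1)   # "another" instance while we live: refused
    # Simulate a crashed earlier instance by recording a pid that has exited.
    gone = subprocess.Popen([sys.executable, "-c", "pass"])
    gone.wait()
    with open(pid_file, "w") as fh:
        fh.write("%d\n" % gone.pid)
    stale = handle_pid(pid_file, me)        # stale file: taken over
    owner_is_me = read_pid(pid_file) == me
    released = release_pid(pid_file, me)
    return {"first": first, "second": second, "stale": stale,
            "owner_is_me": owner_is_me, "released": released}


if __name__ == "__main__":
    print(demo())
```

In blacklist.py terms this is the job of handlepid() with PID_FILE: call it at startup and exit when it returns False, and release the file from the shutdown path. Probing the pid rather than just testing whether the file exists is what makes a leftover file after a crash or a `kill -9` harmless.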
MrBlc n00b
Joined: 16 Mar 2004 Posts: 30
Posted: Thu Mar 09, 2006 12:44 pm
Great script, but... I was wondering about the same as Andersson mentioned...
In my auth.log file I get attempts like these:
Code:
Mar 6 03:47:53 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar 6 03:47:53 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar 6 03:47:54 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - USER Administrator: no such user found from 219-81-19-30.static.tfn.net.tw [219.81.19.30] to 69.60.118.95:21
Mar 6 03:47:54 freya proftpd[3773]: freya (219-81-19-30.static.tfn.net.tw[219.81.19.30]) - Maximum login attempts (3) exceeded
and that is repeated over and over again...
I would like it if there was an option to add a regex to cover that as well...
Fortunately, my proftpd is using an sql backend so no real users exist on it, but still... I have A LOT of attempts on that, and blocking them would save me the headache of wondering whether or not they sooner or later manage to break into an account...
-blc
pteppic l33t
Joined: 28 Nov 2005 Posts: 781
Posted: Thu Mar 09, 2006 2:05 pm
Andersson wrote:
[snip] support for multiple log files. That way you could block people abusing your web server as well.
I can see two ways of doing this: set up syslog-ng to filter all transactions you want scrutinised to a specific log file, and write the regex to cope.
OR set up the logfile variable(s) as a list object, with the index pointing to the relevant regex stored in a dictionary object, then run the check function as a 'for in' loop.
I would tinker with this myself, but as the project is still very much under development I have no wish to be stepping on toes; if this however is not the case, let me know and I'll tinker away....
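As an added example (not pteppic's, BlinkEye's or blacklist.py's code) of the second approach: a dictionary keyed by log file whose values are lists of compiled regexes, a loop that runs each file's patterns over the lines logtail just returned for that file, and a per-IP tally with a threshold and a whitelist. The sshd and proftpd patterns and the sample batch are assumptions modelled on the lines quoted in this thread (the ftp lines on MrBlc's proftpd output above), using documentation address ranges.

```python
import re
from collections import Counter

# Patterns for this example are assumptions modelled on the sshd and proftpd
# lines quoted in the thread; they are not the regexes shipped in blacklist.py.
IPV4 = r"(?:::ffff:)?(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
WATCH = {
    "/var/log/auth.log": [
        re.compile(r"sshd\[\d+\]: Failed (?:password|keyboard-interactive/pam|none) "
                   r"for (?:invalid user )?(?P<user>\S+) from " + IPV4),
        re.compile(r"sshd\[\d+\]: User (?P<user>\S+) from " + IPV4 +
                   r" not allowed because not listed in AllowUsers"),
    ],
    "/var/log/proftpd.log": [
        re.compile(r"proftpd\[\d+\]: .* - USER (?P<user>\S+): no such user found from "
                   r"\S+ \[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]"),
    ],
}


def count_failures(new_lines_by_file, watch=WATCH):
    """Run each log file's patterns over the lines logtail just returned for
    it (first matching pattern wins, so a line counts once) and tally
    failures per source IP across all files."""
    hits = Counter()
    for log_file, lines in new_lines_by_file.items():
        patterns = watch.get(log_file, [])
        for line in lines:
            for regex in patterns:
                m = regex.search(line)
                if m:
                    hits[m.group("host")] += 1
                    break
    return hits


def hosts_to_block(new_lines_by_file, threshold, watch=WATCH, whitelist=()):
    """IPs that reached the threshold in this batch, minus whitelisted ones
    (put your own management addresses there so a typo cannot lock you out)."""
    hits = count_failures(new_lines_by_file, watch)
    return sorted(h for h, n in hits.items() if n >= threshold and h not in whitelist)


# Constructed batch, as if logtail had just returned these lines per file.
SAMPLE_BATCH = {
    "/var/log/auth.log": [
        "Mar 7 02:37:29 tammy sshd[8559]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
        "Mar 7 02:37:31 tammy sshd[8561]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
        "Mar 7 02:37:33 tammy sshd[8563]: User root from 198.51.100.7 not allowed because not listed in AllowUsers",
        "Mar 7 02:40:00 tammy sshd[8570]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2",
        "Mar 7 02:41:00 tammy sshd[8571]: Failed password for root from 10.0.0.5 port 4023 ssh2",
        "Mar 7 02:41:05 tammy sshd[8572]: Failed password for root from 10.0.0.5 port 4024 ssh2",
        "Mar 7 02:41:09 tammy sshd[8573]: Failed password for root from 10.0.0.5 port 4025 ssh2",
        "Mar 7 02:42:00 tammy sshd[8574]: Accepted publickey for alice from 10.0.0.5 port 4026 ssh2",
    ],
    "/var/log/proftpd.log": [
        "Mar 6 03:47:53 freya proftpd[3773]: freya (host.example[203.0.113.4]) - USER Administrator: no such user found from host.example [203.0.113.4] to 192.0.2.1:21",
        "Mar 6 03:47:53 freya proftpd[3773]: freya (host.example[203.0.113.4]) - USER Administrator: no such user found from host.example [203.0.113.4] to 192.0.2.1:21",
        "Mar 6 03:47:54 freya proftpd[3773]: freya (host.example[203.0.113.4]) - USER Administrator: no such user found from host.example [203.0.113.4] to 192.0.2.1:21",
        "Mar 6 03:47:54 freya proftpd[3773]: freya (host.example[203.0.113.4]) - Maximum login attempts (3) exceeded",
    ],
}

if __name__ == "__main__":
    print(count_failures(SAMPLE_BATCH))
    print(hosts_to_block(SAMPLE_BATCH, threshold=3, whitelist={"10.0.0.5"}))
```

Adding a new log source is then one dictionary entry, which is the property pteppic is after. Note that the tally is per log line, not per login attempt: sshd can write two different lines for one rejected attempt (the AllowUsers refusal and a "Failed none" line), so a threshold of N lines may trip after fewer than N attempts.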
MatrixM n00b
Joined: 02 May 2005 Posts: 48 Location: Cyberspace
Posted: Fri Mar 10, 2006 6:02 pm
(crossposted to actual forum thread as well as PM to BlinkEye with log dumps trimmed for forum post)
Sorry for such a long forum post, just trying to help get in the development of the script as best I can since my coding skills are lacking.
I'm still getting people that are trying to use the root account to login not being blocked. A prime example of this is seen in the below output of my auth.log file. A single site was hammering my system for over 15 minutes trying to get in on the root account. Not only did it not block the account for trying to use root to login, but it also didn't block the account out after 30 seconds of hammering the system.
The only change I had to make to the script for my system was to point it to the proper location of logtail (/usr/bin/logtail instead of /usr/sbin/logtail). I don't believe that change would have disabled the blocking of the root login attempts.
I did a quick grep of my logs just to check to see if any of the non-AllowUsers attempts are being blocked, and it doesn't appear that they are. So I'm including two different grep outputs here, the first is from a grep of just root attempts on the server. The second will be a grep of AllowUsers with the root attempts stripped out via sed (at the very bottom of the root listing).
Hope that the log outputs can help in further development of the script.
grep root /var/log/auth.log wrote:
Mar 7 02:37:29 tammy sshd[8559]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 02:37:31 tammy sshd[8561]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 02:37:33 tammy sshd[8563]: User root from 61.178.20.170 not allowed because not listed in AllowUsers
Mar 7 12:57:10 tammy sshd[14330]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 12:57:10 tammy sshd[14332]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 12:57:11 tammy sshd[14334]: User root from 205.241.227.14 not allowed because not listed in AllowUsers
Mar 7 14:27:16 tammy sshd[15213]: User root from 218.71.137.69 not allowed because not listed in AllowUsers
<snip>
Mar 7 14:29:16 tammy sshd[15347]: User root from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 16:01:56 tammy sshd[16452]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:44 tammy sshd[16510]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:49 tammy sshd[16512]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:09 tammy sshd[16524]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:17 tammy sshd[16526]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:22 tammy sshd[16528]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:27 tammy sshd[16530]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:04:30 tammy sshd[16532]: User root from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 8 01:11:38 tammy sshd[624]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:38 tammy sshd[626]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:39 tammy sshd[628]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:39 tammy sshd[630]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:40 tammy sshd[632]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:41 tammy sshd[634]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:41 tammy sshd[636]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 8 01:11:42 tammy sshd[638]: User root from 72.36.231.146 not allowed because not listed in AllowUsers
Mar 9 23:52:17 tammy sshd[26705]: User root from lcsworld.propagation.net not allowed because not listed in AllowUsers
<snip>
Mar 9 23:55:15 tammy sshd[26823]: User root from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 10 04:12:04 tammy sshd[29330]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 04:12:06 tammy sshd[29332]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 04:12:08 tammy sshd[29338]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 06:20:23 tammy sshd[30759]: User root from ich-4.com not allowed because not listed in AllowUsers
<snip about 2000 lines>
Mar 10 06:37:48 tammy sshd[1565]: User root from ich-4.com not allowed because not listed in AllowUsers
Mar 10 07:15:30 tammy sshd[1931]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 07:15:32 tammy sshd[1933]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
Mar 10 07:15:34 tammy sshd[1935]: User root from 61.185.217.214 not allowed because not listed in AllowUsers
grep AllowUsers /var/log/messages | sed -e '/root/d' wrote:
Mar 7 14:26:43 tammy sshd[15175]: User alias from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:26:57 tammy sshd[15189]: User cyrus from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:02 tammy sshd[15199]: User ftp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:08 tammy sshd[15205]: User postmaster from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:10 tammy sshd[15207]: User postfix from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:12 tammy sshd[15209]: User postgres from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:30 tammy sshd[15231]: User apache from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:33 tammy sshd[15235]: User mysql from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:27:43 tammy sshd[15245]: User named from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:14 tammy sshd[15345]: User nobody from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:41 tammy sshd[15377]: User news from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:45 tammy sshd[15381]: User games from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:49 tammy sshd[15385]: User mail from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:29:51 tammy sshd[15387]: User adm from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:18 tammy sshd[15431]: User operator from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:25 tammy sshd[15435]: User sshd from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:32 tammy sshd[15447]: User bin from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:34 tammy sshd[15449]: User daemon from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:41 tammy sshd[15451]: User lp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:43 tammy sshd[15453]: User sync from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:45 tammy sshd[15455]: User shutdown from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:48 tammy sshd[15457]: User halt from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:50 tammy sshd[15459]: User uucp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:30:51 tammy sshd[15461]: User smmsp from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 14:32:12 tammy sshd[15559]: User rpc from 218.71.137.69 not allowed because not listed in AllowUsers
Mar 7 16:00:10 tammy sshd[16406]: User alias from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:00:58 tammy sshd[16424]: User cyrus from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:16 tammy sshd[16434]: User ftp from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:36 tammy sshd[16440]: User postmaster from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:41 tammy sshd[16446]: User postfix from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:01:46 tammy sshd[16448]: User postgres from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:02:38 tammy sshd[16474]: User apache from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:02:45 tammy sshd[16478]: User mysql from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 7 16:03:09 tammy sshd[16492]: User named from 059148236077.ctinets.com not allowed because not listed in AllowUsers
Mar 9 23:52:15 tammy sshd[26701]: User mysql from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:52:36 tammy sshd[26719]: User squid from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:52:42 tammy sshd[26723]: User postmaster from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:01 tammy sshd[26735]: User games from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:13 tammy sshd[26741]: User ftp from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:53:15 tammy sshd[26745]: User news from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:54:04 tammy sshd[26775]: User nobody from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 9 23:54:50 tammy sshd[26805]: User lp from lcsworld.propagation.net not allowed because not listed in AllowUsers
Mar 10 06:19:10 tammy sshd[30507]: User bin from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:11 tammy sshd[30509]: User daemon from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:11 tammy sshd[30511]: User adm from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:12 tammy sshd[30513]: User lp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:12 tammy sshd[30515]: User sync from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:13 tammy sshd[30517]: User shutdown from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:14 tammy sshd[30519]: User halt from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:14 tammy sshd[30525]: User mail from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:15 tammy sshd[30527]: User news from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:16 tammy sshd[30529]: User uucp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:16 tammy sshd[30531]: User operator from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:17 tammy sshd[30533]: User games from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:18 tammy sshd[30537]: User ftp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:19 tammy sshd[30539]: User nobody from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:22 tammy sshd[30547]: User sshd from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:22 tammy sshd[30549]: User rpc from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:25 tammy sshd[30559]: User smmsp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:26 tammy sshd[30561]: User apache from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:27 tammy sshd[30563]: User squid from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:29 tammy sshd[30569]: User xfs from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:29 tammy sshd[30571]: User named from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:31 tammy sshd[30575]: User gdm from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:31 tammy sshd[30577]: User mysql from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:19:33 tammy sshd[30581]: User postfix from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:01 tammy sshd[31271]: User sync from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:02 tammy sshd[31273]: User games from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:03 tammy sshd[31275]: User man from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:03 tammy sshd[31277]: User news from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:04 tammy sshd[31279]: User uucp from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:05 tammy sshd[31283]: User postgres from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:07 tammy sshd[31289]: User operator from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:10 tammy sshd[31297]: User nobody from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:11 tammy sshd[31301]: User man from ich-4.com not allowed because not listed in AllowUsers
Mar 10 06:23:16 tammy sshd[31321]: User postfix from ich-4.com not allowed because not listed in AllowUsers
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Fri Mar 10, 2006 7:52 pm
MatrixM: Are all the log lines of the form "User X from Y not allowed because not listed in AllowUsers"? If so, is it the syntax of a regexp for catching these you are having problems with? Something else? Which regexp are you using in the script right now?
Also, some of the hosts in your log are ip numbers, others are domain names. They should all be ip numbers for the script to work. Do you have that "useDNS" setting enabled or disabled in your sshd config?
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
MatrixM n00b
Joined: 02 May 2005 Posts: 48 Location: Cyberspace
Posted: Sat Mar 11, 2006 1:16 am
I just checked the sshd_config file, and the useDNS option was commented out. I'm not sure what its default setting is, but I'll assume that it's on since I'm getting DNS lookups in the auth.log file. I went ahead and changed it to useDNS no and uncommented the section (and remembered to /etc/init.d/sshd restart as well).
The "User X from Y not allowed because not listed in AllowUsers" is the one string that's not being blocked by the script right now. I'm guessing that is why the root attempts aren't being blocked either, since they don't match the original REGEX search pattern as well.
I really like this script, I just wish there was some way to get it to ban people who were trying invalid accounts as well (since there are only two accounts not blocked, I wonder why some are even being blocked at all).
I just don't know enough about regex to alter the existing line so that it will search for its existing stuff as well as the AllowUsers listings (and thus still catch the root attempts as the script seems to be supposed to be doing).
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Sat Mar 11, 2006 2:20 am
Well, blinkeye promised to support multiple regular expressions in the next version, so I guess you have to wait. Or, you could always run two instances of the script.
I love a quick and dirty fix, so I had to try this immediately. It seems to be working, and I don't see why it shouldn't. So, copy the script to a new file, and make some modifications: You need to change the name of the iptables chain, and it needs a separate offset file for logtail. And, just in case, I gave it a separate log file. It's a few lines you need to change. Actually, it's probably more lines than needed to add support for multiple regexps. But less testing is needed.
Add the "2" to these lines:
Code: | LOG_OUTPUT = "/var/log/blacklist2.log"
PID_FILE = "/var/run/blacklist2.pid"
CUSTOM_CHAIN = "BLACKLIST2" |
and add this line in the same section (feel free to use another file, but keep the space character inside the quotes):
Code: | LOG_OFFSET = " /root/scripts/.blacklist2_offset" |
and change the regexp you're using to this:
Code: | SYSLOG_REGEX = r"sshd[[][0-9]+[]]: User (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3}) not allowed because not listed in AllowUsers" |
And add the offset file to these two lines (in the scan function at around line 150, they also appear in the test mode around line 220, but you can skip them):
Code: | regex_matches = re_invalid.findall( system_command( LOGTAIL + " -f " + LOG_INPUT + LOG_OFFSET ) ) |
and
Code: | regex_matches = re_invalid.findall( system_command( LOGTAIL + " " + LOG_INPUT + LOG_OFFSET) ) |
(Don't cut and paste here, mind the indentation. Python is tricky like that.)
Oh, and the syntax for a specific offset file might actually be different if you use the "-f" version of logtail. Try to type "logtail" and see what it says. _________________ Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking... |
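Since the multiple-regex version was still in testing at this point in the thread, here is an added example of how such a scanner can be put together. It is not BlinkEye's blacklist script and not code from any post above. The sample log lines are constructed from the formats quoted in the posts (the PIDs, hostnames and the address 192.0.2.7 are made up), and the threshold, chain name and iptables command format are assumptions. It counts attempts by sshd PID rather than by log line, so the several lines one connection logs collapse into a single hit, and it strips the ::ffff: prefix before an address goes into a rule:

```python
"""Multi-regex sshd log scanner that decides which hosts to blacklist.

Added example, not the blacklist script discussed in this thread. The log
lines in SAMPLE_LOG are constructed from the formats quoted in the thread
(PIDs, hostnames and 192.0.2.7 are made up); the threshold, chain name and
command format are assumptions.
"""
import re
from collections import defaultdict

# IPv4-mapped IPv6 addresses ("::ffff:1.2.3.4") show up on dual-stack sshd
# builds; the prefix is consumed so only the dotted quad lands in "host".
IPV4 = r"(?:::ffff:)?(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Every pattern anchors on "sshd[pid]:", so the extra "sshd(pam_unix)[pid]:
# authentication failure; ... rhost=" line PAM writes for the same attempt is
# never matched, and the PID lets the scanner group lines per connection.
PID = r"sshd\[(?P<pid>\d+)\]: "

# One regex per log format seen in the thread (assumed list, extend as needed).
SYSLOG_REGEXES = [
    # Failed keyboard-interactive/pam for invalid user test from 10.10.10.3 port 60991 ssh2
    # Failed none for invalid user test from 10.10.10.3 port 60991 ssh2
    PID + r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from " + IPV4,
    # Invalid user admin from 83.248.169.252
    PID + r"Invalid user (?P<user>\S+) from " + IPV4,
    # error: PAM: Authentication failure for illegal user test from 10.10.10.3
    PID + r"error: PAM: Authentication failure for (?:illegal user )?(?P<user>\S+) from " + IPV4,
    # User root from 72.36.231.146 not allowed because not listed in AllowUsers
    PID + r"User (?P<user>\S+) from " + IPV4 + r" not allowed because not listed in AllowUsers",
]


def _valid_ipv4(host):
    """One-to-three-digit octets also match 999, so reject octets above 255
    before the address ever reaches an iptables command line."""
    return all(0 <= int(octet) <= 255 for octet in host.split("."))


def scan(lines, regexes=SYSLOG_REGEXES):
    """Return {host: {pid: user}} for every line that matches any regex.

    The first matching pattern wins, so a line is never counted twice. Keying
    on the sshd PID collapses the several lines one connection logs (three
    for a single attempt in the listings above) into one attempt per host.
    PID reuse over a very long log can merge two attempts; that only
    under-counts, which is the safe direction for a ban decision.
    """
    compiled = [re.compile(rx) for rx in regexes]
    hits = defaultdict(dict)
    for line in lines:
        for rx in compiled:
            match = rx.search(line)
            if match and _valid_ipv4(match.group("host")):
                hits[match.group("host")].setdefault(match.group("pid"), match.group("user"))
                break
    return {host: dict(pids) for host, pids in hits.items()}


def ban_rules(hits, threshold=3, chain="BLACKLIST", already_banned=()):
    """Return the iptables commands for hosts with at least `threshold` attempts.

    Commands are returned as strings rather than executed, so the caller can
    log or review them before handing them to subprocess once the chain
    exists and is hooked into INPUT (iptables -N <chain>; iptables -I INPUT -j <chain>).
    """
    cmds = []
    for host, pids in sorted(hits.items()):
        if len(pids) >= threshold and host not in already_banned:
            cmds.append("iptables -A %s -s %s -j DROP" % (chain, host))
    return cmds


# Constructed sample: a scanner from 83.248.169.252 probing several accounts,
# one manual login as "test" from 10.10.10.3 (four lines, one attempt), and
# one password failure logged with a mapped-IPv6 address.
SAMPLE_LOG = """\
Mar 12 15:55:54 clint sshd[5841]: Did not receive identification string from 83.248.169.252
Mar 12 16:04:01 clint sshd[6122]: User root from 83.248.169.252 not allowed because not listed in AllowUsers
Mar 12 16:04:11 clint sshd[6136]: Invalid user admin from 83.248.169.252
Mar 12 16:04:18 clint sshd[6142]: Invalid user test from 83.248.169.252
Mar 12 16:04:24 clint sshd[6149]: User guest not allowed because shell /dev/null is not executable
Mar 12 16:04:30 clint sshd[6155]: Invalid user webmaster from 83.248.169.252
Mar 13 22:08:01 blinkeye sshd[19817]: Failed none for invalid user test from 10.10.10.3 port 60991 ssh2
Mar 13 22:08:07 blinkeye sshd(pam_unix)[19822]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.3 user=test
Mar 13 22:08:10 blinkeye sshd[19817]: error: PAM: Authentication failure for illegal user test from 10.10.10.3
Mar 13 22:08:10 blinkeye sshd[19817]: Failed keyboard-interactive/pam for invalid user test from 10.10.10.3 port 60991 ssh2
Mar 13 22:09:00 blinkeye sshd[19830]: Failed password for root from ::ffff:192.0.2.7 port 4022 ssh2
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for host, pids in sorted(found.items()):
        print("%-16s %d attempt(s): %s" % (host, len(pids), ", ".join(pids.values())))
    for cmd in ban_rules(found, threshold=3, chain="BLACKLIST2"):
        print(cmd)
```

Wired into the script from this thread, scan() would take the lines logtail returns for the new offset file and ban_rules() would replace the single hard-coded regex check. Note the effect of counting per PID: with the sample above and a threshold of 3, only the scanning host is banned, while the one manual attempt from 10.10.10.3 (which alone produces four log lines) is not.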
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Mon Mar 13, 2006 9:11 pm Post subject: |
I'm currently testing a new version (allowing multiple regex for both ssh and ftp). I just wonder why you only get similar lines to
Code: | Mar 8 01:11:39 tammy sshd[630]: User root from 72.36.231.146 not allowed because not listed in AllowUsers |
...
If I explicitly specify which users to allow in sshd_config I get those lines too BUT along with the usual entries.
The lines for one attempt:
Code: | Mar 13 22:08:01 blinkeye sshd[19817]: User test from 10.10.10.3 not allowed because not listed in AllowUsers
Mar 13 22:08:01 blinkeye sshd[19817]: Failed none for invalid user test from 10.10.10.3 port 60991 ssh2
Mar 13 22:08:07 blinkeye sshd(pam_unix)[19822]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.3 user=test
Mar 13 22:08:10 blinkeye sshd[19817]: error: PAM: Authentication failure for illegal user test from 10.10.10.3
Mar 13 22:08:10 blinkeye sshd[19817]: Failed keyboard-interactive/pam for invalid user test from 10.10.10.3 port 60991 ssh2 |
are you really sure you don't get the usual "Failed keyboard-interactive/pam ..." lines too? _________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick |
Andersson Guru
Joined: 12 Jul 2003 Posts: 525 Location: Göteborg, Sweden
Posted: Tue Mar 14, 2006 3:12 am Post subject: |
I get more lines if I try to log in manually:
Code: | Mar 11 03:18:33 clint sshd[8894]: Invalid user test from 193.27.xx.xx
Mar 11 03:18:35 clint sshd(pam_unix)[8900]: check pass; user unknown
Mar 11 03:18:35 clint sshd(pam_unix)[8900]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.27.xx.xx
Mar 11 03:18:37 clint sshd[8894]: error: PAM: Authentication failure for illegal user test from 193.27.xx.xx
Mar 11 03:18:37 clint sshd[8894]: Failed keyboard-interactive/pam for invalid user test from 193.27.xx.xx port 2263 ssh2 |
But the attempts coming from the script kiddies look like this:
Code: | Mar 12 15:55:54 clint sshd[5841]: Did not receive identification string from 83.248.169.252
Mar 12 16:04:01 clint sshd[6122]: User root from 83.248.169.252 not allowed because not listed in AllowUsers
Mar 12 16:04:11 clint sshd[6136]: Invalid user admin from 83.248.169.252
Mar 12 16:04:18 clint sshd[6142]: Invalid user test from 83.248.169.252
Mar 12 16:04:24 clint sshd[6149]: User guest not allowed because shell /dev/null is not executable
Mar 12 16:04:30 clint sshd[6155]: Invalid user webmaster from 83.248.169.252
Mar 12 16:06:25 clint sshd[6155]: fatal: Timeout before authentication for 83.248.169.252 |
_________________ Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking... |