Gentoo Forums
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies
Forum: Documentation, Tips & Tricks
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Tue Mar 14, 2006 6:21 pm

Just a quick suggestion.

Would be nice if the email subjects contained the hostname of the station that is triggering the email.

very nice work, though. i just started using this and the backup script you wrote. love em both!
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Tue Mar 14, 2006 7:33 pm

So, I got curious and wanted to add the hostname myself...

I'm not a Python programmer, so if I'm screwing this up or if there's an easier way let me know...

But to add the hostname to the subject line of the email, this is what I did.

After the comments section, in the "import" section, add the following line:
Code:
import socket

in the variables area, add the following line:
Code:
HOST_NAME = socket.gethostname()

that'll give us the variable with the hostname in it. down in the section labeled "# mail list of IP blocked during this run", add the variable by changing this:

Code:
                p.write( "Subject: Too many SSH login failures from multiple IPs\n\n" )
        else:
                p.write( "Subject: Too many SSH login failures from " + ip + "\n\n" )


to this:

Code:
                p.write( "Subject: " + HOST_NAME + ": Too many SSH login failures from multiple IPs\n\n" )
        else:
                p.write( "Subject: " + HOST_NAME + ": Too many SSH login failures from " + ip + "\n\n" )


that should do it. now the emails will have the hostname in the subject line.
Robert S (Guru; joined 15 Aug 2004; 415 posts; Canberra Australia)
Posted: Tue Mar 14, 2006 8:19 pm

Nice little script. I had to get rid of the following lines in my /etc/ssh/sshd_config:
Quote:
AllowGroups ssh_users

.. and had to add the following:
Quote:
UsePAM no
UseDNS no

It would be nice if the regex was changed to allow "AllowGroups" and "UsePAM" to be set as an additional security measure. Any regex masters out there?

Also I had to add a space in SYSLOG_REGEX after ?:invalid user thus:
Quote:
SYSLOG_REGEX = r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Wed Mar 15, 2006 1:05 am

well guys, you don't give me much time to test :wink:
thanks for the feedback so far.

version 0.4.4 is out.

recent changes:

'''2006-03-15'''
* Added new functionality to permit several regexs at once
* Added ftp regex
* Changed subject of the status mail to contain the hostname
* The mail now contains the port an IP is blocked on
* Correctly blocking out invalid users/login tries if the ssh daemon is configured with the "AllowUsers" variable
* Enhanced the test modus to support several loglines

_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Wed Mar 15, 2006 1:10 am

I'm not updating the wiki for another 16 hours or so. give it some time - the script section and the ftp download are up-to-date.

Please use the test modus/function to see if the (new) regexes are working for you. You may now easily add another regex to SSH_REGEX or FTP_REGEX (comma-separated list), although I don't think it's necessary.
carneboy (n00b; joined 11 May 2004; 63 posts; Riverside, CA)
Posted: Wed Mar 15, 2006 2:45 am

Thanks once again, it now works on the "script-kiddie" log lines, that constitute 90% of my auth.log. :D
PabOu (Veteran; joined 11 Feb 2004; 1073 posts; Hélécine - Belgium)
Posted: Wed Mar 15, 2006 12:27 pm

Nice script and howto ;)

But what about fail2ban ?
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Wed Mar 15, 2006 1:45 pm

Ok, I haven't upgraded to the latest version which was released last night, so if this is fixed in the new version just slap me upside the head.

Woke up this morning and had no emails from the blacklist script. The blacklist log file reported nobody being banned overnight. But looking at /var/log/auth.log, this was in there (en masse):

Code:
Mar 15 07:04:02 setii sshd[31699]: Invalid user teen from 201.6.252.173
Mar 15 07:04:02 setii sshd[31699]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:07 setii sshd[31705]: Invalid user theo from 201.6.252.173
Mar 15 07:04:07 setii sshd[31705]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:12 setii sshd[31707]: Invalid user teo from 201.6.252.173
Mar 15 07:04:12 setii sshd[31707]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:16 setii sshd[31709]: Invalid user theodora from 201.6.252.173
Mar 15 07:04:16 setii sshd[31709]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:21 setii sshd[31711]: Invalid user theodore from 201.6.252.173
Mar 15 07:04:21 setii sshd[31711]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:26 setii sshd[31713]: Invalid user valentin from 201.6.252.173
Mar 15 07:04:26 setii sshd[31713]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:31 setii sshd[31715]: Invalid user vali from 201.6.252.173
Mar 15 07:04:31 setii sshd[31715]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:36 setii sshd[31721]: Invalid user anna from 201.6.252.173


Why wasn't blacklist banning this guy?
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Wed Mar 15, 2006 3:33 pm

kill[h]er wrote:
Why wasn't blacklist banning this guy?

because the guy uses a script which somehow does not generate ordinary loglines - in my opinion the script doesn't even try to authenticate ....

it's fixed now anyway.
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Wed Mar 15, 2006 3:44 pm

Cool, I'll be upgrading to the new version today... figgered it'd be fixed there. Just got worried.
Robert S (Guru; joined 15 Aug 2004; 415 posts; Canberra Australia)
Posted: Thu Mar 16, 2006 12:18 pm

The new version works fine now except I need to use the perl logtail script. Is there any chance of getting it to work with the binary version of logtail that comes with the logsentry package? I assume that being a binary it would put less load on my system than a perl script. I've been able to restore my sshd_config to its original form.

Also - perhaps the .pid file could be cleaned up on exit :wink:

An excellent piece of work!
evermind (Guru; joined 10 Jan 2004; 322 posts)
Posted: Tue Mar 21, 2006 8:04 am

nice howto BlinkEye
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Wed Mar 22, 2006 2:50 pm

I made some minor updates to the wiki. You may be interested in the advanced test modus section.
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Wed Mar 22, 2006 3:08 pm

Disclaimer - When reading this, keep these things in mind:

1) I'm not a Python expert, I'm a Perl man. So there might be better ways of doing what I'm doing, python-wise.
2) I'm not an ssh expert, so the string below might actually be used for something useful, so if you use this change, you might block out such use. Personally, I don't care, because the only people who should be using SSH on my server(s) shouldn't be nmap'ing or scanssh'ing me.
3) I'm not implying that Blinkeye should add this to his script, but if he wants to, he's free to!

------------

Ok, I've been watching this stuff pretty closely (this stuff being the ssh bruteforce attempts), and Blinkeye's Blacklist script is working great... but I've noticed that each bruteforce attempt by these kiddies is preceded by this:

Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133


This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me. Here's the changes I made:

Change the SSH_REGEX section:
Code:
SSH_REGEX = [
        r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
]


In the create_stat subroutine, add another if statement to check the user name (in this case we're using the term "identification" as a user name):
Code:
                # no tolerance for a root login attempt
                if ( match.group( 'user' ) == "root" ):
                        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
                if ( match.group( 'user' ) == "identification" ):
                        entry[ 1 ] += PERMITTED_LOGIN_FAILURES 


And that's it. As soon as some idiot tries to nmap or scanssh -I you, they'll be blocked instantly for 10 minutes. This will cause their bruteforce scripts to fail, even though they initially get a response from you.
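The three regexes, the per-IP tally and the instant block for root and for the identification-string line, put together as an added Python 3 example (this is not kill[h]er's patch and not BlinkEye's blacklist.py); it also absorbs the ::ffff: prefix that Robert S's regex earlier in the thread allows for. Assumptions, labelled in the code: an IP is blocked once its count exceeds PERMITTED_LOGIN_FAILURES, the block is an iptables DROP on the SSH port, and the log lines are constructed with documentation addresses.

```python
import re

# Added example (not blacklist.py). Regexes in the style of the SSH_REGEX list
# above; the named groups 'user' and 'ip' are what the tally keys on.
IP = r"(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SSH_REGEX = [
    r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )?(?P<user>.*?) from " + IP,
    r"Invalid user (?P<user>.*?) from " + IP,
    # The scanner indicator: the literal word 'identification' lands in the
    # 'user' group on purpose so it can be treated like the root special case.
    r"Did not receive (?P<user>identification) string from " + IP,
]
COMPILED = [re.compile(rx) for rx in SSH_REGEX]

PERMITTED_LOGIN_FAILURES = 3
# Assumption: an IP is blocked once its count exceeds PERMITTED_LOGIN_FAILURES,
# so adding PERMITTED_LOGIN_FAILURES on a single hit blocks at once.
ZERO_TOLERANCE_USERS = {"root", "identification"}


def create_stat(lines):
    """Tally matches per source IP: {ip: [set_of_users, failure_count]}."""
    stat = {}
    for line in lines:
        match = None
        for rx in COMPILED:
            match = rx.search(line)
            if match:
                break
        if match is None:
            continue  # e.g. 'Accepted password' or an unrelated line
        ip, user = match.group("ip"), match.group("user")
        entry = stat.setdefault(ip, [set(), 0])
        entry[0].add(user)
        entry[1] += 1
        if user in ZERO_TOLERANCE_USERS:  # no tolerance for root, or for a scan
            entry[1] += PERMITTED_LOGIN_FAILURES
    return stat


def ips_to_block(stat, limit=PERMITTED_LOGIN_FAILURES):
    """IPs whose failure count exceeds the limit, sorted for stable output."""
    return sorted(ip for ip, (_users, count) in stat.items() if count > limit)


def block_command(ip, port=22):
    """The iptables rule the script would insert (assumed form). Returned as an
    argv list and not executed, so the example stays side-effect free."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(port), "-j", "DROP"]


# Constructed sample of auth.log lines in the shapes quoted in this thread
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Mar 22 02:07:46 host sshd[6383]: Did not receive identification string from 192.0.2.10",
    "Mar 22 02:11:01 host sshd[6390]: Invalid user admin from 198.51.100.7",
    "Mar 22 02:11:03 host sshd[6392]: Invalid user test from 198.51.100.7",
    "Mar 22 02:11:05 host sshd[6394]: Failed password for invalid user test from 198.51.100.7 port 40111 ssh2",
    "Mar 22 02:11:09 host sshd[6396]: Invalid user oracle from 198.51.100.7",
    "Mar 22 02:12:00 host sshd[6400]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "Mar 22 02:12:04 host sshd[6401]: Failed password for bob from ::ffff:203.0.113.5 port 51001 ssh2",
    "Mar 22 02:12:30 host sshd[6402]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Mar 22 02:13:00 host sshd[6404]: Accepted password for alice from 203.0.113.5 port 51000 ssh2",
]

if __name__ == "__main__":
    stat = create_stat(SAMPLE_LOG)
    for ip in ips_to_block(stat):
        print(" ".join(block_command(ip)), "#", sorted(stat[ip][0]))
```

Run stand-alone it prints one iptables rule per blocked IP together with the user names that were tried: the scanner line alone is enough to block 192.0.2.10, the four invalid-user attempts block 198.51.100.7, the single root attempt blocks 203.0.113.9, and 203.0.113.5 with two failures for real-looking accounts stays under the limit.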
codejnki (n00b; joined 08 Aug 2002; 36 posts)
Posted: Wed Mar 22, 2006 3:26 pm

kill[h]er wrote:


Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133


This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me.


I was wondering what those lines were. That makes a lot of sense though.
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Wed Mar 22, 2006 3:58 pm

codejnki wrote:
kill[h]er wrote:


Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133


This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me.


I was wondering what those lines were. That makes a lot of sense though.

So was I. I'll investigate that. Thanks so far.
MatrixM (n00b; joined 02 May 2005; 48 posts; Cyberspace)
Posted: Wed Mar 22, 2006 10:02 pm

Robert S wrote:
The new version works fine now except I need to use the perl logtail script. Is there any chance of getting it to work with the binary version of logtail that comes with the logsentry package? I assume that being a binary it would put less load on my system than a perl script. I've been able to restore my sshd_config to its original form.


I've got it working with the logsentry logtail with no problems. The only thing I had to change was the location of logtail line in the script:

Code:
LOGTAIL = "/usr/bin/logtail"

instead of
Code:
LOGTAIL = "/usr/sbin/logtail"


With that one change, I don't get any problems stemming from logtail on my system. At least, I don't think I've downloaded the logtail perl script and installed it into /usr/bin on my system.
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Fri Mar 24, 2006 2:42 am

Just wanted to update y'all... I added the nmap/scanssh blocking to my server's script 2.5 days ago. Since then I've had at least 10 "scans" that resulted in the immediate blocking of their IPs. I have had zero "bruteforce" attempts. This is looking promising.

(Not saying to remove the other checks, just that this one seems to be cutting them off at the knees.)
urcindalo (Guru; joined 08 Feb 2005; 553 posts; Almeria, Spain)
Posted: Tue Mar 28, 2006 8:27 am

Hi!

I got blacklist.py installed and activated (as an init script run after iptables). The thing is, today I've seen this in my /var/log/auth.log:
Code:
Mar 27 23:17:52 machine-name sshd[14107]: Did not receive identification string from 69.70.19.226
Mar 27 23:21:39 machine-name sshd[14157]: Invalid user admin from 69.70.19.226
Mar 27 23:21:41 machine-name sshd[14159]: Invalid user test from 69.70.19.226
Mar 27 23:21:42 machine-name sshd[14161]: User guest not allowed because shell /dev/null is not executable
Mar 27 23:21:44 machine-name sshd[14163]: Invalid user webmaster from 69.70.19.226
Mar 27 23:21:47 machine-name sshd[14167]: Invalid user oracle from 69.70.19.226


Since blacklist.py is configured this way
Code:
PERMITTED_LOGIN_FAILURES = 3

I assume blacklist only triggers ip blocking when a valid user tries to log in with an invalid password, but not when a non-existent user tries to log in, right? I say this because I've seen no messages from blacklist blocking the 69.70.19.226 ip.

So, are fail2ban and blacklist.py mutually exclusive? Or can I have both activated at the same time? I'd like to get rid also of those scans for valid users... :evil:
BlinkEye (Veteran; joined 21 Oct 2003; 1043 posts; Location: Gentoo Forums)
Posted: Tue Mar 28, 2006 9:13 am

You're using an old version. New versions (>=0.4.4) support catching of invalid users. To make sure have a look at the TestMode .
urcindalo (Guru; joined 08 Feb 2005; 553 posts; Almeria, Spain)
Posted: Tue Mar 28, 2006 10:02 am

Nope. Version is 0.4.5:
Code:
# cat blacklist.py | grep Version
# Version 0.4.5


There must be something else. This is the output after test mode:
Code:
* Entering test mode
* SSH_REGEX[ 0 ]: Caught ip "61.172.192.3 and username "sato"
* SSH_REGEX[ 0 ]: Caught ip "61.172.192.3 and username "sato"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 1 ]: No match found
* FTP_REGEX[ 0 ]: Caught ip "206.222.29.194" and username "root"
* FTP_REGEX[ 0 ]: Caught ip "206.222.29.194" and username "root"
* SUCCESS: Sending mail from blacklist@localhost to root@localhost


The mail says "A test mail from blacklist.py". To me, it looks like test mode is working.
What else can I check?
kill[h]er (n00b; joined 02 Sep 2003; 30 posts)
Posted: Tue Mar 28, 2006 1:43 pm

Check and see if your iptables is being updated.

Code:
iptables -v -L
VelVet (n00b; joined 09 Feb 2005; 21 posts; Belgium)
Posted: Tue Mar 28, 2006 2:26 pm    Post subject: error starting

I might be stupid :p but I just started using Linux and I found this very useful.
However, when I try to start the script I get
Code:
Traceback (most recent call last):
  File "./blacklist.py", line 227, in ?
    raise IOError, LOGTAIL + " is not executable"
IOError: /usr/sbin/logtail is not executable


Though I emerged logsentry. Any suggestions or help would be welcome :)
VelVet (n00b; joined 09 Feb 2005; 21 posts; Belgium)
Posted: Tue Mar 28, 2006 2:32 pm

Never mind me, I found it.

Had to change
Code:
LOGTAIL = "/usr/sbin/logtail"

back to
Code:
LOGTAIL = "/usr/bin/logtail"
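The IOError in the traceback above is the script's own start-up check that LOGTAIL points at an executable file, and the thread shows logtail landing in either /usr/bin (the logsentry binary) or /usr/sbin (the perl script). The following added Python 3 example (not blacklist.py's code) applies the same test to both candidates and fails the same way when neither qualifies; the candidate list is the only assumption.

```python
import os

# Added example, not blacklist.py's own code. The two places logtail turned up
# in this thread: the logsentry binary in /usr/bin, the perl script in /usr/sbin.
LOGTAIL_CANDIDATES = ["/usr/bin/logtail", "/usr/sbin/logtail"]


def is_executable_file(path):
    """True only for a regular file this user may execute (symlinks are followed)."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def find_logtail(candidates=LOGTAIL_CANDIDATES):
    """First usable candidate; raises IOError, as blacklist.py does, if none is."""
    for path in candidates:
        if is_executable_file(path):
            return path
    raise IOError("no executable logtail among: " + ", ".join(candidates))


if __name__ == "__main__":
    print("LOGTAIL =", repr(find_logtail()))
```

A script that resolves LOGTAIL this way works unchanged whichever package provided logtail, and still refuses to start with a clear message rather than failing later when it first tries to read the log.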
urcindalo (Guru; joined 08 Feb 2005; 553 posts; Almeria, Spain)
Posted: Tue Mar 28, 2006 3:28 pm

My iptables:
Code:
# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13436 1508K ACCEPT     all  --  any    any     localhost            anywhere
    0     0 ACCEPT     all  --  any    any     80-103-114-34.mad1.adsl.uni2.es  anywhere
   65  9912 ACCEPT     all  --  any    any     150.214.212.13       anywhere
 3669 3353K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ftp
    2    96 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:netbios-ns:netbios-ssn
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:426
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:1417:1420
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:5900:5902
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:5900:5902
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:5800:5802
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:5800:5802
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:5500:5502
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:5500:5502
 5335  616K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16348 packets, 1744K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     80-103-114-34.mad1.adsl.uni2.es  anywhere
    0     0 ACCEPT     all  --  any    any     150.214.212.13       anywhere


By the way, I see nothing when I run the command to get the list of tried login names indicated in the wiki:
Code:
machine log # grep "Failed" /var/log/auth.log | sed "s/.*for\( invalid user\)*\(.*\)\(from.*\)/\2/" | sort | uniq -c
machine log #


However they exist, as I mentioned in my previous post. Maybe there is a problem with the regex expressions and my auth.log output? But it is generated by syslog-ng... :?
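Why the wiki one-liner prints nothing on a log like the one quoted above: its first stage is grep "Failed", while the lines a dictionary run against non-existent accounts leaves behind read "Invalid user X from IP" and contain no "Failed" at all. The following added Python 3 example (not the wiki's pipeline and not blacklist.py) tallies the tried user names over both line shapes and reports, test-mode style, which pattern caught which lines and how many lines the grep stage would have passed on. The log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Added example, not part of blacklist.py or the wiki. The two line shapes in
# this thread that carry an attempted user name; only the first contains 'Failed'.
ATTEMPT_PATTERNS = [
    re.compile(r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )?(?P<user>\S+) from"),
    re.compile(r"Invalid user (?P<user>\S+) from"),
]


def attempted_usernames(lines):
    """Counter of user names tried, over both line shapes (the sort | uniq -c part)."""
    counts = Counter()
    for line in lines:
        for rx in ATTEMPT_PATTERNS:
            match = rx.search(line)
            if match:
                counts[match.group("user")] += 1
                break
    return counts


def match_report(lines):
    """Test-mode style coverage: how many lines each pattern caught, and how
    many lines no pattern caught. Returns (per_pattern_counts, unmatched)."""
    caught = [0] * len(ATTEMPT_PATTERNS)
    unmatched = 0
    for line in lines:
        for i, rx in enumerate(ATTEMPT_PATTERNS):
            if rx.search(line):
                caught[i] += 1
                break
        else:
            unmatched += 1
    return caught, unmatched


def lines_grep_would_see(lines, needle="Failed"):
    """What the wiki one-liner's grep stage passes on to sed."""
    return [line for line in lines if needle in line]


# Constructed sample in the shapes quoted in this thread (documentation addresses).
SAMPLE_AUTH_LOG = [
    "Mar 27 23:17:52 machine-name sshd[14107]: Did not receive identification string from 198.51.100.20",
    "Mar 27 23:21:39 machine-name sshd[14157]: Invalid user admin from 198.51.100.20",
    "Mar 27 23:21:41 machine-name sshd[14159]: Invalid user test from 198.51.100.20",
    "Mar 27 23:21:42 machine-name sshd[14161]: User guest not allowed because shell /dev/null is not executable",
    "Mar 27 23:21:44 machine-name sshd[14163]: Invalid user webmaster from 198.51.100.20",
    "Mar 27 23:21:47 machine-name sshd[14167]: Invalid user admin from 198.51.100.20",
    "Mar 27 23:30:00 machine-name sshd[14200]: Failed password for invalid user admin from 203.0.113.44 port 4022 ssh2",
    "Mar 27 23:30:05 machine-name sshd[14202]: Failed password for root from 203.0.113.44 port 4023 ssh2",
]

if __name__ == "__main__":
    caught, unmatched = match_report(SAMPLE_AUTH_LOG)
    for i, n in enumerate(caught):
        print("ATTEMPT_PATTERNS[ %d ]: caught %d line(s)" % (i, n))
    print("no pattern matched %d line(s)" % unmatched)
    print("grep Failed would pass on %d of %d lines" % (len(lines_grep_would_see(SAMPLE_AUTH_LOG)), len(SAMPLE_AUTH_LOG)))
    for user, n in attempted_usernames(SAMPLE_AUTH_LOG).most_common():
        print("%4d %s" % (n, user))
```

On this sample the grep stage keeps only 2 of the 8 lines, the "Invalid user" pattern catches 4 that grep discards, and the two lines nothing matches (the identification-string line and the not-allowed-shell line) are exactly the kind a regex list should be checked against in test mode before trusting the counts.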
Page 3 of 6