kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Tue Mar 14, 2006 6:21 pm

Just a quick suggestion.
Would be nice if the email subjects contained the hostname of the station that is triggering the email.
very nice work, though. i just started using this and the backup script you wrote. love em both!

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Tue Mar 14, 2006 7:33 pm

so, i got curious and wanted to add the hostname myself...
i'm not a python programmer, so if i'm screwing this up or if there's an easier way let me know...
But to add the hostname to the subject line of the email, this is what I did.
after the comments section, in the "import" section, add the following line:
Code:
import socket
in the variables area, add the following line:
Code:
HOST_NAME = socket.gethostname()
that'll give us the variable with the hostname in it. down in the section labeled "# mail list of IP blocked during this run", add the variable by changing this:
Code:
    p.write( "Subject: Too many SSH login failures from multiple IPs\n\n" )
else:
    p.write( "Subject: Too many SSH login failures from " + ip + "\n\n" )
to this:
Code:
    p.write( "Subject: " + HOST_NAME + ": Too many SSH login failures from multiple IPs\n\n" )
else:
    p.write( "Subject: " + HOST_NAME + ": Too many SSH login failures from " + ip + "\n\n" )
that should do it. now the emails will have the hostname in the subject line.

Robert S Guru
Joined: 15 Aug 2004 Posts: 460 Location: Canberra Australia
Posted: Tue Mar 14, 2006 8:19 pm

Nice little script. I had to get rid of the following lines in my /etc/ssh/sshd_config:
Quote:
AllowGroups ssh_users
.. and had to add the following:
Quote:
UsePAM no
UseDNS no
It would be nice if the regex was changed to allow "AllowGroups" and "UsePAM" to be set as an additional security measure. Any regex masters out there?
Also I had to add a space in SYSLOG_REGEX after ?:invalid user thus:
Quote:
SYSLOG_REGEX = r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Mar 15, 2006 1:05 am

well guys, you don't give me much time to test
thanks for the feedback so far.
version 0.4.4 is out.
recent changes:
2006-03-15
* Added new functionality to permit several regexes at once
* Added ftp regex
* Changed subject of the status mail to contain the hostname
* The mail now contains the port an IP is blocked on
* Correctly blocking out invalid users/login tries if the ssh daemon is configured with the "AllowUsers" variable
* Enhanced the test modus to support several loglines

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Mar 15, 2006 1:10 am

I'm not updating the wiki for another 16 hours or so. give it some time - the script section and the ftp download are up-to-date.
Please use the test modus/function to see if the (new) regexes are working for you. You may now easily add another regex to SSH_REGEX or FTP_REGEX (comma separated list) - although I don't think it's necessary.

carneboy n00b
Joined: 11 May 2004 Posts: 63 Location: Riverside, CA
Posted: Wed Mar 15, 2006 2:45 am

Thanks once again, it now works on the "script-kiddie" log lines, that constitute 90% of my auth.log.

PabOu Veteran
Joined: 11 Feb 2004 Posts: 1088 Location: Hélécine - Belgium
Posted: Wed Mar 15, 2006 12:27 pm

Nice script and howto ;)
But what about fail2ban ?

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Wed Mar 15, 2006 1:45 pm

Ok, I haven't upgraded to the latest version which was released last night, so if this is fixed in the new version just slap me upside the head.
Woke up this morning and had no emails from the blacklist script. The blacklist log file reported nobody being banned overnight. But looking at /var/log/auth.log, this was in there (en masse):
Code:
Mar 15 07:04:02 setii sshd[31699]: Invalid user teen from 201.6.252.173
Mar 15 07:04:02 setii sshd[31699]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:07 setii sshd[31705]: Invalid user theo from 201.6.252.173
Mar 15 07:04:07 setii sshd[31705]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:12 setii sshd[31707]: Invalid user teo from 201.6.252.173
Mar 15 07:04:12 setii sshd[31707]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:16 setii sshd[31709]: Invalid user theodora from 201.6.252.173
Mar 15 07:04:16 setii sshd[31709]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:21 setii sshd[31711]: Invalid user theodore from 201.6.252.173
Mar 15 07:04:21 setii sshd[31711]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:26 setii sshd[31713]: Invalid user valentin from 201.6.252.173
Mar 15 07:04:26 setii sshd[31713]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:31 setii sshd[31715]: Invalid user vali from 201.6.252.173
Mar 15 07:04:31 setii sshd[31715]: reverse mapping checking getaddrinfo for c906fcad.static.spo.virtua.com.br failed - POSSIBLE BREAKIN ATTEMPT!
Mar 15 07:04:36 setii sshd[31721]: Invalid user anna from 201.6.252.173
Why wasn't blacklist banning this guy?

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Mar 15, 2006 3:33 pm

kill[h]er wrote:
Why wasn't blacklist banning this guy?
because the guy uses a script which somehow does not generate ordinary loglines - in my opinion the script doesn't even try to authenticate ...
it's fixed now anyway.

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Wed Mar 15, 2006 3:44 pm

cool, i'll be upgrading to the new version today... figgered it'd be fixed there. just got worried.

Robert S Guru
Joined: 15 Aug 2004 Posts: 460 Location: Canberra Australia
Posted: Thu Mar 16, 2006 12:18 pm

The new version works fine now except I need to use the perl logtail script. Is there any chance of getting it to work with the binary version of logtail that comes with the logsentry package? I assume that being a binary it would put less load on my system than a perl script. I've been able to restore my sshd_config to its original form.
Also - perhaps the .pid file could be cleaned up on exit
An excellent piece of work!

evermind Guru
Joined: 10 Jan 2004 Posts: 322
Posted: Tue Mar 21, 2006 8:04 am

nice howto BlinkEye

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Mar 22, 2006 2:50 pm

I made some minor updates to the wiki. You may be interested in the advanced test modus section.

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Wed Mar 22, 2006 3:08 pm

Disclaimer - When reading this, keep these things in mind:
1) I'm not a Python expert, I'm a Perl man. So there might be better ways of doing what I'm doing, python-wise.
2) I'm not an ssh expert, so the string below might actually be used for something useful, so if you use this change, you might block out such use. Personally, I don't care, because the only people who should be using SSH on my server(s) shouldn't be nmap'ing or scanssh'ing me.
3) I'm not implying that Blinkeye should add this to his script, but if he wants to, he's free to!
------------
Ok, I've been watching this stuff pretty closely (this stuff being the ssh bruteforce attempts), and Blinkeye's Blacklist script is working great... but I've noticed that each bruteforce attempt by these kiddies is preceded by this:
Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133
This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me. Here are the changes I made:
Change the SSH_REGEX section:
Code:
SSH_REGEX = [
    r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
]
In the create_stat subroutine, add another if statement to check the user name (in this case we're using the term "identification" as a user name):
Code:
# no tolerance for a root login attempt
if ( match.group( 'user' ) == "root" ):
    entry[ 1 ] += PERMITTED_LOGIN_FAILURES
if ( match.group( 'user' ) == "identification" ):
    entry[ 1 ] += PERMITTED_LOGIN_FAILURES
And that's it. As soon as some idiot tries to nmap or scanssh -I you, they'll be blocked instantly for 10 minutes. This will cause their bruteforce scripts to fail, even though they initially get a response from you.

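As an added example (not code from this thread or from blacklist.py itself), the Python below runs the three-pattern SSH_REGEX list from the post above over a few constructed auth.log lines and applies the counting rule from create_stat, so you can see why a single "Did not receive identification string" line is enough to block an IP while "Invalid user" lines (the ones asked about later in the thread) need PERMITTED_LOGIN_FAILURES of them. The per-IP dictionary, the NO_TOLERANCE_USERS set and the `>=` threshold comparison are assumptions made here, not the script's own code.

```python
import re
from collections import defaultdict

# Pattern list in the shape of the script's SSH_REGEX, including the extra
# "Did not receive ... string" pattern; it captures "identification" as the user.
SSH_REGEX = [
    r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*"
    r"(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
]
COMPILED = [re.compile(pattern) for pattern in SSH_REGEX]

PERMITTED_LOGIN_FAILURES = 3
# Assumption: these "user" values get the immediate penalty described in the post.
NO_TOLERANCE_USERS = {"root", "identification"}

# Constructed sample lines (hostname, PIDs and addresses are made up).
SAMPLE_LOG = """\
Mar 22 02:07:46 host sshd[6383]: Did not receive identification string from 192.0.2.10
Mar 22 02:10:01 host sshd[6390]: Invalid user admin from 192.0.2.20
Mar 22 02:10:03 host sshd[6392]: Failed password for invalid user test from 192.0.2.20 port 4123 ssh2
Mar 22 02:10:05 host sshd[6394]: Invalid user oracle from ::ffff:192.0.2.20
Mar 22 02:11:00 host sshd[6400]: Failed password for alice from 192.0.2.30 port 5000 ssh2
Mar 22 02:11:30 host sshd[6402]: Accepted publickey for alice from 192.0.2.30 port 5001 ssh2
""".splitlines()

def parse_line(line):
    """Return (user, ip) from the first SSH_REGEX entry that matches, else None."""
    for regex in COMPILED:
        match = regex.search(line)
        if match:
            return match.group("user"), match.group("ip")
    return None

def create_stat(lines):
    """Count failures per source IP the way the post's create_stat change does:
    one point per matching line, plus PERMITTED_LOGIN_FAILURES extra when the
    captured user is a no-tolerance name, so one such line is enough to block."""
    failures = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. "Accepted publickey" lines are ignored
        user, ip = parsed
        failures[ip] += 1
        if user in NO_TOLERANCE_USERS:
            failures[ip] += PERMITTED_LOGIN_FAILURES
    return dict(failures)

def ips_to_block(lines):
    """IPs whose count reached the threshold (the >= comparison is an assumption)."""
    return sorted(ip for ip, count in create_stat(lines).items()
                  if count >= PERMITTED_LOGIN_FAILURES)

if __name__ == "__main__":
    for ip, count in sorted(create_stat(SAMPLE_LOG).items()):
        print(ip, count)
    print("block:", ips_to_block(SAMPLE_LOG))
```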
codejnki n00b
Joined: 08 Aug 2002 Posts: 36
Posted: Wed Mar 22, 2006 3:26 pm

kill[h]er wrote:
Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133
This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me.
I was wondering what those lines were. That makes a lot of sense though.

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Wed Mar 22, 2006 3:58 pm

codejnki wrote:
kill[h]er wrote:
Code:
Mar 22 02:07:46 setii sshd[6383]: Did not receive identification string from 202.28.25.133
This is (from all that i'm aware of) from nmap scans or scanssh with the -I option. After seeing this, the bruteforce attempts start about 3-5 mins later. So I decided to add an immediate block to anybody doing such a scan. I haven't found any legitimate use of ssh that causes that string to come across, so I use it to block any bozos trying to scan me.
I was wondering what those lines were. That makes a lot of sense though.
So was I. I'll investigate that. Thanks so far.

MatrixM n00b
Joined: 02 May 2005 Posts: 48 Location: Cyberspace
Posted: Wed Mar 22, 2006 10:02 pm

Robert S wrote:
The new version works fine now except I need to use the perl logtail script. Is there any chance of getting it to work with the binary version of logtail that comes with the logsentry package? I assume that being a binary it would put less load on my system than a perl script. I've been able to restore my sshd_config to its original form.
I've got it working with the logsentry logtail with no problems. The only thing I had to change was the location of logtail line in the script:
Code:
LOGTAIL = "/usr/bin/logtail"
instead of
Code:
LOGTAIL = "/usr/sbin/logtail"
With that one change, I don't get any problems stemming from logtail on my system. At least, I don't think I've downloaded the logtail perl script and installed it into /usr/bin on my system.

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Fri Mar 24, 2006 2:42 am

Just wanted to update yall... I added the nmap/scanssh blocking to my server's script 2.5 days ago. Since then I've had at least 10 "scans" that resulted in the immediate blocking of their IPs. I have had zero "bruteforce" attempts. This is looking promising.
(Not saying to remove the other checks, just that this one seems to be cutting them off at the knees.)

urcindalo l33t
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Tue Mar 28, 2006 8:27 am

Hi!
I got blacklist.py installed and activated (as an init script run after iptables). The thing is today I've seen this in my /var/log/auth.log:
Code:
Mar 27 23:17:52 machine-name sshd[14107]: Did not receive identification string from 69.70.19.226
Mar 27 23:21:39 machine-name sshd[14157]: Invalid user admin from 69.70.19.226
Mar 27 23:21:41 machine-name sshd[14159]: Invalid user test from 69.70.19.226
Mar 27 23:21:42 machine-name sshd[14161]: User guest not allowed because shell /dev/null is not executable
Mar 27 23:21:44 machine-name sshd[14163]: Invalid user webmaster from 69.70.19.226
Mar 27 23:21:47 machine-name sshd[14167]: Invalid user oracle from 69.70.19.226
Since blacklist.py is configured this way:
Code:
PERMITTED_LOGIN_FAILURES = 3
I assume blacklist only triggers ip blocking when a valid user tries to log in with an invalid password, but not when a non-existent user tries to log in, right? I say this because I've seen no messages from blacklist blocking the 69.70.19.226 ip.
So, are fail2ban and blacklist.py mutually exclusive? Or can I have both activated at the same time? I'd like to get rid also of those scans for valid users...

BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Tue Mar 28, 2006 9:13 am

You're using an old version. New versions (>=0.4.4) support catching of invalid users. To make sure have a look at the TestMode.

urcindalo l33t
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Tue Mar 28, 2006 10:02 am

Nope. Version is 0.4.5:
Code:
# cat blacklist.py | grep Version
# Version 0.4.5
There must be something else. This is the output after test mode:
Code:
* Entering test mode
* SSH_REGEX[ 0 ]: Caught ip "61.172.192.3 and username "sato"
* SSH_REGEX[ 0 ]: Caught ip "61.172.192.3 and username "sato"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 0 ]: Caught ip "152.149.148.115 and username "root"
* SSH_REGEX[ 1 ]: No match found
* FTP_REGEX[ 0 ]: Caught ip "206.222.29.194" and username "root"
* FTP_REGEX[ 0 ]: Caught ip "206.222.29.194" and username "root"
* SUCCESS: Sending mail from blacklist@localhost to root@localhost
The mail says "A test mail from blacklist.py". To me, it looks like test mode is working.
What else can I check?

kill[h]er n00b
Joined: 02 Sep 2003 Posts: 30
Posted: Tue Mar 28, 2006 1:43 pm

check and see if your iptables is being updated.

VelVet n00b
Joined: 09 Feb 2005 Posts: 21 Location: Belgium
Posted: Tue Mar 28, 2006 2:26 pm Post subject: error starting

I might be stupid :p but i just started using linux and i found this very useful,
However when i try to start the script i get
Code:
Traceback (most recent call last):
  File "./blacklist.py", line 227, in ?
    raise IOError, LOGTAIL + " is not executable"
IOError: /usr/sbin/logtail is not executable
though i emerged logsentry. any suggestions or help would be welcome

VelVet n00b
Joined: 09 Feb 2005 Posts: 21 Location: Belgium
Posted: Tue Mar 28, 2006 2:32 pm

never mind me, i found it
had to change
Code:
LOGTAIL = "/usr/sbin/logtail"
back to
Code:
LOGTAIL = "/usr/bin/logtail"

urcindalo l33t
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Tue Mar 28, 2006 3:28 pm

My iptables:
Code:
# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13436 1508K ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 80-103-114-34.mad1.adsl.uni2.es anywhere
65 9912 ACCEPT all -- any any 150.214.212.13 anywhere
3669 3353K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp-data
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
2 96 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:netbios-ns:netbios-ssn
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:426
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:microsoft-ds
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:1417:1420
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:5900:5902
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:5900:5902
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:5800:5802
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:5800:5802
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:5500:5502
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:5500:5502
5335 616K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16348 packets, 1744K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 80-103-114-34.mad1.adsl.uni2.es anywhere
0 0 ACCEPT all -- any any 150.214.212.13 anywhere
By the way, I see nothing when I run the command to get the list of tried login names indicated in the wiki:
Code:
machine log # grep "Failed" /var/log/auth.log | sed "s/.*for\( invalid user\)*\(.*\)\(from.*\)/\2/" | sort | uniq -c
machine log #
However they exist, as I mentioned in my previous post. Maybe there is a problem with the regex expressions and my auth.log output? But it is generated by syslog-ng...