Gentoo Forums
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies

VelVet
n00b
Joined: 09 Feb 2005
Posts: 21
Location: Belgium
PostPosted: Thu Mar 30, 2006 1:53 am

never mind, got everything to work
great script :-)

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Mon Apr 03, 2006 7:22 am

New observations of my blacklist's strange behaviour. Whenever I suffer an ssh attack, blacklist seems to stop running. I've checked this quite a few times. For instance, right now. I've just seen this in my /var/log/auth.log:
Code:
Apr  3 01:08:54 machine sshd[13008]: Invalid user {\\rtf1\\ansi\\ansicpg1252\\deff0{\\fonttbl{\\f0\\fswiss\\fcharset0 from 24.199.204.163
Apr  3 01:08:55 machine sshd[13010]: Invalid user {\\*\\generator from 24.199.204.163
Apr  3 01:08:56 machine sshd[13012]: Invalid user ak from 24.199.204.163
Apr  3 01:08:58 machine sshd[13014]: Invalid user asvn from 24.199.204.163
Apr  3 01:08:59 machine sshd[13016]: Invalid user atemp from 24.199.204.163
Apr  3 01:09:00 machine sshd[13018]: Invalid user aalyssa from 24.199.204.163
Apr  3 01:09:02 machine sshd[13020]: Invalid user amirion from 24.199.204.163
Apr  3 01:09:03 machine sshd[13022]: Invalid user azimbra from 24.199.204.163
Apr  3 01:09:13 machine sshd[13024]: Did not receive identification string from 24.199.204.163
Apr  3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr  3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr  3 04:40:04 machine sshd[13656]: Did not receive identification string from 201.247.150.165
Apr  3 04:46:29 machine sshd[13657]: Invalid user webmaster from 201.247.150.165
Apr  3 04:46:37 machine sshd[13661]: Invalid user ftp from 201.247.150.165
Apr  3 04:46:39 machine sshd[13663]: Invalid user sales from 201.247.150.165
Apr  3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr  3 04:46:47 machine sshd[13667]: Invalid user andrea from 201.247.150.165
Apr  3 04:46:57 machine sshd[13669]: Did not receive identification string from 201.247.150.165
Apr  3 04:40:04 machine sshd[13656]: Did not receive identification string from 201.247.150.165
Apr  3 04:46:29 machine sshd[13657]: Invalid user webmaster from 201.247.150.165
Apr  3 04:46:37 machine sshd[13661]: Invalid user ftp from 201.247.150.165
Apr  3 04:46:39 machine sshd[13663]: Invalid user sales from 201.247.150.165
Apr  3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165
Apr  3 04:46:47 machine sshd[13667]: Invalid user andrea from 201.247.150.165
Apr  3 04:46:57 machine sshd[13669]: Did not receive identification string from 201.247.150.165


Immediately after noticing last night's attack this morning, I checked whether blacklist was running, but it was not. The following commands have been run in a row:
Code:
# ps aux | grep black
root     14579  0.0  0.0   4056   816 pts/1    S+   09:05   0:00 grep black
# /usr/local/bin/blacklist.py &
[1] 14583
# Removing stale pidfile /var/run/blacklist.pid with pid 1348

# ps aux | grep black
root     14583  0.3  0.3  18664  3936 pts/1    S    09:05   0:00 /usr/bin/python /usr/local/bin/blacklist.py
root     14595  0.0  0.0   4056   804 pts/1    R+   09:05   0:00 grep black
#


However, it was running last night, because I had to re-activate it after it de-activated following the attacks on Sunday morning. Why does blacklist.py quit itself when an attack happens? I understand nothing :?

Andersson
Guru
Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden
PostPosted: Mon Apr 03, 2006 3:24 pm

urcindalo: Run in test mode and see if you get any error messages.

I had problems with it quitting also, for me it was that I had changed the regexp, but forgot to change <host> to <ip>.
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Mon Apr 03, 2006 4:51 pm

Thanks for your help.

Nope, I got no problems with test mode. Just look at these commands in a row:
Code:
# ps aux | grep black
root     10045  0.0  0.3  18432  3856 ?        Ss   15:59   0:00 /usr/bin/python /usr/local/bin/blacklist.py
root     14398  0.0  0.0   4056   808 pts/5    R+   18:39   0:00 grep black
# /usr/local/bin/blacklist.py "Apr  3 01:08:56 machine sshd[13012]: Invalid user ak from 24.199.204.163"

* Entering test mode
* SSH_REGEX[ 0 ]: No match found
* SSH_REGEX[ 1 ]: Caught ip "24.199.204.163 and username "ak"
* FTP_REGEX[ 0 ]: No match found
* SUCCESS: Sending mail from blacklist@localhost to root@localhost
# /usr/local/bin/blacklist.py "Apr  3 04:46:44 machine sshd[13665]: Invalid user admin from 201.247.150.165"

* Entering test mode
* SSH_REGEX[ 0 ]: No match found
* SSH_REGEX[ 1 ]: Caught ip "201.247.150.165 and username "admin"
* FTP_REGEX[ 0 ]: No match found
* SUCCESS: Sending mail from blacklist@localhost to root@localhost
# ps aux | grep black
root     10045  0.0  0.3  18432  3856 ?        Ss   15:59   0:00 /usr/bin/python /usr/local/bin/blacklist.py
root     14435  0.0  0.0   4056   800 pts/5    R+   18:40   0:00 grep black
#


The examples are real attacks from my previous post. I didn't change the regexes in the script. However, I did change this:
Code:
...
LOGTAIL = "/usr/bin/logtail"
...
PERMITTED_LOGIN_FAILURES = 3
BLOCKING_PERIOD = 604800 #seconds
SUSPECTING_PERIOD = 86400 #seconds
...
DATE_FORMAT = "%Y.%M.%d %X" # e.g.: 02.01.2006 23:49:12 (I changed it from %d.%m.%Y)
...
...
                system_command( IPTABLES + " --insert INPUT 4 --jump " + CUSTOM_CHAIN )
...


Notice the "--insert INPUT 4 --jump". The reason is my iptables config is:
Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  80.103.114.34        0.0.0.0/0
ACCEPT     all  --  150.214.212.13       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
...

and I want blacklist rules to be inserted after the rule for 150.214.212.13

kill[h]er
n00b
Joined: 02 Sep 2003
Posts: 30
PostPosted: Mon Apr 03, 2006 5:27 pm

If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Mon Apr 03, 2006 5:39 pm

kill[h]er wrote:
If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.


That's why I put it before that rule (intended as number 4), so that related/established will be number 5, unless I don't understand the syntax. Am I right or did I make a mistake?

BlinkEye
Veteran
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
PostPosted: Wed Apr 05, 2006 11:30 am

urcindalo wrote:
kill[h]er wrote:
If you put it after related/established, that could knock your own existing ssh sessions out for 10 mins too, if you aren't careful.


That's why I put it before that rule (intended as number 4), so that related/established will be number 5, unless I don't understand the syntax. Am I right or did I make a mistake?


[EDIT]
Like kill[h]er said, you most likely want it to be at number 5. You can easily verify the behaviour by running blacklist.py and then making a couple of login attempts yourself. I suggest you run it (without moving it into the background) and then do some login failures and tell us what's happening. If it crashes you should see a debug output ...
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick


Last edited by BlinkEye on Wed Apr 05, 2006 1:30 pm; edited 1 time in total

kill[h]er
n00b
Joined: 02 Sep 2003
Posts: 30
PostPosted: Wed Apr 05, 2006 1:10 pm

Maybe I'm wrong, but I don't think so.

From what I know of iptables, it goes down the list and looks for a match. If a match occurs, it executes the entry.

So if you get to the blacklist chain before you get to the established/related chain, then if your IP is in the blacklist chain as a drop, it will drop your connections and stop processing the chain (i.e., it won't bother looking at the established/related rule).

But like BlinkEye said, try it out and let us all know...
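As an added illustration of the rule-order point kill[h]er and BlinkEye make (this is not code from the thread or from blacklist.py, and it is not iptables itself), the following Python model walks an INPUT chain laid out like the one urcindalo posted, with first-match semantics and a jump into a user chain that returns to the caller when nothing in it matches. The positions, the addresses (documentation ranges) and the chain contents are constructed assumptions. It shows that with the BLACKLIST jump inserted at position 4 an already-established session from a blocked address is dropped, while at position 5 the RELATED,ESTABLISHED rule accepts it first; it also shows that a DROP rule limited to dport 22 leaves other ports to the chain's later rules, which is the all-ports question urcindalo raises further down the page.

```python
"""Toy first-match model of an iptables INPUT chain plus a user-defined
BLACKLIST chain. Added example, not the thread's script and not iptables."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP, REJECT or a user chain
    source: Optional[str] = None          # exact source address, None = any
    proto: Optional[str] = None           # "tcp"/"udp", None = any
    dport: Optional[int] = None           # destination port, None = any
    states: FrozenSet[str] = frozenset()  # conntrack states, empty = any


@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    state: str                            # NEW, ESTABLISHED or RELATED


Chains = Dict[str, dict]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule specifies must hold, as in iptables."""
    if rule.source is not None and rule.source != pkt.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def traverse(chains: Chains, name: str, pkt: Packet) -> Optional[str]:
    """Walk a chain top to bottom; the first matching terminating target wins.
    A matching jump enters the user chain; if that chain falls off its end
    (no match) control returns here and traversal continues. A built-in chain
    that falls off its end yields its policy; a user chain yields None."""
    chain = chains[name]
    for rule in chain["rules"]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in chains:             # jump to a user-defined chain
            verdict_from_chain = traverse(chains, rule.target, pkt)
            if verdict_from_chain is not None:
                return verdict_from_chain
            continue                           # implicit RETURN: keep walking
        return rule.target
    return chain["policy"]


def build_chains(insert_at: int, blocked_ip: str) -> Chains:
    """INPUT chain shaped like the one in the thread, with the BLACKLIST jump
    inserted at 1-based position insert_at, as 'iptables --insert INPUT <n>
    --jump BLACKLIST' would do. Trusted hosts are constructed addresses."""
    rules: List[Rule] = [
        Rule("ACCEPT", source="127.0.0.1"),
        Rule("ACCEPT", source="198.51.100.10"),          # constructed trusted host
        Rule("ACCEPT", source="198.51.100.20"),          # constructed trusted host
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
        Rule("REJECT"),
    ]
    rules.insert(insert_at - 1, Rule("BLACKLIST"))
    return {
        "INPUT": {"policy": "ACCEPT", "rules": rules},
        # what blacklist.py adds per offender: a DROP limited to the ssh port
        "BLACKLIST": {"policy": None,
                      "rules": [Rule("DROP", source=blocked_ip,
                                     proto="tcp", dport=22)]},
    }


def verdict(insert_at: int, pkt: Packet, blocked_ip: str = "203.0.113.7") -> str:
    """Verdict the INPUT chain gives pkt with BLACKLIST jumped to at insert_at."""
    return traverse(build_chains(insert_at, blocked_ip), "INPUT", pkt)


if __name__ == "__main__":
    established = Packet("203.0.113.7", "tcp", 22, "ESTABLISHED")
    fresh = Packet("203.0.113.7", "tcp", 22, "NEW")
    other_port = Packet("203.0.113.7", "tcp", 80, "NEW")
    for pos in (4, 5):
        print(f"BLACKLIST at position {pos}: established={verdict(pos, established)} "
              f"new ssh={verdict(pos, fresh)} new port 80={verdict(pos, other_port)}")
```

Only the established-session case changes between the two positions; new ssh connections from the blocked address are dropped either way. The cost of position 5 is that an attacker's already-open session is not cut by the new rule until it ends, which is the same property that keeps the administrator's own session alive.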

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Wed Apr 05, 2006 2:00 pm

BlinkEye wrote:
Like kill[h]er said, you most likely want it to be at number 5. You can easily verify the behaviour by running blacklist.py and then making a couple of login attempts yourself. I suggest you run it (without moving it into the background) and then do some login failures and tell us what's happening. If it crashes you should see a debug output ...


OK. I changed it to number 5 and ran it in the foreground:
Code:
# ./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 15174


Then I tried to login remotely with a fake username from an OS X box:
Code:
$ ssh -l fakeuser mymachine.mydomain
Password:
Password:
Password:
Permission denied (publickey.keyboard-interactive).
$


And I saw blacklist in my Gentoo box failing this way:
Code:
# ./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 15174

Traceback (most recent call last):
  File "./blacklist.py", line 298, in ?
    scan()
  File "./blacklist.py", line 166, in scan
    create_stat( regex_matches, ssh_list, ssh_list_blocked, len( re_ssh.findall( new_log_entries ) )/100, SSH_PORT )
  File "./blacklist.py", line 150, in create_stat
    block( ip_list_blocked[ 0 ][ 0 ], BLOCKING_PERIOD + delay, port )
  File "./blacklist.py", line 98, in block
    system_command( IPTABLES + " --insert " + CUSTOM_CHAIN + " --source " + ip + " --protocol tcp --dport " + str( port ) + " --jump TARPIT" )
  File "./blacklist.py", line 87, in system_command
    raise IOError( return_value[ 1 ] )
IOError: iptables: No chain/target/match by that name

# ps aux | grep black
root     15323  0.0  0.0   4056   804 pts/2    R+   15:55   0:00 grep black
#


As you can see, it quit after the "IOError: iptables: No chain/target/match by that name" error.

How could I solve it? Again, my iptables are:
Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  80.103.114.34        0.0.0.0/0
ACCEPT     all  --  150.214.212.13       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:137:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:426
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1417:1420
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5900:5902
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5900:5902
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5800:5802
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5800:5802
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5500:5502
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5500:5502
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  80.103.114.34        0.0.0.0/0
ACCEPT     all  --  150.214.212.13       0.0.0.0/0

BlinkEye
Veteran
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
PostPosted: Wed Apr 05, 2006 3:17 pm

Please try replacing TARPIT with REJECT.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Wed Apr 05, 2006 4:15 pm

I replaced TARPIT with DROP (I don't wanna give'em a clue ;) ), and now it didn't quit after trying to login with a fake user.
What's more, now I see this in iptables:
Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  80.103.114.34        0.0.0.0/0
ACCEPT     all  --  150.214.212.13       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:137:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:426
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1417:1420
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5900:5902
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5900:5902
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5800:5802
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5800:5802
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5500:5502
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:5500:5502
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  80.103.114.34        0.0.0.0/0
ACCEPT     all  --  150.214.212.13       0.0.0.0/0

Chain BLACKLIST (1 references)
target     prot opt source               destination
DROP       tcp  --  192.168.12.147       0.0.0.0/0           tcp dpt:22


It seems it is working, at last!!
Thanks for your help.

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Thu Apr 06, 2006 7:48 am

Blacklist is now working beautifully. This morning I saw a blocked-out ip :) So, I would like to thank BlinkEye for his impressive work.

I got a request that maybe is off-topic (since this is an ssh/ftp thread). I receive sometimes vnc attacks, also. Since I don't want to close that port, would it be possible to include in blacklist some kind of vnc regex?

Freman
n00b
Joined: 04 May 2005
Posts: 27
PostPosted: Thu Apr 06, 2006 8:36 am

I cheated, I simply patched openssh to call a pre-configured executable file (be it script or what not) with the IP address on Invalid User.

The script saves which IPs it has blocked to a file, and if it hasn't blocked the IP passed to it, it'll add it to iptables.

Works GREAT, I even made an ebuild including patch for ease of installing across my entire network (c:

Only get one log entry per IP, it's blocked as fast as it starts.
_________________
To err is human... but to truly mess things up you need a computer

kill[h]er
n00b
Joined: 02 Sep 2003
Posts: 30
PostPosted: Thu Apr 06, 2006 12:05 pm

Quote:
I got a request that maybe is off-topic (since this is an ssh/ftp thread). I receive sometimes vnc attacks, also. Since I don't want to close that port, would it be possible to include in blacklist some kind of vnc regex?


If they are attacking ssh and vnc at the same time, blacklist will already block them out of your system entirely for the timeout period you defined (10 mins default). If they are just attacking VNC, and if the VNC attacks log to /var/log/auth.log then you could add a regex to the script, and if done right it should block them out entirely as well.

If they are doing nmap scans before attacking your ssh or vnc or both, then if you add the portions I posted before, they'll be blocked for 10 mins (default) immediately, and won't get the chance to attack ssh or vnc.

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Thu Apr 06, 2006 3:12 pm

kill[h]er wrote:
If they are doing nmap scans before attacking your ssh or vnc or both, then if you add the portions I posted before, they'll be blocked for 10 mins (default) immediately, and won't get the chance to attack ssh or vnc.


I modified blacklist.py with your HOST_NAME feature, launched it and I got no error, so I suppose it is working.

Then I went on and modified it again to detect nmap scans. However, I get this error when launching the re-modified script:
Code:
 ./blacklist.py
Removing stale pidfile /var/run/blacklist.pid with pid 8300

Traceback (most recent call last):
  File "./blacklist.py", line 303, in ?
    scan()
  File "./blacklist.py", line 169, in scan
    re_ssh = re.compile( SSH_REGEX[ i ] )
  File "/usr/lib/python2.4/sre.py", line 180, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python2.4/sre.py", line 227, in _compile
    raise error, v # invalid expression
sre_constants.error: redefinition of group name 'user' as group 3; was group 1


My modified lines look like this:
Code:
.....
SSH_REGEX =     [
                                                        r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<$
                                                        r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\$
                                                        r"Did not receive (?P<user>.*) string from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}$
                                ]

.......
                # no tolerance for a root login attempt
                if ( match.group( 'user' ) == "root" ):
                        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
                if ( match.group( 'user' ) == "identification" ):
                        entry[ 1 ] += PERMITTED_LOGIN_FAILURES


Since your modifications were intended for a previous script version, I wonder if the "user" definition changed somehow in the new script, causing your modifications to fail... :?:

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Thu Apr 06, 2006 3:21 pm

Apart from what I just wrote in the previous post, I'd like to add this comment:

kill[h]er wrote:
If they are just attacking VNC, and if the VNC attacks log to /var/log/auth.log then you could add a regex to the script, and if done right it should block them out entirely as well.


Well, that's the problem. I don't know where the vnc login attempts go. I've just tried to connect to my box using fake vnc passwords and the connection gets refused. However, I see nothing vnc related in /var/log/auth.log nor in /var/log/messages. Even if the connection is successful I see no vnc entries in those files.

Does anybody know where I can look for them?

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Sun Apr 09, 2006 2:07 pm

One more question (the ones posted immediately before this post are still unanswered :cry: ).

In the wiki you can read this:
Quote:
UPDATE: You may safely reset your iptable rules while running blacklist.py. It will (re)add its needed rules automatically when blocking the next IP.


One of my rules relates to my home box, which has a dynamic ip. So, I signed up with no-ip.com and assigned it to my-machine.no-ip.org, which is the actual address I set up in my iptables.conf file. However, every time I reboot my DSL modem-router I'm assigned a different ip, so my-machine.no-ip.org points to a different ip periodically. To make the iptables rule regarding my home machine always point to the correct ip address, I added a cron job to "iptables-restore iptables.conf" every day.

My question is: will any pre-existing BLACKLIST rules in iptables be flushed after cron execs iptables-restore? I interpret it will be in fact the case from the quote above, although I'd like very much to be wrong.

Is there any better way of updating my my-machine.no-ip.org rule without losing pre-existing blacklist rules?

BlinkEye
Veteran
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
PostPosted: Sun Apr 09, 2006 7:52 pm

urcindalo wrote:
One more question (the ones posted immediately before this post are still unanswered :cry: ).

In the wiki you can read this:
Quote:
UPDATE: You may safely reset your iptable rules while running blacklist.py. It will (re)add its needed rules automatically when blocking the next IP.


One of my rules relates to my home box, which has a dynamic ip. So, I signed up with no-ip.com and assigned it to my-machine.no-ip.org, which is the actual address I set up in my iptables.conf file. However, every time I reboot my DSL modem-router I'm assigned a different ip, so my-machine.no-ip.org points to a different ip periodically. To make the iptables rule regarding my home machine always point to the correct ip address, I added a cron job to "iptables-restore iptables.conf" every day.

My question is: will any pre-existing BLACKLIST rules in iptables be flushed after cron execs iptables-restore? I interpret it will be in fact the case from the quote above, although I'd like very much to be wrong.

Is there any better way of updating my my-machine.no-ip.org rule without losing pre-existing blacklist rules?

Well, if your IP changes it won't really matter if you continue to block out IPs from previous attacks because it would be quite a coincidence if exactly such a blocked IP would start to attack your new IP. And even if it did, they could try a couple of times and then will (again) be blocked out. This restore would only affect the 10 minutes before your IP change which is 1/144 each day ... Nothing to worry about :wink:.

So, no, it won't add any pre-existing iptables. What I tried to say was it will add the needed CHAIN again (this comment was related to an earlier version where the CHAIN was only added once when starting the script).
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Sun Apr 09, 2006 9:20 pm

BlinkEye wrote:
Well, if your IP changes ...

So, no, it won't add any pre-existing iptables.


Well, it does NOT change at my Gentoo box (at work), the one running blacklist. I got a static ip.

What I said (or tried to) was that I've added an iptables rule for my box at home to never be excluded from accessing my work computer. My home box is the one with a dynamic ip. Why should I add a rule to one of my computers, in the first place? Because I recently replaced my long-time-used passwd with a new pretty long one, and sometimes I just forget it :lol: Since I set the PERMITTED_LOGIN_FAILURES to 3, that allows me only for one mistake (old passwd), one typo and any other sort of wrong input (maybe CAPS key activated?) before denying me the access for A WEEK (yeah, I'm drastic here ;) ) So, I decided that rule would someday be useful.

From your explanation I see I was correctly interpreting your wiki. So, I'm going to reduce the blocking period to match the cron job restoring iptables. It's nonsense to set it up any longer.

The ideal would be to create a script to update only that particular rule, not the whole iptables. However, I'm no programmer and don't know how to do that :cry:

urcindalo
l33t
Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain
PostPosted: Mon Apr 17, 2006 9:34 am

It's me again :roll: It seems I'm monopolizing the thread :lol:

Anyway, first of all I must thank again BlinkEye for his work. It's working like a charm. And I also want to thank kill[h]er. His modifications are now working perfectly. I just made a typo in the ssh regex when inserting them. I also completely removed the reference to my dynamic-address home box in my office box's iptables.conf, since it was causing more trouble than good.

My question is: what must I change in the script to deny access in the blacklist rules to ALL ports, not only to the ssh or ftp port? I just want to deny access to any port to those ssh or ftp brute-force attacking addresses, but not to anyone (including myself) that might make a mistake typing a password. Thanks.

brfsa
Tux's lil' helper
Joined: 01 Aug 2005
Posts: 121
Location: Brazil
PostPosted: Mon Apr 17, 2006 6:17 pm

Extremely nice post...

I read it long ago, but only now that some Chinese hackers started to brute force the server at college, I took a tough look at this tutorial.

I backtraced hackers from China and Korea mainly, and some from Malaysia...

brfsa
Tux's lil' helper
Joined: 01 Aug 2005
Posts: 121
Location: Brazil
PostPosted: Mon Apr 24, 2006 5:06 pm

I like this script... very nice.

When is a new version that will support more types of DoS blocking coming out?

How to block those attempts of wrong password for an allowed user???

for example:
Quote:

Apr 23 08:40:18 athlon sshd(pam_unix)[21158]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=fred
Apr 23 08:40:19 athlon sshd[21153]: error: PAM: Authentication failure for fred from localhost
Apr 23 08:40:19 athlon sshd[21153]: Excess permission or bad ownership on file /var/log/btmp


8)

scottevil
n00b
Joined: 29 Apr 2006
Posts: 6
PostPosted: Sat Apr 29, 2006 9:12 pm

Great script, made a couple of regexes and it's on, doing its blocking and so forth...

I'm using proftpd, the log was slightly different,

Code:

Apr 29 09:01:20 poo sshd[21523]: Invalid user erick from 200.31.27.182
Apr 29 08:32:18 poo proftpd[5617]: localhost (test.com[70.85.121.242]) - USER asdf: no such user found from test.com [70.85.121.242] to 127.0.01:21


Code:

proftpd:
r"proftpd(?:.*)\slocalhost(?:.*)\sUSER\s(?P<user>.*)[:]\sno such user found from(?:.*)\[(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"

sshd:
r"Invalid user (?P<user>.*)\sfrom\s(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


Anyway, thought I would throw out those regexes for anyone who has the same log format as I do.

Thanks for the script, I think I'll add a section in it for <start> <restart> <stop> ..
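The regex problems in this thread (urcindalo's duplicated "user" group, Andersson's regex with <host> where the script expects <ip>, scottevil's proftpd pattern) and the per-IP counting blacklist.py does against PERMITTED_LOGIN_FAILURES all come together in the following added Python example. It is not code from blacklist.py or from any poster: the patterns, the extra weight given to root attempts and banner-less probes, the block-after-N rule and the sample log lines (documentation-range addresses) are assumptions modelled on what the posts describe. It compiles and checks every pattern at startup, so a bad regex is reported by name instead of crashing the daemon on the first matching log line as happened above.

```python
"""Parse auth-log lines with named-group regexes, validate the patterns up
front, and tally failures per source IP. Added example; the patterns and the
thresholds are assumptions, not blacklist.py's own."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per log-line shape seen in the thread. Every pattern must define
# the groups 'user' and 'ip', because later code looks them up by name.
PATTERNS = {
    "ssh_invalid_user":
        r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?:::ffff:)?" + IP,
    "ssh_failed_auth":
        r"sshd\[\d+\]: Failed (?:none|password|keyboard-interactive/pam) for "
        r"(?:invalid user )?(?P<user>\S+) from (?:::ffff:)?" + IP,
    "ssh_no_ident":   # probe that never sent a client banner; 'user' is a marker
        r"sshd\[\d+\]: Did not receive (?P<user>identification) string from "
        r"(?:::ffff:)?" + IP,
    "proftpd_no_user":
        r"proftpd\[\d+\]: .*USER (?P<user>\S+): no such user found from .*\["
        + IP + r"\]",
}
REQUIRED_GROUPS = {"user", "ip"}
PERMITTED_LOGIN_FAILURES = 3   # assumed semantics: the N-th failure is tolerated


def compile_patterns(patterns: Dict[str, str]) -> dict:
    """Compile every pattern at startup and name the offender on failure.
    Catches both mistakes reported in the thread: a group name used twice in
    one pattern (re.error 'redefinition of group name') and a renamed group
    such as <host> that the rest of the script would look up as 'ip'."""
    compiled = {}
    for name, pat in patterns.items():
        try:
            rx = re.compile(pat)
        except re.error as exc:
            raise ValueError(f"{name}: invalid regex: {exc}") from exc
        missing = REQUIRED_GROUPS - set(rx.groupindex)
        if missing:
            raise ValueError(f"{name}: missing named group(s) {sorted(missing)}")
        compiled[name] = rx
    return compiled


def parse_line(line: str, compiled: dict) -> Optional[Tuple[str, str, str]]:
    """Return (pattern name, user, ip) for a failure line, else None."""
    for name, rx in compiled.items():
        m = rx.search(line)
        if m:
            return name, m.group("user"), m.group("ip")
    return None


def tally(lines, compiled: dict, permitted: int = PERMITTED_LOGIN_FAILURES) -> Dict[str, int]:
    """Weight failures per source IP. As in the thread's modification, a root
    attempt or a banner-less probe adds 'permitted' on top of the usual 1, so
    a single such event already exceeds the threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        hit = parse_line(line, compiled)
        if hit is None:
            continue
        _, user, ip = hit
        counts[ip] += 1
        if user in ("root", "identification"):
            counts[ip] += permitted
    return dict(counts)


def to_block(counts: Dict[str, int], permitted: int = PERMITTED_LOGIN_FAILURES) -> List[str]:
    """Addresses whose weighted failures exceed the permitted number."""
    return sorted(ip for ip, n in counts.items() if n > permitted)


def block_command(ip: str, port: int = 22, chain: str = "BLACKLIST") -> List[str]:
    """Argument vector mirroring the rule blacklist.py inserts, with DROP as
    the target the thread settled on. Built here, not executed."""
    return ["iptables", "--insert", chain, "--source", ip,
            "--protocol", "tcp", "--dport", str(port), "--jump", "DROP"]


def pattern_error(pattern: str) -> str:
    """Validation message a candidate pattern produces, or '' if it is fine."""
    try:
        compile_patterns({"candidate": pattern})
    except ValueError as exc:
        return str(exc)
    return ""


# Constructed sample log: documentation-range addresses, not real attackers.
SAMPLE_LOG = """\
Apr  3 01:08:54 host sshd[13008]: Invalid user ak from 203.0.113.5
Apr  3 01:08:55 host sshd[13010]: Invalid user asvn from 203.0.113.5
Apr  3 01:08:56 host sshd[13012]: Invalid user atemp from 203.0.113.5
Apr  3 01:08:57 host sshd[13014]: Invalid user admin from 203.0.113.5
Apr  3 01:09:13 host sshd[13024]: Did not receive identification string from 203.0.113.9
Apr  3 04:46:29 host sshd[13657]: Failed password for root from ::ffff:198.51.100.77 port 4022 ssh2
Apr  3 09:12:01 host sshd[14001]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Apr 29 08:32:18 host proftpd[5617]: localhost (test.example[203.0.113.40]) - USER asdf: no such user found from test.example [203.0.113.40] to 127.0.0.1:21
Apr  3 09:13:00 host sshd[14010]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
"""


def run_sample() -> Tuple[Dict[str, int], List[str]]:
    """Tally the constructed log and return (counts, addresses to block)."""
    compiled = compile_patterns(PATTERNS)
    counts = tally(SAMPLE_LOG.splitlines(), compiled)
    return counts, to_block(counts)


if __name__ == "__main__":
    counts, blocked = run_sample()
    print(counts)
    for ip in blocked:
        print(" ".join(block_command(ip)))
    # the thread's two failure modes, reported at startup instead of at crash time
    print(pattern_error(r"(?P<user>\S+) from (?P<user>\S+) " + IP))
    print(pattern_error(r"Invalid user (?P<user>\S+) from (?P<host>\S+)"))
```

The only address that is not blocked after repeated failures is alice's, with a single wrong password, which is the distinction urcindalo asks for between a brute-forcer and a user who mistypes. The weighting of root and banner-less probes is the one change the thread discussed; a real deployment would also expire entries after BLOCKING_PERIOD, which this example leaves out.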

eyeL
Tux's lil' helper
Joined: 13 Nov 2005
Posts: 82
Location: Missouri
PostPosted: Sat May 06, 2006 8:25 pm

Good idea. I've been working on my own version of this. I have a bash script to parse my logs for brute attempts, save them into a file, and then a perl script to run a regex through and harvest the IPs, then another script that reads that script line by line and adds a rule to my IPTables to ban them, and then emails me the IP and port which they are banned from. It also includes a DNS lookup, and a whois report, and it gives me the abuse email for their ISP, and then sends out an automated message containing logs of their intrusion attempts. It all runs in cron at midnight each night.

edit;

Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


you wouldn't even need a regex like that, you could just
Code:
import os
# the closing quote and parenthesis were missing in the posted line
os.system("cat /log/file/ | grep \"Invalid user\" > /invalid/users/file")

_________________
[theNPA - down for updates] | [Adopt an unanswered post]
gentoo 2005.1 [lazy] - gcc 4.1.1

BlinkEye
Veteran
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
PostPosted: Mon May 08, 2006 2:36 pm

eyeL wrote:

Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


you wouldn't even need a regex like that, you could just
Code:
import os
os.system("cat /log/file/ | grep \"Invalid user\" > /invalid/users/file")

Yes I do. This regex catches not only the line but especially the user and host for later use (iptables).
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick

Page 4 of 6