xoomix Guru
Joined: 02 Jan 2003 Posts: 489
Posted: Fri Jun 09, 2006 4:58 pm Post subject: Request ...

Has anyone modified this script yet to block port 80 after matching strings from the apache logs? That could be so useful to me - just wish I knew how to go about it.
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Fri Jun 09, 2006 5:13 pm Post subject:

This is not a support forum.
However, check www.pettingers.org to block port 80 stuff.
xoomix Guru
Joined: 02 Jan 2003 Posts: 489
Posted: Sat Jun 10, 2006 11:46 am Post subject:

magic919 wrote: | This is not a support forum.
However, check www.pettingers.org to block port 80 stuff. |
It's pretty apparent that everyone comes here for questions/answers - what is that if it's not support? This entire thread is made up specifically of posts from people asking the author how to get his script working and/or configured to do certain things, so I am not sure where you are coming from.
As far as the link you provided, thanks for the thought, but I could not find anything there that addresses my specific question, which was "Has anyone modified this script yet to block port 80 after matching strings from the apache logs?" - meaning blacklist.py. I guess it's possible that it's there but for some reason I just can't find it.
xoomix Guru
Joined: 02 Jan 2003 Posts: 489
Posted: Sat Jun 10, 2006 11:55 am Post subject: I see ...

I see now where you are coming from about this not being a support forum (the sticky post) - I did feel it rather strange that I was the only one in there that got a comment on it not being a support forum - go through the thread and count up how many question marks there are in there (people asking questions) - go figure.
xoomix Guru
Joined: 02 Jan 2003 Posts: 489
Posted: Sat Jun 10, 2006 12:05 pm Post subject: Anywho ...

For anyone interested I started a new topic under the unsupported software forum:
Code: | http://forums.gentoo.org/viewtopic-t-470094-highlight-.html |
This is me specifically asking, again, if anyone's configured blacklist.py to do port 80 stuff.
Please feel free to add/reply to that.
Biker Apprentice
Joined: 11 Jun 2003 Posts: 170 Location: A very dark, cold and moisty place...
Posted: Fri Jun 16, 2006 10:52 am Post subject:

Great script.
If you have logrotate installed you may consider dropping:
Code: | /var/log/blacklist.log {
    daily
    missingok
    notifempty
}
|
into a file named /etc/logrotate.d/blacklist
Biker
_________________
The Internet never forgets.
Where 'never' points in the direction of a moment in the very, very far future.
skakz Guru
Joined: 03 Jul 2004 Posts: 380 Location: Ischia/Napoli/Italia/Terra
Posted: Sun Jun 25, 2006 3:25 pm Post subject:

hi all!
this tool is powerful!!!!
please check here.. i have modified this script to support http protocol too.
anyway all thanks goes to BlinkEye!!!
_________________
Linux Registered User n.340423
Linux User Group Ischia
www.tush.it
Robert S Guru
Joined: 15 Aug 2004 Posts: 460 Location: Canberra Australia
Posted: Thu Aug 31, 2006 11:34 am Post subject:

This script doesn't seem to work any longer for me. I can still log in after repeated failures. It used to work fine. I suspect it's an iptables problem. After repeated incorrect passwords from 192.168.2.20:
Quote: | # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
41981 24M ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
253 23657 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
1003 167K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x17/0x02
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 flags:0x17/0x02
<etc etc>
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
24 1872 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `iptables:' queue_threshold 1
24 1872 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 51938 packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain BLACKLIST (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 202.67.151.139 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 192.168.2.20 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
|
Despite this I am still able to log in from my PC at 192.168.2.20. I assume that the reason for 202.67.151.139 being repeatedly rejected is that whoever is at that address is not being blocked.
Unfortunately I'm not cluey enough about iptables to solve this.
Also - at certain times my iptables rules get mysteriously dropped, i.e.:
Quote: | # iptables -nvL |less
Chain INPUT (policy ACCEPT 2339 packets, 750K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 64608 packets, 27M bytes)
pkts bytes target prot opt in out source destination
Chain BLACKLIST (0 references)
pkts bytes target prot opt in out source destination
|
- with no intervention on my part.
Can anybody help?
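The tell in the output above is the line "Chain BLACKLIST (0 references)": no rule in INPUT jumps to BLACKLIST, so its REJECT rules sit in a chain that is never evaluated and 192.168.2.20 gets through regardless. As an added example (not code from the thread or from blacklist.py), this parser reads `iptables -nvL` output, here a constructed sample modelled on the listing above, and flags user-defined chains that hold rules but have no references, before and after a jump is added with `iptables -I INPUT -j BLACKLIST`:

```python
import re

# Constructed sample modelled on the `iptables -nvL` output quoted above
# (same chain names and rule shapes; not a capture from that machine).
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
41981   24M ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
   24  1872 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51938 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BLACKLIST (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       192.168.2.20         0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
"""

# The same table after `iptables -I INPUT -j BLACKLIST`: INPUT now carries a
# jump to the chain and the kernel reports one reference.
JUMP_RULE = "    0     0 BLACKLIST  all  --  *      *       0.0.0.0/0            0.0.0.0/0\n"
FIXED_OUTPUT = (SAMPLE_OUTPUT
                .replace("Chain BLACKLIST (0 references)", "Chain BLACKLIST (1 references)")
                .replace("41981   24M ACCEPT", JUMP_RULE + "41981   24M ACCEPT"))

# "Chain NAME (policy ...)" marks a built-in chain, "Chain NAME (N references)" a user one.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+ .*|(\d+) references)\)$")

def parse_chains(text):
    """Map chain name -> {"builtin": bool, "references": int, "rules": [{target, source}]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            refs = m.group(2)
            current = chains[m.group(1)] = {
                "builtin": refs is None,
                "references": int(refs) if refs is not None else 0,
                "rules": [],
            }
        elif current is not None and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination [extra]
            current["rules"].append({"target": f[2], "source": f[7]})
    return chains

def dead_chains(chains):
    """User chains that hold rules but are never jumped to: their rules can never
    fire. This is exactly what "Chain BLACKLIST (0 references)" means."""
    return sorted(name for name, c in chains.items()
                  if not c["builtin"] and c["rules"] and c["references"] == 0)

def jumps_to(chains, target):
    """Chains that contain a rule whose target is `target`."""
    return sorted(name for name, c in chains.items()
                  if any(r["target"] == target for r in c["rules"]))
```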
Robert S Guru
Joined: 15 Aug 2004 Posts: 460 Location: Canberra Australia
Posted: Wed Sep 13, 2006 11:59 am Post subject:

This seems to have solved the problem. I've changed "yes" to "no":
Quote: | $ cat /etc/conf.d/iptables
SAVE_ON_STOP="no" |
It looks as if the saved iptables rules have mucked up the script when it restarts.
mudrii l33t
Joined: 26 Jun 2003 Posts: 789 Location: Singapore
Posted: Sat May 26, 2007 7:16 am Post subject:

Nice script, jumping into it for trial.
_________________
www.gentoo.ro
Ishiki Tux's lil' helper
Joined: 31 Aug 2005 Posts: 86
Posted: Mon Jun 04, 2007 12:57 pm Post subject:

Magnificent script!
Thank you very much.
predatorfreak l33t
Joined: 13 Jan 2005 Posts: 708 Location: USA, Michigan.
Posted: Tue Jun 05, 2007 2:50 pm Post subject:

In my own experience, using iptables' recent match support you can achieve the same results (blocks all bruteforce attempts at SSH) without parsing ANY logs. It also doesn't require any fancy blacklist or somesuch; iptables will keep the blacklist internal until the host in question has stopped ramming ports, and if they continue to port ram, they're banned for longer periods of time.
In practice, this works extremely well. I use something to this effect on my server, although it's wrapped in my iptables system that handles pretty much all my firewall rules.
Here's a basic example of iptables recent match being used to defeat bruteforce attacks:
Code: | iptables -N BRUTEFORCE_DEFEAT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRUTEFORCE_DEFEAT
iptables -A BRUTEFORCE_DEFEAT -m recent --update --seconds 15 -j DROP
iptables -A BRUTEFORCE_DEFEAT -m recent --set -j RETURN |
Of course, this might not meet everyone's needs, but it's significantly simpler AND faster; it will defeat bruteforce attempts, DDoS's on ports, etc., without parsing any logs or some such.
Also, changing the --seconds 15 to any other value means that if they hit the port more than once in X amount of time, they're banned. Most bruteforcers just hit as much as possible, so they're banned after the first attempt, generally. If you wanted the ban to last longer though, you could use say 500 seconds or whatever and they'd be banned for 500 seconds.
_________________
System: predatorbox
Distro: Arch Linux x86_64
Current projects: blackhole, convmedia and anything else I cook up.
funkoolow Guru
Joined: 21 Sep 2004 Posts: 545 Location: er paese delle anguille
Posted: Sat Jun 09, 2007 12:17 pm Post subject:

hi there,
I think this is a great tool, but, if allowed, I suggest some improvements that would make it greater:
1) the max_attempts variable: number of max attempts over which the ban time for an attacking ip will increase.
2) the increase_time variable: number of seconds to increase the ban time for an attacking ip once the max_attempts has been passed.
Actually, if I read correctly, those two parameters are set but in a static way to max_attempts=100 and increase_time=1sec, so that at the 101st login attempt the ban time will increase to BLOCKING_PERIOD+1. Otherwise, I'd rather prefer the script to increase the ban time by 30sec every 10 wrong login attempts.
Is it possible to add those values in a dynamic way as actually happens e.g. for the blocking_period parameter?
thanks a lot
_________________
SabaziaLUG: the LUG north of Rome
LJM9000 Tux's lil' helper
Joined: 31 Aug 2006 Posts: 76 Location: United States
Posted: Mon Mar 10, 2008 5:08 pm Post subject:

Ok, I think I must be retarded, I cannot get this to work.
I have compiled IPTables into my kernel.
Then I ran
Code: | iptables-restore /etc/iptables.bak |
Then
Code: | /etc/init.d/iptables save |
I started IPTables by running
Code: | /etc/init.d/iptables start |
I then ran the blacklist init script posted here
Code: | /etc/init.d/blacklist |
Then when I fail logging in from a different computer on purpose, /var/log/blacklist.log never changes. It just remains empty. My /var/log/auth.log shows failed connections.
I have installed the logsentry package as well, per the instructions.
Help!
LJM9000 Tux's lil' helper
Joined: 31 Aug 2006 Posts: 76 Location: United States
Posted: Wed Mar 12, 2008 2:50 am Post subject:

I fixed it. It seems that there was an error in the code.
I changed it to the following since Logtail doesn't need the -f anymore.
Code: | try:
    new_log_entries = system_command( LOGTAIL + " " + LOG_INPUT )
except:
    new_log_entries = system_command( LOGTAIL + " " + LOG_INPUT )
|
Yes, it makes no sense that I should need the except in there. But when I removed it the program errored.
Also I don't know python so that could have been the problem too.
Everything's working correctly now.
Raposatul n00b
Joined: 25 Sep 2007 Posts: 53
Posted: Wed Apr 02, 2008 10:15 am Post subject:

LJM9000 wrote: | Ok, I think I must be retarded, I cannot get this to work.
I have compiled IPTables into my kernel.
Then I ran
Code: | iptables-restore /etc/iptables.bak |
Then
Code: | /etc/init.d/iptables save |
I started IPTables by running
Code: | /etc/init.d/iptables start |
I then ran the blacklist init script posted here
Code: | /etc/init.d/blacklist |
Then when I fail logging in from a different computer on purpose, /var/log/blacklist.log never changes. It just remains empty. My /var/log/auth.log shows failed connections.
I have installed the logsentry package as well, per the instructions.
Help! |
Code: | iptables-save > /etc/iptables.bak
iptables-restore < /etc/iptables.bak |
dr4cul4 n00b
Joined: 19 Mar 2008 Posts: 17
Posted: Wed May 14, 2008 1:06 pm Post subject:

I have a small fix for the init.d script (assuming the pid file is the same as in the original blacklist.py script). It fixes stopping and restarting issues.
Code: | #!/sbin/runscript
# Distributed under the terms of the GNU General Public License v2
#
# Refer to forum post: http://forums.gentoo.org/viewtopic-p-3141510.html#3141510
#
# Date: 2008-05-14
# Version 0.2 by dr4cul4

# you may want to uncomment the below if using iptables in rc-update, but
# it is probably not necessary
depend() {
    use iptables sshd
}

start() {
    ebegin "Starting blacklist"
    # blacklist.py writes its own pid file; stop() relies on it
    start-stop-daemon --start --quiet --background \
        --exec /usr/bin/python /usr/sbin/blacklist.py
    eend $?
}

stop() {
    ebegin "Stopping blacklist"
    start-stop-daemon --stop --quiet --pidfile /var/run/blacklist.pid
    eend $?
}
|
sam_i_am Tux's lil' helper
Joined: 19 Sep 2003 Posts: 131
Posted: Fri Jun 13, 2008 7:29 pm Post subject:

Hi all,
I've pared down this script even further and used the ability of syslog-ng to create filters to match a regexp as well as the ability to send the log to another program. So, no need for a separate thread and polling.
Here's how to use it:
Modify syslog-ng.conf by adding the following filter and destination
Code: |
# destination is the python script which will insert an iptables rule to block the ip
destination sshd_ban { program("/sbin/block_ip.py"); };

# create a filter that will pick suspicious log statements from the sshd daemon
filter f_sshd_attack {
    program(sshd) and (
        match('Did not receive identification string from') or
        match('Invalid user') or
        match('Failed password for root')
    );
};

# connect the filter to the destination
log { source(src); filter(f_sshd_attack); destination(sshd_ban); };
|
Save the following script as /sbin/block_ip and edit the variables at the top to suit your environment. I've removed the timeout part as it wasn't important in my case.
BEWARE: once an ip is blocked, it stays blocked until the rule is removed (or the system is rebooted)
One nice thing about this is that the hack attempts that I've seen start with a port scan on port 22, which generates the log message "Did not receive identification from xx.xx.xx.xx". This will immediately trigger the block and the hapless script kiddie is locked out forever without being able to try even a single username.
Code: |
#!/usr/bin/python
# block_ip.py is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# block_ip.py is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Original Copyright: Reto Glauser aka blinkeye
# Adapted by academic.sam at gmail.com for invocation by syslog-ng
# Version 0.1
import re
import sys
from os import access, X_OK
from syslog import openlog, syslog
try:
    from subprocess import getstatusoutput   # Python 3
except ImportError:
    from commands import getstatusoutput     # Python 2

DATE_FORMAT = "%b %d %X" # e.g.: May 25 23:49:12
BLOCKED_LIST = "/tmp/blocked_ip"
IPTABLES = "/sbin/iptables"
CUSTOM_CHAIN = "BLACKLIST"
SSH_PORT = 22

# sshd lines that count as an attack; every pattern names an 'ip' group
SSH_REGEXC = [
    re.compile( r"Did not receive identification string from (?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" ),
    re.compile( r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" ),
    re.compile( r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" )
]

# Wrapper function for commands: raises on a non-zero exit status
def system_command( string_command ):
    status, output = getstatusoutput( string_command )
    if status != 0:
        raise IOError( output )
    return output

# block ip: make sure the custom chain exists AND is reachable from INPUT,
# then insert a DROP rule for the address
def block( ip, port ):
    try:
        system_command( IPTABLES + " --new-chain " + CUSTOM_CHAIN )
    except IOError:
        pass  # chain already exists (e.g. restored by iptables-restore)
    # a chain nobody jumps to is never evaluated, so check the jump separately
    # instead of tying it to chain creation (--check needs iptables >= 1.4.11)
    try:
        system_command( IPTABLES + " --check INPUT --jump " + CUSTOM_CHAIN )
    except IOError:
        system_command( IPTABLES + " --insert INPUT --jump " + CUSTOM_CHAIN )
    system_command( IPTABLES + " --insert " + CUSTOM_CHAIN + " --source " + ip + " --protocol tcp --dport " + str( port ) + " --jump DROP" )
    syslog( "Blocking " + ip )

# Do we have iptables ?
if not access( IPTABLES, X_OK ):
    raise IOError( IPTABLES + " is not executable" )

# addresses blocked by earlier runs, one per line
ip_list = []
try:
    ipf = open( BLOCKED_LIST, "r" )
except IOError:
    pass
else:
    for line in ipf:
        ip_list.append( line.strip() )
    ipf.close()

openlog( "block_ip" )
syslog( "Reading initial list: " + ", ".join( ip_list ) )

# syslog-ng feeds the matching log lines on stdin until it closes the pipe
while True:
    line = sys.stdin.readline()
    if not line:
        break
    for regex in SSH_REGEXC:
        for match in regex.finditer( line ):
            ip = match.group( 'ip' )
            if ip not in ip_list:
                ip_list.append( ip )
                block( ip, SSH_PORT )
                try:
                    ipf = open( BLOCKED_LIST, "w" )
                except IOError:
                    syslog( "Could not write blocked IP list to " + BLOCKED_LIST )
                else:
                    ipf.write( "\n".join( ip_list ) )
                    ipf.close()
|
brfsa Tux's lil' helper
Joined: 01 Aug 2005 Posts: 121 Location: Brazil
Posted: Mon Jun 30, 2008 1:02 am Post subject:

sam_i_am,
Very nice and neat implementation you have in there man...
Works great!!!
If I put my password wrong, does that mean I'm locked out?
Anyone, better add your public ssh key to the authorized file just in case.
Thanks for sharing your script.
haarp Guru
Joined: 31 Oct 2007 Posts: 535
Posted: Mon Jul 07, 2008 5:15 pm Post subject:

Hey,
I added/modified a few filters. If anyone's interested, here are the relevant sections of my blacklist.py. Just add what you need to your own blacklist...
Code: | SSH_REGEX = [
    r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Did not receive (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Address (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) maps to (?:.*), but this does not map back to the address - (?P<user>.*)",
    r"reverse mapping checking getaddrinfo for (?:.*) \[(?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] failed - (?P<user>.*)"
]
# SSH_REGEX catches the following and similar entries:
# Jan 2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from 61.172.192.3 port 54177 ssh2
# Jan 2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from ::ffff:61.172.192.3 port 54177 ssh2
# Oct 21 18:52:01 blinkeye sshd[31286]: Failed password for root from 152.149.148.115 port 36667 ssh2
# Oct 21 18:52:01 blinkeye sshd[31286]: Failed password for root from ::ffff:152.149.148.115 port 36667 ssh2
# Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 152.149.148.115 port 44896 ssh2
# Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from ::ffff:152.149.148.115 port 44896 ssh2
# Feb 16 15:07:33 madcat sshd[30582]: Did not receive identification string from 204.191.10.60
# Mar 30 06:14:36 madcat sshd[13621]: Address 218.28.166.67 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
# Jul 3 12:36:25 madcat sshd[1586]: reverse mapping checking getaddrinfo for 66962125.hostnoc.net [66.96.212.5] failed - POSSIBLE BREAK-IN ATTEMPT!

FTP_REGEX = [
    r"ftp(?:.*) authentication failure(?:.*) rhost=(?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?: user=)*(?P<user>.*)",
    r"proftpd(?:.*)USER (?P<user>.*): no such user found(?:.*)\[(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"
]
# FTP_REGEX catches the following and similar entries; on the pam line the
# 'user' group is empty when no "user=" field is logged:
# Oct 3 19:35:41 blinkeye ftp(pam_unix)[8746]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.222.29.194
# Oct 3 19:35:43 blinkeye ftp(pam_unix)[8746]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=206.222.29.194 user=root
# Feb 14 08:38:47 madcat proftpd[3247]: madcat (202.96.5.29[202.96.5.29]) - USER Administrator: no such user found from 202.96.5.29 [202.96.5.29] to 192.168.0.5:21 |
Code: |
    # no tolerance for root login attempts
    if ( match.group( 'user' ) == "root" ):
        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
    # no tolerance for Administrator login attempts
    if ( match.group( 'user' ) == "Administrator" ):
        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
    # no tolerance for NMAP scans
    if ( match.group( 'user' ) == "identification string" ):
        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
    # no tolerance for possible break-in attempts
    if ( match.group( 'user' ) == "POSSIBLE BREAK-IN ATTEMPT!" ):
        entry[ 1 ] += PERMITTED_LOGIN_FAILURES
|
Last edited by haarp on Tue Oct 14, 2008 9:11 pm; edited 1 time in total
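As an added example (not code from blacklist.py, block_ip.py or any post in this thread), the following runs haarp's SSH_REGEX patterns and the no-tolerance rule above over a few constructed sshd lines modelled on the comments in that snippet, tallies failures per address, and renders the DROP rule sam_i_am's block_ip.py inserts as a string rather than calling iptables. PERMITTED_LOGIN_FAILURES = 3 and "block once the count exceeds it" are assumptions; the thread does not show blacklist.py's own values.

```python
import re

# Assumed threshold; blacklist.py's own value is not shown in the thread.
PERMITTED_LOGIN_FAILURES = 3
SSH_PORT = 22
CUSTOM_CHAIN = "BLACKLIST"

# Patterns copied from haarp's SSH_REGEX list; each names an 'ip' and a 'user' group.
SSH_REGEX = [re.compile(p) for p in (
    r"Failed (?:none|password|keyboard-interactive/pam) for (?:invalid user )*(?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Invalid user (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Did not receive (?P<user>.*) from (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"Address (?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) maps to (?:.*), but this does not map back to the address - (?P<user>.*)",
    r"reverse mapping checking getaddrinfo for (?:.*) \[(?:::ffff:)*(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] failed - (?P<user>.*)",
)]

# 'user' values that haarp's snippet bumps straight past the threshold.
NO_TOLERANCE = {"root", "Administrator", "identification string",
                "POSSIBLE BREAK-IN ATTEMPT!"}

# Constructed sshd lines modelled on the examples in haarp's comments.
SAMPLE_LOG = [
    "Jan 2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from 61.172.192.3 port 54177 ssh2",
    "Jan 2 21:48:06 blinkeye sshd[4531]: Failed password for invalid user sato from ::ffff:61.172.192.3 port 54178 ssh2",
    "Jan 2 21:48:07 blinkeye sshd[4533]: Failed password for invalid user admin from 61.172.192.3 port 54179 ssh2",
    "Jan 2 21:48:08 blinkeye sshd[4535]: Failed password for invalid user test from 61.172.192.3 port 54180 ssh2",
    "Oct 21 18:52:01 blinkeye sshd[31286]: Failed password for root from 152.149.148.115 port 36667 ssh2",
    "Feb 16 15:07:33 madcat sshd[30582]: Did not receive identification string from 204.191.10.60",
    "Jul 3 12:36:25 madcat sshd[1586]: reverse mapping checking getaddrinfo for 66962125.hostnoc.net [66.96.212.5] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Mar 1 09:00:00 madcat sshd[2001]: Failed password for bob from 10.0.0.7 port 40001 ssh2",
    "Mar 1 09:00:05 madcat sshd[2002]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2",
]

def parse_line(line):
    """(ip, user) from the first pattern that matches, or None for benign lines."""
    for regex in SSH_REGEX:
        m = regex.search(line)
        if m:
            return m.group("ip"), m.group("user")
    return None

def tally(lines):
    """Per-address failure count. A no-tolerance user adds PERMITTED_LOGIN_FAILURES
    on top of the failure itself, so one such line is enough to cross the threshold."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user = parsed
        counts[ip] = counts.get(ip, 0) + 1
        if user in NO_TOLERANCE:
            counts[ip] += PERMITTED_LOGIN_FAILURES
    return counts

def to_block(counts):
    """Addresses whose count has passed the threshold (assumed rule)."""
    return sorted(ip for ip, n in counts.items() if n > PERMITTED_LOGIN_FAILURES)

def drop_rule(ip, port=SSH_PORT):
    """The rule block_ip.py inserts, as a string; nothing is executed here."""
    return "iptables --insert %s --source %s --protocol tcp --dport %d --jump DROP" % (
        CUSTOM_CHAIN, ip, port)
```

Note that 61.172.192.3 is blocked only because four plain failures accumulate, while the root, identification-string and reverse-mapping lines each trip the threshold on their own.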
sam_i_am Tux's lil' helper
Joined: 19 Sep 2003 Posts: 131
Posted: Wed Aug 06, 2008 3:02 pm Post subject:

brfsa wrote: | sam_i_am,
If I put my password wrong, does that mean I'm locked out?
|
I'm afraid so. Like you suggested, I don't recommend this if you are using password based logins as there are plenty of chances of getting locked out.
In fact it happened to me just today even with a public key: I was logging in from an XP machine using cygwin and it had my username with the first letter in upper case, which triggered the block. Fortunately I got in through another machine. I guess a time out feature would make it a bit more forgiving.
Sam
crimson Guru
Joined: 27 Apr 2002 Posts: 430 Location: Cedar Rapids, IA
Posted: Tue Aug 19, 2008 11:05 pm Post subject:

I use fail2ban to block failed attempts, and I get quite a few, but I'm curious: is there a way to tell what passwords they are trying to use? It only tells me the username, i.e.: Invalid user test from 123.45.67.89. Out of curiosity I'd like to know what passwords they're using.
haarp Guru
Joined: 31 Oct 2007 Posts: 535
Posted: Tue Aug 19, 2008 11:07 pm Post subject:

If your apps log the passwords that are tried then something's inherently broken. No, that's impossible.
crimson Guru
Joined: 27 Apr 2002 Posts: 430 Location: Cedar Rapids, IA
Posted: Tue Aug 19, 2008 11:11 pm Post subject:

haarp wrote: | If your apps log the passwords that are tried then something's inherently broken. No, that's impossible. |
I guess I would have to write a fake ssh server to log passwords then. I don't know that I'm that curious, but that probably wouldn't be too hard to do.
crimson Guru
Joined: 27 Apr 2002 Posts: 430 Location: Cedar Rapids, IA
Posted: Tue Aug 19, 2008 11:20 pm Post subject:

Actually here is an article that shows some researchers doing just that by patching ssh to record passwords; this nearly satisfies my curiosity.
http://www.securityfocus.com/infocus/1876