Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5, 6  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Wed Jan 11, 2006 1:37 am    Post subject: [HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies Reply with quote

Wiki HowTo

I get twice a day a mail from logsentry telling me how many brute force attacks my SSH server got. Generally, I don't care (but I'll explain in the howto why I decided to go against these attacks). Although I've seen several scripts on the www blocking out such attacks I decided to write my own python script. Many of the scripts were just too bloated (like using a database) or too circumstantial and lacking easy configuration and customisation. I wrote an easy understandable, easy adjustable script AND trying to explain what, how and why I'm doing it. Well, see for yourself.

README (if you question the use of this script):
Please don't start a flame of why not using password or using strong passwords and on moving SSH to a different port or using portknocking. I know all these methods - and I wouldn't even mind if someone could login to my server (of course this wouldn't be an account I use because there's no way you bruteforce my passwords within a lifetime). I do have my reasons. Point.

Last update of the script: 2006-03-03
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick


Last edited by BlinkEye on Wed Dec 31, 2014 8:43 am; edited 8 times in total
Back to top
View user's profile Send private message
vladgrigorescu
Guru
Guru


Joined: 11 Jan 2005
Posts: 360

PostPosted: Wed Jan 11, 2006 1:52 am    Post subject: Reply with quote

That is a *really* great and detailed HOWTO, thanks a lot!
Back to top
View user's profile Send private message
thoffmeyer
Apprentice
Apprentice


Joined: 11 Apr 2004
Posts: 208
Location: GMT -5 Hours

PostPosted: Wed Jan 11, 2006 2:31 am    Post subject: Reply with quote

Wow this howto is GREAT!
_________________
Conrad Guide, Current Maintainer

Join us on IRC
Server: irc.freenode.net
Channel: #conrad
Back to top
View user's profile Send private message
zbindere
Guru
Guru


Joined: 27 May 2004
Posts: 356
Location: Switzerland

PostPosted: Wed Jan 11, 2006 12:03 pm    Post subject: Reply with quote

I am using denyhosts.

Code:
emerge denyhosts
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Wed Jan 11, 2006 12:43 pm    Post subject: Reply with quote

zbindere wrote:
I am using denyhosts.

Code:
emerge denyhosts

i bet it's a good tool. my script does very much the same (main difference: uses iptables instead of /etc/hosts.deny - i'll reconsider which way is the better). i explicitly mentioned in the first post that my goal was to provide an easy understandable script and explaining what it actually does. denyhosts has more than 2100 source code lines (not including README, configuration files and so on). don't tell me you've read and understand all those 20 python scripts. i haven't run it but i discovered it while writing the howto and downloaded the source and had a look at it. i decided my script was still for some use. it's just not overhelming and everyone sees what it does.

the statistic upon failed login and used usernames denyhosts does is kind of irrelevant for my approach: too many login failures -> go take a break. for a statistic see list of past login attempts (IP) and list of past login attempts (usernames) sections - a simple sed command. i don't think one needs more than that.

[EDIT]

I'll stay with iptables. i found a good article discussing the linux firewall mechanism( see linux exposed for the full review):

Linux exposed wrote:
Linux Firewall Mechanisms
Most Linux distributions, including Fedora Core, provide two forms of service access control: TCP wrappers and iptables. I use the term access control and not firewalling because TCP wrappers should really not be referred to as a firewall per se. The older TCP wrappers offers centralized daemon host access control in one nice and easy to edit file. It can be configured to monitor incoming requests for a range of daemons, works in tandem with xinetd, and changes to it are instantly applied. TCP wrappers is somewhat insecure if used on an untrusted network, is not very powerful, and so should only really be used on trusted networks or where very specific requirements demand it.

Linux exposed wrote:
Under Linux, there are three ways of controlling service access by hosts or networks: iptables, TCP wrappers, or individual daemon config settings. The first is the only method that can both be considered a truly hardened method of limiting service access on an untrusted network (personal firewall) and be used in either a stand-alone server or a full-blown network firewall configuration.

Linux exposed wrote:
Security that you don't both fully understand and fully control is just an illusion

_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Wed Jan 18, 2006 8:43 pm    Post subject: Reply with quote

I did a major update. Following are the recent changes:

* Completely rewrote the core
* Removing thread logic due to limitation and ressource usage
* Changing datastructure of main list from an array to a hash map to speed up searches
* Adding CHECK_INTERVALL variable
* Adding dynamical BLOCKING_PERIOD (for every hundred login failure an additional second for the is added)
* Thorough testing
* Modified mailing feature so you get one mail per each run (if any IP were blocked) instead of a mail per IP to prevent mail flood/ressource usage upon a DoS
* Adding DoS / Performance / Stress Test
* Modifying Howto
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
_dA_CyANIDe
Apprentice
Apprentice


Joined: 30 Mar 2005
Posts: 196
Location: Czech Republic

PostPosted: Thu Jan 19, 2006 12:05 am    Post subject: Reply with quote

This script doesn't workes for me. Maybe sshd is misconfigured ..

errors in /var/log/auth.log :

Jan 19 01:00:32 a02-0520a sshd[5051]: error: Could not get shadow information for NOUSER
Jan 19 01:00:32 a02-0520a sshd[5051]: Failed password for invalid user fu from 147.229.216.198 port 2664 ssh2
Jan 19 01:00:33 a02-0520a sshd[5051]: Failed password for invalid user fu from 147.229.216.198 port 2664 ssh2
Jan 19 01:01:15 a02-0520a sshd[5086]: Invalid user du from 147.229.216.198
Jan 19 01:01:15 a02-0520a sshd[5086]: Failed none for invalid user du from 147.229.216.198 port 2665 ssh2
Jan 19 01:01:16 a02-0520a sshd[5086]: error: Could not get shadow information for NOUSER
Jan 19 01:01:16 a02-0520a sshd[5086]: Failed password for invalid user du from 147.229.216.198 port 2665 ssh2
Jan 19 01:01:17 a02-0520a sshd[5086]: Failed password for invalid user du from 147.229.216.198 port 2665 ssh2

:(
_________________
AMD64 X2 3800+, 1GB RAM, Gigabyte GF7600
-----
Firewalls cannot block stupidity!
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Thu Jan 19, 2006 12:49 am    Post subject: Reply with quote

everything seems alright:
Code:
# ./blacklist.py "Jan 19 01:00:32 a02-0520a sshd[5051]: error: Could not get shadow information for NOUSER
> Jan 19 01:00:32 a02-0520a sshd[5051]: Failed password for invalid user fu from 147.229.216.198 port 2664 ssh2
> Jan 19 01:00:33 a02-0520a sshd[5051]: Failed password for invalid user fu from 147.229.216.198 port 2664 ssh2
> Jan 19 01:01:15 a02-0520a sshd[5086]: Invalid user du from 147.229.216.198
> Jan 19 01:01:15 a02-0520a sshd[5086]: Failed none for invalid user du from 147.229.216.198 port 2665 ssh2
> Jan 19 01:01:16 a02-0520a sshd[5086]: error: Could not get shadow information for NOUSER
> Jan 19 01:01:16 a02-0520a sshd[5086]: Failed password for invalid user du from 147.229.216.198 port 2665 ssh2
> Jan 19 01:01:17 a02-0520a sshd[5086]: Failed password for invalid user du from 147.229.216.198 port 2665 ssh2
> "
* Entering test mode
* SUCCESS: Caught 147.229.216.198
* SUCCESS: Sending mail from blacklist@yourdomain to ssh@yourdomain

what's not working?
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
_dA_CyANIDe
Apprentice
Apprentice


Joined: 30 Mar 2005
Posts: 196
Location: Czech Republic

PostPosted: Thu Jan 19, 2006 11:11 am    Post subject: Reply with quote

So, the problem is in logtail version. Logtail from logsentry 1.1.1 doesn't workes for me.

Solution:

Replace /usr/bin/logtail from Logsentry with this file : ftp://blinkeye.ch/public/logtail .

Now everything workes fine. :lol:
_________________
AMD64 X2 3800+, 1GB RAM, Gigabyte GF7600
-----
Firewalls cannot block stupidity!
Back to top
View user's profile Send private message
shaped.ch
n00b
n00b


Joined: 19 Dec 2005
Posts: 46
Location: switzerland

PostPosted: Thu Jan 19, 2006 10:15 pm    Post subject: Reply with quote

very good howto!
thanks!
Back to top
View user's profile Send private message
_dA_CyANIDe
Apprentice
Apprentice


Joined: 30 Mar 2005
Posts: 196
Location: Czech Republic

PostPosted: Thu Jan 19, 2006 10:30 pm    Post subject: Reply with quote

Yes. IT IS. :D THX 2 BlinkEye
_________________
AMD64 X2 3800+, 1GB RAM, Gigabyte GF7600
-----
Firewalls cannot block stupidity!
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Sat Jan 21, 2006 12:35 pm    Post subject: Reply with quote

Very nice. I have a pretty random user name and a very good password, but I still feel uncomfortable with all those login attempts in the logs.

On line 137, I think you're missing a space after the " -f" (I got some error message about not finding the file "-f/var/log/auth.log"). I added a space after "-f" and got "IOError: File -f cannot be read." instead. I don't know if I have some light version of logtail, but I don't have an -f option. Replaced " -f " with a single space instead, and it works.

I still have one problem. Whenever someone tries to log in as root, it is logged in a different format:

Code:
Jan 21 13:31:21 clint sshd(pam_unix)[1416]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=irc.******.com  user=root
Jan 21 13:31:23 clint sshd[1411]: error: PAM: Authentication failure for root from irc.******.com

_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Sat Jan 21, 2006 1:09 pm    Post subject: Reply with quote

Andersson wrote:
Very nice. I have a pretty random user name and a very good password, but I still feel uncomfortable with all those login attempts in the logs.

On line 137, I think you're missing a space after the " -f" (I got some error message about not finding the file "-f/var/log/auth.log"). I added a space after "-f" and got "IOError: File -f cannot be read." instead. I don't know if I have some light version of logtail, but I don't have an -f option. Replaced " -f " with a single space instead, and it works.

Yes, I do have the same issue on my boxes. The script does not miss the space after "-f", but there are two logtail version around. And I emerged the logsentry-1.1.1 package on both of the boxes - one is a perl script (which I provided a link for) and which needs the "-f" flag and the other is a (compiled) c program ...
Andersson wrote:
I still have one problem. Whenever someone tries to log in as root, it is logged in a different format:

Code:
Jan 21 13:31:21 clint sshd(pam_unix)[1416]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=irc.******.com  user=root
Jan 21 13:31:23 clint sshd[1411]: error: PAM: Authentication failure for root from irc.******.com

I see. I take it you use
sshd_config wrote:
UseDNS yes

OpenSSH FAQ wrote:
You can disable most of the server-side lookups by setting UseDNS no in sshd_config.

is there a strong reason you use dnslookup? if set to no does this solve the domainname entry?
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Sat Jan 21, 2006 3:07 pm    Post subject: Reply with quote

BlinkEye wrote:
The script does not miss the space after "-f", but there are two logtail version around. And I emerged the logsentry-1.1.1 package on both of the boxes - one is a perl script (which I provided a link for) and which needs the "-f" flag and the other is a (compiled) c program ...

Ok, I understand. How about testing which version is installed? Or having a config variable that can disable the "-f"? Or is the perl script the only supported version? ;)

BlinkEye wrote:
I take it you use
sshd_config wrote:
UseDNS yes

is there a strong reason you use dnslookup? if set to no does this solve the domainname entry?

I didn't know about that option. UseDNS was commented, so I set it to no:
Code:
Jan 21 14:26:33 clint sshd(pam_unix)[2398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.xx.xx.xx  user=root
Jan 21 14:26:35 clint sshd[2389]: error: PAM: Authentication failure for root from 193.xx.xx.xx

This gives the ip number, but still does not match the regexp in the script. If I log in as any other user name, I get a line that matches, like this below (in addition to two lines like the ones above).
Code:
Jan 21 13:43:43 clint sshd[1610]: Failed keyboard-interactive/pam for invalid user not_a_user from 193.xx.xx.xx port 1198 ssh2

But no such line for root, so I changed the regexp to match the error: PAM: Authentication failure line instead:
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: error: PAM: Authentication failure for (?:illegal user )?(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


So anyway, it seems to work exactly as intended now. Thanks for the help. I didn't know about the (?P<user>.*?) thing either (capturing group), so I guess I've learned something new as well from this script. :)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Back to top
View user's profile Send private message
spengy
n00b
n00b


Joined: 30 Oct 2004
Posts: 14

PostPosted: Sat Jan 21, 2006 7:29 pm    Post subject: Reply with quote

I use pure iptables
Code:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --update --seconds 360 --hitcount 4 -rttl --name SSH -j DROP

More than 4 connections in 360 seconds? then they get dropped. It works quite well.

In my sshd log, I will get maybe 2 bruteforce attempts from some n00b before they get dropped.
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Sat Jan 21, 2006 10:19 pm    Post subject: Reply with quote

Andersson wrote:
I didn't know about that option. UseDNS was commented, so I set it to no:
Code:
Jan 21 14:26:33 clint sshd(pam_unix)[2398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.xx.xx.xx  user=root
Jan 21 14:26:35 clint sshd[2389]: error: PAM: Authentication failure for root from 193.xx.xx.xx

This gives the ip number, but still does not match the regexp in the script. If I log in as any other user name, I get a line that matches, like this below (in addition to two lines like the ones above).
Code:
Jan 21 13:43:43 clint sshd[1610]: Failed keyboard-interactive/pam for invalid user not_a_user from 193.xx.xx.xx port 1198 ssh2

But no such line for root, so I changed the regexp to match the error: PAM: Authentication failure line instead:
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: error: PAM: Authentication failure for (?:illegal user )?(?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


So anyway, it seems to work exactly as intended now. Thanks for the help. I didn't know about the (?P<user>.*?) thing either (capturing group), so I guess I've learned something new as well from this script. :)

the "error: PAM ..." doesn't appear always. grep your log for sshd and have a look. upon "normal" login tries, like the one we try it would work. but the script used by attackers will not generate such "error: PAM ..." lines. I do have dozens of entries not followed by an "error: PAM ..." entry. it's strange you don't have the same line for a root atempt - I sure do. root login attempts are still the most popular :wink:
could you mail/pm me a series of login attempts with different users and root too? not from localhost please.
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
BlinkEye
Veteran
Veteran


Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums

PostPosted: Sat Jan 21, 2006 10:39 pm    Post subject: Reply with quote

spengy wrote:
I use pure iptables
Code:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --update --seconds 360 --hitcount 4 -rttl --name SSH -j DROP

More than 4 connections in 360 seconds? then they get dropped. It works quite well.

In my sshd log, I will get maybe 2 bruteforce attempts from some n00b before they get dropped.

yes, these are the iptables lines you found all over the net.

1. I tried that and I wrote that and the link of how to do it in my howto (where it is actually explained what is done). it doesn't work reliable for me and I get unkown delays for anyone trying to log-in.
2. I've read a lot of posts telling it doesn't work as it should for them
3. what does "it works quite well" mean? I wouldn't be satisfied with "quite well".
4. it limits the possibility/use for user actually working on the server. 4 connection within 360 seconds is way to low for me. if I start work on my server I open instantly 5 connections and other users do that too. sure I could increase that limit but then those failed login attempts of attackers start to increase too.
5. it limits me further because i would try to keep that limit down - but what if I started work, disconnected and just decided to keep on working?
6. using these rules increases the load unnecessary because it must take into account every SSH connection and keep a counter for every IP trying to connect (I don't think this is actually a problem for iptables and I not have hundreds of users working concurrently of course - but then again: why do I get those delays? it must be iptables and the counters)
_________________
Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Sat Jan 21, 2006 10:53 pm    Post subject: Reply with quote

BlinkEye wrote:
the "error: PAM ..." doesn't appear always. grep your log for sshd and have a look. upon "normal" login tries, like the one we try it would work. but the script used by attackers will not generate such "error: PAM ..." lines. I do have dozens of entries not followed by an "error: PAM ..." entry. it's strange you don't have the same line for a root atempt - I sure do. root login attempts are still the most popular :wink:

Well, in that case I might as well leave the regexp as it was. I do have permitRootLogin no so where's the harm?
BlinkEye wrote:
could you mail/pm me a series of login attempts with different users and root too? not from localhost please.

Sorry, I don't keep my logs more than a couple of weeks, and I've had my ssh port blocked from the outside for a while. It's open again now though, so we'll see how long it takes the port scanners to find me. :)
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Tue Jan 24, 2006 12:38 pm    Post subject: Reply with quote

Andersson wrote:
BlinkEye wrote:
could you mail/pm me a series of login attempts with different users and root too? not from localhost please.

Sorry, I don't keep my logs more than a couple of weeks, and I've had my ssh port blocked from the outside for a while. It's open again now though, so we'll see how long it takes the port scanners to find me. :)

Ok, now they've found me again. :lol:

I see what you mean, these login attempts don't look like my own. But there is no Failed keyboard-interactive/pam... line either, just a line saying Invalid user.... Also, no root attempts show up in the logs (although I'm sure they try). Now, I don't know much about how security works under the hood. Please correct me, but this is what I believe; sshd uses pam to check the user/password, right? And in case it fails, pam logs the attempt. But a root attempt is never even handed off to pam, since sshd itself denies root to login (permitRootLogin no), which is why it is logged differently.

Anyway, to make this script work for me, I'll have to either change the sshd log verbosity somehow, or change the regexp again to something like this: (And also accept that a root attempt will simply fail, but not result in a blacklisting.)
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"


Here's a sample of my log:
Code:
Jan 22 17:57:55 clint sshd[17822]: Did not receive identification string from 217.58.169.124
Jan 22 18:10:21 clint sshd[18459]: Invalid user admin from 217.58.169.124
Jan 22 18:10:22 clint sshd[18464]: Invalid user admin from 217.58.169.124
Jan 22 18:10:22 clint sshd[18469]: Invalid user admin from 217.58.169.124
Jan 22 18:10:23 clint sshd[18474]: Invalid user admin from 217.58.169.124
Jan 22 18:10:24 clint sshd[18479]: Invalid user administrator from 217.58.169.124
Jan 22 18:10:30 clint sshd[18484]: Invalid user administrator from 217.58.169.124
Jan 22 18:10:30 clint sshd[18489]: Invalid user administrator from 217.58.169.124
Jan 22 18:10:31 clint sshd[18494]: Invalid user tads from 217.58.169.124
Jan 22 18:10:32 clint sshd[18499]: Invalid user tads from 217.58.169.124
Jan 22 18:10:32 clint sshd[18504]: Invalid user tads from 217.58.169.124
Jan 22 18:10:33 clint sshd[18509]: Invalid user tip from 217.58.169.124
Jan 22 18:10:34 clint sshd[18516]: Invalid user tip from 217.58.169.124
Jan 22 18:10:34 clint sshd[18521]: Invalid user tip from 217.58.169.124
Jan 22 18:10:35 clint sshd[18526]: Invalid user myra from 217.58.169.124
Jan 22 18:10:36 clint sshd[18531]: Invalid user myra from 217.58.169.124
Jan 22 18:10:37 clint sshd[18536]: Invalid user myra from 217.58.169.124
[...]
Jan 24 11:34:27 clint sshd[9518]: Did not receive identification string from 61.211.225.12
Jan 24 11:45:25 clint sshd[9590]: Invalid user admin from 61.211.225.12
Jan 24 11:45:28 clint sshd[9595]: Invalid user test from 61.211.225.12
Jan 24 11:45:30 clint sshd[9600]: User guest not allowed because shell /dev/null is not executable
Jan 24 11:45:32 clint sshd[9605]: Invalid user webmaster from 61.211.225.12
Jan 24 11:45:37 clint sshd[9615]: Invalid user oracle from 61.211.225.12
Jan 24 11:45:39 clint sshd[9620]: Invalid user library from 61.211.225.12
Jan 24 11:45:45 clint sshd[9625]: Invalid user info from 61.211.225.12
Jan 24 11:45:47 clint sshd[9630]: Invalid user shell from 61.211.225.12
Jan 24 11:45:50 clint sshd[9635]: Invalid user linux from 61.211.225.12

_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Back to top
View user's profile Send private message
Kernel_Klink
n00b
n00b


Joined: 18 Jun 2004
Posts: 17

PostPosted: Sun Jan 29, 2006 6:54 pm    Post subject: Reply with quote

Andersson wrote:
Andersson wrote:
BlinkEye wrote:
could you mail/pm me a series of login attempts with different users and root too? not from localhost please.

Sorry, I don't keep my logs more than a couple of weeks, and I've had my ssh port blocked from the outside for a while. It's open again now though, so we'll see how long it takes the port scanners to find me. :)

Ok, now they've found me again. :lol:

I see what you mean, these login attempts don't look like my own. But there is no Failed keyboard-interactive/pam... line either, just a line saying Invalid user.... Also, no root attempts show up in the logs (although I'm sure they try). Now, I don't know much about how security works under the hood. Please correct me, but this is what I believe; sshd uses pam to check the user/password, right? And in case it fails, pam logs the attempt. But a root attempt is never even handed off to pam, since sshd itself denies root to login (permitRootLogin no), which is why it is logged differently.

Anyway, to make this script work for me, I'll have to either change the sshd log verbosity somehow, or change the regexp again to something like this: (And also accept that a root attempt will simply fail, but not result in a blacklisting.)


I am at work and they don't let me ssh home anymore so I will have to look at the script when I get there but I had the same issue. I assumed it was due to the fact that I use AllowUsers in my sshd config. While this works quite well at preventing access from any account other than the one listed in the AllowUsers line in sshd.conf, I liked the idea so I am using this script. Since sshd checks the username against this value first, it never hands off to PAM to authenticate if the username does not match. In order to make it work in my situation I had to modify the script so that it also looked for 'Invalid user'. It was a simple fix but I can't remember where I put it right now. Once the script included Invalid user it would write the IP to iptable list.


Thanks again BlinkEye.


I will update this post in a few hours when I get home.

**EDIT**

Boy am I embarassed. I am not using BlinkEye's script. It is another one that uses iptables but instead of python it uses perl. Anyway this is what I check for
Code:

my($REASONS) = '(Invalid user|Failed password|Failed none)';


Even so, it should just be a matter of updating how BlinkEye's script filters.
_________________
Gentoo, it is a way of life.
Back to top
View user's profile Send private message
El Tazar
n00b
n00b


Joined: 06 Nov 2004
Posts: 57

PostPosted: Mon Jan 30, 2006 2:55 pm    Post subject: Reply with quote

Thanks alot BlinkEye, for the fine nifty little script and for the detailed howto. Been searching for something simple the last few months.
Back to top
View user's profile Send private message
MatrixM
n00b
n00b


Joined: 02 May 2005
Posts: 48
Location: Cyberspace

PostPosted: Mon Feb 06, 2006 2:22 am    Post subject: Reply with quote

Andersson wrote:
Anyway, to make this script work for me, I'll have to either change the sshd log verbosity somehow, or change the regexp again to something like this: (And also accept that a root attempt will simply fail, but not result in a blacklisting.)
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"



Hey Anderson, have you this modification to the REGEX, and did it work for you? I'm in about the same boat you are with regards to getting a large number of invalid attempts from people not in the allowed_user list.

Also, does anyone know if it'd be possible to have the REGEX work on two seperate criteria? My log files have two distinct types of users hitting the box. One is in the form listed above from Anderson, the other is in the form of
Code:
shd[[][0-9]+[]]: User (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3}) not allowed because not listed in AllowedUsers


So does anyone know if it'd be possible to cause the script to look for both expressions for blocking at the same time? I'll admit, my coding skills are somewhat lacking (read, none) so the line I cobbled together could be wrong in it's form even.
Back to top
View user's profile Send private message
Vlad
Apprentice
Apprentice


Joined: 09 Apr 2002
Posts: 264
Location: San Diego, California

PostPosted: Mon Feb 06, 2006 3:36 pm    Post subject: Reply with quote

Just wanted to pipe in that I have the same problem as MatrixM. All the attacks appear as

Code:

Feb  6 06:16:02 alpha sshd[7613]: User rpc from 200.47.112.149 not allowed becau
se not listed in AllowUsers


in my log files, and they are not 'caught' by blacklist.py. Having support for both those regexs would be awesome. :)
Back to top
View user's profile Send private message
Andersson
Guru
Guru


Joined: 12 Jul 2003
Posts: 525
Location: Göteborg, Sweden

PostPosted: Mon Feb 06, 2006 5:10 pm    Post subject: Reply with quote

Hi. Yes, I changed the regexp to what I wrote above. It works. I also get a mix of different lines in the logs:
Code:
Feb  1 16:30:51 clint sshd[21640]: User guest not allowed because shell /dev/null is not executable
Feb  3 23:18:53 clint sshd[30378]: Invalid user recruit from 69.72.212.18
Feb  3 23:18:54 clint sshd[30383]: User alias from 69.72.212.18 not allowed because not listed in AllowUsers

The first doesn't contain an ip address, so it's useless for blocking. Since all the attacks I've seen have the line "Invalid user..." appear the most, it's enough to block them.

In addition to these two, there are the lines that the script originally looks for.
Code:
Jan  2 21:48:05 blinkeye sshd[4529]: Failed password for invalid user sato from 61.172.192.3 port 54177 ssh2
Sep 18 05:08:06 blinkeye sshd[3971]: Failed keyboard-interactive/pam for root from 152.149.148.115 port 44896 ssh2


It seems this script could use a way to specify more than one regexp. One way to do that is (pattern1|pattern2), but then we have to change the way it catches the ip number and user name. Perhaps a better way is changing
Code:
SYSLOG_REGEX = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"

to
Code:
SYSLOG_REGEX1 = r"sshd[[][0-9]+[]]: Invalid user (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3})"
SYSLOG_REGEX2 = r"sshd[[][0-9]+[]]: User (?P<user>.*?) from (?:::ffff:)*(?P<host>(\d{1,3}\.){3}\d{1,3}) not allowed because not listed in AllowUsers"

and change the function def.scan from:
Code:
def scan():
    global countdown
    # compile regex for the logger
    re_invalid = re.compile( SYSLOG_REGEX )
    regex_matches = re_invalid.findall( system_command( LOGTAIL + " -f" + LOG_INPUT ) )
    create_stat( regex_matches )
    ...

to something like this:
Code:
def scan():
    global countdown
    # compile regex for the logger
    re_invalid1 = re.compile( SYSLOG_REGEX1 )
    re_invalid2 = re.compile( SYSLOG_REGEX2 )
    log = system_command( LOGTAIL + " -f" + LOG_INPUT )
    regex_matches = re_invalid1.findall( log )
    regex_matches += re_invalid2.findall( log )
    create_stat( regex_matches )
    ...

I have not tested this in any way, I'm not even sure what I'm adding. Arrays? Does it need some other syntax? But it's a start if you feel like some programming tonight. (I don't) :P
_________________
Must...resist...posting....
One...step...closer...to...getting...stupid...l33t...ranking...
Back to top
View user's profile Send private message
MatrixM
n00b
n00b


Joined: 02 May 2005
Posts: 48
Location: Cyberspace

PostPosted: Tue Feb 07, 2006 10:43 pm    Post subject: Reply with quote

I'll take some stabs at it over the next couple days and report back what I discover from it's results. It will take a few days for me to get my results posted due to school and work.

Also, I did a quick grep on the script for simply REGEX (using case insensitive search), and there are three total lines in the script. I'll post more data once I've done some testing at home overnight.

So what I'll try doing is imlementing the suggested code changes from Andersson regarding multiple regex lines, and then altering the def.scan function to include the additional regex code searches (at least in theory).

If this works, then I'll toy with adding a third regex to catch the "Failed keyboard-interactive/pam" type messages in the log as well (although in my case, these show up exceedingly seldom that it may not be an issue for me).

[Edit]

Ok, So I tried making the changes as were discussed, and it gives me the following errors:

Code:

tammy ~ # ./blacklist.py
Traceback (most recent call last):
  File "./blacklist.py", line 219, in ?
    scan()
  File "./blacklist.py", line 140, in scan
    log = system_command( LOGTAIL + " -f" + LOG_INPUT )
  File "./blacklist.py", line 92, in system_command
    raise IOError( return_value[ 1 ] )
IOError: File -f/var/log/auth.log cannot be read.
tammy ~ #


I'm not sure if I did something wrong, or if we just haven't got the proper coding for multiple REGEX searches figured out.

The interesting thing is that it appears to be complaining about the LOGTAIL execution ability, yet we know that this works when it's by itself. I even tried replacing

Code:
log = system_command ( LOGTAIL + " -f" + LOG_INPUT )
from the propsed modification and instead added the system_command part directly to the regex_matches lines. Same errors about the ( LOGTAIL + " -f" + LOGINPUT ) IOError. So I'm thinking that there's more going on here than we seem to realize.

I did also change the original script to merely search for the Invalid user so that it appears to be getting some of the people who are hitting my machine now at least.

I also remember there being multiple re_invlaid = re.compile (SYSLOG_REGEX) lines in the script. Maybe over the weekend I can toy with those and see what comes up as well.
[/edit]
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2, 3, 4, 5, 6  Next
Page 1 of 6

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum