Gentoo Forums
[SOLVED]SSH attack ongoing - any advice?
Forum: Networking & Security
gerdesj (l33t; Joined: 29 Sep 2005; Posts: 621; Location: Yeovil, Somerset, UK)
Posted: Sun Jul 04, 2010 9:31 pm

Have you considered OpenVPN?

It's not too hard to set up and the Gentoo configuration is very good, allowing you to create multiple instances of OVPN as both clients and servers. The docs on the upstream website are excellent and I'll bet there are Gentoo HOWTOs all over the shop.

I look after/manage around 150 separate OVPNs running between various systems and it is seriously reliable. It runs on Linux, Windows, *BSD (eg pfSense).

Then block port 22 on your external interface - hack that you buggers.

Another approach I have used is (excerpt from firewall bits embedded in /etc/conf.d/net):

Code:
einfo "${FW4} SSH chain"
iptables -N SSH
iptables -F SSH
iptables -A SSH -m state --state NEW -m recent --set
iptables -A SSH -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A SSH -j LOG --log-prefix "${FW4} SSH ALLOWED "
iptables -A SSH -j ACCEPT
iptables -A SSH -j DROP


Note the -m recent lines.

This is not perfect because I probably need to extend the time period it looks at. I notice that the bot nets are co-ordinated. One host at a time will try a few names and then bug out for a day or so and let another one have a go.

Just use a VPN - simples!

Cheers
Jon
Dr.Willy (Guru; Joined: 15 Jul 2007; Posts: 521; Location: NRW, Germany)
Posted: Mon Jul 05, 2010 1:23 pm

kimmie wrote:
...
Hmm... just had a thought. Of course, it needs a little more wrapping, but why not
Code:
alias ssh='\ssh -p 8421'

Nothing like a nice wrapper rug to shove the dirt under!

man ssh_config
kimmie (Guru; Joined: 08 Sep 2004; Posts: 531; Location: Australia)
Posted: Mon Jul 05, 2010 1:43 pm

Dr.Willy wrote:
man ssh_config

Why did I never think of that?? Thanks!!!
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Mon Jul 05, 2010 8:25 pm

gerdesj wrote:
Have you considered OpenVPN?

It's not too hard to set up and the Gentoo configuration is very good, allowing you to create multiple instances of OVPN as both clients and servers. The docs on the upstream website are excellent and I'll bet there are Gentoo HOWTOs all over the shop.

I look after/manage around 150 separate OVPNs running between various systems and it is seriously reliable. It runs on Linux, Windows, *BSD (eg pfSense).

Then block port 22 on your external interface - hack that you buggers.

Another approach I have used is (excerpt from firewall bits embedded in /etc/conf.d/net):

Code:
einfo "${FW4} SSH chain"
iptables -N SSH
iptables -F SSH
iptables -A SSH -m state --state NEW -m recent --set
iptables -A SSH -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A SSH -j LOG --log-prefix "${FW4} SSH ALLOWED "
iptables -A SSH -j ACCEPT
iptables -A SSH -j DROP


Note the -m recent lines.

This is not perfect because I probably need to extend the time period it looks at. I notice that the bot nets are co-ordinated. One host at a time will try a few names and then bug out for a day or so and let another one have a go.

Just use a VPN - simples!

Cheers
Jon


Hi Jon,

I agree about OpenVPN - I've brought it in as a VPN solution for my workplace, where the server is Windows and the clients are mixed OS, and it's far better than any of the Windows built-in solutions. However this'd be no good for my Nokia phone, as there's no OVPN client for Symbian -- in fact there's *no* VPN client, as the Nokia IPSec one won't work with dynamic IP. I'd certainly love it if such a thing existed, but PuTTY is all I have at present.

However I'm very impressed by your iptables-fu. Can you tell us a bit more about what that listing means, how it works, and would similar tactics work with other servers such as Apache, Postfix (SMTP) or Dovecot (IMAP)? I'd love to see a pure iptables solution handling the tasks Fail2Ban is currently covering, but it's so daunting to configure on its own that I've no idea.
gerdesj (l33t; Joined: 29 Sep 2005; Posts: 621; Location: Yeovil, Somerset, UK)
Posted: Thu Jul 08, 2010 12:05 am

Havin_it wrote:
gerdesj wrote:
Have you considered OpenVPN?

It's not too hard to set up and the Gentoo configuration is very good, allowing you to create multiple instances of OVPN as both clients and servers. The docs on the upstream website are excellent and I'll bet there are Gentoo HOWTOs all over the shop.

I look after/manage around 150 separate OVPNs running between various systems and it is seriously reliable. It runs on Linux, Windows, *BSD (eg pfSense).

Then block port 22 on your external interface - hack that you buggers.

Another approach I have used is (excerpt from firewall bits embedded in /etc/conf.d/net):

Code:
einfo "${FW4} SSH chain"
iptables -N SSH
iptables -F SSH
iptables -A SSH -m state --state NEW -m recent --set
iptables -A SSH -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A SSH -j LOG --log-prefix "${FW4} SSH ALLOWED "
iptables -A SSH -j ACCEPT
iptables -A SSH -j DROP


Note the -m recent lines.

This is not perfect because I probably need to extend the time period it looks at. I notice that the bot nets are co-ordinated. One host at a time will try a few names and then bug out for a day or so and let another one have a go.

Just use a VPN - simples!

Cheers
Jon


Hi Jon,

I agree about OpenVPN - I've brought it in as a VPN solution for my workplace, where the server is Windows and the clients are mixed OS, and it's far better than any of the Windows built-in solutions. However this'd be no good for my Nokia phone, as there's no OVPN client for Symbian -- in fact there's *no* VPN client, as the Nokia IPSec one won't work with dynamic IP. I'd certainly love it if such a thing existed, but PuTTY is all I have at present.

However I'm very impressed by your iptables-fu. Can you tell us a bit more about what that listing means, how it works, and would similar tactics work with other servers such as Apache, Postfix (SMTP) or Dovecot (IMAP)? I'd love to see a pure iptables solution handling the tasks Fail2Ban is currently covering, but it's so daunting to configure on its own that I've no idea.


Err, I have to confess I copied it somewhat from elsewhere and, rereading, it's a bit specific, but here goes:

The excerpt is adding a chain that I have called SSH and flushes it (the script is designed to clear everything down that might be configured already and I have gone a bit over the top to try and mitigate errors whilst messing around by always overdoing the flushing etc!)

The SSH chain is branched to by any connection to port 22.

Then the important bit (this is from memory - get the search engine out). First add any NEW connections (--set). Then the next rule will fire if four or more connections within 60 seconds arrive from the same IP and drop them.

On reflection it probably needs a few changes. The set of addresses for this rule probably needs a name to differentiate it from other sets and also a much longer period to look at. However I have to balance that with my fumbled attempts to type my own password.

The possible good solution to my mind would seem to be setting up RSA keys - i.e. passwordless - and a long --update period with a low --hitcount. That way you avoid your own mistakes and a long lock out but keep the baddies away.

Based on some firewall logs I've seen, keeping around 7 days or more for the set might be needed.

Thinking about it I have a customer that was hit by around 14 million separate IPs per month bashing against their mail server (I have Exim passing logs to rsyslog to MySQL to see what the hell was going on - it's quite a big DB now!) I think they would make a good test case for seeing just how many addresses the --set thing can realistically deal with. OK we are looking at ssh here but smtp gets a hammering as well. Must get around to having another look to see how things are going.

I'm surprised that the Symbian IPSEC client does not work. Do you mean that the server is behind a dynamic address or the phone? If you only mean the phone then you need to look into IPSEC road warrior configs. That's a standard IPSEC setup and I'd be *very* surprised if it won't work. Get IPSEC working and that is your real solution. Unless someone ports OVPN to Symbian ...

Cheers
Jon
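Jon's description of the two `-m recent` rules can be checked against a small model. The Python below is an added example, not from this thread or from iptables itself: it simulates the `--set` / `--update --seconds --hitcount` pair over constructed connection events (RFC 5737 documentation addresses, not real hosts) and compares the 60 s / 4-hit rule in the excerpt with the long-window, low-hitcount variant Jon suggests. The burst, coordinated and legit scenarios are constructed. The model is simplified: the real xt_recent module also re-stamps an entry when `--update` matches, and by default its table holds 100 addresses (`ip_list_tot`) with 20 stamps per address (`ip_pkt_list_tot`), evicting the oldest when full, which bears on Jon's question of how many addresses `--set` can realistically track.

```python
from collections import defaultdict, deque


class RecentChain:
    """Simplified model of the two '-m recent' rules in the SSH chain above.

    Rule 1 (--set) records a timestamp for the source of every NEW connection.
    Rule 2 (--update --seconds S --hitcount N) matches, and the chain DROPs,
    when the source has N or more timestamps inside the last S seconds,
    the current packet included because --set already stamped it.
    Simplification: the kernel's xt_recent also re-stamps an entry when
    --update matches and caps the list at ip_pkt_list_tot stamps per address.
    """

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)  # source -> timestamps of NEW connections

    def new_connection(self, t, src):
        """Verdict ('ACCEPT' or 'DROP') for a NEW connection from src at time t (seconds)."""
        q = self.stamps[src]
        q.append(t)                       # rule 1: --set
        while q and t - q[0] > self.seconds:
            q.popleft()                   # stamps outside the window no longer count
        return "DROP" if len(q) >= self.hitcount else "ACCEPT"   # rule 2


def run(rule, attempts):
    """Apply one RecentChain to a list of (time, source) NEW-connection events."""
    return [rule.new_connection(t, src) for t, src in attempts]


# Constructed scenarios; addresses are RFC 5737 documentation ranges, not real hosts.
BURST = [(t, "198.51.100.7") for t in (0, 5, 10, 15, 20, 25)]        # one host hammering
COORDINATED = [(0, "203.0.113.10"), (20, "203.0.113.10"), (40, "203.0.113.10"),
               (3600, "203.0.113.11"), (3620, "203.0.113.11"), (3640, "203.0.113.11")]
LEGIT = [(0, "192.0.2.5"), (3600, "192.0.2.5")]                       # same user, an hour apart


def compare(short_rule=(60, 4), long_rule=(7 * 86400, 2)):
    """Verdict lists for each scenario under the excerpt's rule (60 s, 4 hits)
    and the long-window, low-hitcount variant; a fresh chain per run."""
    results = {}
    for name, attempts in (("burst", BURST), ("coordinated", COORDINATED), ("legit", LEGIT)):
        results[name] = {
            "60s/4": run(RecentChain(*short_rule), attempts),
            "7d/2": run(RecentChain(*long_rule), attempts),
        }
    return results


if __name__ == "__main__":
    for scenario, verdicts in compare().items():
        print(scenario, verdicts)
```

Running it shows the trade-off behind Jon's advice: the 60 s window never fires on a botnet that sends three tries per host and moves on, while the 7-day window with `--hitcount 2` does, at the price shown by the legit scenario, where a user reconnecting an hour later is dropped too. That is why the long window only works well together with key-based logins (and, in practice, a separate `--name` list or a whitelist for your own addresses), because the firewall counts NEW connections, not failed passwords, and cannot tell a fat-fingered login from a guess.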
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Thu Jul 08, 2010 10:55 am

gerdesj wrote:

I'm surprised that the Symbian IPSEC client does not work. Do you mean that the server is behind a dynamic address or the phone? If you only mean the phone then you need to look into IPSEC road warrior configs. That's a standard IPSEC setup and I'd be *very* surprised if it won't work. Get IPSEC working and that is your real solution. Unless someone ports OVPN to Symbian ...

Cheers
Jon


Unfortunately, both :( The home network my server is on has actually picked up a new external IP since I wrote the first post, so it hasn't "gone static" after all. (I suspect what happened was my previous reconnects were during the day, so no one else connected to my ISP and took that IP while I was disconnected, so I just got it back.) I've yet to try doing it with the current server IP configured in the client, just to prove it works, but that would be of limited value anyway I guess.

Symbian is open-source now, so it's not impossible that someone might port OVPN (as long as the platform just doesn't die soon), or maybe I'll get an Android or Meego phone next time, which should be an easier port.
gerdesj (l33t; Joined: 29 Sep 2005; Posts: 621; Location: Yeovil, Somerset, UK)
Posted: Thu Jul 08, 2010 1:57 pm

Havin_it wrote:
gerdesj wrote:

I'm surprised that the Symbian IPSEC client does not work. Do you mean that the server is behind a dynamic address or the phone? If you only mean the phone then you need to look into IPSEC road warrior configs. That's a standard IPSEC setup and I'd be *very* surprised if it won't work. Get IPSEC working and that is your real solution. Unless someone ports OVPN to Symbian ...

Cheers
Jon


Unfortunately, both :( The home network my server is on has actually picked up a new external IP since I wrote the first post, so it hasn't "gone static" after all. (I suspect what happened was my previous reconnects were during the day, so no one else connected to my ISP and took that IP while I was disconnected, so I just got it back.) I've yet to try doing it with the current server IP configured in the client, just to prove it works, but that would be of limited value anyway I guess.

Symbian is open-source now, so it's not impossible that someone might port OVPN (as long as the platform just doesn't die soon), or maybe I'll get an Android or Meego phone next time, which should be an easier port.


You should be able to do IPSEC using DNS names. Try using a dynamic DNS service to get yourself an A record that changes with your ISP-assigned IP address and then use that for the phone to connect to. In theory that is all that is needed. You may get a connection blip at hand-over time but you can run a script or one of the daemons available on your IPSEC "server" which can test for its own external IP address and then update the dynamic DNS server.

On an Android I suspect you can use the full OpenSWAN or StrongSWAN thing ...

Cheers
Jon
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Fri Jul 09, 2010 11:25 am

I did try to set up the Nokia VPN using a dyndns hostname, but after much frustration I gave up. I'd just get a "Failed to activate access point, Reason code -5257" (no idea what that means, can't find it) on the phone, and nothing that leaps out as an obvious point of failure in the openswan debug output. Even connecting from within the LAN failed, but for different reasons (xauth password not being accepted for some reason), so I quit.
coolsnowmen (Veteran; Joined: 30 Jun 2004; Posts: 1479; Location: No.VA)
Posted: Thu Jul 15, 2010 5:52 am

Noticed this was a recent thread-
Recently: I had to set up ssh on very public IPs, on port 22, w/o port knocking, and with user/password acceptance.

Because I am not that well versed at iptables, I came up with a solution that works pretty well for me. Looking at the logs, I analyzed the annoying break-in attempts and found that 99.9% of them came from China, India, Korea, and Japan. After checking with my boss (we are US based), I simply made a hosts.deny file with ALL of their IP/subnet ranges. This is my good enough solution, and requires only that I copy this file when we add a new computer to the network.
PM me with an email if you'd like a copy of it.

PS it was easy for me to find the IP/CIDR of the countries but I had to write a program to convert the ip/n format to ip/aaa.bbb.ccc.ddd format, and then cat'ed them all together.
_________________
emerge: there are no ebuilds to satisfy "moo"
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Thu Jul 15, 2010 6:47 pm

Hi coolsnowmen :D

I've heard of this approach before, and I've always been unhappy with the idea - it's like collective punishment (even though it's hardly a "punishment" being denied access to my home server).

However, it sounds like something that might be of interest as an addition to Fail2Ban: instead of (or on top of) banning single IPs, which as discussed above is not always the answer for a botnet attack, the same program could look for whole netblocks sending a lot of attack requests and temporarily ban them.

I'd be interested to see the script you used to convert the IP/subnets - would you be prepared to post that here?

PS - I'm still not safe on port 222, I have even had about a dozen bans since I switched! Is the attacker reading this thread? 8O
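Havin_it's suggestion of banning whole netblocks that send many attack requests, instead of or on top of single IPs, is easy to prototype against sshd's own log lines. The Python below is an added example, not code from this thread or from Fail2Ban: it parses a constructed auth.log sample (RFC 5737 documentation addresses, hypothetical hostname `home`), gives the per-IP view that Fail2Ban-style tools already act on, then groups failures by /24 and proposes a netblock only when the failures come from several distinct hosts in it, so a single noisy machine does not drag its whole provider into the ban. The thresholds, the `whitelist` parameter and the `min_hosts` rule are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log sample in syslog format; addresses are RFC 5737
# documentation ranges, not real hosts, and "home" is a hypothetical hostname.
SAMPLE_AUTH_LOG = """\
Jul 15 03:12:01 home sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 15 03:12:04 home sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul 15 03:15:40 home sshd[4188]: Failed password for root from 203.0.113.19 port 40022 ssh2
Jul 15 03:16:02 home sshd[4190]: Failed password for invalid user oracle from 203.0.113.44 port 33012 ssh2
Jul 15 03:16:09 home sshd[4191]: Failed password for invalid user test from 203.0.113.91 port 33100 ssh2
Jul 15 03:20:11 home sshd[4202]: Failed password for invalid user guest from 198.51.100.200 port 2201 ssh2
Jul 15 03:20:13 home sshd[4202]: Failed password for invalid user guest from 198.51.100.200 port 2202 ssh2
Jul 15 03:20:15 home sshd[4202]: Failed password for invalid user guest from 198.51.100.200 port 2203 ssh2
Jul 15 03:20:17 home sshd[4202]: Failed password for invalid user guest from 198.51.100.200 port 2204 ssh2
Jul 15 03:21:00 home sshd[4210]: Accepted publickey for jon from 192.0.2.5 port 50001 ssh2
Jul 15 03:22:30 home sshd[4215]: Failed password for jon from 192.0.2.5 port 50010 ssh2
"""

# Matches sshd's "Failed password for [invalid user ]NAME from ADDR port N" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failures_by_netblock(log_text, prefixlen=24):
    """Group failed-password sources by their /prefixlen network:
    {network: {source_ip: failure_count}}."""
    blocks = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                      # malformed address field, skip the line
        if ip.version != 4:
            continue                      # the /24 grouping below is IPv4-only
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[net][str(ip)] += 1
    return blocks


def single_host_offenders(log_text, min_failures=4):
    """Per-IP view, the kind of thing Fail2Ban already bans: [(ip, failures)]."""
    hits = defaultdict(int)
    for hosts in failures_by_netblock(log_text).values():
        for ip, n in hosts.items():
            hits[ip] += n
    return sorted((ip, n) for ip, n in hits.items() if n >= min_failures)


def netblock_ban_candidates(log_text, min_failures=4, min_hosts=3, prefixlen=24, whitelist=()):
    """Netblocks whose failures come from at least min_hosts distinct addresses and
    add up to at least min_failures: [(network, distinct_hosts, failures)].
    A single noisy host does not qualify; that is left to per-IP banning.
    Networks overlapping a whitelist entry (e.g. your own ranges) are never proposed."""
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    out = []
    for net, hosts in failures_by_netblock(log_text, prefixlen).items():
        if any(net.overlaps(w) for w in allowed):
            continue
        total = sum(hosts.values())
        if len(hosts) >= min_hosts and total >= min_failures:
            out.append((str(net), len(hosts), total))
    return sorted(out)


if __name__ == "__main__":
    print("per-IP:", single_host_offenders(SAMPLE_AUTH_LOG))
    print("per-/24:", netblock_ban_candidates(SAMPLE_AUTH_LOG, whitelist=("192.0.2.0/24",)))
```

On the sample, 198.51.100.200 is a lone host and ends up in the per-IP list, while 203.0.113.0/24 shows four different hosts with one or two tries each, exactly the pattern the per-IP window misses and the netblock rule catches. The result is a candidate list, not a ban: whatever mechanism the server already uses (a `sshd : x.x.x.x` style hosts.deny entry or an iptables rule) would consume it, and a temporary ban with an expiry is the sensible default given how easily a whole /24 includes innocent customers of the same provider.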
eccerr0r (Watchman; Joined: 01 Jul 2004; Posts: 7583; Location: almost Mile High in the USA)
Posted: Thu Jul 15, 2010 9:14 pm

It looks like port 222 is used for rsh, another frequently used login mechanism hackers like to exploit. However the protocols for rsh and ssh are different so I'm not sure how successful the attacks would be. Try another port.

Be glad you have that option to change ports...

(though right now perhaps I can do the same now... now that I have an alternate method of connecting back home: cell phone internet!)
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
dmpogo (Advocate; Joined: 02 Sep 2004; Posts: 2836; Location: Canada)
Posted: Thu Jul 15, 2010 11:57 pm

coolsnowmen wrote:
Noticed this was a recent thread-
Recently: I had to set up ssh on very public IPs, on port 22, w/o port knocking, and with user/password acceptance.

Because I am not that well versed at iptables, I came up with a solution that works pretty well for me. Looking at the logs, I analyzed the annoying break-in attempts and found that 99.9% of them came from China, India, Korea, and Japan. After checking with my boss (we are US based), I simply made a hosts.deny file with ALL of their IP/subnet ranges. This is my good enough solution, and requires only that I copy this file when we add a new computer to the network.
PM me with an email if you'd like a copy of it.

PS it was easy for me to find the IP/CIDR of the countries but I had to write a program to convert the ip/n format to ip/aaa.bbb.ccc.ddd format, and then cat'ed them all together.


I hope you don't plan to do business with these countries or expect customers from there.
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Fri Jul 16, 2010 10:41 am

dmpogo wrote:
coolsnowmen wrote:
Noticed this was a recent thread-
Recently: I had to set up ssh on very public IPs, on port 22, w/o port knocking, and with user/password acceptance.

Because I am not that well versed at iptables, I came up with a solution that works pretty well for me. Looking at the logs, I analyzed the annoying break-in attempts and found that 99.9% of them came from China, India, Korea, and Japan. After checking with my boss (we are US based), I simply made a hosts.deny file with ALL of their IP/subnet ranges. This is my good enough solution, and requires only that I copy this file when we add a new computer to the network.
PM me with an email if you'd like a copy of it.

PS it was easy for me to find the IP/CIDR of the countries but I had to write a program to convert the ip/n format to ip/aaa.bbb.ccc.ddd format, and then cat'ed them all together.


I hope you don't plan to do business with these countries or expect customers from there.


I assume he meant he was just blocking them from port 22, not the whole server.
coolsnowmen (Veteran; Joined: 30 Jun 2004; Posts: 1479; Location: No.VA)
Posted: Thu Jul 22, 2010 12:44 am

Havin_it wrote:
Hi coolsnowmen :D

...
However, it sounds like something that might be of interest as an addition to Fail2Ban: instead of (or on top of) banning single IPs, which as discussed above is not always the answer for a botnet attack, the same program could look for whole netblocks sending a lot of attack requests and temporarily ban them.

I'd be interested to see the script you used to convert the IP/subnets - would you be prepared to post that here
...



So, it's not so much a script as a program. I wrote it myself, so be nice if there is something you don't like. Released free to all Gentooers
(compile simply with g++)
Code:
//Filename: cidr2subnet.cpp
#include <cstdio>    // sscanf, sprintf
#include <cstring>   // strcpy
#include <iostream>
using namespace std;

char ERR_S[32]="Failure";

// Value of one mask octet with 'bits' leading one bits (0..8), e.g. 3 -> 224.
int bits2mask(const int &bits)
{
   int val=0;
   const int mask=128;  //0x80

   for (int counter=0; counter<bits; counter++)
   {
      val>>=1;
      val|=mask;
   }
   return val;
}

// Convert "a.b.c.d/n" into "a.b.c.d/m.m.m.m"; on bad input mask_s is set to ERR_S.
void cidr2mask(const char * cidr_s,char * mask_s)
{
  int one, two, three, four, cidr, masks[4];
  // %d rather than %i, so a leading zero in an octet is not read as octal
  if (sscanf(cidr_s,"%d.%d.%d.%d/%d",&one,&two,&three,&four,&cidr)<5
      || cidr<0 || cidr>32
      || one<0 || one>255 || two<0 || two>255 || three<0 || three>255 || four<0 || four>255)
  { strcpy(mask_s,ERR_S);  return; //ERROR: not a.b.c.d/n, or a field out of range
  }

  // Octets fully inside the prefix are 255, the rest 0, and the octet the
  // prefix ends in is partial.  A /32 has no partial octet, so guard the
  // index: without the check masks[4] would be written past the array.
  for( int idx=0; idx<4; idx++)
    masks[idx] = (idx < cidr/8) ? 255 : 0;
  if (cidr<32)
    masks[cidr/8]=bits2mask(cidr % 8);

  // Longest result is "255.255.255.255/255.255.255.255" (31 chars), fits mask_s[32].
  sprintf(mask_s,"%d.%d.%d.%d/%d.%d.%d.%d", one, two, three, four, masks[0], masks[1], masks[2], masks[3]);
}

int main (int argc, char ** argv)
{

  if (argc<2)
    cout << "\n No Argument given to cidr2subnet"
         << "\n Written by jon malachowski"
         << "\n   converts ip4/cidr to ip4/sub.net.mask.0\n"
         << "\n    ex:  " << argv[0] << " 1.2.3.4/24"
         << "\n should return: 1.2.3.4/255.255.255.0\n"
         << "\n also in bash try: "
         << "\n for a in `cat testfile.cidr`"
         << "\n   do ./a.out $a;"
         << "\n done" << endl;
  else {
    char mask_s[32];
    for (int arg_idx=1; arg_idx < argc; arg_idx++)
    { cidr2mask(argv[arg_idx],mask_s);
      cout << mask_s << endl;
    }
  }

return 0;
}

_________________
emerge: there are no ebuilds to satisfy "moo"
coolsnowmen (Veteran; Joined: 30 Jun 2004; Posts: 1479; Location: No.VA)
Posted: Thu Jul 22, 2010 5:38 pm

Havin_it wrote:
dmpogo wrote:
coolsnowmen wrote:
Noticed this was a recent thread-
Recently: I had to set up ssh on very public IPs, on port 22, w/o port knocking, and with user/password acceptance.

Because I am not that well versed at iptables, I came up with a solution that works pretty well for me. Looking at the logs, I analyzed the annoying break-in attempts and found that 99.9% of them came from China, India, Korea, and Japan. After checking with my boss (we are US based), I simply made a hosts.deny file with ALL of their IP/subnet ranges. This is my good enough solution, and requires only that I copy this file when we add a new computer to the network.
PM me with an email if you'd like a copy of it.

PS it was easy for me to find the IP/CIDR of the countries but I had to write a program to convert the ip/n format to ip/aaa.bbb.ccc.ddd format, and then cat'ed them all together.


I hope you don't plan to do business with these countries or expect customers from there.


I assume he meant he was just blocking them from port 22, not the whole server.


No and no. Putting IPs in hosts.deny does in fact block everything from that IP (ssh/http/cifs/*). If the incoming IP is in range, the host is directed to drop the packet no matter what it contains, with no response (effectively invisible). As I said before, I did ask my boss at the time and told him the implications. I use this on my home server because only me and a few friends need to even see it. It is a quick and dirty way of reducing your vulnerability in general based on a statistical analysis of my log files. If you are being paid by a business that needs an international web presence in those countries, perhaps this method is not for you. For a user who simply wants ssh/http connectivity to his home computer, this is the fastest method if you find setting up fail2ban (and other things like it) confusing/consuming.
_________________
emerge: there are no ebuilds to satisfy "moo"
Havin_it (Veteran; Joined: 17 Jul 2005; Posts: 1187; Location: Edinburgh, UK)
Posted: Thu Jul 22, 2010 11:01 pm

Entries in hosts.deny don't have to be a blanket ban though: when I used denyhosts before Fail2ban, it would respond to SSH hammering by adding this type of line:
Code:
sshd : x.x.x.x

So only SSH connections were banned - the banned IP could still access Apache on that server, for example.

Also, isn't it the case that only services with support for tcpd refer to this file? Do you have another component in your setup?
xibo (Apprentice; Joined: 21 Aug 2007; Posts: 152; Location: moving between kubuntu and ubuntu kde edition)
Posted: Mon Jul 26, 2010 10:54 pm

ker - be - ros

I can't believe I'm really the first one to name it here.

If you know your clients you can also whitelist port 22 for them and block everything else from it via firewall. Using a different port might drive off lesser worms but not a human attacker or smart trojan, for the latter will have nmap scan for what service is running where.

also, emerging threats maintains a daily updated list of malicious hosts/nets known for botnetting which wouldn't hurt your security when being introduced to your firewall via cron job.
coolsnowmen (Veteran; Joined: 30 Jun 2004; Posts: 1479; Location: No.VA)
Posted: Tue Aug 03, 2010 4:31 pm

xibo wrote:

if you know your clients you can also whitelist port 22 for them and block everything else from it via firewall.


That is done by whitelisting their IP, right? Well, that was always a non-starter for me, because they could never just pick up a computer and ssh in to do something. It also became more of a pain when adding people to a system. Then when removing people you have to know which IP went with which person, on every firewall.

IMO, if I ever went that far, it would simply be better to do to .ssh/id_dsa files. That way at least the user gains something for their trouble.
_________________
emerge: there are no ebuilds to satisfy "moo"
Page 2 of 2. All times are GMT.