ssh: fail2ban now obsolete?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.

Post by eccerr0r » Mon Oct 22, 2007 8:37 am

I don't know if you guys all noticed it, but I'm currently being attacked by a random, new host every 2 minutes. This sort of obsoletes fail2ban as a new IP is checking every 2 minutes.

While this is not as bad as them flooding my connection with logins, this is still annoying. It looks like I will have to resort to port knocking or port relocation.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?

Post by Stever » Mon Oct 22, 2007 3:39 pm

I'm seeing the same thing on my server for the past couple days.
I think anyone who is relying on fail2ban or similar tools to cover for weak passwords may be in big trouble.

Code:

Oct 22 11:23:34 myhost sshd[12052]: ... illegal user root from rueckziegel.de
Oct 22 11:26:01 myhost sshd[19761]: ... illegal user root from 213.203.197.86
Oct 22 11:27:55 myhost sshd[22394]: ... illegal user root from 200.69.219.189
Oct 22 11:29:48 myhost sshd[1803]: ... illegal user root from chello080108092234.22.11.vie.surfer.at
Oct 22 11:32:17 myhost sshd[24030]: ... illegal user root from gw.ptr-62-65-142-213.customer.ch.netstream.com
Oct 22 11:34:10 myhost sshd[8171]: ... illegal user root from devel.teracode.com
Oct 22 11:36:07 myhost sshd[14195]: ... illegal user root from www.asigen.cl
Oct 22 11:38:34 myhost sshd[28546]: ... illegal user root from 200.62.227.204
Oct 22 11:40:25 myhost sshd[21858]: ... illegal user root from 148.245.157.217
Oct 22 11:42:25 myhost sshd[17660]: ... illegal user root from mtl93-10-88-173-209-112.fbx.proxad.net
Oct 22 11:44:52 myhost sshd[19517]: ... illegal user root from 61.9.8.115
Oct 22 11:46:43 myhost sshd[7317]: ... illegal user root from 67.105.126.195.ptr.us.xo.net
Oct 22 11:49:07 myhost sshd[22314]: ... illegal user root from 64.14.4.11
Oct 22 11:51:12 myhost sshd[29988]: ... illegal user root from mailux.bendux.de
Oct 22 11:53:14 myhost sshd[10153]: ... illegal user root from 200.152.205.106
Oct 22 11:55:47 myhost sshd[20075]: ... illegal user root from static-098-027-160.dsl.nextra.sk
Oct 22 11:57:28 myhost sshd[32395]: ... illegal user root from 203.227.15.13
Oct 22 11:59:26 myhost sshd[7889]: ... illegal user root from jaysus.de
Oct 22 12:01:55 myhost sshd[17593]: ... illegal user root from 213.203.197.86
Oct 22 12:03:49 myhost sshd[18269]: ... illegal user root from 124x39x168x43.ap124.ftth.ucom.ne.jp

Post by eccerr0r » Mon Oct 22, 2007 4:11 pm

I suppose I like having clean logfiles; as far as I know, my friends have decent passwords (I hope!), but I guess I dislike seeing so many trash login attempts...

I should ignore them, but, it's still ugly...
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?

Post by gregf » Mon Oct 22, 2007 7:22 pm

Been seeing this a lot myself. I use denyhosts but am getting more than normal. Personally I'm not too worried, since I require anyone using the server to generate an ssh key rather than using passwords. If you're getting this many hits you might want to consider coming up with a similar policy. That way, even if they were to guess your password, it will not do them any good without the key.

Post by pteppic » Mon Oct 22, 2007 9:17 pm

Hmm, haven't seen it myself yet, but will certainly keep my eyes on the log files now.
I currently use the ssh-blacklist program, written in python and posted on these forums somewhere. If I start to see this kind of behavior then some new rules for matching are going to have to be generated.

I used a program recently on a Doze system that had 'instaban' attached to certain login usernames. I think this approach could be applied here; c'mon, who allows 'root' to log in on an external SSH box?
Current Project Thread (myth2avi)

Post by eccerr0r » Mon Oct 22, 2007 9:33 pm

Well, it's not that attempting to log in as 'root' is the issue; I wish not to see these attempts at all. I wish my computer would not even bother replying with an invitation to try to log in if it knows it will be a fruitless attempt.

Unfortunately my internet link is limited, I do not want to be transmitting more packets than needed.

I wish everyone would fix their computers. *sigh*
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?

Post by gregf » Mon Oct 22, 2007 9:41 pm

There's more than just the root user being attacked though; a few times the logs looked like they were using a random name generator as well. Although I have not seen my login name listed just yet. :) Attacks seem to have stepped up over this last week though.

Post by pteppic » Mon Oct 22, 2007 9:47 pm

gregf wrote: Attacks seem to have stepped up over this last week though.
X2, you're right there. I've had more in the last week than the previous 6.

/me considers installing the TARPIT patches again...
Current Project Thread (myth2avi)

Post by gimpel » Mon Oct 22, 2007 10:12 pm

/me suggests handing out publickeys to those allowed to access the box, and disable pw logins in general.
http://proaudio.tuxfamily.org/wiki - pro-audio software overlay

Post by upengan78 » Thu Nov 08, 2007 5:52 pm

What exactly is fail2ban lacking here, such that it does not scan these lines in the log files?

Are we missing something in the filter files?

Post by eccerr0r » Thu Nov 08, 2007 6:17 pm

The problem is that they're using a multi-thousand-strong zombie bot force. If each machine sends *one* attempt to your computer, three thousand unique host attempts have been sent to your machine. Your machine will have _no_ way to figure out whether they're legit or not.

This is different than using _one_ of the random zombie bots to send 3000 attempts to your computer. That is easily covered by fail2ban.

That being said, the random host storm has subsided a bit. I think they may be afraid of people putting up port knocking.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
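The distinction eccerr0r draws above is exactly what a per-source counter cannot see. As an added example (not fail2ban's code or anything posted in the thread), here are the two views side by side over the log lines Stever quoted: a fail2ban-style per-source threshold finds nothing to ban, while counting distinct failing sources per time window flags the storm.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample in the shape of the sshd lines quoted earlier in the thread
# (same sources and times; the "..." replaced with the old OpenSSH "Illegal user" wording).
SAMPLE_LOG = """\
Oct 22 11:23:34 myhost sshd[12052]: Illegal user root from rueckziegel.de
Oct 22 11:26:01 myhost sshd[19761]: Illegal user root from 213.203.197.86
Oct 22 11:27:55 myhost sshd[22394]: Illegal user root from 200.69.219.189
Oct 22 11:29:48 myhost sshd[1803]: Illegal user root from chello080108092234.22.11.vie.surfer.at
Oct 22 11:32:17 myhost sshd[24030]: Illegal user root from gw.ptr-62-65-142-213.customer.ch.netstream.com
Oct 22 11:34:10 myhost sshd[8171]: Illegal user root from devel.teracode.com
Oct 22 11:36:07 myhost sshd[14195]: Illegal user root from www.asigen.cl
Oct 22 11:38:34 myhost sshd[28546]: Illegal user root from 200.62.227.204
Oct 22 11:40:25 myhost sshd[21858]: Illegal user root from 148.245.157.217
Oct 22 11:42:25 myhost sshd[17660]: Illegal user root from mtl93-10-88-173-209-112.fbx.proxad.net
Oct 22 11:44:52 myhost sshd[19517]: Illegal user root from 61.9.8.115
Oct 22 11:46:43 myhost sshd[7317]: Illegal user root from 67.105.126.195.ptr.us.xo.net
Oct 22 11:49:07 myhost sshd[22314]: Illegal user root from 64.14.4.11
Oct 22 11:51:12 myhost sshd[29988]: Illegal user root from mailux.bendux.de
Oct 22 11:53:14 myhost sshd[10153]: Illegal user root from 200.152.205.106
Oct 22 11:55:47 myhost sshd[20075]: Illegal user root from static-098-027-160.dsl.nextra.sk
Oct 22 11:57:28 myhost sshd[32395]: Illegal user root from 203.227.15.13
Oct 22 11:59:26 myhost sshd[7889]: Illegal user root from jaysus.de
Oct 22 12:01:55 myhost sshd[17593]: Illegal user root from 213.203.197.86
Oct 22 12:03:49 myhost sshd[18269]: Illegal user root from 124x39x168x43.ap124.ftth.ucom.ne.jp
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*[Ii]llegal user \S+ from (?P<src>\S+)")

def parse(log_text, year=2007):
    """Return sorted (timestamp, source) pairs for the failed-login lines (syslog has no year)."""
    events = []
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        events.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]))
    return sorted(events)

def per_source_bans(events, maxretry=5):
    """fail2ban's view: a source is banned only once it alone reaches maxretry failures."""
    counts = Counter(src for _, src in events)
    return {src: n for src, n in counts.items() if n >= maxretry}

def distributed_alerts(events, window_minutes=30, min_sources=10):
    """Aggregate view: alert when too many *distinct* sources fail inside one sliding window."""
    alerts, window = [], deque()
    for ts, src in events:
        window.append((ts, src))
        while (ts - window[0][0]).total_seconds() > window_minutes * 60:
            window.popleft()          # drop hits older than the window
        distinct = len({s for _, s in window})
        if distinct >= min_sources:
            alerts.append((ts, distinct))
    return alerts
```

With one attempt per host, no source ever reaches a sane maxretry, yet the window view reports ten or more distinct sources from 11:42 onward.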

Post by upengan78 » Thu Nov 08, 2007 6:19 pm

Thanks :)

What does it mean by port knocking, that they are afraid of it?

Post by vaguy02 » Thu Nov 08, 2007 6:55 pm

Port Knocking is where you have your ssh port closed to everyone.

In order to open it you hit certain ports with requests, say tcp 123, udp 234, tcp 345. This is observed by the computer; if it's the right combination, it adds a line to iptables saying accept ssh from this one specific IP address. You can set time limits and the rest.

The only problem with port knocking is if someone is sitting with a network sniffer, they can see which ports are hit and which order and they will be able to send the right signal and open it up for themselves as well.

It's all tradeoffs with security.

Robert
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5
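The knock-daemon logic described above, as an added example (not vaguy02's setup and not the code of knock or any real knock daemon): each source has to hit tcp 123, udp 234, tcp 345 in order and within a time limit, after which only that source gets a temporary ssh accept rule. The timeouts, the port 22 assumption and the iptables strings are illustrative; the class only records the commands a real daemon would run.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = [("tcp", 123), ("udp", 234), ("tcp", 345)]   # the sequence from the post above

@dataclass
class KnockDaemon:
    sequence: list
    knock_timeout: float = 10.0    # seconds allowed to complete the whole sequence (assumed)
    open_duration: float = 30.0    # seconds the ssh port stays open for that source (assumed)
    progress: dict = field(default_factory=dict)   # src -> (index of next expected knock, deadline)
    allowed: dict = field(default_factory=dict)    # src -> time the accept rule expires
    rules: list = field(default_factory=list)      # iptables commands a real daemon would execute

    def observe(self, now, src, proto, port):
        """Feed one observed hit on a closed port; True when src just completed the sequence."""
        idx, deadline = self.progress.get(src, (0, None))
        if deadline is not None and now > deadline:
            idx = 0                                  # too slow: the sequence starts over
        if (proto, port) == self.sequence[idx]:
            if idx == 0:
                deadline = now + self.knock_timeout  # clock starts at the first correct knock
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                self.allowed[src] = now + self.open_duration
                self.rules.append(f"iptables -I INPUT -p tcp -s {src} --dport 22 -j ACCEPT")
                return True
            self.progress[src] = (idx, deadline)
        else:
            # A wrong port breaks the sequence (so a linear port scan never opens it);
            # a hit on the first knock port counts as a fresh start.
            self.progress.pop(src, None)
            if (proto, port) == self.sequence[0]:
                self.progress[src] = (1, now + self.knock_timeout)
        return False

    def ssh_allowed(self, now, src):
        """Would a new ssh connection from src be accepted at time now? Expired grants are revoked."""
        expiry = self.allowed.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.allowed[src]
            self.rules.append(f"iptables -D INPUT -p tcp -s {src} --dport 22 -j ACCEPT")
            return False
        return True
```

Note that the daemon keys everything on the source address, which is why the sniffing caveat in the post holds: anyone who can observe the three hits can reproduce them from their own address.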

Post by upengan78 » Thu Nov 08, 2007 6:58 pm

Ahh Cool, Thanks

Can you tell me what the steps are to get this working?

I installed knock 0.5
and started knock with default configuration.

How does it work after this?

Post by vaguy02 » Fri Nov 09, 2007 1:59 pm

I've personally never used it. I've just researched it as a possibility for my network. I find that it is much more effective to just block class A networks that I would never use. Example: no one that would access my network would ever come from the Asia Pacific Network Information Centre (a big problem ISP for me) located in AU. Anyways, I block all of their class A networks, example 122.0.0.0/255.0.0.0. This has been very effective against a lot of brute force attempts I've had. I only leave the US and a couple of other countries actually on.

Sorry I couldn't better answer your question. I defer this to someone with more experience with Knock.

Robert
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

Post by upengan78 » Fri Nov 09, 2007 3:52 pm

Thanks !

How does one come to know what ranges are used in the USA and what are not? This idea of blocking IP ranges is nice when you know that really no one is going to access ssh from that range.

Post by vaguy02 » Fri Nov 09, 2007 4:01 pm

This is somewhat helpful at determining who owns entire A class networks.
http://www.iana.org/assignments/ipv4-address-space

003.0.0.0 - May 94 General Electric Company
Etc.....

You see what I mean.

APNIC - is Asia Pacific that I talked about
RIPE NCC - is an ISP in Europe.
AfriNic - you can guess.
So on and so forth.

If you detect a brute force attempt, I usually use
http://www.analysespider.com/ip2country/lookup.html (you get 10 free a day)

And if you want contact info or how large their subnet is I personally use this
http://www.arin.net/whois/ it will tell you the registered owner and if they own the whole A class 122.0.0.0 - 122.255.255.255 or if they just own part of it, ex. 122.150.0.0 - 122.255.0.0.0

Hope this helps, I have yet to find a complete free comprehensive listing of all US based ip networks.

Robert
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

Post by upengan78 » Fri Nov 09, 2007 4:06 pm

Thank you very much !!!! :)

Post by vaguy02 » Fri Nov 09, 2007 4:11 pm

No problem. Let me know if you have any other question.

If anyone reads this and knows of a good free comprehensive US ipv4 listing, please let me know!
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

Post by linuxkrn » Tue Nov 13, 2007 7:52 pm

Try this:

http://www.iana.org/assignments/ipv4-address-space

The big ones such as RIPE/APNIC are non-us. :)

And this for fun: http://www.circleid.com/images/uploads/ ... ternet.jpg

Post by vaguy02 » Tue Nov 13, 2007 8:09 pm

I already had that link in my message, it's the first one. Good try though. :)
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

Post by upengan78 » Tue Nov 13, 2007 8:10 pm

:D

Post by upengan78 » Thu Nov 15, 2007 5:31 pm

I have banned these guys on my machine!
:x I am sorry ! :lol:

Post by upengan78 » Thu Nov 15, 2007 5:38 pm

DROP all -- 207.138.124.4 0.0.0.0/0
DROP all -- 203.156.240.75 0.0.0.0/0
DROP all -- 222.246.132.212 0.0.0.0/0
DROP all -- 77.221.134.130 0.0.0.0/0
DROP all -- 60.6.237.55 0.0.0.0/0
DROP all -- 159.226.4.155 0.0.0.0/0
DROP all -- 218.76.217.234 0.0.0.0/0
DROP all -- 85.68.243.85 0.0.0.0/0
DROP all -- 203.193.135.82 0.0.0.0/0
:roll:

Post by vaguy02 » Thu Nov 15, 2007 5:54 pm

Code:

 iptables -A BADDOMAINS -s 6.0.0.0/255.0.0.0 -j DROP #DoD - AISC
 iptables -A BADDOMAINS -s 11.0.0.0/255.0.0.0 -j DROP #DoD - Intel
 iptables -A BADDOMAINS -s 21.0.0.0/255.0.0.0 -j DROP #DoD
 iptables -A BADDOMAINS -s 22.0.0.0/255.0.0.0 -j DROP #DoD - DISA
 iptables -A BADDOMAINS -s 25.0.0.0/255.0.0.0 -j DROP #UK - MoD
 iptables -A BADDOMAINS -s 26.0.0.0/255.0.0.0 -j DROP #DoD - DISA
 iptables -A BADDOMAINS -s 29.0.0.0/255.0.0.0 -j DROP #DoD - DISA
 iptables -A BADDOMAINS -s 30.0.0.0/255.0.0.0 -j DROP #DoD - DISA
 iptables -A BADDOMAINS -s 51.0.0.0/255.0.0.0 -j DROP #UK - Social Security
 iptables -A BADDOMAINS -s 55.0.0.0/255.0.0.0 -j DROP #DoD - NIC
 iptables -A BADDOMAINS -s 60.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 61.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 80.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 81.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 83.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 86.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 87.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 89.0.0.0/255.0.0.0 -j DROP #RIPE - NL

 iptables -A BADDOMAINS -s 122.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 125.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 134.0.0.0/255.0.0.0 -j DROP
 iptables -A BADDOMAINS -s 189.0.0.0/255.0.0.0 -j DROP #LACNIC -UY
 iptables -A BADDOMAINS -s 190.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
 iptables -A BADDOMAINS -s 193.0.0.0/255.0.0.0 -j DROP #RIPE - NL

 iptables -A BADDOMAINS -s 200.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
 iptables -A BADDOMAINS -s 201.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
 iptables -A BADDOMAINS -s 202.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 203.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 207.253.73.0/255.255.255.0 -j DROP # Canada
 iptables -A BADDOMAINS -s 210.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 211.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 213.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 214.0.0.0/255.0.0.0 -j DROP #DoD
 iptables -A BADDOMAINS -s 215.0.0.0/255.0.0.0 -j DROP #DoD
 iptables -A BADDOMAINS -s 217.0.0.0/255.0.0.0 -j DROP #RIPE - NL
 iptables -A BADDOMAINS -s 218.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 219.0.0.0/255.0.0.0 -j DROP #APNIC - AU
 iptables -A BADDOMAINS -s 221.0.0.0/255.0.0.0 -j DROP #APNIC - AU
I've blocked most APNIC, LACNIC and RIPE subnets I could find, as well as the DoD (military and intel) subnets that I could get my hands on.

Robert
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5