Firewall / Security.

#1 Mon, 11/28/2005 - 02:22
FaisalMehmood

Hi.

Just another question for the forum's members.

I have been seeing a lot of activity from users trying to crack into the system. People trying to access the SSH2 ports and such. Anything to automatically scan and stop these intruders? Anywhere I could find a set of predefined IP tables etc.? Any and all solutions are welcome.

Thanks. Faisal.

P.S. Here is a sample log file.

Nov 27 23:33:18 alpha sshd[[12155]]: Invalid user florin from ::ffff:69.111.170.214
Nov 27 23:33:20 alpha sshd[[12155]]: Failed password for invalid user florin from ::ffff:69.111.170.214 port 45168 ssh2
Nov 27 23:33:22 alpha sshd[[12157]]: Invalid user flower from ::ffff:69.111.170.214
Nov 27 23:33:24 alpha sshd[[12157]]: Failed password for invalid user flower from ::ffff:69.111.170.214 port 45305 ssh2
Nov 27 23:33:26 alpha sshd[[12159]]: Invalid user filip from ::ffff:69.111.170.214
Nov 27 23:33:29 alpha sshd[[12159]]: Failed password for invalid user filip from ::ffff:69.111.170.214 port 45449 ssh2
Nov 27 23:33:31 alpha sshd[[12161]]: Invalid user filippo from ::ffff:69.111.170.214
Nov 27 23:33:33 alpha sshd[[12161]]: Failed password for invalid user filippo from ::ffff:69.111.170.214 port 45592 ssh2
Nov 27 23:33:38 alpha sshd[[12163]]: Invalid user fitz from ::ffff:69.111.170.214
Nov 27 23:33:40 alpha sshd[[12163]]: Failed password for invalid user fitz from ::ffff:69.111.170.214 port 45732 ssh2
Nov 27 23:33:42 alpha sshd[[12165]]: Invalid user forest from ::ffff:69.111.170.214
Nov 27 23:33:44 alpha sshd[[12165]]: Failed password for invalid user forest from ::ffff:69.111.170.214 port 45974 ssh2
Nov 27 23:33:46 alpha sshd[[12167]]: Invalid user forrest from ::ffff:69.111.170.214
Nov 27 23:33:48 alpha sshd[[12167]]: Failed password for invalid user forrest from ::ffff:69.111.170.214 port 46113 ssh2
Nov 27 23:33:50 alpha sshd[[12169]]: Invalid user fritz from ::ffff:69.111.170.214
Nov 27 23:33:53 alpha sshd[[12169]]: Failed password for invalid user fritz from ::ffff:69.111.170.214 port 46248 ssh2
Nov 27 23:33:55 alpha sshd[[12171]]: Invalid user foster from ::ffff:69.111.170.214
Nov 27 23:33:57 alpha sshd[[12171]]: Failed password for invalid user foster from ::ffff:69.111.170.214 port 46402 ssh2
Nov 27 23:33:59 alpha sshd[[12173]]: Invalid user fox from ::ffff:69.111.170.214
Nov 27 23:34:01 alpha sshd[[12173]]: Failed password for invalid user fox from ::ffff:69.111.170.214 port 46547 ssh2
Nov 27 23:34:03 alpha sshd[[12175]]: Invalid user fran from ::ffff:69.111.170.214
Nov 27 23:34:06 alpha sshd[[12175]]: Failed password for invalid user fran from ::ffff:69.111.170.214 port 46688 ssh2
Nov 27 23:34:07 alpha sshd[[12177]]: Invalid user francis from ::ffff:69.111.170.214

Tue, 11/29/2005 - 06:47
ChrisBlackwell

Hi Faisal,

This looks like a job for PortSentry or Snort. I haven't used either in any detail, only as part of larger packages.

PortSentry and Logcheck can be found at <a href="http://sourceforge.net/projects/sentrytools/">http://sourceforge.net/projects/sentrytools/</a>. They can be managed through Webmin, but the last update to these packages was May 2003 and I don't know if they are still maintained.

Snort (<a href="http://www.snort.org/">www.snort.org</a>) is the alternative. I've never tried to configure it, but I have used it as part of the Smoothwall firewall package and it worked without problem. There is a module for Snort available at <a href="http://msbnetworks.net/snort/">msbnetworks.net/snort/</a> but it's 4 years old and I don't know whether it works with the current release of the Snort IDS.

Tue, 11/29/2005 - 09:18
ADobkin

This is a very common SSH brute force attack. It eventually happens on all public servers running SSH on port 22. The easiest way to stop it is to run SSH on a different port. This will stop it quite effectively for now, at least until these attack scripts become more advanced. However, changing the SSH port is not always a desired or viable option, especially if it is available to a lot of your users. You could also set your firewall or tcpwrappers (hosts.allow/deny files) to only allow SSH from known IP addresses, but again that may not be a viable option depending on your usage.

There are plenty of other options, including running an I.D.S. (Intrusion Detection System) such as those Chris mentioned. Here is a specific blocker tool that recognizes and attempts to reduce or defeat this attack:

-- sshdfilter V1.4.1 --
<a href="http://www.csc.liv.ac.uk/~greg/sshdfilter/">ssh brute force attack blocker</a>

I have not implemented this tool yet myself, but it looks like a decent solution to the problem. If you try it, please post your results back here.

Wed, 11/30/2005 - 07:09 (Reply to #3)
ADobkin

I remembered after posting my message that there was a similar thread about this issue on the Webmin mailing list a couple of months ago. Vernon Spangler, who is also a Virtualmin user and develops a few plugin modules for Webmin and Virtualmin, has created his own version of a blocker for this type of attack. Refer to <a href="http://sourceforge.net/mailarchive/message.php?msg_id=12991454">his post</a> for more details.

Here is the description from his web site:

<BlockQuote>
SSH Brute Force Black List v1.9

The sshblack script is a real-time security tool for secure shell (ssh). It monitors *nix log files for suspicious activity and reacts appropriately to aggressive attackers by adding them to a "blacklist" created using various firewalling tools -- such as iptables -- available in most modern versions of Unix and Linux. The blacklist is simply a list of source IP addresses that are prohibited from making ssh connections to the protected host. Once a predetermined amount of time has passed, the offending IP address is removed from the blacklist.

It is written in Perl but requires no special modules or libraries unless you utilize the daemon version which only requires one tiny module.

What defines an "attack" is determined by a variable in the source code. This is usually a character string like "Failed password" or "Illegal user" but can be anything that the administrator deems as an undesirable activity.
</BlockQuote>

I'm not sure how Vernon's script compares to the one I posted yesterday. Again, please post your results back here if you try it.
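
The loop that the sshblack description outlines (match an attack string in the sshd log, blacklist a source once it crosses a threshold, lift the ban after a set time) is sketched here as an added example; it is not part of the original posts and is not Vernon Spangler's Perl script. The threshold, window, ban length, function names and sample lines are assumptions, and the firewall commands are only rendered as text.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy ".*" plus "$" takes the LAST " from <addr>": the user name is
# remote-supplied text. "\[+" accepts the doubled brackets pasted in post #1.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[+\d+\]+: "
                  r"Failed password .* from (\S+) port \d+ ssh2$")

def parse(line, year=2005):
    """Return (timestamp, source_ip) for a failed login, else None."""
    m = LINE.match(line.strip())
    try:
        ip = ipaddress.ip_address(m.group(2))
    except (AttributeError, ValueError):         # no match, or not an address
        return None
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, str(ip)

def scan(lines, threshold=5, window=timedelta(minutes=1), ban=timedelta(hours=1)):
    """Return (time, 'block'|'unblock', ip) events, driven by log time."""
    recent, banned, events = defaultdict(deque), {}, []
    for now, ip in filter(None, map(parse, lines)):
        for old in [a for a, until in banned.items() if until <= now]:
            events.append((banned.pop(old), "unblock", old))  # ban ran out
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] > window:            # slide the counting window
            hits.popleft()
        if len(hits) >= threshold and ip not in banned:
            banned[ip] = now + ban
            events.append((now, "block", ip))
    return events

def iptables_cmd(action, ip):
    """Render the rule change as text; this example never runs it."""
    tool = "ip6tables" if ":" in ip else "iptables"
    flag = "-I" if action == "block" else "-D"
    return f"{tool} {flag} INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample (documentation addresses), not the log from the thread.
SAMPLE = [f"Nov 27 23:33:{10 + 2 * i:02d} alpha sshd[{12155 + i}]: Failed password "
          f"for invalid user u{i} from ::ffff:203.0.113.9 port {45168 + i} ssh2"
          for i in range(6)]
SAMPLE.append("Nov 28 00:40:00 alpha sshd[12200]: Failed password for root "
              "from 198.51.100.7 port 40000 ssh2")
print(*(f"{t} {iptables_cmd(a, ip)}" for t, a, ip in scan(SAMPLE)), sep="\n")
```

Unblock events are only emitted when a later log line advances the clock, so a real daemon would also need a timer to lift bans during quiet periods.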
