Brute Force Detection + Advanced Firewall Policy

Xspeed xspeed75 at gmail.com
Tue Dec 20 05:50:24 PST 2005


I found this script very good.
http://nullmind.com/2005/02/03/brute-force-detection-linuxbsd/

However, it had a limitation when using IPFW1 to block the attacker.
I made modifications to the script to take care of it.

Below is a post I made to a forum.
===================================
I'm using IPFW1 to block out the attackers.
Using the unblock command "ipfw delete 400" removes all attackers at the
same time. It would allow attackers in before the block period is up if a
previous unblock command was scheduled.
I needed the script to assign different ipfw block rule numbers, so I can
specifically block an attacker for the specified block time.
I modified the script and set it to use a range of rule numbers from 230 to
290. You can change this range to your own.

I'm using IPFW1 to block out the attackers.
As mentioned by lionspark in his post on 03-15-05, 02:17, using the
unblock command "ipfw delete 400" removes all attackers at the same time. It
would allow attackers in before the block period is up if a previous unblock
command was scheduled.
I needed the script to assign different ipfw block rule numbers, so I can
specifically block an attacker for the specified block time.
I modified the script and set it to use a range of rule numbers from 230 to
290. You can change this range to your own.

1) In the hspherebfd installation directory, under <installdir>/tmp (i.e.
/usr/local/bin/hspherebfd/tmp):
create a file ".rulenum"
insert the value "230" (this is the starting ipfw rule number to use; change
it if you are using other numbers)
save the file

2) In hspherebfd, I made the following changes (around line 110):
if ($autoblock == 1) {
    $rulenum_file = "$instdir/tmp/.rulenum";
    # Fall back to the start of the range if no counter file exists yet
    $curr_rule_nos = $rulenumstart;
    if ( -e $rulenum_file ) {
        $curr_rule_nos = `cat $rulenum_file`;
        chomp($curr_rule_nos);
    }

    $command = $block_cmd;
    $command =~ s/attacker/$attacker/g;
    $command =~ s/rulenum/$curr_rule_nos/g;
    system("$command");
    $actions .= "Blocked the attacker at firewall using: " . $command . "\n";

    # See if curr_rule_nos is still within the range of ipfw rule nos to use;
    # wrap around to the start of the range once the maximum has been used
    if ($curr_rule_nos == $rulenummax) {
        $new_rule_nos = $rulenumstart;
    }
    else {
        $new_rule_nos = $curr_rule_nos + 1;
    }
    # Write the new rule nos to use into the file storing the rulenum
    open(FILEWRITER, "> $rulenum_file")
        or die "Cannot write $rulenum_file: $!";
    print FILEWRITER $new_rule_nos;
    close(FILEWRITER);
}

if ($autounblock == 1) {
    # Schedule removal of the rule number that was just used for this attacker
    $command = $unblock_cmd;
    $command =~ s/attacker/$attacker/g;
    $command =~ s/rulenum/$curr_rule_nos/g;
    system("echo '$command' | at +" . $timelimit);
    $actions .= "Set auto unblock of attacker at firewall using: " . $command . "\n";
}

3) In bfd.conf, I made the following changes (the changed lines are the ones that mention rulenum):
#This is the install directory for everything but our binary
$instdir="/usr/local/bin/hspherebfd";

#the directory for the rules files. This probably shouldnt be changed.
$rules=$instdir . "/rules";

#the file to our whitelist. This probably shouldnt be changed.
$excluded=$instdir . "/excluded.hosts";

#Notify Admin? (1 = yes, 0 = no)
$notify=1;

#if notify admin is yes, who do we notify?
$email='someemail@someemail.com';

#subject line of the email?
$email_subject="Brute Force Detection For Host: <hostname>";

#block attackers? (1 = yes, 0 = no)
$autoblock = 1;

#how do we block attackers? This one you are on your own. Everyone runs
#different firewalls and OS's.
#the word "attacker" will automatically be replaced.
#$block_cmd="/sbin/ipfw table 1 add attacker";
$block_cmd="/sbin/ipfw add rulenum deny tcp from attacker to any";

#unblock attacker?
$autounblock = 1;

#how long do we leave them blocked?
#eg. 1 day(s) or 30 minute(s)
$timelimit = "2 days";

#how do we unblock the attacker?
#$unblock_cmd="/sbin/ipfw table 1 delete attacker";
$unblock_cmd="/sbin/ipfw delete rulenum";

#what is the range of ipfw1 rule nos limits? Change to fit your range.
#Remember to change <installdir>/tmp/.rulenum to match $rulenumstart.
$rulenumstart = 230;
$rulenummax = 290;
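The rule-number rotation from steps 1 to 3, as an added example in plain sh (it is not hspherebfd's own code): it reads and advances a persisted counter the way the Perl above does, rejects anything that is not a bare IPv4 address before it can reach a shell command, and only prints the ipfw commands it would run. RULENUM_FILE and the function names are assumptions standing in for the script's variables.

```shell
#!/bin/sh
# Added example, not part of hspherebfd: the same rule-number rotation as the
# Perl above, as shell functions. RULENUM_FILE stands in for
# <installdir>/tmp/.rulenum; nothing here runs ipfw, it only builds commands.
RULENUM_START=230
RULENUM_MAX=290
RULENUM_FILE="${RULENUM_FILE:-/tmp/bfd-example.rulenum}"

# Accept only a bare dotted-quad, so a log line carrying shell metacharacters
# can never reach system()/at through the "attacker" placeholder.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rule number to use for this block and persist the next one,
# wrapping to RULENUM_START after RULENUM_MAX exactly as the Perl does.
next_rulenum() {
    cur=$RULENUM_START
    if [ -r "$RULENUM_FILE" ]; then
        read -r cur < "$RULENUM_FILE" || :   # file may lack a final newline
    fi
    case "$cur" in
        ''|*[!0-9]*) cur=$RULENUM_START ;;  # empty or corrupt counter file
    esac
    if [ "$cur" -lt "$RULENUM_START" ] || [ "$cur" -gt "$RULENUM_MAX" ]; then
        cur=$RULENUM_START                  # outside the configured range
    fi
    if [ "$cur" -eq "$RULENUM_MAX" ]; then
        next=$RULENUM_START
    else
        next=$((cur + 1))
    fi
    printf '%s\n' "$next" > "$RULENUM_FILE"
    printf '%s\n' "$cur"
}

# Fill the bfd.conf templates: "attacker" and "rulenum" are the placeholders.
block_cmd() {      # usage: block_cmd <attacker-ip> <rulenum>
    is_ipv4 "$1" || return 1
    printf '/sbin/ipfw add %s deny tcp from %s to any\n' "$2" "$1"
}
unblock_cmd() {    # usage: unblock_cmd <rulenum>
    printf '/sbin/ipfw delete %s\n' "$1"
}
```

Because "ipfw delete N" removes every rule carrying number N, the range must be wider than the number of attackers you expect to block within $timelimit, otherwise a wrapped counter will unblock an earlier attacker together with a later one.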

----------------------------------------------------------------------

Message: 1
Date: Mon, 19 Dec 2005 15:21:56 -0500
From: "Hadi Maleki" <freebsdlist at nimahost.net>
Subject: Brute Force Detection + Advanced Firewall Policy
To: freebsd-security at freebsd.org
Message-ID: <E1EoRW8-000AqM-82 at host84.nimahost.net>
Content-Type: text/plain; charset=iso-8859-1

Any BFD/AFP softwares available for FreeBSD 4.10?

I'm getting flooded with ssh and ftp attempts.



------------------------------

Message: 4
Date: Mon, 19 Dec 2005 13:03:29 -0800 (PST)
From: Arne Woerner <arne_woerner at yahoo.com>
Subject: Re: Brute Force Detection + Advanced Firewall Policy
To: freebsd-security at freebsd.org
Message-ID: <20051219210329.90107.qmail at web30311.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

--- Hadi Maleki <freebsdlist at nimahost.net> wrote:
> Any BFD/AFP softwares available for FreeBSD 4.10?
>
> I'm getting flooded with ssh and ftp attempts.
>
What about a "white list"? I mean, three rules that block all incoming
traffic to those ports (21, 22, the others), and then a rule for each "good
IP" that allows the connection...

Some time ago I read in this list something about attempts to guess an
SSH username and password... Maybe you can find that thread in the archive via
the Websearch interface?

Maybe it helps to disallow password authentication, because DSA public key
authentication is much more fun for users and admins...
:-))

-Arne


------------------------------

Message: 5
Date: Mon, 19 Dec 2005 22:28:13 +0100
From: Marian Hettwer <MH at kernel32.de>
Subject: Re: Brute Force Detection + Advanced Firewall Policy
To: Hadi Maleki <freebsdlist at nimahost.net>
Cc: freebsd-security at freebsd.org
Message-ID: <43A725ED.5090502 at kernel32.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hi there,

Hadi Maleki wrote:
> Any BFD/AFP softwares available for FreeBSD 4.10?
>
If you would update to a recent FreeBSD release, you could probably use
some nice pf(4) things...

> I'm getting flooded with ssh and ftp attempts.
>
I recently stumbled over quite a nice pf.conf (see man pfctl for
details), which blacklists for instance ssh connections if they occur too
often in a certain amount of time.
For example:
# sshspammer table
table <sshspammer> persist
block log quick from <sshspammer>

# sshspammer
# more than 6 ssh attempts in 15 seconds will be blocked ;)
pass in quick on $ext_if proto tcp to ($ext_if) port ssh $tcp_flags (max-src-conn 10, max-src-conn-rate 6/15, overload <sshspammer> flush global)

HTH,
Marian


------------------------------

Message: 6
Date: Mon, 19 Dec 2005 13:28:58 -0800
From: Julian Elischer <julian at elischer.org>
Subject: Re: Brute Force Detection + Advanced Firewall Policy
To: Arne Woerner <arne_woerner at yahoo.com>
Cc: freebsd-security at freebsd.org
Message-ID: <43A7261A.3090401 at elischer.org>
Content-Type: text/plain; charset=us-ascii; format=flowed

Arne Woerner wrote:

>--- Hadi Maleki <freebsdlist at nimahost.net> wrote:
> 
>
>>Any BFD/AFP softwares available for FreeBSD 4.10?
>>
>>Im getting flooded with ssh and ftp attempts.
>>
>>   
>>
>What about a "white list"? I mean, three rules that blocks all
>incoming traffic to those ports (21, 22, the others), and then a
>rule for each "good IP" that allows the connection...
>
>Some time ago I have read in this list something about attempts to
>guess a SSH username and password... Maybe u can find that thread
>in the archive via the Websearch interface?
>
>Maybe it helps to disallow password athentication, because DSA
>public key authentication is much more fun for users and admins...
> 
>

possibly look into port-knocking..

>:-))
>
>-Arne
>


------------------------------

_______________________________________________
freebsd-security at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

End of freebsd-security Digest, Vol 141, Issue 1
************************************************ 