autoblocking many ssh failed logins from the same IP....

fbsd_user fbsd_user at a1poweruser.com
Fri Jul 1 14:42:37 GMT 2005


Defending Against Attacks

A firewall is your first line of defense, but if you allow public
access to port 22 (SSH, secure shell), 23 (Telnet), or 21 (FTP), these
ports can be bombarded with login attempts using common ID/PW
combinations probing for access. In the case of port 80 (web server),
it can be bombarded with access requests designed to consume server
resources, resulting in a denial of service to legitimate user
requests. To the firewall these all look like legitimate packets.


Know Who Your Attacker is

Almost 98 percent of the attackers are script kiddies. Their
attacks are almost totally based on indiscriminately rolling through
a range of sequential IP addresses. (i.e., they never use DNS to look up
your domain name.) You were found by plain bad luck. They run
scripts that only address the known ports listened on by those
services. You use this knowledge to defend against this type of
attack.

The simplest defense is to change the port numbers these services
use. /etc/services is where the SSH, Telnet, and FTP port numbers
are defined and where you would change them. For the Apache web
server you specify the access port number in the httpd.conf definitions.
Remote clients who want to access your public services on the
alternate port number will have to enter the alternate port number
as part of the login command.

After setting up alternate port numbers you can have your firewall
log all access to ports 21, 22, 23, or 80 and report the abuse to the
ISP owner of the sending IP address using the FreeBSD port ppars-1.0.

Or, if you don't want to use the automated abuse reporting system, you
can take the sending IP address from your firewall log, do a manual
whois command to find the ISP owner of the offending IP address
along with the ISP's abuse reporting email address, and send your own
email to them about their client sending you attack packets.


Stopping Login Attacks

Whether you use the customary port numbers or alternate port numbers for SSH,
FTP, or Telnet, all failed logins are logged to the /var/log/auth.log
file. In most cases the sending IP address is the real IP address of
the attacker. In the long term the solution is to do a whois on the
attacker's IP address and report him to the ISP who owns the IP
address.

In the short term, to stop a login attack in progress, many people
will add a "deny this IP address" rule to their firewall rule set
file. Yes, this will stop the attack immediately, but when a firewall
keeps all these special "deny this IP address" rules the firewall
becomes very hard to maintain as that list of denied IP address
rules grows longer. A far better solution is to separate the denied
IP address list from the firewall rule set. This can be done using
the "routed blackhole" command.

Example:
To Add use      route add -host attacker_ip 127.0.0.1 -blackhole
To Delete use   route delete -host attacker_ip 127.0.0.1 -blackhole
To List use     netstat -nr | grep 127

This is executed in the IP stack and is faster than in the firewall
when you have over 20 of those special "deny this IP address" rules
in the firewall. The "attacker_ip" is found in the log records in
the /var/log/auth.log file.

You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP addresses that have attacked you in the past
and save it to /usr/local/etc/rc.d/ so it will be run at boot time.

The same process used by the abuse reporting system to process the
/var/log/security log file can be modified by you to automate the
processing of the /var/log/auth.log file to create the route
blackhole commands on the fly while the attack is occurring.


Stopping Web Server attacks

Web server attacks are denial of service (DoS) attacks. There is no
trigger that will notify you when this occurs. Most likely your
first warning that something is wrong is when people start asking you why
your web server is down. When you have reason to suspect your web
server is under attack you can check the /var/log/httpd-access.log file.
This log file gets a log record for every file accessed by your web
server. Part of the log record is the requesting IP address or its
DNS name. When you see a lot of log records (in the hundreds) from
the same IP address, that is your attacker. In almost all cases the
requesting IP address is spoofed. Spoofed means the IP address is a
real public internet routable IP address belonging to a legitimate
user who, unknown to him, the attacker has used to hide his real
identity.

As with login attacks, you can add a special "deny this IP address"
rule to your firewall rule set file or use the "routed blackhole"
command.

The same process used by the abuse reporting system to process the
/var/log/security log file can be modified by you to automate the
processing of the /var/log/httpd-access.log file to create the route
blackhole commands on the fly while the attack is occurring.
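An added example, not from the thread and not fbsd_user's code: a small POSIX sh script that does what the "automate the processing" paragraphs above describe for /var/log/auth.log. It counts sshd "Failed password" lines per source address and prints the "route add -host ... 127.0.0.1 -blackhole" command from the example above for any address over a threshold, as a dry run unless APPLY=1 is set. The function names, the threshold, the APPLY switch and the sample log lines (documentation-range addresses) are my assumptions; only the auth.log path and the route command come from the post.

```shell
#!/bin/sh
# Added example (not part of the thread): turn sshd "Failed password" lines in
# /var/log/auth.log into "route ... -blackhole" commands for repeat offenders.
# Default is a dry run that only prints the commands; APPLY=1 executes them.

# Constructed sample log lines (documentation-range addresses, not real attackers).
SAMPLE_LOG='Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 192.0.2.10 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 192.0.2.10 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 192.0.2.10 port 52297 ssh2
Jun 30 10:40:02 phantom sshd[70601]: Failed password for admin from 198.51.100.7 port 40122 ssh2
Jun 30 10:41:11 phantom sshd[70610]: Accepted publickey for jc from 203.0.113.5 port 50000 ssh2
Jun 30 10:42:50 phantom sshd[70622]: Failed password for root from 192.0.2.10 port 52999 ssh2'

# Read log text on stdin; print "count ip" for every address with at least
# $1 failed password attempts (default 5). Successful logins are ignored.
failed_login_counts() {
    threshold=${1:-5}
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port [0-9]*.*/\1/p' \
        | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Emit one route(8) blackhole command per offending address (stdin = log text).
blackhole_commands() {
    failed_login_counts "$1" | awk '{ print "route add -host " $2 " 127.0.0.1 -blackhole" }'
}

# Process a log file: show the commands, or run them when APPLY=1 (needs root).
process_log() {
    logfile=$1
    threshold=${2:-5}
    blackhole_commands "$threshold" < "$logfile" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd                       # adds the host route in the IP stack
        else
            echo "would run: $cmd"     # dry run: preview only
        fi
    done
}

# Stand-alone demo against the constructed sample: only 192.0.2.10 exceeds 3.
printf '%s\n' "$SAMPLE_LOG" | blackhole_commands 3
```

Run it as `process_log /var/log/auth.log 10` to preview and `APPLY=1 process_log /var/log/auth.log 10` as root to add the routes. Routes added this way do not survive a reboot, so the dry-run output is also what you would append to the boot-time route_blackholed_ip.sh script mentioned earlier.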


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of John
Cholewa
Sent: Friday, July 01, 2005 9:43 AM
To: freebsd-questions at freebsd.org
Subject: autoblocking many ssh failed logins from the same IP....


Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from
212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from
212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from
212.88.182.121 port 52297 ssh2

I get the above a lot in my logs (except more of it).  Each day, a
couple hundred failed attempts to log in from one or sometimes two
IP addresses shows up.  I don't have anything like ipf running, and
since this machine is about fifteen hundred miles away from me, I
don't want to experiment with software firewalling right now.

That known, is there any way to tell sshd (or some more powerful
daemon) to stop accepting login attempts from a given IP if it tries
and fails to log in too many times in a limited duration (like in
the same minute)?

I suppose, now that I'm thinking about it, that it'd be best to
actually just read the man pages and figure out how to get sshd to
ignore any attempt to attach from ports other than 22.  I mean, why
are other machines trying to ssh in at ports over fifty thousand
anyway?

--
  -JC
  http://www.livejournal.com/users/jcholewa/

PS:  Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT
2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1


