auth.log & intruder prevention

fbsd_user fbsd_user at a1poweruser.com
Thu Jan 26 06:59:40 PST 2006


What is happening to you is not unique.
There are 4 common solutions to this problem.

1. The simplest is to add a deny rule to your firewall for the
offending IP address.
2. Use the route -blackhole command.

Example:

To Add use      route add -host attacker_ip 127.0.0.1 -blackhole

To Delete use   route delete -host attacker_ip 127.0.0.1 -blackhole

To List use     netstat -nr|grep 127

This is executed in the IP stack and is faster than in the firewall
when you have over 20 of those special "deny this IP address" rules
in the firewall. The "attacker_ip" is found in the log records in the
/var/log/auth.log file.

You can create a script (route_blackholed_ip.sh) containing route
commands for all the IP addresses that have attacked you in the past
and save it to /usr/local/etc/rc.d/ so it will be run at boot time.

*********** note **************

The problem using either of the above methods is the attacker may
just use a different IP address in the same range. Depending on
where your authorized traffic is coming from you can deny or
blackhole the complete subnet, even the whole xxx.0.0.0, by coding
the IP address with /xx after it.

*********** note end **************

3. If you know the IP addresses of your authorized ssh users then add
rules to your firewall to pass just those authorized IP addresses to
port 22 and deny all else.

4. All of the above solutions will not stop the flow of traffic to
port 22 driving up your bandwidth usage, just stop it from getting
to ssh, which is already doing a fine job of stopping it now. The
only way to reduce the unauthorized traffic to your port 22 is not
to have port 22 open. In the ssh logon command you can enter the
port number you have ssh using. So change the port ssh uses and the
script kiddies will not be able to find your ssh access port. You can
change the port ssh is listening on by editing the ssh entry in
/etc/services to some high number port of your choosing and then
have all your ssh users include that port number in their remote
login command. Allow that port number to pass in your firewall and
deny port 22. This way the attackers will not see the ssh port open and
not waste time on you any longer.

********** to get revenge on your attackers **********

Attackers who beat on ssh/telnet/ftp are looking to break into your
box so they have to be using their real IP address to receive the
response when they succeed (i.e. not using a spoofed IP address). If
you use the ipfilter firewall you can use the FreeBSD port ppars-1.0
to read the log file and auto generate an email to the ISP owner of
the IP address range the attacker is using. Most ISPs around the
world have usage agreements that this attacking behavior is not
allowed. In most cases the ISP will terminate the attacker's account.
In time your IP address will become known as a place not to probe and
your bandwidth usage will decline.

The install guide at www.a1poweruser.com (section 6.13 Defending
Against Attacks) has a more detailed explanation.





-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Paul Hamilton
Sent: Wednesday, January 25, 2006 10:05 PM
To: 'Daniel Gerzo'; Ilias.Sachpazidis at igd.fraunhofer.de
Cc: questions at freebsd.org
Subject: RE: auth.log & intruder prevention


Hi Daniel,

On your web site, you show how easy it is to convert to IPTABLES. I
presume then it would be quite easy to reconfigure to use IPFW as well?

Cheers,

Paul

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Daniel Gerzo
> Sent: Wednesday, 25 January 2006 7:58 AM
> To: Ilias.Sachpazidis at igd.fraunhofer.de
> Cc: questions at freebsd.org
> Subject: Re: auth.log & intruder prevention
>
>
> On Tue, Jan 24, 2006 at 10:02:26PM +0100, Ilias Sachpazidis wrote:
> > Hi Everyone,
>
> hello,
>
> >
> > In auth.log of my FreeBSD boxes I got many requests to port 22, as you
> > can see below.
> > ----begin of snippet
> > Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
> > Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
> > ----end of snippet
> >
> > I am wondering if any script is available to prevent hundreds of
> > attempts on port 22 from external IPs that constantly check user &
> > passwords on my FreeBSD PCs.
> >
> > What I am looking for is a daemon application/script that receives the
> > recorded data from auth.log and detects if any remote client (IP
> > address) is checking user and passwords (Detection pattern:
> > 5 missing attempts in 1 min). On a successful detection, the script
> > should add an ipfw rule rejecting further IP packets from the specific
> > remote address.
> >
> > Is any script or something similar available so far?
>
> I've written a BruteForceBlocker, you can install it from
> ports as well, check security/bruteforceblocker.
>
> Hope you will like it.
>
> --
> Sincerely,
>    Daniel Gerzo
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>

_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
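The detection pattern Ilias asks for in the quoted question (five failed attempts from one address within one minute) combined with the two responses fbsd_user lists first (a firewall deny rule and a -blackhole route), as an added example that is not part of any message in this thread and is not the code of bruteforceblocker or ppars. The function names offenders and block_cmds, the ipfw rule number 100, the assumption that the log lines are from a single day and in log order, and the sample log are all constructed for this example; only the two log lines quoted by Ilias and the address 65.208.188.105 come from the thread, and 192.0.2.44 and 198.51.100.7 are documentation-range addresses standing in for other hosts.

```shell
#!/bin/sh
# Added example (not from the thread): find password-guessing hosts in
# sshd auth.log lines and emit the two blocking commands the thread
# discusses (an ipfw deny rule and a -blackhole route). The commands are
# only printed so an administrator can review them before running them.

WINDOW_SECS=60   # detection window from the original question
THRESHOLD=5      # failed attempts within the window

# offenders: read auth.log lines on stdin, print each source address the
# first time it reaches THRESHOLD "Failed password" lines inside any
# trailing WINDOW_SECS span. Assumption: lines are in log order and from
# the same day (only the HH:MM:SS field is used).
offenders() {
  awk -v win="$WINDOW_SECS" -v thr="$THRESHOLD" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
      # $3 is HH:MM:SS; awk collapses the double space in "Jan  2".
      split($3, h, ":")
      t = h[1] * 3600 + h[2] * 60 + h[3]
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      n[ip]++
      ts[ip, n[ip]] = t
      if (ip in flagged) next
      # count this address'"'"'s attempts that fall inside the window
      c = 0
      for (i = n[ip]; i >= 1 && t - ts[ip, i] <= win; i--) c++
      if (c >= thr) { flagged[ip] = 1; print ip }
    }'
}

# block_cmds: for each address, print the firewall deny rule (item 1 in
# fbsd_user's list; rule number 100 is an arbitrary choice) and the
# blackhole route (item 2). The route lines can be collected into the
# rc.d script the thread suggests so they are re-applied at boot.
block_cmds() {
  for ip in "$@"; do
    printf 'ipfw add 100 deny ip from %s to any\n' "$ip"
    printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
  done
}

# Constructed sample log: the two lines quoted in the thread plus made-up
# lines. 192.0.2.44 (two failures, one success) must not be flagged.
# 198.51.100.7 shows why a sliding window matters: four quick failures,
# a pause, then a sustained rate that finally crosses the threshold.
SAMPLE_LOG='Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:57 zeus sshd[92904]: Failed password for illegal user admin from 65.208.188.105 port 58501 ssh2
Jan 22 11:22:10 zeus sshd[92906]: Failed password for root from 65.208.188.105 port 58577 ssh2
Jan 22 11:22:31 zeus sshd[92908]: Failed password for illegal user test from 65.208.188.105 port 58640 ssh2
Jan 22 11:25:00 zeus sshd[92910]: Failed password for ilias from 192.0.2.44 port 40122 ssh2
Jan 22 11:25:07 zeus sshd[92910]: Accepted password for ilias from 192.0.2.44 port 40122 ssh2
Jan 22 11:30:01 zeus sshd[92912]: Failed password for illegal user oracle from 198.51.100.7 port 33001 ssh2
Jan 22 11:30:02 zeus sshd[92913]: Failed password for illegal user oracle from 198.51.100.7 port 33002 ssh2
Jan 22 11:30:03 zeus sshd[92914]: Failed password for illegal user oracle from 198.51.100.7 port 33003 ssh2
Jan 22 11:30:04 zeus sshd[92915]: Failed password for illegal user oracle from 198.51.100.7 port 33004 ssh2
Jan 22 11:31:30 zeus sshd[92916]: Failed password for root from 198.51.100.7 port 33005 ssh2
Jan 22 11:31:40 zeus sshd[92917]: Failed password for root from 198.51.100.7 port 33006 ssh2
Jan 22 11:31:50 zeus sshd[92918]: Failed password for root from 198.51.100.7 port 33007 ssh2
Jan 22 11:31:55 zeus sshd[92919]: Failed password for root from 198.51.100.7 port 33008 ssh2
Jan 22 11:32:05 zeus sshd[92920]: Failed password for root from 198.51.100.7 port 33009 ssh2
Jan 22 11:40:00 zeus sshd[92922]: Failed password for ilias from 192.0.2.44 port 40200 ssh2'

# Demo run on the constructed sample. On a real box the equivalent is:
#   block_cmds $(offenders < /var/log/auth.log)
found=$(printf '%s\n' "$SAMPLE_LOG" | offenders)
block_cmds $found   # unquoted on purpose: one address per word
```

Running it prints the deny rule and the blackhole route for 65.208.188.105 and 198.51.100.7 and nothing for 192.0.2.44. The window check is a true sliding window over the address's own timestamps rather than a per-minute bucket, so the burst of four failures followed by a pause from 198.51.100.7 is not flagged until the later sustained rate puts five attempts inside one 60-second span. The addresses are printed once each, so the output can be appended to the rc.d script fbsd_user describes without producing duplicate route commands.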
