Hacked - FreeBSD 7.1-Release
Ian Smith
smithi at nimnet.asn.au
Wed Dec 30 17:16:37 UTC 2009
On Tue, 29 Dec 2009, David Wolfskill wrote:
> On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> > ...
> > I've written my own script to do all of this. It parses periodic
> > security mails (on a daily basis), and does WHOIS lookups + parses the
> > results to tell me what netblocks/CIDRs I should consider blocking. For
> > example, for a security mail that contains this:
> >
> > horus.sc1.parodius.com login failures:
> > Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
> > Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
> > Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
> > Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
> > Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
> > Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
> > Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2
> >
> > The script would output the following:
> >
> > 199.71.214.240
> > 199.71.212.0/22 Psychz Networks, Walnut, CA, US
> > 208.94.235.248
> > 208.94.232.0/22 WZ Communications Inc., Madison, WI, US
> > 208.94.235.0/24 Soft-Com.biz, Inc., Panama, NA, PA
Jeremy, care to share your whois lookup / parsing script for this?
> > Then manually (this is intentional) I go and add the entries I feel
> > are relevant to a file called pf.conf.ssh-deny which our systems use to
> > block SSH access.
> > ...
>
> I do something somewhat similar, though the implementation is rather
> different. Like Jeremy, I choose to make the actual actions intentionally
> manual.
Me too, apart from one script that tails named.run looking for victims
of DNS attacks using our system as a reflector (common here last Jan-Feb
for a while) that popped IPs straight into a block table within minutes.
> Among salient points:
>
> * Because I'm fairly familiar with it, I (still) use IPFW.
No need to apologise, Luigi's beavering away on it again as we speak,
and I'm hoping to try out ipfw+dummynet on Debian fairly soon.
> * I received a bit of a "prod" (thanks, Julian!) to use IPFW tables;
> that's been quite helpful.
>
> * I use a moderately quaint (and probably embarrassing) mixture of Perl
> & Bourne shell scripts, as well as make, to extract the netblock
> information from WHOIS, and to construct a persistent store that's
> referenced at boot time.
Again, I'm interested in how to query and parse whois info; I've been
mostly using iptools.com and such for manual netblock lookups so far.
> * As a general rule, I try to report activity such as the above (to the
> listed contact(s) from WHOIS). (When I do, I Bcc: myself and keep a
> copy of all salient correspondence. Or bounce-o-grams.)
Apart from stuff originating in .au I've about given up on doing that.
> * For SSH (in particular), I do not rely only on the /var/log/security
> entries created by sshd. Rather, I also configure IPFW to log all SSH
> session-establishment requests. If I report the unwanted activity, I
> provide both sets of log excerpts. (I often find probes logged by
> IPFW that sshd does not log. And yes, I check the "block" list before
> IPFW logs a "successful" SSH session-establishment request packet.)
I'm fortunate to be able to only allow SSH access to known hosts; users
on dynamic IPs have to successfully POP their mailbox first which a cron
script notices, adding their current IP to the SSH allow table.
> * I use one table to block access to SSH. I have another for extreme
> cases of abuse, where I block all traffic in either direction, and a
> third for access to my Web server. I suppose I could also do something
> similar for SMTP....
Here table 1 blocks all IP access (repetitive portscanners and such),
table 25 drops heavier mailserver abusers (apart from those denied by
/etc/mail/access), table 53 for DNS abuse, table 80 for port 80,443
abuse (apart from hosts/browsers/referers declined apache access), and
table 22 for those allowed SSH access, saving much spurious logging.
> * I use this for machines that (may) connect directly to the Internet;
> thus, my "firewall" machine certainly qualifies -- but so does my laptop.
> * I have no mechanism in place to identify, let alone prune, stale
> entries.
Maybe this can help, thanks to clues Michael Butler posted last year.
#!/bin/sh
# addr_to_table 24/11/8 smithi + 31/12/9 CIDR matching for updates
# add ipaddr[/masklen|32] and date (seconds from epoch) to table N
usage() {
    [ "$1" ] && echo "$1"
    echo "usage: `basename $0` table address [masklen]"
    exit 1
}
[ "$2" ] || usage
table=$1
[ "$table" -ge 1 -a "$table" -le 127 ] || usage "table '$table' not 1..127"
mlen=32; [ "$3" ] && mlen=$3
[ "$mlen" -ge 8 -a "$mlen" -le 32 ] || usage "masklen '$mlen' not 8..32"
address=$2/$mlen
if [ "$mlen" -lt 32 ]; then   # calc CIDR netblock using table 0
    # ipfw masks off the host bits when it stores an entry, so a scratch
    # table gives back the canonical network/masklen to match on below
    ipfw -q table 0 flush; ipfw -q table 0 add "$address"
    address=`ipfw table 0 list | awk '{print $1}'`
fi
# an existing entry for the same netblock is deleted first, so re-adding
# it refreshes the timestamp instead of failing as a duplicate
for i in `ipfw table $table list | awk '{print $1}'`; do
    if [ "$i" = "$address" ]; then
        # echo "found existing $address - updating timestamp"
        ipfw -q table $table delete "$address"
        break
    fi
done
ipfw -q table $table add "$address" `date "+%s"`
exit 0
Which is used manually or scripted to add IPs or netblocks to tables.
Then to list tables with their timestamps and local date/time:
#!/bin/sh
# tabledates 7/12/9 smithi upd 31/12/9
usage() {
    echo "usage: `basename $0` tablenumber (0-127)"
    exit 1
}
[ "$1" ] || usage; [ "$1" -ge 0 -a "$1" -le 127 ] || usage
tab=`printf '\t'`   # a literal tab between the columns
# each line is "addr/masklen value"; addr_to_table stores the epoch time
# as the value, so anything below 65536 is not treated as a timestamp
ipfw table $1 list | while read addr stamp; do
    [ "${stamp:-0}" -ge 65536 ] && date=`date -r $stamp` || date=''
    echo "$addr $tab $stamp $tab $date"
done
exit 0
eg:
sola# tabledates 80 | sort -nk2 | tail
82.213.28.0/24 1258876629 Sun Nov 22 18:57:09 EST 2009
193.238.231.0/24 1259076672 Wed Nov 25 02:31:12 EST 2009
95.24.0.0/13 1259632087 Tue Dec 1 12:48:07 EST 2009
82.111.231.0/26 1259850310 Fri Dec 4 01:25:10 EST 2009
203.198.128.0/24 1261153705 Sat Dec 19 03:28:25 EST 2009
203.12.2.160/32 1261301176 Sun Dec 20 20:26:16 EST 2009
8.21.4.254/32 1261301189 Sun Dec 20 20:26:29 EST 2009
61.130.246.0/23 1261302926 Sun Dec 20 20:55:26 EST 2009
74.222.2.0/23 1261811025 Sat Dec 26 18:03:45 EST 2009
212.108.5.60/32 1262107458 Wed Dec 30 04:24:18 EST 2009
Removing entries greater than n seconds old? You can do the maths ..
cheers, Ian
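As an added example (not Jeremy's script, which he did not post, and not Ian's), here is the parsing step Jeremy describes: summarising the sshd lines of a periodic security mail by source address so that only repeat offenders go on to a WHOIS lookup and manual review. The sample mail is constructed from the lines quoted above; the function names and the failure threshold are assumptions.

```shell
#!/bin/sh
# Added example: summarise sshd login failures from a periodic security
# mail by source IP.  Not from the thread's own scripts.
# Input format assumed: the "login failures" lines as quoted above.

# Constructed sample, copied in shape from the security mail in the thread.
SAMPLE_MAIL='horus.sc1.parodius.com login failures:
Dec 28 15:54:49 horus sshd[74684]: Failed password for root from 199.71.214.240 port 51197 ssh2
Dec 28 15:54:49 horus sshd[74686]: Invalid user test from 199.71.214.240
Dec 28 18:39:24 horus sshd[84742]: Failed password for root from 208.94.235.248 port 42979 ssh2
Dec 28 18:39:25 horus sshd[84744]: Failed password for root from 208.94.235.248 port 43056 ssh2
Dec 28 18:39:25 horus sshd[84746]: Failed password for root from 208.94.235.248 port 43156 ssh2
Dec 28 18:39:26 horus sshd[84749]: Failed password for root from 208.94.235.248 port 43265 ssh2
Dec 28 18:39:27 horus sshd[84751]: Failed password for root from 208.94.235.248 port 43356 ssh2'

# ssh_failures_by_ip: read sshd lines on stdin, print "count ip" per
# source, most frequent first.  Only "Failed password ... from IP" and
# "Invalid user ... from IP" lines count; the "Invalid user" form has no
# port field, so the address is found by walking to the word after "from".
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[$(i+1)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# ssh_failure_candidates [THRESHOLD]: print only the IPs with at least
# THRESHOLD failures (default 3); these are the ones worth a WHOIS lookup.
ssh_failure_candidates() {
    threshold=${1:-3}
    ssh_failures_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

if [ "${1:-}" = "demo" ]; then   # e.g.: sh ssh_failures.sh demo
    printf '%s\n' "$SAMPLE_MAIL" | ssh_failures_by_ip
    printf '%s\n' "$SAMPLE_MAIL" | ssh_failure_candidates 3
fi
```

The output is a review list, not a block list: the WHOIS step and the decision of what to put in a table stay manual, as both Jeremy and David say they prefer.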
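An added example, not part of Ian's post, for the pruning question at the end: given `ipfw table N list` output in the `addr stamp` form that addr_to_table writes, list the entries older than a given age and print (rather than run) the matching delete commands. The sample listing is constructed in the shape of the tabledates output above; the function names, the 30-day cutoff and the fixed "now" value are assumptions.

```shell
#!/bin/sh
# Added example: find table entries older than MAXAGE seconds from an
# "ipfw table <n> list" listing whose values are epoch timestamps, as
# addr_to_table stores them.  Works on a copy of the listing, so it can
# be checked offline; the ipfw delete commands are only printed.

# Constructed sample in the same shape as "ipfw table 80 list".
# The value 0 stands for an entry added without a timestamp.
SAMPLE_TABLE='82.213.28.0/24 1258876629
95.24.0.0/13 1259632087
203.12.2.160/32 1261301176
212.108.5.60/32 1262107458
10.0.0.0/8 0'

# stale_entries MAXAGE NOW: print "addr stamp age" for every entry whose
# timestamp is more than MAXAGE seconds before NOW.  Values below 65536
# (the same cut-off tabledates uses) are not timestamps and are skipped,
# so untimestamped entries are never aged out by accident.
stale_entries() {
    awk -v maxage="$1" -v now="$2" '
        NF >= 2 && $2 >= 65536 && now - $2 > maxage {
            print $1, $2, now - $2
        }'
}

# prune_commands TABLE MAXAGE [NOW]: emit the ipfw commands that would
# remove the stale entries; review them, then pipe to sh to apply.
prune_commands() {
    table=$1; maxage=$2; now=${3:-`date +%s`}
    stale_entries "$maxage" "$now" |
        awk -v t="$table" '{ print "ipfw -q table " t " delete " $1 }'
}

if [ "${1:-}" = "demo" ]; then   # e.g.: sh prune_stale.sh demo
    # 30 days = 2592000 s; NOW pinned to the last sample entry's timestamp
    printf '%s\n' "$SAMPLE_TABLE" | prune_commands 80 2592000 1262107458
fi
```

On a live system the listing would come from `ipfw table 80 list` instead of the sample, and NOW would be left to default to `date +%s`; keeping the delete as a printed command keeps the action manual, in the spirit of the thread.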