List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: David vasil <vasil@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Mon, 03 Oct 2005 09:01:03 -0400
MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
> 
>>Hey all,
>>
>>I'm looking for an app/script which can monitor for failed ssh logins, 
>>and block using IPTables for $time after $number of failed logins (an 
>>exclusion list would be handy as well) so that I can put a quick stop to 
>>these niggly brute-force ssh "attacks" I seem to be getting more and 
>>more often.
> 
> http://kodu.neti.ee/~risto/sec/

Jeremy,
   I agree with MaxieZ, a combination of SEC and iptables works nicely in 
this situation and could be extended to other services like FTP, IMAP, 
Web authentication, etc.  I personally do not feel that security through 
obscurity by changing the port numbers is a viable solution.  Here is 
what I do:

First, I have SEC scanning my logs using the two rules from the attached 
sec.rules file.  The first rule looks for connections to the sshd port 
that do not send an identification string.  If it sees this message in 
syslog, it then uses iptables to insert a rule to drop all packets from 
the source address.  The second rule looks for attempted logins using an 
invalid user id.  It then creates an iptables rule like the first one. 
I added in a commented out action line for both of those rules which 
creates a 24 hour context, which after 24 hours will delete the iptables 
rule it created for that IP address.

Second, I have three normal iptables rules which rate limit the number 
of connections to port 22.  This is to defend against brute force 
attacks on a valid account.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

(Each -I inserts at the head of the chain, so issued in this order the chain reads --set, LOG, DROP and a dropped connection is logged first. Issuing the LOG rule before the DROP rule leaves it behind the DROP rule, where it is never reached.)

I highly recommend SEC for this type of log monitoring.

-dave
# Character classes are spelled out as [A-Za-z0-9._-]: the range [A-z] also
# matches the ASCII characters between 'Z' and 'a' ([ \ ] ^ _ `).

# block an address that connects to sshd without sending an identification string
# Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
type= single
continue= dontcont
ptype= regexp
pattern= sshd\[[0-9]+\]: Did not receive identification string from ([A-Za-z0-9._-]+)
desc= ssh_no_ident_$1
action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"
# Use this action instead if you would like the iptables rule to be removed automatically when the context expires after 24 hours
#action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"; create ssh_no_ident_$1 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $1 -j DROP

# kill IP address trying to log in with invalid account
# Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
type= single
continue= dontcont
ptype= regexp
pattern= sshd\[[0-9]+\]: Invalid user ([A-Za-z0-9._-]+) from ([A-Za-z0-9._-]+)
desc= ssh_invalid_user_$1_$2
action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"
# Use this action instead if you would like the iptables rule to be removed automatically when the context expires after 24 hours
#action= shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"; create ssh_invalid_user_$1_$2 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $2 -j DROP
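The log-driven blocking and the rate limiting described in Dave's message, as an added example in Python that is not part of the original post, of SEC, or of iptables. It applies the two sec.rules patterns to constructed syslog lines, keeps the 24 hour expiry and adds the exclusion list the original question asked for, and also models the three "-m recent" rules so the effect of "--seconds 600 --hitcount 2" can be seen offline. It collects the iptables commands it would run instead of executing them; the class and function names, the fake clock, and the sample log lines (documentation-range addresses) are all assumptions of this example.

```python
import re
from collections import defaultdict

# The two patterns from the posted sec.rules, with the character class written
# as [A-Za-z0-9._-] ([A-z] would also match the characters between 'Z' and 'a').
NO_IDENT = re.compile(
    r"sshd\[[0-9]+\]: Did not receive identification string from ([A-Za-z0-9._-]+)")
INVALID_USER = re.compile(
    r"sshd\[[0-9]+\]: Invalid user ([A-Za-z0-9._-]+) from ([A-Za-z0-9._-]+)")

BAN_SECONDS = 86400  # the 24 hour lifetime of the commented-out SEC context


class SshBlocker:
    """Log-driven blocker (example code): one DROP rule per offending source,
    removed again after ban_seconds. Commands are collected, not executed."""

    def __init__(self, exclude=(), ban_seconds=BAN_SECONDS, iface="eth0"):
        self.exclude = set(exclude)      # addresses that are never blocked
        self.ban_seconds = ban_seconds
        self.iface = iface
        self.banned = {}                 # ip -> unix time the DROP rule is removed
        self.commands = []               # every iptables command "run", in order

    def _ban(self, ip, now):
        if ip in self.exclude:
            return None
        if ip in self.banned:            # rule already present: extend, don't duplicate
            self.banned[ip] = max(self.banned[ip], now + self.ban_seconds)
            return None
        self.banned[ip] = now + self.ban_seconds
        cmd = f"iptables -I INPUT -i {self.iface} -s {ip} -j DROP"
        self.commands.append(cmd)
        return cmd

    def feed(self, line, now):
        """Apply both rules to one syslog line; return the command issued, if any."""
        m = NO_IDENT.search(line)
        if m:
            return self._ban(m.group(1), now)
        m = INVALID_USER.search(line)
        if m:
            return self._ban(m.group(2), now)
        return None

    def expire(self, now):
        """Delete the DROP rules whose lifetime has passed (what SEC's context expiry does)."""
        removed = []
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                cmd = f"iptables -D INPUT -i {self.iface} -s {ip} -j DROP"
                self.commands.append(cmd)
                removed.append(cmd)
        return removed


class RecentLimiter:
    """Model of the three '-m recent' rules: '--set' records every NEW
    connection, then '--update --seconds S --hitcount N' drops it if the
    source has N or more recorded hits (this one included) within S seconds."""

    def __init__(self, seconds=600, hitcount=2):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(list)    # ip -> timestamps of recent NEW connections

    def new_connection(self, ip, now):
        self.hits[ip].append(now)                                    # --set
        window = [t for t in self.hits[ip] if t > now - self.seconds]
        self.hits[ip] = window
        return "DROP" if len(window) >= self.hitcount else "ACCEPT"  # --update


# Constructed sample log (192.0.2.0/24 is a documentation range, not real hosts).
SAMPLE_LOG = [
    "Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 192.0.2.10",
    "Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 192.0.2.20",
    "Sep 19 05:50:24 apathy sshd[13253]: Invalid user admin from 192.0.2.20",
    "Sep 19 05:51:00 apathy sshd[13260]: Invalid user test from 192.0.2.30",
    "Sep 19 05:52:00 apathy sshd[13270]: Accepted publickey for dave from 192.0.2.40 port 4242 ssh2",
]


def run_demo(t0=1_000_000):
    """Feed the sample log with a fake clock; 192.0.2.30 is on the exclusion list."""
    blocker = SshBlocker(exclude={"192.0.2.30"})
    issued = []
    for i, line in enumerate(SAMPLE_LOG):
        cmd = blocker.feed(line, t0 + i)
        if cmd:
            issued.append(cmd)
    after_1h = blocker.expire(t0 + 3600)                 # nothing expires yet
    after_24h = blocker.expire(t0 + BAN_SECONDS + 10)    # both bans have lapsed
    return issued, after_1h, after_24h


def rate_limit_demo():
    """One source opens four NEW connections at t=0, 30, 700 and 720 seconds."""
    lim = RecentLimiter(seconds=600, hitcount=2)
    return [lim.new_connection("192.0.2.50", t) for t in (0, 30, 700, 720)]


if __name__ == "__main__":
    issued, _, removed = run_demo()
    for cmd in issued + removed:
        print(cmd)
    print(rate_limit_demo())
```

Run with python3 to print the commands. Two things the run shows that the rules alone do not: with the post's values the second NEW connection from one source inside ten minutes is dropped, so a legitimate user who reconnects quickly is caught as well (the window and hitcount are constructor parameters for that reason); and because the SEC rules are "type= single" with no guard, a second log line from an already blocked address would insert a duplicate DROP rule, whereas the blocker above extends the existing ban instead.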
Replies:
Re: [OT?] automatically firewalling off IPs
-- rpfc
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake
Re: [OT?] automatically firewalling off IPs
-- MaxieZ
Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.


Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.