List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Brian Micek <bmicek@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Sun, 02 Oct 2005 22:52:57 -0400
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
I don't know how applicable this is to this list, but lots of the SSH hacks on my boxes come from China (cn) and Korea (kr).&nbsp; The bad news is a lot of the ISPs are out of control over there and cannot manage their networks.&nbsp; Attached are scripts I generate every night to block all packets from those countries.&nbsp; Depending on your applications, you might (or not) want to run these.<BR>
<BR>
Brian Micek<BR>
<BR>
On Sun, 2005-10-02 at 17:29 -0500, J Holder wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">MaxieZ said:</FONT>
<FONT COLOR="#000000">&gt; On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:</FONT>
<FONT COLOR="#000000">&gt;&gt; Hey all,</FONT>
<FONT COLOR="#000000">&gt;&gt;</FONT>
<FONT COLOR="#000000">&gt;&gt; I'm looking for an app/script which can monitor for failed ssh logins,</FONT>
<FONT COLOR="#000000">&gt;&gt; and block using IPTables for $time after $number of failed logins (an</FONT>
<FONT COLOR="#000000">&gt;&gt; exclusion list would be handy as well) so that I can put a quick stop to</FONT>
<FONT COLOR="#000000">&gt;&gt; these niggly brute-force ssh &quot;attacks&quot; I seem to be getting more and</FONT>
<FONT COLOR="#000000">&gt;&gt; more often.</FONT>
<FONT COLOR="#000000">&gt;</FONT>
<FONT COLOR="#000000">&gt; <A HREF="http://kodu.neti.ee/~risto/sec/">http://kodu.neti.ee/~risto/sec/</A></FONT>
<FONT COLOR="#000000">&gt;</FONT>
<FONT COLOR="#000000">&gt; or change ports</FONT>

<FONT COLOR="#000000">Changing ports does a wonderful job of cutting down on spurious connects. </FONT>
<FONT COLOR="#000000">Going one tiny step further, I like to know if anyone has ever connected</FONT>
<FONT COLOR="#000000">to my sshd.  So I do the following:</FONT>

<FONT COLOR="#000000">1. Set loglevel for sshd to verbose</FONT>
<FONT COLOR="#000000">2. cron a connect report to run once an hour.  This tells me the IP and</FONT>
<FONT COLOR="#000000">reverse IP address of every host to do a full connect.  AFAIK, a full</FONT>
<FONT COLOR="#000000">connect would be necessary to see the banner and identify the port as</FONT>
<FONT COLOR="#000000">running sshd.</FONT>

<FONT COLOR="#000000">My connect-report script is as follows:</FONT>
<FONT COLOR="#000000">#!/bin/sh</FONT>
<FONT COLOR="#000000">echo &quot;Remote SSH Connection report for $HOSTNAME&quot;</FONT>
<FONT COLOR="#000000">echo &quot;------------------------------------------&quot;</FONT>
<FONT COLOR="#000000">echo</FONT>
<FONT COLOR="#000000"># Pull the source address out of every verbose-loglevel &quot;Connection from&quot; line,</FONT>
<FONT COLOR="#000000"># dedupe, then resolve. The regex is quoted so the shell cannot glob-expand it.</FONT>
<FONT COLOR="#000000">egrep &quot;Connection from&quot; &lt; /var/log/auth.log | egrep -o &quot;[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+&quot; \</FONT>
<FONT COLOR="#000000">  | sort | uniq | /root/bin/phost</FONT>

<FONT COLOR="#000000">The above script relies on phost; a small helper script (because I</FONT>
<FONT COLOR="#000000">couldn't stand to spend more than 5 minutes trying to figure out which IP</FONT>
<FONT COLOR="#000000">lookups would accept input from stdin):</FONT>
<FONT COLOR="#000000">#!/usr/bin/perl</FONT>
<FONT COLOR="#000000">use strict;</FONT>
<FONT COLOR="#000000">use warnings;</FONT>
<FONT COLOR="#000000"># Resolve each address read from stdin with host(1) and print the answer.</FONT>
<FONT COLOR="#000000">while (my $ip = &lt;STDIN&gt;) {</FONT>
<FONT COLOR="#000000">    chomp $ip;                       # strip the newline before handing it to host</FONT>
<FONT COLOR="#000000">    next unless $ip =~ /^[0-9.]+$/;  # only plain IPv4 addresses reach the shell command</FONT>
<FONT COLOR="#000000">    print `host $ip`;</FONT>
<FONT COLOR="#000000">}</FONT>

<FONT COLOR="#000000">I have never seen a connect from an IP I didn't expect, and if I ever do,</FONT>
<FONT COLOR="#000000">I can just move sshd to another port if I am feeling excessively paranoid.</FONT>


</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>
Attachment:
block-cn.sh (application/shellscript)
Attachment:
block-kr.sh (application/shellscript)
Attachment:
undo-block-cn.sh (application/shellscript)
Attachment:
undo-block-kr.sh (application/shellscript)
Attachment:
signature.asc (This is a digitally signed message part)
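The original question asked for a script that counts failed ssh logins per source address and blocks the address with iptables after $number failures inside $time, with an exclusion list. The following is an added example written for this page, not code from anyone in the thread: it parses constructed sshd log lines (the year is assumed, since syslog timestamps omit it), applies a sliding failure window and a CIDR exclusion list, and returns the iptables commands as text for review rather than executing them.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (LogLevel VERBOSE, syslog format); not taken from the thread.
SAMPLE_LOG = """\
Oct  2 22:10:01 gw sshd[1201]: Connection from 203.0.113.5 port 51234
Oct  2 22:10:03 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  2 22:10:05 gw sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  2 22:10:09 gw sshd[1203]: Failed password for root from 203.0.113.5 port 51241 ssh2
Oct  2 22:11:02 gw sshd[1210]: Failed password for jholder from 192.0.2.10 port 40001 ssh2
Oct  2 22:11:04 gw sshd[1210]: Failed password for jholder from 192.0.2.10 port 40001 ssh2
Oct  2 22:11:06 gw sshd[1210]: Failed password for jholder from 192.0.2.10 port 40001 ssh2
Oct  2 23:30:00 gw sshd[1300]: Failed password for root from 198.51.100.7 port 2222 ssh2
Oct  2 23:30:02 gw sshd[1300]: Failed password for root from 198.51.100.7 port 2222 ssh2
Oct  3 01:00:00 gw sshd[1400]: Failed password for root from 198.51.100.7 port 2223 ssh2
"""
# syslog timestamp, host, sshd pid, then the auth failure with its source address
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def parse_failures(text, year=2005):
    """Yield (timestamp, source ip) per failed login; syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def offenders(text, count=3, window=600, exclude=()):
    """IPs with at least `count` failures inside `window` seconds, minus excluded networks."""
    nets = [ipaddress.ip_network(n) for n in exclude]
    stamps = defaultdict(list)
    for ts, ip in parse_failures(text):
        stamps[ip].append(ts)
    hits = set()
    for ip, times in stamps.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # exclusion list: never lock out your own management hosts
        times.sort()
        for i in range(len(times) - count + 1):  # sliding window over sorted failures
            if (times[i + count - 1] - times[i]).total_seconds() <= window:
                hits.add(ip)
                break
    return sorted(hits)

def block_rules(ips, port=22):
    """iptables commands for the offenders, returned as text so they can be reviewed before use."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]
```

In the sample, 198.51.100.7 also fails three times but spread over ninety minutes, so the default ten-minute window does not flag it; a cron job would pair the returned rules with a matching delayed `-D` to expire the block after $time.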
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake
Re: [OT?] automatically firewalling off IPs
-- MaxieZ
Re: [OT?] automatically firewalling off IPs
-- J Holder