| 1 |
Steve пишет: |
| 2 |
> I've recently discovered a curious pattern emerging in my system log |
| 3 |
> with failed login attempts via ssh. |
| 4 |
> |
| 5 |
> Previously, I noticed dictionary attacks launched - which were easy to |
| 6 |
> detect... and I've a process to block the IP address of any host that |
| 7 |
> repeatedly fails to authenticate. |
| 8 |
> |
| 9 |
> What I see now is quite different... I'm seeing a dictionary attack |
| 10 |
> originating from a wide range of IP addresses - testing user-names in |
| 11 |
> sequence... it has been in progress since 22nd November 2008 and has |
| 12 |
> tried 7195 user names in alphabetical order from 521 distinct hosts - |
| 13 |
> with no successive two attempts from the same host. |
| 14 |
> |
| 15 |
> I'm not particularly concerned - since I'm confident that all my users |
| 16 |
> have strong passwords... but it strikes me that this data identifies a |
| 17 |
> bot-net that is clearly malicious attempting to break passwords. |
| 18 |
> |
| 19 |
> Sure, I could use IPtables to block all these bad ports... or... I could |
| 20 |
> disable password authentication entirely... but I keep thinking that |
| 21 |
> there has to be something better I can do... any suggestions? Is there |
| 22 |
> a simple way to integrate a block-list of known-compromised hosts into |
| 23 |
> IPtables - rather like my postfix is configured to drop connections from |
| 24 |
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for |
| 25 |
> example. |
| 26 |
> |
| 27 |
> Break in attempts today (attempted username/IP address): |
| 28 |
> -- |
| 29 |
> |
| 30 |
> |
| 31 |
Hi. |
| 32 |
Best of all you can add iptables rules. It's better then use any script. |
| 33 |
Also take a note that there are no "known-compromised hosts" because ANY |
| 34 |
IP can be forged. |
| 35 |
I've sometimes seen such rules in the internet. These I use in my firewall: |
| 36 |
|
| 37 |
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m |
| 38 |
recent --name sshattack --set |
| 39 |
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m |
| 40 |
recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j LOG -m |
| 41 |
limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH |
| 42 |
REJECT: ' |
| 43 |
iptables -A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -m |
| 44 |
recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j REJECT |
| 45 |
--reject-with tcp-reset |
| 46 |
|
| 47 |
These rules give you possibility to use your ssh service from any IP but |
| 48 |
reject repeated login attempts from malicious users. You can tune |
| 49 |
parameter --hitcount to limit amount of |
| 50 |
sequential login attempts per minute. Also you can look at |
| 51 |
/proc/net/ipt_recent/sshattack for malicious IPs and how often they were |
| 52 |
used. |
| 53 |
|
| 54 |
Best regards, |
| 55 |
Evgeniy B. |
Archives