More SSH 'trolling'
dave
drinker at dsrtech.com
Fri Oct 15 10:24:08 UTC 2004
David,
Sorry depends on what IP your coming from. Some networks are blocked due
to hack attempts.
Below is information located at that URL.
Thanks,
Dave
Blocking repeat SSH attacks with IPTables
The following information will
assist you in configuring your Linux
host to block repeat SSH connections
that are not authorized to access
your host without having to identify
the source IP address.
Requirements:
a) Linux host to be protected with
IPTables installed
b) OpenSSH on the host to be
accessed
c) Swatch "simple watchdog" log
analyzer v3.0.8
(http://swatch.sourceforge.net)
d) The configuration example below
Most Linux flavors provide IPTables
and OpenSSH in the form of a
package. Check with your
distribution and ensure IPTables is
installed before continuing this
tutorial.
How it Works:
The Swatch application follows or
"tails" your message syslog and acts
on information that is defined in
the configuration file below. This
implementation will enter a "drop"
line to your IPTables configuration
when someone attempts to login to
your host with the username "root"
or any username that is not defined
on the host.
An example would be of the recent
SSH scans on the internet utilizing
the usernames "root" and "test".
Below are two examples of what will
be displayed in your message log
that will be acted upon.
linuxhost sshd[19657]: Failed
password for root from 192.168.0.150
port 34753 ssh2
linuxhost sshd[20049]: Failed
password for illegal user test from
192.168.0.151 port 34749 ssh2
In this example the host IP
192.168.0.150 would be blocked as it
attempted to login as the user
"root" and IP 192.168.0.151 would be
blocked as it attempted to login ad
the user "test" which does not exist
on this host.
Preliminary Configuration:
A basic security measure is to not
permit login to any server with the
username "root". After making the
changes below you will not be able
to login to your host with the user
root. Ensure you have a user
configured for remote access which
you can then "su" (superuser) to the
root user.
Modify your /etc/ssh/sshd_config
file to reflect the following.
PermitRootLogin no
Make sure you restart your SSH
server or reboot your host for this
change to take effect.
After downloading Swatch 3.0.8 (the
version that worked correctly for
this implementation) unpack the file
and follow the "INSTALL" directions.
You may have to install four PERL
modules which are identified in the
directions. You can download these
modules from www.cpan.org.
Swatch SSH DROP Configuration:
Replace the "myaddress" field with
the e-mail address you wish to be
alerted on when a match occurs. Also
make sure your ethernet interface is
"eth0" with the command
/sbin/ifconfig. If not change the
eth0 to whatever is defined on your
host. Save the configuration to your
/root/ directory as a file named
sshblock.conf. You will be
referencing this file in your run
command.
#start
watchfor /sshd.*: Failed password for root from/
mail=myaddress,subject=Root_Login_Attempt
exec /sbin/iptables -I INPUT -i eth0 -s $11 -d 0/0 -p tcp --dport 22 -j DROP
watchfor /sshd.*: Illegal user/
mail=myaddress,subject=Illegal_user_attempt
exec /sbin/iptables -I INPUT -i eth0 -s $10 -d 0/0 -p tcp --dport 22 -j DROP
#end
Starting the SSH Block:
As root from the command line of the
server run the following command.
/usr/bin/swatch
--config-file=/root/sshblock.conf
--tail-file=/var/log/messages
--restart-time=01:00am &
This statement will tail the
"/var/log/messages" syslog file
while looking for matches in our
sshblock.conf file. The restart time
is implemented to enable the re-read
of the messages file in the event
the logs roled for archival
purposes.
If you wish this application to run
every time you restart your server
add the above command line to your
/etc/rc.local file without the
trailing "&".
Viewing your IPTables:
After you receive a message in your
mailbox you can confirm your
IPTables block by running the
following command as root.
/sbin/iptables -L
A successfull implementation would
be as indicated below.
[root at linuxhost username]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.0.150 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.151 anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root at linuxhost username]#
UPDATE:
The "time" restart in the command
line above did not function and
every week when the logs rolled
swatch stopped reading the messages
log.
The fix was to use this rc script
and run a cron job that restarted
the swatch process on each log roll.
You can use a cron that restarts
twice a day as below.
0 1,13 * * * /etc/rc.d/init.d/swatchrc restart > /dev/null 2>&1
**** RC SCRIPT ********
#!/bin/sh
#
# swatch swatch is monitaring for logs and specific action from external
# will send mail for specific users.
#
# chkconfig: 2345 42 42
# description: monitaring logs tool.
# processname: swatch
# config: /etc/swatch/swatch_secure
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -f /usr/bin/swatch ] || exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
# Start daemons.
echo -n "Starting Swatch: "
/usr/bin/swatch --config-file=/etc/swatch/sshblock.conf --tail-file=/var/log/messages &
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/swatch
;;
stop)
# Stop daemons.
echo -n "Shutting down Swatch: "
#killproc swatch
#pid=`pidof tail`
# pid_secure=`ps ax | grep secure | awk '{print $1}'`
pid_message=`ps ax | grep message | awk '{print $1}'`
#kill -9 $pid > /dev/null 2>&1
# kill -9 $pid_secure > /dev/null 2>&1
kill -9 $pid_message > /dev/null 2>&1
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/swatch
;;
status)
status swatch
RETVAL=$?
;;
restart|reload)
$0 stop
$0 start
RETVAL=$?
;;
*)
echo "Usage: swatch {start|stop|restart|reload|status}"
exit 1
esac
exit $RETVAL
On Fri, 2004-10-15 at 01:47, david walcroft wrote:
> dave wrote:
> >
> > Blocking repeat SSH attacks with IPTables
> >
> > http://www.dsrtech.com/sshblock/
> >
> >
> dave,
> On this URL it times out and when I did get
> through it was a 404 on 'sshblock'
>
> david
More information about the fedora-list
mailing list