attack

David Hoffman dhoffman2004 at gmail.com
Mon May 9 14:48:42 UTC 2005


On 5/9/05, roland brouwers <roland at cat.be> wrote:
> Someone is attacking for a certain time on port SSH2
> He is trying to log in as root and uses all kinds of usernames.
> See annexed textfile
> 
> How can I block a user after x failed logins?
> Can I do something else?
> 


This looks like something VERY common. Wanna-be hackers ("script
kiddies") try to make repeated connections using common names, hoping
to find a valid user name on your system, and will try to break in
using that connection. Of course, for them to be successful would
require them to continue hitting your machine over and over again
until they finally get through.

You may see references to an application called denyhosts, which does
work, but because of the way it works, it is not so reliable. What I
mean by that is that it is fired off from cron to check your logs
every so often and then blocks addresses that repeatedly show up with
bad connection attempts. Unfortunately, even if you run it every 5
minutes, that means that a whole bunch of connection attempts
(hundreds) can get through before it is caught.

One of the practices that I use to help prevent this is to
automatically have my firewall block them for a time after a certain
number of failed attempts. I'll give credit where it's due: I borrowed
the code from a previous poster on this forum named Brian Gaynor. If
you happen to go back into the archives and search for posts on April
8th from Brian with the subject line of "Questions concerning Security
Log", you will see a whole thread of information, and Brian's solution.

Here is an excerpt of what he wrote, and the method that I am now
currently using:

-----------
You can also configure IPTABLES to look for failed attempts to log on
and block the IP temporarily (say for 5 minutes) after a number of
failed logon attempts (say 5 within 60 seconds). That's what we do and
it reduces the log noise and limits the attacks. Here's what I use in
IPTABLES (I'm sure members of this list could improve on this - also
code may wrap):

#!/bin/sh
#  Modprobe the extra modules we need
modprobe ipt_recent
modprobe ip_conntrack

#  Remove any old rules
iptables -F
iptables -X
iptables -Z

#  Some variables - REPLACE WITH YOUR IP
IFACE="eth0"
IPADDR="192.168.1.1"

#  Kill ssh hackers - watch for more than 5 connection attempts in under
#  60 seconds and reject for 5 minutes
#  SSH-EVIL: remember the source in the "badSSH" list, log it, reject it
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
iptables -A SSH-EVIL -j REJECT

#  SSH: packets of established sessions pass; new SYNs are checked
#  against badSSH (penalty still running) and sshconn (rate of new SYNs)
iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 300 -j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

#  Allow unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#  Send ssh down our user-defined chain, allow ftp ...
iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH

... rest of IPTABLES rules
---------------


-- 

David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world,
those who understand binary, and those who don't.
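As an added illustration (not Brian's or David's code, and only a model of the rules, not the kernel's `recent` module), this Python simulation runs the three new-SYN rules of the SSH chain above over a constructed sequence of connection attempts, showing that the fifth SYN within a minute still gets through, the sixth trips SSH-EVIL, and the penalty expires 300 seconds after the first rejection.

```python
from collections import defaultdict

# Parameters copied from the iptables rules in the post.
HIT_WINDOW = 60       # --seconds 60 on the "sshconn" list
HIT_COUNT = 5         # --hitcount 5
PENALTY = 300         # --seconds 300 on the "badSSH" list


class SshChain:
    """Model of the SSH / SSH-EVIL chains (per-address entry limits of the
    real recent module are not modelled)."""

    def __init__(self):
        # One timestamp list per source address, like the module's
        # per-address entries in /proc/net/ipt_recent/<name>.
        self.sshconn = defaultdict(list)
        self.bad_ssh = defaultdict(list)

    @staticmethod
    def rcheck(table, src, now, seconds, hitcount=1):
        """--rcheck --seconds N [--hitcount M]: src is listed and at
        least M of its entries fall inside the last N seconds."""
        hits = sum(1 for t in table.get(src, []) if now - t <= seconds)
        return hits >= hitcount

    def syn(self, src, now):
        """Verdict for a new TCP SYN from src at time `now` (seconds)."""
        # Rule 1: penalised within the last 300 s -> REJECT, no update.
        if self.rcheck(self.bad_ssh, src, now, PENALTY):
            return "REJECT"
        # Rule 2: 5 or more SYNs in the last 60 s -> SSH-EVIL, which
        # --set's badSSH, LOGs "evil SSH user: " and REJECTs.
        if self.rcheck(self.sshconn, src, now, HIT_WINDOW, HIT_COUNT):
            self.bad_ssh[src].append(now)
            return "REJECT+LOG"
        # Rule 3: --set sshconn for this SYN, then ACCEPT.
        self.sshconn[src].append(now)
        return "ACCEPT"


def simulate(events):
    """Run (time, src) SYNs through one chain; return the verdicts."""
    chain = SshChain()
    return [chain.syn(src, t) for t, src in events]


if __name__ == "__main__":
    # Constructed sample: one brute-forcer (10.0.0.9), one normal user.
    sample = [(0, "10.0.0.9"), (10, "10.0.0.9"), (20, "10.0.0.9"),
              (30, "10.0.0.9"), (40, "10.0.0.9"), (50, "10.0.0.9"),
              (55, "10.0.0.9"), (60, "192.0.2.7"), (351, "10.0.0.9")]
    for (t, src), verdict in zip(sample, simulate(sample)):
        print(f"t={t:4d} {src:12} {verdict}")
```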
