Old 07-21-2008, 09:30 PM
"Spiro Harvey, Knossos Networks Ltd"
 
Ideas for stopping ssh brute force attacks

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP


hey, this is awesome. we're currently filtering log files looking for
multiple failed connections, then adding them to iptables for a few
minutes. this is much cleaner.


thanks.

--
Spiro Harvey Knossos Networks Ltd
021-295-1923 www.knossos.net.nz

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-21-2008, 09:30 PM
"Les Bell"
 
Ideas for stopping ssh brute force attacks

"Lanny Marcus" <lmmailinglists@gmail.com> wrote:

>>
The above link is mostly dead. The data isn't there yet.
<<

I did a write-up on generating SSH keys on both Windows and Linux, along
with some additional tips on OpenSSH configuration. It's at
http://www.lesbell.com.au/Home.nsf/web/SSH+for+Server+Administration?OpenDocument
if anyone needs it.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909


 
Old 07-21-2008, 10:05 PM
D Steward
 
Ideas for stopping ssh brute force attacks

Provided you have ssh set up to ensure that root cannot login directly
and/or keys instead of passwords must be used, you aren't in much danger
of being compromised.

To ensure the logs are mostly kept clean however, you need yet another
solution such as changing the port, port-knocking, or a script such as
fail2ban, denyhosts and blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables then
denies them access to every service including ftp and http, not just
ssh.

Because I don't believe a solution such as fail2ban will scale (it can't
be healthy having tens of thousands of IPs in iptables), I use denyhosts
on my servers and have done so successfully for the past 12 months.
Denyhosts is a script which writes blacklisted IPs to hosts.deny,
preventing them from accessing ssh as well as any other service which
uses tcp wrappers. It has a truly wonderful feature where you can sync
your results with a central server to share IPs for banning. This means
my servers now have about 12000 IPs which are permanently blacklisted.
There are just two disadvantages with denyhosts: with a large number of
entries in hosts.deny, there is a noticeable delay (several seconds in
my case) when logging in with ssh. And you can only deny requests which
use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in
that it can disallow blacklisted IPs from accessing any service, not
just ssh.

Just one other thing: if you use a script, you need to be careful you
don't accidentally ban your own IP (by entering a wrong password too
many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more
awkward it will be to access your own server/s.

 
Old 07-21-2008, 10:09 PM
Tim Nelson
 
Ideas for stopping ssh brute force attacks

When using denyhosts, you'll want to keep your IPs in hosts.allow so even if you're "banned" you can still get access. :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- Original Message -----
From: "D Steward" <dsteward@internode.on.net>
To: "CentOS mailing list" <centos@centos.org>
Sent: Monday, July 21, 2008 5:05:13 PM GMT -06:00 Guadalajara / Mexico City / Monterrey
Subject: Re: [CentOS] Ideas for stopping ssh brute force attacks

Just one other thing: if you use a script, you need to be careful you
don't accidentally ban your own IP (by entering a wrong password too
many times) when accessing a remote server. :/


 
Old 07-21-2008, 10:27 PM
D Steward
 
Ideas for stopping ssh brute force attacks

On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)

Yup.
Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
various subnets to stay safe.

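Added example (not from any poster in this thread): the three mechanisms discussed above all come down to the same decision, "N failures from one source inside a window of S seconds", which is what the iptables `recent --seconds 300 --hitcount 3` rule in Spiro's post does in the kernel and what fail2ban/denyhosts do by reading the sshd log. The script below applies that window to constructed sshd log lines, skips sources that appear in a hosts.allow-style allow list (Tim's advice, with a whole subnet listed as D Steward needs for a dynamic IP), and emits denyhosts-style hosts.deny lines. The log lines, the 2008 year (syslog lines carry no year), the ALLOW_LIST subnet and the function names are all assumptions of this example.

```python
"""Sliding-window failed-login detector with an allow list (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in classic syslog format; addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 21 17:05:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 21 17:05:03 web1 sshd[2313]: Failed password for invalid user appuser from 203.0.113.7 port 51235 ssh2
Jul 21 17:05:04 web1 sshd[2315]: Failed password for invalid user nobody from 203.0.113.7 port 51236 ssh2
Jul 21 17:06:10 web1 sshd[2320]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Jul 21 17:06:12 web1 sshd[2321]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Jul 21 17:06:15 web1 sshd[2322]: Failed password for bob from 198.51.100.20 port 40003 ssh2
Jul 21 17:20:00 web1 sshd[2400]: Failed password for invalid user test from 192.0.2.9 port 2222 ssh2
Jul 21 17:30:00 web1 sshd[2401]: Failed password for invalid user test from 192.0.2.9 port 2223 ssh2
Jul 21 17:40:00 web1 sshd[2402]: Failed password for invalid user test from 192.0.2.9 port 2224 ssh2
Jul 21 17:41:00 web1 sshd[2410]: Accepted publickey for alice from 192.0.2.50 port 3333 ssh2
"""

# Hypothetical allow list standing in for your own hosts.allow entries;
# a whole subnet so a dynamic address from that ISP range is never banned.
ALLOW_LIST = ["198.51.100.0/24"]

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line, year=2008):
    """Return (timestamp, user, ip) for an sshd 'Failed password' line, else None.
    Syslog timestamps have no year, so the caller supplies one (assumed 2008)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def is_allowed(ip, allow_list):
    """True if ip falls inside any address or CIDR network in allow_list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allow_list)


def find_offenders(lines, window_seconds=300, hitcount=3, allow_list=(), year=2008):
    """Per-source sliding window, mirroring `-m recent --seconds N --hitcount M`.

    Each failure is recorded, timestamps older than the window are dropped, and
    the source is banned once `hitcount` failures remain inside the window.
    Returns [(ip, timestamp_when_threshold_crossed)], one entry per address;
    allow-listed sources are never banned.
    """
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in banned or is_allowed(ip, allow_list):
            continue
        q = hits[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= hitcount:
            banned[ip] = ts
    return list(banned.items())


def render_hosts_deny(offenders, daemon="sshd"):
    """denyhosts-style hosts.deny lines for the banned addresses."""
    return "".join(f"{daemon}: {ip}\n" for ip, _ in offenders)


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines(), allow_list=ALLOW_LIST)
    for ip, when in found:
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
    print(render_hosts_deny(found), end="")
```

On the sample, only 203.0.113.7 is banned: 198.51.100.20 also fails three times in seconds but sits in the allow list, and 192.0.2.9 fails three times spread over twenty minutes, so never has three hits inside the 300-second window. Drop the allow list and 198.51.100.20 is banned too, which is exactly the "locked out of your own box" case the thread warns about.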
 
Old 07-21-2008, 10:47 PM
Bill Campbell
 
Ideas for stopping ssh brute force attacks

On Tue, Jul 22, 2008, D Steward wrote:
>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)
>
>Yup.
>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>various subnets to stay safe.

If you do not allow password authentication and use good pass
phrases on your identity, the only thing really gained by
restricting on IP ranges is restricting the number of reject
messages in your log files. The fail2ban program does a nice job
of limiting the number of rejection messages in the logs.

Another possibility is to set up OpenVPN on your system, which
authenticates on ssl certificates and works nicely even from
dynamic IPs behind NAT. Then you can ssh into the private LAN
behind your firewall via OpenVPN.

Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Foreign aid might be defined as a transfer from poor people in rich
countries to rich people in poor countries -- Douglas Casey
 
Old 07-21-2008, 10:48 PM
"nate"
 
Ideas for stopping ssh brute force attacks

D Steward wrote:

> Because I don't believe a solution such as fail2ban will scale (it can't
> be healthy having tens of thousands of IPs in iptables), I use denyhosts

Wherever possible I use layer 2 bridging OpenBSD firewalls in front of
my networks, I don't have a problem with brute force attacks but it
seems it can scale to tens of thousands of IPs without a problem. I'm
not sure if iptables has similar capabilities or not --

http://www.openbsd.org/faq/pf/tables.html

"[..]Lookups against a table are very fast and consume less memory and
processor time than lists. For this reason, a table is ideal for holding
a large group of addresses as the lookup time on a table holding 50,000
addresses is only slightly more than for one holding 50 addresses"

And the pf equivalent to the iptables throttling:

http://www.openbsd.org/faq/pf/filter.html

An example:

table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusive_hosts> flush)

This does the following:

* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the
<abusive_hosts> table
* For any offending IP addresses, flush any states created by this rule.
---

I don't like/use OpenBSD for anything other than firewalls. But I
do think as a firewall, pf really can't be beat, the configuration
for typical rules just 'flows'. IPTables by comparison is so cryptic.
(speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf,
and Cisco PIX, which is probably the worst of the ones I've used).

I use linux pretty much everywhere else other than firewalls. Even
my preferred network gear - load balancers and switches run linux
(commercial variants).

nate

 
Old 07-21-2008, 11:29 PM
Robert Moskowitz
 
Ideas for stopping ssh brute force attacks

Bo Lynch wrote:

just wanted to get some feedback from the community. Over the last few
days I have noticed my web server and email box have attempted to ssh'd to
using weird names like admin,appuser,nobody,etc.... None of these are
valid users. I know that I can block sshd all together with iptables but
that will not work for us. I did a little research on google and found
programs like sshguard and sshdfilter. Just wanted to know if anyone had
any experience with anything like these programs or have any other advice.
I really appreciate it.


I have moved sshd to a different port number.


 
Old 07-21-2008, 11:33 PM
John R Pierce
 
Ideas for stopping ssh brute force attacks

nate wrote:

I don't like/use OpenBSD for anything other than firewalls. But I
do think as a firewall, pf really can't be beat, the configuration
for typical rules just 'flows'. IPTables by comparison is so cryptic.
(speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf,
and Cisco PIX, which is probably the worst of the ones I've used).



while I haven't personally used this, I've heard enough good things
about it from folks I know and trust that I'll stick in a mention of
pfSense... pfSense is a turnkey BSD hybrid, which uses freeBSD's kernel
with openBSD's pf, all wrapped up in a nice easy to use web interface
(and you can still get into shell and manipulate the pf scripts directly).


it's optimized so it can run off as little as a 128MB flash card (CF).


 
Old 07-21-2008, 11:59 PM
"Victor Padro"
 
Ideas for stopping ssh brute force attacks

pfSense rules... in my humble opinion, it does the job better than iptables, and like John said, it can be easily configured via the web.

--
"It is human nature to think wisely and act in an absurd fashion."


"All the disorder in the world comes from professions that are badly or mediocrely served."

 

Thread Tools




All times are GMT. The time now is 04:41 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org