[KLUG Members] auto-nullrouting
Mike Williams
knightperson at zuzax.com
Wed Nov 23 22:21:26 EST 2005
Jamie McCarthy wrote:
>Hi,
>
>It's a fact of life that any machine exposed to the internet gets
>brute-force password attacks happening pretty much constantly. The
>attacks try different passwords against common usernames over and
>over. What shows up in the syslog for my Debian machine is this:
>
>Nov 22 18:14:28 localhost sshd[17004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
>Nov 22 18:14:31 localhost sshd[17007]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
>Nov 22 18:14:35 localhost sshd[17010]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
>Nov 22 18:14:40 localhost sshd[17013]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2
>
>I always use very strong passwords, but I have a few users on this
>machine who might not, so I'd like to automatically detect this
>kind of attack and reject all traffic from and to that IP number
>for a few hours. It doesn't have to respond instantaneously or
>anything: within a few minutes is fine.
>
>(a) Anyone know of a Debian package that does this?
>
>(b) If not, does anyone have a favorite way to build this behavior
>using standard tools? I could pretty easily write a script to tail
>the log and permanently ban such IPs, but for the sake of a clean
>routing table I'd rather the IPs get unbanned after a few hours,
>which is a somewhat more difficult project.
>
>
Isn't there an option in iptables or sshd that does exactly that? I
can't seem to find it, but I think I remember seeing that option on my
SuSE box. You could also require keyboard-interactive authentication,
which should defeat bot attacks. <aside>speaking of
keyboard-interactive, can somebody explain how the heck sshd can tell
whether the keystrokes are coming from a human at the keyboard? or what
it takes to spoof that?</aside>
The script to unban IPs doesn't seem like it would be much harder to
write than the one to ban them initially. Something like:
  if grep -q "Failed password .* from $IP " /var/log/auth.log; then
      iptables -I INPUT -s "$IP" -j DROP        # add rule banning IP
      echo "$IP $(date +%s)" >> banned.list      # record IP and ban time (epoch seconds)
  fi
Then a cron job you run every hour or whatever:
  cutoff=$(( $(date +%s) - 3600 ))               # anything banned more than an hour ago
  awk -v cutoff="$cutoff" '$2 < cutoff { print $1 }' banned.list |
      while read -r ip; do iptables -D INPUT -s "$ip" -j DROP; done
  awk -v cutoff="$cutoff" '$2 >= cutoff' banned.list > banned.tmp && mv banned.tmp banned.list
or something. Looks harder than I thought now that it's on screen, but
I still think it's doable. Could also make the ban entries IP
address-named files, and unban based on the timestamp of the file.
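As an added example, not from the thread or either poster, here is the detect/ban/expire cycle sketched above written out in Python so the pieces can be checked stand-alone: parse the sshd "Failed password" lines, pick out hosts that cross a failure threshold, emit the iptables rules that drop traffic from and to them, keep the ban list in the "ip timestamp" layout of banned.list, and lift bans older than a few hours. The threshold (3 failures in 10 minutes), the ban length (3 hours), the DEMO_NOW clock and the log sample are all assumed or constructed; the sample reuses the lines quoted in the thread plus one made-up failure from 192.0.2.7. The script only prints the iptables commands; running them is left to the operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables: assumed values, not from the thread.
THRESHOLD = 3                      # failures from one host before it is banned
WINDOW = timedelta(minutes=10)     # ...within this span
BAN_DURATION = timedelta(hours=3)  # Jamie's "a few hours"
DEMO_NOW = datetime(2005, 11, 22, 18, 20, 0)  # pretend clock for the sample below

# Constructed sample: the lines quoted in the thread plus one lone failure
# for a real user from a test-net address, to show a non-offender left alone.
SAMPLE_LOG = """\
Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2
Nov 22 18:15:01 localhost sshd[17020]: Failed password for jamie from 192.0.2.7 port 50000 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2"
)


def parse_failures(log_text, year, since=None):
    """Return [(timestamp, user, rhost)] for sshd 'Failed password' lines.

    Syslog lines carry no year, so the caller supplies it. Lines at or before
    `since` are skipped: a periodic run must only look at log written since its
    last run, otherwise the same old lines re-ban a host the moment its ban ends.
    """
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if since is None or ts > since:
            found.append((ts, m.group(2), m.group(3)))
    return found


def offenders(failures, threshold=THRESHOLD, window=WINDOW):
    """Set of hosts with `threshold` failures inside some `window`-long span."""
    by_host = defaultdict(list)
    for ts, _user, rhost in failures:
        by_host[rhost].append(ts)
    bad = set()
    for rhost, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bad.add(rhost)
                break
    return bad


def rules(action, rhost):
    """iptables argv lists dropping traffic from and to rhost (-I adds, -D removes)."""
    return [
        ["iptables", action, "INPUT", "-s", rhost, "-j", "DROP"],
        ["iptables", action, "OUTPUT", "-d", rhost, "-j", "DROP"],
    ]


def update_bans(banned, new_offenders, now, duration=BAN_DURATION):
    """One run of the ban/unban cycle.

    `banned` maps rhost -> time the ban was added (banned.list as a dict).
    Returns (updated map, iptables commands to run). An already-banned host gets
    no duplicate rule; bans older than `duration` are removed, which keeps the
    ruleset short as Jamie wanted.
    """
    commands, updated = [], dict(banned)
    for rhost in sorted(new_offenders):
        if rhost not in updated:
            commands.extend(rules("-I", rhost))
            updated[rhost] = now
    for rhost, ban_time in list(updated.items()):
        if now - ban_time >= duration:
            commands.extend(rules("-D", rhost))
            del updated[rhost]
    return updated, commands


def dump_banlist(banned):
    """'<ip> <epoch>' per line, the banned.list layout sketched in the reply."""
    return "".join(f"{ip} {int(ts.timestamp())}\n" for ip, ts in banned.items())


def load_banlist(text):
    return {ip: datetime.fromtimestamp(int(epoch))
            for ip, epoch in (ln.split() for ln in text.splitlines() if ln.strip())}


if __name__ == "__main__":
    import shlex
    banned, cmds = update_bans({}, offenders(parse_failures(SAMPLE_LOG, 2005)), DEMO_NOW)
    for c in cmds:
        print(shlex.join(c))   # replace with subprocess.run(c, check=True) when run as root
    print(dump_banlist(banned), end="")
```

Run from cron every few minutes, the script should persist the time of its last run and pass it as `since`, and read banned.list back with `load_banlist` before calling `update_bans`; without the `since` filter a host is re-banned from stale log lines as soon as its ban expires, which is the trap that makes the unban side "harder than it looks".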