[KLUG Members] auto-nullrouting

Mike Williams knightperson at zuzax.com
Wed Nov 23 22:21:26 EST 2005


Jamie McCarthy wrote:

>Hi,
>
>It's a fact of life that any machine exposed to the internet gets
>brute-force password attacks happening pretty much constantly.  The
>attacks try different passwords against common usernames over and
>over.  What shows up in the syslog for my Debian machine is this:
>
>Nov 22 18:14:28 localhost sshd[17004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
>Nov 22 18:14:31 localhost sshd[17007]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
>Nov 22 18:14:35 localhost sshd[17010]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
>Nov 22 18:14:40 localhost sshd[17013]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
>Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2
>
>I always use very strong passwords, but I have a few users on this
>machine who might not, so I'd like to automatically detect this
>kind of attack and reject all traffic from and to that IP number
>for a few hours.  It doesn't have to respond instantaneously or
>anything:  within a few minutes is fine.
>
>(a) Anyone know of a Debian package that does this?
>
>(b) If not, does anyone have a favorite way to build this behavior
>using standard tools?  I could pretty easily write a script to tail
>the log and permanently ban such IPs, but for the sake of a clean
>routing table I'd rather the IPs get unbanned after a few hours,
>which is a somewhat more difficult project.
>
Isn't there an option in iptables or sshd that does exactly that?  I 
can't seem to find it, but I think I remember seeing that option on my 
SuSE box.  You could also require keyboard-interactive authentication, 
which should defeat bot attacks.  <aside>speaking of 
keyboard-interactive, can somebody explain how the heck sshd can tell 
whether the keystrokes are coming from a human at the keyboard?  or what 
it takes to spoof that?</aside>

The script to unbar IPs doesn't seem like it would be much harder to 
write than the one to bar them initially.  Something like:
    # $IP holds the offending address pulled from the log
    if grep -q "Failed password for .* from $IP " /var/log/auth.log; then
        iptables -I INPUT -s "$IP" -j DROP
        echo "$IP $(date +%s)" >> banned.list
    fi
Then a cron job you run every hour or whatever:
    # print every IP whose ban timestamp is older than an hour, then drop its rule
    awk -v cutoff="$(( $(date +%s) - 3600 ))" '$2 < cutoff { print $1 }' banned.list |
        while read -r IP; do iptables -D INPUT -s "$IP" -j DROP; done

or something.  Looks harder than I thought now that it's on screen, but 
I still think it's doable.  Could also make the ban entries IP 
address-named files, and unban based on the timestamp of the file.
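As an added illustration of the ban-and-expire logic sketched in this reply (not code from the thread or from any participant), the following Python parses sshd "Failed password" lines like the ones quoted above, flags a source once it crosses a failure threshold inside a time window, and expires bans after a fixed period. The sample log is constructed (the 10.0.0.5 line is made up to show a lone failure being ignored), the threshold, window and ban length are assumed values, and the iptables commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the format quoted above; the 10.0.0.5 line is made up to show that
# a lone failure is ignored. syslog omits the year, so the parser is told one.
SAMPLE_LOG = """\
Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2
Nov 22 18:20:01 localhost sshd[17100]: Failed password for jamie from 10.0.0.5 port 50000 ssh2
"""
# Match only "Failed password" (the pam_unix line is the same attempt); "invalid user" is optional.
FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (\S+) port \d+")
CHAINS = (("INPUT", "-s"), ("OUTPUT", "-d"))  # block traffic from *and* to the source

def failed_logins(log_text, year=2005):
    """Yield (timestamp, source_ip) for every sshd failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the "Nov  2" day padding
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2)

def offenders(log_text, threshold=4, window=timedelta(minutes=5), year=2005):
    """{ip: time the threshold was crossed} for sources with >= threshold failures in one window."""
    per_ip = defaultdict(list)
    for ts, ip in failed_logins(log_text, year):
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # slide a window of `threshold` events
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = times[i + threshold - 1]
                break
    return hits

def ban_commands(hits):  # iptables rules for each offender, returned as text, not executed
    return [f"iptables -I {c} {f} {ip} -j DROP" for ip in sorted(hits) for c, f in CHAINS]

def expire_bans(banned, now, ban_for=timedelta(hours=3)):
    """The cron half: split {ip: banned_at} into (still_banned, unban_commands)."""
    still = {ip: t for ip, t in banned.items() if now - t < ban_for}
    cmds = [f"iptables -D {c} {f} {ip} -j DROP" for ip in banned if ip not in still for c, f in CHAINS]
    return still, cmds
```

Keeping the ban table as {ip: banned_at} (or, as the reply suggests, one file per IP with its mtime) is what lets the cron half decide what to unban without re-reading the log.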
