LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-11-2012, 03:31 AM   #1
plisken
Member
 
Is it possible to block an IP address after x amount of login failures?


As per subject, I'm looking to find a way of blocking IP addresses automatically, temporarily or otherwise, after so many failed login attempts.

I guess I'd want this to cover ssh, http, pop.

My messages log is filled with:

Apr 9 08:45:22 morpheus sshd[8845]: Failed password for invalid user oracle from 119.82.75.221 port 48998 ssh2
Apr 9 08:45:30 morpheus sshd[8847]: Invalid user test from 119.82.75.221
Apr 9 08:45:30 morpheus sshd[8847]: Failed password for invalid user test from 119.82.75.221 port 49193 ssh2
Apr 9 08:46:51 morpheus popa3d[8851]: Authentication passed for plisken
Apr 9 08:46:53 morpheus popa3d[8851]: 12426 messages (148807652 bytes) loaded
Apr 9 08:47:06 morpheus popa3d[8851]: 0 (0) deleted, 12426 (148807652) left
Apr 9 08:59:20 morpheus popa3d[8920]: Authentication passed for maggie
Apr 9 08:59:20 morpheus popa3d[8920]: 5 messages (289465 bytes) loaded
Apr 9 08:59:20 morpheus popa3d[8920]: 0 (0) deleted, 5 (289465) left
Apr 9 09:16:19 morpheus -- MARK --
Apr 9 09:26:41 morpheus sshd[9016]: Failed password for root from 119.82.75.221 port 56424 ssh2
Apr 9 09:26:44 morpheus sshd[9018]: Failed password for root from 119.82.75.221 port 56575 ssh2
Apr 9 09:26:47 morpheus sshd[9020]: Failed password for root from 119.82.75.221 port 56733 ssh2
Apr 9 09:26:50 morpheus sshd[9022]: Failed password for root from 119.82.75.221 port 56894 ssh2
Apr 9 09:26:52 morpheus sshd[9024]: Failed password for root from 119.82.75.221 port 57089 ssh2
Apr 9 09:26:56 morpheus sshd[9026]: Failed password for root from 119.82.75.221 port 57197 ssh2
Apr 9 09:27:03 morpheus sshd[9028]: Failed password for root from 119.82.75.221 port 57423 ssh2
Apr 9 09:27:06 morpheus sshd[9030]: Failed password for root from 119.82.75.221 port 57857 ssh2
Apr 9 09:27:09 morpheus sshd[9032]: Failed password for root from 119.82.75.221 port 58071 ssh2
Apr 9 09:27:16 morpheus sshd[9034]: Failed password for root from 119.82.75.221 port 58222 ssh2
Apr 9 09:27:20 morpheus sshd[9036]: Failed password for root from 119.82.75.221 port 58653 ssh2
Apr 9 09:27:23 morpheus sshd[9038]: Failed password for root from 119.82.75.221 port 58920 ssh2
Apr 9 09:27:25 morpheus sshd[9040]: Failed password for root from 119.82.75.221 port 59069 ssh2
Apr 9 09:27:27 morpheus sshd[9042]: Invalid user oracle from 119.82.75.221
Apr 9 09:27:27 morpheus sshd[9042]: Failed password for invalid user oracle from 119.82.75.221 port 59203 ssh2
Apr 9 09:27:29 morpheus sshd[9044]: Invalid user test from 119.82.75.221
Apr 9 09:27:29 morpheus sshd[9044]: Failed password for invalid user test from 119.82.75.221 port 59342 ssh2


In the past, I manually added IP addresses to the /etc/hosts.deny file.
I'm guessing I could search the log files for a specific string and then add the IP address to this file. Something tells me I tried this method years ago without much success though.

All help/comments appreciated.
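The log-scraping approach plisken describes (search the log for a string, count per address, add the address to hosts.deny), as an added example that is not part of any post in this thread: it parses sshd "Failed password" lines in the format shown above, counts failures per source address inside a sliding time window, and renders tcp_wrappers entries once a threshold is crossed. The sample log lines are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges), and the year 2012 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Failed password" lines in the format shown in the post;
# \s+ after the month tolerates syslog's space-padded day ("Apr  9").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(ts, year=2012):
    """syslog timestamps carry no year; 2012 (the thread's year) is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, max_failures=5, window_seconds=600):
    """Map each source IP that reached max_failures failed sshd logins inside
    any window_seconds span to the time the threshold was first crossed.
    Lines that are not sshd failures (popa3d, 'Invalid user', MARK) are ignored."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:   # drop stale failures
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned[ip] = t
    return banned

def hosts_deny_lines(banned, services=("sshd",)):
    """Render tcp_wrappers entries for /etc/hosts.deny. Only daemons started
    through tcpd (or linked against libwrap, as sshd is) honour these."""
    return [f"{svc}: {ip}" for ip in sorted(banned) for svc in services]

# Constructed sample log in the same format as the post (documentation addresses).
SAMPLE_LOG = """\
Apr 9 09:26:41 morpheus sshd[9016]: Failed password for root from 192.0.2.10 port 56424 ssh2
Apr 9 09:26:44 morpheus sshd[9018]: Failed password for root from 192.0.2.10 port 56575 ssh2
Apr 9 09:26:47 morpheus sshd[9020]: Invalid user oracle from 192.0.2.10
Apr 9 09:26:47 morpheus sshd[9020]: Failed password for invalid user oracle from 192.0.2.10 port 56733 ssh2
Apr 9 09:26:50 morpheus sshd[9022]: Failed password for root from 192.0.2.10 port 56894 ssh2
Apr 9 09:27:03 morpheus popa3d[8851]: Authentication passed for plisken
Apr 9 09:27:06 morpheus sshd[9030]: Failed password for root from 192.0.2.10 port 57857 ssh2
Apr 9 09:30:00 morpheus sshd[9100]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Apr 9 09:45:00 morpheus sshd[9101]: Failed password for bob from 198.51.100.7 port 40001 ssh2
""".splitlines()

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

Run against the real file with open("/var/log/messages") in place of SAMPLE_LOG; the window matters, because two failures a quarter of an hour apart are not the same thing as five in thirty seconds.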
 
Old 04-11-2012, 03:32 AM   #2
descendant_command
Senior Member
 
fail2ban FTW!

It watches arbitrary log files and generates iptables rules to block the offenders.

Very flexible.

Last edited by descendant_command; 04-11-2012 at 03:34 AM.
 
Old 04-11-2012, 04:07 AM   #3
TommyC7
Member
 
I too recommend fail2ban, but remember that the attacker might be behind a proxy (they usually are), and even then that IP might not be the router the person is using at home.
 
Old 04-14-2012, 02:26 PM   #4
plisken
Member
 
Original Poster
Fail2ban now up and running nicely, well it is working LOL (and rather well)

Any tips on using the iptables route or the deny.hosts route?

Additionally, I couldn't find any mail configurations (jails) in there; I'd like to cover pop3 failures too. At the moment I'm only using ssh/apache/proftpd.
 
Old 04-14-2012, 02:34 PM   #5
unSpawn
Moderator
 
Quote:
Originally Posted by plisken View Post
Any tips on using the iptables route or the deny.hosts route?
That's no contest: iptables.


Quote:
Originally Posted by plisken View Post
I couldnt find any mail configurations (jails) in there, I'd like to cover pop3 failures too.
If there isn't one then we will create one. What application do you use and what messages does it emit (use the source, Luke)?
 
Old 04-14-2012, 07:13 PM   #6
plisken
Member
 
Original Poster
@unSpawn your rep is at 1337, you've got to be fookin' kidding me LOL

I'm using:

pop3d-0.6.3-i486
sendmail-0.8.12.10
procmail-3.15.2 (if relevant)

Having searched my /var/log/messages I can't actually find a failed pop3d login attempt, but I'd still like to cover this off.

Thanks...
 
Old 04-15-2012, 06:14 AM   #7
unSpawn
Moderator
 
Quote:
Originally Posted by plisken View Post
Having searched my /var/log/messages I cant actually find a failed pop3d login attempt
Well then fake a few for me, OK? ;-p

So far I've got
Code:
^%(__prefix_line)spop3.* badlogin: .*\[<HOST>\] .* PAM auth error\s*$
^%(__prefix_line)spop3.* badlogin: .*\[<HOST>\] .* authentication failure\s*$
^%(__prefix_line)spop3.* error: PAM: authentication error for illegal user .* from <HOST>\s*$
^%(__prefix_line)s(?:auth: PAM error: )?Authentication failure for .* from <HOST>\s*$
w/o knowing if it's complete or current.
 
Old 04-15-2012, 09:07 AM   #8
plisken
Member
 
Original Poster
This is what failed pop stuff looks like in my /var/log/messages:

Note, no sign of an IP address, unlike my ssh failures.
Code:
Apr 15 14:10:50 morpheus popa3d[2833]: Authentication failed for UNKNOWN USER
Apr 15 14:11:01 morpheus popa3d[2842]: Authentication failed for UNKNOWN USER
Apr 15 14:11:11 morpheus popa3d[2852]: Authentication failed for UNKNOWN USER
Apr 15 14:11:22 morpheus popa3d[2859]: Authentication failed for UNKNOWN USER
Apr 15 14:11:32 morpheus popa3d[2867]: Authentication failed for UNKNOWN USER
My /var/log/maillog shows:

Code:
Apr 15 14:10:40 morpheus sm-mta[2832]: q3FDAeAC002832: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:10:51 morpheus sm-mta[2841]: q3FDApAC002841: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:01 morpheus sm-mta[2851]: q3FDB1AC002851: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:12 morpheus sm-mta[2858]: q3FDBCAC002858: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:22 morpheus sm-mta[2866]: q3FDBMAC002866: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:32 morpheus sm-mta[2872]: q3FDBWAC002872: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Last edited by plisken; 04-15-2012 at 09:20 AM.
 
Old 04-15-2012, 10:07 AM   #9
unSpawn
Moderator
 
Your /var/log/messages (do test with fail2ban-regex) should be like
Code:
^%(__prefix_line)spopa3d .* Authentication failed .* from <HOST>\s*$
but sm-mta from /var/log/maillog AFAIK are MTA messages, not POP.
 
Old 04-16-2012, 05:42 AM   #10
plisken
Member
 
Original Poster
This is where one of my problems arises, as there is no <host> in my logs:

Code:
Apr 15 14:10:50 morpheus popa3d[2833]: Authentication failed for UNKNOWN USER
Apr 15 14:11:01 morpheus popa3d[2842]: Authentication failed for UNKNOWN USER
Apr 15 14:11:11 morpheus popa3d[2852]: Authentication failed for UNKNOWN USER
Apr 15 14:11:22 morpheus popa3d[2859]: Authentication failed for UNKNOWN USER
Apr 15 14:11:32 morpheus popa3d[2867]: Authentication failed for UNKNOWN USER
Quote:
but sm-mta from /var/log/maillog AFAIK are MTA messages, not POP.
I just thought the entries in both messages and maillog were related, as you can see the times and also the PIDs match up.

A failed pop authentication looks like this in /var/log/messages:
Code:
Apr 16 11:47:35 morpheus popa3d[13635]: Authentication failed for realUsername
I guess I may have two options: one is to try and force the pop3d to log IP addresses as well, and the other is to use the IP address in the maillog instead.

Last edited by plisken; 04-16-2012 at 05:49 AM.
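To see what the failregex lines unSpawn posted in #7 and #9 actually do, and why the popa3d lines in #8 and #10 cannot feed fail2ban, here is an added example that is not fail2ban's code and not from any post: it expands the %(__prefix_line)s and <HOST> tags with simplified stand-ins for fail2ban's own substitutions (an assumption; the real __prefix_line in common.conf is more elaborate) and runs a failregex over constructed log lines. The popa3d regex is unSpawn's adapted to plisken's line format and assumes a hypothetical "from <address>" suffix that stock popa3d does not emit, which is exactly the gap this thread runs into.

```python
import re

# Simplified stand-ins for the two fail2ban substitutions used in the thread's
# failregex lines (assumption: fail2ban's real __prefix_line is more elaborate).
# <HOST> becomes a named group, which is what the ban action reads; a failregex
# without it can match all day and ban nobody.
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # tolerates IPv4-mapped ::ffff:

def compile_failregex(failregex):
    """Expand %(__prefix_line)s and <HOST> as fail2ban does, then compile."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    if "<HOST>" not in pattern:
        raise ValueError("failregex has no <HOST> tag: nothing to ban")
    return re.compile(pattern.replace("<HOST>", HOST_TAG))

def failed_hosts(failregex, lines):
    """Return the <HOST> value of every line the failregex matches, in order
    (the same lines fail2ban-regex would report as matched)."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

SSHD_FAILREGEX = (r"^%(__prefix_line)ssshd\[\d+\]: Failed password for "
                  r"(?:invalid user )?\S+ from <HOST> port \d+ ssh2\s*$")
# unSpawn's popa3d regex adapted to plisken's line format, assuming a
# hypothetical "from <address>" suffix that stock popa3d does not log.
POPA3D_FAILREGEX = (r"^%(__prefix_line)spopa3d\[\d+\]: Authentication failed "
                    r"for .* from <HOST>\s*$")

# Constructed lines (documentation addresses); the first is plisken's real format.
SAMPLE = [
    "Apr 15 14:10:50 morpheus popa3d[2833]: Authentication failed for UNKNOWN USER",
    "Apr 15 14:11:01 morpheus popa3d[2842]: Authentication failed for bob from 192.0.2.10",
    "Apr  9 09:26:41 morpheus sshd[9016]: Failed password for root from 192.0.2.10 port 56424 ssh2",
    "Apr  9 09:27:27 morpheus sshd[9042]: Failed password for invalid user oracle from ::ffff:198.51.100.7 port 59203 ssh2",
]

if __name__ == "__main__":
    print("sshd   :", failed_hosts(SSHD_FAILREGEX, SAMPLE))
    print("popa3d :", failed_hosts(POPA3D_FAILREGEX, SAMPLE))
```

The first popa3d line never matches because there is no address to capture, so the only fixes are the ones the thread arrives at: make the daemon log the peer address, or let the wrapper in front of it (tcpd/xinetd) do the logging and denying.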
 
Old 04-16-2012, 10:54 AM   #11
unSpawn
Moderator
 
Quote:
Originally Posted by plisken View Post
This is where one of my problems arises, as there is no <host> in my logs
Crap. I suppose popa3d doesn't support PAM auth either?


Quote:
Originally Posted by plisken View Post
I just thought the entries in both messages and maillog were related as you can see the times and also the PIDs match up
A failed MTA send doesn't necessarily mean a failed POP3(S) login?..


Quote:
Originally Posted by plisken View Post
I guess I may have two options, one to try and force the pop3d to log IP addresses as well and the other option is to use the IP address in the maillog instead.
IMHO if you have two options then it's to make pop3d log IP addresses or run the daemon from a super server like Xinetd.
 
Old 04-16-2012, 10:59 AM   #12
Linux_Kidd
Member
 
I use a combo of PAM pam_passwdqc.so and the denyhosts service, so I'll share what I do on a RHEL 5.7.

denyhosts will write sshd-specific entries into hosts.deny: 3 failed logins for a known account gets the src a 15min block; after that, another 3 failed gets PAM to block for 1hr, so essentially a 1hr:15min lockout per 6 failed attempts, then the system will dynamically allow the src IP to auth again after that time period.

For ssh specifically they all work together to deny the IP as follows:


Code:
********** PASSWORD REQUIREMENTS AND LOCKOUT **********
changed password requirements and lockout using PAM modules in
/etc/pam.d/system-auth config file
perhaps use the switch "quiet" in pam_tally2 auth for more
"dark" systems, this basically locks the account without 
telling user the account was locked. perhaps omit "unlock_time" 
for more secure systems, this would force the sys admin to 
manually unlock the auth. lockout time is set to 3600 (1hr). 
also note the deny is set to 6 (this coincides with sshd_config 
and denyhosts). "root" will be tallied. please note, this is 
not the same as "passwd -l [user]". we also change the strength 
of password hashes for shadow, so in password section notice 
that pam_unix.so uses sha512 instead of the default md5.

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# added pam_tally2 in auth and account
# added use of pam_passwdqc and disabled pam_cracklib in password
auth        required      pam_tally2.so onerr=fail deny=6 unlock_time=3600 audit
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

#password    requisite     pam_cracklib.so try_first_pass retry=3
password    requisite      pam_passwdqc.so min=disabled,disabled,12,8,8 random=0 passphrase=0 retry=3 similar=deny enforce=everyone ask_oldauthtok
password    sufficient    pam_unix.so sha512 shadow remember=12 try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


================================================

********** hosts.allow AND hosts.deny **********
these files are read by tcpwrappers (/usr/sbin/tcpd)
lets protect inet services from IP that should not be connecting,
etc. note, only services that are wrapped with tcpd will read 
these files, etc. hosts.deny will send a email alert if connection
is not from RFC1918, etc. "denyhosts" will also dynamically update
hosts.deny. if hosts.deny gets mucked up real bad then it can be
fixed by copying /etc/hosts.deny.orig.bak back to hosts.deny, etc.

allow localhost IP
# /etc/hosts.allow
# allow all localhost connections
ALL: 127.0.0.0/255.0.0.0


this hosts.deny file will flat-out deny connectivity from any
non-RFC1918 IP.
# /etc/hosts.deny
# deny all non-RFC1918 addresses and alert on such
#
ALL: ALL EXCEPT 10.0.0.0/255.0.0.0, 172.16.0.0/255.240.0.0, 192.168.0.0/255.255.0.0 \
: spawn (/bin/mail -s "ALERT\: ILLEGAL %d ATTEMPT from IP %h" "1@.gov \
2@.gov 3@.gov 4@.gov 5@.gov") &
#######################################################


and yes, i have a line of hashes in there because denyhosts will
dynamically add/remove entries after this line, makes it easy 
to see denyhosts entries, etc.

=======================================================

********** denyhosts SERVICE INSTALL **********
denyhosts is a control used to thwart off brute force login attacks,
etc.

this service is used to dynamically update /etc/hosts.deny. 
out-of-the-box it watches for failed logins to sshd but can be 
used for watching any log for anything you want. this install 
is "DenyHosts version: 2.6". two DoS fixes (one REGEX5 and one
REGEX7) were applied to usr/lib/python2.4/site-packages/DenyHosts/regex.py (see https://bugzilla.redhat.com/show_bug.cgi?id=244943
and https://bugzilla.redhat.com/attachment.cgi?id=157433&action=diff). 

python is a pre-req (see documentation, etc).

the denyhosts package will install on Red Hat / Fedora, Mandrake,
FreeBSD / OpenBSD, SuSE, Mac OS X. the denyhosts package will
install to /usr/share/denyhosts and there is a README there which
explains everything about denyhosts. this service is setup as a
daemon (a runtime init 2-5 service, run "chkconfig --list |grep
denyhosts" to see. you can control the service using the "service"
command). see the README.


this Linux rhel 5.7 system has access/account controls at several
layers. the 1st layer is network access, and from the host side is
controlled through tcp wrappers (tcpd). sshd by default uses tcpd
(not all services do). sshd_config limits auth tries to 3 before
disconnecting the connection, but this alone does not stop the src
from connecting again, so this is where denyhosts comes in to
assist. denyhosts is configured to block source after 3 consecutive
failed logins (for known accounts) and 10 failed logins (for 
unknown accounts) which will result in a 15min src IP network 
deny. after 15min the src IP will be purged from the deny list 
and is again allowed to connect. after 6 consecutive failed 
logins PAM will lock a valid account for 1hr.

configuration is held in /usr/share/denyhosts/denyhosts.cfg (config
options are explained in the README file).

(settings that were changed, all others left at default)
# PURGE_DENY:
PURGE_DENY = 15m

# PURGE_THRESHOLD
PURGE_THRESHOLD = 0

# DENY_THRESHOLD_INVALID
DENY_THRESHOLD_INVALID = 10

# DENY_THRESHOLD_VALID
DENY_THRESHOLD_VALID = 3

# DENY_THRESHOLD_ROOT
DENY_THRESHOLD_ROOT = 3

# DENY_THRESHOLD_RESTRICTED
DENY_THRESHOLD_RESTRICTED = 1

# HOSTNAME_LOOKUP
HOSTNAME_LOOKUP=no

# ADMIN_EMAIL
ADMIN_EMAIL = 1@.gov, 2@.gov, 3@.gov, 4@.gov, 5@.gov

# SMTP_HOST and SMTP_PORT
SMTP_HOST = 10.21.0.59
SMTP_PORT = 25

# SMTP_FROM
SMTP_FROM = DenyHosts <no-reply@myHost.gov>

# SYSLOG_REPORT
SYSLOG_REPORT=YES

# AGE_RESET_VALID
AGE_RESET_VALID=25d

# AGE_RESET_ROOT
AGE_RESET_ROOT=25d

# AGE_RESET_RESTRICTED
AGE_RESET_RESTRICTED=25d

# AGE_RESET_INVALID
AGE_RESET_INVALID=25d

# RESET_ON_SUCCESS
RESET_ON_SUCCESS = yes

# DAEMON_LOG_TIME_FORMAT
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

# DAEMON_SLEEP
DAEMON_SLEEP = 15s

# DAEMON_PURGE
DAEMON_PURGE = 5m

# SYNC_INTERVAL
SYNC_INTERVAL = 10000h

# SYNC_UPLOAD
SYNC_UPLOAD = no

# SYNC_DOWNLOAD
SYNC_DOWNLOAD = no

Last edited by Linux_Kidd; 04-16-2012 at 11:16 AM.
 
Old 04-16-2012, 11:21 AM   #13
unSpawn
Moderator
 
Quote:
Originally Posted by Linux_Kidd View Post
denyhosts will write sshd specific entries into hosts.deny,
Please read the link I posted in #5 again.


Quote:
Originally Posted by Linux_Kidd View Post
for ssh specifically
...but we're talking POP3 here?
 
Old 04-16-2012, 12:47 PM   #14
Linux_Kidd
Member
 
What exactly is "pop3d-0.6.3-i486"?? Google search returns nothing.
 
Old 04-16-2012, 01:26 PM   #15
plisken
Member
 
Original Poster
Quote:
IMHO if you have two options then it's to make pop3d to log IP addresses or run the daemon from a super server like Xinetd.
I was sure pop3d was running from inetd and the line below shows this (I think):
Code:
# Post Office Protocol version 3 (POP3) server:
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popa3d
Quote:
what exactly is "pop3d-0.6.3-i486"
Just the version of the pop3 daemon running. http://www.openwall.com/popa3d/


I think I'm looking at maybe using a different pop3 service or perhaps recompiling this with options (if possible) to log IPs.

Last edited by plisken; 04-16-2012 at 01:29 PM.
 
  

