LinuxQuestions.org
Old 05-03-2013, 04:17 AM   #1
dh2k
Member
 
Registered: Jan 2006
Distribution: Slackware 13.0 (KDE 3.5.10 from 12.2; Xfce 4.6; Fluxbox); Slackware 13.1 (KDE 4.5)
Posts: 203

Rep: Reputation: 44
brute force attack detected in /var/log/messages


Hi Forum,

A brute force attack on sshd has been detected in /var/log/messages
cat /var/log/messages | grep sshd
cat /var/log/messages | grep Failed


I have the IP the attack has come from -
1/ any info on how to blacklist known IPs for sshd (and other/all services)

2/ I would really like to hear people's imaginative suggestions for the known IPs ;-)

Thanks,

Last edited by dh2k; 05-05-2013 at 01:47 AM.
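Counting the "Failed" lines per source address is the check behind the two greps above. As an added example (not code from the thread), this Python script does that over /var/log/messages and its rotated copies, falling back to constructed sample lines when no file is readable; the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the threshold of five failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines in the format sshd writes;
# the addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
May  3 04:01:12 darkstar sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
May  3 04:01:15 darkstar sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 50114 ssh2
May  3 04:01:19 darkstar sshd[2215]: Failed password for root from 203.0.113.7 port 50120 ssh2
May  3 04:01:22 darkstar sshd[2217]: Failed password for root from 203.0.113.7 port 50123 ssh2
May  3 04:01:26 darkstar sshd[2219]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
May  3 04:05:40 darkstar sshd[2301]: Failed password for dh2k from 198.51.100.20 port 41122 ssh2
May  3 04:05:48 darkstar sshd[2301]: Accepted publickey for dh2k from 198.51.100.20 port 41122 ssh2
"""

# One sshd failure line: auth method, optional "invalid user", name, source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|keyboard-interactive/pam|none) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_source(lines):
    """Return {source ip: (failure count, set of usernames tried)}."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]][0] += 1
            stats[m["ip"]][1].add(m["user"])
    return {ip: (count, users) for ip, (count, users) in stats.items()}

def suspicious_sources(lines, threshold=5):
    """Sources with at least `threshold` failures, busiest first (threshold is an assumption)."""
    stats = failed_logins_by_source(lines)
    hits = [ip for ip, (count, _) in stats.items() if count >= threshold]
    return sorted(hits, key=lambda ip: -stats[ip][0])

if __name__ == "__main__":
    import glob, sys
    # Read the live log plus its rotated copies (messages.1, ...), which Slackware keeps uncompressed.
    paths = sys.argv[1:] or sorted(glob.glob("/var/log/messages*"))
    lines = []
    for path in paths:
        with open(path, errors="replace") as fh:
            lines.extend(fh)
    lines = lines or SAMPLE_LOG.splitlines()
    stats = failed_logins_by_source(lines)
    for ip in suspicious_sources(lines):
        count, users = stats[ip]
        print(f"{ip}: {count} failed logins, {len(users)} distinct usernames")
```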
 
Old 05-03-2013, 04:36 AM   #2
dc_eros
Member
 
Registered: Nov 2006
Distribution: Slackware
Posts: 292

Rep: Reputation: 39
iptables?

Take a look here: http://www.cyberciti.biz/faq/linux-iptables-drop/

Code:
/sbin/iptables -I INPUT -s {IP-HERE} -j DROP
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
In my server though, only port 80 and port 443 are open to public. The rest are restricted to my home and office IP address like sshd.
 
Old 05-03-2013, 04:49 AM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592
Blog Entries: 2

Rep: Reputation: 4046
Install and configure fail2ban, exactly the service that you need for your purpose.
 
1 members found this post helpful.
Old 05-03-2013, 06:05 AM   #4
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,553

Rep: Reputation: 424
Or try sshblock which is available on SBo
 
Old 05-03-2013, 06:23 AM   #5
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,754

Rep: Reputation: 169
How about configuring SSH to use shared keys? That way you can disable password logins altogether.
 
Old 05-03-2013, 07:27 AM   #6
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,735

Rep: Reputation: 1265
Quote:
Originally Posted by rkelsen View Post
How about configuring SSH to use shared keys? That way you can disable password logins altogether.
you can try to duckduckgo (google) on it, you can surely find a solution quickly.

just a comment:
instead of cat filename | grep pattern just use grep pattern filename
 
Old 05-03-2013, 08:10 AM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,042

Rep: Reputation: 761
There is also DenyHosts (http://denyhosts.sourceforge.net/). Been around for quite a while. It monitors your logs and when it sees this sort of activity it creates an entry for you in iptables or /etc/hosts.deny (either of these will stop a site from connecting); it's a daemon, it works (been using it for years).

Other options are country blocks, see for example http://ipinfodb.com/ip_country_block.php#blocklist. You can get iptables or htaccess entries and just block the entire country (China, for example, is a good one to block along with Russia, both Koreas, and others). You get the list and write a little AWK program that creates the iptables entry, pretty easy.

If you're open to the Internet you're going to get whacked by script kiddies and bad actors (such as China); DenyHosts (along with the other methods in other posts above) is a good tool that you don't have to fiddle with constantly and does a good job.

Hope this helps some.
 
Old 05-04-2013, 12:47 AM   #8
kite
Member
 
Registered: Aug 2003
Location: Shenzhen, China
Distribution: Slackware
Posts: 301

Rep: Reputation: 47
Why just block IP from China? Do you mean there is no bad hacker from US etc?

For sshd protection, normally I just change the port number.
 
Old 05-04-2013, 01:41 AM   #9
dh2k
Member
 
Registered: Jan 2006
Distribution: Slackware 13.0 (KDE 3.5.10 from 12.2; Xfce 4.6; Fluxbox); Slackware 13.1 (KDE 4.5)
Posts: 203

Original Poster
Rep: Reputation: 44
Access lists are to be implemented (whitelists and blacklists) -
I will post more info on how to set these up for other viewers/readers.

Why does slackware have more than one 'messages' file? e.g.
ls -lah /var/log/ | grep messages
-rw-r--r-- 1 root root 460K May 4 07:26 messages
-rw-r--r-- 1 root root 1.8M Apr 26 04:30 messages.1
-rw-r--r-- 1 root root 170K Apr 7 04:34 messages.2
-rw-r--r-- 1 root root 358K Apr 4 04:26 messages.3
-rw-r--r-- 1 root root 190K Mar 24 04:38 messages.4

?
 
Old 05-04-2013, 02:30 AM   #10
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,447

Rep: Reputation: 875
those are just rotated logs ("man logrotate").
 
Old 05-04-2013, 02:30 AM   #11
BrZ
Member
 
Registered: Apr 2009
Distribution: Slackware
Posts: 494

Rep: Reputation: 81
Rotated logs (logrotate). If you don't already, change the default port ASAP!
 
Old 05-04-2013, 03:05 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Quote:
Originally Posted by dh2k View Post
any info on how to blacklist known IPs for sshd (and other/all services)
Default answer, the SSH sticky: http://www.linuxquestions.org/questi...tempts-340366/

Reasons for not using DenyHosts in its default configuration: http://www.linuxquestions.org/questi...iptables-3036/
Reasons for not changing the port SSH listens on: /etc/services (as in IANA assigned ports aka interoperability and obfuscation)
Wrt using RBLs like DShield, OpenBL.org I think its use is debatable as it doesn't relate to local conditions. In other words you may be investing resources in banning hosts that may have either scanned your particular ranges ages ago or will never scan your range RSN. (Also see this (2008) and this (more recent).)

Last edited by unSpawn; 05-04-2013 at 05:01 AM. Reason: //More *is* more
 
Old 05-04-2013, 07:26 AM   #13
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,042

Rep: Reputation: 761
Quote:
Originally Posted by kite View Post
Why just block IP from China? Do you mean there is no bad hacker from US etc?
Of course there is "bad hacker" activity in/from the US (and pretty much every other country in the world); however, the lion's share originates in China.
Quote:
Top 10 Source IPs

IP Address        Country   Reports   Target IPs   First Seen   Last Seen
180.153.224.106   ()        358,888   111,812      2013-02-28   2013-05-04
218.059.215.185   (CN)      194,838    98,392      2013-04-01   2013-05-04
061.156.238.056   (CN)      264,319    92,567      2013-03-06   2013-05-04
114.112.069.049   (CN)      152,481    89,301      2013-03-18   2013-05-03
094.142.155.123   (IS)      436,078    83,118      2013-03-05   2013-05-04
178.172.235.046   (BY)       92,085    83,118      2013-03-28   2013-05-03
176.010.035.241   (IS)      564,139    78,938      2013-01-26   2013-05-04
118.244.014.049   (CN)      156,341    70,269      2013-03-16   2013-05-04
178.255.087.241   (GB)       70,226    68,918      2012-05-15   2013-05-04
060.214.233.220   (CN)      373,227    68,343      2013-03-17   2013-05-04
Who is 180.153.224.106 (the one with no country code)?
Code:
whois 180.153.224.106
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        180.152.0.0 - 180.159.255.255
netname:        CHINANET-SH
descr:          CHINANET SHANGHAI PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
admin-c:        WWQ4-AP
tech-c:         WWQ4-AP
country:        CN
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        hm-changed@apnic.net 20090821
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-SH
source:         APNIC

person:         Weng Wen Qian
address:        Room 2405,357 Songlin Road,Shanghai 200122
country:        CN
phone:          +86-21-68405784
fax-no:         +86-21-50623458
e-mail:         wengwq@online.sh.cn
nic-hdl:        WWQ4-AP
mnt-by:         MAINT-CHINANET-SH
changed:        ip-admin@mail.online.sh.cn 20050403
source:         APNIC
The source for the above is SANS Internet Storm Center (https://isc.sans.edu/). Go look for yourself, all sorts of interesting data and reports.

While you're about it, go read http://www.economist.com/news/specia...bashed-masters and make up your own mind.

Script kiddies and port scanners are one thing, state-sponsored attacks are quite another. Do countries spy on one another? Of course they do and have done so for thousands of years in one form or another. It seems, though, that China has taken it to a new level.

Hope this helps some.
 
Old 05-04-2013, 08:13 AM   #14
chemfire
Member
 
Registered: Sep 2012
Posts: 69

Rep: Reputation: Disabled
Personally I don't see the need for fail2ban in this situation. It's one more package he has to install and one more thing that has to be memory resident. The kernel and some iptables rules already offer what is needed.

If you use a strong password or disable password authentication and use ssh keys, then slowing down an attacker is enough to prevent a brute force attack from working and spare your logs.


Code:
iptables -A INPUT -p TCP -m state --state NEW -m recent --name probe_list --update --seconds 300 --hitcount 5 -j DROP

iptables -A INPUT -p TCP -s 0/0 --destination-port 22 -m state --state NEW -m recent --name probe_list --set

iptables -A INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT
What this will do is cause netfilter to keep track of recent connection setups on port 22. It will have a hold time of 300 seconds, if there are more than 5 entries from the same source ip in that time it will refuse new connections. You can play with the hold time and hitcounts but I have found these values are very effective at stopping brute force attacks (they just give up and move on when they start seeing the port as closed after 5 hits) and not causing me any usability problems.

I would reserve things like fail2ban for other services like web applications where it's normal for a client to be repeatedly establishing TCP sessions or anything UDP.

Last edited by chemfire; 05-04-2013 at 08:16 AM.
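As an added illustration (not chemfire's code), this Python model applies the xt_recent semantics of the three rules above to a constructed sequence of new connections, so you can see which attempts each rule lets through and when a quiet source is released again; the 203.0.113.7 and 198.51.100.20 addresses are documentation ranges and the timings are made up.

```python
from collections import defaultdict

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 5           # --hitcount 5

class RecentSshFilter:
    """Model of the three rules above for a new TCP connection to port 22.

    Rule 1: -m recent --name probe_list --update --seconds 300 --hitcount 5 -j DROP
    Rule 2: -m recent --name probe_list --set      (reached only if rule 1 did not match)
    Rule 3: -j ACCEPT
    xt_recent keeps a timestamp list per source address; --set always appends
    the packet, while --update appends it only when the rule matched.
    """

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)  # source ip -> packet timestamps

    def new_connection(self, src, now):
        """Verdict ('ACCEPT' or 'DROP') for a new connection from src at time now."""
        # Stamps older than the window are ignored when counting hits.
        in_window = [t for t in self.stamps[src] if now - t <= self.seconds]
        self.stamps[src] = in_window + [now]   # rule 1 match or rule 2 --set records it
        # Rule 1: hitcount or more stamps inside the window -> DROP. Because the
        # matching --update also recorded this packet, a scanner that keeps
        # hammering stays blocked; it is released only after it goes quiet.
        if len(in_window) >= self.hitcount:
            return "DROP"
        return "ACCEPT"   # rule 3

def simulate(attempts, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Apply the rule set to (time, src) attempts; return (time, src, verdict) triples."""
    f = RecentSshFilter(seconds, hitcount)
    return [(t, src, f.new_connection(src, t)) for t, src in sorted(attempts)]

# Constructed scenario (documentation addresses): a scanner sends eight SYNs ten
# seconds apart, retries at t=300 and t=400; an admin logs in twice, 325 s apart.
SCENARIO = (
    [(t, "203.0.113.7") for t in range(0, 80, 10)]
    + [(300, "203.0.113.7"), (400, "203.0.113.7")]
    + [(25, "198.51.100.20"), (350, "198.51.100.20")]
)

if __name__ == "__main__":
    for t, src, verdict in simulate(SCENARIO):
        print(f"t={t:4d}s  {src:15s}  {verdict}")
```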
 
Old 05-04-2013, 08:39 AM   #15
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Rep: Reputation: 23
Disable password logins and allow only ssh keys. In addition disable remote root logins. Oh, and make your root password long.
 