LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-11-2009, 02:00 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
squid - prevent brute force attacks on ncsa auth


Is there a way to prevent or perhaps racks multiple failed logins though ncsa_auth on squid?
I am getting a whole host of 407 errors in the access.logs

Code:
USERID	IP/NAME	DATE/TIME	ACCESSED SITE
122.227.164.96	122.227.164.96	08/10/2009-06:28:51	http://proxyjudge1.proxyfire.net/fastenv
123.134.95.243	123.134.95.243	08/10/2009-12:54:18	http://www.spedia.net/sp_login.htm
		08/10/2009-13:23:31	http://www.spedia.net/sp_login.htm
174.36.237.104	174.36.237.104-static.reverse.softlayer.com	08/10/2009-07:05:06	http://74.63.225.44/phps.php
		08/10/2009-07:22:54	http://74.63.225.44/phps.php
		08/10/2009-07:05:06	http://www.yahoo.com/
		08/10/2009-07:22:54	http://www.yahoo.com/
208.112.91.102	goodsportmedia.com	08/10/2009-07:56:45	http://proxyjudge.securityscanner.org/
		08/10/2009-07:57:45	http://proxyjudge.securityscanner.org/
		08/10/2009-07:56:45	www.google.com:443
		08/10/2009-07:57:45	www.google.com:443
221.195.40.70	221.195.40.70	08/09/2009-10:51:27	http://www.yahoo.com/
		08/09/2009-10:51:28	http://www.yahoo.com/
		08/09/2009-18:37:24	http://www.yahoo.com/
		08/09/2009-18:37:24	http://www.yahoo.com/
221.195.73.68	221.195.73.68	08/09/2009-12:30:43	http://pv.wantsfly.com/prx.php?
		08/09/2009-12:30:43	http://pv.wantsfly.com/prx.php?
		08/10/2009-19:57:21	http://pv.wantsfly.com/prx.php?
		08/10/2009-19:57:21	http://pv.wantsfly.com/prx.php?
222.208.183.218	222.208.183.218	08/10/2009-18:26:39	http://proxyjudge1.proxyfire.net/fastenv
		08/10/2009-19:36:59	http://proxyjudge2.proxyfire.net/fastenv
		08/10/2009-19:39:53	http://sevy.eu.org/azenv.php
		08/10/2009-20:45:33	http://sevy.eu.org/azenv.php
		08/10/2009-20:49:33	http://sevy.eu.org/azenv.php
		08/10/2009-18:28:12	http://zerg.helllabs.net/cgi-bin/textenv.pl
		08/10/2009-21:56:23	http://zerg.helllabs.net/cgi-bin/textenv.pl
		08/10/2009-21:57:11	http://zerg.helllabs.net/cgi-bin/textenv.pl
61.160.216.187	61.160.216.187	08/10/2009-14:26:30	http://www.wantsfly.com/prx.php?
		08/10/2009-14:26:39	http://www.wantsfly.com/prx.php?
74.63.225.44	44-225-63-74.reverse.lstn.net	08/09/2009-23:51:44	http://74.63.225.44/phps.php
		08/10/2009-01:09:14	http://74.63.225.44/phps.php
		08/10/2009-01:09:14	http://www.yahoo.com/
88.80.7.248	a7-248-n44.cust.prq.se	08/09/2009-19:25:41	http://88.80.7.248/pp/anp.php?

Last edited by qwertyjjj; 08-11-2009 at 02:14 PM.
 
Old 08-11-2009, 06:30 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
If a client access the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.
 
Old 08-12-2009, 03:07 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
If a client access the proxy without providing authentication information the proxy will return the 407 error code. That is a Good Thing.
Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?
 
Old 08-12-2009, 07:29 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by qwertyjjj View Post
Yes! But I want to know if they are trying repeatedly to brute force their way by the ncsa_auth.
There doesn't seem to be a way in squid to log IP auth requests through ncsa_auth - or is there?
Doesn't Sarg provides authentication failures reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:
Code:
1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html
 
Old 08-12-2009, 07:33 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
Doesn't Sarg provides authentication failures reporting? Doesn't your log include lines showing "DENIED/407"? Any log watcher that is capable of filtering regexes from the log and responding with custom actions should be able to work on lines like this:
Code:
1140701230.827 781 192.168.11.01 TCP_DENIED/407 1785 GET http://www.linuxquestions.org/ user NONE/- text/html
Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.
 
Old 08-12-2009, 07:41 AM   #6
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by qwertyjjj View Post
Yes, sarg gave me those lines.
But there's nothing automatic that can ban them as soon as they try logging in say x times in x minutes?
I thought fail2ban only did ssh and a few other things.
fail2ban blocks ssh and http by default
 
Old 08-12-2009, 07:45 AM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by centosboy View Post
fail2ban blocks ssh and http by default
but not squid ncsa_auth ?
 
Old 08-12-2009, 07:47 AM   #8
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by qwertyjjj View Post
but not squid ncsa_auth ?
i dont know if you can configure it to do so, as that was beyond the realm of what i needed it for.

this will tell you - if you can be bothered to read it

Code:
http://www.fail2ban.org/wiki/index.php/HOWTOs
 
Old 08-12-2009, 07:52 AM   #9
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by centosboy View Post
i dont know if you can configure it to do so, as that was beyond the realm of what i needed it for.

this will tell you - if you can be bothered to read it

Code:
http://www.fail2ban.org/wiki/index.php/HOWTOs
Looks like something needs to be coded in the regex to look through the denied 407 lines in the logs.
http://www.ducea.com/2006/07/03/usin...force-attacks/

Something would need to check the squid access log for TCP/DENIED 407 errors.
I'll check on the squid user group and post back here.

Last edited by qwertyjjj; 08-12-2009 at 07:58 AM.
 
Old 08-13-2009, 06:34 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
IMO regexes are general stuff, I doubt the Squid user group is the right place for it, rather the fail2ban mailing list. The problem is that Squid logs in epoch-stylee and not syslog-like or human readable. I'm not sure about the timeregex / timepattern (%s?) vars but since 'awk '/TCP_DENIED\/407/ {print $3}' /path/to/logfile' prints the IP you need, maybe the failregex could look like ": .*TCP_DENIED\/407.*"?..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] MySql-ban brute force attacks? qwertyjjj Linux - Software 3 08-10-2009 05:28 AM
LXer: Prevent brute force attacks on SSH servers with DenyHosts LXer Syndicated Linux News 0 07-07-2009 08:20 AM
Does anyone know if guardian can be set to block brute force attacks and only brute f abefroman Linux - Software 2 06-05-2008 10:55 AM
LXer: Preventing Brute Force Attacks With Fail2ban On OpenSUSE 10.3 LXer Syndicated Linux News 0 10-15-2007 03:50 PM
Question on Brute Force Attacks Mad Mike Linux - Security 4 10-16-2006 10:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration