* repeated failed logons and ignoring them
From: tyche @ 2006-06-26 11:02 UTC
To: netfilter
Over the last few days, my server has been attacked. I would
like to limit remote logon attempts by address so that if
someone tries to log on from an IP address and fails 3 times,
my computer will ignore repeated attempts from that IP
address. Any idea how to make a rule for this?
TIA
tyche
--
Win9x
A 32 bit extension
to a 16 bit patch
for an 8 bit operating system
on a 4 bit machine
by a 2 bit company
that can't stand 1 bit of competition
-----------------------------------------------------------------------------
This Email is powered by ICA Canada OnLine
http://www.icacanadaonline.com
* Re: repeated failed logons and ignoring them
From: Sebastien Tricaud @ 2006-06-26 11:43 UTC
To: tyche; +Cc: netfilter
Netfilter doesn't know about authentication success or failure. Linux
PAM is what you are looking for.
You can simply modify your PAM configuration and use the pam_access
and/or pam_tally module.
You can read documentation about it there:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html
tyche wrote:
> over the last few days, my server has been attacked. i would
> like to limit remote logon attempts by address so that if
> someone tries to logon from an ip address and fails 3 times,
> my computer will ignore repeated attempts from that ip
> address. any idea how to make a rule for this?
>
> tia
>
> tyche
>
* Re: repeated failed logons and ignoring them
From: Rob Sterenborg @ 2006-06-26 12:11 UTC
To: netfilter
On Mon, June 26, 2006 13:02, tyche wrote:
> over the last few days, my server has been attacked. i would like to limit
> remote logon attempts by address so that if someone tries to logon from an ip
> address and fails 3 times, my computer will ignore repeated attempts from that
> ip address. any idea how to make a rule for this?
What type of logon? SSH, telnet, ...?
There is a Netfilter authentication project called NuFW. You can find it at:
http://www.nufw.org/index.php3?lang=en.
Maybe it can help you accomplish what you need.
Gr,
Rob
* Re: repeated failed logons and ignoring them
From: Tim Evans @ 2006-06-26 12:29 UTC
To: tyche, netfilter
On Mon, 26 Jun 2006 07:02:57 -0400, tyche wrote
> over the last few days, my server has been attacked. i would
> like to limit remote logon attempts by address so that if
> someone tries to logon from an ip address and fails 3 times,
> my computer will ignore repeated attempts from that ip
> address. any idea how to make a rule for this?
For blocking ssh logins, see http://denyhosts.sourceforge.net/
--
Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court
tkevans@tkevans.com | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
* Re: repeated failed logons and ignoring them
From: Nicolas Mailhot @ 2006-06-26 14:20 UTC
To: tyche; +Cc: netfilter
tyche wrote:
> over the last few days, my server has been attacked. i would
> like to limit remote logon attempts by address so that if
> someone tries to logon from an ip address and fails 3 times,
> my computer will ignore repeated attempts from that ip
> address. any idea how to make a rule for this?
You want to try something like pam_abl.
--
Nicolas Mailhot
* Re: repeated failed logons and ignoring them
From: Shane Spencer @ 2006-06-26 17:48 UTC
To: tyche; +Cc: netfilter
fail2ban is a configurable daemon for doing just this. It has a good
default config for ssh and some templates for apache/etc.
Shane
On 6/26/06, tyche <tyche@ica.net> wrote:
> over the last few days, my server has been attacked. i would
> like to limit remote logon attempts by address so that if
> someone tries to logon from an ip address and fails 3 times,
> my computer will ignore repeated attempts from that ip
> address. any idea how to make a rule for this?
>
> tia
>
> tyche
* Re: repeated failed logons and ignoring them
From: tyche @ 2006-06-26 19:44 UTC
To: netfilter
On Monday 26 June 2006 08:11, Rob Sterenborg wrote:
> On Mon, June 26, 2006 13:02, tyche wrote:
> > over the last few days, my server has been attacked. i
> > would like to limit remote logon attempts by address so
> > that if someone tries to logon from an ip address and
> > fails 3 times, my computer will ignore repeated attempts
> > from that ip address. any idea how to make a rule for
> > this?
>
> What type of logon? SSH, telnet, ...?
Sorry, that's what comes from typing email when you're still asleep.
Most seem to be hitting my sshd, though the username/password
combo leads me to believe that the person is using a database
to try to overload the server.
Killed some PIDs that were owned by sshd and they kept
cropping up faster than I could kill them.
>
> There is a Netfilter authentication project called NuFW.
> You can find it at: http://www.nufw.org/index.php3?lang=en.
> Maybe it can help you accomplish what you need.
Thank you, will look into that.
tyche
* Re: repeated failed logons and ignoring them
From: Nicolas Mailhot @ 2006-06-26 20:12 UTC
To: tyche; +Cc: netfilter
On Monday 26 June 2006 at 15:44 -0400, tyche wrote:
> On Monday 26 June 2006 08:11, Rob Sterenborg wrote:
> > On Mon, June 26, 2006 13:02, tyche wrote:
> > > over the last few days, my server has been attacked. i
> > > would like to limit remote logon attempts by address so
> > > that if someone tries to logon from an ip address and
> > > fails 3 times, my computer will ignore repeated attempts
> > > from that ip address. any idea how to make a rule for
> > > this?
> >
> > What type of logon? SSH, telnet, ...?
>
> sorry, what comes from typing email when your still asleep.
> most seem to be hitting my sshd, tho the username/password
> combo leads me to believe that the person is using a database
> to try to overload the server.
>
> killed some pids that where owned by sshd and they kept
> cropping up faster than i could kill them.
Installing pam_abl can be an eye-opener:
/usr/sbin/pam_abl
Failed users:
...
aaliyah (1)
Not blocking
aaron (9)
Not blocking
aarti (1)
Not blocking
ab (1)
Not blocking
aba (1)
Not blocking
abarisic (2)
Not blocking
abarros (1)
Not blocking
abb (1)
Not blocking
abbey (1)
Not blocking
abbey1 (1)
Not blocking
abbey123 (1)
Not blocking
...
rooot (1)
Not blocking
root (367)
Blocking users [!root]
root-admin (5)
Not blocking
root-oliver (3)
Not blocking
root1 (1)
Not blocking
...
Failed hosts:
...
wpc0963.amenworld.com (3379)
Not blocking
yer91-3-82-245-132-80.fbx.proxad.net (168)
Blocking users [*]
Meaning sometime in the last two months wpc0963.amenworld.com tried to
do a brute-force attack with 3379 logons, but it's old so the host is
allowed to try again, while yer91-3-82-245-132-80.fbx.proxad.net has
already passed the threshold and this is recent, so it's still blocked.
This also shows few accounts except root are hammered; most malware just
tries every account it can think of once, so non-trivial passwords help
a lot more than unusual account names.
Regards,
--
Nicolas Mailhot
* RE: repeated failed logons and ignoring them
From: Rob Sterenborg @ 2006-06-26 20:57 UTC
To: netfilter
>> What type of logon? SSH, telnet, ...?
>
> sorry, what comes from typing email when your still asleep.
> most seem to be hitting my sshd, tho the username/password
> combo leads me to believe that the person is using a database
> to try to overload the server.
>
> killed some pids that where owned by sshd and they kept
> cropping up faster than i could kill them.
You may want to use SSH public/private-key auth, not password auth. It's
not really hard to implement and you wouldn't be bothered by
user/pass-guessing as any attempt to log on that way will just be denied.
Gr,
Rob
* Re: repeated failed logons and ignoring them
From: Alexander Samad @ 2006-06-26 22:21 UTC
To: netfilter
On Mon, Jun 26, 2006 at 10:57:45PM +0200, Rob Sterenborg wrote:
> >> What type of logon? SSH, telnet, ...?
> >
> > sorry, what comes from typing email when your still asleep.
> > most seem to be hitting my sshd, tho the username/password
> > combo leads me to believe that the person is using a database
> > to try to overload the server.
> >
> > killed some pids that where owned by sshd and they kept
> > cropping up faster than i could kill them.
>
> You may want to use SSH public/private-key auth, not password auth. It's
> not really hard to implement and you wouldn'd be bothered by
> user/pass-guessing as any attempt to logon that way will just be denied.
Something that was suggested on the mailing list previously:
# Create the chain first and append with -A so the rules keep this order
# (with -I every rule lands at the top, so the DROP would sit above the ACCEPT)
iptables -N SSH
iptables -A INPUT -p tcp --dport 22 -j SSH
# Packets of already-accepted sessions pass; only NEW connections are rate-limited
iptables -A SSH -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH -p tcp --dport 22 -m state --state NEW -m limit --limit 2/hour --limit-burst 3 -j ACCEPT
iptables -A SSH -j DROP
Then just refine the initial filter in INPUT.
Slows them right down!
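The log-driven approach that fail2ban and pam_abl take, applied to tyche's original ask (three failures from one address, then ignore that address), as an added example that is not from the thread: it parses constructed sshd log lines, counts failures per source inside a sliding window, and tallies failed accounts the way pam_abl's "Failed users" list does. Every log line, hostname and address below is made up; the host list it returns is what a script would turn into Netfilter DROP rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sshd auth.log lines (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Jun 26 07:01:02 host sshd[4101]: Failed password for root from 192.0.2.10 port 40110 ssh2
Jun 26 07:01:05 host sshd[4102]: Failed password for invalid user aaron from 192.0.2.10 port 40111 ssh2
Jun 26 07:01:09 host sshd[4103]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jun 26 07:01:10 host sshd[4104]: Accepted publickey for tyche from 192.0.2.20 port 51000 ssh2
Jun 26 07:02:00 host sshd[4105]: Failed password for root from 192.0.2.30 port 22001 ssh2
Jun 26 09:15:00 host sshd[4106]: Failed password for root from 192.0.2.30 port 22002 ssh2
Jun 26 09:15:03 host sshd[4107]: Failed password for invalid user abbey from 192.0.2.30 port 22003 ssh2
"""

# OpenSSH "Failed password" line; "invalid user" appears only for nonexistent accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2006):
    """Yield (timestamp, user, ip) per failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def hosts_to_block(log_text, threshold=3, window=timedelta(hours=1)):
    """{ip: decision time} for sources with >= threshold failures inside one
    sliding window; older failures expire (pam_abl's 'allowed to try again')."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    blocked = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

def failed_user_tally(log_text):
    """Per-account failure counts, the shape of pam_abl's 'Failed users' list."""
    tally = defaultdict(int)
    for _ts, user, _ip in parse_failures(log_text):
        tally[user] += 1
    return dict(tally)
```

With the default threshold only 192.0.2.10 is listed; 192.0.2.30's first failure has aged out of the one-hour window by the time its later two arrive, which is the same distinction pam_abl draws between the old amenworld host and the recent proxad one.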
* Re: repeated failed logons and ignoring them
From: Michael Rash @ 2006-06-27 2:20 UTC
To: netfilter
Why let arbitrary IP addresses connect to your SSH daemon? There have
been remotely exploitable vulnerabilities discovered in various SSH
implementations, and these vulnerabilities generally have nothing to
do with trying to brute force passwords.
You might be interested in "fwknop" which implements a passive
authorization scheme called "Single Packet Authorization" in conjunction
with Netfilter configured in a default-drop stance:
http://www.cipherdyne.org/fwknop/
Here is a HOWTO on setting up fwknop to use GnuPG keys:
http://www.cipherdyne.org/fwknop/docs/gpghowto.html
--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
On Jun 26, 2006, tyche wrote:
> over the last few days, my server has been attacked. i would
> like to limit remote logon attempts by address so that if
> someone tries to logon from an ip address and fails 3 times,
> my computer will ignore repeated attempts from that ip
> address. any idea how to make a rule for this?
>
> tia
>
> tyche