On Mon, 2009-05-04 at 22:49 +0800, John Summerfield wrote:
> Robert G. (Doc) Savage wrote:
> > I'm trying to contend with global SSH brute force attacks with fail2ban.
> > Apparently I have one or more settings/permissions wrong. Iptables is
> > not being updated despite waves of attacks, and I'm not getting any
> > e-mail warnings. Suggestions anybody?
> >
> > --Doc Savage
> > Fairview Heights, IL
> >
> > I've made the following changes to /etc/fail2ban.conf:
> >
> > background = true
> > bantime = -1
> > ignoreip = 192.168.1.1/24
> > [MAIL] notification
> > enabled = true
> >
> > Here is a sample entry from /var/log/secure for an attack on user
> > 'nagios':
> >
> > May 3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for
> > 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
> > May 3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51
> > user=nagios
> > May 3 08:41:22 lion sshd[30068]: Failed password for nagios from
> > 200.66.82.51 port 35501 ssh2
> > May 3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51:
> > 11: Bye Bye
>
> I am curious.
>
> I only manage small networks, with little expected ssh traffic. I use
> iptables to limit the number of connexion attempts per hour to two or so.
>
> I find I block 90% or so of bad ssh connexions, nothing short of a
> distributed attack can hope to enumerate passwords, and I don't have
> enough bandwidth for anyone to make a realistic attempt to guess a password.
>
> I get messages like yours above, but not enough to trouble me. I don't
> expect ever to get none, but on the other hand it's possible someone
> might need to connect some time without a key, and maybe get the
> password wrong in the process of trying to use it.
>
> I'm sure that there are good reasons my method won't work, but I'd like
> to know some of them, just in case.
>
> How many ssh connexions do you expect?
> How many are you receiving?
>
> Here are my relevant rules:
>
> LOG     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW limit: avg 5/hour burst 5 LOG flags 0 level 4 prefix `SSH connexion '
> ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW limit: avg 5/hour burst 5
> LOG     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 LOG flags 0 level 4 prefix `SSH connexion attack dropped '
> DROP    tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22
>
> Before these, there are rules for sites explicitly allowed, so these
> rules apply to the rest of the world. Would something of this kind help
> you? I would think a limit well above your expected rate (or, like me,
> some rules to permit approved locations) might help.
John,

Today's logwatch e-mail report is smaller than usual, but fairly typical:

 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (200.66.82.51): 437 Time(s)
       xxxxx (200.66.82.51): 14 Time(s)
       xxxxxx (200.66.82.51): 8 Time(s)
       xxxxx (200.66.82.51): 8 Time(s)
       xxxxxx (200.66.82.51): 6 Time(s)
       xxx (200.66.82.51): 5 Time(s)
       xxx (200.66.82.51): 4 Time(s)
       xxxxx (200.66.82.51): 4 Time(s)
       xxxxxxx (200.66.82.51): 4 Time(s)
       root (200.66.82.51): 2 Time(s)
       xxxxxxxx (200.66.82.51): 1 Time(s)
       xxxxx (200.66.82.51): 1 Time(s)
       root (nlos-41.222.17.240.iconnect.zm): 1 Time(s)
    Invalid Users:
       Unknown Account: 437 Time(s)

 ---------------------- pam_unix End -------------------------

 --------------------- SSHD Begin ------------------------

 Failed logins from:
    41.222.17.240 (nlos-41.222.17.240.iconnect.zm): 1 time
    200.66.82.51 (51.82.66.200.in-addr.arpa): 57 times

 Illegal users from:
    200.66.82.51 (51.82.66.200.in-addr.arpa): 437 times

 Users logging in through sshd:
    root:
       192.168.1.XXX (xxxxxxxxxx.xxxxxxxxx.xxx): 1 time

 Received disconnect:
    11: Bye Bye : 494 Time(s)

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user CounterStrike : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tribox : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user teamspeak : 10 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user info : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user informix : 8 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web7 : 16 time(s)
 ...
 pam_succeed_if(sshd:auth): error retrieving information about user ts : 15 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user cod3 : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web4 : 3 time(s)

 ---------------------- SSHD End -------------------------

Those 437 Unknown Account failures appear to be typical of your script kiddie brute force attack. Some days logwatch reports over 2,000 failed attempts. What annoys the crap out of me is that most of the attacking IP addresses resolve to PRC. I'm pretty careful about setting up my systems to minimize the number of services and accounts, and to use strong passwords. When I read about fail2ban it seemed to be a solid way to use iptables to further harden my system against those IP addresses that demonstrably make obnoxious asses of themselves -- People's Liberation Army or whoever.

--Doc

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
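As an added illustration (not code from the thread or from fail2ban itself) of what a fail2ban-style sshd jail does with log lines like Doc's /var/log/secure excerpt: count "Failed password" lines per source address inside a findtime window, skip anything covered by ignoreip, and produce the iptables DROP rule a ban would install. The sample log lines, the year 2009, and the maxretry/findtime values are constructed or assumed, and the ignoreip parser shows how a value like Doc's 192.168.1.1/24 (host bits set) is treated.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample modelled on the thread's /var/log/secure excerpt.
SAMPLE_LOG = """\
May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51 user=nagios
May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May  3 08:41:25 lion sshd[30070]: Failed password for invalid user teamspeak from 200.66.82.51 port 35502 ssh2
May  3 08:41:27 lion sshd[30071]: Failed password for invalid user web7 from 200.66.82.51 port 35503 ssh2
May  3 08:41:30 lion sshd[30072]: Failed password for root from 192.168.1.10 port 40000 ssh2
May  3 08:41:31 lion sshd[30073]: Failed password for root from 192.168.1.10 port 40001 ssh2
May  3 08:41:32 lion sshd[30074]: Failed password for root from 192.168.1.10 port 40002 ssh2
May  3 09:55:00 lion sshd[30075]: Failed password for root from 41.222.17.240 port 1234 ssh2
"""

# Only "Failed password" lines count; the pam_unix line of the same attempt would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; 2009 (the mail's date) is assumed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def ignore_networks(spec):
    """Parse an ignoreip list; strict=False accepts '192.168.1.1/24' (host bits set) as 192.168.1.0/24."""
    return [ipaddress.ip_network(s, strict=False) for s in spec.split()]

def find_bans(log, maxretry=3, findtime=600, ignoreip="127.0.0.1"):
    """Return {host: ban time} for hosts reaching maxretry failures within findtime seconds."""
    nets = ignore_networks(ignoreip)
    recent, banned = {}, {}  # host -> failure times still inside the window / banned hosts
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["host"] in banned:
            continue
        if any(ipaddress.ip_address(m["host"]) in net for net in nets):
            continue  # covered by ignoreip: never banned
        t = parse_ts(m["ts"])
        recent[m["host"]] = [x for x in recent.get(m["host"], []) if (t - x).total_seconds() <= findtime] + [t]
        if len(recent[m["host"]]) >= maxretry:
            banned[m["host"]] = t
    return banned

def ban_commands(banned):
    """The iptables rule a ban action would insert for each banned host."""
    return [f"iptables -I INPUT -s {host} -j DROP" for host in sorted(banned)]
```

Running `find_bans(SAMPLE_LOG, ignoreip="192.168.1.1/24")` bans only 200.66.82.51: the LAN host is whitelisted and 41.222.17.240 never reaches maxretry.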