On Mon, 2009-05-04 at 22:49 +0800, John Summerfield wrote:
> Robert G. (Doc) Savage wrote:
> > I'm trying to contend with global SSH brute force attacks with fail2ban.
> > Apparently I have one or more settings/permissions wrong. Iptables is
> > not being updated despite waves of attacks, and I'm not getting any
> > e-mail warnings. Suggestions anybody?
> > 
> > --Doc Savage
> >   Fairview Heights, IL
> > 
> > I've made the following changes to /etc/fail2ban.conf:
> > 
> >   background = true
> >   bantime = -1
> >   ignoreip = 192.168.1.1/24
> > [MAIL] notification 
> >   enabled = true
> > 
> > Here is a sample entry from /var/log/secure for an attack on user
> > 'nagios':
> > 
> > May  3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
> > May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51  user=nagios
> > May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
> > May  3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye
> 
> I am curious.
> 
> I only manage small networks, with little expected ssh traffic. I use 
> iptables to limit the number of connexion attempts per hour to two or so.
> 
> I find I block 90% or so of bad ssh connexions, nothing short of a 
> distributed attack can hope to enumerate passwords, and I don't have 
> enough bandwidth for anyone to make a realistic attempt to guess a password.
> 
> I get messages like yours above, but not enough to trouble me. I don't 
> expect ever to get none, but on the other hand it's possible someone 
> might need to connect some time without a key, and maybe get the 
> password wrong in the process of trying to use it.
> 
> I'm sure that there are good reasons my method won't work, but I'd like 
> to know some of them, just in case.
> 
> How many ssh connexions do you expect?
> How many are you receiving?
> 
> Here are my relevant rules:
> 
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW limit: avg 5/hour burst 5 LOG flags 0 level 4 prefix `SSH connexion '
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW limit: avg 5/hour burst 5
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 LOG flags 0 level 4 prefix `SSH connexion attack dropped '
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> 
> Before these, there are rules for sites explicitly allowed, so these 
> rules apply to the rest of the world. Would something of this kind help 
> you? I would think a limit well above your expected rate (or, like me, 
> some rules to permit approved locations) might help.

John,

Today's logwatch e-mail report is smaller than usual, but fairly
typical:

 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (200.66.82.51): 437 Time(s)
       xxxxx (200.66.82.51): 14 Time(s)
       xxxxxx (200.66.82.51): 8 Time(s)
       xxxxx (200.66.82.51): 8 Time(s)
       xxxxxx (200.66.82.51): 6 Time(s)
       xxx (200.66.82.51): 5 Time(s)
       xxx (200.66.82.51): 4 Time(s)
       xxxxx (200.66.82.51): 4 Time(s)
       xxxxxxx (200.66.82.51): 4 Time(s)
       root (200.66.82.51): 2 Time(s)
       xxxxxxxx (200.66.82.51): 1 Time(s)
       xxxxx (200.66.82.51): 1 Time(s)
       root (nlos-41.222.17.240.iconnect.zm): 1 Time(s)
    Invalid Users:
       Unknown Account: 437 Time(s)
 
 ---------------------- pam_unix End ------------------------- 

 --------------------- SSHD Begin ------------------------ 

 
 Failed logins from:
    41.222.17.240 (nlos-41.222.17.240.iconnect.zm): 1 time
    200.66.82.51 (51.82.66.200.in-addr.arpa): 57 times
 
 Illegal users from:
    200.66.82.51 (51.82.66.200.in-addr.arpa): 437 times
 
 Users logging in through sshd:
    root:
       192.168.1.XXX (xxxxxxxxxx.xxxxxxxxx.xxx): 1 time
 
 
 Received disconnect:
    11: Bye Bye : 494 Time(s)
 
 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user CounterStrike : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tribox : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user teamspeak : 10 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user info : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user informix : 8 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web7 : 16 time(s)
 ...
 pam_succeed_if(sshd:auth): error retrieving information about user ts : 15 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user cod3 : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web4 : 3 time(s)
 
 ---------------------- SSHD End ------------------------- 


Those 437 Unknown Account failures appear to be typical of your script
kiddie brute force attack. Some days logwatch reports over 2,000 failed
attempts. What annoys the crap out of me is that most of the attacking
IP addresses resolve to PRC. I'm pretty careful about setting up my
systems to minimize the number of services and accounts, and to use
strong passwords. When I read about fail2ban it seemed to be a solid way
to use iptables to further harden my system against those IP addresses
that demonstrably make obnoxious asses of themselves -- People's
Liberation Army or whoever.

--Doc

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
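The kind of sliding-window check fail2ban performs on /var/log/secure, as an added example for this thread (it is not fail2ban's code and not either poster's configuration): it parses sshd "Failed password" lines like the one quoted above, counts failures per source host inside a findtime window, honours an ignoreip-style allow list, and reports which hosts would be banned. The jail settings MAXRETRY, FINDTIME and IGNORE_NETS, the year 2009 supplied for the year-less syslog timestamps, and the regexes are all assumptions made here. The sample log is constructed: its first four lines are the quoted /var/log/secure excerpt, the rest (hosts 192.168.1.50 and 10.0.0.9, the extra attempts from 200.66.82.51) are made up to exercise the window and the allow list.

```python
"""Fail2ban-style sliding-window detection over sshd log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical jail settings, mirroring the knobs discussed in the thread.
MAXRETRY = 5                                            # failures before a host is banned
FINDTIME = timedelta(minutes=10)                        # window in which MAXRETRY failures must fall
IGNORE_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # ignoreip-style allow list (assumed)

# Syslog prefix as sshd writes it: "May  3 08:41:22 lion sshd[30068]: ..."
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Failure pattern modelled on sshd's "Failed password" message (constructed here,
# not copied from fail2ban's filter files).
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")


def parse_line(line, year=2009):
    """Return (timestamp, host) for a failed-login line, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2009)."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.match(m.group("msg"))
    if not f:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, f.group("host")


def is_ignored(host):
    """True if the host lies inside one of the IGNORE_NETS networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IGNORE_NETS)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time_of_ban} for hosts reaching maxretry failures within findtime.

    Each host keeps a deque of recent failure timestamps; entries older than
    findtime are dropped before the count is compared with maxretry, so slow
    attackers (and legitimate users who fumble a password now and then) never trip."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans or is_ignored(host):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:   # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


# Constructed sample: the first four lines are the /var/log/secure excerpt quoted in the
# thread; the rest are made up to exercise the window, the allow list and a slow attacker.
SAMPLE_LOG = [
    "May  3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!",
    "May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51  user=nagios",
    "May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2",
    "May  3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye",
    "May  3 08:41:27 lion sshd[30070]: Failed password for invalid user teamspeak from 200.66.82.51 port 35502 ssh2",
    "May  3 08:41:31 lion sshd[30072]: Failed password for root from 200.66.82.51 port 35503 ssh2",
    "May  3 08:41:40 lion sshd[30074]: Failed password for root from 41.222.17.240 port 44012 ssh2",
    "May  3 08:41:44 lion sshd[30076]: Failed password for invalid user web7 from 200.66.82.51 port 35504 ssh2",
    "May  3 08:41:50 lion sshd[30078]: Failed password for invalid user ts from 200.66.82.51 port 35505 ssh2",
    "May  3 08:41:55 lion sshd[30080]: Failed password for nagios from 200.66.82.51 port 35506 ssh2",
] + [
    # Six failures from the LAN (constructed): covered by IGNORE_NETS, so never counted.
    "May  3 08:42:%02d lion sshd[%d]: Failed password for root from 192.168.1.50 port 5000%d ssh2"
    % (i, 30090 + i, i)
    for i in range(6)
] + [
    # Five failures from 10.0.0.9 (constructed) five minutes apart: never 5 in one 10-minute window.
    "May  3 %02d:%02d:00 lion sshd[%d]: Failed password for root from 10.0.0.9 port 60000 ssh2"
    % (8 + (50 + 5 * i) // 60, (50 + 5 * i) % 60, 30200 + i)
    for i in range(5)
]

if __name__ == "__main__":
    for host, when in sorted(find_bans(SAMPLE_LOG).items()):
        print("ban %s at %s" % (host, when.strftime("%H:%M:%S")))
```

Run stand-alone it reports only 200.66.82.51, banned on its fifth failure at 08:41:50; 41.222.17.240 (one failure) and 10.0.0.9 (five failures spread over twenty minutes) stay below the threshold, and 192.168.1.50 is never counted because the allow list is checked before the window. Two things worth checking against one's own jail when it appears to do nothing, as in the first post: the regex must actually match the log format the daemon writes (here only the "Failed password" line counts, not the pam_unix or "Received disconnect" lines from the same attempt), and with a negative bantime bans never expire, so the ignoreip list has to cover every network an administrator could conceivably mistype a password from.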
