Re: denying spam hosts ssh access - good idea?
On Tue, Jan 12, 2010 at 11:36:11PM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
>
> >> - why not let your firewall do the blocking? If your blocking is IP
> >> based that's the place to block.
> >
> > I'm already under the University firewall. Only port 22 is let through.
> > But even that fills my logs.
>
> What I meant was that if you want to block IPs or ranges of IPs then a
> firewall is the place to block, it's efficient and simple.
>
> If your university firewall doesn't satisfy you there is nothing that
> hinders you from configuring firewall rules on your server.

thank you, I get it now.

anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: denying spam hosts ssh access - good idea?
Anton Shterenlikht wrote:

>> - why not let your firewall do the blocking? If your blocking is IP
>> based that's the place to block.
>
> I'm already under the University firewall. Only port 22 is let through.
> But even that fills my logs.

What I meant was that if you want to block IPs or ranges of IPs then a
firewall is the place to block, it's efficient and simple.

If your university firewall doesn't satisfy you there is nothing that
hinders you from configuring firewall rules on your server.

Cheers, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
Re: denying spam hosts ssh access - good idea?
On Tue, Jan 12, 2010 at 10:42:06AM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
>
> This is a returning topic, search the archives. Anyway, the returning
> answer:
>
> - why not let your firewall do the blocking? If your blocking is IP
> based that's the place to block.

I'm already under the University firewall. Only port 22 is let through.
But even that fills my logs.

> - why do you default to allow? How about default block, and then add the
> few good networks you know that actually need access? Restricting access
> to your own continent is a good start. I made this tool to create lists
> of ip ranges for individual countries:
>
> http://www.locolomo.org/pub/src/toolbox/inet.pl
>
> if you're in US then it may not work since some US companies have ranges
> delegated directly by IANA rather than ARIN, but these are few so it's
> easy to add ranges manually, check the list here:
>
> http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

thanks, will look at this

> - why allow password based authentication? disable password based
> authentication and rely on keys, then you can ignore all the brute force
> attempts.

I don't allow password based authentication.

> - above not a solution? See if you can tweak the sshd_config:
>
> MaxAuthTries
> MaxStartups
>
> can slow down brute force attacks preventing it from sucking up resources.

also a good idea, will look at this.

> Disable root login, restrict login to real users, if you have a group
> "users" just restrict to that using AllowGroups.

yes, this is in place.

> - trying to block individual offending hosts is futile, the attacker
> will usually try maybe a 1000 times, but the next one will likely come
> from a different address.

I guess this answers my question most directly.

From all the replies I got so far I gather that /etc/hosts.allow exists as
a historical heritage and no real use is made of it nowadays. Although
some people appear to like it (e.g. Samuel Martín Moro).

many thanks for your help and support.

anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: denying spam hosts ssh access - good idea?
Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.

This is a returning topic, search the archives. Anyway, the returning
answer:

- why not let your firewall do the blocking? If your blocking is IP
based that's the place to block.

- why do you default to allow? How about default block, and then add the
few good networks you know that actually need access? Restricting access
to your own continent is a good start. I made this tool to create lists
of ip ranges for individual countries:

http://www.locolomo.org/pub/src/toolbox/inet.pl

if you're in US then it may not work since some US companies have ranges
delegated directly by IANA rather than ARIN, but these are few so it's
easy to add ranges manually, check the list here:

http://www.iana.net/assignments/ipv4-address-space/ipv4-address-space.xml

- why allow password based authentication? disable password based
authentication and rely on keys, then you can ignore all the brute force
attempts.

- above not a solution? See if you can tweak the sshd_config:

MaxAuthTries
MaxStartups

can slow down brute force attacks preventing it from sucking up resources.

Disable root login, restrict login to real users, if you have a group
"users" just restrict to that using AllowGroups.

- trying to block individual offending hosts is futile, the attacker
will usually try maybe a 1000 times, but the next one will likely come
from a different address.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
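The sshd_config points Erik lists above (keys instead of passwords, no root login, MaxAuthTries, MaxStartups, AllowGroups) can be checked mechanically before an attacker finds the gap. The following POSIX sh script is an added example, not Erik's tool or anything posted in the thread; it assumes an OpenSSH sshd_config, inspects only the global section before the first Match block, and treats the first occurrence of a keyword as the effective one, as sshd does. The two sample configs it audits are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# hardening points Erik lists. Assumptions: FILE is an OpenSSH sshd_config;
# only the global section (before the first "Match" block) is inspected,
# and, as in sshd, the first occurrence of a keyword wins.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # strip comments
        tolower($1) == "match" { exit }         # stop at the first Match block
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Print one finding per line; output is empty when nothing is flagged.
audit_sshd_config() {
    f=$1
    v=$(sshd_global_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-yes (default)}': use keys and set it to no"
    v=$(sshd_global_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-default}': set it to no"
    v=$(sshd_global_value "$f" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 3 ] || echo "MaxAuthTries is '${v:-6 (default)}': lower it (e.g. 3)"
    v=$(sshd_global_value "$f" MaxStartups)
    [ -n "$v" ] || echo "MaxStartups unset: set e.g. 10:30:60 to throttle unauthenticated connections"
    v=$(sshd_global_value "$f" AllowGroups)
    [ -n "$v" ] || echo "AllowGroups unset: restrict logins to a group of real users"
}

# Number of findings, convenient for scripting.
audit_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs for demonstration (not real hosts).
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# permissive: nothing tightened in the global section
Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no   # only inside a Match block, so not global
EOF
cat >"$HARD" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
MaxStartups 10:30:60
AllowGroups users
EOF

echo "weak config:"; audit_sshd_config "$WEAK"
echo "hardened config: $(audit_count "$HARD") findings"
```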
Re: denying spam hosts ssh access - good idea?
On Mon, Jan 11, 2010 at 7:01 AM, Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?
>
> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?

Anton-

In the general theme of this thread -- not answering your question, but
providing an alternate solution -- sshguard from ports works fantastically
for me. It interfaces with both ipfw and pf firewalls (I use it with pf)
and has builtin timeout. I use syslog on several machines behind my
firewall to forward SSH authentication failures to my FreeBSD firewall
that uses PF and it quickly identifies and blocks bruteforce attacks.

From my syslog.conf:

!sshd
auth.info @wall

The handy thing here is that it has builtin timeout rules so if you do
something silly and block yourself out temporarily, it'll eventually
straighten itself out.

Cheers,
Ben
Re: denying spam hosts ssh access - good idea?
I had the same ssh-bruteforce troubles.
Here's the script I use against that. It's in cron, launched every 2 minutes.

#!/bin/sh
# Scan auth.log for failed ssh logins and add repeat offenders to hosts.deny.
AUTH=/var/log/auth.log
BKLST=/var/log/blacklist.log
HOSTS=/etc/hosts
DHOSTS=/etc/hosts.deny

# Collect the unique source addresses of all failed/invalid login attempts.
egrep -i "(illegal|invalid|failed)" $AUTH | awk -F "from" '{print $2}' | awk '{print $1}' | sort -u >$BKLST

for i in `cat $BKLST`; do
    # Count failures from this address. -F treats the dots literally and -w
    # stops "10.0.0.1" from also matching "10.0.0.10".
    nerr=`egrep -i "(illegal|invalid|failed)" $AUTH | grep -Fw -c -- "$i"`
    # Skip addresses already whitelisted in /etc/hosts or already denied.
    if [ "$nerr" -ge 3 ] && ! grep -Fqw -- "$i" $HOSTS && ! grep -Fqw -- "$i" $DHOSTS; then
        echo "ALL : $i # matched on `date`" >>$DHOSTS
    fi
done
# note: I added my home & work IPs to /etc/hosts

I can't use ssh-keys (many of my users don't know how that works/what it is).
But if you can do it, you should.

Samuel Martín Moro

On Mon, Jan 11, 2010 at 4:59 PM, Anton Shterenlikht wrote:
> On Mon, Jan 11, 2010 at 03:25:04PM +, Matthew Seaman wrote:
> > Anton Shterenlikht wrote:
> > > I'm thinking of denying ssh access to host from which
> > > I get brute force ssh attacks.
> > >
> > > However, I see in /etc/hosts.allow:
> > >
> > > # Wrapping sshd(8) is not normally a good idea, but if you
> > > # need to do it, here's how
> > > #sshd : .evil.cracker.example.com : deny
> > >
> > > Why is it not a good idea?
> >
> > Probably because ssh is likely to be the only method of login access
> > you have to a remote server, and hosts.allow could conceivably be spoofed
> > into blocking your legitimate access? In any case, hosts.allow is a poor
> > relation to using a real firewall -- it has no access to the lower level bits
> > of the networking code, so has to allow a full tcp connection setup before it
> > can block anything. Some daemons allow quite a lot of interaction with the
> > remote site when using hosts.allow functionality -- eg. sendmail will
> > apparently go through all of the stages of accepting an incoming e-mail from
> > a denied host, right up to the 'MAIL FROM...' section of the SMTP transaction
> > where it will respond with a 500 permanent failure error code. [admittedly
> > this does have the benefit that the other side will then immediately give up
> > trying to send the message if it's playing by the RFC rules. (Most spam-bots
> > don't, of course.) Otherwise, you'd get the remote side retrying the message
> > several times an hour over the next 5 days before it timed out and gave up.]
> >
> > > Also, apparently in older ssh there was DenyHosts option,
> > > but no longer in the current version.
> > > Is there a replacement for DenyHosts?
> > > Or is there a good reason for such option not to be used?
> >
> > I believe you can do something like this:
> >
> > match address 192.168.23.0/24,172.16.0.0/16
> > ForceCommand /usr/sbin/nologin
> >
> > but this is not foolproof, as it is run via the users' login shell
> > and a sufficiently cunning person can arrange for all sorts of interesting
> > things to happen from their shell initialization files...
>
> Matthew, this makes sense
>
> many thanks
> anton
>
> --
> Anton Shterenlikht
> Room 2.6, Queen's Building
> Mech Eng Dept
> Bristol University
> University Walk, Bristol BS8 1TR, UK
> Tel: +44 (0)117 331 5944
> Fax: +44 (0)117 929 4423
Re: denying spam hosts ssh access - good idea?
Anton Shterenlikht writes:
> I'm very grateful for all advice, but I'm still unsure
> why denying ssh access to a particular host via /etc/hosts.allow
> is a bad idea.

As far as I recall, the reason the warning was added to the manual was
that it's fairly heavy on resources to implement that way (especially
back before the wrapper support was added to sshd; running it out of
inetd added quite a bit of lag). It is also liable to problems from the
idiosyncratic configuration syntax. By and large, you'd be better off
with a firewall, but hosts.allow will certainly work if you want to do
that.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: denying spam hosts ssh access - good idea?
On Mon, Jan 11, 2010 at 03:25:04PM +, Matthew Seaman wrote:
> Anton Shterenlikht wrote:
> > I'm thinking of denying ssh access to host from which
> > I get brute force ssh attacks.
> >
> > However, I see in /etc/hosts.allow:
> >
> > # Wrapping sshd(8) is not normally a good idea, but if you
> > # need to do it, here's how
> > #sshd : .evil.cracker.example.com : deny
> >
> > Why is it not a good idea?
>
> Probably because ssh is likely to be the only method of login access
> you have to a remote server, and hosts.allow could conceivably be spoofed
> into blocking your legitimate access? In any case, hosts.allow is a poor
> relation to using a real firewall -- it has no access to the lower level bits
> of the networking code, so has to allow a full tcp connection setup before it
> can block anything. Some daemons allow quite a lot of interaction with the
> remote site when using hosts.allow functionality -- eg. sendmail will
> apparently go through all of the stages of accepting an incoming e-mail from
> a denied host, right up to the 'MAIL FROM...' section of the SMTP transaction
> where it will respond with a 500 permanent failure error code. [admittedly
> this does have the benefit that the other side will then immediately give up
> trying to send the message if it's playing by the RFC rules. (Most spam-bots
> don't, of course.) Otherwise, you'd get the remote side retrying the message
> several times an hour over the next 5 days before it timed out and gave up.]
>
> > Also, apparently in older ssh there was DenyHosts option,
> > but no longer in the current version.
> > Is there a replacement for DenyHosts?
> > Or is there a good reason for such option not to be used?
>
> I believe you can do something like this:
>
> match address 192.168.23.0/24,172.16.0.0/16
> ForceCommand /usr/sbin/nologin
>
> but this is not foolproof, as it is run via the users' login shell
> and a sufficiently cunning person can arrange for all sorts of interesting
> things to happen from their shell initialization files...

Matthew, this makes sense

many thanks
anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: denying spam hosts ssh access - good idea?
Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?

Probably because ssh is likely to be the only method of login access
you have to a remote server, and hosts.allow could conceivably be spoofed
into blocking your legitimate access? In any case, hosts.allow is a poor
relation to using a real firewall -- it has no access to the lower level bits
of the networking code, so has to allow a full tcp connection setup before it
can block anything. Some daemons allow quite a lot of interaction with the
remote site when using hosts.allow functionality -- eg. sendmail will
apparently go through all of the stages of accepting an incoming e-mail from
a denied host, right up to the 'MAIL FROM...' section of the SMTP transaction
where it will respond with a 500 permanent failure error code. [admittedly
this does have the benefit that the other side will then immediately give up
trying to send the message if it's playing by the RFC rules. (Most spam-bots
don't, of course.) Otherwise, you'd get the remote side retrying the message
several times an hour over the next 5 days before it timed out and gave up.]

> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?

I believe you can do something like this:

match address 192.168.23.0/24,172.16.0.0/16
ForceCommand /usr/sbin/nologin

but this is not foolproof, as it is run via the users' login shell
and a sufficiently cunning person can arrange for all sorts of interesting
things to happen from their shell initialization files...

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: denying spam hosts ssh access - good idea?
Tim Judd wrote:
> I've been meaning to check this out. My firewall ssh rules are very
> strict, in fact, if the remote IP is "unknown" meaning, I don't know
> where the heck it's coming from, it's blocked. It's easier to say it
> this way: I allow ssh connections from IPs I know, preferably static
> IPs.
>
> Given that there are more than one general blacklists out there that
> list unwanted behavior, and that we have ports that make use of these
> lists, I wonder if we can use a list (in this case, for spam)
> effective for blocking ssh connections. This means:
> install spamd
> setup pf (requirement for spamd, it is built by OpenBSD after all)
> in the pf rules, block *ANYTHING* coming from the blacklisted IPs
>
> I don't know how effective it is, but since the spamd blacklist IPs
> are hosted on what seems to be only one server/server farm, I am also
> looking for any way I can provide a mirror (even if it's slightly
> outdated) of this data.

Sure you can do this -- you don't even need to install spamd(8) to do it.
If all you're going to do is use the uatraps and nixspam lists to block all
traffic to your server, then you can just create a table in pf, and load the
list of addresses from those lists into it. You may need some very small
shell scripts to strip out anything other than IP numbers from the lists (if
you use the original sources for the Nixspam stuff from heise.de), and then
print out the list of addresses into a file, one per line. You can load that
file into a PF table very easily:

table <blacklisted> persist file "/var/db/blacklisted.txt"

and use it to block any traffic:

block log in quick on $ext_if from <blacklisted> to any

Then whenever you update your blacklisted.txt file, just run:

# pfctl -t blacklisted -T replace -f /var/db/blacklisted.txt

As you say, the places where you can download those lists are few and far
between, plus they're not particularly comprehensive. There are bigger and
better spam blocklists out there, but those are generally served as DNS rbls
which aren't feasible for hooking into PF configs.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
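Matthew mentions "very small shell scripts to strip out anything other than IP numbers" before the file is loaded into the pf table. The following POSIX sh function is an added example, not Matthew's script or anything from the thread; it assumes the raw list arrives on stdin with comments, hostnames or timestamps mixed in, keeps only syntactically valid IPv4 addresses and CIDR prefixes, and writes one per line so that pfctl -T replace -f accepts the file without choking on a stray token. The sample list it processes is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn a downloaded blocklist into the
# one-address-per-line file that "pfctl -t blacklisted -T replace -f" loads.
# Assumptions: input arrives on stdin and may carry comments (# or ;), blank
# lines, timestamps or hostnames; only IPv4 addresses and IPv4 CIDR prefixes
# are kept. Anything else on a line is ignored; a line with no usable token
# is dropped rather than passed on to pfctl.

# Read a raw list on stdin; print valid IPv4 addresses/prefixes, one per
# line, sorted and deduplicated (pf rejects nothing, but duplicates are noise).
normalize_blocklist() {
    sed 's/[#;].*//' | awk '
    {
        for (i = 1; i <= NF; i++)
            if (valid($i)) { print $i; break }   # first usable token wins
    }
    # 1 if t is a dotted quad, optionally with a /0-32 prefix length
    function valid(t,    n, a, b, o) {
        n = split(t, a, "/")
        if (n > 2) return 0
        if (n == 2 && (a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32)) return 0
        if (split(a[1], b, ".") != 4) return 0
        for (o = 1; o <= 4; o++)
            if (b[o] !~ /^[0-9]+$/ || b[o] + 0 > 255) return 0
        return 1
    }' | sort -u
}

# Constructed sample resembling a public list with mixed formatting
# (documentation ranges only; no real hosts).
SAMPLE='# blocklist, generated 2010-01-11
192.0.2.10
192.0.2.10            ; duplicate entry
198.51.100.0/24 spam-net
bad.example.org       ; hostname, no address
203.0.113.7 2010-01-11T10:00:00
256.1.1.1             ; octet out of range
192.0.2.0/33          ; prefix length out of range
'

# Produce the table file; on the firewall it would then be loaded with
#   pfctl -t blacklisted -T replace -f /var/db/blacklisted.txt
OUT=$(mktemp)
printf '%s' "$SAMPLE" | normalize_blocklist >"$OUT"
cat "$OUT"
```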
Re: denying spam hosts ssh access - good idea?
On Mon, Jan 11, 2010 at 07:18:04AM -0700, Tim Judd wrote:
> On 1/11/10, David Southwell wrote:
> >> I'm thinking of denying ssh access to host from which
> >> I get brute force ssh attacks.
> >>
> >> However, I see in /etc/hosts.allow:
> >>
> >> # Wrapping sshd(8) is not normally a good idea, but if you
> >> # need to do it, here's how
> >> #sshd : .evil.cracker.example.com : deny
> >>
> >> Why is it not a good idea?
> >>
> >> Also, apparently in older ssh there was DenyHosts option,
> >> but no longer in the current version.
> >> Is there a replacement for DenyHosts?
> >> Or is there a good reason for such option not to be used?
> >>
> >> many thanks
> >> anton
> >>
> > I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> > use blackhole and sshguard
> >
> > david
>
> I've been meaning to check this out. My firewall ssh rules are very
> strict, in fact, if the remote IP is "unknown" meaning, I don't know
> where the heck it's coming from, it's blocked. It's easier to say it
> this way: I allow ssh connections from IPs I know, preferably static
> IPs.
>
> Given that there are more than one general blacklists out there that
> list unwanted behavior, and that we have ports that make use of these
> lists, I wonder if we can use a list (in this case, for spam)
> effective for blocking ssh connections. This means:
> install spamd
> setup pf (requirement for spamd, it is built by OpenBSD after all)
> in the pf rules, block *ANYTHING* coming from the blacklisted IPs
>
> I don't know how effective it is, but since the spamd blacklist IPs
> are hosted on what seems to be only one server/server farm, I am also
> looking for any way I can provide a mirror (even if it's slightly
> outdated) of this data.

I'm very grateful for all advice, but I'm still unsure
why denying ssh access to a particular host via /etc/hosts.allow
is a bad idea.

many thanks
anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: denying spam hosts ssh access - good idea?
On 1/11/10, David Southwell wrote:
>> I'm thinking of denying ssh access to host from which
>> I get brute force ssh attacks.
>>
>> However, I see in /etc/hosts.allow:
>>
>> # Wrapping sshd(8) is not normally a good idea, but if you
>> # need to do it, here's how
>> #sshd : .evil.cracker.example.com : deny
>>
>> Why is it not a good idea?
>>
>> Also, apparently in older ssh there was DenyHosts option,
>> but no longer in the current version.
>> Is there a replacement for DenyHosts?
>> Or is there a good reason for such option not to be used?
>>
>> many thanks
>> anton
>>
> I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> use blackhole and sshguard
>
> david

I've been meaning to check this out. My firewall ssh rules are very
strict, in fact, if the remote IP is "unknown" meaning, I don't know
where the heck it's coming from, it's blocked. It's easier to say it
this way: I allow ssh connections from IPs I know, preferably static
IPs.

Given that there are more than one general blacklists out there that
list unwanted behavior, and that we have ports that make use of these
lists, I wonder if we can use a list (in this case, for spam)
effective for blocking ssh connections. This means:
install spamd
setup pf (requirement for spamd, it is built by OpenBSD after all)
in the pf rules, block *ANYTHING* coming from the blacklisted IPs

I don't know how effective it is, but since the spamd blacklist IPs
are hosted on what seems to be only one server/server farm, I am also
looking for any way I can provide a mirror (even if it's slightly
outdated) of this data.

--Tim
Re: denying spam hosts ssh access - good idea?
David Southwell wrote:
>> I'm thinking of denying ssh access to host from which
>> I get brute force ssh attacks.
>>
>> However, I see in /etc/hosts.allow:
>>
>> # Wrapping sshd(8) is not normally a good idea, but if you
>> # need to do it, here's how
>> #sshd : .evil.cracker.example.com : deny
>>
>> Why is it not a good idea?
>>
>> Also, apparently in older ssh there was DenyHosts option,
>> but no longer in the current version.
>> Is there a replacement for DenyHosts?
>> Or is there a good reason for such option not to be used?
>>
>> many thanks
>> anton
>>
> I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
> use blackhole and sshguard
>
> david

Take a look at fail2ban: http://www.fail2ban.org/

This hooks in IPtables and really does a nice job of preventing DoS attacks
from not just SSH but many other ports and protocols too.

Regards,

Kaya
Re: denying spam hosts ssh access - good idea?
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?
>
> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?
>
> many thanks
> anton
>

I use denyhosts ( /usr/ports/security/denyhosts ) works well for me. I also
use blackhole and sshguard

david
denying spam hosts ssh access - good idea?
I'm thinking of denying ssh access to host from which
I get brute force ssh attacks.

However, I see in /etc/hosts.allow:

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

Why is it not a good idea?

Also, apparently in older ssh there was DenyHosts option,
but no longer in the current version.
Is there a replacement for DenyHosts?
Or is there a good reason for such option not to be used?

many thanks
anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423