Re: Security blocking question

2009-10-16 Thread Matthew Seaman

Aflatoon Aflatooni wrote:
Is there a way that I could configure the server so that if there are for 
example X attempts from an IP address then for the next Y hours all the SSH 
requests would be ignored from that IP address? There are only a handful of 
people who have access to that server.


Yes.

In pf.conf:

table <ssh-bruteforce> persist

[...]

block drop in log quick on $ext_if from <ssh-bruteforce>

[...]

pass in on $ext_if proto tcp      \
    from any to $ext_if port ssh \
    flags S/SA keep state        \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

plus you'll need to add a cron job to clear old entries out of the
ssh-bruteforce table after a suitable amount of time has passed.  Use
expiretable to do that.  Note: in practice I've found that it's a *really
good idea* to implement an SSH whitelist of addresses that will never be
bruteforce blocked like this -- it's very easy to lock yourself out even if
everything you're doing is entirely legitimate.  Coding that is left as an
exercise for the reader.




What is the best way of testing the PF rule? Is there a quick way to mimic a
brute force? Is there a way that I could review the content of the table
through pfctl -s all?


To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport.  You
should have a login concurrently from some other IP or on the console, otherwise
you will lock yourself out.

To see what IPs have been added to the ssh-bruteforce table and when and what
traffic has been blocked:

  # pfctl -vv -t ssh-bruteforce -T show

To manually delete an IP from the ssh-bruteforce table:

  # pfctl -t ssh-bruteforce -T delete 12.34.56.78

As noted elsewhere in this thread, instead of using expiretable, you can run
this out of cron to expire addresses over a day old from the ssh-bruteforce
blocklist:

  # pfctl -t ssh-bruteforce -T expire 86400

The pfctl(8) man page is pretty illuminating.

Cheers,

Matthew

PS.  Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above.  I hope you could actually read it unmunged. Plain
text rools!

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature
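
The rule and the pfctl housekeeping above, and the original question's "X attempts then ignore for Y hours", can be modelled end to end in a few dozen lines. The following is an added example, not code from this thread or from pf: it replays sshd "Invalid user" log lines (in the format the original post shows, but with constructed TEST-NET addresses) through a per-source rate limiter that behaves like `max-src-conn-rate 3/30, overload <table> flush global`, ages table entries out the way a cron'd `pfctl -t <table> -T expire 86400` would, and exempts a whitelist so an administrator cannot lock themselves out. The class and function names are the example's own.

```python
"""Sliding-window model of the pf brute-force rule discussed in this thread.

Added example, not code from the thread: replays sshd "Invalid user" lines
through a limiter shaped like `max-src-conn-rate 3/30, overload <table>
flush global`, with cron-style expiry and a whitelist.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# syslog lines carry no year; the parser takes it as a parameter.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2009):
    """Return (unix_time, source_ip) for an sshd 'Invalid user' line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).timestamp(), m.group("ip")


class BruteForceGuard:
    """Per-source connection-rate limiter with a timed block table (hypothetical name)."""

    def __init__(self, max_conn=3, window=30, block_seconds=86400, whitelist=()):
        self.max_conn = max_conn            # the "3" in max-src-conn-rate 3/30
        self.window = window                # the "30" (seconds)
        self.block_seconds = block_seconds  # what you'd pass to pfctl -T expire
        self.whitelist = set(whitelist)     # never overloaded into the table
        self.recent = defaultdict(deque)    # ip -> attempt timestamps in the window
        self.blocked = {}                   # ip -> time it entered the table

    def expire(self, now):
        """Drop table entries older than block_seconds (the cron job's role)."""
        for ip, since in list(self.blocked.items()):
            if now - since >= self.block_seconds:
                del self.blocked[ip]

    def observe(self, ts, ip):
        """Feed one connection attempt; True means the packet would be dropped."""
        self.expire(ts)
        if ip in self.whitelist:
            return False
        if ip in self.blocked:
            return True                     # the 'block ... from <table>' rule
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_conn:          # more than max_conn in window: overload
            self.blocked[ip] = ts
            q.clear()                       # 'flush global': existing states torn down
            return True
        return False


# Constructed sample log (TEST-NET addresses), not the poster's real log.
SAMPLE_LOG = """\
Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 203.0.113.7
Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 203.0.113.7
Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 203.0.113.7
Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 203.0.113.7
Oct  8 12:58:42 seven sshd[32265]: Invalid user dorna from 203.0.113.7
Oct  8 13:10:00 seven sshd[32300]: Invalid user admin from 198.51.100.5
Oct  8 13:10:01 seven sshd[32301]: Invalid user admin from 198.51.100.5
Oct  8 13:10:02 seven sshd[32302]: Invalid user admin from 198.51.100.5
Oct  8 13:10:03 seven sshd[32303]: Invalid user admin from 198.51.100.5
Oct  9 12:58:43 seven sshd[40001]: Invalid user root from 203.0.113.7
"""


def replay(log_text, **guard_opts):
    """Run each log line through the guard; return ([(time, ip, dropped)], guard)."""
    guard = BruteForceGuard(**guard_opts)
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        verdicts.append((line.split()[2], ip, guard.observe(ts, ip)))
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = replay(SAMPLE_LOG, whitelist={"198.51.100.5"})
    for when, ip, dropped in verdicts:
        print(f"{when} {ip:15} {'DROP' if dropped else 'pass'}")
    print("still in table:", sorted(guard.blocked))
```

With the whitelist set, the fourth attempt from 203.0.113.7 inside the 30 s window lands it in the table, the fifth is dropped outright, the whitelisted 198.51.100.5 is never blocked, and the attempt a day and two seconds later passes because the entry has aged out. Run it again without the whitelist and the fourth attempt from 198.51.100.5 is blocked too, which is the lock-out scenario the reply warns about.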


Re: Security blocking question

2009-10-16 Thread Aflatoon Aflatooni

Thanks,
I have the following in my pf.conf:

ext_if=bge0
# Public Services --  smtp, http, pop3s
tcpPubServices = { 25, 80, 995 }
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 1, frags 5000 }
#set loginterface none
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints /etc/pf.os
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

pass out all
block in log all
table <sshBruteForce> { }
block in quick from <sshBruteForce> to any
pass in on $ext_if inet proto tcp from any to any port $tcpPubServices \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to any port ssh modulate state \
    (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 \
     overload <sshBruteForce> flush global)


And I have tried to make a lot of ssh connections to the box and killing them 
with ctrl-c or bad-password but nothing gets added to the table. There isn't 
anything in the log either. How would I go about figuring out what is wrong?

Thanks



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Security blocking question

2009-10-16 Thread Matthew Seaman

Aflatoon Aflatooni wrote:


I have the following in my pf.conf:

ext_if=bge0
# Public Services --  smtp, http, pop3s
tcpPubServices = { 25, 80, 995 }
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 1, frags 5000 }
#set loginterface none
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints /etc/pf.os
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

pass out all
block in log all
table <sshBruteForce> { }

^^^ this needs to be 'table <sshBruteForce> persist' or the OS will delete it
    if it's empty.

block in quick from <sshBruteForce> to any
pass in on $ext_if inet proto tcp from any to any port $tcpPubServices \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to any port ssh modulate state \
    (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 \
     overload <sshBruteForce> flush global)


And I have tried to make a lot of ssh connections to the box and killing them 
with ctrl-c or bad-password but nothing gets added to the table. There isn't 
anything in the log either. How would I go about figuring out what is wrong?


Usually if you leave your machine connected to the internet, some awfully
helpful people in China or some other far off place will test it for you
within a day or so...

Cheers,

Matthew

--





Re: Security blocking question

2009-10-15 Thread Aflatoon Aflatooni
  

What is the best way of testing the PF rule? Is there a quick way to mimic a
brute force? Is there a way that I could review the content of the table
through pfctl -s all?

Thanks





Re: Security blocking question

2009-10-10 Thread Matthew Seaman

Svante Kvarnstrom wrote:


On Oct 9, 2009, at 11:56 PM, Matthew Seaman wrote:

plus you'll need to add a cron job to clear old entries out of the
ssh-bruteforce table after a suitable amount of time has passed.  Use
expiretable to do that.


I believe that security/expiretable is superfluous nowadays since pfctl 
supports the -T expire directive.


Yes -- that is true.  Seems '-T expire' works in 7-STABLE and 7.1-RELEASE,
7.2-RELEASE -- not sure about older versions though.

Cheers,

Matthew

--





Security blocking question

2009-10-09 Thread Aflatoon Aflatooni
Hi,
The production server that has a public IP address has SSH enabled. This server 
is continuously under dictionary attack:
Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
Oct  8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
Oct  8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
Oct  8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91
Oct  8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91
Oct  8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91
Oct  8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
Oct  8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91
Oct  8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
Oct  8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91
Oct  8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91
Oct  8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91
Oct  8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91

Is there a way that I could configure the server so that if there are for 
example X attempts from an IP address then for the next Y hours all the SSH 
requests would be ignored from that IP address? 
There are only a handful of people who have access to that server.

Thanks



 


Re: Security blocking question

2009-10-09 Thread Adam Vande More
On Fri, Oct 9, 2009 at 4:45 PM, Aflatoon Aflatooni aaflato...@yahoo.com wrote:

 Is there a way that I could configure the server so that if there are for
 example X attempts from an IP address then for the next Y hours all the SSH
 requests would be ignored from that IP address?
 There are only a handful of people who have access to that server.

/usr/ports/security/denyhosts


-- 
Adam Vande More


Re: Security blocking question

2009-10-09 Thread Jonathan Chen
On Fri, Oct 09, 2009 at 02:45:51PM -0700, Aflatoon Aflatooni wrote:

[...]
 Is there a way that I could configure the server so that if there are for 
 example X attempts from an IP address then for the next Y hours all the SSH 
 requests would be ignored from that IP address? 
 There are only a handful of people who have access to that server.

If there are only a handful, then I'd suggest that you put a whitelist
of IP addresses in your firewall config.
-- 
Jonathan Chen j...@chen.org.nz
--
A little learning is a dangerous thing but a lot of ignorance is
 just as bad.  - Bob Edwards


Re: Security blocking question

2009-10-09 Thread APseudoUtopia
On Fri, Oct 9, 2009 at 5:45 PM, Aflatoon Aflatooni aaflato...@yahoo.com wrote:

 Is there a way that I could configure the server so that if there are for
 example X attempts from an IP address then for the next Y hours all the SSH
 requests would be ignored from that IP address?
 There are only a handful of people who have access to that server.

I don't think OpenSSH has this feature. You would have to look to a
firewall solution for this (I recommend PF). There is also software in
the ports collection that I've heard of to help this problem. I've
never used any of them, but fail2ban seems to be a popular one.

I would also recommend using a non-standard SSH port if possible. It
would cut down on the bot spam considerably.


RE: Security blocking question

2009-10-09 Thread Gary Gatten
I might also add, if it's only a handful that have legitimate access
requirements, maybe black hole all ip's from locations (countries, etc.)
they'll never be in.  We see a lot of bad traffic from well, certain
countries and we simply null route them.  Or if I feel like playing a
bit I'll route them to a tar-pit and honey pot just to see what they do.
Pretty entertaining sometimes! :)






Re: Security blocking question

2009-10-09 Thread Matthew Seaman

Aflatoon Aflatooni wrote:

Is there a way that I could configure the server so that if there are for
example X attempts from an IP address then for the next Y hours all the SSH
requests would be ignored from that IP address?
There are only a handful of people who have access to that server.


Yes.

In pf.conf:

table <ssh-bruteforce> persist

[...]

block drop in log quick on $ext_if from <ssh-bruteforce>

[...]

pass in on $ext_if proto tcp      \
    from any to $ext_if port ssh \
    flags S/SA keep state        \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

plus you'll need to add a cron job to clear old entries out of the
ssh-bruteforce table after a suitable amount of time has passed.  Use
expiretable to do that.  Note: in practice I've found that it's a *really
good idea* to implement an SSH whitelist of addresses that will never be
bruteforce blocked like this -- it's very easy to lock yourself out even if
everything you're doing is entirely legitimate.  Coding that is left as an
exercise for the reader.


Cheers,

Matthew

--





Re: Security blocking question

2009-10-09 Thread Aflatoon Aflatooni




- Original Message 
 From: Gary Gatten ggat...@waddell.com
 To: Adam Vande More amvandem...@gmail.com; Aflatoon Aflatooni 
 aaflato...@yahoo.com
 Cc: freebsd-questions@freebsd.org
 Sent: Fri, October 9, 2009 5:53:10 PM
 Subject: RE: Security blocking question
 
 I might also add, if it's only a handful that have legitimate access
 requirements, maybe black hole all ip's from locations (countries, etc.)
 they'll never be in.  We see a lot of bad traffic from well, certain
 countries and we simply null route them.  Or if I feel like playing a
 bit I'll route them to a tar-pit and honey pot just to see what they do.
 Pretty entertaining sometimes! :)
 
 

My experience has been that a honeypot is good to catch internal hackers.
I have also noticed that we get dictionary attacks from zombies in North
America. I have managed to capture a Perl script that they use and it just
retransmits the command from the IP of the server that has the Perl script
installed.





Re: Security blocking question

2009-10-09 Thread Svante Kvarnstrom


On Oct 9, 2009, at 11:56 PM, Matthew Seaman wrote:

plus you'll need to add a cron job to clear old entries out of the
ssh-bruteforce table after a suitable amount of time has passed.  Use
expiretable to do that.



I believe that security/expiretable is superfluous nowadays since  
pfctl supports the -T expire directive.


Best wishes,

Svante Kvarnström
Mob.: +46 702 38 34 00









PGP.sig
Description: This is a digitally signed message part