Re: is there a way to block sshd trolling?

2005-09-29 Thread Rico
Hi Nick I managed to get it working like this.. I am mainly writing this also if other users might benefit from it :-) In /etc/pf.conf I added only the following line: block quick on $ext_if inet proto { tcp udp } from to $ext_if I then placed the following in /root/swatchrc: watchfor /Invali

Re: Summary: Is there a way to block sshd trolling?

2005-09-29 Thread terry tyson
On 9/28/05, John Marten <[EMAIL PROTECTED]> wrote: > Thank you to all who replied. (There were several dozen) > If I had to name everyone, there would not be room on this page! This > list is great. > > Solution #1) Change the port number in sshd_config to something obscure. > > Solution #2) Edit t

Summary: Is there a way to block sshd trolling?

2005-09-28 Thread John Marten
Thank you to all who replied. (There were several dozen) If I had to name everyone, there would not be room on this page! This list is great. Solution #1) Change the port number in sshd_config to something obscure. Solution #2) Edit the sshd_config file, and include or create this entry: MaxAut

Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan
Hi Rico, I'd probably do that the other way - get rid of the log file bit out of the swatch config and let that update the pf table. Set up a separate cronjob to dump the table contents to a file every hour or so with a pfctl -t sshdtrolls -T show > LOGFILENAME This way the pf table is insta

Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico
Hi Nick Nick Ryan wrote: Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is... This, I think, is the interresting part because I want that very log file to be the "blacklist" file and then

Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico
Alexander Hall wrote: Rico wrote: I am using this 'table persist file "/root/pf/sshdhackers"' I don't get any entries in the sshdhackers file and I don't get blocked from the system. A table modification is not automatically added to the file the table was once populated from. Use # p

Re: is there a way to block sshd trolling?

2005-09-28 Thread Alexander Hall
Rico wrote: I am using this 'table persist file "/root/pf/sshdhackers"' I don't get any entries in the sshdhackers file and I don't get blocked from the system. A table modification is not automatically added to the file the table was once populated from. Use # pfctl -t sshdtrolls -T sho

Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan
Strange. It's working for me - I've just tested my own setup again and it blocks me. Although the file logging isn't working though - not sure why that is... Can you confirm that your pf rules have the block line in before the permit rule and that it's correct for your firewall rules - ie. no

Re: is there a way to block sshd trolling?

2005-09-28 Thread Rico
Dear Nick I have tried your setup below. I too have the setup and file placement as you, but I am not using keys. When I try to log on as an illegal user, the atempt is logged by authlog, and having swatch runing from the console it says: 1/1 addresses added. I am using this 'table persis

Re: is there a way to block sshd trolling?

2005-09-28 Thread Nick Ryan
What you could also do is install swatch from ports or packages and have a table in your pf.conf like this: table persist and a rule #stop ssh trolls block in log quick on $EXT_IF inet proto {tcp,udp} from to $EXT_IF port ssh label "SSHDTrolls" A swatchrc file of: watchfor /Failed passw

Re: is there a way to block sshd trolling?

2005-09-27 Thread Kevin Frand
I use an "intruder" table within pf table file "/etc/pf.intruders" Then in pf rules: block drop in log-all from to any Then I run this script out of cron on a periodic basis (remove the echo statements for cron use - I like to run it manually, too) #!/usr/local/bin/bash # This counts the nu

Re: is there a way to block sshd trolling?

2005-09-26 Thread Joakim Aronius
I second that. Blocking ssh access from Linux hosts removes 95% of these attacks. Simple and effective. block drop in log quick on $ext_if proto { tcp, udp } from any os Linux to any port ssh label "Block ssh from Linux hosts" /jkm * Nick Ryan ([EMAIL PROTECTED]) wrote: > You could use pf to b

Re: is there a way to block sshd trolling?

2005-09-25 Thread Juan J.
El vie, 23-09-2005 a las 21:24 -0700, Ray Percival escribis: > [...] > > I wonder if it's possible to "fingerprint" these programs. I actually > > have a copy of the ssh-scanner that they use. I got it by looking at > > the hack logs on a Linux server and going to the same FTP site they > > used

Re: is there a way to block sshd trolling?

2005-09-24 Thread frantisek holop
just a minor variation (in B dur) for what the others had said: relevant parts of /etc/pf.conf: SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)" table persist block return-rst log quick proto tcp from label "ssh-pirate" block in pass in on $ext_if proto tcp from any to ($ext_if)

Re: is there a way to block sshd trolling?

2005-09-24 Thread Stuart Henderson
--On 24 September 2005 13:31 +0100, ed wrote: What they did was to exploit gzip, I'm fairly certain. I could not apt-get of course and thus left helpless. I no longer have faith in user passwords. I do my best to prevent people using common user names (besides myself who uses 'ed' of course, but

Re: is there a way to block sshd trolling?

2005-09-24 Thread ed
On Fri, 23 Sep 2005 21:24:26 -0700 Ray Percival <[EMAIL PROTECTED]> wrote: > Yeah. This is only a threat against *really* weak boxes. Having said > that I've seen a lot of posts talking about changing ports. That's a > line that I won't cross. I refuse to hide from the bots and it's not > even a s

Re: is there a way to block sshd trolling?

2005-09-24 Thread Matthias Kilian
On Fri, Sep 23, 2005 at 08:07:35PM -0600, jared r r spiegel wrote: > caveat is that i currently haven't implemented a way to expire entries > out, however until you get something fancier tested/implemented, > some simple pf action like that above might fly /usr/ports/sysutils/expiretable in

Re: is there a way to block sshd trolling?

2005-09-23 Thread Ray Percival
On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote: > > Some intelligent scripts look at tcp responses to port scans, ssh > > responds with SSH-2.0, which isn't too hard to identify. I don't know if > > changing the greeting would break the protocol, but I suspect it might > > break certa

Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
> Some intelligent scripts look at tcp responses to port scans, ssh > responds with SSH-2.0, which isn't too hard to identify. I don't know if > changing the greeting would break the protocol, but I suspect it might > break certain clients. I wonder if it's possible to "fingerprint" these programs

Re: is there a way to block sshd trolling?

2005-09-23 Thread Eike Lantzsch
On Friday 23 September 2005 14:40, John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename

Re: is there a way to block sshd trolling?

2005-09-23 Thread jared r r spiegel
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote: > "input_userauth_request: ivalid user somename" > "Failed password for invalid user somename" haven't read the entire thread yet, so doubtless this has come up, but i use: -- e = sis2 tablepersist

Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
"Spruell, Darren-Perot" <[EMAIL PROTECTED]> writes: > From: Wolfgang S. Rupprecht >> 2) Forging the source IP in a TCP packet and succeeding in negotiating >>the 3-way handshake isn't all that simple any more. I wouldn't >>worry about it. If someone could forge that reliably, there is >>

Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: Wolfgang S. Rupprecht > 2) Forging the source IP in a TCP packet and succeeding in negotiating >the 3-way handshake isn't all that simple any more. I wouldn't >worry about it. If someone could forge that reliably, there is >much better game to go after (like breaking into machin

Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
just to add my $0.02. The best they could hope for would be disallowing your default gateway from connecting to your ssh server... whoop-de-doo. On 9/23/05, Wolfgang S. Rupprecht < [EMAIL PROTECTED]> wrote: > > <[EMAIL PROTECTED]> writes: > > My only question is what if I traceroute to you, find o

Re: is there a way to block sshd trolling?

2005-09-23 Thread Rogier Krieger
On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > There's got to be a better way, and I'm open to suggestions. This is really something well dealt with in the archives, so please search those for other suggestions. I'm sure there are better options. Personally, I use the following combination

Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
<[EMAIL PROTECTED]> writes: > My only question is what if I traceroute to you, find out the IP number of > your upstream router? Then I make a bunch of connection attempts to your IP > but forge the packets to make them look like they came from your upstream. > Don't *you* end up blacklisting

Re: is there a way to block sshd trolling?

2005-09-23 Thread Matthew Powell
John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename from ###.##.##.###" > "input_userau

Re: is there a way to block sshd trolling?

2005-09-23 Thread Stuart Henderson
--On 23 September 2005 15:05 -0500, [EMAIL PROTECTED] wrote: My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. The su

Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > My only question is what if I traceroute to you, find out the > IP number of your upstream router? Then I make a bunch of > connection attempts to your IP but forge the packets to make > them look like they came from your upstream. Don't *you

Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S
John Marten wrote: There's got to be a better way, and I'm open to suggestions. Use public key authentication to start with. It's very easy to setup and much more secure than password authentication. With public key authentication, passwords will never work. You might also want to make it a

Re: is there a way to block sshd trolling?

2005-09-23 Thread ed
On Fri, 23 Sep 2005 21:55:12 +0200 Tomasz Baranowski <[EMAIL PROTECTED]> wrote: > You can change the port number in /etc/ssh/sshd_config . It's 100% > effective against that kind of bots. Some intelligent scripts look at tcp responses to port scans, ssh responds with SSH-2.0, which isn't too hard

Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S
[EMAIL PROTECTED] wrote: My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. Don't *you* end up blacklisting your defa

Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 03:15 pm, Mr.Slippery wrote: > That's how I handle this type of annoyance: > http://data.homeip.net/projects/ssh_wall.php Slick. Er...slippery, that is.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
Roy Morris wrote: > why not use max-connections ? and dump them into a > table with no access. Or if this is a home machine just > move the port to some high port, most scripts wont bother > looking. Yup, I forgot to add that you can put another thing in that max-conn... that handles the overflow

Re: is there a way to block sshd trolling?

2005-09-23 Thread ober
Use the tarpit patch that I wrote http://www.linbsd.org/openssh-samepasswd.patch -Ober -Ober On Fri, 23 Sep 2005, Abraham Al-Saleh wrote: You could use connection throttling, it won't eliminate them, but it will make it take longer. If you don't need ssh on that host (although, you probably

Re: is there a way to block sshd trolling?

2005-09-23 Thread Thordur I. Bjornsson
On Fri, 23 Sep 2005 11:40:36 -0700 "John Marten" <[EMAIL PROTECTED]> wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd

Re: is there a way to block sshd trolling?

2005-09-23 Thread Nick Ryan
You could use pf to block linux ssh access. block in log quick on $EXT_IF inet proto tcp from any os "Linux" to port 22 label "Blocked Linux ssh access: " That'll reduce it quite a lot. John Marten wrote: You know what i mean? Every day I get some script kiddie, or adult trying to guess u

Re: is there a way to block sshd trolling?

2005-09-23 Thread jabbott
My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. Don't *you* end up blacklisting your default route and you become 's

Re: is there a way to block sshd trolling?

2005-09-23 Thread Tomasz Baranowski
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. You can change the port number in /etc/ssh/sshd_config . It's 100% effective against that kind of bots. Greetings, Tomasz Bar

Re: is there a way to block sshd trolling?

2005-09-23 Thread Rob Copsey
- Original Message: From: Bryan Irvine <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Date: Friday, September 23 2005 09:55 AM Subject: Re: is there a way to block sshd trolling? >Have snort or portsentry add those ips to a table in pf.conf. > >--Bryan >

Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
You could use connection throttling, it won't eliminate them, but it will make it take longer. If you don't need ssh on that host (although, you probably do, I'd be lost without it) disable it. You could bind sshd to a different port, and disable port 22 (most of these attacks are automated bots).

Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
John Marten wrote: >You know what i mean? Every day I get some script kiddie, or adult >trying to guess usernames or passwords. >I've installed the newest version of SSH, so i'm covered there. But I >still get a dozen or 2 of the >"sshd Invalid user somename from ###.##.##.###" >"input_userauth_re

Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 02:40 pm, John Marten wrote: > There's got to be a better way, and I'm open to suggestions. Use a non-standard port and/or public key exchange. Chris

Re: is there a way to block sshd trolling?

2005-09-23 Thread Roy Morris
why not use max-connections ? and dump them into a table with no access. Or if this is a home machine just move the port to some high port, most scripts wont bother looking. cheers rm John Marten wrote: You know what i mean? Every day I get some script kiddie, or adult trying to guess usernam

Re: is there a way to block sshd trolling?

2005-09-23 Thread Will H. Backman
> On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > > You know what i mean? Every day I get some script kiddie, or adult > > trying to guess usernames or passwords. > > I've installed the newest version of SSH, so i'm covered there. But I > > still get a dozen or 2 of the > > "sshd Invalid user

Re: is there a way to block sshd trolling?

2005-09-23 Thread Mr.Slippery
John Marten ([EMAIL PROTECTED]) dixit: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename from ###.##.##.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
Have snort or portsentry add those ips to a table in pf.conf. --Bryan On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Mike Hernandez
IIRC there are scripts what will automatically add lines to your hosts.deny file. Sorry, but I can't remember the names. I suggest you also create some keys for yourself to use and disable password authentication. With password auth disabled the attacks won't go be more than an annoyance for the mo

is there a way to block sshd trolling?

2005-09-23 Thread John Marten
You know what i mean? Every day I get some script kiddie, or adult trying to guess usernames or passwords. I've installed the newest version of SSH, so i'm covered there. But I still get a dozen or 2 of the "sshd Invalid user somename from ###.##.##.###" "input_userauth_request: ivalid user somenam