Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion
  Previous topic | Next topic 
Author Message
absolutefunk
 Post subject:
PostPosted: Thu Jun 30, 2005 9:07 pm 
Offline
Junior Member

Joined: Sat May 07, 2005 3:45 am
Posts: 35
Yahoo Messenger: funksolution
Location: DFW Texas
So I guess this kinda thing is pretty common eh? Took a look in my logs the other day and saw a bunch of these attacks. However I'm gonna be redoing my linode in the next month or two, so I don't care :D I have only a couple user accounts with good passwords so I'm good. It's just annoying having my logs full of this garbage but I'll worry bout it later.

-Brian
Top
   
Reply with quote  
drware
 Post subject: Fail2Ban Python App
PostPosted: Thu Aug 25, 2005 10:02 pm 
Offline
Senior Newbie

Joined: Thu Aug 12, 2004 9:44 pm
Posts: 9
I just found this Python app that will scan log files and then update iptables rules to block after to many failures.

http://fail2ban.sourceforge.net/

Quote from the website: "Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address."

See also:

http://devmike.com/blog/archives/2005-0 ... 58_57.html

Installed smoothly on my Debian Linode. The program banned two script kiddies in the first 5 minutes.
Top
   
Reply with quote  
mikegrb
 Post subject: Re: Fail2Ban Python App
PostPosted: Thu Aug 25, 2005 10:16 pm 
Offline
Linode Staff
User avatar

Joined: Fri Oct 17, 2003 12:38 am
Posts: 287
Location: Dr Wierd's Lab, South Jersey Shore
drware wrote:
I just found this Python app that will scan log files and then update iptables rules to block after to many failures.


Did you miss http://www.linode.com/forums/viewtopic.php?p=6935#6935? It has the advantage of not running a script from cron every X minutes and thus eating unnecessary resources. In addition, it will block someone after the third attempt rather then an IP not being blocked until the first time the cron script runs. A problem with cron scripts is, these bruteforce attempts rarely last longer then a minute so by the time the cron script blocks them, they are already done.

Michael
Top
   
Reply with quote  
drware
 Post subject:
PostPosted: Fri Aug 26, 2005 9:18 am 
Offline
Senior Newbie

Joined: Thu Aug 12, 2004 9:44 pm
Posts: 9
Yep, guess I missed that post...

This Fail2ban app is not using cron. It runs as a service. You set the polling interval via the config file. Default is 1 second.

I am sure this app is using plenty of resources, and would not want to imply that it is a better solution then those already proposed. I just thought it was interesting.
Top
   
Reply with quote  
raman
PostPosted: Fri Aug 26, 2005 3:43 pm 
Offline
Senior Newbie

Joined: Tue Nov 30, 2004 10:01 pm
Posts: 17
I have found Shorewall to work wonderfully for configuring my iptables firewall both at home and on my linode. It also supports the iptables rate limiting feature, as is being discussed.

The following line in /etc/shorewall/rules works great for me, and sets up iptables on each restart:

Code:
ACCEPT   net            fw              tcp     22      -          -            3/min:3


Description of the last parameter (rate limit):

Code:
#       RATE LIMIT      You may rate-limit the rule by placing a value in
#                       this column:
#
#                               <rate>/<interval>[:<burst>]
#
#                       where <rate> is the number of connections per
#                       <interval> ("sec" or "min") and <burst> is the
#                       largest burst permitted. If no <burst> is given,
#                       a value of 5 is assumed. There may be no
#                       no whitespace embedded in the specification.


A lot of the other scripts go to the trouble of blocking the source IP when the rate limit is exceeded, but I've found it to be totally unnecessary -- when the scanner program gets blocked, it moves on.

Cheers,
Raman
Top
   
Reply with quote  
mike
 Post subject:
PostPosted: Wed Aug 31, 2005 12:27 pm 
Offline
Senior Newbie

Joined: Tue Nov 04, 2003 12:32 am
Posts: 12
mastabog wrote:
Nice script Mike. Unfortunately it only works if your INPUT chain policy is set to ACCEPT (mine is on DROP).

If your policy is set to DROP (as it probably should be) add one more line:
Code:
# Create the Whitelist chain
iptables -N SSH_WHITELIST

# Block after three failed attempts per minute
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Less than four? Accept
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Whitelist (repeat for each host...or create a mask)
iptables -A SSH_WHITELIST -p tcp --dport 22 -s ${WHITELISTED_HOST} -m recent --remove --name SSH -j ACCEPT
Top
   
Reply with quote  
raman
PostPosted: Wed Apr 26, 2006 12:23 am 
Offline
Senior Newbie

Joined: Tue Nov 30, 2004 10:01 pm
Posts: 17
raman wrote:
The following line in /etc/shorewall/rules works great for me, and sets up iptables on each restart:

Code:
ACCEPT   net            fw              tcp     22      -          -            3/min:3



This thread is long dead, but for future searchers and posterity, do not do the above. It generally does work fine, but brute force attacks will cause a DOS on your ssh server because the rule is not specific to the source IP -- it blocks all conections, including valid ones.

However, if you are using Shorewall 3.0.4 or later, you can just put something like this in rules instead:

Code:
Limit:info:SSH,3,60   net    fw    tcp   ssh


The Limit action is builtin (> 3.0.4), and the params define how it is logged, and how many connections are allowed over what interval for individual IPs. See this page: http://www.shorewall.net/PortKnocking.html#id2460417 (the URL is a bit misleading, it talks about port knocking as well).

Cheers,
Raman
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » General Discussion


Who is online

Users browsing this forum: virneto and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group