Robert G. (Doc) Savage wrote:
On Mon, 2009-05-04 at 22:49 +0800, John Summerfield wrote:
Robert G. (Doc) Savage wrote:
I'm trying to contend with global SSH brute force attacks with fail2ban.
Apparently I have one or more settings/permissions wrong. Iptables is
not being updated despite waves of attacks, and I'm not getting any
e-mail warnings. Suggestions anybody?

--Doc Savage
  Fairview Heights, IL

I've made the following changes to /etc/fail2ban.conf:

  background = true
  bantime = -1
  ignoreip = 192.168.1.1/24
[MAIL] notification enabled = true

Here is a sample entry from /var/log/secure for an attack on user
'nagios':

May  3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51  user=nagios
May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May  3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye

I am curious.

I only manage small networks, with little expected ssh traffic. I use iptables to limit the number of connexion attempts per hour to two or so.

I find I block 90% or so of bad ssh connexions, nothing short of a distributed attack can hope to enumerate passwords, and I don't have enough bandwidth for anyone to make a realistic attempt to guess a password.

I get messages like yours above, but not enough to trouble me. I don't expect ever to get none, but on the other hand it's possible someone might need to connect some time without a key, and maybe get the password wrong in the process of trying to use it.

I'm sure that there are good reasons my method won't work, but I'd like to know some of them, just in case.

How many ssh connexions do you expect?
How many are you receiving?



--------------------- pam_unix Begin ------------------------
 sshd:
    Authentication Failures:
       unknown (200.66.82.51): 437 Time(s)
       xxxxx (200.66.82.51): 14 Time(s)
       xxxxxx (200.66.82.51): 8 Time(s)
       xxxxx (200.66.82.51): 8 Time(s)
       xxxxxx (200.66.82.51): 6 Time(s)
       xxx (200.66.82.51): 5 Time(s)
       xxx (200.66.82.51): 4 Time(s)
       xxxxx (200.66.82.51): 4 Time(s)
       xxxxxxx (200.66.82.51): 4 Time(s)
       root (200.66.82.51): 2 Time(s)
       xxxxxxxx (200.66.82.51): 1 Time(s)
       xxxxx (200.66.82.51): 1 Time(s)
       root (nlos-41.222.17.240.iconnect.zm): 1 Time(s)
    Invalid Users:
       Unknown Account: 437 Time(s)
---------------------- pam_unix End -------------------------

 --------------------- SSHD Begin ------------------------

Failed logins from:
    41.222.17.240 (nlos-41.222.17.240.iconnect.zm): 1 time
    200.66.82.51 (51.82.66.200.in-addr.arpa): 57 times
Illegal users from:
    200.66.82.51 (51.82.66.200.in-addr.arpa): 437 times
Users logging in through sshd:
    root:
       192.168.1.XXX (xxxxxxxxxx.xxxxxxxxx.xxx): 1 time
Received disconnect:
    11: Bye Bye : 494 Time(s)
**Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user CounterStrike : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tribox : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user teamspeak : 10 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 4 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user info : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user informix : 8 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web7 : 16 time(s)
 ...
 pam_succeed_if(sshd:auth): error retrieving information about user ts : 15 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user cod3 : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user web4 : 3 time(s)

For comparison:

 --------------------- Kernel Begin ------------------------

Dropped 361 packets on interface eth0
  From 58.61.156.101 - 3 packets to tcp(22)
  From 59.77.25.61 - 27 packets to tcp(22)
  From 86.126.16.27 - 69 packets to tcp(22)
  From 86.126.78.53 - 99 packets to tcp(22)
  From 117.21.127.102 - 6 packets to tcp(22)
  From 124.254.7.198 - 16 packets to tcp(22)
  From 140.114.196.35 - 30 packets to tcp(22)
  From 202.103.0.117 - 27 packets to tcp(22)
  From 210.51.171.74 - 30 packets to tcp(22)
  From 210.245.81.31 - 15 packets to tcp(22)
  From 219.148.34.4 - 25 packets to tcp(22)
  From 220.184.13.87 - 14 packets to tcp(22)

Logged 23 packets on interface eth0
  From 58.61.156.101 - 1 packet to tcp(22)
  From 59.77.25.61 - 2 packets to tcp(22)
  From 86.126.16.27 - 5 packets to tcp(22)
  From 117.21.127.102 - 2 packets to tcp(22)
  From 124.254.7.198 - 2 packets to tcp(22)
  From 140.114.196.35 - 2 packets to tcp(22)
  From 202.103.0.117 - 2 packets to tcp(22)
  From 210.51.171.74 - 2 packets to tcp(22)
  From 210.245.81.31 - 2 packets to tcp(22)
  From 219.148.34.4 - 2 packets to tcp(22)
  From 220.184.13.87 - 1 packet to tcp(22)

 ---------------------- Kernel End -------------------------

On this LAN, the firewall is a Debian box, and there's a DNAT rule to forward ssh to my desktop (I'm the only user expected to login remotely) which is running Nahant-clone. I don't think anyone's going to guess passwords for this system, they'd need a distributed attack, and there are easier systems to crack.



--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
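A fail2ban-style check over the kind of /var/log/secure lines quoted in the thread, added here as an example and not code from either poster: it applies a `Failed password` regex, counts hits per source address inside a sliding `findtime` window and honours `ignoreip`, which is the first thing to verify when a jail sees waves of attempts but never bans anything. The sample lines beyond the quoted ones, the `maxretry`/`findtime` values and the assumed year are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the /var/log/secure excerpt in the thread
# (the 200.66.82.51 lines follow the quoted ones; the 192.168.1.42 lines are invented).
SAMPLE_LOG = """\
May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51  user=nagios
May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May  3 08:41:30 lion sshd[30070]: Failed password for invalid user web7 from 200.66.82.51 port 35510 ssh2
May  3 08:41:41 lion sshd[30072]: Failed password for root from 200.66.82.51 port 35522 ssh2
May  3 09:10:05 lion sshd[30100]: Failed password for doc from 192.168.1.42 port 50001 ssh2
May  3 09:10:09 lion sshd[30100]: Failed password for doc from 192.168.1.42 port 50001 ssh2
May  3 09:10:14 lion sshd[30100]: Failed password for doc from 192.168.1.42 port 50001 ssh2
"""

# Only the "Failed password" line is counted: the pam_unix line describes the same
# attempt, and matching both would count every failure twice.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(text, year=2009):
    """Yield (timestamp, ip, user) per failed login; syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def hosts_to_ban(text, maxretry=3, findtime=600, ignoreip=("192.168.1.1/24",)):
    """Return source IPs with >= maxretry failures inside a sliding findtime window,
    skipping addresses covered by ignoreip (the fail2ban semantics)."""
    # strict=False because 192.168.1.1/24 (as written in the thread) has host bits set
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = set()
    for ts, ip, _user in sorted(parse_failures(text)):
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        recent[ip].append(ts)
        # forget failures older than findtime seconds relative to this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))  # ['200.66.82.51']
```

If the regex returns nothing for real log lines, the jail's filter is the problem rather than the action, which is the same split fail2ban's own `fail2ban-regex` tool lets you make.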

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list