Block repeated illegal or failed SSH logins

From FreeBSDwiki
Latest revision as of 16:22, 25 August 2012

Introduction

We're starting to see a rash of password guessing attacks via SSH on exposed BSD servers which are running the SSH daemon. These login attempts are coming from multiple addresses, which makes some people suspect that they're being carried out by a network of "bots" rather than a single attacker.

Limiting SSH login sessions

In your sshd_config file the following settings can also help slow down such attacks.

  • LoginGraceTime
    The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
  • MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon-separated values "start:rate:full" (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).

Firewall repeated illegal or failed SSH login attempts

To firewall failed login attempts, a simple script that scans the log file for illegal or failed attempts and firewalls the repeated source IPs will do the trick. It will slow down and stop a brute-force dictionary login attack.

Using the examples below you can create a file called sshd-fwscan.sh, then use cron to run the file every x minutes and it will automatically firewall the IP once it detects 5 or more failed login attempts.

/etc/syslog.conf

You need an auth.* line in your syslog.conf file in order to log all authentications.

auth.*                                          /var/log/auth.log

Using IPFW

sshd-fwscan.sh

#!/bin/sh
if ipfw show | awk '{print $1}' | grep -q 20000 ; then
        ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users
# No check for duplicate entries is performed, since the rule
# has been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from $ip to any in
done

Note: To make sure IPs expire, we delete and re-add firewall rule 20000 each time, so once an IP no longer appears repeatedly in auth.log it is no longer firewalled.

Using IPF

sshd-fwscan.sh

#!/bin/sh
# Remove every rule currently in group 20000. IFS is set to a newline so that
# each rule line is handed to ipf whole, then restored, because "read num ips"
# below needs the default whitespace splitting to separate the count from the IP.
OLDIFS=$IFS
IFS='
'
for rules in `ipfstat -i | grep "group 20000"` ; do
       echo "$rules" | ipf -r -f -
done
IFS=$OLDIFS
# Addresses that appear more than once in "Illegal user" messages
for ips in `cat /var/log/auth.log | grep sshd | grep "Illegal" | awk '{print $10}' | uniq -d` ; do
       echo "block in quick from $ips to any group 20000" | ipf -f -
done
# Addresses with more than 5 "Failed" messages (the IP is the 4th field from the end)
cat /var/log/auth.log | grep sshd | grep "Failed" | rev | cut -d\  -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ $num -gt 5 ]; then
        if ! ipfstat -i | grep -q $ips ; then
            echo "block in quick from $ips to any group 20000" | ipf -f -
        fi
    fi
  done
)

Note: To make sure IPs expire, we delete and re-add group 20000 of the firewall each time, so once an IP no longer appears repeatedly in auth.log it is no longer firewalled. You will need to add a rule like "block in on rl0 from any to any head 20000" to your ipf rule set (BEFORE your actual blocking group of rules) for this to work.

Using PF

sshd-fwscan.sh

#!/bin/sh
# Empty the table so addresses that no longer appear in the log expire
/sbin/pfctl -t ssh-violations -T flush
# Addresses that appear more than once in "illegal user" messages
for ips in `cat /var/log/auth.log | grep sshd | grep -i "illegal" | awk '{print $10}' | uniq -d` ; do
       /sbin/pfctl -t ssh-violations -T add $ips
done
# Addresses with more than 5 "failed" messages (the IP is the 4th field from the end)
cat /var/log/auth.log | grep sshd | grep -i "failed" | rev | cut -d\  -f 4 | rev | sort | uniq -c | \
( while read num ips; do
    if [ $num -gt 5 ]; then
        # Check the table contents; "pfctl -s rules" lists only the rules,
        # which name the table but never contain the individual addresses
        if ! /sbin/pfctl -t ssh-violations -T show | grep -qw -- "$ips" ; then
            /sbin/pfctl -t ssh-violations -T add $ips
        fi
    fi
  done
)

Note: To make sure IPs expire, we flush and refill the table called ssh-violations each time, so once an IP no longer appears repeatedly in auth.log it is no longer firewalled.
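The three scripts above share one detection step: count illegal or failed sshd logins per source address and block the addresses over the threshold. The following is an added example, not the wiki's sshd-fwscan.sh, that does the counting in a single awk pass (so it does not depend on a fixed field number like $10) and prints the pfctl commands instead of running them; count_failures, offenders, pf_commands and the sample log are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the wiki's sshd-fwscan.sh: one awk pass over auth.log that
# counts illegal/failed sshd logins per source address and prints the pfctl
# commands the scanning script would run. Assumes the message formats quoted on
# this page and the ssh-violations table from /etc/pf.conf.

# Print "count ip" per address, most frequent first. The address is the token
# after "from", so hostname or pid width cannot shift the column the way a
# fixed awk '{print $10}' can.
count_failures() {
    awk '/sshd\[/ && (/Invalid user/ || /Illegal user/ ||
                      /Failed password/ || /authentication error/) {
             for (i = 1; i < NF; i++)
                 if ($i == "from") { hits[$(i + 1)]++; break }
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Addresses with more than $2 failures (default 5, matching the page's -gt 5).
offenders() {
    count_failures "$1" | awk -v t="${2:-5}" '$1 > t { print $2 }'
}

# Emit the pfctl calls: flush the table, then re-add every current offender,
# which is how the page's script lets stale addresses expire. Printed rather
# than executed; pipe the output to sh as root to apply it.
pf_commands() {
    echo "/sbin/pfctl -t ssh-violations -T flush"
    offenders "$1" "$2" | while read -r ip; do
        echo "/sbin/pfctl -t ssh-violations -T add $ip"
    done
}

# Constructed sample log (documentation addresses, not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 25 16:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Aug 25 16:01:03 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug 25 16:01:05 host sshd[1240]: Invalid user oracle from 192.0.2.10
Aug 25 16:01:06 host sshd[1240]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Aug 25 16:01:08 host sshd[1251]: Invalid user test from 192.0.2.10
Aug 25 16:01:09 host sshd[1251]: Failed password for invalid user test from 192.0.2.10 port 51251 ssh2
Aug 25 16:02:11 host sshd[1302]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Aug 25 16:02:20 host sshd[1310]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
Aug 25 16:03:01 host sshd[1320]: error: PAM: authentication error for illegal user guest from 198.51.100.4
EOF
pf_commands "$SAMPLE_LOG"
```

On the sample log only 192.0.2.10 crosses the default threshold (6 matching lines); the single failure from 203.0.113.7 and the one PAM error from 198.51.100.4 are counted but not blocked.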

/etc/pf.conf

table <ssh-violations> persist file "/etc/ssh-violations"
...
block drop in from <ssh-violations> to any

Note: When using the OpenBSD Packet Filter (PF) you must also edit your pf.conf file to add the above table and rule.

Important: If this rule is added before a "pass in" rule for port 22, use the "quick" option to ensure that OpenBSD Packet Filter (PF) drops the packet immediately, without further inspection of the ruleset. See man 5 pf.conf for details.

Copyrights

sshd-fwscan.sh

# Copyright (c) 2004,2005 RPTN.Net,
# Copyright (c) 2005 DaveG.ca, 
# Copyright (c) 2006 Bob (kba at ats32.ru)
# You may use this code under the GPL, version 2 or newer.
# Updates for IPF by Sasha.by

Automatically firewall IPs

/etc/crontab

In order to have the script run every 10 minutes and firewall offenders you can use something like this in your crontab file:

*/10    *       *       *       *       root    /operator/sshd-fwscan.sh

Note: Some users might prefer a tailing method rather than a scanning/searching method, but all we really want is to slow down such attacks to reduce their chances of cracking a user account, without wasting our resources. The odds of a password being cracked in under 10 minutes should be low. (The longer the password is, mixed with letters, numbers and symbols, the longer it takes to crack.)

External links

  • BruteForceBlocker (http://danger.rulez.sk/projects/bruteforceblocker/) is a script that works along with pf, OpenBSD's firewall.
  • DenyHosts (http://denyhosts.sourceforge.net/), a similar tool (available in security/denyhosts in ports)
  • fail2ban (http://fail2ban.sourceforge.net/), a similar tool
  • blockhosts (http://www.aczoom.com/cms/blockhosts/), a similar tool
  • blacklist (http://blinkeye.ch/mediawiki/index.php/SSH_Blocking), a similar tool
  • sshguard (http://sshguard.sourceforge.net), a similar tool