[opensuse-factory] sshd attacks blocked by default request
Just do the following as root:

grep sshd /var/log/messages | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n

As most people know, sshd attacks are very common. Also there are various tools out there that can be used to block these attacks.

Would there be a possibility to have such a thing included in 10.2?

Some scripts that are out there:
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.aczoom.com/cms/blockhosts
http://www.securiteam.com/tools/5JP0520G0Q.html
http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
http://denyhosts.sourceforge.net/

And I am sure there are several more. I think it would help make SUSE a bit safer and clean up the logfiles rather nicely.

It should be something that does not run with cron, as it is too slow to run only each minute.
--
From the day the male foetus' hands grow long enough to grasp at their 'third leg', until the man in question is dead and buried, the penis is a constant source of amusement and amazement to those of the male gender. http://www.bbc.co.uk/dna/h2g2/A219061
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-factory-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory-help@opensuse.org
On Sun, Jul 16, 2006 at 12:24:57PM +0200, houghi wrote:
> Just do the following as root:
>
> grep sshd /var/log/messages | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n
>
> As most people know, sshd attacks are very common. Also there are various tools out there that can be used to block these attacks.
>
> Would there be a possibility to have such a thing included in 10.2?
>
> Some scripts that are out there:
> http://www.csc.liv.ac.uk/~greg/sshdfilter/
> http://www.aczoom.com/cms/blockhosts
> http://www.securiteam.com/tools/5JP0520G0Q.html
> http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
> http://denyhosts.sourceforge.net/
>
> And I am sure there are several more. I think it would help make SUSE a bit safer and clean up the logfiles rather nicely.
>
> It should be something that does not run with cron, as it is too slow to run only each minute.
If you are interested, I now use http://www.aczoom.com/cms/blockhosts as it tests each and every time when a connection is made. The only thing I needed to edit was to let it look at /var/log/messages and three extra lines in /etc/hosts.allow

Strangely the RPM on the site gave an error about env not being available, so I used the gzipped file.
--
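A log-driven version of the grep/awk pipeline and of the blockhosts idea from the two messages above, as an added example that is not code from the thread or from blockhosts: it parses sshd "Invalid user" lines, counts them per source address and renders hosts.deny style entries for sources over a threshold. The threshold, the sample log lines and the addresses are constructed for illustration.

```python
"""Added example (not code from the thread or from blockhosts): count sshd
'Invalid user' attempts per source address, as the grep|awk|sort|uniq -c
pipeline does, and emit hosts.deny / hosts.allow deny entries for sources
that reach an assumed threshold."""
import re
from collections import Counter

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
THRESHOLD = 3   # assumed: deny a source after this many invalid-user attempts


def parse_invalid_users(lines):
    """Yield (user, ip) for each sshd 'Invalid user' line; other lines are skipped."""
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def count_by_source(lines):
    """Attempts per source IP: the equivalent of awk '{print $NF}' | sort | uniq -c."""
    return Counter(ip for _, ip in parse_invalid_users(lines))


def deny_entries(lines, threshold=THRESHOLD):
    """'sshd: <ip>' lines, in the tcp_wrappers format, for sources at or over the threshold."""
    counts = count_by_source(lines)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


# Constructed sample of /var/log/messages (documentation addresses), not a real capture.
SAMPLE_LOG = """\
Jul 16 12:20:01 box sshd[4101]: Invalid user admin from 198.51.100.7
Jul 16 12:20:03 box sshd[4103]: Invalid user oracle from 198.51.100.7
Jul 16 12:20:05 box sshd[4105]: Invalid user test from 198.51.100.7
Jul 16 12:21:10 box sshd[4110]: Accepted publickey for houghi from 203.0.113.5 port 40312 ssh2
Jul 16 12:22:40 box sshd[4120]: Invalid user guest from 192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{n:4d} {ip}")
    print("\n".join(deny_entries(SAMPLE_LOG)))
```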
Hello,

On Sunday, 16 July 2006 12:24, houghi wrote:
> As most people know, sshd attacks are very common. Also there are various tools out there that can be used to block these attacks.
> [...]
> It should be something that does not run with cron, as it is too slow to run only each minute.
The ipt_recent module can do this job without adding a new package: https://bugzilla.novell.com/show_bug.cgi?id=104602

The only problem with this: it will also block IPs that legally open more than the allowed number of SSH connections per minute - but I don't consider this a real problem, who needs more than 5 [1] new SSH connections per minute? ;-)

Regards,

Christian Boltz

[1] number is configurable, of course
--
Use of the database for the Bunte Mischung Deutschland is postponed indefinitely owing to the programmer's stupidity. We apologise for the delay and hope for your understanding! [Andreas Schott]
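To make the trade-off Christian describes concrete, here is an added example (not code from the thread, from SuSEfirewall2 or from the bugzilla entry) that models the ipt_recent rule in Python: a source is dropped once it already has 5 hits within 60 seconds, and every attempt, accepted or dropped, refreshes its entry. The rule ordering, the parameters and the sample traffic are assumptions; the run shows both the brute-forcer being cut off and a legitimate sixth session in one minute being dropped.

```python
# Model of the ipt_recent rule from the thread (added example, not SuSEfirewall2 code).
# Assumed rule order: "--update --seconds 60 --hitcount 5 -j DROP" is checked first,
# then "--set -j ACCEPT" records the attempt; with --update, dropped attempts count too.
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds
HITCOUNT = 5          # --hitcount


class RecentTable:
    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def decide(self, ip, now):
        """Verdict ('ACCEPT' or 'DROP') for a new SSH connection from ip at time now."""
        q = self.hits[ip]
        while q and now - q[0] >= self.seconds:  # forget hits outside the window
            q.popleft()
        verdict = "DROP" if len(q) >= self.hitcount else "ACCEPT"
        q.append(now)  # the attempt is recorded whether accepted or dropped
        return verdict


def simulate(events, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """events: iterable of (timestamp_seconds, source_ip); returns [(t, ip, verdict)]."""
    table = RecentTable(seconds, hitcount)
    return [(t, ip, table.decide(ip, t)) for t, ip in sorted(events, key=lambda e: e[0])]


def drops_per_source(results):
    """How many attempts per source the rule dropped."""
    counts = defaultdict(int)
    for _, ip, verdict in results:
        if verdict == "DROP":
            counts[ip] += 1
    return dict(counts)


# Constructed traffic (documentation addresses): a brute-forcer knocking once a
# second, and a legitimate admin who opens six sessions within a minute and
# comes back later.  The sixth legitimate session is the false positive.
EVENTS = [(t, "198.51.100.7") for t in range(10)] + \
         [(t, "203.0.113.5") for t in (0, 5, 10, 15, 20, 25, 100)]

if __name__ == "__main__":
    for t, ip, verdict in simulate(EVENTS):
        print(f"t={t:3d} {ip:15} {verdict}")
    print(drops_per_source(simulate(EVENTS)))
```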
On Sun, Jul 16, 2006 at 03:33:18PM +0200, Christian Boltz wrote:
> Hello,
>
> On Sunday, 16 July 2006 12:24, houghi wrote:
>
> > As most people know, sshd attacks are very common. Also there are various tools out there that can be used to block these attacks.
> > [...]
> > It should be something that does not run with cron, as it is too slow to run only each minute.
>
> The ipt_recent module can do this job without adding a new package: https://bugzilla.novell.com/show_bug.cgi?id=104602
>
> The only problem with this: it will also block IPs that legally open more than the allowed number of SSH connections per minute - but I don't consider this a real problem, who needs more than 5 [1] new SSH connections per minute? ;-)
Most users will indeed not need more than 5 new SSH connections per minute from the same IP. And if they do, then most likely they have some experience with sshd servers and should be able to figure things out themselves after turning off ipt_recent.

I have not enough experience in these things to know whether or not blocking IPs at that level is unwanted. Perhaps for SLED or SLES it is.

The advantage of e.g. blockhosts is that it is much easier to configure. All you need to do is edit /etc/hosts.allow

It is always good to have alternatives to look at and then decide what is the best way to go. What has the least disadvantages. We agree luckily that something should be done by default when sshd is running.

Talking about sshd, is there a reason that ssh 1 is still active as well by default? (or has that changed?)
--
Christian Boltz wrote:
> Hello,
>
> On Sunday, 16 July 2006 12:24, houghi wrote:
>
> > As most people know, sshd attacks are very common. Also there are various tools out there that can be used to block these attacks.
> > [...]
> > It should be something that does not run with cron, as it is too slow to run only each minute.
>
> The ipt_recent module can do this job without adding a new package: https://bugzilla.novell.com/show_bug.cgi?id=104602
Tried adding the suggested rules into /etc/sysconfig/scripts/SuSEfirewall2-custom. They don't seem to get loaded, the new rules don't show with 'iptables --list'. They do load if you issue the commands manually after loading SuSEfirewall2. The ipt_recent kernel module gets loaded.

Then I logged in to a remote machine and attempted more than 4 connections in rapid sequence and the rule didn't trigger.

Did I do something wrong?

Rafael