On 21/08/2015 19:41, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 3:52 PM, Marco Calistri <marco.calistri@yahoo.com.br> wrote:
On 21/08/2015 12:44, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring /var/log/messages and I noticed this kind of warning (there are many similar ones):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Do I have to be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by Spamhaus. Do the other warnings reference the same IP?
Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?
Regards, Lew
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common they aren't worth mentioning.
I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block.
Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.)
I think most of the failed attempts try to log in as root. I also have all root ssh access disabled.
Greg
Greg,
Interesting!
This app, fail2ban, is it difficult to set up?
Thanks also for pointing out the important detail about ssh root access, I will check my ssh configuration.
It is most probable that my laptop has been attacked for many days or even months and I had not yet noticed it!
Regards,
--
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
You should start a new thread, but it is not hard to use. Unfortunately I don't think it can be set up via YaST.
I have a newer fail2ban release installed from OBS (fail2ban-0.9.2). It is easier to set up, I think. The below may only apply to that version:
It uses an override file /etc/fail2ban/jail.local. Here's mine:
========================> jail.local <================
# Fail2Ban jail base specification file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = "put your email address here"

[sshd]
enabled = true
action = %(action_)s

[sshd-ddos]
enabled = true
action = %(action_mw)s

# Added by GAF (Greg Freemyer) from a v8.x recipe
[ssh-repeater]
enabled = true
filter = sshd
action = %(action_mw)s
logpath = %(sshd_log)s
maxretry = 21
findtime = 31536000
bantime = 31536000
===============================================================
I deleted my email address. Also I deleted my IPs from the "ignoreip" line above. You should add any static IPs you use so you don't disable your own access inadvertently.
Note [ssh-repeater] is not part of the base install, so I also have to have an extra action file:
======== /etc/fail2ban/action.d/iptables-repeater.conf
# Fail2ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
#
# This file is NOT part of openSUSE default. It was added by GAF (Greg Freemyer)
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-ssh
              iptables -A fail2ban-REPEAT-ssh -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-ssh
# set up from the static file (it must exist, even if empty; comment lines are skipped)
              cat /etc/fail2ban/ip.blocklist.ssh | grep -v '^\s*#' | awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-ssh 1 -s $IP -j DROP; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-ssh
             iptables -F fail2ban-REPEAT-ssh
             iptables -X fail2ban-REPEAT-ssh

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-ssh

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-ssh 1 -s <ip> -j DROP
# also put into the static file to re-populate after a restart
            ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.ssh && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.ssh

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true

[Init]

# Default name of the chain
#
name = REPEAT
============================================================================================
It seems to be working fine.
Greg
Thanks for the details, Greg. I will think about it, even though my system is not online 24 hours a day.
Regards,
--
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
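As an added example (not code from the thread, from fail2ban, or from any of the posters), the following Python script replays the two jails in Greg's jail.local over a constructed /var/log/messages excerpt: an [sshd] jail using fail2ban's stock jail.conf defaults (maxretry = 5, findtime = bantime = 600 s; assumed here because the posted jail.local does not override them) and the [ssh-repeater] jail with maxretry = 21 and a one-year findtime and bantime as posted. The attacker address is the one Marco quoted; the log lines, hostname, ports, PIDs and timings are constructed. The script also parses the audit record Marco asked about (type=2404 is the audit CRYPTO_KEY_USER record, which sshd's Linux audit support emits when it discards a key at connection teardown, so one appears per connection whether or not the login succeeded) and shows that neither jail counts it: only the "Failed password" lines that fail2ban's sshd filter looks for drive the bans.

```python
"""
Replay of the [sshd] and [ssh-repeater] jails over a constructed log.
Added example for this thread, not fail2ban's own code; the log excerpt,
hostname, ports and timings are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTACKER = "125.121.146.24"   # the address quoted in the thread; all else is made up
T0 = datetime.fromisoformat("2015-08-21T11:16:05-03:00")

# The classic sshd failure line (what fail2ban's sshd filter matches), with the
# ISO 8601 timestamp that /var/log/messages uses on this openSUSE box.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
# The audit record Marco asked about: type=2404 is CRYPTO_KEY_USER.
AUDIT_RE = re.compile(r"audit: type=(?P<type>\d+) .*?op=(?P<op>\w+) .*?addr=(?P<addr>[\d.]+)")


def parse_audit(line):
    """Return the type, op and addr fields of an audit record, or None."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None


class Jail:
    """One fail2ban-style jail: maxretry matches within findtime => ban for bantime."""

    def __init__(self, name, maxretry, findtime, bantime, ignoreip=("127.0.0.1",)):
        self.name = name
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent matches
        self.bans = {}                      # ip -> time the ban expires

    def feed(self, line):
        """Feed one log line; return the IP if this line triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                     # audit records and other noise never count
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        # Expire bans against the log's own clock so the replay is deterministic.
        for banned, until in list(self.bans.items()):
            if until <= ts:
                del self.bans[banned]
        # In real life the firewall drops a banned host's packets; here we simply
        # stop counting it. Hosts on ignoreip are never counted at all.
        if ip in self.ignoreip or ip in self.bans:
            return None
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # sliding findtime window
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def make_sample_log(bursts=5, per_burst=5, gap=3700, spacing=10):
    """Constructed excerpt: five failed root logins from 127.0.0.1 (covered by
    ignoreip), then `bursts` bursts of `per_burst` failures from ATTACKER, each
    burst starting `gap` seconds after the previous one so the short [sshd] ban
    has already expired, with a type=2404 audit record after every burst."""
    lines = []
    for i in range(per_burst):
        ts = (T0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} linux-turion64 sshd[4300]: Failed password for root from 127.0.0.1 port 40000 ssh2")
    for b in range(bursts):
        for i in range(per_burst):
            ts = (T0 + timedelta(seconds=b * gap + i * spacing)).isoformat()
            lines.append(f"{ts} linux-turion64 sshd[4260]: Failed password for root from {ATTACKER} port 51234 ssh2")
        ts = (T0 + timedelta(seconds=b * gap + per_burst * spacing)).isoformat()
        lines.append(
            f"{ts} linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): "
            f"pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server "
            f"fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 "
            f"exe=\"/usr/sbin/sshd\" hostname=? addr={ATTACKER} terminal=? res=success'"
        )
    return lines


def run_jails(lines):
    """Replay the log through [sshd] (assumed stock defaults: maxretry=5,
    findtime=bantime=600) and [ssh-repeater] (maxretry=21, findtime=bantime=
    one year, as in jail.local). Returns (line number, jail, ip) per ban."""
    jails = (
        Jail("sshd", maxretry=5, findtime=600, bantime=600),
        Jail("ssh-repeater", maxretry=21, findtime=31536000, bantime=31536000),
    )
    events = []
    for n, line in enumerate(lines, 1):
        for jail in jails:
            ip = jail.feed(line)
            if ip:
                events.append((n, jail.name, ip))
    return events


if __name__ == "__main__":
    for n, jail, ip in run_jails(make_sample_log()):
        print(f"line {n:2d}: {jail} bans {ip}")
```

Run it and the [sshd] jail bans the attacker at the fifth failure of every burst, while the repeater, which never forgets within its one-year window, bans on the first line of the fifth burst, the 21st failure overall; that is the "after N temporary blocks it does a permanent block" behaviour Greg described, expressed as plain counting. The 127.0.0.1 failures and the audit records produce no bans, which is the point to verify before trusting a jail: a filter that matched the CRYPTO_KEY_USER line would ban every address that ever connected, including your own.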