Hi all,

I set up an SSH server a few weeks ago. During these weeks my server has been under very, very intensive brute force attacks (I have no idea how these bastards found my address). I would like to:

1. Disable ping. (I actually have added a rule to iptables to drop all ping packets but it still responds to it!)
2. Ban some known IP addresses, which are those addresses that have already been used for attacks.
3. Ban an IP address which tries to log in with a wrong username or password more than three times.

Any help will be appreciated. I would also like to know if iptables is the only way to perform these tasks or whether there are other ways to do so. I am using a P4 PC with one network card and OpenSuSE 10.3 installed.

Thanks,
Danesh

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
The Wednesday 2008-07-02 at 01:22 +0200, Danesh Daroui wrote:
> 3. Ban an IP address which tries to log in with a wrong username or password more than three times.
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> The Wednesday 2008-07-02 at 01:22 +0200, Danesh Daroui wrote:
>> 3. Ban an IP address which tries to log in with a wrong username or password more than three times.
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> --
> Cheers, Carlos E. R.
Hi,

- wow, wait a second...
- does this mean that your one-liner will/could nearly replace all the functionality of "Denyhosts"??
- if so, it's a little easier...with all due respect to Denyhosts.

--
Kind regards/best regards
Verner Kjærsgaard
Novell Certified Linux Professional 10035701
www.os-academy.dk
+45 56964223
The Wednesday 2008-07-02 at 23:04 +0200, Verner Kjærsgaard wrote:
> Carlos E. R. wrote:
>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> Hi,
> - wow, wait a second...
> - does this mean that your one-liner will/could nearly replace all the functionality of "Denyhosts"??
All, all.. dunno. It certainly does its job. But remember that the firewall is actually a script that reads the configuration file and generates a set of iptables rules. Before, it was a bit longer:

/etc/sysconfig/scripts/SuSEfirewall2-custom:

# every new SSH connection attempt (SYN) records its source in the "sshattack" list
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# 6 or more attempts from one source within 60 seconds: log it ...
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
# ... and reject it (--update refreshes the timestamp, so the block lasts while the attempts continue)
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
> - if so, it's a little easier...with all due respect to Denyhosts.
Sure :-)

--
Cheers,
Carlos E. R.
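The FW_SERVICES_ACCEPT_EXT entry above is what SuSEfirewall2 turns into iptables rules. As an added illustration (not the SuSEfirewall2 script itself, which uses its own chains and rule order), this POSIX sh function expands such an entry into recent-match rules the way the older custom script did; the DROP target, the defaults for blockseconds and recentname, and the plain-ACCEPT case for entries without hitcount are assumptions of the example.

```shell
#!/bin/sh
# Expand one SuSEfirewall2-style FW_SERVICES_ACCEPT_EXT entry into the iptables
# rules it stands for. Added illustration, not the real SuSEfirewall2 script:
# chain names, rule order and the DROP target are this example's choices.

# expand_accept_entry "net,proto,dport,sport[,hitcount=N,blockseconds=S,recentname=NAME]"
# Prints the rules on stdout; returns 1 on an unknown option.
expand_accept_entry() {
    entry=$1
    net=$(printf '%s' "$entry" | cut -d, -f1)
    proto=$(printf '%s' "$entry" | cut -d, -f2)
    dport=$(printf '%s' "$entry" | cut -d, -f3)
    sport=$(printf '%s' "$entry" | cut -d, -f4)
    opts=$(printf '%s' "$entry" | cut -d, -f5-)
    hitcount=; blockseconds=; recentname=
    old_ifs=$IFS; IFS=,
    for kv in $opts; do
        case $kv in
            hitcount=*)     hitcount=${kv#hitcount=} ;;
            blockseconds=*) blockseconds=${kv#blockseconds=} ;;
            recentname=*)   recentname=${kv#recentname=} ;;
            *) IFS=$old_ifs; echo "unknown option: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    match="-s $net -p $proto --dport $dport"
    [ -n "$sport" ] && match="$match --sport $sport"
    # for TCP count connection attempts (SYN), not every packet of a session
    [ "$proto" = tcp ] && match="$match --syn"
    if [ -z "$hitcount" ]; then
        printf 'iptables -A INPUT %s -j ACCEPT\n' "$match"
        return 0
    fi
    # defaults (assumed by this example): 60 s window, list named after proto+port
    : "${blockseconds:=60}" "${recentname:=${proto}${dport}}"
    # 1) record the source; 2) drop if it already hit N times within S seconds
    #    (--update refreshes the timestamp, so a persistent attacker stays blocked);
    # 3) otherwise accept.
    printf 'iptables -A INPUT %s -m recent --name %s --set\n' "$match" "$recentname"
    printf 'iptables -A INPUT %s -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
        "$match" "$recentname" "$blockseconds" "$hitcount"
    printf 'iptables -A INPUT %s -j ACCEPT\n' "$match"
}

expand_accept_entry "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
```

Run it as an ordinary user to review the rules; only the printed commands themselves need root.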
* Carlos E. R. <robin.listas@telefonica.net> [07-02-08 17:53]:
> The Wednesday 2008-07-02 at 23:04 +0200, Verner Kjærsgaard wrote:
>> Carlos E. R. wrote:
>>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
you put this in: /etc/sysconfig/scripts/SuSEfirewall2-custom:
or assign it to FW_SERVICES_ACCEPT_EXT via yast2?

tks,
--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
The Wednesday 2008-07-02 at 18:11 -0400, Patrick Shanahan wrote:
>> The Wednesday 2008-07-02 at 23:04 +0200, Verner Kjærsgaard wrote:
>>> Carlos E. R. wrote:
>>>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> you put this in: /etc/sysconfig/scripts/SuSEfirewall2-custom:
> or assign it to FW_SERVICES_ACCEPT_EXT via yast2?
Either via Yast or directly into "/etc/sysconfig/SuSEfirewall2". This is "new" since 10.3, I think (10.2 doesn't have it).

--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> The Wednesday 2008-07-02 at 23:04 +0200, Verner Kjærsgaard wrote:
>> Carlos E. R. wrote:
>>> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
>> Hi,
>> - wow, wait a second...
>> - does this mean that your one-liner will/could nearly replace all the functionality of "Denyhosts"??
> All, all.. dunno. It certainly does its job. But remember that the firewall is actually a script that reads the configuration file and generates a set of iptables rules. Before, it was a bit longer:
>
> /etc/sysconfig/scripts/SuSEfirewall2-custom:
>
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
>> - if so, it's a little easier...with all due respect to Denyhosts.
> Sure :-)
> --
> Cheers, Carlos E. R.
Hi - thanks A LOT for the answer. This saves a lot of sweat...

- one Q, though.. would you put the above statement just before (inside) the very last "}" in the SuSEfirewall2-custom file?

--
Kind regards/best regards
Verner Kjærsgaard
Novell Certified Linux Professional 10035701
www.os-academy.dk
+45 56964223
The Thursday 2008-07-03 at 09:27 +0200, Verner Kjærsgaard wrote:
> Hi - thanks A LOT for the answer. This saves a lot of sweat...
> - one Q, though.. would you put the above statement just before (inside) the very last "}" in the SuSEfirewall2-custom file?
I had it in

fw_custom_before_antispoofing() {
    iptables ....
    true
}

Notice that you only need to use the custom file till opensuse 10.2. In 10.3 you use the token in the susefirewall config file instead.

--
Cheers,
Carlos E. R.
* Danesh Daroui <Danesh.D@bredband.net> [07-01-08 19:24]:
> I set up an SSH server a few weeks ago. During these weeks my server has been under very, very intensive brute force attacks (I have no idea how these bastards found my address). I would like to:
> 1. Disable ping. (I actually have added a rule to iptables to drop all ping packets but it still responds to it!)
Yast2 -> sysconfig editor -> Firewall -> SuSEfirewall2 ->
  FW_ALLOW_PING_FW
  FW_ALLOW_PING_DMZ
  FW_ALLOW_PING_EXT
> 2. Ban some known IP addresses, which are those addresses that have already been used for attacks.
> 3. Ban an IP address which tries to log in with a wrong username or password more than three times.
edit /etc/sysconfig/SuSEfirewall2
  FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

then in /etc/sysconfig/scripts/SuSEfirewall2-custom at:
  fw_custom_after_antispoofing()
    iptables -I INPUT 1 -s <ip-address>/24 -j DROP

w/o the gt/lt brackets.
> Any help will be appreciated. I would also like to know if iptables is the only way to perform these tasks or whether there are other ways to do so. I am using a P4 PC with one network card and OpenSuSE 10.3 installed.
look at packages, fail2ban and DenyHosts

--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
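What fail2ban and DenyHosts add for item 3 is the part a SYN counter cannot see: they read sshd's log and ban the source addresses that actually failed authentication. As an added example, not code from either project, here is that logic in POSIX sh over constructed sshd log lines (RFC 5737 test addresses), emitting the kind of DROP rule Patrick shows above; the "Failed password ... from <ip>" line format is sshd's standard one.

```shell
#!/bin/sh
# Count failed sshd logins per source address and emit a DROP rule for each
# address at or above a threshold. Added illustration, not DenyHosts or
# fail2ban code. The log lines below are constructed for the example.

SAMPLE_LOG=$(cat <<'EOF'
Jul  2 01:22:31 box sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jul  2 01:22:33 box sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Jul  2 01:22:35 box sshd[4103]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jul  2 01:23:02 box sshd[4110]: Failed password for danesh from 198.51.100.7 port 40200 ssh2
Jul  2 01:23:40 box sshd[4111]: Accepted publickey for danesh from 198.51.100.7 port 40201 ssh2
Jul  2 01:25:09 box sshd[4120]: Failed password for invalid user test from 203.0.113.5 port 3333 ssh2
EOF
)

# brute_force_sources THRESHOLD
# Reads log lines on stdin, prints (sorted) every source IP with >= THRESHOLD failures.
# Only "Failed password" lines count, so a user who mistypes once and then
# logs in with a key (198.51.100.7 above) is not banned.
brute_force_sources() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# ban_rules THRESHOLD
# Reads log lines on stdin, prints one iptables command per offending IP
# (to be run as root; printing instead of executing lets you review the list).
ban_rules() {
    brute_force_sources "$1" | while read -r ip; do
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

On a live 10.3 box the same functions would read /var/log/messages (where sshd logs via syslog) instead of the constructed sample.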
Danesh Daroui wrote:
> Hi all,
>
> I set up an SSH server a few weeks ago. During these weeks my server has been under very, very intensive brute force attacks (I have no idea how these bastards found my address). I would like to:
>
> 1. Disable ping. (I actually have added a rule to iptables to drop all ping packets but it still responds to it!)
> 2. Ban some known IP addresses, which are those addresses that have already been used for attacks.
> 3. Ban an IP address which tries to log in with a wrong username or password more than three times.
>
> Any help will be appreciated. I would also like to know if iptables is the only way to perform these tasks or whether there are other ways to do so. I am using a P4 PC with one network card and OpenSuSE 10.3 installed.
>
> Thanks,
> Danesh
Hi

I've used this a lot of times: http://denyhosts.sourceforge.net/ - with great success.

--
Kind regards/best regards
Verner Kjærsgaard
Novell Certified Linux Professional 10035701
Danesh Daroui wrote:
> Hi all,
>
> I set up an SSH server a few weeks ago. During these weeks my server has been under very, very intensive brute force attacks (I have no idea how these bastards found my address). I would like to:
>
> 1. Disable ping. (I actually have added a rule to iptables to drop all ping packets but it still responds to it!)
> 2. Ban some known IP addresses, which are those addresses that have already been used for attacks.
> 3. Ban an IP address which tries to log in with a wrong username or password more than three times.
>
> Any help will be appreciated. I would also like to know if iptables is the only way to perform these tasks or whether there are other ways to do so. I am using a P4 PC with one network card and OpenSuSE 10.3 installed.
>
> Thanks,
> Danesh
Hi Danesh,

Last week my old and trusted firewall crashed its disk. It had been running non-stop since 2005 with SuSE Linux 9.3. At that time there was little YaST (or none, I can't recall any more) for the firewall, and I worked with the config file directly. After a while I thought I knew how it works, until last week ...

I built a new firewall with new hardware and OpenSuSE 10.3. OpenVPN was needed too. Not knowing any more how it was all configured in 2005 (Alzheimer's greeting), I started doing it the same way as before. Then I also noticed a lot of these brute force attacks on 3 firewalls. DenyHosts was recommended by a friend who also programs in Python. I will install it as well.

On SuSEfirewall2: Not knowing how IP filters work, it was not clear to me what exactly was happening in my firewall. I learnt to list the kernel IP tables (iptables -nL), and was totally clueless about what I saw there and how all this works. A friend came over and gave me 2-3 hours of tutoring on kernel IP filtering while we wrote a complete script for my network with a VPN included in the rules. Since then I prefer to do a script by myself, because now I understand better how to configure a 'firewall' with iptables.

Do yourself a favour; learn how IP filters work and write your own iptables rules script. I'm a beginner, but it took me a day to get the basics, and with help I got a solid script for my situation working. BUT do not be mistaken, IP filtering is very complicated at some levels, but a basic firewall is not so hard. I disabled my SuSEfirewall2, just using my filter rules in a script file.

The first things to do, e.g., are to clean the iptables and set the built-in chains to default to drop (not reject) all packets as a start:

#!/bin/bash
# -F flushes all rules from every chain of the table
iptables -t nat -F
iptables -t filter -F
# -X deletes the (now empty) user-defined chains
iptables -t nat -X
iptables -t filter -X
# set default policy for built-in chains to drop
# (from this point until the ACCEPT rules below are loaded, nothing gets
#  through, so run this from the console rather than over SSH)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
....
### Variables ####
....
#### Rules ####
....
# then only open the needed ports and allow only the needed protocols
# Here I have about 40 lines of rules.

I will now start learning more, to get to grips with the more complex parts of IP filters, because we are building a network with external access over OpenVPN to a LAMP-based ERP system in house for our service personnel.

Maybe someone could suggest a good IP filters document for dummies as a first how-to; then the more complicated how-tos will make more sense.

HTH
Al
participants (5): Carlos E. R., Danesh Daroui, LLLActive@GMX.Net, Patrick Shanahan, Verner Kjærsgaard