Koozali.org: home of the SME Server

Auto block ssh port when hammered by certain IP

hecoms

Auto block ssh port when hammered by certain IP
« on: July 17, 2006, 12:24:04 AM »
An SME Server (6.01) of mine has been hammered by folks from Denmark for weeks now (24/7). It overloads the logfiles and I get an out of memory during the logrotate.
There is a project (perl script) at bruteforceblocker http://danger.rulez.sk/projects/bruteforceblocker/
This is for FreeBSD. Is this adaptable for SME Server? This would help a lot!

Regards Jaap

mmccarn
Auto block ssh port when hammered by certain IP
« Reply #1 on: July 17, 2006, 11:36:30 PM »
I never got auto-blocking working, but I used http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port to change my default port and haven't had an attack for months.

I know this is only a make-shift solution, but if it keeps your server running long enough to get the auto-blocking solution up and running, great!

raem
Re: Auto block ssh port when hammered by certain IP
« Reply #2 on: July 18, 2006, 03:48:55 AM »
hecoms

Much better from a security perspective is to disable ssh password access. Then configure your server & your client PC with public/private keys.
No one except you will be able to access your server then & no more logging of failed attempts as password access is disabled.
Ian Wells wrote a good howto for this, and it is fairly easy to implement.
...

boss_hog

Auto block ssh port when hammered by certain IP
« Reply #3 on: July 18, 2006, 06:36:31 AM »
Hi hecoms,
There is a nice little program that reads log files and writes the iptables rules as it goes.
It is called Daemon Shield. I have used it on a CentOS 4.3 server
and it worked as advertised. Link below:
http://sourceforge.net/projects/daemonshield/

I do not know if it is fully compatible with SME7, yet!
Try it at your own risk. I may be able to do some testing on an SME7 box
later this month.
Good luck
Joe

icpix

Auto block ssh port when hammered by certain IP
« Reply #4 on: July 20, 2006, 04:54:48 PM »
boss_hog----
Does that mean you may be contributing a daemonshield rpm?
----best wishes, Robert

boss_hog

Auto block ssh port when hammered by certain IP
« Reply #5 on: July 20, 2006, 07:00:58 PM »
Hi Robert,
> Does that mean you may be contributing a daemonshield rpm?

Well.... I have never built an RPM, but I would love to.
Building an RPM would help me to give something back to the SME.
So an answer? Maybe.

At the very least, I will put Daemon Shield on an SME7 box and
see if I can get it to work properly. Once successful, I would post
a How To.

If all goes well, maybe I can post back next month.
Joe

boss_hog

Auto block ssh port when hammered by certain IP
« Reply #6 on: July 20, 2006, 07:15:12 PM »
Oops,
after going back to Daemon Shield at freshmeat.net:
the program is claimed to be compatible with CentOS and RHEL.
By next week sometime, I should get an SME7 test box up
and running.
I will install (attempt to install) it on a fresh SME7.
See where it goes from there!
Joe

raem
Auto block ssh port when hammered by certain IP
« Reply #7 on: July 21, 2006, 03:55:50 AM »
boss_hog

> ...nice little program that reads log files and writes the iptables as it goes

Why even bother implementing this? You are only chasing your own tail as hackers keep changing IPs.
Secure your server & ssh connection properly with public/private keys as per the howto mentioned.
...

boss_hog

Auto block ssh port when hammered by certain IP
« Reply #8 on: July 21, 2006, 04:22:01 AM »
Hey Ray,
I won't waste the time trying to explain the idea of Daemon Shield in detail.
Anyone who may be interested can just go to freshmeat and delve into the spirit of things.
But as a crude synopsis:
It monitors the logs for FAILED login attempts over a set time frame.
Say you set it at 5 FAILED attempts per 1 minute, and it will lock the IP
of the "attacker" for a determined time, say 30 minutes.
It slows down the 200+ list of attempts in your logs and will slow
the bots down a little.

Joe

raem
Auto block ssh port when hammered by certain IP
« Reply #9 on: July 21, 2006, 04:34:36 AM »
boss_hog

No explanation needed. I understand what these types of programs do. I think it's Guardian (part of Snort Acid Guardian) that has already been implemented for sme.

I was just making a point about the concept: no matter how much you monitor & temporarily block access attempts, the hackers & robots will keep on trying, so why bother with these types of blocking scripts at all?
Secure your server properly.

You can totally STOP all ssh password based access attempts by disabling ssh password access and enabling public/private keys, and you will have a significantly more secure server in the process, and no numerous ssh log attempts showing in the log files ever again.

See this howto
http://no.longer.valid/phpwiki/index.php/SSH%20Public-Private%20Keys
...

calisun
Auto block ssh port when hammered by certain IP
« Reply #10 on: August 02, 2006, 07:40:34 PM »
It depends on the situation. If you will have only specific computers connecting to the server, then public/private keys work great. But if you have a lot of traveling sales people who sometimes connect to the server from their home computer, sometimes from a laptop on the road and sometimes from a hotel computer, passwords are the only way you can accomplish this.

So there is no one solution, it depends on the situation.
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

raem
Auto block ssh port when hammered by certain IP
« Reply #11 on: August 03, 2006, 04:28:33 AM »
calisun

> sometimes connect to the server from their home computer
> ...from laptop on the road...from hotel computer,
> passwords is the only way you can accomplish this.

They could have the key file (& Putty too) on a USB stick they carry with them and then be able to use any computer anywhere.
...

pmstewart
Auto block ssh port when hammered by certain IP
« Reply #12 on: March 18, 2007, 10:37:21 PM »
Ray,

Checking into your suggestion with p/p keys. Wondering if the how-to by Ian Wells is still applicable in 7.1.2 and, if it is, whether we should move it to the new wiki along with "changing the default ssh port"?

Regards,
Paul

raem
Auto block ssh port when hammered by certain IP
« Reply #13 on: March 18, 2007, 10:53:46 PM »
pmstewart

ssh p/p key access still works OK on sme 7.1.2 without modification after yum upgrades from sme 7.0, so I assume the howto is still applicable.
...

pmstewart
Auto block ssh port when hammered by certain IP
« Reply #14 on: March 19, 2007, 12:22:21 AM »
Thx Ray.....

leto

Auto block ssh port when hammered by certain IP
« Reply #15 on: March 19, 2007, 11:00:28 AM »
Using iptables, you can ban an IP that has failed X times for, say, 5 minutes.

It goes something like this:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP

That example bans for 300 seconds after 10 unsuccessful tries.

leto

Auto block ssh port when hammered by certain IP
« Reply #16 on: March 19, 2007, 11:01:09 AM »
Of course you'll need to replace 22 and eth0 with the port sshd is listening on and the name of your network iface.
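A log-driven blocker of the kind Joe sketches in Reply #8 (N failed logins inside a minute, lock the source for 30 minutes), as an added Python example that is neither Daemon Shield's code nor anything posted in this thread. Unlike the `-m recent` rules above, which count every new connection to the port, it counts only `Failed password` lines from sshd, so successful key or password logins never push a source toward the threshold, and the per-source DROP rule it emits needs no ipt_recent module. The log excerpt, the host name `sme` and the addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format (hypothetical host "sme", documentation addresses).
SAMPLE_LOG = """\
Jul 17 00:01:02 sme sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 17 00:01:05 sme sshd[4125]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 17 00:01:09 sme sshd[4127]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Jul 17 00:01:12 sme sshd[4129]: Accepted publickey for jaap from 198.51.100.2 port 40000 ssh2
Jul 17 00:01:15 sme sshd[4131]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Jul 17 00:01:20 sme sshd[4133]: Failed password for invalid user guest from 203.0.113.7 port 51256 ssh2
Jul 17 00:05:00 sme sshd[4140]: Failed password for jaap from 198.51.100.2 port 40010 ssh2
Jul 17 00:09:00 sme sshd[4141]: Failed password for jaap from 198.51.100.2 port 40011 ssh2
"""

# Only genuine failures count; "Accepted" lines and anything else are ignored.
FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+")

def scan(log_text, year=2006, max_fail=5, window_s=60, ban_s=1800):
    """Return {ip: ban_expiry} for every source with max_fail failures inside window_s seconds."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the sliding window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned and ts < banned[ip]:
            continue  # already dropped at the firewall; nothing new to learn
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if len(q) >= max_fail:
            banned[ip] = ts + timedelta(seconds=ban_s)
            q.clear()
    return banned

def block_commands(banned, port=22):
    """Per-source DROP rules a wrapper would apply; the same spec with -D lifts the ban at expiry."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    print("\n".join(block_commands(scan(SAMPLE_LOG))))
```

A real wrapper would tail the live log instead of a string, run the emitted command as root, and schedule the matching `-D` at the stored expiry.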

Curly
Auto block ssh port when hammered by certain IP
« Reply #17 on: March 19, 2007, 07:20:43 PM »
I'm not sure, but I think that SME does not contain the necessary module ipt_recent.