Linux Networking: Blocking attacks from spoofed IP addresses... (page 1 of 2)

Marty (Guest), Posted: Wed Sep 30, 2009 6:41 pm

Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
--
Reverse the parts of the e-mail address to reply by mail.

David Schwartz (Guest), Posted: Wed Sep 30, 2009 6:41 pm

On Sep 30, 5:41 pm, Marty <n... at (no spam) comcast.martyamodeo> wrote:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Since he can't even establish a TCP connection (because he can't get
the replies), there's probably not much benefit to filtering them out.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem.
Of course. MAC is an Ethernet thing, and those Ethernet packets
originate at your cable modem. Your modem is routing, not bridging.
Quote: I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
How can he attempt root logins? If he spoofs the source IP address, he
can't get the reply packet.
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
Filter all SSH from unknown IPs. Have a web page that allows you to
authorize an IP for SSH login.
I doubt it's one person (or if it is, he's using a botnet or multiple
machines). Since the TCP connections are establishing (I think you at
least implied that), then he must be receiving the packets.
DS

Grant (Guest), Posted: Wed Sep 30, 2009 8:08 pm

On Wed, 30 Sep 2009 17:41:28 -0700, Marty <net at (no spam) comcast.martyamodeo> wrote:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Do you need to?
Quote:
I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem.
There's no MAC addr for Internet packets, you may be able to correlate
TTL, but I don't see the point. I get SSH attempts quite frequently
from all over, but there's nothing listening on port 22 here.
Quote: I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Do you need to allow _any_ SSH logins? If so why not bump them to
another port? That way you can leave 22 closed.
Quote:
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
I don't see the point in assuming it's just one clown out there ;)
Grant.
--
http://bugsplatter.id.au

Allen Kistler (Guest), Posted: Wed Sep 30, 2009 8:42 pm

Marty wrote:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Welcome to the Internet. Lots of people are trying to get into
everybody else's ssh server.
Spoofing source addresses for TCP is mostly useless for anything other
than a DOS attack. The addresses you see are probably all real.
As for vocabulary, unless he's in your house, he's probably not on your
subnet.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
The MAC address is always the last hop. That's how routing works.
I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's harder
to guess an asymmetric key than any password you can dream up, no matter
how cool you think it is.
You can keep track of the IP addresses and block them. Or use a utility
to do it for you. I haven't needed to resort to things like fail2ban,
etc., but some people like them. I'll let them suggest their favorites.
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
There is no common thread. It's not one person. It's every kid with a
script, plus every criminal organization, plus maybe every cyberspy in
China. They're evil, they're your neighbors, and you can't move away.
Different people figure out different ways to deal with it. Now you get
to pick yours.
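Kistler's advice (key-only authentication, passwords off) is easy to get wrong in sshd_config because sshd keeps the first value it sees for a keyword, so a hardening line appended at the bottom of the file does nothing if an earlier line already set it. The audit below is an added example, not code from the thread or from OpenSSH: it parses a config with sshd's first-occurrence rule, reports every setting that still differs from what the thread recommends, and lists Match blocks for review. The sample configs are constructed, and the DEFAULTS table is an assumption about the OpenSSH defaults of the period.

```python
"""Audit an sshd_config for the settings recommended in this thread."""
import re

# What the thread recommends (Kistler: key-only auth; Marty: no root login).
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}
# Value sshd applies when the keyword is absent.  Assumption: these are the
# OpenSSH defaults of the period; newer releases default PermitRootLogin to
# "prohibit-password", which also refuses password logins as root.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return ({keyword: first value}, [Match block headers]).

    The FIRST occurrence of a keyword wins, as in sshd, so an appended
    hardening line never overrides an earlier weak one.  Settings inside
    Match blocks are conditional and are not folded into the global view;
    the block headers are returned so the reader can review them.
    """
    settings, match_blocks, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            match_blocks.append(value)
        elif not in_match:
            settings.setdefault(key, value)
    return settings, match_blocks


def audit(text):
    """Return {keyword: effective value} for each setting that still differs
    from the thread's recommendation; an empty dict means the config passes.
    'port' is included when sshd is left on 22, which Grant suggests changing."""
    settings, _ = parse_sshd_config(text)
    bad = {}
    for key, want in EXPECTED.items():
        got = settings.get(key, DEFAULTS[key]).lower()
        if got != want:
            bad[key] = got
    if settings.get("port", "22") == "22":
        bad["port"] = "22"
    return bad


# Constructed sample configs (not from any real host).
WEAK_CONFIG = """\
# Marty's starting point: root refused, but passwords still accepted on 22
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

APPENDED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
# ... later someone appends the "fix", which sshd silently ignores:
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# Passwords only for the office range Marty connects from (a choice to review)
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("appended", APPENDED_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit(cfg) or "OK", "Match blocks:", parse_sshd_config(cfg)[1])
```

The APPENDED_CONFIG case is the one worth checking on a real box: `sshd -T` prints the effective values and is the authoritative answer, but the audit shows why a file that looks hardened can still accept passwords.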

Jon Solberg (Guest), Posted: Wed Sep 30, 2009 9:04 pm

On 2009-10-01, David Schwartz <davids at (no spam) webmaster.com> wrote:
Quote: On Sep 30, 5:41 pm, Marty <n... at (no spam) comcast.martyamodeo> wrote:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
[...]
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
Filter all SSH from unknown IPs. Have a web page that allows you to
authorize an IP for SSH login.
Or use DenyHosts to block repeated failed login attempts (forever or
for a shorter time) if you can afford to.
--
Jon Solberg (remove "nospam" from email address).

Joe Pfeiffer (Guest), Posted: Wed Sep 30, 2009 9:56 pm

Marty <net at (no spam) comcast.martyamodeo> writes:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Why are you guessing he's on your subnet?
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Since they seem to be coming from your cable modem, why do you think
they're coming from somewhere other than the other side of your cable
modem?
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
--
As we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours;
and this we should do freely and generously. (Benjamin Franklin)

Marty (Guest), Posted: Wed Sep 30, 2009 10:46 pm

Grant wrote:
Quote: On Wed, 30 Sep 2009 17:41:28 -0700, Marty <net at (no spam) comcast.martyamodeo> wrote:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Do you need to?
My line of thinking was, if he's attacking this port, I don't want any
of his network traffic, because he's probably making other break-in
attempts through other means as well.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem.
There's no MAC addr for Internet packets, you may be able to correlate
TTL, but I don't see the point. I get SSH attempts quite frequently
from all over, but there's nothing listening on port 22 here.
I use SSH for myself, and I haven't moved the port. Maybe it's time to
consider doing so, but I might have to contend with corporate firewalls
then.
Quote: I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Do you need to allow _any_ SSH logins? If so why not bump them to
another port? That way you can leave 22 closed.
That sounds like the only viable option.
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
I don't see the point in assuming it's just one clown out there
Big assumption on my part, and after reading the responses here I'm
starting to see that it probably doesn't hold water.
The strange thing is that I never saw ANY of these attempts before
today! Sure I've seen ssh login attempts, but for other user names.
This one was consistently root, every time, every minute of the day,
using a non-interactive login. That's what made me think it was a
single person, possibly in close vicinity. Same MO on every attack,
which was unlike all previous attacks I had seen.
--
Reverse the parts of the e-mail address to reply by mail.

Marty (Guest), Posted: Wed Sep 30, 2009 10:54 pm

David Schwartz wrote:
Quote: On Sep 30, 5:41 pm, Marty <n... at (no spam) comcast.martyamodeo> wrote:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Since he can't even establish a TCP connection (because he can't get
the replies), there's probably not much benefit to filtering them out.
Good point, but again I'd like to stop any influence from this
"individual" (or group) if I can. SSH isn't the only vector into my
machine, I'm sure. It just happens to be one that I'm monitoring closely.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem.
Of course. MAC is an Ethernet thing, and those Ethernet packets
originate at your cable modem. Your modem is routing, not bridging.
In short, logic and reason dashes that one to bits. Thanks. :-)
Quote: I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
How can he attempt root logins? If he spoofs the source IP address, he
can't get the reply packet.
Never even stopped to consider that. Thanks. Could still be some kind
of DOS attack, and also indicates that other attacks may be underway
from this individual, but he won't get far with SSH (or anything really)
if he is spoofing. Could just gum up the works a bit. I'd rather he
thinks that I'm not there though, ideally.
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
Filter all SSH from unknown IPs. Have a web page that allows you to
authorize an IP for SSH login.
Might make things a little more painful for me, but does get the job
done. Thanks for the idea.
Quote: I doubt it's one person (or if it is, he's using a botnet or multiple
machines). Since the TCP connections are establishing (I think you at
least implied that), then he must be receiving the packets.
Yes, I think you are quite right. There is definitely two-way
communication occurring. The only question is if it's a pooled effort
or an individual one. In any case after 10 failed attempts in 24 hours,
I drop packets from the IP, so he'll burn up every IP he's got before he
gets through .0001% of the search space. Ok, I can rest on that I think.
--
Reverse the parts of the e-mail address to reply by mail.

Marty (Guest), Posted: Wed Sep 30, 2009 11:00 pm

Allen Kistler wrote:
Quote: Marty wrote:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Welcome to the Internet. Lots of people are trying to get into
everybody else's ssh server.
Yup. I'm not so naive that I didn't expect this. I was just concerned
that this seemed to be on a grander scale than I had seen before and I
was wondering if there was a way I could link all of the attacks
together or if they were operating independently.
Quote: Spoofing source addresses for TCP is mostly useless for anything other
than a DOS attack. The addresses you see are probably all real.
Agreed.
Quote: As for vocabulary, unless he's in your house, he's probably not on your
subnet.
I was thinking "subnet" in terms of the address that my cable modem
acquired.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
The MAC address is always the last hop. That's how routing works.
I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's harder
to guess an asymmetric key than any password you can dream up, no matter
how cool you think it is.
Really hard to enter your key through a corporate machine on someone
else's network, right? Or is there an easy way? I won't always have
access to the hardware to insert a USB stick or something.
Quote: You can keep track of the IP addresses and block them. Or use a utility
to do it for you. I haven't needed to resort to things like fail2ban,
etc., but some people like them. I'll let them suggest their favorites.
Yup. Already rolled my own that does a number of other things along
with the blocking.
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
There is no common thread. It's not one person. It's every kid with a
script, plus every criminal organization, plus maybe every cyberspy in
China. They're evil, they're your neighbors, and you can't move away.
Different people figure out different ways to deal with it. Now you get
to pick yours.
Any sandbox I can bury my head in?? ;-)
--
Reverse the parts of the e-mail address to reply by mail.

Marty (Guest), Posted: Wed Sep 30, 2009 11:02 pm

Joe Pfeiffer wrote:
Quote: Marty <net at (no spam) comcast.martyamodeo> writes:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Why are you guessing he's on your subnet?
The lease on my IP address changed recently. Before this happened, I
didn't notice this flavor of attacks. Purely a guess, and probably a
bad one, based on little or no evidence.
Quote: I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Since they seem to be coming from your cable modem, why do you think
they're coming from somewhere other than the other side of your cable
modem?
Ignorance on my part. Simple as that. :-)
Quote: Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
--
Reverse the parts of the e-mail address to reply by mail.

Grant (Guest), Posted: Wed Sep 30, 2009 11:57 pm

On Wed, 30 Sep 2009 22:00:53 -0700, Marty <net at (no spam) comcast.martyamodeo> wrote:
Quote: Allen Kistler wrote:
....
As for vocabulary, unless he's in your house, he's probably not on your
subnet.
I was thinking "subnet" in terms of the address that my cable modem
acquired.
Yes, I think of it as my ISP's block rather than a subnet.
....
Quote: I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's harder
to guess an asymmetric key than any password you can dream up, no matter
how cool you think it is.
Really hard to enter your key through a corporate machine on someone
else's network, right? Or is there an easy way? I won't always have
access to the hardware to insert a USB stick or something.
....
Any sandbox I can bury my head in??
:)
Sometimes I do a 'whois' on what looks like related IPs and ban entire
CIDR blocks at the firewall (a linux box with bridged modem). Just
checked, only 38 banned blocks collected over the last couple years,
so it's not a big ask for iptables to do that.
Grant.
--
http://bugsplatter.id.au
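Grant's whois-and-ban-the-block approach works well until one of the "related" blocks turns out to contain your own ISP range or a host you administer from. The following is an added example, not Grant's firewall script: it widens each offending address to its allocation block, merges adjacent blocks so the rule set stays small, and refuses any block that overlaps a protected range, narrowing back to the single offender instead. There is no network access; WHOIS_BLOCKS is a constructed stand-in for what whois would report, NEVER_BAN is a constructed protected list, and all addresses are from the RFC 5737 documentation ranges.

```python
"""Collapse offending addresses into the CIDR blocks they belong to."""
import ipaddress

# Constructed stand-in for whois results: the allocation block each lookup
# would report.  No network access is made.
WHOIS_BLOCKS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",
    "192.0.2.0/23",        # a large allocation that also contains our own range
]
# Constructed: ranges that must never be dropped (own ISP block, admin hosts).
NEVER_BAN = ["192.0.2.0/24"]


def lookup_block(ip, table=WHOIS_BLOCKS):
    """Most specific table block containing ip, else a host-only /32."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best or ipaddress.ip_network(f"{addr}/32")


def ban_set(offenders, table=WHOIS_BLOCKS, never_ban=NEVER_BAN):
    """Turn offending IPs into a minimal, sorted list of networks to drop.

    Each IP is widened to its whois block, adjacent blocks are merged, and
    any block overlapping a protected range is narrowed back to the single
    offender (or skipped entirely if the offender itself is protected).
    """
    protected = [ipaddress.ip_network(c) for c in never_ban]
    chosen = []
    for ip in offenders:
        net = lookup_block(ip, table)
        if any(net.overlaps(p) for p in protected):
            net = ipaddress.ip_network(f"{ip}/32")
            if any(net.overlaps(p) for p in protected):
                continue  # the offender sits inside our own range: never ban it
        chosen.append(net)
    return sorted(ipaddress.collapse_addresses(chosen))


def iptables_rules(nets, chain="INPUT"):
    """The drop rules a Linux firewall box would load, one per block."""
    return [f"iptables -I {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


# Constructed offender list, e.g. the output of a failed-login counter.
OFFENDERS = ["203.0.113.7", "203.0.113.9", "198.51.100.3",
             "198.51.100.200", "192.0.2.44", "192.0.3.5", "10.1.2.3"]

if __name__ == "__main__":
    for rule in iptables_rules(ban_set(OFFENDERS)):
        print(rule)
```

Seven offenders collapse to four rules here: the two /25s merge into one /24, the two 203.0.113.x hosts share a block, 192.0.2.44 is skipped because it lies in the protected range, and 192.0.3.5 is dropped as a /32 because its /23 allocation would have caught our own addresses too.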

Christian Winter (Guest), Posted: Thu Oct 01, 2009 12:04 am

Marty wrote:
Quote: Joe Pfeiffer wrote:
Marty <net at (no spam) comcast.martyamodeo> writes:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
Why are you guessing he's on your subnet?
The lease on my IP address changed recently. Before this happened, I
didn't notice this flavor of attacks. Purely a guess, and probably a
bad one, based on little or no evidence.
It might not even be a conscious attack, I've had clients hit their
noses on my routers often enough that simply tried to scp or ssh
to their stalled dyndns hostname (easy enough to guess when they're
using certs and offer the same key time and time again). One of the
downsides of dynamic IP addresses.
-Chris

Unruh (Guest), Posted: Thu Oct 01, 2009 10:01 am

Marty <net at (no spam) comcast.martyamodeo> writes:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
It is not a "he", it is many many "hes". ssh attacks have become a fact
of life. They ARE launched from many machines around the world ( remember
that something like 1% of all windows boxes are broken and owned by
spammers, etc. -- that is a lot of IP addresses. )
You can put ssh on a different port -- almost all attacks are on the
standard port. You could disable ssh entirely.
And you cannot "drop his traffic". His traffic has to be read by your
filtering software to drop it.
You can also put in a script to read the logs and if there is more than
say 5 unsuccessful login attempts, put the address into /etc/hosts.allow
with a deny tag. (but remember to keep the lines shorter than about 1000
bytes-- there is a bug in the hosts.allow software which crashes the
system if a line is longer, and Venema refuses to fix it).
Quote: --
Reverse the parts of the e-mail address to reply by mail.
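Marty's rule earlier in the thread (drop the address after 10 failures in 24 hours) and Unruh's suggestion here (a log-reading script that writes deny entries into /etc/hosts.allow after about 5 failures) are the same counter with two different outputs. The block below is an added example serving both posts, not either poster's script: it parses constructed auth.log lines, counts failures per source over a sliding window so that a slow trickle never trips the rule while a burst does, and emits either iptables commands or hosts.allow deny lines. The line-length limit for hosts.allow is a parameter whose default repeats Unruh's figure rather than a verified value, and the year 2009 is assumed for the syslog timestamps, which carry none.

```python
"""Count failed sshd logins per source and emit blocks at a threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def _fail(ts, ip, who="root"):
    """Build one constructed auth.log line in the classic syslog layout."""
    return f"{ts} box sshd[2001]: Failed password for {who} from {ip} port 52110 ssh2"


# Constructed log (not from a real host).  Three sources, three patterns:
AUTH_LOG = "\n".join(
    # root once a minute, non-interactive (Marty's pattern): 12 hits in 12 minutes
    [_fail(f"Sep 30 17:{m:02d}:05", "203.0.113.7") for m in range(41, 53)]
    # a slower guesser: 5 hits spread over 5 hours
    + [_fail(f"Sep 30 {18 + h}:10:00", "198.51.100.3", "invalid user admin") for h in range(5)]
    # 6 hits, but 3 on Sep 28 and 3 on Oct 1: never 5 inside one day
    + [_fail(f"{d} 0{h}:00:00", "192.0.2.9") for d in ("Sep 28", "Oct 1") for h in (3, 4, 5)]
    # a successful key login, which must not count
    + ["Sep 30 17:50:00 box sshd[2099]: Accepted publickey for marty from 192.0.2.44 port 40000 ssh2"]
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip, user) for every failed-login line; skip the rest."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def offenders(log_text, threshold=10, window_hours=24, year=2009):
    """IPs with at least `threshold` failures inside some `window_hours` span.

    Sliding window over each IP's sorted timestamps.  Defaults are Marty's
    numbers (10 in 24 hours); Unruh suggests a threshold of about 5.
    """
    window = timedelta(hours=window_hours)
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text, year):
        per_ip[ip].append(ts)
    hits = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


def _numeric(ip):
    return tuple(int(o) for o in ip.split("."))


def iptables_commands(ips):
    """Marty's route: drop the source at the packet filter, before sshd sees it."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips, key=_numeric)]


def hosts_allow_lines(ips, daemon="sshd", max_len=1000):
    """Unruh's route: 'sshd: a.b.c.d e.f.g.h : deny' entries for hosts.allow.

    A new line is started whenever adding the next address would push the
    current one past max_len bytes (Unruh's reported ceiling; unverified here).
    """
    prefix, suffix = f"{daemon}: ", " : deny"
    lines, current = [], []
    for ip in sorted(ips, key=_numeric):
        candidate = prefix + " ".join(current + [ip]) + suffix
        if current and len(candidate.encode()) > max_len:
            lines.append(prefix + " ".join(current) + suffix)
            current = [ip]
        else:
            current.append(ip)
    if current:
        lines.append(prefix + " ".join(current) + suffix)
    return lines


if __name__ == "__main__":
    bad = offenders(AUTH_LOG)
    print(*iptables_commands(bad), sep="\n")
    print(*hosts_allow_lines(bad), sep="\n")
```

With Marty's defaults only the once-a-minute root guesser is blocked; lowering the threshold to 5 also catches the slower source, and only a week-long window catches the one that spreads six attempts across three days. The iptables output matches Marty's point that a filter rule stops the packets before they reach the protocol level, whereas a hosts.allow entry is consulted by sshd itself.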

Marty (Guest), Posted: Thu Oct 01, 2009 10:54 am

Unruh wrote:
Quote: Marty <net at (no spam) comcast.martyamodeo> writes:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
It is not a "he", it is many many "hes". ssh attacks have become a fact
of life. They ARE launched from many machines around the world ( remember
that something like 1% of all windows boxes are broken and owned by
spammers, etc. -- that is a lot of IP addresses. )
You can put ssh on a different port -- almost all attacks are on the
standard port. You could disable ssh entirely.
If I do anything, I like the suggestion of blanket-banning ssh, and then
setting up a web page to authorize an IP. At least that way, a human
would have to do it, not a zombie winxx machine. SSH is too useful for
me to disable completely. Saved my bacon quite a lot of times when I
was out of town.
Quote: And you cannot "drop his traffic". His traffic has to be read by your
filtering software to drop it.
iptables terminology, not mine.
Quote: You can also put in a script to read the logs and if there is more than
say 5 unsuccessful login attempts, put the address into /etc/hosts.allow
with a deny tag.
I'm doing this, but instead driving iptables filter rules with this.
This way the packets never get to reach the protocol level. They're
sending a lot of malformed SSH packets too, no doubt trying to exploit
various bugs of the past.
Quote: (but remember to keep the lines shorter than about 1000
bytes-- there is a bug in the hosts.allow software which crashes the
system if a line is longer, and Venema refuses to fix it).
Great thing about open source, "anyone" can fix it. :-)
--
Reverse the parts of the e-mail address to reply by mail.

Wanna-Be Sys Admin (Guest), Posted: Thu Oct 01, 2009 2:32 pm

Marty wrote:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly
clever and is sending repeated SSH login attempts to my machine using
spoofed IP addresses (making the consolidated attack appear to be
coming from all over the world).
How did you determine it's spoofed and not brute force attempts from all
over? Did you set nospoof? Did you consider changing the SSH port, or
not allowing access from just anyone in the world (via hosts
{allow,deny} iptables, or whatever), or just consider using port
knocking/blocking?
--
Not really a wanna-be, but I don't know everything.

All times are GMT - 5 Hours