 |
|
| Linux Forum Index » Linux Networking » Blocking attacks from spoofed IP addresses... |
|
Page 2 of 2 Goto page Previous 1, 2 |
|
| Author |
Message |
| Unruh... |
 Posted: Thu Oct 01, 2009 4:04 pm |
|
|
|
Guest
|
Marty <net at (no spam) comcast.martyamodeo> writes:
Quote: Unruh wrote:
Marty <net at (no spam) comcast.martyamodeo> writes:
Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world). I'm scrutinizing his packets, but I'm not sure how
to find the "fingerprints" I need to filter them out.
I thought that the MAC address might be a good place to start looking,
but all of the packets I see are coming from the MAC address of my cable
modem. I'm not concerned about him getting in because he's attempting
root logins and I disabled root logins through ssh, but I want to drop
his nonsense traffic if I can, and also avoid any other attacks that
might be coming from him which may have escaped my notice.
Any ideas how I can dig deeper to find a common thread that I can use to
filter his traffic?
It is not a "he" it is many many "hes". ssh attacks have become a fact
of life. They AR launched from many machines around the world ( remember
that something like 1% of all windows boxes are broken and owned by
spammers, etc. -- that is a lot of IP addresses. )
You can put ssh on a different port -- almost all attacks are on the
standard port. You could disable ssh entirely.
If I do anything, I like the suggestion of blanket-banning ssh, and then
setting up a web page to authorize an IP. At least that way, a human
would have to do it, not a zombie winxx machine. SSH is too useful for
me to disable completely. Saved my bacon quite a lot of times when I
was out of town.
And you cannot "drop his traffic". His traffic has to be read by your
filtering software to drop it.
iptables terminology, not mine.
No, I was making a point. The concern you have is not the traffic ( there is not
that much traffic from a single ssh attempt) but the log file messages. But when
iptables drops an incoming connection it also logs that info (unless you tell it
not to, but then you could also tell ssh not to).
Quote: You can also put in a script to read the logs and if there is more than
say 5 unsucessful login attempts, put the address into /etc/hosts.allow
with a deny tag.
I'm doing this, but instead driving iptables filter rules with this.
This way the packets never get to reach the protocol level. They're
sending a lot of malformed SSH packets too, no doubt trying to exploit
various bugs of the past.
(but remember to keep the lines shorter than about 1000
bytes-- there is a bug in the hosts.allow software which crashes the
system if a line is longer, and Venema refuses to fix it).
Great thing about open source, "anyone" can fix it. 
I did fix mine (I found the bug and a one line fix). I reported the bug to Venema, who said he did
not care (it was an old program for him). I also reported it to Mandriva, who at
least for a while fixed it in the Mandriva. The problem is that Venema is the
upstream support for the program and he is uninterested. I cannot fix the
original source which is distributed. |
|
|
| Back to top |
|
|
|
| Grant... |
| Posted: Thu Oct 01, 2009 6:54 pm |
|
|
|
Guest
|
On Thu, 01 Oct 2009 14:48:54 -0500, ibuprofin at (no spam) painkiller.example.tld (Moe Trin) wrote:
Quote: On Thu, 01 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <aog8c5t75j6fnr4ksb5v81ick5cqi0j4ul at (no spam) 4ax.com>, Grant wrote:
....
Sometimes I do a 'whois' on what looks like related IPs and ban entire
CIDR blocks at the firewall (a linux box with bridged modem). Just
checked, only 38 banned blocks collected over the last couple years,
so it's not a big ask for iptables to do that.
Two thoughts - what are you "offering" to the world, and what are you
trying to defend against.
Anonymous ftp + hhtp. Defending against too much traffic So
there's firewall rules that disable any IP after too many hits (over
time) on offered services, single hits on ssh (just on principle, I
rarely offer ssh, and than it's to known IP or IP block).
Quote: ... You speak of 38
banned blocks, which would be the "mostly open" situation, while I
accept connections from 3 blocks (blocking all else by default) which
would be the "mostly closed" situation.
Banned blocks mostly from annoying web crawlers that don't honour
the web 'robots.txt' file -- like the recently new Chinese crawler.
Or web site rippers. Once it was some script kiddies from NL playing
with a web form -- after I used their crap traffic to refine a quota
system I blocked the IP, then the IP block when the traffic changed IPs.
....
Quote: Oh, and the port-knocking may run
into those same 'blocked by the corporate firewall' rules that made
it impractical to move your server to an obscure port.
Maybe one could knock the http (or 8000 port area) port? A custom
..cgi could do anything one wanted, no?
Haven't done port knocking yet as I've not yet needed to offer
'random' access for ssh :)
Grant.
--
http://bugsplatter.id.au |
|
|
| Back to top |
|
|
|
| Wanna-Be Sys Admin... |
| Posted: Fri Oct 02, 2009 1:10 pm |
|
|
|
Guest
|
Marty wrote:
Quote: You're yanking my chain, right?  I do have it set to do a reverse
lookup on any names that it gets to see that they map to the same IP,
and it logs failures (which I instantly ban).
So when you say it's spoofed, do you mean a domain or an IP? You said
IP was all, so I was curious if you're sure, since if they were
actually spoofing the requesting IP, it'd not do them any good (since
they don't get the response). But, I see that people mentioned that
earlier in the thread to you already, so no need to repeat it here.
--
Not really a wanna-be, but I don't know everything. |
|
|
| Back to top |
|
|
|
| Moe Trin... |
| Posted: Fri Oct 02, 2009 2:01 pm |
|
|
|
Guest
|
On Fri, 02 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <a1jac5119p0tr7ar15ci6548eusq1hoh7s at (no spam) 4ax.com>, Grant wrote:
Quote: ibuprofin at (no spam) painkiller.example.tld (Moe Trin) wrote:
Two thoughts - what are you "offering" to the world, and what are
you trying to defend against.
Anonymous ftp + hhtp. Defending against too much traffic
Sounds as if you have thought the problem through - that's good.
Quote: Banned blocks mostly from annoying web crawlers that don't honour
the web 'robots.txt' file -- like the recently new Chinese crawler.
I hesitate to ask, but what IP[s]? Some time ago, I looked at the
logs of someone else's system, and noted a lot of consistent hits
from a handful of IP ranges registered in China. DNS lookups were
useless, as most addresses there don't have PTR records, but the
'whois' queries provide some hints. There is a whois server for
..cn, but it's not going to provide useful data. The 1630 IPv4
blocks registered in China are scattered over 39 /8s from 58.14.0.0
to 222.249.255.255.
Quote: Or web site rippers. Once it was some script kiddies from NL playing
with a web form -- after I used their crap traffic to refine a quota
system I blocked the IP, then the IP block when the traffic changed IPs.
Residential IPs? Some have commented about my statement about not
wanting traffic "from Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or
a lot of other places" but seem to miss that I also block access from
nearly all the ISPs in North America as well. It's usually not so
much the country that indicates a problem, but the _type_ of network
(with residential providers being some of the worst).
Quote: Oh, and the port-knocking may run into those same 'blocked by the
corporate firewall' rules that made it impractical to move your
server to an obscure port.
Maybe one could knock the http (or 8000 port area) port? A custom
.cgi could do anything one wanted, no?
Firewall rules alone are all that are needed, so there is no reason to
have an actual server listening. There are many ways to implement this
concept, which _MIGHT_ be as simple as a log-reader running as a cron
job. As for port 80, 8000, and friends, a significant number of
corporate firewalls block user access OUT to those ports - a proxy
server is used to access the remote site. That tends to put a severe
crimp in usable port lists. I've found that _moderately_ well used
ports SUCH AS 21, 23, 43, 53, 113, 119, 443 and some ports around 990
have some chance of success, but nothing is universally going to work.
The "knocking program" on the client can be very nearly anything that
accepts a port number as part of the address URL.
Quote: Haven't done port knocking yet as I've not yet needed to offer
'random' access for ssh
Port knocking is a poorly defined term. Some interpret it to mean using
a (pre-determined) sequence of connection attempts, and this sequence
acts as the authentication function. That's nearly always a horrible
idea. At the other end, the simple "telnet $ADDRESS $PORT_FOO ^c
ssh $ADDRESS <username> <authentication>" sequence is good enough.
Dynamic usernames or authentication based on time of day? Sure, that
can be made to work, and hinder replay attacks. Same for 'challenge -
response' authentication mechanisms. Just don't make the procedure[s]
so complex that you are sure to make a typ0 or other fumble-finger and
lock yourself out.
Old guy |
|
|
| Back to top |
|
|
|
| Maxwell Lol... |
| Posted: Fri Oct 02, 2009 2:34 pm |
|
|
|
Guest
|
Marty <net at (no spam) comcast.martyamodeo> writes:
Quote: Some clown (on my subnet, I would guess) thinks he's exceedingly clever
and is sending repeated SSH login attempts to my machine using spoofed
IP addresses (making the consolidated attack appear to be coming from
all over the world).
what is the MAC address? If it's a router/firewall in your network,
that's where you block him.
Can you examine the MAC address on the other side of the
router/firewall? That may identify the next hop. Then contact the
owner of THAT hop.
If your network is NATed, then make sure the firewall does not allow
packets to pass the firewall with the source address from the outside. |
|
|
| Back to top |
|
|
|
| Maxwell Lol... |
| Posted: Fri Oct 02, 2009 2:35 pm |
|
|
|
Guest
|
Marty <net at (no spam) comcast.martyamodeo> writes:
Quote: Yup. I'm not so naive that I didn't expect this. I was just concerned
that this seemed to be on a grander scale than I had seen before and I
was wondering if there was a way if I could link all of the attacks
together or if they were operating independently.
There are a lot of script kiddies out there... |
|
|
| Back to top |
|
|
|
| Maxwell Lol... |
| Posted: Fri Oct 02, 2009 8:38 pm |
|
|
|
Guest
|
Quote: Be careful about banning IP addresses. That is often a good way to
cause a _Self_ Denial Of Service attack.
I usually look at log files.
They can't spoof a SSH session that inputs a username.
I also have a list of exceptions - never blacklist addresses from
certain blocks. |
|
|
| Back to top |
|
|
|
| Günther Schwarz... |
| Posted: Sat Oct 03, 2009 6:54 am |
|
|
|
Guest
|
Moe Trin wrote:
Quote: On Thu, 01 Oct 2009, in the Usenet newsgroup comp.os.linux.networking,
in article <aog8c5t75j6fnr4ksb5v81ick5cqi0j4ul at (no spam) 4ax.com>, Grant wrote:
Marty <net at (no spam) comcast.martyamodeo> wrote:
Allen Kistler wrote:
I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's
harder to guess an asymmetric key than any password you can dream up,
no matter how cool you think it is.
But then still remains the question: has there ever been a real world
example of a reasonably strong password that has been guessed just by a
few login attempts? Even with botnets they do not have more than a few
hundred chances to test a password on a ssh server that limits logins or
blocks after some failed ones. So disabling weak passwords is the key
here.
So IMHO public key authentication does not necessarily reduce risks. It
might be simpler as far is administration and monitoring is concerned. If
used in an improper way it may even reduce security. Keys without
password protection give sysadmins of remote networks access to your
system, USB sticks get lost or stolen etc.
Quote: Sometimes I do a 'whois' on what looks like related IPs and ban entire
CIDR blocks at the firewall (a linux box with bridged modem). Just
checked, only 38 banned blocks collected over the last couple years, so
it's not a big ask for iptables to do that.
Two thoughts - what are you "offering" to the world, and what are you
trying to defend against. Most residential situations should not be
offering much (if anything) in the line of services, and this may be a
little as SSH based access (meaning no web or ftp or similar server for
example). Who are you offering these services to? The _concepts_ of
"mostly open" verses "mostly closed" as discussed in the manual page for
tcp_wrappers (man 5 hosts_access) apply. You speak of 38 banned blocks,
which would be the "mostly open" situation, while I accept connections
from 3 blocks (blocking all else by default) which would be the "mostly
closed" situation. On those occasions when my authorized users may be
traveling (and thus away from those three acceptable blocks), I usually
set up a port-knocking scheme, where one must first make a connection
attempt to some non-standard (but closed) port, with the firewall
recognizing the attempt and opening access to my systems from that
address only for a limited (one minute) period. This isn't "security by
obscurity" because once you are allowed to _connect_ you still have to
use the "normal" authentication mechanism to actually get "in". Oh,
and the port-knocking may run into those same 'blocked by the corporate
firewall' rules that made it impractical to move your server to an
obscure port.
Nice, but is this really worth the effort? Maintaining such lists is
probably more work than it is worth the effort. I once asked around for a
list of scientific and educational networks. Such a list does not exist,
and I'm far to lazy to collect the addresses myself.
Finally: if one is scared about login unwanted attempts on a ssh server
he or she has a problem with password policy. Around here access is
restricted to a single machine in order to facilitate administration,
users are forced to reasonably strong passwords, and iptables as well as
sshd block after several failed login attempts. IMHO this is sufficient
in almost any but the most paranoid environments.
Günther |
|
|
| Back to top |
|
|
|
| Moe Trin... |
| Posted: Sat Oct 03, 2009 2:14 pm |
|
|
|
Guest
|
On Sat, 03 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <eutcc5tdqofn2o4tmnnqb18meuo51c7d0i at (no spam) 4ax.com>, Grant wrote:
Quote: (Moe Trin) wrote:
I hesitate to ask, but what IP[s]? Some time ago, I looked at the
logs of someone else's system, and noted a lot of consistent hits
from a handful of IP ranges registered in China. DNS lookups were
useless, as most addresses there don't have PTR records, but the
'whois' queries provide some hints.
From my block drop list:
[...]
No, don't see the blocks I expected. I'm seeing a lot of consistent
hits from Hangzhou province (122.224/12) and Hebei province (121.16/13,
221.192/13) networks. The addresses are steady for a month or more,
then they disappear. 221.192.199.xx seems to be the hot spot now.
The Chinese whois server (whois.cnnic.net.cn) claims not to own the
address range.
Quote: Only caught one oddness, that:
"
# dunno, something is calling home to 38.97.225.166:6667
38.97.225.128/25
"
after a web page hijacking.
It's obvious you know how to use rwhois, and that block belongs to
name.com in Denver - they're an ICANN accredited registrar. Currently,
they are only accredited for .cat .coop .museum
(http://www.icann.org/registrars/accredited-list.html), but last summer
they were accredited for .aero .asia .biz .com .info .jobs .mobi and
..name domains. I don't know when they cut back. Port 6667 is one used
by IRC. Co-inky-dink? Perhaps - perhaps not. As you know, port
numbers are not fool-proof, and there is no requirement that a packet
destined for port $FOO must be service/protocol $BAR.
[port knocking ports]
Quote: I'd possibly use https here as I don't offer that, or a web .cgi as
that server is always running (no php here
You don't need a server - in fact it's USUALLY better not to be running
anything on the port. Instead, you might have a logging rule for the
knock port, and then use a cron strip to scan the log looking for
"recent" hits. Some one else suggested
--------------------
CMD="iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport"
$CMD 22 -m recent --rcheck --name SSH -j ACCEPT
$CMD 11 -m recent --name SSH --remove -j DROP
$CMD 12 -m recent --name SSH --set -j DROP
$CMD 13 -m recent --name SSH --remove -j DROP
If you make a connection to port 12, it'll remember the IP you did
that from, and enable SSH access from that IP, even though the
connection to port 12 fails. This is the knock on the door that
unlocks it. Connect to port 11 or 13 to close the port again. This is
so a sequential portscan won't keep the SSH port opened.
--------------------
but obviously you'd need to use more ``appropriate'' port numbers.
This is far from the only or best technique/rule-set. Doing a google
search for the keywords 'port knocking' and 'Linux' or 'iptables'
will bring up lots of hits, some rather interesting.
Quote: I've noticed telnet hits are more frequent last couple years, but
the firewall here bans the IP for some time after first hit to 22
or 23.
I don't normally bother logging drops on the firewall at home (it's
just the remnants of a 386SX laptop and doesn't have that much
horsepower), but don't recall anything going after telnet. That's
a pretty dead service, and just about everyone and his dog has
transitioned to SSH. Actually, I'm not even sure that distributions
are supplying the telnet server any more. Client, yes, but not the
server.
Quote: Just don't make the procedure[s] so complex that you are sure to
make a typ0 or other fumble-finger and lock yourself out.
Think I'd go for the KISS method -- after all it's only about
reducing exposure to the system scanners out there discovering an
open port to try logins on.
That is the name of the game, but a lot of people loose sight of that
goal, and shoot themselves very nicely. More than once I've heard
horror stories about someone fixing up a new spiffy firewall on their
co-lo box, and having to have the local staff kick the system in the
appropriate places to regain access.
Old guy |
|
|
| Back to top |
|
|
|
| Moe Trin... |
| Posted: Sat Oct 03, 2009 2:16 pm |
|
|
|
Guest
|
On Fri, 02 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <87eipl19s7.fsf at (no spam) com.invalid>, Maxwell Lol wrote:
Quote: Be careful about banning IP addresses. That is often a good way to
cause a _Self_ Denial Of Service attack.
I usually look at log files.
They can't spoof a SSH session that inputs a username.
Unfortunately, a lot of people don't think about having separate rules
for separate services. The common advice for setting up "PortSentry"
(when it was a big shiny thing ten years ago) was to block (usually
by firewall rule, but also by tcp_wrappers or a 'route add reject')
individual addresses that attempted access to a [group of] port[s]
that the admin deemed sensitive.
Quote: I also have a list of exceptions - never blacklist addresses from
certain blocks.
Again, a lot of people don't waste energy by actually _thinking_ about
the consequences of their actions. Whitelisting addresses and/or
blocks will work, but it's better not to _need_ (white|black|gray)lists
in the first place.
Old guy |
|
|
| Back to top |
|
|
|
| Moe Trin... |
| Posted: Sun Oct 04, 2009 8:59 pm |
|
|
|
Guest
|
On Sun, 04 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <rpqgc59t4rc5esbruofiltduarcav47tvj at (no spam) 4ax.com>, Grant wrote:
Quote: ibuprofin at (no spam) painkiller.example.tld (Moe Trin) wrote:
You're way ahead of me ;-)
Too much free time I'm retired.
I haven't had time to do that yet. Both of us are eligible.
Quote: As mentioned else-thread, my firewall doesn't have spare horse-power
to handle much of this, so the rules are pretty simple
Dunno, it's not much work, uses the iptables -recent based rules
like you use for port knocking along with external data files and
a script to get persistence when (if) the firewall is reloaded.
It's easy enough to log stuff, and the system already uses remote
logging. I think that when I do run logging, I spend more time than
I should reading the logs and trying to understand what's going on.
Invariably, something catches my eye, and I wind up digging and
digging and digging... even though things worked quite well without
my extra supervision.
Quote: Downside is the timing depends on the kernel and is obscure,
also changed -- I have to rewrite this stuff to move forward from
2.6.27.$latest-stable (linux-2.6.27 is an extended maintenance
release)
-rw-rw-r-- 1 536 536 10560 Sep 24 17:25 ChangeLog-2.6.27.35
one could say that  Looking at the patch data, it totals close
to 15 percent of the size of the original source.
Quote: Fancy stuff like ip to country or host lookups are done on the
presentation side, not in the firewall -- there it's all IP based.
It's more for curiosity than practical. Laying aside the fact that
APNIC and RIPE have decided to define regional locations as opposed
to country codes, the location given is supposed to be where the
organization is registered, rather than the physical location.
Quote: Not after seeing how big the lists are -- and this form joins up
contiguous allocation blocks to reduce list IP block count.
There has been some hand-waving about reducing the number of routing
table entries on the back-bone, which implies aggregation - at least
since the early 1990s - but IP allocations were never really about
geography. You see a lot of recommendations about picking "nearby"
servers, as if physical distance is meaningful. I once did a
traceroute from a server in Phoenix to a server in Tempe (11 km
physical), and noted Salt Lake City (800 km North), San Francisco and
Los Angeles for a total path length over 2800 km. Of course, if you
look at IPv6, it's even worse.
Old guy |
|
|
| Back to top |
|
|
|
| Günther Schwarz... |
| Posted: Tue Oct 06, 2009 5:04 am |
|
|
|
Guest
|
Moe Trin wrote:
Quote: On 3 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <7iovs0F32s5vaU1 at (no spam) mid.individual.net>, Günther Schwarz wrote:
I once asked around for a list of scientific and educational networks.
Such a list does not exist, and I'm far to lazy to collect the addresses
myself.
Depends on what you mean by scientific and educational networks. Does
the latter mean all those domains with a .edu TLD (or the national
equivalent)?
On an international level there is no equivalent for the .edu TLD. The
list I had in mind should cover should cover places where people travel
to or where they have collaborations with: universities, but also
research labs like the ones from IBM or former Xerox, national labs, hpc
facilities etc.
Individual adjustments ("I travel to such and such next week - could you
adjust the ssh server for me?") are no option.
Günther |
|
|
| Back to top |
|
|
|
| Moe Trin... |
| Posted: Tue Oct 06, 2009 1:55 pm |
|
|
|
Guest
|
On 6 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in article
<7j0mi3F337s76U1 at (no spam) mid.individual.net>, Günther Schwarz wrote:
Quote: Moe Trin wrote:
Günther Schwarz wrote:
I once asked around for a list of scientific and educational
networks. Such a list does not exist, and I'm far to lazy to
collect the addresses myself.
Depends on what you mean by scientific and educational networks.
Does the latter mean all those domains with a .edu TLD (or the
national equivalent)?
On an international level there is no equivalent for the .edu TLD.
True, though a number of national schemes have what amounts to be
an equivalent using the second level.
Quote: The list I had in mind should cover should cover places where people
travel to or where they have collaborations with: universities, but
also research labs like the ones from IBM or former Xerox, national
labs, hpc facilities etc.
That's going to be even more difficult, as there is usually no pattern
to the IP ranges, and you don't want to trust DNS naming conventions
to identify a lab. Just looking at IBM mail addresses in the kernel
ChangeLog shows the order of difficulty.
Quote: Individual adjustments ("I travel to such and such next week - could
you adjust the ssh server for me?") are no option.
For the same reason. Depending on the country and skill of the
visitor, we tend to use one of three options
1. no access (or access only via voice phone)
2. access via security token or challenge/response card
3. port knocking
Surprisingly, the first option (no access) is more common, mainly
because of security (classification) rules, either by the company,
the customer, or the facility we are visiting.
Old guy |
|
|
| Back to top |
|
|
|
|
|
All times are GMT - 5 Hours
The time now is Tue Dec 01, 2009 1:30 pm
|
|