All times are UTC - 6 hours
 Post subject: Re: seems to be working
PostPosted: Sun Feb 24, 2008 8:24 pm 
neutron68 wrote:
Any idea if these lists clear out with each reboot?

Yes, they are cleared.

_________________
MBE/FE ~ R5F27 ~ Asus A8N-VM-CSM ~ AMD64 3500+ ~ 1GB RAM ~ 1.5TB Storage ~ Nova-T-500 ~ SH-S183A DVDRW ~ LC20M Case ~ iMON-Pad Remote
FE ~ Diskless ~ Asus M2NPV-VM ~ AMD X2 BE-2350 (45w) ~ 1GB RAM ~ TT Lanbox Lite ~ iMON-Pad Remote


 Post subject: so far - working well
PostPosted: Mon Mar 10, 2008 9:10 am 
So far, SSHDFILTER is working well. It's booting out the attackers after just a few attempts at entry and then banning them for a week! HA!! :lol:
My SSH logs are pretty short now - the system events are the majority of the entries now - as it should be!

Quote:
root@mythtv:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
SSHD tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain SSHD (1 references)
target prot opt source destination
DROP tcp -- pouch.kangaroopartners.com anywhere tcp dpt:ssh
DROP tcp -- 211.137.137.233 anywhere tcp dpt:ssh
DROP tcp -- 202.179.108.54 anywhere tcp dpt:ssh
DROP tcp -- itm.vaslui.ro anywhere tcp dpt:ssh
DROP tcp -- host226-148-static.34-88-b.business.telecomitalia.it anywhere tcp dpt:ssh
DROP tcp -- 124.228.10.20 anywhere tcp dpt:ssh
DROP tcp -- 202.105.179.9 anywhere tcp dpt:ssh
DROP tcp -- 60.28.222.154 anywhere tcp dpt:ssh
DROP tcp -- 219.95.66.42 anywhere tcp dpt:ssh
DROP tcp -- 211.169.249.241 anywhere tcp dpt:ssh
DROP tcp -- foxxy.triohost.com anywhere tcp dpt:ssh
DROP tcp -- 76.74.164.4 anywhere tcp dpt:ssh
DROP tcp -- unassigned.netnation.com anywhere tcp dpt:ssh
root@mythtv:~#

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner


 Post subject: Re: trying sshdfilter
PostPosted: Fri Apr 11, 2008 4:47 pm 
neutron68 wrote:
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.

I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.

I do have a couple of clarification questions, if someone could lend some expertise.

1. There is a section in the INSTALL text file that I'm not sure of the proper location for these commands.
Quote:
3.
Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD

Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
Would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh ?

2. Is there a way to see the list of IP addresses that sshdfilter has blocked?

insight appreciated,
Eric


Did you ever get this ironed out? Any chance of a "for dummies" install guide? Maybe a wiki entry?

Been looking for a nice light-weight way for locking down ssh. (I guess you're never secure enough.) I've run Firestarter, but this seems much lighter.


 Post subject: yes, I got it working
PostPosted: Sat Apr 12, 2008 11:50 am 
It does work and has been stopping brute force attacks on my SSH port. :)
I didn't write down the process as I did it over the course of a week, so I'm going from memory on some of this...

The main page for SSHDFILTER is http://www.csc.liv.ac.uk/~greg/sshdfilter/

I downloaded the version 1.5.5 tar file from http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz and unpacked it into my /usr/src directory. I followed the directions in the INSTALL file. There are 2 setup methods - wrapper or standalone. I chose the wrapper method as it seemed like it would just dovetail into the SSHD system already in Knoppmyth.

I started by reading the contents of the INSTALL file and thought that I had to perform all those steps manually.
The author made script files that will auto install the proper files in the proper places. For the wrapper method, you execute the script with "pl install_aswrapper.pl".
By trying to follow the steps of the INSTALL file manually, I could see that the script had mostly set up the system for me.

To comply with Step 3, I did have to add the following lines to my "/etc/init.d/bootmisc.sh" file - so that the SSHD chain is added to the iptables after each bootup:
Code:
iptables -N SSHD
iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD


For step 8a, the file "/etc/init.d/ssh" needed to be modified to call sshdfilter rather than sshd. I can't recall if the script did this for me or if I did it:
replacing the line that said
Code:
start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS
with the line
Code:
start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/local/sbin/sshdfilter -- $SSHD_OPTS


The last step was to make custom tweaks in the file "/etc/sshdfilterrc".
Most of it is fine as it is and blocks SSH attacks by banning offending IP addresses for a period of time.

I think the only thing I changed in this file was to add my LAN's IP address space to the "SECTION IPPOLICY" part of the file:
Code:
+'^192\.168\.7\.[0-9]+$'       # always accept, never block LAN connections


I recall that a reboot was necessary to get the system started, so remember to do that in addition to the stopping and restarting of services that they tell you in step 8b of the INSTALL text file.

I'll edit this post if I think of any missed details. If there are I'll probably remember them as I reconfigure sshdfilter after my next Knoppmyth upgrade.

Eric

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner

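As an added example (not code from sshdfilter or from any of the posters), here is a small Python model of what sshdfilter does behind the SSHD chain set up in the post above: count failed-login lines per source in sshd's log, skip sources matched by an IPPOLICY accept rule like the 192.168.7.x one quoted above, and emit the per-source DROP rules that show up in the iptables -L listing earlier in the thread. The failure threshold, the allow list and the log lines are assumed or constructed, not taken from sshdfilterrc or a real system.

```python
import re
from collections import Counter

# IPPOLICY-style accept rules, modelled on the /etc/sshdfilterrc line quoted
# in the post: a source matching any of these is never blocked (assumed LAN range).
ALLOW_PATTERNS = [r'^192\.168\.7\.[0-9]+$']

# Failed logins from one source before it is banned (assumed value; the real
# thresholds are configured in /etc/sshdfilterrc).
MAX_FAILURES = 3

# sshd log line shapes that count as a failed login attempt.
FAILED_RE = re.compile(
    r'(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

def is_allowed(ip):
    """True if the source is covered by an IPPOLICY accept rule."""
    return any(re.search(p, ip) for p in ALLOW_PATTERNS)

def count_failures(log_lines):
    """Count failed-login lines per source IP, skipping allowed sources."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m and not is_allowed(m.group('ip')):
            counts[m.group('ip')] += 1
    return counts

def ban_commands(log_lines, threshold=MAX_FAILURES):
    """iptables commands adding one DROP rule per offending source to the SSHD
    chain, the same shape as the rules seen in the iptables -L output above."""
    return [f'iptables -I SSHD -s {ip} -p tcp --dport 22 -j DROP'
            for ip, n in sorted(count_failures(log_lines).items()) if n >= threshold]

# Constructed sample lines in auth.log style (documentation addresses, not real traffic).
SAMPLE_LOG = [
    'Mar 10 08:01:11 mythtv sshd[4111]: Failed password for root from 203.0.113.5 port 40011 ssh2',
    'Mar 10 08:01:13 mythtv sshd[4112]: Invalid user admin from 203.0.113.5',
    'Mar 10 08:01:15 mythtv sshd[4113]: Failed password for invalid user admin from 203.0.113.5 port 40012 ssh2',
    'Mar 10 08:02:02 mythtv sshd[4120]: Failed password for eric from 192.168.7.20 port 51000 ssh2',
    'Mar 10 08:02:04 mythtv sshd[4121]: Failed password for eric from 192.168.7.20 port 51001 ssh2',
    'Mar 10 08:02:06 mythtv sshd[4122]: Failed password for eric from 192.168.7.20 port 51002 ssh2',
    'Mar 10 08:03:30 mythtv sshd[4130]: Accepted publickey for eric from 192.168.7.20 port 51003 ssh2',
    'Mar 10 08:05:00 mythtv sshd[4140]: Failed password for root from 198.51.100.9 port 33000 ssh2',
]

if __name__ == '__main__':
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

The LAN host fails three times but is never banned because the accept rule wins, which is exactly why the IPPOLICY line matters when you administer the box over SSH from inside the network.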
