LinHES Forums
http://forum.linhes.org/

Securing KnoppMyth
http://forum.linhes.org/viewtopic.php?f=5&t=16766
Page 3 of 3

Author:  Kirk [ Sun Feb 24, 2008 8:24 pm ]
Post subject:  Re: seems to be working

neutron68 wrote:
Any idea if these lists clear out with each reboot?

Yes, they are cleared.

Author:  neutron68 [ Mon Mar 10, 2008 9:10 am ]
Post subject:  so far - working well

So far, SSHDFILTER is working well. It's booting out the attackers after just a few attempts at entry and then banning them for a week! HA!! :lol:
My SSH logs are pretty short now - the system events are the majority of the entries now - as it should be!

Quote:
root@mythtv:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
SSHD tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain SSHD (1 references)
target prot opt source destination
DROP tcp -- pouch.kangaroopartners.com anywhere tcp dpt:ssh
DROP tcp -- 211.137.137.233 anywhere tcp dpt:ssh
DROP tcp -- 202.179.108.54 anywhere tcp dpt:ssh
DROP tcp -- itm.vaslui.ro anywhere tcp dpt:ssh
DROP tcp -- host226-148-static.34-88-b.business.telecomitalia.it anywhere tcp dpt:ssh
DROP tcp -- 124.228.10.20 anywhere tcp dpt:ssh
DROP tcp -- 202.105.179.9 anywhere tcp dpt:ssh
DROP tcp -- 60.28.222.154 anywhere tcp dpt:ssh
DROP tcp -- 219.95.66.42 anywhere tcp dpt:ssh
DROP tcp -- 211.169.249.241 anywhere tcp dpt:ssh
DROP tcp -- foxxy.triohost.com anywhere tcp dpt:ssh
DROP tcp -- 76.74.164.4 anywhere tcp dpt:ssh
DROP tcp -- unassigned.netnation.com anywhere tcp dpt:ssh
root@mythtv:~#
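The listing above is the answer to the earlier question of how to see which addresses sshdfilter has blocked: the SSHD chain holds one DROP rule per banned source. As an added example (not code from the thread or from sshdfilter), the following Python parses `iptables -L` output of that shape into chains and rules, so you can pull out the blocked sources and confirm that INPUT still jumps to SSHD after a reboot. The sample listing is constructed in the same layout as the post's output, with documentation-range addresses. One practical note: `iptables -L` does a reverse DNS lookup for every rule, which is why hostnames like the ones above appear in the list; `iptables -L -n` skips the lookups and is both faster and easier to parse.

```python
import re

# Constructed sample in the same shape as `iptables -L` (not the listing from the post).
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
SSHD       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain SSHD (1 references)
target     prot opt source               destination
DROP       tcp  --  203.0.113.7          anywhere             tcp dpt:ssh
DROP       tcp  --  198.51.100.23        anywhere             tcp dpt:ssh
DROP       tcp  --  scanner.example.net  anywhere             tcp dpt:ssh
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_iptables_list(text):
    """Return {chain_name: [rule, ...]} where each rule is a dict of the listed columns."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains.setdefault(current, [])  # empty chains still get an entry
            continue
        if line.startswith("target") or current is None:
            continue  # column header, or text before the first chain
        # Columns: target prot opt source destination [match details...]
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        chains[current].append({
            "target": parts[0],
            "prot": parts[1],
            "opt": parts[2],
            "source": parts[3],
            "destination": parts[4],
            "extra": parts[5] if len(parts) > 5 else "",
        })
    return chains


def blocked_sources(text, chain="SSHD"):
    """Sources that the given chain DROPs, i.e. the addresses sshdfilter has banned."""
    return [r["source"] for r in parse_iptables_list(text).get(chain, [])
            if r["target"] == "DROP"]


def input_jumps_to(text, chain="SSHD"):
    """True when INPUT contains a jump to the chain (the rule added at boot)."""
    return any(r["target"] == chain for r in parse_iptables_list(text).get("INPUT", []))


if __name__ == "__main__":
    # On a real box: text = subprocess.run(["iptables", "-L", "-n"], capture_output=True, text=True).stdout
    print("INPUT -> SSHD jump present:", input_jumps_to(SAMPLE_IPTABLES_L))
    for src in blocked_sources(SAMPLE_IPTABLES_L):
        print("blocked:", src)
```

If `input_jumps_to` returns False after a reboot, the chain exists but nothing reaches it, which is exactly the failure mode the bootmisc.sh lines later in the thread are there to prevent.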

Author:  Too Many Secrets [ Fri Apr 11, 2008 4:47 pm ]
Post subject:  Re: trying sshdfilter

neutron68 wrote:
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.

I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.

I do have a couple of clarification questions, if someone could lend some expertise.

1. There is a section in the INSTALL text file where I'm not sure of the proper location for these commands.
Quote:
3.
Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD

Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh ?

2. Is there a way to see the list of IP addresses that sshdfilter has blocked?

insight appreciated,
Eric


Did you ever get this ironed out? Any chance of a "for dummies" install guide? Maybe a wiki entry?

Been looking for a nice light-weight way of locking down ssh. (I guess you're never secure enough.) I've run firestarter, but this seems much lighter.

Author:  neutron68 [ Sat Apr 12, 2008 11:50 am ]
Post subject:  yes, I got it working

It does work and has been stopping brute force attacks on my SSH port. :)
I didn't write down the process as I did it over the course of a week, so I'm going from memory on some of this...

The main page for SSHDFILTER is http://www.csc.liv.ac.uk/~greg/sshdfilter/

I downloaded the version 1.5.5 tar file from http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz and unpacked it into my /usr/src directory. I followed the directions in the INSTALL file. There are 2 setup methods - wrapper or standalone. I chose the wrapper method as it seemed like it would just dovetail into the SSHD system already in Knoppmyth.

I started by reading the contents of the INSTALL file and thought that I had to perform all those steps manually.
The author made script files that will auto install the proper files in the proper places. For the wrapper method, you execute the script with "perl install_aswrapper.pl".
By trying to follow the steps of the INSTALL file manually, I could see that the script had mostly set up the system for me.

To comply with Step 3, I did have to add the following lines to my "/etc/init.d/bootmisc.sh" file - so that the SSHD chain is added to the iptables after each bootup:
Code:
iptables -N SSHD
iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD


For step 8a, the file "/etc/init.d/ssh" needed to be modified to call sshdfilter rather than sshd. I can't recall if the script did this for me or if I did it:
replacing the line that said
Code:
start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS
with the line
Code:
start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/local/sbin/sshdfilter -- $SSHD_OPTS


The last step was to make custom tweaks in the file "/etc/sshdfilterrc".
Most of it is fine as it is and blocks SSH attacks by banning offending IP addresses for a period of time.

I think the only thing I changed in this file was to add my LAN's IP address space to the "SECTION IPPOLICY" part of the file:
Code:
+'^192\.168\.7\.[0-9]+$'       # always accept, never block LAN connections


I recall that a reboot was necessary to get the system started, so remember to do that in addition to the stopping and restarting of services that they tell you in step 8b of the INSTALL text file.

I'll edit this post if I think of any missed details. If there are I'll probably remember them as I reconfigure sshdfilter after my next Knoppmyth upgrade.

Eric
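The post above describes the whole setup: sshdfilter watches sshd's log output, counts failed logins per source, adds a DROP rule to the SSHD chain once a source has shown itself to be a dictionary attacker, and never blocks sources matching the IPPOLICY "always accept" pattern. As an added example (not sshdfilter's own code and not from the thread), the following Python reproduces that decision logic over a few constructed syslog-format sshd lines, so you can see why the LAN whitelist matters: a legitimate user who mistypes a password three times from 192.168.7.20 is exempt, while an outside source with three failures is blocked. The threshold of three failures and the exact shape of the generated iptables command are assumptions for illustration; sshdfilter's real rules and defaults live in /etc/sshdfilterrc.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 mythtv sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
Mar 10 08:01:05 mythtv sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40212 ssh2
Mar 10 08:01:09 mythtv sshd[2233]: Failed password for root from 198.51.100.23 port 40213 ssh2
Mar 10 08:02:11 mythtv sshd[2240]: Failed password for eric from 192.168.7.20 port 51022 ssh2
Mar 10 08:02:14 mythtv sshd[2240]: Failed password for eric from 192.168.7.20 port 51022 ssh2
Mar 10 08:02:17 mythtv sshd[2240]: Failed password for eric from 192.168.7.20 port 51022 ssh2
Mar 10 08:02:30 mythtv sshd[2240]: Accepted password for eric from 192.168.7.20 port 51022 ssh2
Mar 10 08:03:44 mythtv sshd[2251]: Failed password for invalid user oracle from 203.0.113.7 port 3322 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Same idea as the IPPOLICY line in the post: sources matching these are never blocked.
ALWAYS_ACCEPT = [re.compile(r"^192\.168\.7\.[0-9]+$")]


def failed_attempts(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def is_always_accepted(ip, patterns=ALWAYS_ACCEPT):
    """True when the source falls under an always-accept pattern."""
    return any(p.match(ip) for p in patterns)


def sources_to_block(log_text, threshold=3, patterns=ALWAYS_ACCEPT):
    """Sources at or over the failure threshold that are not whitelisted (assumed threshold: 3)."""
    return sorted(ip for ip, n in failed_attempts(log_text).items()
                  if n >= threshold and not is_always_accepted(ip, patterns))


def block_commands(ips, chain="SSHD", port=22):
    """Hypothetical rule shape that would list as 'DROP tcp -- <ip> anywhere tcp dpt:ssh'."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for ip, n in failed_attempts(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failed attempt(s), whitelisted={is_always_accepted(ip)}")
    for cmd in block_commands(sources_to_block(SAMPLE_AUTH_LOG)):
        print("would run:", cmd)  # printed, not executed
```

The whitelist check runs before the threshold check, which is the property you want from the IPPOLICY line: without it, a forgotten password on a LAN machine would lock that machine out of the box for the whole ban period.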
