Re: SSH brute force attacks no longer being caught by PF rule

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Daniel Cid

Subject: Re: SSH brute force attacks no longer being caught by PF rule

Date: Wednesday, August 8, 2007 - 11:20 am

Please, don't use grok for that! From what I saw it is
vulnerable to very simple log injection attacks (you
need much more string regexes):

http://www.ossec.net/en/attacking-loganalysis.html


Be very careful when parsing logs for automated
remediation...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


--- Rob <robsheldon@gmail.com> escreveu:

quoted text> Although this doesn't answer your actual pf
> question, you might try
> using a tool called Grok
> (http://www.semicomplete.com/projects/grok/).
> It's a pretty decent log watcher written in Perl,
> designed to do
> exactly this sort of thing. You define matches and
> reactions in its
> config file (match = "Illegal user %USERNAME% from
> %IP%"; reaction =
> "pfctl -t scanners -T add %IP%";).
> 
> It does have a few quirks though. We've encountered
> problems with
> having multiple rules watching the same log. But,
> all in all, probably
> a better way to do what it looks like you want to
> do.
> 
> - R.
> 
> On 8/8/07, David Newman <dnewman@networktest.com>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> > > Steve B wrote:
> > >> The rule I've had in my pf.conf file to catch
> and block forceful SSH
> > >> attempts no longer appears to be working. I see
> the entries in my
> > >> authlog,
> > >> but the IPs are no longer getting added to my
> table. I suspect I screwed
> > >> something  up, but so far I am at a loss to see
> where. Could someone pass
> > >> another set of eyes over the relevant parts of
> my pf.conf?
> > >
> > > Put quickly as an example, but you can try:
> > >
> > > # Define some variable for clarity
> > > SSH_LIMIT="(max-src-conn-rate 3/30, overload
> <scanners> flush global)"
> > >
> > > ## SSH Hackers - blocked IPs
> > > table <scanners> persist file
> "/etc/tables/scanners"
> > >
> > > # Block ssh access to bad ssh scanner
> > > block drop in log quick on $ext_if inet proto
> tcp \
> > >    from <scanners> to any port ssh
> > >
> > > # Allow quick valid traffic to ssh but log all
> attempts as well
> > > pass in log quick on $ext_if inet proto tcp from
> ! <scanners> \
> > >    to $ext_if port ssh flags S/SA keep state \
> > >    $SSH_LIMIT
> > >
> >
> > I've added something like this to pf.conf but it's
> only partially
> > successful. I would appreciate any clues as to why
> it's not blocking all
> > brute-force attempts.
> >
> > On an OBSD 4.1 box, here's what I added to pf.conf
> ($unpro is the
> > Internet-facing interface):
> >
> > #####
> >
> > # Define limit of ssh connection rates
> > SSH_LIMIT="(max-src-conn-rate 3/30, overload
> <scanners> flush global)"
> > # SSH scanners - blocked IPs
> > table <scanners> persist
> >
> > block drop in log quick on $unpro inet proto tcp \
> >   from <scanners> to any port ssh
> >
> >
> > # Allow quick valid traffic to ssh but log all
> attempts as well
> > pass in log quick on $unpro inet proto tcp from !
> <scanners> \
> >    to $unpro port ssh $SSH_LIMIT
> >
> > #####
> >
> > And it appears to be working, at least in part:
> >
> > dnewman@fw17 ~ 501$ sudo pfctl -t scanners -T show
> >    61.146.178.13
> >    61.189.145.103
> >    67.76.237.190
> >    161.200.144.108
> >    193.254.31.194
> >
> > #####
> >
> > But some hosts on the protected side of the
> firewall still report
> > brute-force ssh login attempts exceeding the 3/30
> rate:
> >
> > Aug  7 10:16:00 mail sshd[21608]: Invalid user
> trash from 201.18.81.8
> > Aug  7 10:16:08 mail sshd[21610]: Invalid user
> aaron from 201.18.81.8
> > Aug  7 10:16:11 mail sshd[21612]: Invalid user
> gt05 from 201.18.81.8
> > Aug  7 10:16:18 mail sshd[21614]: Invalid user
> william from 201.18.81.8
> > Aug  7 10:16:22 mail sshd[21616]: Invalid user
> stephanie from 201.18.81.8
> > Aug  7 10:16:59 mail sshd[21628]: Invalid user
> gary from 201.18.81.8
> > Aug  7 10:17:07 mail sshd[21632]: Invalid user
> guest from 201.18.81.8
> > Aug  7 10:17:11 mail sshd[21634]: Invalid user
> test from 201.18.81.8
> > Aug  7 10:17:17 mail sshd[21636]: Invalid user
> oracle from 201.18.81.8
> > Aug  7 10:19:24 mail sshd[21717]: Invalid user
> apache from 201.18.81.8
> > Aug  7 10:19:43 mail sshd[21723]: Invalid user lab
> from 201.18.81.8
> > Aug  7 10:19:55 mail sshd[21729]: Invalid user
> oracle from 201.18.81.8
> > Aug  7 10:20:00 mail sshd[21736]: Invalid user svn
> from 201.18.81.8
> > Aug  7 10:20:06 mail sshd[21745]: Invalid user
> iraf from 201.18.81.8
> > Aug  7 10:20:13 mail sshd[21747]: Invalid user
> swsoft from 201.18.81.8
> > Aug  7 10:20:18 mail sshd[21749]: Invalid user
> production from 201.18.81.8
> > Aug  7 10:20:23 mail sshd[21751]: Invalid user
> guest from 201.18.81.8
> > Aug  7 10:20:28 mail sshd[21753]: Invalid user
> gast from 201.18.81.8
> > Aug  7 10:20:34 mail sshd[21755]: Invalid user
> gast from 201.18.81.8
> > Aug  7 10:20:40 mail sshd[21762]: Invalid user
> oliver from 201.18.81.8
> > Aug  7 10:20:45 mail sshd[21767]: Invalid user
> sirsi from 201.18.81.8
> > Aug  7 10:20:50 mail sshd[21769]: Invalid user
> nagios from 201.18.81.8
> > Aug  7 10:20:55 mail sshd[21771]: Invalid user
> nagios from 201.18.81.8
> > Aug  7 10:20:59 mail sshd[21773]: Invalid user
> nagios from 201.18.81.8
> >
> > Thanks in advance for suggestions as to how to
> reduce these kind of
> > login attempts.
> >
> > dn
> >
>
iD8DBQFGufyzyPxGVjntI4IRAty2AJ9WDCqLqkWyhx/KuciGINow6Upb5wCfUuP+
quoted text> > GfZ8lnaun1QPItnFK5c4MNU=
> > =tjbD
> > -----END PGP SIGNATURE-----
> 
> 



      Alertas do Yahoo! Mail em seu celular. Saiba mais em http://br.mobile.yahoo.com/mailalertas/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

SSH brute force attacks no longer being caught by PF rule, Steve B, (Wed Jun 27, 9:54 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Daniel Ouellet, (Wed Jun 27, 10:39 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Jun 28, 7:20 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Wed Aug 8, 10:26 am)

Re: SSH brute force attacks no longer being caught by PF rule, Rob, (Wed Aug 8, 10:50 am)

Re: SSH brute force attacks no longer being caught by PF rule, Allie D., (Wed Aug 8, 10:54 am)

Re: SSH brute force attacks no longer being caught by PF rule, Daniel Cid, (Wed Aug 8, 11:20 am)

Re: SSH brute force attacks no longer being caught by PF rule, Allie D., (Wed Aug 8, 12:02 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Rob, (Wed Aug 8, 12:03 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Marc Balmer, (Wed Aug 8, 2:14 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Aug 9, 3:22 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Thu Aug 9, 10:24 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Thu Aug 9, 10:29 am)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Aug 9, 12:43 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Stuart Henderson, (Mon Aug 13, 2:10 am)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Mon Aug 13, 3:14 am)

Re: SSH brute force attacks no longer being caught by PF rule, Janne Johansson, (Mon Aug 13, 4:29 am)

Re: SSH brute force attacks no longer being caught by PF rule, Stuart Henderson, (Mon Aug 13, 4:30 am)

Re: SSH brute force attacks no longer being caught by PF rule, Henning Brauer, (Mon Aug 13, 5:09 am)


linux-kernel:
Ingo Molnar	Re: [PATCH 0/3] v2 Make hierarchical RCU less IPI-happy and add more tracing
Jeremy Fitzhardinge	Re: Linux 2.6.28.10 and Linux 2.6.29.6 XEN Guest Support Broken x86_64 in BUILD
Nick Piggin	Re: [patch] CFS (Completely Fair Scheduler), v2
Gary Hade	Re: [PATCH 0/5][RFC] Physical PCI slot objects
Dave Johnson	Re: expected behavior of PF_PACKET on NETIF_F_HW_VLAN_RX device?
linux-netdev:
Arnd Bergmann	Re: 64-bit net_device_stats
Stephens, Allan	RE: [PATCH]: tipc: Fix oops on send prior to entering networked mode
frank.blaschka	[patch 3/5] [PATCH] qeth: support z/VM VSWITCH Port Isolation
Wu Fengguang	Re: [PATCH] dm9601: handle corrupt mac address
David Miller	Re: [PATCH net-2.6.24] Fix refcounting problem with netif_rx_reschedule()
git:
Junio C Hamano	Re: [PATCH] [RFC] add Message-ID field to log on git-am operation
Junio C Hamano	Re: Handling large files with GIT
Karl	Re: [ANNOUNCE] pg - A patch porcelain for GIT
Josh Triplett	Re: [RFC][PATCH 00/10] Sparse: Git's "make check" target
Pierre Habouzit	Re: [PATCH] git-daemon: more powerful base-path/user-path settings, using formats.
git-commits-head:
Linux Kernel Mailing List	MIPS: RBTX4939: Fix IOC pin-enable register updating
Linux Kernel Mailing List	regulator: update email address for Liam Girdwood
Linux Kernel Mailing List	[SCSI] ipr: add message to error table
Linux Kernel Mailing List	powerpc/32: Wire up the trampoline code for kdump
Linux Kernel Mailing List	USB: omap_udc: sync with OMAP tree
openbsd-misc:
Josh Grosse	Re: error : pkg add phpMyAdmin
Brian Candler	Re: OBSD's perspective on SELinux
Jacob Meuser	Re: /dev/audio: Device busy
David Vasek	Re: Inexpensive, low power, "wall wart" computer
William Boshuck	Re: Richard Stallman...