Koozali.org: home of the SME Server

Being Probed - any revenge ??

Offline kmccarn

Being Probed - any revenge ??
« on: January 07, 2005, 02:04:06 PM »
I was working on my nut setup - and checking the log files and....

Here's the excerpt:

Jan  6 14:53:59 sme sshd[16303]: Illegal user arts from 220.73.136.254
Jan  7 05:46:55 sme sshd[6890]: Illegal user jordan from 222.177.175.13
Jan  7 05:47:03 sme sshd[6892]: Illegal user michael from 222.177.175.13
Jan  7 05:47:11 sme sshd[6894]: Illegal user nicole from 222.177.175.13

So - someone is trying to hack in !!!

Does anyone have any nifty DOS attacks I can mount in retaliation ??

I double-checked all my log files - nobody has gotten in successfully - and the IPs they're trying from seem to be from different places.

 :evil:
Kevin in WV 8-)......

Offline smeghead

Being Probed - any revenge ??
« Reply #1 on: January 07, 2005, 06:25:37 PM »
Easy way to stop this is to set up a good router in front of the SME box and lock down SSH access to specific external IP addresses only.

Any other SSH access would therefore need to be via VPN and would be classified as local.

Offline Curly

Being Probed - any revenge ??
« Reply #2 on: January 07, 2005, 06:41:15 PM »
or: change the default SSH port to some other one,

or: reconfigure SME to only allow SSH from certain addresses (link: http://forums.contribs.org/index.php?topic=24818.0).

Retaliation is probably not a good idea (but it would probably make you feel better).

Offline ldkeen

Re: Being Probed - any revenge ??
« Reply #3 on: January 08, 2005, 01:49:45 AM »
Hi kmccarn
Quote from: "kmccarn"

Does anyone have any nifty DOS attacks I can mount in retaliation ??
 :evil:

It's most likely that these scans are coming from a box that has already been compromised and whose owner is totally unaware of this, so retaliating against that IP is going to achieve nothing (except give you a bit of misguided satisfaction). I think Curly is on the right track - I was sometimes getting 100 scans a day, but since I've changed the listening port for SSH I'm now getting zero :-) I've also required SSH2 and dropped the allowed login time down from 10 mins to 1 min just for added security.
Lloyd

Offline kmccarn

Being Probed - any revenge ??
« Reply #4 on: January 08, 2005, 02:40:54 AM »
Yeah - I don't really want (or need) retaliation.

I was just cranky and frustrated from trying to get some winBlows software to work as advertised.

 :-D
Kevin in WV 8-)......

mbachmann

Re: Being Probed - any revenge ??
« Reply #5 on: January 10, 2005, 09:19:13 AM »
Quote from: "kmccarn"

I've also required SSH2 and dropped the allowed login time down from 10 mins to 1 min just for added security.
Lloyd


How can I set that?

Offline p-jones

Being Probed - any revenge ??
« Reply #6 on: January 10, 2005, 09:29:41 AM »
If you are running Snort you might like to play with this. I have it "sort of working" with snort-guardian / Snort ACID. Anyone who can get it working better - I would love to hear from them! I think my guardian block script needs some more work...

Rgds
Peter

alert tcp any any -> $HOME_NET 22 ( \
    msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; \
    flow:to_server,established; \
    flags:S; \
    threshold:type threshold, track by_src, count 5, seconds 30; \
    classtype:attempted-dos; \
    sid:2001219; \
    rev:4; \
)

Offline holck

Being Probed - any revenge ??
« Reply #7 on: January 16, 2005, 10:20:58 PM »
Isn't it possible to limit these attacks by blocking the IP address after a certain number of failed logins? If so, how?
/Jesper

Offline p-jones

Being Probed - any revenge ??
« Reply #8 on: January 17, 2005, 12:13:00 AM »
Snort-Guardian
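The blocking holck asks about and the Snort rule p-jones posted come down to the same counter: failed logins per source address inside a time window. What follows is an added example, not code from this thread, from Snort-Guardian or from SME Server. It applies the rule's threshold (track by source, 5 hits within 30 seconds) to sshd's own log lines instead of to SYN packets, and renders the iptables commands a guardian-style script would run. The first three sample log lines are the ones kmccarn posted; the remaining lines, and the year 2005 (syslog lines carry no year), are constructed for the example.

```python
"""Fail2ban-style counter for the sshd log lines in this thread.

Added example, not code from the thread, from Snort-Guardian or from SME
Server.  It applies the Snort rule's threshold (track by source, 5 hits
within 30 seconds) to sshd's own log and renders block rules.  The first
three sample lines are the ones kmccarn posted; the rest, and the year
2005 (syslog lines carry none), are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan  6 14:53:59 sme sshd[16303]: Illegal user arts from 220.73.136.254
Jan  7 05:46:55 sme sshd[6890]: Illegal user jordan from 222.177.175.13
Jan  7 05:47:03 sme sshd[6892]: Illegal user michael from 222.177.175.13
Jan  7 05:47:11 sme sshd[6894]: Illegal user nicole from 222.177.175.13
Jan  7 05:47:18 sme sshd[6896]: Failed password for invalid user nicole from 222.177.175.13 port 4123 ssh2
Jan  7 05:47:24 sme sshd[6898]: Illegal user test from 222.177.175.13
Jan  7 05:47:30 sme sshd[6900]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
"""

# "Illegal user" is what the OpenSSH of 2005 logged; newer releases say
# "Invalid user", and a wrong password for a real account logs
# "Failed password", so all three count as a failure here.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:(?:Illegal|Invalid) user \S+ from (?P<ip_a>[\d.]+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip_b>[\d.]+))"
)

ASSUMED_YEAR = 2005   # assumption: syslog timestamps have no year field


def parse_failures(lines, year=ASSUMED_YEAR):
    """Yield (timestamp, source_ip) for each failed-login line."""
    for line in lines:
        m = FAILURE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip_a"] or m["ip_b"]


def sources_to_block(lines, count=5, seconds=30, exempt=()):
    """Source IPs with `count` failures inside any `seconds`-long window.

    Same semantics as the Snort threshold (track by_src, count, seconds).
    `exempt` lists addresses never to block, e.g. your own management host.
    """
    recent = defaultdict(list)          # ip -> timestamps inside the window
    blocked = set()
    for ts, ip in sorted(parse_failures(lines)):
        if ip in exempt:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.pop(0)               # slide the window forward
        if len(window) >= count:
            blocked.add(ip)
    return blocked


def block_rules(ips, port=22):
    """iptables commands to drop the offenders, returned as text so the
    operator reviews them before anything is applied."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in block_rules(sources_to_block(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run against the sample, only 222.177.175.13 crosses the threshold (five failures in 29 seconds); the single probe from 220.73.136.254 does not. Before wiring something like this into a cron job, put your own management addresses in `exempt` (a mistyped password from your own desk would otherwise lock you out) and give the blocks an expiry: as ldkeen notes, the sources are usually compromised machines and change from day to day, so a permanent DROP list only grows.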

Offline ldkeen

Re: Being Probed - any revenge ??
« Reply #9 on: January 17, 2005, 02:31:45 PM »
Quote from: "mbachmann"
Quote from: "kmccarn"

I've also required SSH2 and dropped the allowed login time down from 10 mins to 1 min just for added security.
Lloyd


How can i set that?


# Run as root. Custom fragments override the stock ones under
# /etc/e-smith/templates/etc/ssh/sshd_config (the echo creates each file).
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
echo "Port 222"          > /etc/e-smith/templates-custom/etc/ssh/sshd_config/10Port
echo "Protocol 2"        > /etc/e-smith/templates-custom/etc/ssh/sshd_config/16Protocol
echo "LoginGraceTime 60" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/20LoginGraceTime
# Regenerate /etc/ssh/sshd_config from the fragments, then let SME apply it
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/e-smith/signal-event remoteaccess-update

Should do it, I'm not in front of my machine at the moment to check.
Lloyd
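To confirm the expanded /etc/ssh/sshd_config really carries the values the fragments were meant to set, here is an added checker; it is not part of this thread or of SME Server. It reads the file the way sshd_config(5) documents: keywords are case-insensitive and, for each keyword, the first value obtained is the one sshd uses, so a second Protocol line coming from the stock 20Protocol fragment is reported as a duplicate rather than silently changing anything. Both sample configs, and the defaults assumed for absent keywords (port 22, protocols 2,1, the ten-minute LoginGraceTime ldkeen mentions), are constructed for the example.

```python
"""Check an expanded /etc/ssh/sshd_config for the settings discussed above.

Added example, not part of this thread or of SME Server.  The parser
follows sshd_config(5): keywords are case-insensitive and, for each
keyword, the first value obtained is the one sshd uses, so a custom
fragment that sorts before the stock one wins and the later duplicate is
ignored.  Both sample configs below are constructed for the example.
"""

# Stock settings as the thread describes them: default port, SSH-1 still
# negotiable, ten-minute login window (constructed sample).
WEAK_CONFIG = """\
Port 22
Protocol 2,1
LoginGraceTime 600
"""

# What the three custom fragments produce, plus the stock 20Protocol line
# that SME still emits after them (constructed sample).
HARDENED_CONFIG = """\
Port 222
Protocol 2
LoginGraceTime 60
Protocol 2
"""

# Assumed defaults when a keyword is absent (OpenSSH of the SME 6 era;
# the thread's "10 mins" is the 600 s LoginGraceTime).
DEFAULTS = {"port": "22", "protocol": "2,1", "logingracetime": "600"}


def parse_sshd_config(text):
    """Return (effective, duplicates): the first value per keyword and the
    keywords that appeared again later and were therefore ignored."""
    effective, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"; normalise both
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = key.lower()
        if key in effective:
            duplicates.append(key)      # first occurrence wins
            continue
        effective[key] = value.strip()
    return effective, duplicates


def _seconds(value):
    """LoginGraceTime as seconds; handles the plain, 's' and 'm' forms."""
    if value.endswith("m"):
        return int(value[:-1]) * 60
    return int(value.rstrip("s"))


def weak_settings(text, max_grace=60):
    """Findings for the three settings the thread changes."""
    cfg, _ = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key])

    findings = []
    if get("port") == "22":
        findings.append("Port 22: still listening where every scanner looks")
    if "1" in get("protocol").split(","):
        findings.append(f"Protocol {get('protocol')}: SSH-1 still offered")
    if _seconds(get("logingracetime")) > max_grace:
        findings.append(
            f"LoginGraceTime {get('logingracetime')}: more than {max_grace}s")
    return findings


if __name__ == "__main__":
    for name, text in (("stock", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, weak_settings(text) or "ok")
    print("duplicates:", parse_sshd_config(HARDENED_CONFIG)[1])
```

Point it at the real file with `weak_settings(open("/etc/ssh/sshd_config").read())` after the signal-event has run. The duplicate list is the useful part when a fragment name is chosen badly: if the custom fragment sorted after the stock one instead of before it, the stock value would win and the checker would show the intended setting being ignored.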

mbachmann

Being Probed - any revenge ??
« Reply #10 on: January 19, 2005, 03:34:13 PM »
ldkeen, did you learn this by heart? - I'll try it out and report back. Thanks.

/etc/e-smith/templates-custom/etc/ssh/sshd_config/20Protocol
with Protocol 2 is already there. Nice.

Did it. Works. To cite another user: I like no-brainers.