Koozali.org: home of the SME Server

Limit the logon attempts on SSH (protocol 2) ?

molski

Limit the logon attempts on SSH (protocol 2) ?
« on: September 10, 2005, 12:37:33 PM »
Like many people (I think), I have SSH open on Public Access on my SME v6.0.1-01 server.
Every night I get a nice email from LogWatch with sometimes hundreds of login attempts; luckily for me nobody has managed to log on so far!

For me it's not such a good idea to use SSH authentication with public/private keys because I SSH to my server from a lot of different PCs, so I would like to do it another way.

Is it possible to block IP addresses that have too many login tries for a certain amount of time, or just block the IP address forever (with the option to manually unblock it from the server if necessary)?

I know this problem has a few topics on this forum, but none of them says if and how it is possible to block IP addresses with failed logons.


Regards,

Molski

Reinhold
Limit the logon attempts on SSH (protocol 2) ?
« Reply #1 on: September 11, 2005, 02:04:17 PM »
Hi molski,

Why not carry around your key on a USB stick?
else:
If somebody does annoy me enough he will get "routed away" ...

Code:
/sbin/route add -host ip_no reject
like in: /sbin/route add -host 123.456.0.1 reject
and where 123.456.0.1 is your attackers ip of course

Regards
Reinhold

P.S.: You could also "iptable him/her out"
 man iptables  _and_ man route  are your friends

P.P.S. Remember that most people do use dynamic IPs
so revert to normal after some time ...
...maybe you want to use a snort/acid contrib to do both automagically!
............
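The job Reinhold sketches above, counting failed logons per source address and then adding a reject route (or an iptables rule) that is reverted again after a while because most attackers sit on dynamic IPs, written out as an added example. This is not code from the thread or from SME Server. It reads syslog-style sshd "Failed password" lines, picks out addresses with at least N failures inside a sliding window, and returns the block and unblock commands as strings instead of running them, so the reader decides what to execute. The log lines, host name "sme" and addresses are constructed sample data, and the year is assumed (syslog omits it).

```python
"""Added example (not from the forum thread): count failed sshd logons per
source address, flag addresses over a threshold inside a time window, and
produce the route/iptables block and unblock commands plus a time-based
release so dynamic addresses are not blocked forever."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines; host "sme" and all
# addresses are made up for this example (RFC 5737 test ranges).
SAMPLE_LOG = """\
Sep 10 02:11:01 sme sshd[4012]: Failed password for illegal user test from 198.51.100.23 port 40122 ssh2
Sep 10 02:11:04 sme sshd[4014]: Failed password for illegal user guest from 198.51.100.23 port 40125 ssh2
Sep 10 02:11:07 sme sshd[4016]: Failed password for illegal user admin from 198.51.100.23 port 40131 ssh2
Sep 10 02:11:09 sme sshd[4018]: Failed password for root from 198.51.100.23 port 40140 ssh2
Sep 10 02:11:12 sme sshd[4020]: Failed password for root from 198.51.100.23 port 40150 ssh2
Sep 10 02:15:30 sme sshd[4030]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Sep 10 02:16:02 sme sshd[4031]: Accepted password for admin from 203.0.113.9 port 51001 ssh2
Sep 10 03:40:00 sme sshd[4100]: Failed password for illegal user oracle from 192.0.2.77 port 33000 ssh2
Sep 10 09:40:00 sme sshd[4200]: Failed password for illegal user oracle from 192.0.2.77 port 33001 ssh2
"""

# Older OpenSSH logged "illegal user", newer releases "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, ip) for each failed-password line. Syslog omits
    the year, so it is assumed (2005 to match the thread)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")

def offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for addresses that reach `threshold`
    failures inside any sliding window of length `window`. Two failures
    six hours apart (192.0.2.77 in the sample) do not qualify."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = len(stamps)
                break
    return result

def block_commands(ip, method="iptables"):
    """Block one address: the reject route from Reinhold's reply, or an
    iptables DROP. Returned as strings; nothing is executed here."""
    if method == "route":
        return ["/sbin/route add -host %s reject" % ip]
    return ["/sbin/iptables -I INPUT -s %s -j DROP" % ip]

def unblock_commands(ip, method="iptables"):
    """Exact inverse of block_commands, for the later release."""
    if method == "route":
        return ["/sbin/route del -host %s reject" % ip]
    return ["/sbin/iptables -D INPUT -s %s -j DROP" % ip]

def expired(blocked, now, ttl=timedelta(hours=24)):
    """blocked: {ip: datetime when it was blocked}. Return the addresses
    whose block is at least `ttl` old and should be released."""
    return sorted(ip for ip, when in blocked.items() if now - when >= ttl)

def demo_release_list():
    """Block every offender in the sample at 02:20 on the 10th and check
    at 03:00 on the 11th (24h40m later): all of them are due for release."""
    blocked = {ip: datetime(2005, 9, 10, 2, 20) for ip in offenders(SAMPLE_LOG)}
    return expired(blocked, datetime(2005, 9, 11, 3, 0))

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip in sorted(hits):
        print("%s: %d failures -> %s" % (ip, hits[ip], "; ".join(block_commands(ip))))
    for ip in demo_release_list():
        print("release %s -> %s" % (ip, "; ".join(unblock_commands(ip))))
```

Run from cron against the real log with the sample replaced by the file contents; the sliding window is what keeps a legitimate user who mistypes a password twice a day off the block list, and the `expired` pass is the "revert to normal after some time" from the P.P.S.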

molski

Limit the logon attempts on SSH (protocol 2) ?
« Reply #2 on: September 11, 2005, 03:06:56 PM »
Hi Reinhold,

That line of code sounds good for blocking IP addresses on my server. I will keep that one in mind.
Before I read this topic I had just installed the snort and acid contrib. I hope they will take care of some hack attempts for me; if this works well, I'm happy :)


Regards,

Molski

molski

Limit the logon attempts on SSH (protocol 2) ?
« Reply #3 on: September 11, 2005, 03:15:10 PM »
Hi Reinhold,

I just created an alert report for Snort Acid, but the lines are a bit confusing to me, I can't figure out what the lines mean, maybe you (or someone else) can clear things up for me?

This is the report I have; the IP address 000.000.000.000 is my external IP address on eth1

Generated by ACID v0.9.6b23 on Sun, 11 Sep 2005 15:10:40 +0200

#1-1| [2005-09-11 12:40:03] 000.000.000.000:1264 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-2| [2005-09-11 12:40:06] 000.000.000.000:1264 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-3| [2005-09-11 12:40:12] 000.000.000.000:1264 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-4| [2005-09-11 12:40:14] 000.000.000.000:1264 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-5| [2005-09-11 12:40:51] 000.000.000.000:1266 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-6| [2005-09-11 12:44:20] 000.000.000.000:1325 -> 207.68.177.124:80 [snort/2] (http_inspect) DOUBLE DECODING ATTACK
#1-7| [2005-09-11 12:47:46] 000.000.000.000:1334 -> 195.154.195.154:80 [bugtraq/2527] [snort/1054] WEB-MISC weblogic/tomcat .jsp view source attempt
#1-8| [2005-09-11 12:48:44] 222.179.217.131:1958 -> 000.000.000.000:1434 urlnessus[cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [snort/2004] MS-SQL Worm propagation attempt OUTBOUND
#1-9| [2005-09-11 13:05:39] 000.000.000.000:1342 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-10| [2005-09-11 13:05:42] 000.000.000.000:1343 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-11| [2005-09-11 13:05:53] 000.000.000.000:1343 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-12| [2005-09-11 13:06:16] 000.000.000.000:1345 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-13| [2005-09-11 13:06:24] 000.000.000.000:1345 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-14| [2005-09-11 13:06:40] 000.000.000.000:1351 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-15| [2005-09-11 13:08:29] 000.000.000.000:1354 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-16| [2005-09-11 13:08:33] 000.000.000.000:1355 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-17| [2005-09-11 13:36:53] 218.75.30.34:1033 -> 000.000.000.000:1434 urlnessus[cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [snort/2004] MS-SQL Worm propagation attempt OUTBOUND
#1-18| [2005-09-11 14:38:08] 222.178.5.234:2066 -> 000.000.000.000:1434 urlnessus[cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [snort/2004] MS-SQL Worm propagation attempt OUTBOUND
#1-19| [2005-09-11 14:57:17] 000.000.000.000:1515 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-20| [2005-09-11 14:57:19] 000.000.000.000:1517 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-21| [2005-09-11 14:57:34] 000.000.000.000:1525 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-22| [2005-09-11 14:57:36] 000.000.000.000:1526 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-23| [2005-09-11 15:00:26] 000.000.000.000:1583 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-24| [2005-09-11 15:00:43] 000.000.000.000:1583 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-25| [2005-09-11 15:00:55] 000.000.000.000:1583 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-26| [2005-09-11 15:01:37] 000.000.000.000:1587 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-27| [2005-09-11 15:07:01] 000.000.000.000:1593 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-28| [2005-09-11 15:07:04] 000.000.000.000:1594 -> 216.17.211.20:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access



Regards,

Molski
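An added example, not code from the thread: a parser for the ACID listing format posted above. It splits each line into time, source, destination and ports, collects the snort sid and the other reference ids (so each can be looked up in the snort-db that Reinhold points to in Reply #6), and groups alerts by direction relative to the server's own external address, which is the first thing to settle before deciding whether a line is traffic aimed at the server or traffic the server itself sent. The five sample lines are copied from the listing above with the same masked address; the `?sid=` query on the snort-db URL is an assumption (the thread only shows the base URL).

```python
"""Added example (not from the forum thread): parse ACID alert listing
lines, extract sid/reference ids and group alerts by direction relative
to the server's external address."""
import re
from collections import Counter

# Five lines copied from molski's listing; 000.000.000.000 is the masked
# external address exactly as it was posted.
SAMPLE_REPORT = """\
#1-1| [2005-09-11 12:40:03] 000.000.000.000:1264 -> 80.200.153.61:80 [bugtraq/9879] [snort/2565] WEB-PHP modules.php access
#1-6| [2005-09-11 12:44:20] 000.000.000.000:1325 -> 207.68.177.124:80 [snort/2] (http_inspect) DOUBLE DECODING ATTACK
#1-8| [2005-09-11 12:48:44] 222.179.217.131:1958 -> 000.000.000.000:1434 urlnessus[cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [snort/2004] MS-SQL Worm propagation attempt OUTBOUND
#1-9| [2005-09-11 13:05:39] 000.000.000.000:1342 -> 216.17.211.37:80 nessus[cve/2003-0486] [icat/2003-0486] [bugtraq/7979] [snort/2229] WEB-PHP viewtopic.php access
#1-17| [2005-09-11 13:36:53] 218.75.30.34:1033 -> 000.000.000.000:1434 urlnessus[cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [snort/2004] MS-SQL Worm propagation attempt OUTBOUND
"""

# "#<sensor>-<n>| [timestamp] src:port -> dst:port <references> <rule name>"
LINE_RE = re.compile(
    r"^#(?P<id>\d+-\d+)\|\s+\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<rest>.*)$"
)
# Reference tags look like [bugtraq/9879], [cve/2002-0649], [snort/2004].
REF_RE = re.compile(r"\[(\w+)/([\w-]+)\]")

def parse_alert(line):
    """Return a dict for one listing line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    refs = REF_RE.findall(m.group("rest"))
    # Strip the bracketed references (and the "url"/"nessus" prefixes ACID
    # glues in front of some of them); what remains is the rule name.
    name = re.sub(r"\S*\[[^\]]*\]\s*", "", m.group("rest")).strip()
    sids = [v for k, v in refs if k == "snort"]
    return {
        "id": m.group("id"), "time": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "sid": int(sids[0]) if sids else None,
        "refs": [(k, v) for k, v in refs if k != "snort"],
        "name": name,
    }

def parse_report(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]

def direction(alert, my_ip):
    """'to-me' when the server's address is the destination, 'from-me'
    when it is the source, otherwise 'other' (e.g. forwarded LAN traffic)."""
    if alert["dst"] == my_ip:
        return "to-me"
    if alert["src"] == my_ip:
        return "from-me"
    return "other"

def summarize(text, my_ip):
    """Counter keyed by (direction, sid, rule name): repeated hits collapse
    into one row, which makes the noisy signatures obvious."""
    return Counter((direction(a, my_ip), a["sid"], a["name"]) for a in parse_report(text))

def sid_url(sid):
    # Reinhold's reply gives http://www.snort.org/snort-db/sid.html; the
    # ?sid= query parameter is assumed, not shown in the thread.
    return "http://www.snort.org/snort-db/sid.html?sid=%d" % sid

if __name__ == "__main__":
    for (dirn, sid, name), n in sorted(summarize(SAMPLE_REPORT, "000.000.000.000").items()):
        print("%-8s sid %-5s x%d  %s  %s" % (dirn, sid, n, name, sid_url(sid)))
```

The direction column is the point: with the external address substituted for the masked one, the summary separates lines where the server is the destination from lines where the server (or a host behind it) is the source, and the sid per row is what you take to the snort-db lookup.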

Reinhold
Limit the logon attempts on SSH (protocol 2) ?
« Reply #4 on: September 11, 2005, 03:27:39 PM »
Hi molski,

You NEVER have an ip 000.000.000.000 ;-)
(go look with ifconfig !)
What you show does look like a failed snort install.
Which contrib did you use ?

Be aware that Snort does need YOU to look after it (at least imo). Install the database (ACID) too - it makes things easier to follow.
For a couple of reasons I haven't followed "things SME" that much recently but Michiel van Hees aka Master Sleepy did have a good working contrib for both...
... and a short glimpse indeed shows he's still to be found at:
http://www.vanhees.cc/

Regards
Reinhold
............

molski

Limit the logon attempts on SSH (protocol 2) ?
« Reply #5 on: September 11, 2005, 03:48:01 PM »
000.000.000.000 is NOT my IP. I changed my external IP in this logfile to 000.000.000.000, because I don't know how safe it is to put my external IP in one of my own log files published on the internet  :-D

I indeed used the how-to and the 2 RPM's for SME 6.0.1 from Master Sleepy's website.

Install of Snort and Acid went without any problems, all seems to be working, I only can't find out what the lines in the log files mean :-D


Regards,
Molski

Reinhold
Limit the logon attempts on SSH (protocol 2) ?
« Reply #6 on: September 11, 2005, 06:45:56 PM »
ooops ... a little misunderstanding.

Easy (lazy) explanation :-D :
go to: https://_yourserver_/acid/acid_main.php
log in as sme-admin and start clicking around ...
...takes only a few minutes and you will start to understand what that listing then meant.
(...takes ages though to really see what is serious and what is lazy xoops  :roll: stuff )

...else you have to visit www.snort.org
they really have useful documentation (as you have probably seen already) ;-)
incl. their database where you can look up the numbers as in your previous listing: http://www.snort.org/snort-db/sid.html

Regards
Reinhold
............