Odd ssh attacks?

Njoku, George O. njokug at winthrop.edu
Fri Jul 20 16:12:14 UTC 2007


These settings are the most effective I've seen so far. They stop/disrupt
ssh scans in real time, as opposed to sifting through log files.
Thx David

George


-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of David Ford
Sent: Friday, July 20, 2007 11:38 AM
To: Ubuntu user technical support,not for general discussions
Subject: Re: Odd ssh attacks?

Felipe Figueiredo wrote:
> [..]
> Would you share your script for doing those?
>
> regards
> FF
>   
Sure, here are the relevant lines again.

# skip processing of already established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# my explicit allow list for ssh, these guys can always connect as fast
# as they want (ssh-list is a user chain, not shown here, that accepts them)
iptables -A INPUT -p tcp -m tcp --dport 22 -j ssh-list

# if it's a new ssh connection, add it to the /proc/net/ipt_recent/sshscans
# list (each hit is timestamped per source address)
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW \
    -m recent --set --name sshscans --rsource

# if an IP has connected to port 22 within the last 60 seconds and the
# connect count is 10 or more, TARPIT all its tcp connections and remember
# it in a second list (sshban) so that the hour-long tarpit below only
# applies to sources that actually crossed the threshold
iptables -A INPUT -p tcp -m tcp -m recent --rcheck --seconds 60 --hitcount 10 \
    --name sshscans --rsource -m recent --set --name sshban --rsource -j TARPIT

# maintain the SSH tarpit for an hour after the last time the threshold was
# hit (--rcheck does not refresh the timestamp, so an IP that stops
# connecting ages out of the match)
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 3600 \
    --name sshban --rsource -j TARPIT

# for email spam, if an IP is in the /proc/net/ipt_recent/spammer file,
# TARPIT it for 2 weeks (1,209,600 seconds)
# (any IP added to that list that connects within the following 2 weeks
# gets TARPIT'd)
iptables -A INPUT -p tcp -m tcp --dport 25 -m recent --rcheck --seconds 1209600 \
    --name spammer --rsource -j TARPIT



SSH probes are handled entirely automatically.  If they stop connecting
to me, they will eventually get removed from the list.

Spam is handled slightly differently.  The trigger for spam comes from
userland.  Spamassassin scores the email and procmail delivers it.  If
procmail finds a spam score of 10 or higher, it adds the IP to
/proc/net/ipt_recent/spammer with echo.

Here is the relevant snippet from /etc/procmailrc

       SENDER=`formail -x Return-Path | sed 's/[<>]//g;s/^[ ]*//'`
     # topmost Received header = the host that handed the mail to us; keep only
     # the bracketed IP, padded to 15 columns for the log line
     srcrelay=`formail -x Received -c|head -n1| sed -e 's/.*\[\([0-9.]*\)\].*/\1/g'|gawk '{printf "%-15s", $1}'`
    spamlevel=`formail -x X-Spam-Level|cut -c2-`
         from=`formail -x "From:"|sed 's/^ *//;N;s|\n| |g'`
        stars=`echo -ne $spamlevel|wc -c|gawk '{printf "%-3s", $1}'`
           to=`echo $LOGNAME|gawk '{printf "%-10s", $1}'`
    timestamp=`date "+%d%b%y-%H:%M "`

## if this rule matched, echo this IP into the spammer hash bucket. netfilter
## will tarpit their packets if they have sent another packet within 24 hours
## x 14 days.  in other words, they get to trigger the spam filters once per
## two weeks ;-)  this is good netfilter-fu
##
## iptables -A INPUT -p tcp -m tcp --dport 25 -m recent --rcheck \
##     --seconds 1209600 --name spammer --rsource -j TARPIT
##
## remember to reset mode 666 or similar on /proc/net/ipt_recent/spammer anytime
## the firewall is reloaded.  this file is written by all users.  yes i am
## aware of ramifications, port 25 can be "killed" for you if your own IP gets
## maliciously added.
##
## chmod a+w /proc/net/ipt_recent/spammer
##
## set userland to trigger on 10+, these source IPs are added to the filter
## then the spam email is dropped to /dev/null
##

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
{
  # 'c' hands a copy to the shell command (which never reads the message, so
  # 'i' ignores the resulting write error); the original continues to /dev/null.
  # $srcrelay is space-padded, so match it with a pattern instead of comparing
  # it to "127.0.0.1" literally, or locally generated spam would add 127.0.0.1
  # to the spammer list.
  :0ci
  | case "$srcrelay" in \
      127.0.0.1|"127.0.0.1 "*) \
        LOG="-*------: $timestamp score/$stars relay/$srcrelay $to $from" ;; \
      *) /bin/echo $srcrelay > /proc/net/ipt_recent/spammer; \
         LOG="-F------: $timestamp score/$stars relay/$srcrelay $to $from" ;; \
    esac

  # eventually i want a webpg of stats (LOG above is only a shell variable so
  # far); for now, just drop it to the bitbucket
  :0
  /dev/null
}

I shortly plan to write another milter that does this from inside
sendmail so I don't have to waste the processing time with procmail. 
Another addition to the milter would be triggering on unknown users. 
Sure seems to be a lot of randomly generated usernames hitting my server
:)

The above recipe makes it easy to add spam offenders to your firewall.

-- 
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
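A small model of the ipt_recent logic the ssh rules above rely on, added here as an example (it is not David's or the list's code): --set records a timestamp per source, --rcheck --seconds/--hitcount counts hits inside the window, and a separate ban list (sshban, an assumption of this model rather than a name from the post) keeps the hour-long tarpit to sources that actually crossed the 10-in-60-seconds threshold. The traffic it walks through the chain is constructed.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per source address


class RecentList:
    """One '-m recent --name X' list: a per-source ring of hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: record this packet's arrival time for src."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount=1):
        """--rcheck --seconds S --hitcount N: src has at least N hits in the last S seconds."""
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds) >= hitcount


def run_chain(packets, allow_list=(), window=60, threshold=10, ban=3600):
    """Walk new TCP connections (t, src, dport) through the INPUT rules in the
    post's order.  Returns [(t, src, dport, verdict)]; PASS means no rule
    matched and later rules or the chain policy decide."""
    sshscans, sshban = RecentList(), RecentList()   # sshban is this model's addition

    def decide(t, src, dport):
        if dport == 22 and src in allow_list:            # explicit allow list
            return "ACCEPT"
        if dport == 22:                                  # every new ssh attempt is recorded
            sshscans.set(src, t)
        if sshscans.rcheck(src, t, window, threshold):   # 10+ hits in 60 s: tarpit all tcp
            sshban.set(src, t)                           # and remember the offender
            return "TARPIT"
        if dport == 22 and sshban.rcheck(src, t, ban):   # keep the ssh tarpit for an hour
            return "TARPIT"
        return "PASS"

    return [(t, src, dport, decide(t, src, dport)) for t, src, dport in sorted(packets)]


def sample_packets():
    """Constructed traffic: a scanner hammering port 22, a normal user, an admin."""
    pkts = [(2 * i, "203.0.113.5", 22) for i in range(12)]         # 12 SYNs, 2 s apart
    pkts += [(5, "198.51.100.7", 22), (40, "198.51.100.7", 22)]     # two ordinary logins
    pkts += [(7, "192.0.2.1", 22)]                                   # allow-listed admin
    pkts += [(3000, "203.0.113.5", 22), (3000, "203.0.113.5", 80)]   # scanner, 50 min later
    pkts += [(4000, "203.0.113.5", 22)]                              # scanner, after the hour
    return pkts
```

Running run_chain(sample_packets(), allow_list={"192.0.2.1"}) tarpits the scanner from its tenth SYN (t=18) onward, still tarpits its port-22 attempt at t=3000 but lets its port-80 packet fall through, and lets it reach port 22 again at t=4000 because no new threshold hit refreshed the ban.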
