blocking scriptkiddies out of PC-BSD "security/denyhosts"


antik
06-28-2006, 11:47 AM
DenyHosts is a script intended to be run by *ix system administrators to help thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/auth.log) you may be alarmed to see how many hackers attempted to gain access to your computer.
DenyHosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (e.g. sdada) when a login attempt failed
- Keeps track of each existing user (e.g. root) when a login attempt failed
- Keeps track of each offending host (hosts can be purged)
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.deniedssh
- Optionally sends an email of newly banned hosts and suspicious logins
- Resolves IP addresses to hostnames, if you want

# portinstall security/denyhosts

Add the line denyhosts_enable="YES" to /etc/rc.conf.
I made some modifications:

/etc/hosts.allow:
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 [::1] : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny

# denyhosts: hosts listed in /etc/hosts.deniedssh get a message and are dropped.
# twist replaces sshd with the echo command and ends the connection; it must be
# the last option of the rule, so no separate ": deny" follows it.
sshd : /etc/hosts.deniedssh \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
sshd : ALL : allow

Rename /usr/local/etc/rc.d/denyhosts to denyhosts.sh, or else it won't start.
Copy /usr/local/share/denyhosts/denyhosts.cfg-dist to /usr/local/etc/denyhosts.conf and enable BLOCK_SERVICE = sshd, or, if you're really paranoid, BLOCK_SERVICE = ALL.

Edit PURGE_DENY = 10m if you want to block only for 10 minutes; in case you mistyped your own password to a remote box, it won't lock you out forever. By default this option is turned off.

# touch /etc/hosts.deniedssh
# /usr/local/etc/rc.d/denyhosts.sh start

I've already caught some suckers:
/etc/hosts.deniedssh:
sshd: 69.20.11.96 : deny
sshd: 62.161.114.45 : deny


This feature will be in the base install starting from the 1.2 release, according to the roadmap (http://www.pcbsd.org/?p=roadmap).

dracheflieger
06-28-2006, 01:20 PM
Yes, mine too:

sshd: 61.235.122.2 : deny
sshd: 200.62.170.25 : deny
sshd: 203.88.213.151 : deny
sshd: 66.221.81.169 : deny


There is also an option in denyhosts to use their central server as a deny repository.

Thanks to DragnLord and you for the good heads up and work. I thought it should start automagically if in /usr/local/etc/rc.d but never did and I had to give full path to start.

antik
06-28-2006, 01:38 PM
I thought it should start automagically if in /usr/local/etc/rc.d but never did and I had to give full path to start.

Add the line denyhosts_enable="YES" to /etc/rc.conf and rename /usr/local/etc/rc.d/denyhosts to denyhosts.sh, or else it won't start.

dracheflieger
06-28-2006, 01:50 PM
Thanks antik...already done ;-)

TerryP
06-28-2006, 10:27 PM
Mmmm, I'll have to start paying more attention to my SSH logs.

DragnLord
06-29-2006, 04:08 AM
Another tip for "the average desktop user":
edit /etc/ssh/sshd_config, uncomment and change the port.

DragnLord
06-29-2006, 05:27 AM
Maybe edit into the steps that you need to create /etc/hosts.deniedssh; best to use touch to do so.

antik
06-29-2006, 06:40 AM
Maybe edit into the steps that you need to create /etc/hosts.deniedssh; best to use touch to do so.
Done.

antik
06-29-2006, 11:20 AM
Example of how an attacker is blocked within 30 seconds.
/var/log/auth.log:
Jun 29 12:21:24 PCBSD sshd[94566]: Invalid user fluffy from 134.95.205.77
Jun 29 12:21:25 PCBSD sshd[94568]: Invalid user test from 134.95.205.77
Jun 29 12:21:26 PCBSD sshd[94571]: Invalid user guest from 134.95.205.77
Jun 29 12:21:27 PCBSD sshd[94578]: Invalid user webmaster from 134.95.205.77
Jun 29 12:21:28 PCBSD sshd[94581]: Invalid user mysql from 134.95.205.77
Jun 29 12:21:28 PCBSD sshd[94584]: Invalid user oracle from 134.95.205.77
Jun 29 12:21:29 PCBSD sshd[94586]: Invalid user library from 134.95.205.77
Jun 29 12:21:30 PCBSD sshd[94589]: Invalid user unix from 134.95.205.77
Jun 29 12:21:33 PCBSD sshd[94599]: Invalid user unix from 134.95.205.77
Jun 29 12:21:34 PCBSD sshd[94601]: Invalid user webadmin from 134.95.205.77
Jun 29 12:21:35 PCBSD sshd[94608]: Invalid user ftp from 134.95.205.77
Jun 29 12:21:36 PCBSD sshd[94611]: Invalid user test from 134.95.205.77
Jun 29 12:21:37 PCBSD sshd[94614]: Invalid user guest from 134.95.205.77
Jun 29 12:21:37 PCBSD sshd[94617]: Invalid user master from 134.95.205.77
Jun 29 12:21:38 PCBSD sshd[94619]: Invalid user apache from 134.95.205.77
Jun 29 12:21:39 PCBSD sshd[94626]: Invalid user network from 134.95.205.77
Jun 29 12:21:40 PCBSD sshd[94629]: Invalid user danny from 134.95.205.77
Jun 29 12:21:41 PCBSD sshd[94632]: Invalid user sharon from 134.95.205.77
Jun 29 12:21:41 PCBSD sshd[94635]: Invalid user aron from 134.95.205.77
Jun 29 12:21:42 PCBSD sshd[94637]: Invalid user alex from 134.95.205.77
Jun 29 12:21:43 PCBSD sshd[94644]: Invalid user brett from 134.95.205.77
Jun 29 12:21:44 PCBSD sshd[94647]: Invalid user mike from 134.95.205.77
Jun 29 12:21:44 PCBSD sshd[94650]: Invalid user alan from 134.95.205.77
Jun 29 12:21:45 PCBSD sshd[94652]: Invalid user data from 134.95.205.77
Jun 29 12:21:46 PCBSD sshd[94655]: Invalid user www-data from 134.95.205.77
Jun 29 12:21:47 PCBSD sshd[94662]: Invalid user http from 134.95.205.77
Jun 29 12:21:47 PCBSD sshd[94665]: Invalid user httpd from 134.95.205.77
Jun 29 12:21:50 PCBSD sshd[94673]: Invalid user backup from 134.95.205.77
Jun 29 12:21:50 PCBSD sshd[94676]: Invalid user info from 134.95.205.77
Jun 29 12:21:51 PCBSD sshd[94682]: Invalid user shop from 134.95.205.77
Jun 29 12:21:52 PCBSD sshd[94685]: Invalid user sales from 134.95.205.77
Jun 29 12:21:53 PCBSD sshd[94688]: Invalid user web from 134.95.205.77
Jun 29 12:21:54 PCBSD sshd[94693]: Invalid user wwwrun from 134.95.205.77
Jun 29 12:21:55 PCBSD sshd[94700]: Invalid user adam from 134.95.205.77
Jun 29 12:21:56 PCBSD sshd[94703]: Invalid user stephen from 134.95.205.77
Jun 29 12:21:56 PCBSD sshd[94706]: Invalid user richard from 134.95.205.77
Jun 29 12:21:57 PCBSD sshd[94708]: Invalid user george from 134.95.205.77
Jun 29 12:21:58 PCBSD sshd[94711]: Invalid user michael from 134.95.205.77
Jun 29 12:21:58 PCBSD sshd[94718]: twist 134.95.205.77 to /bin/echo "You are not welcome to use sshd from 134.95.205.77."
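The detection logic behind the feature list in the first post (count failed attempts per host, track non-existent and existing users, emit hosts.deniedssh entries once a threshold is hit) applied to log lines in the format of the excerpt above. This is an added example, not DenyHosts' own code; the sample log, the thresholds and the `scan_auth_log` function are constructed for illustration, and the `Failed password for` lines use OpenSSH's message for a wrong password on an existing account.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the format of this thread's /var/log/auth.log excerpt;
# "Failed password for X" is OpenSSH's message for a wrong password on an existing account.
SAMPLE_LOG = """\
Jun 29 12:21:24 PCBSD sshd[94566]: Invalid user fluffy from 134.95.205.77
Jun 29 12:21:25 PCBSD sshd[94568]: Invalid user test from 134.95.205.77
Jun 29 12:21:26 PCBSD sshd[94571]: Invalid user guest from 134.95.205.77
Jun 29 12:21:27 PCBSD sshd[94578]: Invalid user webmaster from 134.95.205.77
Jun 29 12:30:02 PCBSD sshd[94702]: Failed password for root from 198.51.100.9 port 4022 ssh2
Jun 29 12:30:05 PCBSD sshd[94704]: Failed password for root from 198.51.100.9 port 4023 ssh2
Jun 29 12:31:10 PCBSD sshd[94710]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jun 29 12:31:40 PCBSD sshd[94712]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
"""

# Guess at a non-existent account (DenyHosts' "evil host" case).
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+(?:\.\d+){3})")
# Wrong password for an existing account; the lookahead stops the "invalid user"
# variant of this message from being counted a second time.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user)(\S+) from (\d+(?:\.\d+){3})")


def scan_auth_log(text, invalid_threshold=3, valid_threshold=5, already_denied=()):
    """Return (new deny lines, invalid users per host, existing users per host).
    Thresholds are constructed defaults, not the values in DenyHosts' own config."""
    invalid_hits, valid_hits = Counter(), Counter()
    invalid_users, existing_users = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            user, host = m.groups()
            invalid_hits[host] += 1
            invalid_users[host].add(user)
            continue
        m = FAILED_RE.search(line)
        if m:
            user, host = m.groups()
            valid_hits[host] += 1
            existing_users[host].add(user)
    deny_lines = []
    for host in sorted(set(invalid_hits) | set(valid_hits)):
        if host in already_denied:
            continue  # already in /etc/hosts.deniedssh, do not append it twice
        if invalid_hits[host] >= invalid_threshold or valid_hits[host] >= valid_threshold:
            deny_lines.append(f"sshd: {host} : deny")  # format of the posted hosts.deniedssh
    return deny_lines, dict(invalid_users), dict(existing_users)
```

Passing the hosts already present in /etc/hosts.deniedssh as `already_denied` gives the same "append only new hosts" behaviour the first post describes; a single mistyped password from 192.0.2.10 stays well below the threshold.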

pcbsdusr
06-29-2006, 12:30 PM
will this security feature make it into the official installations?

DragnLord
06-29-2006, 01:45 PM
as the roadmap says, yes, in 1.2

pcbsdusr
06-29-2006, 01:47 PM
Oops.. :oops:

Sorry i asked... :wink:

madman
06-29-2006, 03:08 PM
My servers used to get pounded with those damn ssh attacks every hour of the day. I just changed the default port and it hasn't been attacked since then.

dracheflieger
06-30-2006, 08:58 PM
FreshPorts shows a new version today with several fixes.

goatman
12-24-2006, 01:43 AM
I've just finally got to this tutorial.... I am using 1.2, so I want to know if I need to do anything to my configuration (I didn't understand ALL of the above, just a little ;)).
On the same subject, I did a cat /var/log/auth.log and this was in the output of that log:
Nov 30 13:59:48 PCBSD kdeinit: gethostby*.getanswer: asked for "undeadly.org.nyud.net IN A", got type "39"
Nov 30 14:06:47 PCBSD kdeinit: gethostby*.getanswer: asked for "undeadly.org.nyud.net IN A", got type "39"
Nov 30 14:07:40 PCBSD last message repeated 3 times
amongst all of my su'ing to root, and typing the wrong password (FFE's), so I looked up the offender and this is what their website says:
If you are visiting this website because you are receiving unwanted or unrequested traffic from this or any other PlanetLab node, please use the Search Form to identify the researchers responsible for the traffic, and report your complaint to them. PlanetLab Support (support@planet-lab.org) is copied on all complaints, and will ensure that your concerns are addressed in a timely manner.
PlanetLab is a global research network that supports the development of new network services. Since the beginning of 2003, more than 1,000 researchers at top academic institutions and industrial research labs have used PlanetLab to develop new technologies for distributed storage, network mapping, peer-to-peer systems, distributed hash tables, and query processing.
If you have received UDP traceroute packets from a number of PlanetLab nodes, you or another user on your network may have recently accessed a website cached by the Coral project, which runs on PlanetLab. Many websites, including Slashdot, regularly post "Coralized" links to popular content. Coral actively probes its clients using a fast traceroute-like tool, to determine the nearest proxy for its clients to use. If you do not want to receive such probes, discontinue accessing URLs that end in .nyud.net:8090.
If you are receiving HTTP requests from PlanetLab nodes, users may be accessing your website through Coral or CoDeeN, another content distribution network that runs on PlanetLab. If you do not want your site to be cached by Coral or CoDeeN, please contact the maintainers of Coral or the maintainers of CoDeeN directly.
If your intrusion detection system (IDS) claims that a PlanetLab node may be compromised with a virus because of traffic that it sent you, the IDS is likely to be mistaken. All PlanetLab nodes run a custom version of Linux, not Windows. Each node boots from secure immutable media and is installed with only the minimum amount of software. All services, such as Coral and CoDeeN, run in virtual servers that, even if compromised, remain isolated from the rest of the system. PlanetLab Operations staff work full-time to monitor and ensure the security and integrity of the network.
Researchers using the PlanetLab network are bound by an Acceptable Use Policy which forbids malicious or disruptive behavior. Additionally, all PlanetLab nodes are secured and actively managed by the PlanetLab Operations team.
If you are unable to determine the source of the traffic, please contact PlanetLab Support (support@planet-lab.org). Feel free to direct any additional concerns or questions about PlanetLab to this address. link to their website (http://undeadly.org.nyud.net/)
Does anyone have any idea what this is? To my knowledge, I have never visited their website, and I'm the only one who uses this box. (No one else in the family likes Open Source).

I don't know what any of this means: kdeinit: gethostby*.getanswer: asked for "undeadly.org.nyud.net IN A", got type "39"
If someone can translate this, I'd sure appreciate it.... then maybe I could use the search form to find out why they are trying to get into my box for whatever info they want :? THX.

dracheflieger
12-24-2006, 02:34 AM
I don't think it's anything to be concerned about...it's not a denyhosts error as those are shown above. The site is OpenBSD friendly as shown here (http://undeadly.org.nyud.net:8090/cgi?action=article&sid=20060927091645)

goatman
12-25-2006, 02:56 AM
It may be OPEN BSD friendly, but it says: "If you do not want to receive such probes, discontinue accessing URLs that end in .nyud.net:8090", which I never did access in the first place, and the idea of "more than 1,000 researchers at top academic institutions and industrial research labs" trying to access my box is disturbing to me. (Is there a PC_OPENBSD anywhere? :lol: :lol: ) OK, I'm paranoid, and I don't trust our gov't! Is that OK? ;)! Our gov't buys and sells these academic institutions and industrial labs like you and me change our skivvies, so I don't trust the lot of them! I was in the Army in Germany in 1962 when Kennedy was murdered, and we heard a totally different story than what was put out by the Warren Commission. JMPO! goatman

Galactic Dominator
07-17-2007, 09:01 PM
As a correction, denyhosts can be started by

./denyhosts start

Solarin
07-18-2007, 08:16 AM
As a correction, denyhosts can be started by

./denyhosts start

That'll only work if you're in the directory where 'denyhosts' is present.

Antik's method is the preferred one:

/usr/local/etc/rc.d/denyhosts.sh start

Galactic Dominator
07-18-2007, 05:32 PM
I know....

The point I was making is that there is no need to rename the file as the instructions said; rather, call it as a sh script by

running /usr/local/etc/rc.d/denyhosts start

Renaming denyhosts to denyhosts.sh is not necessary.

Apatewna
07-25-2007, 12:01 PM
Also take a look at some info here (http://forums.pcbsd.org/viewtopic.php?t=8596&highlight=syslogdflags), especially the syslogd flags.