Solution
PART 1: authlog-analyser script
PART 2: fail2ban site blocklist.de
PART 3: add tables to pf
PART 4: add to crontab
A pure pf.conf setup with a strict max-src-conn-rate reduced SSH attacks by 60 % (guessing).
With the added blocklist from blocklist.de and automatic blocking of failed authlog IPs, attackers are reduced by 97-99 %. Attackers do use the cloud, so it is good to have the fail2ban cloud blocklist add some counterbalance; not only the attacker can gain strength in the cloud.
Getting IPs from blocklist.de is simple; it is a plain text file.
In the last two hours after the setup completed, 0 attackers came through the pf wall.
Before, with strict pf rules, 20+ per hour came through to attack SSH.
Please leave feedback, I hope to improve it further.
Many thanks for the help, especially TronDD who gave me the code to get started. I chopped it up and used temp files; it was easier for me as a beginner to understand where it went wrong and what each command did when each step has its own file.
PART 1:
authlog-analyser script: looks for "Bad", "invalid user" or "Invalid user".
IPs from authlog are cleaned of other information and fed into /etc/bruteforce.
I will monitor /var/log/authlog and see if other words are needed as well.
Code:
#! /bin/ksh
# Pull attacker IPs out of /var/log/authlog and append them to the
# <bruteforce> table file; each step writes its own temp file
cd /home/nobody/script/ || exit 1
rm -f temp*
touch tempfile1 tempfile2 tempfile3
# "Invalid user NAME from IP port N" lines: drop everything up to the
# last "from ", then keep the first word (the IP)
grep -E "[iI]nvalid user .+ from" /var/log/authlog > /home/nobody/script/tempfile1
sed 's/.*from //' tempfile1 > tempfile2
cut -d ' ' -f 1 tempfile2 > tempfile3
sort -fu tempfile3 >> /etc/bruteforce
touch tempfile11 tempfile22 tempfile33
# "Bad ..." lines (e.g. "Bad protocol version identification ... from IP port N");
# only keep lines that contain "from", otherwise sed/cut below leave the
# whole line and put "Jan" into the table file, which pfctl refuses to load
grep -E "Bad .* from " /var/log/authlog > /home/nobody/script/tempfile11
sed 's/.*from //' tempfile11 > tempfile22
cut -d ' ' -f 1 tempfile22 > tempfile33
sort -fu tempfile33 >> /etc/bruteforce
# the whole log is rescanned on every run, so deduplicate the table file
# instead of letting it grow with repeated entries
sort -u -o /etc/bruteforce /etc/bruteforce
pfctl -f /etc/pf.conf
exit
PART 2:
Downloading with ftp, deleting the content of /etc/badhosts and filling /etc/badhosts with the full new content every time. According to blocklist.de, offending IPs are stored in their blocklist for 48 hours.
Code:
#! /bin/ksh
# Download the blocklist.de list to a temp file and only replace
# /etc/badhosts if the download succeeded and is not empty, so a failed
# fetch (blocklist.de down, no network) does not leave an empty table
cd /tmp || exit 1
if ftp -o badhosts.new https://lists.blocklist.de/lists/all.txt && [ -s badhosts.new ]; then
	mv badhosts.new /etc/badhosts
	pfctl -f /etc/pf.conf
fi
exit
PART 3:
Make the files for storing ip information
Code:
touch /etc/badhosts
Code:
touch /etc/bruteforce
Add tables to /etc/pf.conf and point the tables to the files.
Code:
#Badhosts
table <badhosts> persist file "/etc/badhosts"
block in quick on egress proto tcp from <badhosts> \
to any port ssh label "badhosts"
#Bruteforcers
table <bruteforce> persist file "/etc/bruteforce"
block quick from <bruteforce>
PART 4:
Enable the script to be run every hour. I might change this later.
Code:
env EDITOR=nano crontab -e
Code:
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour mday month wday command
0 * * * * /bin/sh /home/nobody/script/fetch.script
* * * * * /bin/sh /home/nobody/script/authlog-analyser
# rotate log files every hour, if necessary
0 * * * * /usr/bin/newsyslog
# send log file notifications, if necessary
#1-59 * * * * /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
30 1 * * * /bin/sh /etc/daily
30 3 * * 6 /bin/sh /etc/weekly
30 5 1 * * /bin/sh /etc/monthly
#0 * * * * sleep $((RANDOM \% 1800)) && /usr/libexec/spamd-setup
**************************************************
Problem
I see many attempts to attack my firewall.
Idea for solution:
Scripts exporting IPs from /var/log/authlog and adding them to /etc/badhosts in pf.
There are a few legit IPs in authlog, so not every IP can be added to badhosts.
Wishlist, block:
a) Invalid user
b) Repeated disconnecting without successful login; remember attempts for 48 hours.
Here is a sample from /var/log/authlog
Code:
Jan 25 18:58:50 wall sshd[89865]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:06:39 wall sshd[55279]: Received disconnect from 119.249.54.71 port 42103:11: [preauth]
Jan 25 19:06:39 wall sshd[55279]: Disconnected from 119.249.54.71 port 42103 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: input_userauth_request: invalid user android [preauth]
Jan 25 19:15:41 wall sshd[71072]: error: maximum authentication attempts exceeded for invalid user android from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:30:19 wall sshd[44171]: Received disconnect from 121.18.238.104 port 40342:11: [preauth]
Jan 25 19:30:19 wall sshd[44171]: Disconnected from 121.18.238.104 port 40342 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Invalid user nostale from 112.216.245.75 port 14856
Jan 25 19:32:17 wall sshd[18696]: input_userauth_request: invalid user nostale [preauth]
Jan 25 19:32:17 wall sshd[18696]: error: maximum authentication attempts exceeded for invalid user nostale from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:33:19 wall sshd[20562]: Unable to negotiate with 195.154.102.193 port 62787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:33:23 wall sshd[13245]: Unable to negotiate with 195.154.102.193 port 62928: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:39:15 wall sshd[78437]: Received disconnect from 221.194.47.208 port 36552:11: [preauth]
Jan 25 19:39:15 wall sshd[78437]: Disconnected from 221.194.47.208 port 36552 [preauth]
Jan 25 19:44:49 wall sshd[26394]: Received disconnect from 221.194.44.224 port 47858:11: [preauth]
Jan 25 19:44:49 wall sshd[26394]: Disconnected from 221.194.44.224 port 47858 [preauth]
Jan 25 20:20:26 wall sshd[91739]: Connection closed by 191.101.154.104 port 61449 [preauth]
Jan 25 20:25:08 wall sshd[31248]: Received disconnect from 121.18.238.114 port 47474:11: [preauth]
Jan 25 20:25:08 wall sshd[31248]: Disconnected from 121.18.238.114 port 47474 [preauth]
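Added example, not the poster's or TronDD's code: a single-pass version of the authlog analyser that covers both wishlist items from the original problem and the things the PART 1 script leaves open. It counts "Received disconnect ... [preauth]" per peer and only bans after a threshold (wishlist b), takes a whitelist for the few legit IPs in authlog, validates every extracted address as IPv4 before it is written out (log text is attacker controlled, and one malformed line in the table file makes pfctl refuse the whole file), always takes the last " from " on a line so a crafted username cannot smuggle in a different address, and loads the table with pfctl -T replace instead of reloading the whole pf.conf every minute. Assumptions: the table is named <bruteforce> as in the PART 3 pf.conf, the whitelist and threshold values are placeholders, IPv6 is not handled, and the sample log lines are constructed to match the authlog format quoted above.

```shell
#!/bin/sh
# Added example (not the poster's or TronDD's script): one-pass extraction of
# SSH attacker IPs from sshd authlog lines, with a threshold for repeated
# pre-auth disconnects (wishlist item b), a whitelist for the few legit IPs,
# IPv4 validation so log text can never put junk into the pf table file, and
# an atomic table replace instead of reloading all of pf.conf every minute.
# Assumed: table <bruteforce> as in the post's pf.conf; IPv4 only.

# Constructed sample, modelled on the authlog format quoted in the post.
SAMPLE_LOG='Jan 25 19:06:39 wall sshd[55279]: Received disconnect from 119.249.54.71 port 42103:11: [preauth]
Jan 25 19:06:39 wall sshd[55279]: Disconnected from 119.249.54.71 port 42103 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: error: maximum authentication attempts exceeded for invalid user android from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:30:19 wall sshd[44171]: Received disconnect from 121.18.238.104 port 40342:11: [preauth]
Jan 25 19:31:02 wall sshd[44190]: Received disconnect from 121.18.238.104 port 40351:11: [preauth]
Jan 25 19:31:40 wall sshd[44207]: Received disconnect from 121.18.238.104 port 40366:11: [preauth]
Jan 25 19:40:00 wall sshd[50000]: Invalid user admin from 192.0.2.10 port 5000
Jan 25 19:41:00 wall sshd[50001]: Accepted publickey for alice from 203.0.113.5 port 5100 ssh2: ED25519 SHA256:constructed
Jan 25 19:42:00 wall sshd[50001]: Received disconnect from 203.0.113.5 port 5100:11: disconnected by user
Jan 25 19:43:00 wall sshd[50002]: Invalid user x from 999.1.1.1 port 5200
Jan 25 19:43:30 wall sshd[50003]: Invalid user a from 10.0.0.1 from 198.51.100.7 port 5300'

# bad_ips THRESHOLD "WHITELIST IPS" < authlog  ->  one validated IPv4 per line
bad_ips() {
    awk -v threshold="${1:-3}" -v wl="${2:-}" '
    # the last " from " wins, so a crafted username containing " from x.x.x.x"
    # cannot substitute its own address for the real peer
    function src_ip(line,    parts) {
        sub(/.* from /, "", line)
        split(line, parts, " ")
        return parts[1]
    }
    function valid_ip(ip,    o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    # wishlist a): invalid user names, plus the "max attempts" error line
    /sshd\[[0-9]+\]: Invalid user .* from /             { offend[src_ip($0)] = 1 }
    /maximum authentication attempts exceeded .* from / { offend[src_ip($0)] = 1 }
    # a peer that logged in successfully is never banned for disconnects alone
    /Accepted (publickey|password|keyboard-interactive) for .* from / { ok[src_ip($0)] = 1 }
    # wishlist b): disconnects before authentication, counted per peer
    /Received disconnect from .* \[preauth\]/           { preauth[src_ip($0)]++ }
    END {
        for (ip in preauth)
            if (preauth[ip] >= threshold && !(ip in ok)) offend[ip] = 1
        for (ip in offend)
            if (valid_ip(ip) && !(ip in white)) print ip
    }' | sort -u
}

# update_table < ip-list: merge into the persistent file, then load just the
# table (pfctl -T replace) rather than the whole ruleset; needs root
update_table() {
    table=/etc/bruteforce
    tmp=$(mktemp /etc/bruteforce.XXXXXX) || return 1
    { [ -f "$table" ] && cat "$table"; cat; } | sort -u > "$tmp" &&
        mv "$tmp" "$table" &&
        pfctl -t bruteforce -T replace -f "$table"
}

WHITELIST="203.0.113.5"   # assumed: your own admin addresses, space separated
if [ "${1:-}" = "--apply" ]; then
    bad_ips 3 "$WHITELIST" < /var/log/authlog | update_table   # from cron, as root
else
    printf '%s\n' "$SAMPLE_LOG" | bad_ips 3 "$WHITELIST"         # dry run on the sample
fi
```

Run it without arguments first to see what it would ban on the constructed sample; with `--apply` it reads the real authlog and replaces the table. After a real run, `pfctl -t bruteforce -T show` lists what pf actually loaded. The 48-hour memory from the wishlist can be approximated with `pfctl -t bruteforce -T expire 172800` from cron, which drops table entries older than that many seconds, but the persistent file then needs to be regenerated from `-T show` or the next `--apply` will put them back.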