OpenBSD Security Functionally paranoid!
Add ip from /var/log/authlog to pf
Solution

PART 1: authlog-analyser scripts
PART 2: fail2ban site blocklist.de
PART 3: add table to pf
PART 4: add to crontab

Pure pf.conf setup with strict conn-src-rate reduced ssh attacks by 60 % (guessing). With the added blocklist from blocklist.de and auto blocking of failed authlog IPs, attackers are reduced by 97-99 %. Attackers do use the cloud; it is good to have the fail2ban cloud blocklist add some counterbalance, so that not only the attacker can gain strength in the cloud. Getting IPs from blocklist.de is simple; it is in a plain text file. In the last two hours after the setup was completed, 0 attackers came through the pf wall. Before, with strict pf rules, 20+ per hour came through to attack ssh.

Please leave feedback, I hope to improve it further. Many thanks for the help, especially TronDD who gave me the code to get started. I chopped it up and used temp files; it was easier for me as a beginner to understand where it went wrong, and what each command did, when each step has its own file.

PART 1: authlog-analyser script, looks for "Bad", "invalid user" or "Invalid user". IPs from authlog are cleaned of other information and fed into /etc/bruteforce. I will monitor /var/log/authlog and see if other words are needed also.

Code:
#!/bin/ksh
# Work in the script directory; abort if it is missing so that "rm temp*"
# never runs somewhere else.
cd /home/nobody/script/ || exit 1
rm -f temp*
touch tempfile1
touch tempfile2
touch tempfile3
# Step 1: lines for non-existent users, e.g.
#   Invalid user android from 112.216.245.75 port 14856
grep -E "[iI]nvalid user .+ from" /var/log/authlog > /home/nobody/script/tempfile1
# Strip everything up to and including the last "from "
sed 's/.*from //' tempfile1 > tempfile2
# Keep only the first word, the address
cut -d ' ' -f 1 tempfile2 > tempfile3
sort -u tempfile3 >> /etc/bruteforce
touch tempfile11
touch tempfile22
touch tempfile33
# Step 2: "Bad ..." lines that name a source address; requiring " from "
# keeps lines without an address from leaking garbage into the table.
grep -E "Bad .* from " /var/log/authlog > /home/nobody/script/tempfile11
sed 's/.*from //' tempfile11 > tempfile22
cut -d ' ' -f 1 tempfile22 > tempfile33
sort -u tempfile33 >> /etc/bruteforce
pfctl -f /etc/pf.conf
exit

PART 2: downloading with ftp and deleting the content of /etc/badhosts, filling /etc/badhosts with the full new content every time. According to blocklist.de, offending IPs are stored in their block list for 48 hours.

Code:
#!/bin/ksh
# Download into all.txt and stop if the download fails, so a failed fetch
# does not leave /etc/badhosts empty.
ftp -o all.txt https://lists.blocklist.de/lists/all.txt || exit 1
cat all.txt > /etc/badhosts
pfctl -f /etc/pf.conf
exit

PART 3: make the files for storing IP information.

Code:
touch /etc/badhosts
touch /etc/bruteforce

Code:
# Badhosts
table <badhosts> persist file "/etc/badhosts"
block in quick on egress proto tcp from <badhosts> \
    to any port ssh label "badhosts"

# Bruteforcers
table <bruteforce> persist file "/etc/bruteforce"
block quick from <bruteforce>

PART 4: enable the script to be run every hour. I might change this later.

Code:
env EDITOR=nano crontab -e

Code:
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour mday month wday command
0 * * * * /bin/sh /home/nobody/script/fetch.script
* * * * * /bin/sh /home/nobody/script/authlog-analyser
# rotate log files every hour, if necessary
0 * * * * /usr/bin/newsyslog
# send log file notifications, if necessary
#1-59 * * * * /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
30 1 * * * /bin/sh /etc/daily
30 3 * * 6 /bin/sh /etc/weekly
30 5 1 * * /bin/sh /etc/monthly
#0 * * * * sleep $((RANDOM \% 1800)) && /usr/libexec/spamd-setup

Problem

I see many attempts to attack my firewall.

Idea for solution: scripts exporting IPs from /var/log/authlog and adding them to /etc/badhosts in pf. There are a few legit IPs in authlog, so not every IP can be added to badhosts.

Wishlist, block:
a) Invalid user
b) Repeated disconnecting without successful login; remember attempts for 48 hours.

Here is a sample from /var/log/authlog

Code:
an 25 18:58:50 wall sshd[89865]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:06:39 wall sshd[55279]: Received disconnect from 119.249.54.71 port 42103:11: [preauth]
Jan 25 19:06:39 wall sshd[55279]: Disconnected from 119.249.54.71 port 42103 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: input_userauth_request: invalid user android [preauth]
Jan 25 19:15:41 wall sshd[71072]: error: maximum authentication attempts exceeded for invalid user android from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:30:19 wall sshd[44171]: Received disconnect from 121.18.238.104 port 40342:11: [preauth]
Jan 25 19:30:19 wall sshd[44171]: Disconnected from 121.18.238.104 port 40342 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Invalid user nostale from 112.216.245.75 port 14856
Jan 25 19:32:17 wall sshd[18696]: input_userauth_request: invalid user nostale [preauth]
Jan 25 19:32:17 wall sshd[18696]: error: maximum authentication attempts exceeded for invalid user nostale from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:33:19 wall sshd[20562]: Unable to negotiate with 195.154.102.193 port 62787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:33:23 wall sshd[13245]: Unable to negotiate with 195.154.102.193 port 62928: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:39:15 wall sshd[78437]: Received disconnect from 221.194.47.208 port 36552:11: [preauth]
Jan 25 19:39:15 wall sshd[78437]: Disconnected from 221.194.47.208 port 36552 [preauth]
Jan 25 19:44:49 wall sshd[26394]: Received disconnect from 221.194.44.224 port 47858:11: [preauth]
Jan 25 19:44:49 wall sshd[26394]: Disconnected from 221.194.44.224 port 47858 [preauth]
Jan 25 20:20:26 wall sshd[91739]: Connection closed by 191.101.154.104 port 61449 [preauth]
Jan 25 20:25:08 wall sshd[31248]: Received disconnect from 121.18.238.114 port 47474:11: [preauth]
Jan 25 20:25:08 wall sshd[31248]: Disconnected from 121.18.238.114 port 47474 [preauth]

Last edited by psypro; 31st October 2020 at 06:39 AM. Reason: Fixed malformed [/code] tag

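A worked version of the extraction step, added here as an example and not the poster's or TronDD's script: it pulls the source address out of the sshd events this thread keys on ("Invalid user ... from", "Bad protocol version identification ... from", "Unable to negotiate with ... port"), drops addresses listed in an allow-list file so the admin's own address never lands in the table (TronDD's "safe table" idea, applied before the file is written), and swaps the table file into place atomically. The log lines inside it are constructed in the authlog format shown above; the allow-list path /etc/pf.safe in the usage comment is an assumption, and the loader uses the pfctl table commands rather than a full ruleset reload.

```shell
#!/bin/sh
# Added example, not the original poster's script. Builds a pf table file
# from sshd failures in authlog. Paths named in comments (/etc/pf.safe,
# /etc/bruteforce) are assumptions, not files from the thread.

# Constructed sample in the authlog format from the thread. The last two
# lines are a legitimate login from 192.0.2.10 followed by a typo by the
# same admin; that address must not end up blocked. The "Bad protocol"
# payload deliberately contains a fake " from ... port " to show why the
# patterns anchor on the last "from".
sample_log() {
cat <<'EOF'
Jan 25 19:06:39 wall sshd[55279]: Received disconnect from 119.249.54.71 port 42103:11: [preauth]
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: input_userauth_request: invalid user android [preauth]
Jan 25 19:32:17 wall sshd[18696]: Invalid user nostale from 112.216.245.75 port 14856
Jan 25 19:33:19 wall sshd[20562]: Unable to negotiate with 195.154.102.193 port 62787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 20:01:02 wall sshd[12345]: Bad protocol version identification 'GET / from 10.9.9.9 port 1' from 203.0.113.9 port 4444
Jan 25 20:05:00 wall sshd[22201]: Accepted publickey for psypro from 192.0.2.10 port 50000 ssh2
Jan 25 20:06:00 wall sshd[22202]: Invalid user psyrpo from 192.0.2.10 port 50001
EOF
}

# Print the offending address from each matching sshd line, one per line,
# de-duplicated. The leading ".*" is greedy, so each pattern anchors on the
# LAST " from " in the line: the user name and the "Bad protocol" payload
# are attacker-controlled and may themselves contain " from x.x.x.x port n",
# but sshd appends the real source address after them.
extract_bad_ips() {
    grep 'sshd\[' |
    sed -n \
        -e 's/.*[Ii]nvalid user .* from \([^ ]*\).*/\1/p' \
        -e 's/.*Bad protocol version identification .* from \([^ ]*\).*/\1/p' \
        -e 's/.*Unable to negotiate with \([^ ]*\) port .*/\1/p' |
    sort -u
}

# Drop addresses listed in the allow-list file ($1), one per line, '#'
# comments allowed. The file is read in BEGIN via getline so that an empty
# or missing file simply excludes nothing (the common NR==FNR idiom
# misfires when the first file is empty).
filter_safe() {
    awk -v safefile="$1" '
        BEGIN { while ((getline l < safefile) > 0) if (l != "" && l !~ /^#/) safe[l] = 1 }
        NF && !($1 in safe)'
}

# Build the table file: extract, filter, write to a temp file in the same
# directory and rename it into place so pf never loads a half-written file.
# $1 = log file, $2 = allow-list file, $3 = table file to write.
build_table() {
    tmp=$(mktemp "$3.XXXXXXXX") || return 1
    if extract_bad_ips < "$1" | filter_safe "$2" > "$tmp"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"; return 1
    fi
}

# Load the table file into the running table without a full
# "pfctl -f /etc/pf.conf". "add" keeps entries pf put in the table itself
# (for instance via an overload rule); use "replace" if the file is meant
# to be the only source of truth.
load_table() {
    pfctl -t bruteforce -T add -f "$1"
}

# "sh thisfile demo" prints what the sample log would block. From cron,
# with the assumed paths:
#   build_table /var/log/authlog /etc/pf.safe /etc/bruteforce && load_table /etc/bruteforce
if [ "${1-}" = "demo" ]; then
    safe=$(mktemp) && printf '192.0.2.10\n' > "$safe"
    sample_log | extract_bad_ips | filter_safe "$safe"
    rm -f "$safe"
fi
```

Note that the allow list matches exact addresses only; a home address that changes (dynamic DHCP, CGNAT) needs a network range, which is better handled in pf.conf with a pass rule on a separate table evaluated before the block, as TronDD describes later in the thread.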
You can write your own, or you can start with any of the publicly available tools.
I use something like this (play around with it to do what you need it to do):
Code:
grep sshd /var/log/authlog | grep -E "[iI]nvalid user .+ from" |
    sed 's/.*from //' | cut -d ' ' -f 1 |
    while read -r i; do pfctl -t bruteforce -T add "$i"; done
I also have a safe table in pf that matches my home IP before blocking on the bruteforce table, so I can't lock myself out by accident. I did it once. That was enough. I only do that because it's a remote server.

Quote:
Code:
for i in $(cat /var/log/authlog | grep sshd | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do pfctl -t bruteforce -T add $i; done
I have tried to get it to write to a file with >>"/etc/badhosts". This does not work:
Code:
for i in $(cat /var/log/authlog | grep sshd | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do cat >> "/etc/badhosts" $i; done

Making progress, I have now written a little script to download the blocklist.
From my experience it is strongly recommended to have a blocklist. From a constant wave after wave of attacks, to peace! (I guess some non-blocked attacker will show up, but for now 100 % of attackers are stopped by pf with the help of blocklist.de.) I have hopefully managed to add it to cron. Should I split the script into two parts, one which downloads and one which applies the changes? Are there any security implications of running such a script in cron, and any ideas for improving security?
Code:
#!/bin/ksh
wget https://lists.blocklist.de/lists/all.txt
cat all.txt >> /etc/badhosts
pfctl -f /etc/pf.conf
exit
Last edited by psypro; 26th January 2017 at 01:26 PM.

How to remove duplicate of ip in the /etc/bruteforce file?
It won't be necessary, because when you use pfctl to load a table from a file, duplicate addresses will be ignored.
If you are still concerned, use your Internet search tool to find "shell script to remove duplicate lines in a file" and you'll get a list of methods to choose from, such as these.

I removed
Code:
cat
and
Code:
sort -fu
If I run this, it works:
Code:
sh authlog-analyser
Code:
sh fetch.script
It works perfectly when I run it myself.

Quote:
Removed from PART2 fetch.script:
Code:
wget
Code:
ftp

Next step
IPs should not be blocked for ever. The IPs from blocklist.de will expire every 48 hours according to their website, and my script deletes and rewrites the file every time. So where changes are needed is the authlog-analyser and the /etc/bruteforce file.
Alternatives:
a) a dev-null script, with crontab to purge /etc/bruteforce once a week, or
b) add a new table to pf.conf, bruteforce.old, and somehow write a script to cp from bruteforce to bruteforce.old and then clean bruteforce.
Can two crontab jobs crash into each other, or do they wait for the other to finish before beginning?

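On the two questions in this post: cron starts each job at its scheduled time whether or not the previous one has finished, so the hourly fetch and the per-minute analyser can run at the same moment and both rewrite files and reload pf; and pf itself can age entries out of the kernel table with pfctl -t bruteforce -T expire 172800 (entries older than 48 hours, counted from when they were added), but the file the table is loaded from on the next pfctl -f still has to be pruned separately. The script below is an added example, not the poster's, and does both in the shell: it keeps a "first seen" timestamp next to every address in a small state file, rebuilds the table file from the entries younger than 48 hours, and wraps each cron run in a mkdir lock. The state-file and lock paths are assumptions; the addresses and timestamps in the test and demo are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script: age blocked addresses out after
# 48 hours and serialise cron runs. STATE and LOCK paths are assumptions;
# override them in the environment.
STATE=${STATE:-/var/db/bruteforce.seen}   # one "address epoch" pair per line
LOCK=${LOCK:-/var/run/bruteforce.lock}
TTL=$((48 * 3600))                        # 48 h, the same window blocklist.de uses

# Merge addresses from stdin (one per line, e.g. the output of the authlog
# script) into STATE, stamping new ones with $1 (epoch seconds) and keeping
# the original first-seen time of addresses already present. The state file
# is read via getline in BEGIN so an absent or empty file is handled.
record_ips() {
    awk -v now="$1" -v state="$STATE" '
        BEGIN { while ((getline l < state) > 0) { split(l, f, " "); seen[f[1]] = f[2] } }
        NF && !($1 in seen) { seen[$1] = now }
        END { for (ip in seen) print ip, seen[ip] }
    ' | sort > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# Drop entries first seen more than TTL seconds before $1, rewrite the pf
# table file $2 from what is left (rename, so pf never reads a partial
# file), and print how many entries survived.
expire_ips() {
    [ -f "$STATE" ] || : > "$STATE"
    awk -v now="$1" -v ttl="$TTL" 'NF == 2 && now - $2 <= ttl' "$STATE" \
        | sort > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
    cut -d ' ' -f 1 "$STATE" > "$2.tmp" && mv "$2.tmp" "$2"
    wc -l < "$2" | tr -d ' '
}

# Run a command under an exclusive lock. mkdir is atomic and needs no
# flock(1)/lockf(1), which OpenBSD base does not ship. Returns 75
# (EX_TEMPFAIL) when another run holds the lock; a lock left behind by a
# job that was SIGKILLed has to be removed by hand.
with_lock() {
    mkdir "$LOCK" 2>/dev/null || { echo "lock held: $LOCK" >&2; return 75; }
    trap 'rmdir "$LOCK" 2>/dev/null' EXIT INT TERM
    "$@"; rc=$?
    rmdir "$LOCK" 2>/dev/null
    trap - EXIT INT TERM
    return $rc
}

# "sh thisfile demo" exercises the functions on a throw-away state file.
# From cron, with the assumed paths, one entry feeds in and one prunes:
#   <addresses> | with_lock record_ips "$(date +%s)"
#   with_lock expire_ips "$(date +%s)" /etc/bruteforce \
#       && pfctl -t bruteforce -T replace -f /etc/bruteforce
if [ "${1-}" = "demo" ]; then
    STATE=$(mktemp) LOCK=$(mktemp -d)/lock
    printf '112.216.245.75\n' | with_lock record_ips "$(( $(date +%s) - TTL - 60 ))"
    printf '203.0.113.9\n'    | with_lock record_ips "$(date +%s)"
    table=$(mktemp); n=$(with_lock expire_ips "$(date +%s)" "$table")
    echo "$n entry left after expiry:"; cat "$table"
fi
```

Because the table file is regenerated from the state file, the "replace" form of pfctl is the right one here: anything not in the file is meant to be gone. If an overload rule also feeds the same table, keep the two sources separate (a second table) rather than mixing kernel-added and file-added entries.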
I have now split the scripts up into:
authlog-analyser
fetch.openbl.script (ftp download text file)
fetch.blocklist.de.script (ftp download text file)
addfw (writes data to permanent files in /etc)
pf.reload.script (needs to run pfctl -f /etc/pf.conf)
Code:
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour mday month wday command
0 * * * * /bin/sh /home/nobody/script/fetch.script
* * * * * /bin/sh /home/nobody/script/authlog-analyser
Reading the manual, I found
FILES
/etc/crontab System crontab.
/var/cron/tabs/<user> User crontab.
/var/cron/tab/root was the only one I found, and that is the one I am using. So how do I add a user crontab? Trying this as a normal user:
Code:
env EDITOR=nano crontab -e
Last edited by psypro; 29th January 2017 at 06:34 PM.