DaemonForums > OpenBSD > OpenBSD Security

#1 - 25th January 2017 - psypro (Package Pilot, joined Mar 2016, Location: Continent:Europe, Posts: 156)
Add ip from /var/log/authlog to pf

Solution

PART1: authlog-analyser scripts
PART2: fail2ban site blocklist.de
PART3: add table to pf
PART4: Add to crontab

A pure pf.conf setup with a strict max-src-conn-rate reduced ssh attacks by 60 % (guessing).
With the added blocklist from blocklist.de and auto-blocking of failed authlog IPs, attackers are reduced by 97-99 %. Attackers do use the cloud; it is good to have the fail2ban cloud blocklist add some counterbalance, so that not only the attacker can gain strength in the cloud.
Getting IPs from blocklist.de is simple; it is in a plain text file.
In the last two hours after setup completed, 0 attackers came through the pf wall.
Before, with strict pf rules, 20+ per hour came through to attack ssh.

Please leave feedback, I hope to improve it further.

Many thanks for the help, especially TronDD who gave me the code to get started. I chopped it up and used temp files; it was easier for me as a beginner to understand where it went wrong, and what each command did, when each step has its own file.

PART 1:
authlog-analyser script, looks for "Bad", "invalid user" or "Invalid user".
IPs from authlog are cleaned of other information and fed into /etc/bruteforce.
I will monitor /var/log/authlog and see if other words are needed too.

Code:
#! /bin/ksh
# Work in the script directory; abort if it is missing so that "rm temp*"
# never runs somewhere else.
cd /home/nobody/script/ || exit 1

rm -f temp*

touch tempfile1
touch tempfile2
touch tempfile3

# Lines such as "Invalid user android from 112.216.245.75 port 14856"
grep -E "[iI]nvalid user .+ from" /var/log/authlog > /home/nobody/script/tempfile1

# ".*from " is greedy: drop everything up to the LAST "from ", leaving "IP port N ..."
sed 's/.*from //' tempfile1 > tempfile2

# The first remaining field is the address
cut -d ' ' -f 1 tempfile2 > tempfile3

sort -fu tempfile3 >> /etc/bruteforce

touch tempfile11
touch tempfile22
touch tempfile33

# "Bad ..." lines; require a "from " so that sed/cut below always yield an address
# (a line without one would put junk into /etc/bruteforce and break the pf reload)
grep -E "Bad .* from " /var/log/authlog > /home/nobody/script/tempfile11

sed 's/.*from //' tempfile11 > tempfile22

cut -d ' ' -f 1 tempfile22 > tempfile33

sort -fu tempfile33 >> /etc/bruteforce

pfctl -f /etc/pf.conf

exit
PART 2
Downloading with ftp and deleting the content of /etc/badhosts, filling /etc/badhosts with the full new content every time. According to blocklist.de, offending IPs are stored in their block list for 48 hours.

Code:
#! /bin/ksh
# Download into the script directory rather than cron's $HOME
cd /home/nobody/script/ || exit 1

# OpenBSD ftp(1) fetches https URLs; stop here if the download failed so that
# an empty or stale all.txt never overwrites /etc/badhosts
ftp https://lists.blocklist.de/lists/all.txt || exit 1

# Replace (not append) the table file with the fresh list
cat all.txt > /etc/badhosts

pfctl -f /etc/pf.conf

exit
PART3

Make the files for storing IP information
Code:
touch /etc/badhosts
Code:
touch /etc/bruteforce
Add tables to /etc/pf.conf and point the tables to the files.
Code:
#Badhosts
table <badhosts> persist file "/etc/badhosts"
block in quick on egress proto tcp from <badhosts> \
to any port ssh label "badhosts"

#Bruteforcers
table <bruteforce> persist file "/etc/bruteforce"
block quick from <bruteforce>
PART4

Enable the script to be run every hour. I might change this later.

Code:
env EDITOR=nano crontab -e
Code:
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour    mday    month   wday    command
0      *        *       *       *       /bin/sh /home/nobody/script/fetch.script
*      *        *       *       *       /bin/sh /home/nobody/script/authlog-analyser
# rotate log files every hour, if necessary
0       *       *       *       *       /usr/bin/newsyslog
# send log file notifications, if necessary
#1-59   *       *       *       *       /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
30      1       *       *       *       /bin/sh /etc/daily
30      3       *       *       6       /bin/sh /etc/weekly
30      5       1       *       *       /bin/sh /etc/monthly
#0      *       *       *       *       sleep $((RANDOM \% 1800)) && /usr/libexec/spamd-setup

--------------------------------------------------------------------------------
Problem
I see many attempts to attack my firewall.

Idea for solution:
Scripts exporting IPs from /var/log/authlog and adding them to /etc/badhosts in pf.
There are a few legit IPs in authlog, so not every IP can be added to badhosts.
Wishlist, block:
a) Invalid user
b) Repeated disconnecting without a successful login; remember attempts for 48 hours.

Here is a sample from /var/log/authlog

Code:
Jan 25 18:58:50 wall sshd[89865]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:06:39 wall sshd[55279]: Received disconnect from 119.249.54.71 port 42103:11:  [preauth]
Jan 25 19:06:39 wall sshd[55279]: Disconnected from 119.249.54.71 port 42103 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: input_userauth_request: invalid user android [preauth]
Jan 25 19:15:41 wall sshd[71072]: error: maximum authentication attempts exceeded for invalid user android from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:15:41 wall sshd[71072]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:30:19 wall sshd[44171]: Received disconnect from 121.18.238.104 port 40342:11:  [preauth]
Jan 25 19:30:19 wall sshd[44171]: Disconnected from 121.18.238.104 port 40342 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Invalid user nostale from 112.216.245.75 port 14856
Jan 25 19:32:17 wall sshd[18696]: input_userauth_request: invalid user nostale [preauth]
Jan 25 19:32:17 wall sshd[18696]: error: maximum authentication attempts exceeded for invalid user nostale from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Disconnecting: Too many authentication failures [preauth]
Jan 25 19:33:19 wall sshd[20562]: Unable to negotiate with 195.154.102.193 port 62787: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:33:23 wall sshd[13245]: Unable to negotiate with 195.154.102.193 port 62928: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 25 19:39:15 wall sshd[78437]: Received disconnect from 221.194.47.208 port 36552:11:  [preauth]
Jan 25 19:39:15 wall sshd[78437]: Disconnected from 221.194.47.208 port 36552 [preauth]
Jan 25 19:44:49 wall sshd[26394]: Received disconnect from 221.194.44.224 port 47858:11:  [preauth]
Jan 25 19:44:49 wall sshd[26394]: Disconnected from 221.194.44.224 port 47858 [preauth]
Jan 25 20:20:26 wall sshd[91739]: Connection closed by 191.101.154.104 port 61449 [preauth]
Jan 25 20:25:08 wall sshd[31248]: Received disconnect from 121.18.238.114 port 47474:11:  [preauth]
Jan 25 20:25:08 wall sshd[31248]: Disconnected from 121.18.238.114 port 47474 [preauth]

Last edited by psypro; 31st October 2020 at 06:39 AM. Reason: Fixed malformed [/code] tag
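As an added example (not psypro's authlog-analyser, nor TronDD's one-liner from his later post in this thread), the same grep/sed/cut pipeline with two checks the thread's setup lacks: a shape check so that a log line without an address can never put junk into the table file (which makes `pfctl -f` reject the whole table), and TronDD's "safe table" idea applied as an allow list before the address is written. /var/log/authlog, /etc/bruteforce and the pf reload are the thread's; SAFE, the function names and the sample log are constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's own script): extract offender addresses from
# sshd lines in an authlog, keep only dotted-quad tokens, and skip an allow list.

# Space-separated allow list (constructed sample; replace with your own hosts).
SAFE="${SAFE:-192.0.2.10 203.0.113.5}"

# Source addresses of "Invalid user ... from" and "Bad ... from" sshd lines in
# file $1, one per line.  ".*from " is greedy, so whatever follows the LAST
# "from " is kept; the first field of that is the address.
extract_offenders() {
    grep -E 'sshd\[[0-9]+\]: .*([iI]nvalid user|Bad) .+ from ' "$1" |
        sed 's/.*from //' |
        cut -d ' ' -f 1
}

# Keep only tokens shaped like an IPv4 address.  (Shape check only: octet
# ranges are not verified.)
only_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Drop addresses listed in $SAFE (exact, whole-line match).
drop_safe() {
    awk -v safe="$SAFE" '
        BEGIN { n = split(safe, a); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($0 in skip)'
}

# The full pipeline for log file $1: a sorted, duplicate-free list on stdout.
offenders() {
    extract_offenders "$1" | only_ipv4 | drop_safe | sort -u
}

# What the cron job would do: append to the table file and reload pf.
# Only reached with "--apply"; the default run below just prints.
apply_to_pf() {   # $1 = authlog, $2 = table file
    offenders "$1" >> "$2" && pfctl -f /etc/pf.conf
}

# Constructed sample log, modelled on the thread's authlog excerpt.  The last
# line is deliberately malformed to exercise the shape check.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 25 19:15:41 wall sshd[71072]: Invalid user android from 112.216.245.75 port 14856
Jan 25 19:15:41 wall sshd[71072]: error: maximum authentication attempts exceeded for invalid user android from 112.216.245.75 port 14856 ssh2 [preauth]
Jan 25 19:32:17 wall sshd[18696]: Invalid user nostale from 112.216.245.75 port 14856
Jan 25 19:30:19 wall sshd[44171]: Disconnected from 121.18.238.104 port 40342 [preauth]
Jan 25 19:40:02 wall sshd[12345]: Bad protocol version identification 'SSH-1.0' from 198.51.100.7 port 51000
Jan 25 19:41:10 wall sshd[12346]: Invalid user test from 192.0.2.10 port 40000
Jan 25 19:42:00 wall sshd[12347]: Invalid user test from not-an-ip port 1
EOF
}

case "${1:-}" in
    --apply)
        apply_to_pf "$2" /etc/bruteforce
        ;;
    *)
        # Default: show which addresses the sample log would block.
        tmp=$(mktemp) || exit 1
        write_sample_log "$tmp"
        offenders "$tmp"
        rm -f "$tmp"
        ;;
esac
```

Run without arguments it prints 112.216.245.75 and 198.51.100.7: the allow-listed 192.0.2.10 and the malformed token are dropped, and the repeated address appears once. `sh script.sh --apply /var/log/authlog` is the cron form.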

#2 - 25th January 2017 - jggimi (More noise than signal, joined May 2008, Location: USA, Posts: 7,977)

You can write your own, or you can start with any of the publicly available tools.

#3 - 25th January 2017 - TronDD (Spam Deminer, joined Sep 2014, Posts: 304)

I use something like this (play around with it to do what you need it to do):

Code:
for i in $(cat /var/log/authlog | grep sshd | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do pfctl -t bruteforce -T add $i; done
There are many ways. I don't do this in real-time or in cron so I don't care about where I left off in the log, for example.

I also have a safe table in pf that matches my home IP before blocking on the bruteforce table so I can't lock myself out by accident. I did it once. That was enough. I only do that because it's a remote server.

#4 - 26th January 2017 - psypro (Package Pilot)

Code:
for i in $(cat /var/log/authlog | grep sshd | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do pfctl -t bruteforce -T add $i; done
Thank you.

I have tried to get it to write to file.
>>"/etc/badhosts"

This does not work
Code:
for i in $(cat /var/log/authlog | grep sshd | grep -E "[iI]nvalid user .+ from" | sed 's/.*from //' | cut -d ' ' -f 1); do cat >> "/etc/badhosts" $i; done

#5 - 26th January 2017 - psypro (Package Pilot)

Making progress, I have now written a little script to download a blocklist.
From my experience it is strongly recommended to have a blocklist. From a constant wave after wave of attacks, to peace! (I guess some non-blocked attacker will show up, but for now 100 % of attackers are stopped by pf with help of blocklist.de.)

I have hopefully managed to add it to cron.
Should I split the script into two parts? One which downloads, and one which applies changes?
Are there some security implications of running such a script in cron, and any ideas for improving security?


Code:
#! /bin/ksh

wget https://lists.blocklist.de/lists/all.txt

cat all.txt  >> /etc/badhosts

pfctl -f /etc/pf.conf

exit

Last edited by psypro; 26th January 2017 at 01:26 PM.
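On the security question in the post above, the risk in the script is less the scheduler than what the script trusts: whatever the download produced goes straight into /etc/badhosts and then into pf, so a failed, truncated or unexpected response either empties the table (no protection) or makes the reload fail. The following added example (not psypro's fetch script) keeps the thread's URL and file name but cleans the download, refuses to install it when too little survives, replaces the file atomically, and reloads only the table with pfctl's `-T replace -f` instead of the whole ruleset. MIN_ENTRIES, the function names and the sample download are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the thread's fetch script): validate the blocklist.de
# download before it replaces /etc/badhosts.

LIST_URL="${LIST_URL:-https://lists.blocklist.de/lists/all.txt}"
TABLE_FILE="${TABLE_FILE:-/etc/badhosts}"
MIN_ENTRIES="${MIN_ENTRIES:-100}"   # assumed sanity floor; the real list is far longer

# Strip comments, trailing whitespace (including CR), then keep only lines
# shaped like an IPv4/IPv6 address or CIDR prefix, which is all a pf table
# file may contain.  Shape check only; octet/hextet ranges are not verified.
clean_list() {
    sed 's/#.*//; s/[[:space:]]*$//' |
        grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)(/[0-9]{1,3})?$'
}

# Number of lines in file $1 ("0" for an empty file; grep exits 1 then).
count_lines() {
    grep -c '' "$1" || true
}

# Clean raw download $1 and, only if at least MIN_ENTRIES entries survive,
# replace TABLE_FILE atomically (temp file in the same directory, then rename).
# On rejection the previous table file is left untouched.
install_list() {
    clean=$(mktemp "$TABLE_FILE.XXXXXX") || return 1
    clean_list < "$1" > "$clean"
    n=$(count_lines "$clean")
    if [ "$n" -ge "$MIN_ENTRIES" ]; then
        chmod 644 "$clean" && mv "$clean" "$TABLE_FILE"
    else
        echo "install_list: rejected download, only $n usable lines" >&2
        rm -f "$clean"
        return 1
    fi
}

# Fetch with OpenBSD ftp(1) (built in, as jggimi notes later in the thread) and
# reload just the badhosts table from the file.
refresh_badhosts() {
    raw=$(mktemp) || return 1
    rc=1
    if ftp -o "$raw" "$LIST_URL" && install_list "$raw"; then
        pfctl -t badhosts -T replace -f "$TABLE_FILE" && rc=0
    fi
    rm -f "$raw"
    return "$rc"
}

# Constructed sample of what a download might contain (not real blocklist.de
# data): valid entries mixed with a comment, an HTML fragment and junk.
write_sample_download() {
    cat > "$1" <<'EOF'
# constructed sample
1.2.3.4
10.0.0.0/8   # trailing comment
2001:db8::1
2001:db8::/32
bogus line
<html>
EOF
}

case "${1:-}" in
    --refresh) refresh_badhosts ;;
esac
```

`sh script.sh --refresh` is the cron form. Because fetching and installing are separate functions, the download half can run from an unprivileged user's crontab into a file only that user writes, while root's job merely runs install_list on that file and reloads the table; the unprivileged job then has nothing to write into /etc even if the download turns out to be hostile.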

#6 - 26th January 2017 - psypro (Package Pilot)

How to remove duplicate IPs in the /etc/bruteforce file?

#7 - 26th January 2017 - jggimi (More noise than signal)

It won't be necessary, because when you use pfctl to load a table from a file, duplicate addresses will be ignored.

If you are still concerned, use your Internet search tool to find "shell script to remove duplicate lines in a file" and you'll get a list of methods to choose from, such as these.

#8 - 26th January 2017 - ocicat (Administrator, joined Apr 2008, Posts: 3,318)

Quote:
Originally Posted by psypro
How to remove duplicate of ip in the /etc/bruteforce file?
uniq(1).

#9 - 26th January 2017 - jggimi (More noise than signal)

Quote:
Originally Posted by ocicat
Ah, yes. I've used it, but I keep forgetting it exists.

26th January 2017 - psypro (Package Pilot)

I removed
Code:
cat
and added
Code:
sort -fu
The cron job is not working. Any obvious errors in my setup? I am getting tired; I have been working on it since the first post.

If I run this, it works.
Code:
sh authlog-analyser
Code:
sh fetch.script
In mail it says wget not found, so cron can't see wget.
It works perfectly when I run it myself.

26th January 2017 - jggimi (More noise than signal)

Quote:
Originally Posted by psypro
...wget not found...
$PATH is set in root's crontab. But you might find ftp(1) more useful, as it is built-in, does what wget is doing in this instance, and does not have a history of CVEs.

26th January 2017 - psypro (Package Pilot)

Quote:
Originally Posted by jggimi
$PATH is set in root's crontab. But you might find ftp(1) more useful, as it is built-in, does what wget is doing in this instance, and does not have a history of CVEs.
Thank you.

Removed from PART2 fetch.script
Code:
wget
Added
Code:
ftp
Now everything works : )

26th January 2017 - psypro (Package Pilot)

Next step

IPs should not be blocked for ever.
The IPs from Blocklist.de will expire every 48 hours according to their website, and my script deletes and rewrites the file every time.
So where changes are needed is the authlog-analyser and /etc/bruteforce.

Alternatives
a) dev-null script, with crontab to purge /etc/bruteforce once a week
or
b) Add a new table to pf.conf, bruteforce.old
Somehow write a script to cp from bruteforce to bruteforce.old, and then clean bruteforce

Can two crontab jobs crash into each other, or do they wait for the other to finish before beginning?

26th January 2017 - jggimi (More noise than signal)

$ man pf.conf
/counters

$ man pfctl
/-T expire

29th January 2017 - psypro (Package Pilot)

I have now split the scripts up into

authlog-analyser

fetch.openbl.script (ftp download text file)
fetch.blocklist.de.script (ftp download text file)
addfw (write data to permanent files in /etc)
pf.reload.script (needs to run pfctl -f /etc/pf.conf)

Code:
#
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour    mday    month   wday    command
0      *        *       *       *       /bin/sh /home/nobody/script/fetch.script
*      *        *       *       *       /bin/sh /home/nobody/script/authlog-analyser
Is it better security to let a basic user run the fetch script that downloads the text file with ftp? Can that be edited into this crontab, or must it be removed here and added to another user's crontab?

Reading the manual, I found
FILES
/etc/crontab System crontab.
/var/cron/tabs/⟨user⟩ User crontab.

/var/cron/tab/root was the only one I found, and that is the one I am using. So how do I add a user crontab?

Trying this as a normal user
Code:
env EDITOR=nano crontab -e

Last edited by psypro; 29th January 2017 at 06:34 PM.

29th January 2017 - jggimi (More noise than signal)

It is always more secure to run something as a normal user when that is possible.

OpenBSD's default installation has a root crontab in /var/cron/tab. You may create them for normal users as defined in the crontab(1) man page.