DaemonForums  

Handling ssh login attempts with pf

#1 - mayuka - 7th January 2010

Hello.

For a couple of days now my little router has been seeing a lot of connections to port 22 from a bunch of the same hosts, which my pf firewall correctly drops. How can I put those attempts automatically into a table "attackers"?

I had something like the following in mind. Is that possible?

Code:
table <attackers> persist

block in quick on $EXT from <attackers>

block in quick on $EXT from any to ($EXT:0) port 22 (max 1, overload <attackers> flush)
Obviously, the third rule does not work. But how can I accomplish something like that?

#2 - There0 - 7th January 2010

I use the following in my pf.conf. I do NOT use port 22; it saves mucho scans and logging of dropped packets.


Code:
TCP_SVCS = "{ 32009 }"

table <bruteforce> persist

block drop log quick from { <bruteforce>, <noroute> }

pass in log quick on { $EXT, $INT } inet proto tcp from ip.addr.allowed to { $EXT } port $TCP_SVCS flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/10, overload <bruteforce> flush global)
http://www.openbsd.org/faq/pf/index.html <- general howto for PF
http://johan.fredin.info/openbsd/blo...ruteforce.html
http://openbsd-wiki.org/index.php?title=PF_Examples
__________________
The more you learn, the more you realize how little you know ....

#3 - mayuka - 7th January 2010

Quote:
Originally Posted by There0
pass in log quick on { $EXT, $INT } inet proto tcp from ip.addr.allowed to { $EXT } port $TCP_SVCS flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/10, overload <bruteforce> flush global)
I have a similar rule in my pf.conf for port 80. Since ssh listens on a port other than 22 (for safety reasons), I simply want to make a similar rule but with block instead of pass, so that everyone who tries to connect to port 22 is put in the table attackers automatically.

#4 - There0 - 8th January 2010

Edit the rule accordingly and do not flush it at all? (Verify this please, I am not certain.) It will keep the table of offenders in PF. Something like this may be helpful; I just typed this out and have not run it in PF to test, feel free:

Code:
table <offenders> persist
block log quick on $EXT from any to port 22 (overload <offenders> flush global)

#5 - mayuka - 8th January 2010

Quote:
Originally Posted by There0
block log quick on $EXT from any to port 22 (overload <offenders> flush global)
Does not work. I get a syntax error. However, so far I have only been able to use overload in conjunction with pass and keep state. Any other clues? Maybe there's another way? Maybe via match?

#6 - There0 - 9th January 2010

Quote:
However I was only able to use overload in conjunction with pass and keep state so far. Any other clues?
Have you tried changing the "pass" to "drop" and not keeping state? Then add a table rule perhaps? If you're basically looking to drop port 22 TCP and drop offenders into a table, start with a simple "block log drop on $EXT from any to any port 22" and expand on that.

#7 - There0 - 9th January 2010

I just tried adding something similar to what you are trying to accomplish to my firewall ruleset. It seems that creating the table, then blocking the table, works fine; the rule to drop the traffic to port 22 and add that to a table is where I am stuck as well.

I tried "block log quick on $EXT from any to port 22" with success, but could not seem to add anything after that (I tried "(max-src-conn 1, max-src-conn-rate 1/3, overload <port22bad> flush global)") and load PF properly.

I am not certain if tables can be used with block rules (I don't see why not, but I found nothing on the PF FAQ or the @openbsd-pf mailing list concerning this). Perhaps a question for @openbsd-pf and the developers to answer. I will actually post, as I am also considering something like this for my PF rules, not to make anything easier and take away from your learning.

#8 - mayuka - 9th January 2010

Quote:
Originally Posted by There0
I am not certain if tables can be used with block rules (I don't see why not, but I found nothing on the PF FAQ or the @openbsd-pf mailing list concerning this). Perhaps a question for @openbsd-pf and the developers to answer. I will actually post, as I am also considering something like this for my PF rules, not to make anything easier and take away from your learning.
I'm not subscribed to those mailing lists. (And I do not intend to be, because the mail traffic would be quite high I suppose.) I'll try to reach one of the developers if I can find them on the net.

I'm not sure. But what happens when I first do pass in port 22 (overload <table>) and then block in quick port 22 directly after (note the quick in the block rule)?

#9 - There0 - 9th January 2010

Quote:
I'm not sure. But what does happen when I first do pass in port 22 (overload <table>) and then block in quick port 22 directly after (note the quick in the block rule)??
Last matching rule wins, but why pass then block? To create the table? Use "pfctl -t tablename -T show" to see if your table is populated; try to hit port 22 for a login first to get at least one in there.

I posted to the PF mailing list, hope for a good answer.

There0 - 9th January 2010

If you want a bit of a trick to NOT have to subscribe to the lists, you can find out the email address per list at http://lists.openbsd.org; from there you can find the list, find the email address and just email to it.

To check responses, http://marc.info @ openbsd-pf is where they get posted (and nabble and some others too) and you can view the responses; then you can actually email yourself the response, and respond yet again to that. Of course @openbsd-pf is one of the few missing from the web GUI ...

There0 - 10th January 2010

I received a reply from Peter Hansteen himself, which follows. I believe (as stated earlier) that "Block rules do not create state" is the problem here.

Quote:
Ah, so you want to block access to ssh and then for good measure add
those who try anyway to a table? There is no support for that in the
current PF syntax, sorry. Block rules do not create state.

One possible way to do what you're asking about would be to read the
pflog and extract the IP addresses from there for further processing.

The other option is to go with a pass rule with suitably restrictive
overload criteria.

- Peter
I asked him for any suggestions or tips about parsing pflog and extracting IPs, and if there was a way to put them into a table or whatever was possible; awaiting a response on that question.

mayuka - 10th January 2010

Thanks. Maybe sometime they will be adding this feature.

J65nko - 10th January 2010

In the beginning of http://www.daemonforums.org/showthre...8994#post28994 I refer to a discussion on the FreeBSD mailing list. IIRC somebody posted a perl program to do something with the IP addresses of those SSH hammerers.

Some time ago I read an analysis of these SSH probes. There are two stages. In stage one, bots scan network blocks for open SSH port 22. Then, after distributing the addresses found, bots start doing these ssh login probes in the second stage.

So simply moving your incoming SSH LISTEN port to something other than the default port 22 will usually save you from being probed in stage two.

Previously a single bot, and thus a single IP address, probed several login names and passwords in a row. So in the past you could block multiple failed connection attempts from a single IP address.

Nowadays a couple of coordinated bots each probe a single name/password. So now each individual probe uses a different IP address.

And because you don't want to automatically blacklist an IP address because of one failed login attempt, dealing with these idiots has become more challenging.
How would you like it if gmail blocked you for one single mistyped password?

My tips:
  • move incoming ssh to a different port
  • Use public key authorization
  • If you cannot use public keys, use non-English login names.
    I have never seen logs where these bots use names like 'Guillaume', 'Didier', 'Dieter', 'Jan-Peter', 'Wouter', 'Isidoor', 'Henk' or 'Sven'.
  • Or for more complexity add underscores "_", numbers or dashes '-' to the names.
    If these bots cannot guess the right names, they already stand no chance.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

mayuka - 10th January 2010

Quote:
Originally Posted by J65nko
And because you don't want to automatically blacklist an IP address because of one failed login attempt, dealing with these idiots has become more challenging.
It's not that I want to block them forever... I'd have added a rule to crontab that removes expired hosts after 1 day (pfctl -t bad_guys -T expire 3600). I'm seeing probes on other ports and simple icmp echo requests as well.

J65nko - 10th January 2010

An example of probes from June 2009 as posted on the FreeBSD questions mailing list:
Quote:
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
As you see, all originating from a single IP address.

A more recent log from Dec 2009:
Quote:
Dec 26 18:28:13 xantippe sshd[91556]: error: PAM: authentication error for illegal user helen from 84.246.69.21
Dec 26 18:55:08 xantippe sshd[91634]: error: PAM: authentication error for illegal user helen from 83.211.160.211
Dec 26 19:22:05 xantippe sshd[91710]: error: PAM: authentication error for illegal user jenny from 93.63.231.55
Dec 26 19:39:55 xantippe sshd[91744]: error: PAM: authentication error for illegal user jenny from 211.115.234.143
Dec 26 19:49:02 xantippe sshd[91772]: error: PAM: authentication error for illegal user jenny from 121.52.215.180
Dec 26 20:16:17 xantippe sshd[91855]: error: PAM: authentication error for illegal user jenny from 201.82.6.7
Dec 26 20:34:22 xantippe sshd[91902]: error: PAM: authentication error for illegal user jenny from 201.244.188.202
Dec 26 20:52:23 xantippe sshd[91943]: error: PAM: authentication error for illegal user jenny from 116.55.226.131
Dec 26 21:01:25 xantippe sshd[91987]: error: PAM: authentication error for illegal user jenny from 202.102.245.109
Dec 26 21:10:29 xantippe sshd[92002]: error: PAM: authentication error for illegal user jenny from 90.182.107.194
Dec 26 21:37:41 xantippe sshd[92078]: error: PAM: authentication error
Here each address only probes one single name/password and the interval between probes is quite large.
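
As an added example (not from the thread), a small sh/awk pass over sshd failure lines in the two formats quoted above. It keys once on the source address, which catches the old single-bot pattern, and once on the username, which is what still stands out when every probe comes from a different address. The sample lines are constructed with documentation addresses; only the usernames are borrowed from the quoted logs.

```shell
#!/bin/sh
# Constructed sshd lines in both formats seen in the thread (FreeBSD-style
# "Failed keyboard-interactive/pam ..." and "error: PAM: authentication error ...").
SAMPLE_AUTHLOG=$(cat <<'EOF'
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 203.0.113.5 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 203.0.113.5 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 203.0.113.5 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 203.0.113.5 port 3499 ssh2
Dec 26 18:28:13 xantippe sshd[91556]: error: PAM: authentication error for illegal user jenny from 198.51.100.10
Dec 26 18:55:08 xantippe sshd[91634]: error: PAM: authentication error for illegal user jenny from 198.51.100.11
Dec 26 19:22:05 xantippe sshd[91710]: error: PAM: authentication error for illegal user jenny from 192.0.2.44
EOF
)

# Print "user ip" pairs; both message formats carry "... user NAME from IP ...".
user_ip_pairs() {
    awk '/sshd/ && / user / && / from / {
        for (i = 1; i < NF; i++)
            if ($i == "user" && $(i+2) == "from") { print $(i+1), $(i+3); break }
    }'
}

# Addresses with at least $1 failed attempts: the old single-bot pattern,
# the one a per-IP overload threshold can catch.
busy_sources() {
    user_ip_pairs | awk -v min="$1" '{ n[$2]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# Usernames tried from at least $1 distinct addresses: the distributed pattern,
# invisible to per-IP thresholds but obvious when keyed on the name instead.
spread_usernames() {
    user_ip_pairs | awk -v min="$1" '!seen[$1, $2]++ { n[$1]++ }
        END { for (u in n) if (n[u] >= min) print u }' | sort
}

printf '%s\n' "$SAMPLE_AUTHLOG" | busy_sources 3       # 203.0.113.5
printf '%s\n' "$SAMPLE_AUTHLOG" | spread_usernames 3   # jenny
```

Feed it the real file with `grep sshd /var/log/authlog | busy_sources 5`; the username view is the one to watch when the per-address counts all stay at one.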

There0 - 11th January 2010

Quote:
I asked him for any suggestions or tips about parsing pflog and extracting IP's and if there was a way to put them into a table or whatever was possible, awaiting a reponse on that question.
Peter's reply to that question:

Quote:
There is at least one daemon in the base system that reads data off
pflog interfaces already: spamlogd.

By looking at /usr/src/libexec/spamlogd/spamlogd.c and likely the
table parts of pfctl it should be feasible to hack together something
that reads a specific pflog interface (I would suggest logging each
rule you're interested in to a separate pflog interface or at least
clustering the blocks that should be treated similarly), looks for
blocks instead of passes, updates table entries. Might even be a fun
project. I'm not sure I'll have the time to do much about it in the short
run though.
I actually use snort and have it drop offending IPs into /etc/hosts.deny. I am certain that snort can be configured to your specifications regarding blocking port 22 TCP requests, blocked/logged accordingly.
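
Peter's first option (read the pflog, extract the addresses, feed a table) and his spamlogd pointer, done as an added sh/awk example that is not from the thread or from OpenBSD: it reads the text form of pflog as printed by `tcpdump -n -e -ttt -r /var/log/pflog`, counts blocked SYNs to port 22 per source, and emits the pfctl commands that would load the offenders into the `<attackers>` table from the first post. The tcpdump line layout and the sample records are assumptions, constructed with documentation addresses.

```shell
#!/bin/sh
# Constructed pflog records (layout assumed from OpenBSD tcpdump output):
#   ... rule N/(match) block in on IFACE: SRC.SPORT > DST.DPORT: flags ...
SAMPLE_PFLOG=$(cat <<'EOF'
Jan 10 12:00:01.000001 rule 3/(match) block in on em0: 203.0.113.5.51234 > 198.51.100.1.22: S 1:1(0) win 65535
Jan 10 12:00:02.000002 rule 3/(match) block in on em0: 203.0.113.5.51235 > 198.51.100.1.22: S 1:1(0) win 65535
Jan 10 12:00:03.000003 rule 3/(match) block in on em0: 198.51.100.77.40000 > 198.51.100.1.22: S 1:1(0) win 65535
Jan 10 12:00:04.000004 rule 4/(match) block in on em0: 192.0.2.9.40001 > 198.51.100.1.80: S 1:1(0) win 65535
Jan 10 12:00:05.000005 rule 4/(match) block in on em0: 192.0.2.9.40002 > 198.51.100.1.80: S 1:1(0) win 65535
Jan 10 12:00:06.000006 rule 3/(match) block in on em0: 203.0.113.5.51236 > 198.51.100.1.22: S 1:1(0) win 65535
Jan 10 12:00:07.000007 rule 5/(match) pass in on em0: 192.0.2.9.40003 > 198.51.100.1.22: S 1:1(0) win 65535
EOF
)

# Source addresses whose SYNs to tcp port 22 were blocked at least $1 times.
# Only "block in" records count, so a pass to port 22 never lands in the table.
extract_offenders() {
    awk -v min="$1" '
        / block in on / {
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            sub(/:$/, "", dst)              # "198.51.100.1.22:" -> "198.51.100.1.22"
            n = split(dst, d, ".")
            if (d[n] != "22") next          # blocked, but not the ssh port
            split(src, s, ".")              # drop the source port
            hits[s[1] "." s[2] "." s[3] "." s[4]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Emit (not run) the pfctl commands that load the offenders into table $2.
# Pair with "pfctl -t $2 -T expire SECONDS" from cron so entries age out.
table_add_commands() {
    extract_offenders "$1" | while read -r ip; do
        echo "pfctl -t $2 -T add $ip"
    done
}

printf '%s\n' "$SAMPLE_PFLOG" | table_add_commands 3 attackers
```

On a live box the input would be `tcpdump -n -e -ttt -r /var/log/pflog` (or a dedicated pflog interface per Peter's suggestion) and the emitted lines would be run by root rather than echoed.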

mayuka - 11th January 2010

Quote:
Originally Posted by There0
I actually use snort and have it drop offending IPs into /etc/hosts.deny. I am certain that snort can be configured to your specifications regarding blocking port 22 TCP requests, blocked/logged accordingly.
Ok. I'll look into it.

It's quite true that the ssh probe behaviour has changed during the last months. But not with other ports (e.g. 5900).

There0 - 11th January 2010

Quote:
I actually use snort and have it drop offending IPs into /etc/hosts.deny
That was kind of a lie actually; I use portsentry for that purpose, and I use snort to get more info on scans and attempts. It's a good little program for baiting and denying; I certainly recommend that one as well.