LinHES Forums http://forums.linhes.org/

Securing KnoppMyth http://forums.linhes.org/viewtopic.php?f=5&t=16766
Page 3 of 3
Author: Kirk [ Sun Feb 24, 2008 8:24 pm ]
Post subject: Re: seems to be working

neutron68 wrote: Any idea if these lists clear out with each reboot?

Yes, they are cleared.
Author: neutron68 [ Mon Mar 10, 2008 9:10 am ]
Post subject: so far - working well

So far, SSHDFILTER is working well. It's booting out the attackers after just a few attempts at entry and then banning them for a week! HA!! My SSH logs are pretty short now - the system events are the majority of the entries now - as it should be!

Quote:
    root@mythtv:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    SSHD       tcp  --  anywhere             anywhere             tcp dpt:ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain SSHD (1 references)
    target     prot opt source               destination
    DROP       tcp  --  pouch.kangaroopartners.com  anywhere      tcp dpt:ssh
    DROP       tcp  --  211.137.137.233      anywhere             tcp dpt:ssh
    DROP       tcp  --  202.179.108.54       anywhere             tcp dpt:ssh
    DROP       tcp  --  itm.vaslui.ro        anywhere             tcp dpt:ssh
    DROP       tcp  --  host226-148-static.34-88-b.business.telecomitalia.it  anywhere  tcp dpt:ssh
    DROP       tcp  --  124.228.10.20        anywhere             tcp dpt:ssh
    DROP       tcp  --  202.105.179.9        anywhere             tcp dpt:ssh
    DROP       tcp  --  60.28.222.154        anywhere             tcp dpt:ssh
    DROP       tcp  --  219.95.66.42         anywhere             tcp dpt:ssh
    DROP       tcp  --  211.169.249.241      anywhere             tcp dpt:ssh
    DROP       tcp  --  foxxy.triohost.com   anywhere             tcp dpt:ssh
    DROP       tcp  --  76.74.164.4          anywhere             tcp dpt:ssh
    DROP       tcp  --  unassigned.netnation.com  anywhere        tcp dpt:ssh
    root@mythtv:~#
Author: Too Many Secrets [ Fri Apr 11, 2008 4:47 pm ]
Post subject: Re: trying sshdfilter

neutron68 wrote:
    My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.

    I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.

    I do have a couple of clarification questions, if someone could lend some expertise.

    1. There is a section in the INSTALL text file that I'm not sure of the proper location for these commands.

    Quote:
        3. Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
            :SSHD - [0:0]
        or bash:
            $ iptables -N SSHD
        Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
            -A INPUT -p tcp -m tcp --dport 22 -j SSHD
        or bash:
            $ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD

    Would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh?

    2. Is there a way to see the list of IP addresses that sshdfilter has blocked?

    insight appreciated,
    Eric

Did you ever get this ironed out? Any chance of a "for dummies" install guide? Maybe a wiki entry? Been looking for a nice light-weight way for locking down ssh. (I guess you're never secure enough.) I've run firestarter, but this seems much lighter.
Author: neutron68 [ Sat Apr 12, 2008 11:50 am ]
Post subject: yes, I got it working

It does work and has been stopping brute force attacks on my SSH port. I didn't write down the process as I did it over the course of a week, so I'm going from memory on some of this...

The main page for SSHDFILTER is http://www.csc.liv.ac.uk/~greg/sshdfilter/

I downloaded the version 1.5.5 tar file from http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz and unpacked it into my /usr/src directory. I followed the directions in the INSTALL file. There are 2 setup methods - wrapper or standalone. I chose the wrapper method as it seemed like it would just dovetail into the SSHD system already in Knoppmyth.

I started by reading the contents of the INSTALL file and thought that I had to perform all those steps manually. The author made script files that will auto install the proper files in the proper places. For the wrapper method, you execute the script with "perl install_aswrapper.pl". By trying to follow the steps of the INSTALL file manually, I could see that the script had mostly set up the system for me.

To comply with Step 3, I did have to add the following lines to my "/etc/init.d/bootmisc.sh" file - so that the SSHD chain is added to the iptables after each bootup:

Code:
    iptables -N SSHD
    iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD

For step 8a, the file "/etc/init.d/ssh" needed to be modified to call sshdfilter rather than sshd. I can't recall if the script did this for me or if I did it: replacing the line that said

Code:
    start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS

with the line

Code:
    start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/local/sbin/sshdfilter -- $SSHD_OPTS

The last step was to make custom tweaks in the file "/etc/sshdfilterrc". Most of it is fine as it is and blocks SSH attacks by banning offending IP addresses for a period of time. I think the only thing I changed in this file was to add my LAN's IP address space to the "SECTION IPPOLICY" part of the file:

Code:
    +'^192\.168\.7\.[0-9]+$' # always accept, never block LAN connections

I recall that a reboot was necessary to get the system started, so remember to do that in addition to the stopping and restarting of services that they tell you in step 8b of the INSTALL text file.

I'll edit this post if I think of any missed details. If there are I'll probably remember them as I reconfigure sshdfilter after my next Knoppmyth upgrade.

Eric
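Two checks a practitioner would want after following the steps above, written here as an added example that is not part of this thread or of sshdfilter's own scripts: it answers the earlier question "is there a way to see the list of IP addresses that sshdfilter has blocked" by reading the SSHD chain, and it verifies that nothing matching the IPPOLICY LAN regex has ended up banned. It assumes the chain is named SSHD as in the INSTALL step and that `iptables -L SSHD -n` prints the usual columns; the chain listing below is constructed so the script runs without iptables. The boot-time commands are the same two lines as in the post, guarded so they can run more than once (`iptables -N` fails if the chain already exists and `iptables -I` would add a second jump; `iptables -C` is the rule-check flag in iptables 1.4.11 and later).

```shell
# Added example: review the SSHD chain that sshdfilter fills in.
# Constructed sample of `iptables -L SSHD -n` (numeric, no DNS lookups).
# One LAN address is included on purpose to show the policy check firing.
SAMPLE_CHAIN='Chain SSHD (1 references)
target     prot opt source               destination
DROP       tcp  --  211.137.137.233      0.0.0.0/0            tcp dpt:22
DROP       tcp  --  202.179.108.54       0.0.0.0/0            tcp dpt:22
DROP       tcp  --  192.168.7.42         0.0.0.0/0            tcp dpt:22
DROP       tcp  --  60.28.222.154        0.0.0.0/0            tcp dpt:22'

# Same pattern as the +'...' IPPOLICY entry in /etc/sshdfilterrc.
LAN_RE='^192\.168\.7\.[0-9]+$'

# Print the source address of every DROP rule in a chain listing, one per line.
banned_sources() {
    printf '%s\n' "$1" | awk '$1 == "DROP" { print $4 }'
}

# Number of banned addresses in the listing.
banned_count() {
    banned_sources "$1" | wc -l | tr -d ' '
}

# Exit 0 if the address matches the LAN regex (sshdfilter should always accept it).
is_lan() {
    printf '%s\n' "$1" | grep -Eq "$LAN_RE"
}

# Print banned addresses that the IPPOLICY says must never be blocked;
# empty output means the whitelist is doing its job.
lan_in_banlist() {
    banned_sources "$1" | while IFS= read -r ip; do
        if is_lan "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# The two bootmisc.sh lines from the post, made safe to re-run.
bootmisc_commands() {
    cat <<'EOF'
iptables -L SSHD -n >/dev/null 2>&1 || iptables -N SSHD
iptables -C INPUT -p tcp -m tcp --dport 22 -j SSHD 2>/dev/null || iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
EOF
}

# Against the live firewall (as root):
#   lan_in_banlist "$(iptables -L SSHD -n)"
#   banned_sources "$(iptables -L SSHD -n)"
```

Note that adding the chain in bootmisc.sh only recreates the empty SSHD chain at boot; as Kirk says earlier in the thread, the ban entries themselves are gone after a reboot, so `banned_sources` on a freshly booted box will print nothing until sshdfilter adds new rules.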