Revision [4052]

Last edited on 2011-07-06 22:45:33 by KenFong
Additions:
~ ==[[SecurityTreason Block Treason uncloaked attack]]


Revision [3490]

Edited on 2009-08-14 11:11:57 by KenFong
Additions:
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

Alternatively, random early drop can be enabled by specifying the three colon-separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).
SynFlood - http://www.securityfocus.com/infocus/1729
Deletions:
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

Alternatively, random early drop can be enabled by specifying the three colon-separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).
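The two paragraphs above are the sshd_config(5) descriptions of MaxAuthTries and MaxStartups. The following is an added example, not OpenSSH's code and not part of this wiki page: a Python model of the documented random early drop, so the refusal curve of a "start:rate:full" setting can be checked before it goes into a production sshd_config. The names parse_max_startups, refuse_probability and should_refuse are introduced here; the bare-number form "N" is treated as "N:100:N", which is how the text's plain MaxStartups value behaves (every connection beyond N refused).

```python
"""Model of MaxStartups random early drop (added example, not OpenSSH code)."""
import random


def parse_max_startups(value: str):
    """Parse a MaxStartups value into (start, rate, full).

    "start:rate:full" enables random early drop; a bare number N is
    treated as "N:100:N", i.e. hard refusal once N connections are
    waiting for authentication.
    """
    parts = value.split(":")
    if len(parts) == 1:
        start = full = int(parts[0])
        rate = 100
    elif len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
    else:
        raise ValueError(f"bad MaxStartups value {value!r}")
    # sanity limits assumed here: a positive start, full >= start, rate 1..100
    if start <= 0 or full < start or not 1 <= rate <= 100:
        raise ValueError(f"bad MaxStartups value {value!r}")
    return start, rate, full


def refuse_probability(value: str, unauthenticated: int) -> int:
    """Percent chance a new connection is refused while `unauthenticated`
    connections are still in the pre-auth phase.

    Below `start` nothing is refused; at `start` the chance is `rate`;
    it rises linearly to 100 at `full`.
    """
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def should_refuse(value: str, unauthenticated: int, rng=random) -> bool:
    """Roll the dice for one incoming connection.  `rng` only needs randrange()."""
    return rng.randrange(100) < refuse_probability(value, unauthenticated)


if __name__ == "__main__":
    for n in (5, 10, 35, 59, 60):
        print(f"{n:3d} unauthenticated -> {refuse_probability('10:30:60', n):3d}% refused")
```

With "10:30:60" the table printed by the block shows 0% below 10 waiting connections, 30% at exactly 10, 65% at 35 and 100% from 60 on, which matches the figures quoted in the paragraph.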


Revision [1100]

Edited on 2007-10-25 08:25:24 by WikiAdmin
Additions:
==Sub-topics==


Revision [1099]

Edited on 2007-10-25 08:25:07 by WikiAdmin

No differences.

Revision [1097]

Edited on 2007-10-25 08:24:17 by WikiAdmin
Deletions:
==Protect sshd w/ SEC==
OK, yet another way to go. Get SEC from http://kodu.neti.ee/~risto/sec. It's just a perl script so it will run out of the box. You will need a config file like this one:
%%(text;/etc/sec.conf)
type=singlewiththreshold
ptype=regexp
pattern=Authentication failure for (?:illegal user )?(.+?) from (\S+)
desc=ssh password attack from $2
action=shellcmd /sbin/ipfw -q add 2000 deny all from $2 to any
thresh=3
window=300
Then start sec.pl with some options. Here's the run file of the sec daemontools service:
#!/bin/sh
exec 2>&1
exec /usr/sbin/sec.pl -conf=/etc/sec-block.conf -syslog=local0 -input=/var/log/messages -log=/var/log/sec.log


Revision [1096]

Edited on 2007-10-25 08:24:04 by WikiAdmin
Additions:
~ ==[[SecuritySshdSEC Protect sshd with SEC]]==


Revision [1094]

Edited on 2007-10-25 08:23:04 by WikiAdmin
Deletions:
=== Protecting ssh with sshguard ===
sshguard [[http://sourceforge.net/projects/sshguard/ (Get it here)]] works very similarly to sshdfilter. Just run **tail -n0 -F /var/log/secure | /usr/local/sbin/sshguard**, and it will do the work for you. Sadly, it works on selected systems only, just like sshdfilter. Maybe different systems produce different formats of error messages? Anyway, that's a shame. I like the tools.


Revision [1092]

Edited on 2007-10-25 08:21:01 by WikiAdmin
Deletions:
=== Protecting ssh with iptables (required kernel 2.6.18) ===
On systems where sshdfilter or sshguard don't work, there is a simple iptables fix. Essentially, it tracks all NEW connections per source address, and once there are more than a certain number of NEW connection attempts from the same source within the time window, subsequent ones are blocked. To do this, add these to the INPUT chain:
%%(bash)
iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 6 -j DROP
Then instead of testing manually, you can run this script to see the result:
%%(bash)
#!/bin/bash
for i in `seq 1 5` ; do
echo 'exit' | nc 127.0.0.1 22 ;
done
You should get this during the first few loops, and no reply afterwards. Check iptables and you should see packets being dropped.
%%(bash;sshtest.sh)
[root@c50 ~]# ./sshtest.sh
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
Note: ipt_recent prior to kernel 2.6.18 is not reliable. For kernel 2.4, try this:
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 22 -m limit --limit 10/minute --limit-burst 2 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 22 -j DROP
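The two `-m recent` rules above do something easy to get wrong: rule 1 (`--set`) records a timestamp for every NEW packet, including the ones rule 2 will drop, and rule 2 (`--update --seconds 600 --hitcount 6`) drops when the source already has six timestamps inside the last 600 seconds. The following is an added example, not netfilter code and not part of the original page: a Python model of that per-source bookkeeping, run over constructed connection attempts. RecentTable, simulate and SAMPLE_EVENTS are names introduced here; PKT_LIST_TOT mirrors the xt_recent module's default of 20 remembered timestamps per address, which also caps the `--hitcount` a rule may ask for.

```python
"""Model of the two `-m recent` rules for TCP/22 (added example, not netfilter code)."""
from collections import defaultdict, deque

SECONDS = 600      # --seconds 600
HITCOUNT = 6       # --hitcount 6
PKT_LIST_TOT = 20  # xt_recent default ip_pkt_list_tot: timestamps kept per address


class RecentTable:
    """Per-source timestamp list, as the recent module keeps for each address."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=PKT_LIST_TOT):
        if hitcount > list_tot:
            # the real module rejects such a rule unless ip_pkt_list_tot is raised
            raise ValueError("--hitcount may not exceed ip_pkt_list_tot")
        self.seconds = seconds
        self.hitcount = hitcount
        self.list_tot = list_tot
        self.stamps = defaultdict(deque)

    def new_connection(self, src: str, now: float) -> str:
        """Verdict ("ACCEPT" or "DROP") for a NEW TCP/22 packet from src at time now."""
        q = self.stamps[src]
        # rule 1: -m recent --set  records this packet; only the newest list_tot survive
        q.append(now)
        if len(q) > self.list_tot:
            q.popleft()
        # rule 2: -m recent --update --seconds N --hitcount M -j DROP
        # The packet just recorded counts too, so the 6th attempt inside 600 s is
        # the first one dropped, and a source that keeps retrying keeps the count up.
        hits = sum(1 for t in q if now - t <= self.seconds)
        return "DROP" if hits >= self.hitcount else "ACCEPT"


# Constructed attempts as (time in seconds, source); not captured traffic.
SAMPLE_EVENTS = [(10 * i, "203.0.113.9") for i in range(7)] + [
    (5, "198.51.100.4"),      # an unrelated client with a single attempt
    (700, "203.0.113.9"),     # the noisy source again, after its old hits aged out
]


def simulate(events=SAMPLE_EVENTS):
    """Return [(time, source, verdict), ...] in time order."""
    table = RecentTable()
    return [(t, src, table.new_connection(src, t)) for t, src in sorted(events)]


if __name__ == "__main__":
    for t, src, verdict in simulate():
        print(f"t={t:4d} {src:14s} {verdict}")
```

Running the block shows the noisy source accepted five times, dropped on its sixth and seventh attempts, and accepted again at t=700 once all six earlier timestamps are older than 600 seconds; the single attempt from the other client is never affected. The same model explains the page's sshtest.sh output: only the first connections of the loop get a banner, the rest are silently dropped.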


Revision [1091]

Edited on 2007-10-25 08:20:34 by WikiAdmin
Additions:
~ ==[[SecuritySshdFilter Prevent ssh brute force attacks with sshdfilter ]]==
~ ==[[SecuritySshIptables Protecting ssh with iptables ]]==
~ ==[[SecuritySshguard Protecting ssh with sshguard ]]==
Deletions:
~[[SecuritySshdFilter Prevent ssh brute force attacks with sshdfilter ]]


Revision [1087]

Edited on 2007-10-25 08:18:16 by WikiAdmin
Additions:
~[[SecuritySshdFilter Prevent ssh brute force attacks with sshdfilter ]]
Deletions:
=== Prevent ssh brute force attacks with sshdfilter ===
Download sshdfilter from its [[http://www.csc.liv.ac.uk/~greg/sshdfilter web site]]
Version 1.5.3 is easy: just download the source file, run the install script, and create the SSHD iptables chain. Restart syslog and start the sshdfilter service. Its log is in /var/log/secure.
Add the necessary iptables entries:
iptables -N SSHD
iptables -I INPUT 1 -p tcp --dport 22 -j SSHD
#You'd probably want to allow ssh access from a certain server no matter what
iptables -I INPUT 1 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
To check the installation, just look at /var/log/messages, /var/log/secure, and iptables. My iptables after running sshdfilter for 1 day:
# iptables
Chain SSHD (1 references)
pkts bytes target prot opt in out source destination
18 1396 DROP tcp -- * * 61.133.95.228 0.0.0.0/0 tcp dpt:22
22 1732 DROP tcp -- * * 222.255.236.12 0.0.0.0/0 tcp dpt:22
22 1732 DROP tcp -- * * 85.25.20.222 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- * * 60.250.231.36 0.0.0.0/0 tcp dpt:22
# secure log
sshdfilt[9575]: Cancelled instant block of 165.98.233.4
sshdfilt[9575]: Cancelled instant block of 210.6.69.117
sshdfilt[9575]: Cancelled instant block of 64.150.163.110
sshdfilt[9575]: Cancelled guesswork based block of 218.98.194.140
sshdfilt[9575]: Illegal user name, instant block of 218.1.65.233
sshdfilt[9575]: No ssh id string from client, instant block of 67.82.36.169
sshdfilt[9575]: Illegal user name, instant block of 205.237.97.173
sshdfilt[9575]: Cancelled instant block of 219.239.98.111
sshdfilt[9575]: Cancelled instant block of 218.91.236.93


Revision [1086]

Edited on 2007-10-25 03:13:52 by WikiAdmin
Additions:
exec /usr/sbin/sec.pl -conf=/etc/sec-block.conf -syslog=local0 -input=/var/log/messages -log=/var/log/sec.log
Deletions:
exec /usr/sbin/sec.pl --conf=/etc/sec-block.conf --syslog=local0 --input=/var/log/messages


Revision [1085]

Edited on 2007-10-25 03:05:46 by WikiAdmin
Additions:
==Protect sshd w/ SEC==
OK, yet another way to go. Get SEC from http://kodu.neti.ee/~risto/sec. It's just a perl script so it will run out of the box. You will need a config file like this one:
%%(text;/etc/sec.conf)
type=singlewiththreshold
ptype=regexp
pattern=Authentication failure for (?:illegal user )?(.+?) from (\S+)
desc=ssh password attack from $2
action=shellcmd /sbin/ipfw -q add 2000 deny all from $2 to any
thresh=3
window=300
Then start sec.pl with some options. Here's the run file of the sec daemontools service:
#!/bin/sh
exec 2>&1
exec /usr/sbin/sec.pl --conf=/etc/sec-block.conf --syslog=local0 --input=/var/log/messages
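The SEC rule added in this revision (and removed again in revision 1097) fires only after thresh=3 matching lines for the same source within window=300 seconds, because desc=...$2 keys the correlation on the second capture group, the client address. The following is an added example, not SEC itself and not part of the original page: a Python approximation of that SingleWithThreshold behaviour, using the rule's own regexp over constructed log lines. correlate, block_command and SAMPLE_LOG are names introduced here; the block renders the ipfw command as a string rather than running it.

```python
"""Approximation of SEC's SingleWithThreshold rule above (added example, not SEC code)."""
import re
from collections import defaultdict

# pattern= line from the rule, unchanged
PATTERN = re.compile(r"Authentication failure for (?:illegal user )?(.+?) from (\S+)")
THRESH = 3    # thresh=3
WINDOW = 300  # window=300 seconds

# Constructed sample log as (unix time, message); addresses are documentation ranges.
SAMPLE_LOG = [
    (100, "sshd[123]: Authentication failure for illegal user admin from 198.51.100.7"),
    (130, "sshd[124]: Authentication failure for root from 198.51.100.7"),
    (200, "sshd[125]: Accepted publickey for alice from 203.0.113.5"),
    (250, "sshd[126]: Authentication failure for illegal user oracle from 198.51.100.7"),
    (260, "sshd[127]: Authentication failure for bob from 203.0.113.5"),
    (300, "sshd[128]: Authentication failure for illegal user test from 198.51.100.7"),
    (900, "sshd[129]: Authentication failure for bob from 203.0.113.5"),
    (1100, "sshd[130]: Authentication failure for bob from 203.0.113.5"),
]


def correlate(log, thresh=THRESH, window=WINDOW):
    """Return [(time, source), ...] at which the rule's action would fire.

    Per source (the $2 in desc=), keep the matching events of the last
    `window` seconds; when `thresh` of them are present, fire once and ignore
    further matches from that source until the window that started with its
    first counted event has expired, as SEC does after executing the action.
    """
    events = defaultdict(list)   # source -> timestamps of matching lines
    ignore_until = {}            # source -> time until which matches are ignored
    fired = []
    for t, line in log:
        m = PATTERN.search(line)
        if not m:
            continue                      # e.g. successful logins never count
        _user, src = m.groups()
        if t < ignore_until.get(src, 0):
            continue                      # action already taken for this window
        recent = [s for s in events[src] if t - s < window] + [t]
        events[src] = recent
        if len(recent) >= thresh:
            fired.append((t, src))
            ignore_until[src] = recent[0] + window
            events[src] = []
    return fired


def block_command(src: str) -> str:
    """The action= shell command of the rule, with $2 substituted."""
    return f"/sbin/ipfw -q add 2000 deny all from {src} to any"


if __name__ == "__main__":
    for t, src in correlate(SAMPLE_LOG):
        print(f"t={t}: {block_command(src)}")
```

On the constructed log only 198.51.100.7 is blocked (three failures between t=100 and t=250); 203.0.113.5 fails three times as well, but its attempts are 640 and 200 seconds apart, so no three of them ever fall inside one 300-second window. A rule like this blocks on the first capture group's value being anything at all, so a typo in the regexp silently turns the rule into a no-op; feeding a few known-bad lines through it before deploying, as the block does, is a cheap check.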


Revision [902]

Edited on 2007-08-19 23:57:18 by WikiAdmin
Additions:
mod_evasive can block possible DoS attacks. At the time of writing, no log or email is sent. I tested it with apachebench.
Deletions:
mod_evasive can block possible DoS attacks. At the time of writing, mod_evasive does not seem to work with apache2.2


Revision [901]

Edited on 2007-08-19 23:53:40 by WikiAdmin
Additions:
mod_evasive can block possible DoS attacks. At the time of writing, mod_evasive does not seem to work with apache2.2
Deletions:
mod_evasive can block possible DoS attacks.


Revision [900]

Edited on 2007-08-19 23:39:28 by WikiAdmin
Additions:
# number of requests for the same page per interval
DOSPageCount 2
# requests to the whole site per client per interval
DOSSiteCount 50
# 1 second
DOSPageInterval 1
# 1 second
DOSSiteInterval 1
# 10 seconds blocking period
DOSBlockingPeriod 10
DOSLogDir "/var/log/httpd"
Deletions:
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir "/var/log/mod_evasive"


Revision [899]

Edited on 2007-08-19 23:34:15 by WikiAdmin
Additions:
/usr/sbin/apxs -i -a -c mod_evasive20.c
==Configuration==
Add the following in httpd.conf:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
Deletions:
apxs -i -a -c mod_evasive20.c


Revision [898]

Edited on 2007-08-19 23:28:22 by WikiAdmin
Additions:
==Installation==
Obtain mod_evasive from http://www.zdziarski.com/projects/mod_evasive
For Apache with DSO support, use the following command to install it:
apxs -i -a -c mod_evasive20.c


Revision [893]

Edited on 2007-08-19 18:42:09 by WikiAdmin
Additions:
===Protecting Apache===
mod_evasive can block possible DoS attacks.


Revision [719]

Edited on 2007-06-21 02:28:00 by WikiAdmin
Additions:
==Related Knowledge==
[[ssh]]
-----


Revision [671]

The oldest known version of this page was created on 2007-06-07 08:56:25 by WikiAdmin