andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Wed Nov 03, 2004 3:33 pm Post subject: Server Security Concerns
I have two questions, both related to server security. First is this: I am getting hundreds of invalid SSH login attempts (the usual: trying to login as user test, etc.), and they are coming from just a few IPs. Naturally I want to ban these IPs, but I don't know the most efficient way to do this. I don't want to write an iptables rule for each address because I'm sure this list will grow in the future. Does hosts.deny work in this situation?
The other concern is related to the Apache web server. I have already seen attempts to exploit the IIS WebDAV vulnerability (SEARCH requests hundreds of lines long), and these are little more than annoying to me. What concerns me though is this entry in the access log:
Code:
```
195.14.198.2xx - - [03/Nov/2004:09:37:53 -0500] "CONNECT login.icq.com:443 HTTP/1.0" 302 - "-" "-"
```
Even though I'm new to this amateur server admin game, this looks like someone trying to use my machine as a proxy. How can I be sure attempts like this don't succeed? There's only been one so far so it isn't a huge problem yet.
Thanks in advance,
Andrew
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Wed Nov 03, 2004 3:38 pm
There are three ways to combat the SSH problem.
1) Change the port SSH listens on.
2) Live with it. It's coming from hacked boxes all over the place; it's been happening for a couple of months and shows no sign of stopping. As long as you have no accounts with silly un/pass combos (test/test, root/root etc.) you should be ok.
3) Tell iptables to only allow connects from the IP addresses you use. This obviously only helps if you use a handful of IPs to connect to your box from.
I don't know about the Apache one; some novel iptables rules will probably help, but I'm not that good yet!
SoTired Apprentice
Joined: 19 May 2004 Posts: 174
Posted: Wed Nov 03, 2004 5:46 pm
I have some ideas for possible other solutions:
For apache, just get mod_security - the default rules are enough to stop most attempts at exploits, and you could easily write some new rules to stop other things as they come up.
As for SSH, I too got fed up with the attacks, and because I do not have full password control (i.e. there are other users) on some of the boxes I run, I decided to do something about it!
So here's my highly untested, very possibly not working, not-even-very-well-thought-out anti-ssh-bruteforcing script:
Code:
```bash
#!/bin/bash
###########################
#
# SSHSafe version 2.01
#
# This code looks through a PAM-enabled logfile of failed SSH logins
# and adds people with too many failed attempts to a temporary block
# list. The number of failed attempts before blocking, and how often
# the script has to run are both configurable.
#
###########################
# How many attempts a host must make in the time interval before it is blocked
BlockAfter=4
# File holding the IPs blocked by the previous run (one per line)
BLOCKFILE=/var/lib/iptables/tempblocks
if [ -z "$1" ]
then
    echo "Temp iptables blocks SSH bruteforcers."
    echo " usage:"
    echo " sshsecure authlogfile"
    exit 1
fi
total=0
last=""
blocked=0
# Adds an IP to iptables (port 22 only) after BlockAfter infractions.
# Relies on the attempt list being sorted so one host's attempts are adjacent.
function blocker()
{
    if [ "$1" == "$last" ]
    then
        total="$((total+1))"
    else
        total=0
    fi
    # Block after BlockAfter attempts over the last few minutes
    if [ "$total" -eq "$BlockAfter" ]
    then
        blocked="$((blocked+1))"
        echo "Blocking $1"
        iptables -I INPUT -p tcp -s "$1" --destination-port 22 -j DROP
        echo "$1" >> "$BLOCKFILE"
    fi
    last="$1"
}
echo "Dropping all old blocks..."
# Drop previous blocks by their exact rule (rather than the first N rules of
# INPUT, which could be someone else's); they will be re-added if need be.
touch "$BLOCKFILE"
while read -r ip
do
    [ -n "$ip" ] && iptables -D INPUT -p tcp -s "$ip" --destination-port 22 -j DROP
done < "$BLOCKFILE"
: > "$BLOCKFILE"
echo "Getting intrusion attempts..."
# Current day/hour/minute in the form syslog prints them: day without a
# leading zero (%-d is a GNU date extension), hour and minute zero-padded.
cday=$(date +%-d)
chour=$(date +%H)
cminute=$(date +%M)
# Previous hour and day, so attempts that straddle a boundary are still found.
# 10# forces decimal so that 08 and 09 are not read as octal; the hour is
# zero-padded again so it matches the log.
if [ "$((10#$chour))" -eq 0 ]
then
    rhour=23
else
    rhour=$(printf '%02d' "$((10#$chour - 1))")
fi
rday=$((cday - 1))
if [ "$cday" -eq 1 ]
then
    rday=1   # first of the month: the previous day is in last month and is not searched
fi
# One entry per failed login in the current or previous hour: rhost=IP|HH:MM:SC|DAY
# ($cday etc. must expand here; escaping the $ would hand egrep a literal "$cday".)
tandhi=( $(egrep "^[A-Za-z]+.* ($cday|$rday) ($chour|$rhour):.+sshd\(pam_unix\).*authentication failure;.+$" "$1" | awk '{ print $13"|"$3"|"$2 }') )
echo "Sorting intrusion attempts list..."
# Shell sort (Fibonacci gap sequence) so identical hosts end up adjacent
h=1
hh=1
n=${#tandhi[*]}
while [ "$h" -lt "$n" ]
do
    hh="$((hh+h))"
    h="$((hh-h))"
done
while [ "$hh" -gt 1 ]
do
    for (( i = h ; i < n ; i++ ))
    do
        v="${tandhi[$i]}"
        j="$i"
        # Plain string comparison (a stray "@" on one side made it always false)
        while [ "$j" -ge "$h" ] && [[ "${tandhi[$((j-h))]}" > "$v" ]]
        do
            tandhi[$j]="${tandhi[$((j-h))]}"
            j="$((j-h))"
        done
        tandhi[$j]="$v"
    done
    h="$((hh-h))"
    hh="$((hh-h))"
done
echo "Calculating blocks ($n attempts to consider)..."
index=0
while [ "$index" -lt "$n" ]
do
    # sshsecparse (the C helper below, expected on PATH) prints 1 when the attempt is recent
    if [ "$(sshsecparse "$cday" "$chour" "$cminute" "${tandhi[$index]}")" == 1 ]
    then
        host=$(echo "${tandhi[$index]}" | awk -F '|' '{ print $1 }' | awk -F = '{ print $2 }')
        blocker "$host"
    fi
    index="$((index+1))"
done
echo "Done! ($blocked hosts blocked)"
exit 0
```
and the C portion of it (sshsecparse, though you can always change how it's called in the bash script, if you want):
Code:
```c
/*
###########################
#
# SSHSafe.c version 1.02
#
# This is the C code portion of the sshsafe bash script.
#
###########################
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* strtok */

// IMPORTANT!!!
// Change this to how often you will cron the script
// ex. 'often = 5' means once every 5 minutes
const int often = 5;

void usage(void);
int readinput(char* cday, char* chour, char* cminute, char* string);

int main(int argc, char *argv[])
{
    if (argc != 5)
    {
        usage();
        return 0;
    }
    // The bash script keys off the "1" printed on stdout, not the exit status,
    // but return it as well so the program is usable on its own.
    return readinput(argv[1], argv[2], argv[3], argv[4]) == 1 ? 1 : 0;
}
// Just to be helpful ;)
void usage(void)
{
    fprintf(stderr, "sshsecparse - Checks an auth log message and times to\ndetermine if it is a recent infraction or not.\n");
    fprintf(stderr, "This program is supposed to be called as part of sshsafe.\n");
    fprintf(stderr, "\nusage:\n");
    fprintf(stderr, " sshsecparse day hour minute rhost=IPADDR|HR:MN:SC|DAY\n");
}
// Function that does everything
int readinput(char* cday, char* chour, char* cminute, char* string)
{
    // Grab the current time passed in by the script
    int rday = atoi(cday);
    int rhour = atoi(chour);
    int rmin = atoi(cminute);
    // Extract the incident time values from "rhost=IP|HH:MM:SS|DAY"
    char *ip = strtok(string, "|");   // First is the IP, ignore it
    char *tstr = strtok(NULL, "|");
    char *dstr = strtok(NULL, "|");
    if (ip == NULL || tstr == NULL || dstr == NULL)
        return 0;                     // malformed input: treat as not recent
    int day = atoi(dstr);
    char *hstr = strtok(tstr, ":");
    char *mstr = strtok(NULL, ":");
    if (hstr == NULL || mstr == NULL)
        return 0;
    int hour = atoi(hstr);
    int min = atoi(mstr);
    // Recent if the incident happened within the past 'often' minutes:
    // same day and hour, the previous hour, or 23:xx of the previous day.
    // The current time is one hour/day *after* the incident, so compare
    // against hour+1 / day+1 (hour-1 / day-1 would pick incidents in the
    // future), and require the same day in the same-hour case so that an
    // attempt at this hour yesterday is not counted.
    if ((rday == day && rhour == hour && (rmin - min) <= often) ||
        (rday == day && rhour == hour + 1 && (rmin - min) <= (often - 60)) ||
        (rday == day + 1 && rhour == 0 && hour == 23 && (rmin - min) <= (often - 60)))
    {
        fprintf(stdout, "1"); // the bash script reads this to decide on a block
        return 1;
    }
    return 0;
}
```
It was originally all bash, but it ran too slow. Anyway, what it'll hopefully do is read through your blockfile every 5 or 10 minutes or so (how long is up to you) and block people who have been attempting to get into your SSH server. After 5 minutes all of the blocks are deleted and it checks the logfile again, and implements new blocks.
The main problem is that for it to be most effective you need iptables to continue to generate SSH login fail messages even when it's blocking the packets (otherwise they would be blocked for five minutes, the script would run and see that they've started to 'behave' when really they've just been blocked). This could be solved by having iptables log all infractions upon the rules created by the script, so all it would need would be a better grep statement; I'll work on this once I have some time.
In the meantime, feel free to try it out. I've only had one person attempt to get into my box since using it, and it was somewhat effective at stopping them, and it didn't crash or make iptables block everything or anything bad like that. Enjoy!
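The counting-in-a-window logic the script above implements, and the problem it describes of a blocked host going quiet in the log, as an added example that is not SoTired's code: it parses constructed `sshd(pam_unix)` failure lines, counts failures per `rhost` in the last N minutes, and keeps each block until an expiry time instead of dropping every block on each run, so a host that is silent only because it is being dropped stays blocked. The sample log lines, the `BlockList` class and the `iptables_commands` helper are all assumptions of the example; it prints the iptables commands it would run rather than running them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of PAM failure lines as syslog writes them (no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Nov  3 08:10:00 gw sshd(pam_unix)[13900]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.44  user=test
Nov  3 09:31:02 gw sshd(pam_unix)[14021]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=test
Nov  3 09:31:05 gw sshd(pam_unix)[14023]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=guest
Nov  3 09:31:09 gw sshd(pam_unix)[14025]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=admin
Nov  3 09:31:12 gw sshd(pam_unix)[14027]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=oracle
Nov  3 09:32:40 gw sshd(pam_unix)[14031]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.9  user=andrew
Nov  3 09:33:01 gw sshd[14033]: Accepted publickey for andrew from 198.51.100.9 port 40112 ssh2
"""

FAILURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(?P<rhost>\S+)"
)


def parse_failures(log_text, year):
    """Return (timestamp, rhost) for each PAM failure line; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["rhost"]))
    return events


def offenders(events, now, window_minutes=5, threshold=4):
    """Hosts with at least `threshold` failures in the `window_minutes` before `now`."""
    cutoff = now - timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for ts, host in events:
        if cutoff < ts <= now:
            counts[host] += 1
    return sorted(h for h, c in counts.items() if c >= threshold)


class BlockList:
    """Blocks with an expiry time (assumed design, not the script's). A blocked host
    produces no new log lines because its packets are dropped, so the block must
    outlive the log window instead of being re-derived from the log on every run."""

    def __init__(self, block_minutes=30):
        self.block_minutes = block_minutes
        self.expiry = {}

    def update(self, hosts, now):
        """Add or refresh blocks for `hosts`, drop expired ones; returns (added, expired)."""
        added = [h for h in hosts if h not in self.expiry]
        for h in hosts:
            self.expiry[h] = now + timedelta(minutes=self.block_minutes)
        expired = sorted(h for h, t in self.expiry.items() if t <= now)
        for h in expired:
            del self.expiry[h]
        return added, expired

    def active(self):
        return sorted(self.expiry)


def iptables_commands(added, expired):
    """Rules to apply: insert a DROP for new blocks, delete the exact same rule for expired ones."""
    cmds = [f"iptables -I INPUT -p tcp -s {h} --dport 22 -j DROP" for h in added]
    cmds += [f"iptables -D INPUT -p tcp -s {h} --dport 22 -j DROP" for h in expired]
    return cmds


if __name__ == "__main__":
    now = datetime(2004, 11, 3, 9, 35)  # constructed "current time" for the sample log
    bl = BlockList()
    added, expired = bl.update(offenders(parse_failures(SAMPLE_AUTH_LOG, 2004), now), now)
    for cmd in iptables_commands(added, expired):
        print(cmd)
```

Run against the sample at 09:35, only `203.0.113.7` (four failures inside the five-minute window) is blocked; `198.51.100.9` had a single failure followed by a successful key login and is left alone. Persisting `BlockList.expiry` between cron runs (a small file, as the script does with its tempblocks file) is what carries the block across the gap in the log.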
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Wed Nov 03, 2004 5:50 pm
For your apache concerns maybe the limit directive is helpful.
Alex!
lanzz n00b
Joined: 12 Sep 2004 Posts: 28
Posted: Wed Nov 03, 2004 7:19 pm
if you are not offering ssh to a lot of people, you might limit the accounts allowed to log in with ssh to the absolute minimum:
in sshd_config:
Code:
```
AllowUsers user1 user2 user3
```
andrewbarr Apprentice
Joined: 09 Jul 2004 Posts: 172 Location: Madison County, Ohio
Posted: Wed Nov 03, 2004 10:21 pm
SoTired wrote:
> I have some ideas for possible other solutions:
> For apache, just get mod_security - the default rules are enough to stop most attempts at exploits, and you could easily write some new rules to stop other things as they come up.
Can I just install mod_security ("emerge mod_security") and then add a minimal IfModule statement to apache2.conf:
Code:
```apache
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecAuditEngine RelevantOnly
SecFilterScanPOST On
SecDefaultFilterAction "deny,log,post:500"
SecFilter 111
</IfModule>
```
I see from the mod_security documentation I can add lots of custom rules--I don't think my security situation is there yet.
SoTired wrote:
> As for SSH, I too got fed up with the attacks, and because I do not have full password control (i.e. there are other users) on some of the boxes I run, I decided to do something about it!
I do have full password control, and I'm the only one who uses it anyway, so I'll just add a directive to sshd_config as lanzz suggested.
Thanks for everyone's help!
SoTired Apprentice
Joined: 19 May 2004 Posts: 174
Posted: Thu Nov 04, 2004 6:08 am
andrewbarr wrote:
> Can I just install mod_security ("emerge mod_security") and then add a minimal IfModule statement to apache2.conf:
> Code:
> ```apache
> <IfModule mod_security.c>
> SecFilterEngine On
> SecFilterCheckURLEncoding On
> SecAuditEngine RelevantOnly
> SecFilterScanPOST On
> SecDefaultFilterAction "deny,log,post:500"
> SecFilter 111
> </IfModule>
> ```
Don't forget the LoadModule line. Though, yes, you could, I would suggest a slightly better configuration, as with what you have you really won't be adding too much security.
I'd suggest starting with something like
Code:
```apache
SecFilterEngine On
SecServerResponseToken On
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterForceByteRange 8 254
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec
SecFilterScanPOST On
SecFilterCheckCookieFormat On
SecFilterDefaultAction "deny,log,status:404"
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!^(|application/x-www-form-urlencoded|multipart/form-data)$"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Prevent some XSS
SecFilter "\.\./"
SecFilter "<[[:space:]]*script"
#Prevent SQL injection attempts, might affect phpmyadmin/phppgadmin/similar tools
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
```
and working from there.
The SQL rules could obviously go if you don't run an SQL server there or whatnot, but it's a reasonable starting point.
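To see what the five `SecFilter` patterns in the configuration above actually catch, here is an added example (not from mod_security and not SoTired's) that applies them to a few constructed request targets. It assumes the request is URL-decoded before matching, as mod_security's normalisation does, and rewrites `[[:space:]]` to Python's `\s` because `re` has no POSIX bracket classes. The last two samples show the trade-off the post mentions: a harmless query string containing "select ... from" is blocked just like the injection attempt.

```python
import re
from urllib.parse import unquote_plus

# The SecFilter patterns from the configuration above, as POSIX ERE (the form mod_security takes)
SECFILTERS = {
    "dir-traversal": r"\.\./",
    "xss-script":    r"<[[:space:]]*script",
    "sql-delete":    r"delete[[:space:]]+from",
    "sql-insert":    r"insert[[:space:]]+into",
    "sql-select":    r"select.+from",
}


def posix_to_python(pattern):
    """Python's re lacks POSIX bracket classes; map the one class these rules use."""
    return pattern.replace("[[:space:]]", r"\s")


COMPILED = {name: re.compile(posix_to_python(p)) for name, p in SECFILTERS.items()}


def matching_filters(request_target):
    """Names of the filters that fire on a request target, after URL-decoding it.
    Assumption of this example: the pattern is applied to the decoded path and query string."""
    decoded = unquote_plus(request_target)
    return [name for name, rx in COMPILED.items() if rx.search(decoded)]


# Constructed request targets paired with the filters expected to fire on them
SAMPLES = {
    "/index.php?id=1%20union%20select%20password%20from%20users": ["sql-select"],
    "/images/../../etc/motd": ["dir-traversal"],
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E": ["xss-script"],
    "/blog?title=How+to+select+wines+from+France": ["sql-select"],  # legitimate text, still blocked
    "/products?page=2": [],
}


def run_samples():
    """Evaluate every sample; a dict of target -> filters that fired."""
    return {target: matching_filters(target) for target in SAMPLES}


if __name__ == "__main__":
    for target, fired in run_samples().items():
        print(f"{target:60s} -> {fired or 'allowed'}")
```

Each blocked request is answered with the `SecFilterDefaultAction` above (a 404 with a log entry), so when a rule like `select.+from` starts denying legitimate searches the `SecAuditLog` is where it shows up first.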
apc n00b
Joined: 10 Jul 2004 Posts: 18
Posted: Tue Nov 16, 2004 9:51 am
I had a similar log finding today. It is as follows:
```
64.71.165.195 - - [16/Nov/2004:00:34:06 -0800] "CONNECT 216.179.62.106:6667 HTTP/1.0" 302 0
```
It looks like an IRC server, but does the 0 returned mean that I'm not actually proxying anything? I don't have mod_proxy on.
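The two CONNECT lines in this thread (andrewbarr's `login.icq.com:443` one and apc's `:6667` one) both show a 302 with no body, and the question both posts ask is whether the server tunnelled anything. A proxy that accepts a CONNECT answers 200 and then relays bytes; any other status is a refusal or, as here, a redirect. The following added example (not from either poster, and not Apache code) parses constructed access-log lines in the same common and combined formats, labels CONNECT and SEARCH requests from a defender's point of view, and lists the clients for which a tunnel was actually opened. The sample lines, the label names and the helper functions are all assumptions of the example.

```python
import re

# Constructed access-log lines in the shapes seen in the thread: combined format
# (with referer and user agent) and common format (without). The 200 CONNECT line
# is what a successfully opened tunnel would look like; it is constructed, not observed.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [03/Nov/2004:09:37:53 -0500] "CONNECT login.icq.com:443 HTTP/1.0" 302 - "-" "-"
198.51.100.23 - - [16/Nov/2004:00:34:06 -0800] "CONNECT 192.0.2.106:6667 HTTP/1.0" 302 0
198.51.100.23 - - [16/Nov/2004:00:34:09 -0800] "CONNECT 192.0.2.106:6667 HTTP/1.0" 200 1532
192.0.2.77 - - [03/Nov/2004:10:02:11 -0500] "SEARCH / HTTP/1.1" 501 - "-" "-"
203.0.113.9 - - [03/Nov/2004:10:05:00 -0500] "GET /index.html HTTP/1.1" 200 2034 "-" "Mozilla/5.0"
"""

# Client, identd, user, [timestamp], "METHOD target [protocol]", status, bytes; referer/agent optional
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_access_log(text):
    """Return one dict per parseable line; '-' bytes (no body) becomes 0."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["status"] = int(row["status"])
        row["bytes"] = 0 if row["bytes"] == "-" else int(row["bytes"])
        rows.append(row)
    return rows


def classify(row):
    """Label a request. A CONNECT answered with 200 means the server opened a tunnel
    (it acted as a forward proxy); any other status means it was refused or redirected.
    SEARCH is the WebDAV method the IIS probes mentioned in the thread use."""
    if row["method"] == "CONNECT":
        return "proxy-tunnel-opened" if row["status"] == 200 else "proxy-attempt-refused"
    if row["method"] == "SEARCH":
        return "webdav-probe"
    return "normal"


def triage(text):
    """{label: [(client, target, status), ...]} for every request that is not plain traffic."""
    findings = {}
    for row in parse_access_log(text):
        label = classify(row)
        if label != "normal":
            findings.setdefault(label, []).append((row["client"], row["target"], row["status"]))
    return findings


def clients_that_got_a_tunnel(text):
    """The clients worth acting on: those whose CONNECT was actually served."""
    return sorted({c for c, _, _ in triage(text).get("proxy-tunnel-opened", [])})


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_ACCESS_LOG).items():
        for client, target, status in hits:
            print(f"{label:22s} {client:15s} {target:25s} {status}")
    print("tunnels opened for:", clients_that_got_a_tunnel(SAMPLE_ACCESS_LOG))
```

On the sample, both 302 CONNECT lines land in `proxy-attempt-refused`, and only the constructed 200 line produces a client in `clients_that_got_a_tunnel`; that is the line to alert on if it ever appears in a real log, since it means the server relayed traffic to a third party on the client's behalf.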