gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Thu Dec 24, 2009 10:30 pm Post subject: fail2ban / iptables question [!Solved]
I've been watching bots and script kids hammer my ssh and ftp ports via conky for ages. I finally changed my ssh port to something other than the default, and since then I haven't had a problem with ssh. However, I can't change my default ftp port based on some of the functions it has to serve. So rather than monitor and ban IPs manually, I decided to do some research and found fail2ban: awesome.
After configging the jail for ssh and pure-ftpd, I decided to take the system through a little test. I ssh'd into a dev server and started a brute force attack on my machine. After 12 attempts, I was still able to reach it. Using nx over a different network connection, I saw that I received an email from fail2ban saying that the IP doing the hammering had been banned after 5 attempts: excellent! However, I was still able to hammer the machine after receiving the message. Finally, I ssh'd in with legit credentials, and was able to log in! It appears I have created an illusion of security, which isn't what I want for Christmas.
Here is the relevant section of my jail.local:

Code:
```ini
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail[name=SSH, dest=myemail@host.com, sender=fail2ban@myserver]
logpath = /var/log/messages
maxretry = 5
```

After the ban, here is the relevant section of iptables --list:

Code:
```
Chain fail2ban-SSH (1 references)
target     prot opt source                 destination
DROP       all  --  ipiwasusing.host.com   anywhere
RETURN     all  --  anywhere               anywhere
```

This all looks correct, but I'm still able to brute force from that IP AND log in to the target machine! What am I missing here? I thought it might have to do with me changing the ssh port, but the fact that fail2ban detected the breakin and iptables has "all" listed for the prot (hehe) for that ip instance tells me that can't be it.
Any security gurus out there with some tips for me? I'd like to get the ssh angle solidified before I start locking down ftp and apache.
Enjoy the holidays.
_________________
~g
emerge -FML...
Last edited by gr0x0rd on Fri Dec 25, 2009 11:47 pm; edited 2 times in total
Hu Administrator
Joined: 06 Mar 2007 Posts: 23091
Posted: Thu Dec 24, 2009 11:14 pm Post subject:
Is that rule actually referenced anywhere? What is the output of iptables-save -c when a host has been banned?
keyson l33t
Joined: 10 Jun 2003 Posts: 830 Location: Sweden
Posted: Thu Dec 24, 2009 11:27 pm Post subject:
Hi,
Have you changed the port for ssh?
You have ssh as the port in the config, so it should only stop the original port from being accessed.
Is the dpt right in the fail2ban-SSH chain for the port that you use?

Quote:
```
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
```

If you run ssh on another port, you have to change this.
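The two checks Hu and keyson are asking for (is the jail chain referenced from INPUT at all, and does the jump carry the port sshd really listens on), as an added example that is not part of the thread: a small Python script that parses `iptables-save -c` output and reports the INPUT jumps into a jail chain, the destination port of each jump, and how many packets each DROP inside the chain has actually matched. The two samples embedded in it are constructed to mimic the thread's situation (a jump restricted to dport 22 after sshd was moved, and the iptables-allports variant with no port at all); the banned address 203.0.113.5 is a documentation address, and the names `parse_rules` and `check_jail` are mine.

```python
import re
import shlex
import sys

# The [pkts:bytes] prefix that iptables-save -c puts in front of each rule.
COUNTER = re.compile(r"^\[(\d+):(\d+)\]\s+")

# Constructed iptables-save -c output modelled on the thread's first setup:
# the jail chain holds a DROP, but INPUT only jumps to it for port 22, and
# the zero packet counter on the DROP shows the ban is never hit.
SAMPLE_PORT_JAIL = """\
*filter
:INPUT ACCEPT [812:61432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [790:98012]
:fail2ban-SSH - [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
[0:0] -A fail2ban-SSH -s 203.0.113.5/32 -j DROP
[0:0] -A fail2ban-SSH -j RETURN
COMMIT
"""

# Constructed output for the iptables-allports action: no --dport on the
# jump, so the ban applies whatever port the service listens on.
SAMPLE_ALLPORTS_JAIL = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
[40:2400] -A INPUT -j fail2ban-SSH
[37:2220] -A fail2ban-SSH -s 203.0.113.5/32 -j DROP
[3:180] -A fail2ban-SSH -j RETURN
COMMIT
"""


def parse_rules(save_text):
    """Turn the -A lines of iptables-save into dicts (chain, target, dport, src, packets)."""
    rules = []
    for raw in save_text.splitlines():
        line = raw.strip()
        packets = None
        m = COUNTER.match(line)
        if m:
            packets = int(m.group(1))
            line = line[m.end():]
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        rule = {"chain": tok[1], "target": None, "dport": None, "src": None, "packets": packets}
        for i, t in enumerate(tok[:-1]):
            if t == "-j":
                rule["target"] = tok[i + 1]
            elif t in ("--dport", "--destination-port"):
                rule["dport"] = tok[i + 1]
            elif t in ("-s", "--source"):
                rule["src"] = tok[i + 1]
        rules.append(rule)
    return rules


def check_jail(save_text, chain, service_port):
    """Report whether INPUT reaches the jail chain for the port the service really uses."""
    rules = parse_rules(save_text)
    jumps = [r for r in rules if r["chain"] == "INPUT" and r["target"] == chain]
    # A jump without a port restriction (iptables-allports) covers every port.
    covers = any(r["dport"] in (None, str(service_port)) for r in jumps)
    banned = [{"src": r["src"], "packets": r["packets"]}
              for r in rules if r["chain"] == chain and r["target"] == "DROP"]
    return {
        "referenced_from_input": bool(jumps),
        "jump_ports": sorted(r["dport"] or "all" for r in jumps),
        "covers_service_port": covers,
        "banned_sources": banned,
    }


if __name__ == "__main__":
    # Usage: iptables-save -c | python3 check_jail.py fail2ban-SSH 2222
    chain = sys.argv[1] if len(sys.argv) > 1 else "fail2ban-SSH"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PORT_JAIL
    for key, value in check_jail(text, chain, port).items():
        print(f"{key}: {value}")
```

Reading the report: `referenced_from_input: False` is the "(0 references)" case, `jump_ports: ['22']` with `covers_service_port: False` is keyson's point (fail2ban turned `port=ssh` into 22 and sshd now listens elsewhere), and a DROP whose `packets` stays at 0 while the attacker keeps connecting tells you the ban rule is never reached, which is exactly what `-c` is for.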
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Fri Dec 25, 2009 12:50 am Post subject:
Hey guys,
Yes, I have changed the port for SSH, but if someone has been clever enough to sniff out that port, I really don't care about banning them on that port only, I want them blocked on all ports. This did the trick:

Code:
```ini
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
         sendmail-whois[name=SSH, dest=myemail@host.com, sender=fail2ban@myserver]
logpath = /var/log/messages
maxretry = 5
#bantime=600
```

If I start feeling lucky, I can always uncomment the bantime line.
What a great tool, thanks for the help!
EDIT 15:45 PST 09-12-25:
Perhaps I jumped the gun here. After a successful test of ssh, I enabled fail2ban for my pure-ftpd server. Here's my jail.local:

Code:
```ini
[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables-allports[name=Pure-FTPD, protocol=all]
         sendmail-whois[name=Pure-FTPD, dest=myemail@host.com, sender=fail2ban@myserver]
logpath = /var/log/messages
maxretry = 5
```

I relaxed and had a good long restful sleep, despite severe self-induced dehydration and nightmares of being chased by hordes of flat-chested women wearing Calgary Flames jerseys. When I awoke this morning, I found 52 messages from fail2ban! I was disappointed only when I saw that the messages all claimed to have banned the same IP! So,

Code:
```
$ sudo iptables --list
Chain fail2ban-Pure-FTPD (1 references)
target     prot opt source                 destination
DROP       all  --  host0521.cammail.net   anywhere
RETURN     all  --  anywhere               anywhere
```

Looks ok... so here's an excerpt of /var/log/messages...

Code:
```
Dec 25 16:01:13 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com
Dec 25 16:01:14 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:18 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:27 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:37 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:51 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:58 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures
```

FFS, no wonder I am getting all these emails, the little prick is still at it! After a ping, mail.campusmailuk.com resolves to 80.248.180.173. host0521.cammail.net resolves to 80.248.180.172: maybe that's it...

Code:
```
$ sudo iptables -I INPUT -s 80.248.180.173 -j DROP
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target             prot opt source                 destination
DROP               all  --  host0521.cammail.net   anywhere
DROP               all  --  host0520.cammail.net   anywhere
fail2ban-Pure-FTPD all  --  anywhere               anywhere

Chain FORWARD (policy ACCEPT)
target             prot opt source                 destination

Chain OUTPUT (policy ACCEPT)
target             prot opt source                 destination

Chain fail2ban-Pure-FTPD (1 references)
target             prot opt source                 destination
DROP               all  --  host0521.cammail.net   anywhere
RETURN             all  --  anywhere               anywhere

Chain fail2ban-SSH (0 references)
target             prot opt source                 destination
RETURN             all  --  anywhere               anywhere
```

That's got to be it.

Code:
```
$ sudo tail -10 /var/log/messages
Dec 25 16:08:30 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com
Dec 25 16:08:31 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:36 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:43 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:08:52 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:09:07 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:09:22 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures
```

%$@&#*#(!!!!!! How is this wanker still getting through?
_________________
~g
emerge -FML...
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Sat Dec 26, 2009 1:09 am Post subject:
After issuing

Code:
```sh
iptables -A INPUT -s 80.248.180.0/24 -j DROP
```

I am finally rid of this limey. What news of the colonies indeed.
Is this a bug in fail2ban, or some sort of IP masking? Has anyone run into anything like this before?
Finally some peace. Time for some Ho-Ho-Ho.
_________________
~g
emerge -FML...
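The two posts above diagnose the ban by eye: `iptables --list` prints reverse-resolved names, the log prints the name pure-ftpd resolved for the client, and only a ping showed that the two names map to different addresses (.172 versus .173), which the /24 rule finally covered. As an added example that is not part of the thread, here is a Python check that does that comparison numerically: it counts failed logins per source in pure-ftpd log lines, turns each source into an address, and tests whether any DROP source, written the way `iptables -S` prints it (numeric, with a prefix length), actually contains that address. The log excerpt, the 192.0.2.44 client and the name-to-address table are constructed; the table stands in for DNS and uses the addresses reported in the thread, and the function names (`failures_by_host`, `uncovered_offenders`, and so on) are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt modelled on the thread's /var/log/messages lines, plus
# one constructed client that pure-ftpd logged by address rather than name.
SAMPLE_LOG = """\
Dec 25 16:01:13 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [INFO] New connection from mail.campusmailuk.com
Dec 25 16:01:14 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:18 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:27 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:37 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:51 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [WARNING] Authentication failed for user [Administrator]
Dec 25 16:01:58 teletran4 pure-ftpd: (?@mail.campusmailuk.com) [ERROR] Too many authentication failures
Dec 25 16:03:02 teletran4 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [anonymous]
"""

# Constructed name -> address table standing in for DNS (the addresses are the
# ones the thread's ping reported); real code would call socket.gethostbyname.
RESOLVE = {
    "mail.campusmailuk.com": "80.248.180.173",
    "host0521.cammail.net": "80.248.180.172",
}

# pure-ftpd writes "(user@source) [WARNING] Authentication failed for user [...]".
FAIL_RE = re.compile(
    r"pure-ftpd: \(\S*?@(?P<host>[^)]+)\) \[WARNING\] Authentication failed"
)


def failures_by_host(log_text):
    """Count failed logins per source exactly as pure-ftpd names it (name or address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def to_address(host, resolve=RESOLVE):
    """Numeric address for a log source; literal addresses pass through unchanged."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolve.get(host)


def is_covered(address, drop_sources):
    """True if some DROP source (single address or CIDR) contains the address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(src, strict=False) for src in drop_sources)


def uncovered_offenders(log_text, drop_sources, maxretry=5, resolve=RESOLVE):
    """Sources at or over maxretry failures that no DROP rule actually blocks."""
    result = []
    for host, n in failures_by_host(log_text).most_common():
        if n < maxretry:
            continue
        address = to_address(host, resolve)
        if address is None or not is_covered(address, drop_sources):
            result.append((host, address, n))
    return result


if __name__ == "__main__":
    # A ban on .172 alone leaves the .173 client that the log shows unblocked;
    # the /24 from the follow-up post covers it.
    print(uncovered_offenders(SAMPLE_LOG, ["80.248.180.172/32"]))
    print(uncovered_offenders(SAMPLE_LOG, ["80.248.180.0/24"]))
```

In practice, feed `drop_sources` from `iptables -S INPUT` and `iptables -S fail2ban-Pure-FTPD` rather than from `iptables --list`, and read the list with `-n` when comparing by hand: the name a reverse lookup attaches to a banned address is not evidence that the client named in the log has that address.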
d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
Posted: Sat Dec 26, 2009 4:20 am Post subject:
About your ssh attack, did you try this trick?

Code:
```sh
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
```

This will ban the IP that is trying to attack your ssh server for 10 minutes.
You can do that with your ftp server too:

Code:
```sh
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -s 0/0 --destination-port 21 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
```
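What the two rules above actually do, as an added example that is not d2_racing's code: a Python model of the per-source list that the `recent` match keeps, run over a constructed sequence of NEW connections. The model is an approximation of the kernel module, not its source: the first rule (`--set`) records a timestamp for every NEW connection from a source, the second (`--update --seconds 600 --hitcount 10`) drops the packet once 10 timestamps fall inside the last 600 seconds and, being `--update` rather than `--rcheck`, records a fresh timestamp on every match. The names `RecentMatch` and `simulate`, the sample addresses and the 20-entry cap (mirroring the module's default `ip_pkt_list_tot`) are mine.

```python
from collections import defaultdict, deque


class RecentMatch:
    """Toy model of the xt_recent table behind a --set / --update rule pair."""

    def __init__(self, seconds=600, hitcount=10, max_stamps=20):
        self.seconds = seconds        # --seconds: width of the sliding window
        self.hitcount = hitcount      # --hitcount: stamps in window that trigger a match
        self.max_stamps = max_stamps  # xt_recent keeps ip_pkt_list_tot stamps per source (default 20)
        self.stamps = defaultdict(deque)

    def _stamp(self, src, now):
        """Record one sighting of src, discarding the oldest beyond the cap."""
        q = self.stamps[src]
        q.append(now)
        while len(q) > self.max_stamps:
            q.popleft()

    def _hits_in_window(self, src, now):
        return sum(1 for t in self.stamps[src] if now - t < self.seconds)

    def new_connection(self, src, now):
        """Verdict for one NEW connection from src at time `now` (seconds)."""
        self._stamp(src, now)                    # rule 1: -m recent --set (always records, no -j)
        if self._hits_in_window(src, now) >= self.hitcount:
            self._stamp(src, now)                # rule 2 matched: --update refreshes the entry
            return "DROP"
        return "ACCEPT"                          # rule 2 did not match; later rules decide


def simulate(attempts, seconds=600, hitcount=10):
    """Run (source, time) NEW connections through one shared table; returns verdicts in order."""
    table = RecentMatch(seconds, hitcount)
    return [table.new_connection(src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed traffic: one source opening a connection every 30 s, and a
    # second source with two connections in the same period.
    hammer = [("198.51.100.7", i * 30) for i in range(12)]
    quiet = [("203.0.113.9", 100), ("203.0.113.9", 200)]
    traffic = sorted(hammer + quiet, key=lambda a: a[1])
    for (src, t), verdict in zip(traffic, simulate(traffic)):
        print(f"t={t:4d}  {src:<14} {verdict}")
```

Two things the model makes visible. The counter is NEW connections, not failed logins, so a legitimate user who opens more than ten sessions in ten minutes to port 22 is dropped just like the attacker; the rules must also sit before any ACCEPT for that port, or they are never reached. And because the second rule uses `--update`, each dropped attempt refreshes the entry, so a source that keeps knocking stays blocked for as long as it keeps knocking; the ten-minute figure is the quiet time needed before it is accepted again.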
gr0x0rd Guru
Joined: 12 Aug 2006 Posts: 311
Posted: Sat Dec 26, 2009 6:04 am Post subject:
Thanks! Next time I have an attack that fail2ban fails to... ban, I'll give this a shot! Merry Christmas, my brother.
_________________
~g
emerge -FML...
d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
Posted: Sat Dec 26, 2009 3:54 pm Post subject:
You too :P