From: Kevin Z. <kev...@gm...> - 2015-05-07 20:48:09
On 05/06/2015 15:46, James Harris wrote:
> I see the freebsd init script was removed from the repo. Was the script
> removed because it is broken or unwanted? I have a systemd unit file
> that I have been debating making a pull request for. I thought if at
> least an example unit file was included we might be able to encourage
> others to package sshguard for their preferred OS/distro.

Mostly because the FreeBSD startup script is being maintained outside of
the SSHGuard tree. What was left in the repository was a very old version
that once upon a time was in the FreeBSD ports tree. Since startup scripts
tend to be OS-specific, I decided to take it out.

I'm not sure what to feel about a systemd unit file. It sounds like it
could be useful for every Linux distribution that uses systemd, and
wouldn't hurt anyone else. Different OSes are probably going to make
distro-specific changes, though.

Full disclosure: I'm a FreeBSD user, so I'm inherently biased against
systemd. I don't have any convincing arguments against it, though, except
that I *did* take out the FreeBSD startup script.

> On another topic. I have seen my currently loaded blacklist is up to
> about 1260 addresses. Out of curiosity I started writing some scripts to
> do some analysis of the IPs. My thought was maybe people that get issued
> a DHCP address from their provider start to reject addresses until they
> get a new one that hasn't been blocked by their targets. I would guess
> those addresses are rather close to each other or at least issued to the
> same AS. If many attacks came from the same net block it would be faster
> to block a range of addresses. Fewer rules should make the firewall
> faster; also it would be proactive, blocking the other addresses they
> are likely to get. Sorting by AS I can see I have 39 hits from AS12876
> from France, which has 4 allocations, but most of my hits are from only
> one. From AS4837 I have 38 blacklisted, but they have several /16 or /15
> ranges and my hits come from across many of them. From AS4134 I have 452
> blacklisted and they also have 20-some /15 or /16 allocated blocks. I
> can provide the scripts if anyone is interested. I pulled the AS data
> from Team Cymru via their DNS gateway
> http://www.team-cymru.org/IP-ASN-mapping.html#dns.

This proposal sounds promising. The biggest hurdle was getting block
information from IP addresses (a WHOIS on every incoming attacker doesn't
sound like a good plan). With DNS this seems more feasible.

So would attacks be recorded on a per-address-block basis? What if an
attacker sitting on a huge public block (say, a university's class A) gets
the block blacklisted? Isn't this a denial of service?

> Finally I was looking over the iptables capabilities and it looks like
> it is possible to get hit counts on rules. I would suspect most of the
> backends support this. Would there be interest in adding hit count
> thresholds to the temporary blocks, blacklisting promotions? So as the
> temporary rules continue to receive hits they should stay in place,
> resetting the expire timer, and given enough hits be promoted to a
> blacklist. Instead of waiting for several violations to occur only one
> may be needed. Then as the rule continues to be triggered by likely
> attacks it can be extended or made permanent, never opening the service
> back to the attacker.

Perhaps. Again, this circles back to the issue of blacklists. I tend to
not like permanent blacklisting because dynamic IPs can be recycled very
frequently. One could argue that instead of using SSHGuard, a low-traffic
host might be better off blocking IP blocks from (insert your favorite
botnet region here) on a firewall.

But again, I'm super biased and am aware that some features would be
useful to SSHGuard even though *I* don't use them. I'm really interested
in hearing opinions on this.
Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
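The AS/prefix analysis James describes, as an added example written for this page (it is not SSHGuard code and not the scripts he offers to share). It builds the Team Cymru origin-AS query name the way the linked DNS gateway expects (reversed IPv4 octets under origin.asn.cymru.com, answered as a TXT record of the form "ASN | prefix | CC | registry | allocated"), groups a blacklist by origin AS and announced prefix, and turns prefixes that exceed a hit threshold into range rules. It also adds the guard Kevin's reply asks for: a prefix wider than an assumed limit (/16 here) is reported instead of blocked, so one attacker on a very large block does not take the whole block offline. No live DNS is performed; a constructed answer table stands in for the resolver, using documentation ASNs 64496-64498 and the TEST-NET prefixes, with 10.0.0.0/8 playing the "university's class A" role. The threshold, the width limit, the sample addresses and the iptables rule shape are all assumptions of the example.

```python
"""Group blacklisted addresses by origin AS and prefix (added example)."""
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

PrefixKey = Tuple[str, str]  # (asn, prefix) as strings


def cymru_query_name(ip: str) -> str:
    """Name to look up (TXT) for the origin AS of an IPv4 address."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"


def parse_cymru_txt(txt: str) -> Tuple[str, str, str]:
    """Split an origin.asn.cymru.com answer into (asn, prefix, country).

    The first field can hold several space-separated ASNs for a
    multi-origin prefix; the first one is used for grouping.
    """
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 3:
        raise ValueError(f"unexpected Team Cymru answer: {txt!r}")
    asn = fields[0].split()[0]
    prefix = str(ipaddress.IPv4Network(fields[1], strict=False))
    return asn, prefix, fields[2]


# Constructed stand-in for DNS answers (documentation ASNs and prefixes;
# 10.0.0.0/8 is a made-up "huge block" for the width guard below).
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "192.0.2.0/24": "64496 | 192.0.2.0/24 | ZZ | ripencc | 2010-01-01",
    "198.51.100.0/24": "64497 | 198.51.100.0/24 | ZZ | apnic | 2010-01-01",
    "203.0.113.0/24": "64497 | 203.0.113.0/24 | ZZ | apnic | 2010-01-01",
    "10.0.0.0/8": "64498 | 10.0.0.0/8 | ZZ | arin | 2010-01-01",
}

# Constructed blacklist; the last address is outside every known prefix.
CONSTRUCTED_BLACKLIST: List[str] = [
    "192.0.2.10", "192.0.2.11", "192.0.2.77", "192.0.2.130", "192.0.2.201",
    "198.51.100.5", "198.51.100.9",
    "203.0.113.3", "203.0.113.44", "203.0.113.250",
    "10.1.2.3", "10.20.30.40", "10.99.0.1", "10.200.1.1", "10.7.7.7", "10.8.8.8",
    "192.168.1.1",
]


def offline_resolver(ip: str) -> Optional[str]:
    """Return the constructed TXT answer covering ip, or None if unknown."""
    addr = ipaddress.IPv4Address(ip)
    for prefix, txt in CONSTRUCTED_ANSWERS.items():
        if addr in ipaddress.IPv4Network(prefix):
            return txt
    return None


def hits_by_prefix(blacklist: List[str],
                   resolve: Callable[[str], Optional[str]]
                   ) -> Tuple[Dict[PrefixKey, int], List[str]]:
    """Count blacklisted addresses per (asn, prefix); collect unresolved ones."""
    hits: Dict[PrefixKey, int] = defaultdict(int)
    unresolved: List[str] = []
    for ip in blacklist:
        txt = resolve(ip)
        if txt is None:
            unresolved.append(ip)
            continue
        asn, prefix, _country = parse_cymru_txt(txt)
        hits[(asn, prefix)] += 1
    return dict(hits), unresolved


def hits_by_asn(hits: Dict[PrefixKey, int]) -> Dict[str, int]:
    """Roll the per-prefix counts up to per-AS totals."""
    totals: Dict[str, int] = defaultdict(int)
    for (asn, _prefix), n in hits.items():
        totals[asn] += n
    return dict(totals)


def range_block_candidates(hits: Dict[PrefixKey, int], min_hits: int = 3,
                           widest_prefix: int = 16):
    """Prefixes worth a range rule, and prefixes too wide to block wholesale.

    A prefix shorter than widest_prefix (e.g. a /8) is reported rather
    than blocked: one attacker there would otherwise deny the whole block.
    """
    candidates, too_broad = [], []
    for (asn, prefix), n in hits.items():
        if n < min_hits:
            continue
        if ipaddress.IPv4Network(prefix).prefixlen < widest_prefix:
            too_broad.append((asn, prefix, n))
        else:
            candidates.append((asn, prefix, n))
    candidates.sort(key=lambda t: (-t[2], t[1]))
    return candidates, too_broad


def iptables_rules(candidates) -> List[str]:
    """One DROP rule per prefix instead of one per address (assumed shape)."""
    return [f"iptables -I INPUT -s {prefix} -j DROP" for _asn, prefix, _n in candidates]


if __name__ == "__main__":
    hits, unresolved = hits_by_prefix(CONSTRUCTED_BLACKLIST, offline_resolver)
    for asn, n in sorted(hits_by_asn(hits).items(), key=lambda t: -t[1]):
        print(f"AS{asn}: {n} blacklisted addresses")
    cands, broad = range_block_candidates(hits)
    for rule in iptables_rules(cands):
        print(rule)
    for asn, prefix, n in broad:
        print(f"not blocking {prefix} (AS{asn}, {n} hits): wider than /16")
    print("unresolved:", unresolved)
```

To run it against a real blacklist, replace `offline_resolver` with a function that resolves `cymru_query_name(ip)` as a TXT record (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`) and returns the answer string; everything else stays the same. The width limit is the knob that answers the denial-of-service concern: lower it to be more aggressive, or raise it and review the `too_broad` list by hand.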
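The hit-count promotion James proposes at the end, modelled as an added example (again not SSHGuard code; SSHGuard's real block logic is not shown on this page). A first attack creates a temporary block; every further hit against an address that is already blocked, which is what a backend's per-rule hit counter would report, resets the expiry timer and bumps a counter, and reaching the threshold promotes the address. Following Kevin's objection to permanent entries on recycled dynamic addresses, the promoted entry gets a long but finite lifetime rather than no expiry at all. The block length, threshold, blacklist lifetime and the replayed event timeline are assumptions of the example.

```python
"""Temporary blocks that refresh on hits and promote by hit count (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entry:
    expires_at: float
    hits: int = 1
    blacklisted: bool = False


@dataclass
class BlockTable:
    block_seconds: float = 120.0             # assumed temporary block length
    promote_hits: int = 5                    # assumed promotion threshold
    blacklist_seconds: float = 7 * 86400.0   # assumed finite blacklist lifetime
    entries: Dict[str, Entry] = field(default_factory=dict)

    def expire(self, now: float) -> List[str]:
        """Drop every entry whose timer has run out; return the dropped addresses."""
        expired = [ip for ip, e in self.entries.items() if e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def hit(self, ip: str, now: float) -> str:
        """Record an attack from ip at time now and report what was done."""
        self.expire(now)
        e = self.entries.get(ip)
        if e is None:
            # First violation: block right away, as the proposal suggests.
            self.entries[ip] = Entry(expires_at=now + self.block_seconds)
            return "blocked"
        if e.blacklisted:
            return "already_blacklisted"
        e.hits += 1
        if e.hits >= self.promote_hits:
            e.blacklisted = True
            e.expires_at = now + self.blacklist_seconds
            return "promoted"
        e.expires_at = now + self.block_seconds   # keep the rule in place
        return "refreshed"

    def is_blocked(self, ip: str, now: float) -> bool:
        self.expire(now)
        return ip in self.entries


# Constructed timeline: (seconds, attacker). One address keeps hammering,
# the other stops after two attempts and should simply age out.
CONSTRUCTED_EVENTS: List[Tuple[float, str]] = [
    (0, "192.0.2.10"), (30, "192.0.2.10"), (60, "192.0.2.10"),
    (90, "192.0.2.10"), (100, "192.0.2.10"),
    (0, "198.51.100.7"), (50, "198.51.100.7"),
]


def replay(events: List[Tuple[float, str]], table: BlockTable = None):
    """Feed events through a table in time order; return the table and a log."""
    table = table or BlockTable()
    log = [(t, ip, table.hit(ip, t)) for t, ip in sorted(events)]
    return table, log


if __name__ == "__main__":
    table, log = replay(CONSTRUCTED_EVENTS)
    for t, ip, outcome in log:
        print(f"t={t:>4}  {ip:<14} {outcome}")
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(f"{ip} blocked at t=200: {table.is_blocked(ip, 200)}")
```

The state kept here per address (counter plus expiry) is exactly what a hit-counting backend would need to feed back into the daemon; whether that is simpler than re-reading the firewall's counters is the open question the reply leaves for discussion.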