From: <li...@la...> - 2017-01-24 19:31:10
<html><head></head><body lang="en-US" style="background-color: rgb(255, 255, 255); line-height: initial;"> <div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">I see your point, but in reality, you will only be hit three times in a brute-force attack. You won't get flooded. If they snowshoe, I suppose that is a different story.</div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">My VPS only allows a key-based login on ssh, but their distribution of FreeBSD leaves the password login open. Not being familiar with FreeBSD or keygen-type login, I didn't know to disable the password auth. But I figure that the list of IPs collected by sshguard is useful info in that it can be used to block other services. </div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><span style="font-size: initial; line-height: initial; text-align: initial;"><br></span></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><span style="font-size: initial; line-height: initial; text-align: initial;">I can tell you that a full scan from Zenmap will earn you a block from sshguard, so the IP gathering isn't exactly useless if you want to block probers. I ran Zenmap as a pen test and blocked my own access. 
I had to tether through my phone to get back in and delete my IP from the table. </span></div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><span style="font-size: initial; line-height: initial; text-align: initial;"><br></span></div> <div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br style="display:initial"></div> <div style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif, sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"></div> <table width="100%" style="background-color:white;border-spacing:0px;"> <tbody><tr><td colspan="2" style="font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"> <div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', 'Slate Pro'; font-size: 10pt;"> <div><b>From: </b>Reshey</div><div><b>Sent: </b>Tuesday, January 24, 2017 8:05 AM</div><div><b>To: </b>ssh...@li...</div><div><b>Subject: </b>[SSHGuard-users] Fwd: Auth error ignored by sshguard</div></div></td></tr></tbody></table><div style="border-style: solid none none; border-top-color: rgb(186, 188, 209); border-top-width: 1pt; font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"></div><br><div id="_originalContent" style=""><div dir="ltr">New to this mailing list thing. Sorry if I sent it two times.<div><br><div class="gmail_quote">--Thank you for your reply<div dir="ltr"><div><br></div><div><div>I got sshguard working in OpenBSD 6.0. 
</div><div>It seems the problem was that I had enforced key-based login for ssh.</div><div><br></div><div>Question: Is it possible for sshguard to ban brute-forcers while having password login disabled?</div><div>sshguard bans a user who fails password login, but does nothing to brute-forcers who are trying while password login is disabled.</div><div>Attached log:</div><div><br></div><div># I hammer the server from PuTTY, with no key file. sshd is set to ONLY accept key-based login. sshguard does not ban this "attacker". </div><div><br></div><div>Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]</div><div>Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:16 wall sshd[25553]: Disconnected from 176.11.88.222 port 49903 [preauth]</div><div>Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:21 wall sshd[78292]: Disconnected from 176.11.88.222 port 49904 [preauth]</div><div>Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:25 wall sshd[61028]: Disconnected from 176.11.88.222 port 49905 [preauth]</div><div>Jan 24 16:03:28 wall sshd[47277]: Received disconnect from 176.11.88.222 port 49907:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:28 wall sshd[47277]: Disconnected from 176.11.88.222 port 49907 [preauth]</div><div>Jan 24 16:03:31 wall sshd[3940]: Received disconnect from 176.11.88.222 port 49908:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:31 wall sshd[3940]: Disconnected from 176.11.88.222 port 49908 
[preauth]</div><div>Jan 24 16:03:34 wall sshd[94581]: Received disconnect from 176.11.88.222 port 49909:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:34 wall sshd[94581]: Disconnected from 176.11.88.222 port 49909 [preauth]</div><div>Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]</div><div>Jan 24 16:03:40 wall sshd[31923]: Received disconnect from 176.11.88.222 port 49910:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:40 wall sshd[31923]: Disconnected from 176.11.88.222 port 49910 [preauth]</div><div>Jan 24 16:03:46 wall sshd[13880]: Received disconnect from 176.11.88.222 port 49911:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:03:46 wall sshd[13880]: Disconnected from 176.11.88.222 port 49911 [preauth]</div><div>Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]</div><div>Jan 24 16:04:50 wall sshd[80716]: Disconnected from 123.183.209.132 port 53406 [preauth]</div><div><br></div><div><br></div><div># I then changed sshd to accept password login, and restarted sshd.</div><div>Jan 24 16:05:22 wall sshd[75937]: Received signal 15; terminating.</div><div>Jan 24 16:05:22 wall sshd[73886]: Server listening on 0.0.0.0 port 22.</div><div>Jan 24 16:05:22 wall sshd[73886]: Server listening on :: port 22.</div><div><br></div><div># I continue to hammer from PuTTY at the server. 
Now sshguard bans the "attacker".</div><div><br></div><div>Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 176.11.88.222 port 49945 ssh2</div><div>Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 176.11.88.222 port 49945:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:06:06 wall sshd[75413]: Disconnected from 176.11.88.222 port 49945 [preauth]</div><div>Jan 24 16:06:06 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2</div><div>Jan 24 16:06:07 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2</div><div>Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 176.11.88.222 port 49946 ssh2</div><div>Jan 24 16:06:09 wall sshd[35947]: Received disconnect from 176.11.88.222 port 49946:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:06:09 wall sshd[35947]: Disconnected from 176.11.88.222 port 49946 [preauth]</div><div>Jan 24 16:06:12 wall sshd[18262]: Received disconnect from 123.183.209.132 port 61962:11: [preauth]</div><div>Jan 24 16:06:12 wall sshd[18262]: Disconnected from 123.183.209.132 port 61962 [preauth]</div><div>Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 176.11.88.222 port 49947 ssh2</div><div>Jan 24 16:06:12 wall sshd[29005]: Received disconnect from 176.11.88.222 port 49947:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:06:12 wall sshd[29005]: Disconnected from 176.11.88.222 port 49947 [preauth]</div><div>Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 176.11.88.222 port 49948 ssh2</div><div>Jan 24 16:06:15 wall sshd[22704]: Received disconnect from 176.11.88.222 port 49948:11: Normal Shutdown, Thank you for playing [preauth]</div><div>Jan 24 16:06:15 wall sshd[22704]: Disconnected from 176.11.88.222 port 49948 [preauth]</div><div>Jan 24 16:06:15 wall sshguard[42310]: Blocking 176.11.88.222:4 for >630secs: 40 
danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s)</div><div><br></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 22, 2017 at 11:54 PM, <span dir="ltr"><<a href="mailto:li...@la..." target="_blank">li...@la...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ha, I am the only legitimate client. ;-) Besides, if I don't support the standard, nothing will get through. I caught some OVH VPS hammering my email server with an outmoded crypto, which was related to POODLE and/or Heartbleed.<br> <a href="http://disablessl3.com/" rel="noreferrer" target="_blank">http://disablessl3.com/</a><br> <br> SHA1 is out of favor these days. Commercially they won't issue certs with SHA1.<br> <a href="http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/" rel="noreferrer" target="_blank">http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/</a><br> <br> One of those Chinese certs was "illegally" (as if certs have any legal standing) issuing SHA1 certs. WoSign I think.<br> <br> My philosophy is if someone is doing goofy stuff, block them. Today you can repel them, but tomorrow there may be a zero-day. In any event, these clowns can flood a service. <br> <br> I've been reluctant to use the ipfw table 22 the sshguard generates for anything other than port 22, but I think I will add Web and email rules. Just not port 25 because that would probably block some legitimate email. <br> <br> I have a number of blocks on email other than port 25, and some days block 30 or so IP addresses trying to hack the ports. I traced one supposed hacker to a (cough cough) research team claiming to be doing a survey on email ports. They provided CIDRs, so I guess they were really doing research. 
On the other hand, the University of Michigan attempts to mess with my IMAP on a daily basis, and attempts to contact them via email go nowhere. Obviously they get firewall blocked now except on 25.<br> <br> <br> Original Message <br> From: Daniel Aleksandersen<br> Sent: Sunday, January 22, 2017 1:55 PM<br> To: <a href="mailto:ssh...@li..." target="_blank">ssh...@li...urceforge.net</a><br> Subject: Re: [SSHGuard-users] Auth error ignored by sshguard<br> <div class="m_-7452452538434328909HOEnZb"><div class="m_-7452452538434328909h5"><br> On Sun, Jan 22, 2017, at 11:53, <a href="mailto:li...@la..." target="_blank">li...@la...</a> wrote:<br> > From FreeBSD auth.log:<br> > ----------------------------------<br> > Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with<br> > 198.50.142.115 port 57860: no matching key exchange method found. Their<br> > offer: diffie-hellman-group1-sha1 [pre auth]<br> > ---------------------<br> > I suppose this is an odd case for an ssh login attempt, but I figured<br> > I'd post it for what it is worth. Sshguard didn't block the IP. Now I<br> > suppose you can say if the key exchange method isn't supported, they<br> > will never get it, but it seems to me that could leave the system open<br> > to some exploit.<br> <br> Hm. Wouldn’t that potentially block some legitimate clients that are<br> trying to negotiate a connection?<br> <br> > I'm still on rev 1.7.<br> ><br> > IP is OVH. Oh, I'm shocked. ;-)<br> --<br> Daniel Aleksandersen<br> <br> ------------------------------------------------------------------------------<br> Check out the vibrant tech community on one of the world's most<br> engaging tech sites, SlashDot.org! <a href="http://sdm.link/slashdot" rel="noreferrer" target="_blank">http://sdm.link/slashdot</a><br> _______________________________________________<br> sshguard-users mailing list<br> <a href="mailto:ssh...@li..." 
target="_blank">ssh...@li...urceforge.net</a><br> <a href="https://lists.sourceforge.net/lists/listinfo/sshguard-users" rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a><br> <br> </div></div></blockquote></div><br></div> </div></div></div><br></div></div> <br><!--end of _originalContent --></div></body></html>
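As an added example (not part of the thread and not sshguard's own code), the Python script below replays sshd log lines of the forms quoted above and scores them per source address. It shows why a matcher keyed only on "Failed password" never fires while sshd accepts keys alone (every session from a keyless client ends as a preauth disconnect, exactly as Reshey's first log shows), what an extended rule set that also counts preauth disconnects and "no matching key exchange method" failures would do, and how an allowlist addresses Daniel's concern about legitimate clients that only fail key-exchange negotiation. Everything in it is assumed: the RFC 5737 test addresses, hostnames and PIDs in the constructed log lines, the scoring parameters (10 per event, block at 40, 600-second window, chosen to mirror the "40 danger in 4 attacks" line above), and the year 2017 supplied for timestamps.

```python
# Added illustration, not sshguard's code. Sample lines are constructed
# (RFC 5737 addresses, invented PIDs) but follow the sshd formats quoted above.
import re
from collections import defaultdict
from datetime import datetime

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# One matcher per recognised sshd message (deliberately narrow).
# "Disconnected from ... [preauth]" is left unmatched on purpose: it always
# follows "Received disconnect" for the same PID and would count a session twice.
MATCHERS = {
    "failed_password": re.compile(
        r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    "preauth_disconnect": re.compile(
        r"^(?:Received disconnect from|Connection closed by) (?P<ip>\S+) port \d+.*\[preauth\]$"),
    "kex_mismatch": re.compile(
        r"Unable to negotiate with (?P<ip>\S+) port \d+: no matching key exchange method"),
}

# Which message kinds each rule set scores as an attack (assumed rule sets).
RULESETS = {
    "password_only": {"failed_password"},  # the behaviour the thread observes
    "extended": {"failed_password", "preauth_disconnect", "kex_mismatch"},
}

def parse_line(line, year=2017):
    """Return (timestamp, pid, kind, ip) for a recognised line, else None.
    Syslog lines carry no year, so one is supplied (2017 assumed)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, rx in MATCHERS.items():
        hit = rx.search(m["msg"])
        if hit:
            return ts, m["pid"], kind, hit["ip"]
    return None

def score(lines, ruleset, allowlist=(), per_event=10, threshold=40, window_s=600):
    """Return {ip: timestamp of the event that crossed the threshold}.
    Events older than window_s are forgotten (sliding window); addresses in
    allowlist are never scored, e.g. a known client stuck on an old kex method."""
    recent = defaultdict(list)  # ip -> timestamps of scored events still in window
    failed_pids = set()         # sessions that already scored a password failure
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, kind, ip = parsed
        if kind == "failed_password":
            failed_pids.add(pid)
        elif kind == "preauth_disconnect" and pid in failed_pids:
            continue  # same session already counted via its password failure
        if kind not in RULESETS[ruleset] or ip in allowlist or ip in blocked:
            continue
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        recent[ip].append(ts)
        if len(recent[ip]) * per_event >= threshold:
            blocked[ip] = ts
    return blocked

# Phase 1 (constructed): sshd accepts keys only, so a client without a key
# only ever produces preauth disconnects; no "Failed password" is written.
KEY_ONLY_LOG = [
    "Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 192.0.2.10 port 49902:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:12 wall sshd[99571]: Disconnected from 192.0.2.10 port 49902 [preauth]",
    "Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 192.0.2.10 port 49903:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 192.0.2.10 port 49904:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 192.0.2.10 port 49905:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:03:35 wall sshd[61363]: Connection closed by 198.51.100.7 port 64750 [preauth]",
]

# Phase 2 (constructed): password authentication re-enabled; each session now
# writes one "Failed password" before its disconnect line.
PASSWORD_LOG = [
    "Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 192.0.2.10 port 49945 ssh2",
    "Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 192.0.2.10 port 49945:11: Normal Shutdown, Thank you for playing [preauth]",
    "Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 192.0.2.10 port 49946 ssh2",
    "Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 192.0.2.10 port 49947 ssh2",
    "Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 192.0.2.10 port 49948 ssh2",
]

# Phase 3 (constructed): a client offering only an old key-exchange method,
# the "no matching key exchange method" case raised at the end of the thread.
KEX_LOG = [
    f"Jan 22 04:16:{13 + i} theranch sshd[{48754 + i}]: fatal: Unable to negotiate with "
    f"198.51.100.42 port {57860 + i}: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1 [preauth]"
    for i in range(4)
]

def demo():
    """Run both rule sets over the three phases; returns blocked IPs per case."""
    return {
        "keys_only/password_only": sorted(score(KEY_ONLY_LOG, "password_only")),
        "keys_only/extended": sorted(score(KEY_ONLY_LOG, "extended")),
        "passwords/password_only": sorted(score(PASSWORD_LOG, "password_only")),
        "passwords/extended": sorted(score(PASSWORD_LOG, "extended")),
        "kex/extended": sorted(score(KEX_LOG, "extended")),
        "kex/extended+allowlist": sorted(score(KEX_LOG, "extended", allowlist={"198.51.100.42"})),
    }

if __name__ == "__main__":
    for case, ips in demo().items():
        print(f"{case:24s} blocked: {ips or 'nothing'}")
```

Running it prints nothing blocked for the keys-only phase under the password-only rule set, while the extended rule set blocks 192.0.2.10 on its fourth preauth disconnect; once passwords are enabled both rule sets block it on the fourth "Failed password", and the PID check keeps the disconnect that follows each failure from being counted a second time. The kex phase shows the trade-off Daniel raised: the extended rule set blocks a client that only ever fails negotiation, and the allowlist is the knob that exempts a known legitimate one.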