From: lists <li...@la...> - 2021-01-10 01:50:54
<html><head><style id="outgoing-font-settings">#response_container_BBPPID{font-family: initial; font-size:initial; color: initial;}</style></head><body style="background-color: rgb(255, 255, 255); background-image: initial; line-height: initial;"><div id="response_container_BBPPID" style="outline:none;" dir="auto" contenteditable="false"> <div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"> I would really like a logging feature and just create a static block list after examining the source. If you use PKI nobody is going to get through. So it becomes a matter of how much CPU effort you spend on blocking versus just letting the OS reject the fool. On CentOS updating the firewall is a CPU drain. </div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;"><br></div><div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">I use static blocking lists now for my web and email server. Firewalld uses a fair amount of RAM but very little CPU once the blocking list is processed. With foreign IP space blocked virtually no one messes with my mail server. I have another list of hosting/VPS space that I block from the web server and mail except for port 25. It takes a week these days to gather enough IPs to bother investigating. I find maybe half a dozen companies to block. I block the hackers just to be safe since you never know what zero-day is out there. </div> <div name="BB10" id="response_div_spacer_BBPPID" dir="auto" style="width:100%;"> <br style="display:initial"></div><div name="BB10" id="response_div_spacer_BBPPID" dir="auto" style="width:100%;">I find it odd how many no-name cloud companies there are out there. There can't possibly be the need for so many players. 
</div> <div id="blackberry_signature_BBPPID" name="BB10" dir="auto"> <div id="_signaturePlaceholder_BBPPID" name="BB10" dir="auto"></div> </div></div><div id="_original_msg_header_BBPPID" dir="auto"> <table width="100%" style="border-spacing: 0px; display: table; outline: none;" contenteditable="false"><tbody><tr><td colspan="2" style="padding: initial; font-size: initial; text-align: initial;"> <div style="border-right: none; border-bottom: none; border-left: none; border-image: initial; border-top: 1pt solid rgb(181, 196, 223); padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', 'Slate Pro'; font-size: 10pt;"> <div id="from"><b>From:</b> jam...@gm...</div><div id="sent"><b>Sent:</b> January 9, 2021 4:23 PM</div><div id="to"><b>To:</b> tes...@po...</div><div id="reply_to"><b>Reply-to:</b> Jam...@gm...</div><div id="cc"><b>Cc:</b> ssh...@li...</div><div id="subject"><b>Subject:</b> Re: [SSHGuard-users] Feature request and suggested patch to merge attacks from subnets</div></div></td></tr></tbody></table> <br> </div><!--start of _originalContent --><div name="BB10" dir="auto" style="background-image: initial; line-height: initial; outline: none;" contenteditable="false"><div dir="ltr">Andreas,<div><br></div><div>I have been thinking about this type of change for a while. I don't know that threats come from clean subnets of similar sizes. My guess is that threats are more strongly correlated to autonomous systems than just subnets. I would guess fixed subnet sizes will just limit the number of rules proportional to the size of the subnetting. I wonder if one approach might be to score based on AS then block all IPs associated with that AS. Similarly instead of a fixed subnet size pick some weights that allow a bigger subnet if there are enough attacks compared to the number of IPs represented in that group. 
As these weights and subnet sizes vs number of firewall rules might need a significant amount of tuning I was thinking this might be an offline operation where the admin needs to approve the proposed ruleset. </div><div><br></div><div>It might be better to gather real log data, possibly filtered to just remote IP for privacy reasons. Then simulate the different approaches on those data sets and determine what number of rules we get. Finally run those rules through a few of the popular backend firewalls to determine performance impact. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jan 9, 2021 at 2:40 PM Testudo Aquatilis <<a href="mailto:tes...@po...">tes...@po...</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex">Hello,<br> <br> as sshguard already has the feature to block subnets after an attack, I<br> would suggest to also merge attacks of the configured subnets.<br> Especially for IPv6 this would be quite useful because attackers might<br> have larger subnets available and could otherwise flood with attacks<br> from individual IPv6 addresses without getting blocked, as attacks are<br> counted individually.<br> <br> The attached patch implements this to the best of my knowledge, so a<br> review would not harm. It basically uses arpa/inet.h functions, which<br> are also used in sshguard_whitelist.c. It parses the IP address into<br> integer format, applies the mask and writes the resulting address back<br> before further handling the attack.<br> <br> The patch does what I would like to have as behavior when setting the<br> subnet config-variables, so using the same subnet-size for blocking and<br> merging is a feature from my point of view. 
But if this conflicts with<br> other use-cases, it might be considered to have 2 separate subnet-size<br> command-line flags and config variables for merging and for blocking.<br> <br> Best regards,<br> Andreas<br> _______________________________________________<br> sshguard-users mailing list<br> <a href="mailto:ssh...@li...">ssh...@li...</a><br> <a href="https://lists.sourceforge.net/lists/listinfo/sshguard-users">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a><br> </blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">James Harris<br>Software Engineer<br><a href="mailto:jam...@gm...">jam...@gm...</a><br></div> <!--end of _originalContent --></div></body></html>
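The merge step Andreas describes in the quoted message (parse the attacker address into integer form with the arpa/inet.h functions, apply the configured subnet mask, write the network address back, then count the attack against that network) is shown below as an added example in C. It is not the attached patch and not sshguard's own code; the prefix lengths (/24 for IPv4, /64 for IPv6), the tiny attack table and the sample addresses drawn from the documentation ranges are assumptions made for the demonstration. It also illustrates the IPv6 point made in the thread: five distinct source addresses in the same /64 collapse to one entry, so a per-address threshold can no longer be evaded by rotating hosts inside the attacker's subnet.

```c
/*
 * Added example, not sshguard's code and not the attached patch: merge
 * attacks from one subnet into a single entry. An attacker address is
 * parsed with inet_pton(), the configured prefix is applied to the
 * network-byte-order bytes, and the network address is written back with
 * inet_ntop() before the attack is counted. Prefix lengths, table size and
 * sample addresses are assumptions for the demonstration.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Zero every bit after the first `prefix` bits of an address held as
 * `len` network-byte-order bytes (4 for IPv4, 16 for IPv6). */
static void apply_prefix(unsigned char *addr, size_t len, unsigned prefix)
{
    for (size_t i = 0; i < len; i++) {
        unsigned bits_left = prefix > i * 8 ? prefix - (unsigned)(i * 8) : 0;
        if (bits_left >= 8)
            continue;                        /* byte lies inside the prefix */
        /* keep the top bits_left bits, clear the rest (bits_left may be 0) */
        addr[i] &= (unsigned char)(0xFFu << (8 - bits_left));
    }
}

/* Rewrite `ip` (IPv4 or IPv6 text) as the text form of its network address
 * for the given prefix lengths. `out` needs INET6_ADDRSTRLEN bytes.
 * Returns 0 on success, -1 if `ip` is not a valid address. */
int merge_to_subnet(const char *ip, unsigned prefix4, unsigned prefix6,
                    char *out, size_t outlen)
{
    unsigned char buf[16];

    if (inet_pton(AF_INET, ip, buf) == 1) {
        apply_prefix(buf, 4, prefix4 > 32 ? 32 : prefix4);
        return inet_ntop(AF_INET, buf, out, (socklen_t)outlen) ? 0 : -1;
    }
    if (inet_pton(AF_INET6, ip, buf) == 1) {
        apply_prefix(buf, 16, prefix6 > 128 ? 128 : prefix6);
        return inet_ntop(AF_INET6, buf, out, (socklen_t)outlen) ? 0 : -1;
    }
    return -1;                               /* not an IP address at all */
}

/* Convenience check: does `ip` merge to the network `expect`? */
int merges_to(const char *ip, unsigned prefix4, unsigned prefix6,
              const char *expect)
{
    char net[INET6_ADDRSTRLEN];
    return merge_to_subnet(ip, prefix4, prefix6, net, sizeof net) == 0
        && strcmp(net, expect) == 0;
}

/* Minimal attack table keyed by the merged network address. */
#define MAX_ENTRIES 64
struct attack_table {
    struct { char net[INET6_ADDRSTRLEN]; unsigned attacks; } e[MAX_ENTRIES];
    size_t n;
};

/* Count one attack from `ip` against its subnet and return the total now
 * held against that subnet; 0 means the address was unusable or the table
 * is full. */
unsigned record_attack(struct attack_table *t, const char *ip,
                       unsigned prefix4, unsigned prefix6)
{
    char net[INET6_ADDRSTRLEN];

    if (merge_to_subnet(ip, prefix4, prefix6, net, sizeof net) != 0)
        return 0;
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].net, net) == 0)
            return ++t->e[i].attacks;        /* same subnet: merge */
    if (t->n == MAX_ENTRIES)
        return 0;
    snprintf(t->e[t->n].net, sizeof t->e[t->n].net, "%s", net);
    t->e[t->n].attacks = 1;
    return t->e[t->n++].attacks;
}

/* Constructed sample (documentation range 2001:db8::/32): four distinct
 * hosts in one /64 followed by one host in the neighbouring /64. Returns
 * the count held against the first /64 after its fourth attack: 4. */
unsigned demo_merge_ipv6(void)
{
    static const char *srcs[] = {
        "2001:db8:1:2::1", "2001:db8:1:2::2",
        "2001:db8:1:2:abcd::3", "2001:db8:1:2::ffff",
        "2001:db8:1:3::1",
    };
    struct attack_table t = { .n = 0 };
    unsigned first_net = 0;

    for (size_t i = 0; i < sizeof srcs / sizeof srcs[0]; i++) {
        unsigned c = record_attack(&t, srcs[i], 24, 64);
        if (i < 4)
            first_net = c;
    }
    return first_net;
}

int main(void)
{
    char net[INET6_ADDRSTRLEN];

    merge_to_subnet("198.51.100.77", 24, 64, net, sizeof net);
    printf("198.51.100.77 merged at /24 -> %s\n", net);
    merge_to_subnet("2001:db8:1:2:abcd::3", 24, 64, net, sizeof net);
    printf("2001:db8:1:2:abcd::3 merged at /64 -> %s\n", net);
    printf("attacks held against the first /64: %u\n", demo_merge_ipv6());
    return 0;
}
```

Using the same prefix length for merging and for blocking, as the patch does, keeps the table key identical to the rule that will eventually be installed, so the number of firewall rules equals the number of table entries rather than the number of attacking hosts; this is the trade-off James raises between subnet size and rule count.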