Menu
▾
▴
sshguard-users
|
From: @lbutlr <kr...@kr...> - 2018-10-05 00:26:20
|
Is it possible to confuse sshguard to instantly block anyone who tries to login as ‘root’ or ‘admin’ or some predefined list of users? There is no possibility that any legitimate connection will ever try to logon as root, admin, toor, user*, pi, guest, test, Dave, sshuser, ftpuser, and quite a few others that I see over and over again. Anyone who tries to ssh in as one of these accounts I just want permabanned. Possible? -- The "H" in Jesus H Christ comes from "Harold be Thy name" in the Lord's Prayer. |
|
From: Kevin Z. <kev...@gm...> - 2018-10-05 16:31:25
|
On 10/4/18 5:01 PM, @lbutlr wrote: > Is it possible to confuse sshguard to instantly block anyone who tries to login as ‘root’ or ‘admin’ or some predefined list of users? There is no possibility that any legitimate connection will ever try to logon as root, admin, toor, user*, pi, guest, test, Dave, sshuser, ftpuser, and quite a few others that I see over and over again. > > Anyone who tries to ssh in as one of these accounts I just want permabanned. > > Possible? Currently, no. But it wouldn't be too hard to hack together. It'd be slightly harder to get this working nice with the rest of SSHGuard; specifically, not requiring you to recompile to enable/disable this functionality and change the list of blacklisted users. If you're comfortable compiling from source I can help you hack this together and see how well it works. -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: @lbutlr <kr...@kr...> - 2018-10-05 17:38:54
|
On 05 Oct 2018, at 10:31, Kevin Zheng <kev...@gm...> wrote: > If you're comfortable compiling from source I can help you hack this > together and see how well it works. I’m more comfortable writing a bash script to run on occasion and add the IPs to the blacklist myself, but I don’t know how sshguard tracks the permanent list as opposed to the timed list. -- Nothing like grilling a kosher dog over human hair to bring out the subtle flavors. |
|
From: Kevin Z. <kev...@gm...> - 2018-10-05 18:48:20
|
On 10/5/18 10:38 AM, @lbutlr wrote: > On 05 Oct 2018, at 10:31, Kevin Zheng <kev...@gm...> wrote: >> If you're comfortable compiling from source I can help you hack >> this together and see how well it works. > > I’m more comfortable writing a bash script to run on occasion and add > the IPs to the blacklist myself, but I don’t know how sshguard tracks > the permanent list as opposed to the timed list. That doesn't make a difference, the username detection would currently require a compile-time change. There's a planned change from the permanent list vs timed list to one persistent list, and I can put more work into that if there's actually interest. -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: @lbutlr <kr...@kr...> - 2018-10-06 01:30:44
|
On 05 Oct 2018, at 11:38, @lbutlr <kr...@kr...> wrote: > I’m more comfortable writing a bash script to run on occasion and add the IPs to the blacklist myself, but I don’t know how sshguard tracks the permanent list as opposed to the timed list. I have a cunning plan.<1> If I use a facility like log rotate to create multiple log lines for the connection attempts I want to permaban, will sshguard be fooled into seeing one attempt as, say, 16 attempts in the same second? <1> http://blackadderquotes.com/i-have-a-cunning-plan -- All great truths begin as blasphemies. |
|
From: James H. <jam...@gm...> - 2018-10-06 01:47:45
|
I have had a similar idea about offline processing. Instead of banning people that are trying to brute force with default usernames, I was thinking about blocking subnets or whole network providers by determine the AS (autonomous system) associated with the IP. I often see brute force attempts originating by IPs close to each other. The script would take a look at all the IPs and suggest rules to block entire networks not only would it be proactive against IPs likely to be used in the future for attacks but it would also reduce the number of firewall rules thus taxing the system less. On Fri, Oct 5, 2018 at 6:30 PM @lbutlr <kr...@kr...> wrote: > On 05 Oct 2018, at 11:38, @lbutlr <kr...@kr...> wrote: > > I’m more comfortable writing a bash script to run on occasion and add > the IPs to the blacklist myself, but I don’t know how sshguard tracks the > permanent list as opposed to the timed list. > > I have a cunning plan.<1> > > If I use a facility like log rotate to create multiple log lines for the > connection attempts I want to permaban, will sshguard be fooled into seeing > one attempt as, say, 16 attempts in the same second? > > <1> http://blackadderquotes.com/i-have-a-cunning-plan > > -- > All great truths begin as blasphemies. > > > > > > _______________________________________________ > sshguard-users mailing list > ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > -- James Harris Software Engineer jam...@gm... |
|
From: Jim S. <jse...@Li...> - 2018-10-06 14:49:56
|
On Fri, 5 Oct 2018 18:47:25 -0700
James Harris <jam...@gm...> wrote:
> I have had a similar idea about offline processing. Instead of
> banning people that are trying to brute force with default
> usernames, I was thinking about blocking subnets or whole network
> providers by determine the AS (autonomous system) associated with
> the IP.
[snip]
The people who run the servers that supply the ASN data may not
appreciate the traffic if many people started doing that.
I used to run an automated blocklisting system that worked like this:
. One (1) spam got you blocklisted for time T with a probationary
period P
. Repeated spams after T expired, but w/in P, re-blocklisted with
incremented T and P
. T would increment to infinity after N relistings
. A script ran every 24 hours that would count the number of
unique listed IP addresses w/in each /24. More than X unique IP
addresses w/in a /24 got the entire /24 listed.
. I had two manual netblock lists:
. A list that, any IP address w/in the list that spammed me
earned immediate infinite listing
. A manual list that was an immediate listing of the entire
netblock
(I'd briefly considered the ASN thing, too. But the ASN server abuse
thing was a bit of a show-stopper.)
Let me tell you how effective all that was: I stopped running it long
ago. Of all the spam blocked by the various mechanisms I used, my
system accounted for a fraction of a percent. (Mainly what all that
effort did was give me a heckuva education in some pretty nifty RDBMS
methods.)
I never got around to running an analysis of sshguard repeat
offenders on my systems, but, if the results of my efforts at creating
my own spam blocklist is any guide: Probably relatively low. There
are *a lot* of IP addresses out there.
The truth is there are so many infected systems out there, so many
systems ripe for infection--due to poor code, poor administration or
both, and so many bad actors exploiting all that, that no automated
system beyond what sshguard is already doing will have much
incremental effect.
IMO: To *really* improve the efficacy of sshguard, many, many
instances of sshguard, across the 'net, would have to be "meshed."
Heuristics and trust mechanisms, similar to those employed by NTP,
would have to be developed. (I actually once considered doing that
between my systems a few years ago.)
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X