From: Art S. <art...@gm...> - 2009-10-02 18:51:02
Is there a way to set up certain types of log messages to be banned on the first attempt, and the rest at the default of 4? The reason I ask is because I like the idea of the default of 4, since users can make mistakes when trying to log in, and that gives them a little room for error, but there are certain log entries that I feel should be banned on the first attempt. For example:

Oct 2 13:26:27 srvtwc sshd[7642]: User root from mx.referent.ru not allowed because not listed in AllowUsers
Oct 2 13:26:27 srvtwc sshguard[30833]: Successfully resolved 'mx.referent.ru' --> 4:'86.111.5.38'.
Oct 2 13:26:27 srvtwc sshguard[30833]: Matched address 86.111.5.38:4 attacking service 100
Oct 2 13:26:28 srvtwc sshd[7642]: error: PAM: Authentication failure for illegal user root from mx.referent.ru
Oct 2 13:26:28 srvtwc sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 86.111.5.38 port 33046 ssh2
Oct 2 13:26:28 srvtwc sshguard[30833]: Matched address 86.111.5.38:4 attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: User root from 119-210-96-87.cust.blixtvik.se not allowed because not listed in AllowUsers
Oct 2 13:27:43 srvtwc sshguard[30833]: Successfully resolved '119-210-96-87.cust.blixtvik.se' --> 4:'87.96.210.119'.
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4 attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: error: PAM: Authentication failure for illegal user root from 119-210-96-87.cust.blixtvik.se
Oct 2 13:27:43 srvtwc sshd[7645]: Failed keyboard-interactive/pam for invalid user root from 87.96.210.119 port 41754 ssh2
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4 attacking service 100
Oct 2 13:28:49 srvtwc sshd[7649]: User root from static-87-79-66-203.netcologne.de not allowed because not listed in AllowUsers
Oct 2 13:28:49 srvtwc sshguard[30833]: Successfully resolved 'static-87-79-66-203.netcologne.de' --> 4:'87.79.66.203'.
Oct 2 13:28:49 srvtwc sshguard[30833]: Matched address 87.79.66.203:4 attacking service 100
Oct 2 13:28:50 srvtwc sshd[7649]: error: PAM: Authentication failure for illegal user root from static-87-79-66-203.netcologne.de
Oct 2 13:28:50 srvtwc sshd[7649]: Failed keyboard-interactive/pam for invalid user root from 87.79.66.203 port 51639 ssh2
Oct 2 13:28:50 srvtwc sshguard[30833]: Matched address 87.79.66.203:4 attacking service 100

I've noticed in my logs recently, since I've started to use sshguard, that the attackers' scripts are smart enough to know, or remember, that your server is running sshguard or a similar service, and will attempt brute-force attacks from a rotating set of IPs, so that they will never get banned as long as they have enough IPs to come in from. The logs show that sshguard is picking it up as an attack properly, but by the time they cycle through their list of remote IPs and use one that sshguard has seen already, it's been over the time period where it would count it as a second attack.

Anything that shows up as "not listed in AllowUsers" or "failure for illegal user xxx" should be banned on the first attempt. That would be a great addition to your already awesome app.
From: Mij <mi...@ss...> - 2009-10-05 13:12:29
The general answer is: working on "attack density" is in TODO. Sshguard would score different patterns in different ways and block when a "disturbance level" is reached. Search previous posts in the ml for more details.

In the specific case of sshd: I'm not sure running the cat-and-mouse is the best approach: logs would still be tainted, there would be not much better protection, and in my experience their IP pool is often so large that you don't even see rotation. See previous post for more details.

I have some ideas for solving this one, but ain't very happy with any. The way DenyHosts works (sharing DoS information) is insecure: I can taint the global blacklist by injecting legitimate hosts, thus DoSing thousands of sites. The "smart" way of measuring the density of attacks and tarpitting TCP handshakes when we're in "distributed attack mode" may prevent or disturb legitimate users.

If some users want to share ideas on that, they're highly welcome. Otherwise this task will stay in the idle TODO.

Sshguard-users mailing list: https://lists.sourceforge.net/lists/listinfo/sshguard-users
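The two messages above describe one scheme from two sides: per-pattern weights so that a "not listed in AllowUsers" line bans on the first sighting while ordinary failures still get the default of 4, and an aggregate "attack density" that is visible even when every address in a rotating pool stays below the per-source threshold. The script below is an added example written for this thread, not sshguard's code and not anything either poster ran. Everything in it is assumed: the pattern weights, the 20-minute per-source window, the 5-minute density window and its limit of 10, the RESOLVED table (a stand-in for DNS, filled with the resolutions sshguard printed in the thread), and the two benign "alice" lines from the documentation address 192.0.2.10, which are constructed. The sshd lines for the three attacking hosts are taken from the log posted above; sshguard's own output lines are left out because they are not input.

```python
# Added example, not sshguard's code: weighted-pattern scoring over sshd log
# lines, plus a separate attack-density counter across all sources.
import re
from collections import defaultdict, deque
from datetime import datetime

BAN_THRESHOLD = 4                # the per-source threshold the thread calls "the default of 4"
WINDOW_SECONDS = 20 * 60         # assumed per-source scoring window
DENSITY_WINDOW_SECONDS = 5 * 60  # assumed window for counting hits from every source
DENSITY_LIMIT = 10               # assumed hit count in that window that raises the density alert

# (pattern, weight). A weight equal to BAN_THRESHOLD means "ban on first sighting".
# Weights are hypothetical; group(1) is the host or address sshd printed.
PATTERNS = [
    (re.compile(r"sshd\[\d+\]: User \S+ from (\S+) not allowed because not listed in AllowUsers"), BAN_THRESHOLD),
    (re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for illegal user \S+ from (\S+)"), BAN_THRESHOLD),
    (re.compile(r"sshd\[\d+\]: Failed \S+ for invalid user \S+ from (\S+) port \d+"), 1),
    (re.compile(r"sshd\[\d+\]: Failed \S+ for \S+ from (\S+) port \d+"), 1),
]

# Constructed stand-in for DNS resolution: the hostnames in the thread and the
# addresses sshguard's "Successfully resolved" lines mapped them to.
RESOLVED = {
    "mx.referent.ru": "86.111.5.38",
    "119-210-96-87.cust.blixtvik.se": "87.96.210.119",
    "static-87-79-66-203.netcologne.de": "87.79.66.203",
}

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2009):
    """Seconds since Jan 1 of `year` for a syslog-style prefix, or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{year} {m[1]} {int(m[2])} {m[3]}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


def classify(line):
    """Return (source_address, weight) for a recognised sshd line, else None."""
    for pattern, weight in PATTERNS:
        m = pattern.search(line)
        if m:
            src = m.group(1)
            return RESOLVED.get(src, src), weight
    return None


class Scorer:
    def __init__(self):
        self.hits = defaultdict(deque)  # source -> deque of (timestamp, weight)
        self.all_hits = deque()         # timestamps of every recognised hit, any source
        self.banned = []                # sources in the order they were banned
        self.density_alert = False      # set once the aggregate rate crosses DENSITY_LIMIT

    def score_of(self, src):
        return sum(w for _, w in self.hits[src])

    def feed(self, line):
        """Score one line; return the source if this line triggers its ban."""
        ts = parse_timestamp(line)
        hit = classify(line)
        if ts is None or hit is None:
            return None
        src, weight = hit
        # Per-source score over a sliding window (the deque is never empty here).
        q = self.hits[src]
        q.append((ts, weight))
        while ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        # Density across all sources: a rotating pool never reaches the per-source
        # threshold, but the aggregate rate still shows the attack. This only
        # reports; it does not lower thresholds, for the reason Mij gives above.
        self.all_hits.append(ts)
        while ts - self.all_hits[0] > DENSITY_WINDOW_SECONDS:
            self.all_hits.popleft()
        if len(self.all_hits) >= DENSITY_LIMIT:
            self.density_alert = True
        if self.score_of(src) >= BAN_THRESHOLD and src not in self.banned:
            self.banned.append(src)
            return src
        return None


def run(lines):
    s = Scorer()
    for line in lines:
        s.feed(line)
    return {"banned": s.banned, "density_alert": s.density_alert, "scorer": s}


# Attacker lines from the thread, interleaved with two constructed benign lines
# (one legitimate user mistyping a password twice from a documentation address).
SAMPLE_LOG = [
    "Oct 2 13:26:27 srvtwc sshd[7642]: User root from mx.referent.ru not allowed because not listed in AllowUsers",
    "Oct 2 13:26:28 srvtwc sshd[7642]: error: PAM: Authentication failure for illegal user root from mx.referent.ru",
    "Oct 2 13:26:28 srvtwc sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 86.111.5.38 port 33046 ssh2",
    "Oct 2 13:27:00 srvtwc sshd[7643]: Failed password for alice from 192.0.2.10 port 50010 ssh2",   # constructed
    "Oct 2 13:27:30 srvtwc sshd[7644]: Failed password for alice from 192.0.2.10 port 50011 ssh2",   # constructed
    "Oct 2 13:27:43 srvtwc sshd[7645]: User root from 119-210-96-87.cust.blixtvik.se not allowed because not listed in AllowUsers",
    "Oct 2 13:27:43 srvtwc sshd[7645]: error: PAM: Authentication failure for illegal user root from 119-210-96-87.cust.blixtvik.se",
    "Oct 2 13:27:43 srvtwc sshd[7645]: Failed keyboard-interactive/pam for invalid user root from 87.96.210.119 port 41754 ssh2",
    "Oct 2 13:28:49 srvtwc sshd[7649]: User root from static-87-79-66-203.netcologne.de not allowed because not listed in AllowUsers",
    "Oct 2 13:28:50 srvtwc sshd[7649]: error: PAM: Authentication failure for illegal user root from static-87-79-66-203.netcologne.de",
    "Oct 2 13:28:50 srvtwc sshd[7649]: Failed keyboard-interactive/pam for invalid user root from 87.79.66.203 port 51639 ssh2",
]

if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    print("banned:", result["banned"], "density alert:", result["density_alert"])
```

Run as-is, each of the three "not listed in AllowUsers" lines bans its address on first sight, alice's two failures leave 192.0.2.10 at a score of 2 and unbanned, and the density alert fires at the tenth hit because all eleven fall inside one five-minute window. Two caveats belong with any real deployment of this idea: the hostname sshd prints depends on its UseDNS setting, so the resolver step must produce the same key for every line about one peer, and the density alert is deliberately only a signal, since acting on it (tarpitting, lowering thresholds) is exactly the step Mij notes can disturb legitimate users during a distributed run.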