DragonFly users List (threaded) for 2010-03
Re: Security process
I was running a little program based off of syslog for a long time.
I've included the C code below as well.
auth.info;authpriv.info |exec /root/adm/sshlockout
It basically checks for login failures and then adds a rule via
ipfw.
However, I eventually gave up doing this as more and more attacks
are coming from large numbers of IP addresses. Instead I now just
disallow passworded access via ssh entirely and let the attackers
waste their time.
In my personal experience the most important thing you need to
deal with security breaches are at least daily backups going back
far enough such that you can track down where the breach occurred
and definitively clean up any trojans that were installed. Trojans
can be anything... they aren't necessarily going to be the suid
shells the irc script kiddies were installing in the 90s. They
can be as simple as a slight modification to a firewall rule set,
or PAM, or some other system configuration file which gives the
attacker a backdoor exploit.
Without backups to compare against, sanitizing a breached system is
very difficult. Just make sure the backup machine itself cannot
be accessed from the vulnerable machines.
--
Service separation can also be a good tool. One can run vkernels
for low-bandwidth services, use jails, VMs, and so on and so forth.
-Matt
Matthew Dillon
<dillon@backplane.com>
/*
 * SSHLOCKOUT.C
 *
 * Use: pipe syslog auth output to this program. e.g. in /etc/syslog.conf:
 *
 *      auth.info;authpriv.info         /var/log/auth.log
 *      auth.info;authpriv.info         |exec /root/adm/sshlockout
 *
 * Detects failed ssh login attempts and maps out the originating IP
 * using IPFW.
 *
 * *VERY* simplistic.  ipfw entries do not timeout, duplicate entries may
 * occur (though normally not since ssh won't see new connections from
 * the IP otherwise), there are no checks made for local IPs or nets,
 * or for prior successful logins, etc.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <syslog.h>

static void lockout(char *str);

int
main(int ac, char **av)
{
        char buf[1024];
        char *str;

        openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
        syslog(LOG_ERR, "sshlockout starting up");

        /* We run as a syslog pipe; stdout/stderr go nowhere useful */
        freopen("/dev/null", "w", stdout);
        freopen("/dev/null", "w", stderr);

        /* Each line read from stdin is one syslog message */
        while (fgets(buf, sizeof(buf), stdin) != NULL) {
                if (strstr(buf, "sshd") == NULL)
                        continue;

                /*
                 * "Failed password for root from A.B.C.D ...": the
                 * address is the first run of digits after the match.
                 */
                if ((str = strstr(buf, "Failed password for root from")) != NULL ||
                    (str = strstr(buf, "Failed password for admin from")) != NULL
                ) {
                        while (*str && (*str < '0' || *str > '9'))
                                ++str;
                        lockout(str);
                        continue;
                }

                /*
                 * "Failed password for invalid user NAME from A.B.C.D ...":
                 * skip the 32-character prefix and the user name, then
                 * expect " from" immediately before the address.
                 */
                if ((str = strstr(buf, "Failed password for invalid user")) != NULL) {
                        str += 32;
                        while (*str == ' ')
                                ++str;
                        while (*str && *str != ' ')
                                ++str;
                        if (strncmp(str, " from", 5) == 0)
                                lockout(str + 5);
                        continue;
                }

                /* "Illegal user NAME from A.B.C.D ...": same layout, 12-char prefix */
                if ((str = strstr(buf, "Illegal user")) != NULL) {
                        str += 12;
                        while (*str == ' ')
                                ++str;
                        while (*str && *str != ' ')
                                ++str;
                        if (strncmp(str, " from", 5) == 0)
                                lockout(str + 5);
                }
        }
        syslog(LOG_ERR, "sshlockout exiting");
        return(0);
}

/*
 * Parse the dotted-quad address at str and add an ipfw deny rule for it.
 * The command is built only from the four parsed integers, so nothing
 * from the log line itself reaches the shell.
 */
static void
lockout(char *str)
{
        int n1, n2, n3, n4;
        char buf[256];

        if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
                syslog(LOG_ERR, "Detected Illegal ssh login attempt, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                system(buf);
        }
}
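The following is an added example, not code from Matt's post or from DragonFly. It keeps the same three sshd messages and the same ipfw rule shape as sshlockout.c above, but adds two of the checks the header comment says are missing: addresses inside an assumed local net (10.0.0.0/8 here) are never blocked, and an address is blocked only after a failure threshold (assumed to be 3), which also yields exactly one rule per address instead of possible duplicates. The function names (extract_source_ip, process_line, reset_tracking), the constants and the sample log lines are all assumptions made for the example; the rule is returned as a string instead of being passed to system() so the logic can be tested on constructed lines.

```c
/*
 * sshlockout_check.c: an added example, not Matt's sshlockout.c.  Same sshd
 * messages, plus an assumed local net that is never blocked and a per-address
 * failure threshold so each address yields exactly one ipfw rule.  The rule
 * is returned as a string rather than passed to system().
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define THRESHOLD  3             /* failures before a rule (assumed) */
#define MAX_TRACK  64            /* addresses tracked at once (assumed) */
#define LOCAL_NET  0x0A000000u   /* 10.0.0.0/8, assumed local net */
#define LOCAL_MASK 0xFF000000u

/* Messages the original matches; has_user marks forms with a user name before " from" */
static const struct { const char *text; int has_user; } patterns[] = {
    { "Failed password for root from",    0 },
    { "Failed password for admin from",   0 },
    { "Failed password for invalid user", 1 },
    { "Illegal user",                     1 },
};
/* Per-address failure counters; reset_tracking() clears them */
static struct { uint32_t ip; int count; } table[MAX_TRACK];
static int ntable;

/* Parse a dotted quad into host byte order; 1 on success, 0 otherwise */
static int parse_ipv4(const char *s, uint32_t *out)
{
    int a, b, c, d;
    if (sscanf(s, "%d.%d.%d.%d", &a, &b, &c, &d) != 4 ||
        (a | b | c | d) < 0 || a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Pull the source address out of one sshd failure line; 1 if found */
int extract_source_ip(const char *line, uint32_t *ip)
{
    const char *p;
    size_t i;
    if (strstr(line, "sshd") == NULL)
        return 0;
    for (i = 0; i < sizeof(patterns) / sizeof(patterns[0]); i++) {
        if ((p = strstr(line, patterns[i].text)) == NULL)
            continue;
        p += strlen(patterns[i].text);
        if (patterns[i].has_user) {
            while (*p == ' ') p++;
            while (*p && *p != ' ') p++;        /* skip the user name */
            if (strncmp(p, " from", 5) != 0)
                return 0;
            p += 5;
        }
        while (*p == ' ') p++;
        return parse_ipv4(p, ip);
    }
    return 0;
}

void reset_tracking(void) { ntable = 0; }

/* Count a failure for ip and return the new count (stays 1 if the table is full) */
static int record_failure(uint32_t ip)
{
    int i;
    for (i = 0; i < ntable; i++)
        if (table[i].ip == ip)
            return ++table[i].count;
    if (ntable < MAX_TRACK) {
        table[ntable].ip = ip;
        table[ntable].count = 1;
        ntable++;
    }
    return 1;
}

/* Returns 1 and fills rule only on the THRESHOLD-th failure from a non-local address */
int process_line(const char *line, char *rule, size_t rulelen)
{
    uint32_t ip;
    if (!extract_source_ip(line, &ip) || (ip & LOCAL_MASK) == LOCAL_NET ||
        record_failure(ip) != THRESHOLD)
        return 0;
    snprintf(rule, rulelen, "ipfw add 2100 deny tcp from %u.%u.%u.%u to me 22",
        (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
        (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
    return 1;
}

int main(void)
{
    static const char *sample[] = {   /* constructed lines, not real log data */
        "Mar  1 10:00:01 box sshd[201]: Failed password for root from 203.0.113.5 port 4000 ssh2",
        "Mar  1 10:00:02 box sshd[202]: Failed password for invalid user bob from 203.0.113.5 port 4001 ssh2",
        "Mar  1 10:00:03 box sshd[203]: Illegal user eve from 203.0.113.5",
        "Mar  1 10:00:04 box sshd[204]: Failed password for root from 10.1.2.3 port 4002 ssh2",
    };
    char rule[128];
    size_t i;
    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        if (process_line(sample[i], rule, sizeof(rule)))
            printf("%s\n", rule);      /* one rule, for 203.0.113.5 */
    return 0;
}
```

Run stand-alone it prints a single rule for 203.0.113.5 after its third failure and nothing for the 10.0.0.0/8 address. To use it the way the original is used, the main() would read syslog lines with the same fgets loop as sshlockout.c and hand each rule to system(); as in the original, the command is assembled from the four parsed integers only, so no text from the log line reaches the shell.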