Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <martin@duskware.de>
From: Roberto <roberto.trovo@redix.it>
List: current-users
Date: 01/31/2005 14:59:14
> I guess this is completely off-topic, but anyway: for unrelated reasons
> I am running a diagnostic/debug kernel on my router right now. So I
> noticed these messages on the console:
>
> trapdebug: emul netbsd UNIPL syscall 210:unknown syscall
> trapdebug: emul netbsd UNIPL syscall 210:unknown syscall
>
> (tons of them)
>
> IIRC this is sshd doing some AFS syscall. So I checked what's going on and
> saw the typical ssh login probes in /var/log/authlog:
>
> Jan 27 23:06:40 setting-sun sshd[10795]: Illegal user lbenson from 219.117.250.205
> Jan 27 23:06:44 setting-sun sshd[11053]: Illegal user jlawrence from 219.117.250.205
> Jan 27 23:06:47 setting-sun sshd[8759]: Illegal user rnelson from 219.117.250.205
> Jan 27 23:06:51 setting-sun sshd[10297]: Illegal user mankney from 219.117.250.205
>
> This is no problem in itself, of course my sshd is configured to not allow
> login authentication. But the spewing of messages on the console was ...
> somehow disturbing so I just added an ipf rule
>
>   block in quick on pppoe0 from 219.117.250.205
>
> Checking older logs from the last two days I found similar things from 5
> different IPs. Most (all?) of them seem to be dynamic IPs, so blocking
> those permanently does not make much sense.
>
> Now, here is the question: does anyone know of a tool to automagically
> recognize this sequence of logs that temporarily adds the corresponding
> block rules to ipf and expires them after, say, 24 hours?
>
> Is there anything wrong from a security point of view with this approach?
> It's not a protection in itself, and it's just one common attack (out of
> hundreds, I guess). But maybe as an additional obstacle?
>
> Martin
>

I have the same problem with ssh login attempts; here are my opinions /
suggestions:

 1) enable a set of source IPs (if any) that can connect to your SSH server;
 2) move ssh to another port (e.g. 2200);

 (N.B.: it is a "must" to disable login authentication)

My own opinion about modifying the firewall rules is not positive: I don't
feel confident with a dynamic ruleset (there can be mistakes somewhere, but
it is ---only my opinion---);

Anyway, I'm curious about the "most voted" solution.

Kind regards,
Roberto


-- 

e-mail roberto.trovo [at] redix.it
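A sketch of the log watcher Martin asks for (detect a burst of "Illegal user" lines per source IP, render the matching ipf block rule, and report which rules have outlived a 24-hour TTL), added here as an example and not code from anyone in the thread. It assumes Python, the pppoe0 interface name and rule form from Martin's post, a caller-supplied year (syslog stamps carry none), and a constructed sample log built from the quoted lines plus one lone probe from a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Shape of the /var/log/authlog lines quoted in the post: syslog stamp, host, sshd[pid], user, source IP
PROBE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Illegal user \S+ from (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_probes(lines, year):
    """Yield (timestamp, ip) per 'Illegal user' line. Syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = PROBE_RE.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def offenders(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: time of first hit} for IPs with >= threshold probes inside any `window`."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward past old probes
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = times[start]
                break
    return hits

def ipf_rules(ips, iface="pppoe0"):
    """Render one ipf rule per offending IP, in the same form as the rule Martin added by hand."""
    return [f"block in quick on {iface} from {ip}" for ip in sorted(ips)]

def expired(blocked, now, ttl=timedelta(hours=24)):
    """blocked: {ip: time the rule was added}. Return IPs whose rule has outlived ttl and should be removed."""
    return sorted(ip for ip, since in blocked.items() if now - since >= ttl)

# Constructed sample: the four lines quoted in the post plus one lone probe from a documentation address
SAMPLE_LOG = """\
Jan 27 23:06:40 setting-sun sshd[10795]: Illegal user lbenson from 219.117.250.205
Jan 27 23:06:44 setting-sun sshd[11053]: Illegal user jlawrence from 219.117.250.205
Jan 27 23:06:47 setting-sun sshd[8759]: Illegal user rnelson from 219.117.250.205
Jan 27 23:06:51 setting-sun sshd[10297]: Illegal user mankney from 219.117.250.205
Jan 27 23:40:02 setting-sun sshd[10400]: Illegal user test from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for rule in ipf_rules(offenders(parse_probes(SAMPLE_LOG, 2005))):
        print(rule)
```

The block only produces and expires rule text; feeding it to ipf and removing it again is left to the caller, which is where Roberto's concern about mistakes in a dynamic ruleset applies.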