[lug] Attacks Intensifying

Lee Woodworth blug-mail at duboulder.com
Thu Oct 28 13:06:44 MDT 2004


Unless you have the requirement that users can SSH from anywhere, 
blocking attackers is the opposite of the recommended security policy:
    specifically allow known sources, deny all others.

My file exchange server requires users to have keys, no passwords 
allowed. It looks to me that the time I spent setting up user keys and 
allowing their addresses is less than the time you are going to spend on 
blocking attackers.

Daniel Webb wrote:
> On Thu, Oct 28, 2004 at 10:56:47AM -0600, Jani Averbach wrote:
> 
> 
>>Seriously, I have planned and sketched a system where we have a
>>(sshd/httpd) log analyzer, SQL database and firewall which is
>>updated based on incoming login attempts. It also uses a white list
>>to ensure that you could log in, even if you have mistyped your
>>password.
>>
>>Unfortunately I don't have anything really working at the moment.
>>
>>Do you know if there is something similar already done?
> 
> 
> I created a simple hacked-together system a few months ago when all this
> started that auto-bans all the guys doing this.  It's part of my overall
> firewall script, so I'll just include the relevant parts of the firewall
> script, and attach the script that bans new attackers and the current ban
> list.  It just searches the syslog file and bans IPs that have too many failed
> attempts by adding the IP to a list in a file.  You'll have to customize it
> for your system, but it should allow you to do what you're talking about with
> little effort.  A SQL database seems overboard, since I have 311 banned IPs
> for several months worth of collecting, but maybe you're getting attacked more
> than I am.
> 
> (part of my firewall script):
> 
> -----
> # Deny packets from banned IPs to SSH
> # (see /root/script/firewall/generate-banned-ips)
> #
> [ ! -f $FIREWALL_DIR/banned-ips ] && echo "can't find $FIREWALL_DIR/banned-ips"
> echo "Denying SSH to:"
> for f in $(cat $FIREWALL_DIR/banned-ips); do
>     echo -n "$f "
>     $IPTABLES -A INPUT -p TCP -i $INET_IFACE -s $f \
>         --destination-port 22 -j REJECT
> done
> -----
> 
> Daniel
> 
> 
> ------------------------------------------------------------------------
> 
> #!/bin/sh
> #
> # Generate a list of banned IPs by looking in the log files
> # Put the banned list in /root/scripts/firewall so the firewall scripts can
> # use it.
> 
> TF=$(mktemp)
> ADD=$(mktemp)
> BANS=/root/scripts/firewall/banned-ips
> touch $BANS
> 
> # Ban on one attempt at "test" account
> cat /var/log/auth.log | grep "Failed password for test from" \
>     | nice perl -p -e 's/.* ((\d{1,3}\.){3}\d{1,3}).*/$1/' \
>     >> $TF
> 
> # Add lines that start with "Failed password for root from"
> # pull the IP from those lines
> # Uniqify and Prepend a count of the number of each IP
> # Remove IPs that have 3 or less failures
> # Remove the prepended count from the rest
> cat /var/log/auth.log | nice grep "Failed password for root from" \
>     | perl -p -e 's/.* ((\d{1,3}\.){3}\d{1,3}).*/$1/' \
>     | sort | uniq --count \
>     | egrep -v '[[:space:]]1[[:space:]]' \
>     | egrep -v '[[:space:]]2[[:space:]]' \
>     | egrep -v '[[:space:]]3[[:space:]]' \
>     | perl -p -e 's/\s+\d+\s+(.*)/$1/' \
>     >> $TF
> 
> cat $TF | sort | uniq > $ADD
> NEW=$(cat $ADD $BANS $BANS | sort | uniq --unique)
> if [ ! -z "$NEW" ]; then
>     echo "Adding new IPs to ban list:"
>     echo $NEW
>     # Load new firewall
>     ./rc.firewall >/dev/null
> fi
> 
> # Uniqify the final ban list
> cat $BANS $ADD | sort | uniq > $TF
> cat $TF > $BANS
> 
> rm -f $TF
> rm -f $ADD
> 
> 
> ------------------------------------------------------------------------
> 
> 12.181.128.5
> 128.121.10.3
> 128.123.180.84
> 128.138.202.97
> 128.146.169.135
> 128.164.159.98
> 128.19.10.214
> 129.49.26.126
> 130.101.10.1
> 130.104.190.198
> 133.87.72.94
> 134.174.176.76
> 134.21.2.227
> 140.109.82.84
> 140.110.17.105
> 140.115.238.251
> 140.115.34.200
> 140.116.179.34
> 140.122.85.152
> 140.127.198.65
> 140.130.177.203
> 140.135.112.177
> 140.160.136.46
> 143.107.203.154
> 143.107.228.251
> 143.248.139.221
> 143.248.52.68
> 145.253.90.115
> 147.162.146.203
> 147.46.116.99
> 147.46.22.130
> 148.208.179.3
> 150.164.12.158
> 150.187.25.11
> 159.226.50.10
> 159.226.71.40
> 160.129.116.189
> 161.116.73.218
> 163.180.116.239
> 163.19.115.8
> 163.21.48.101
> 163.25.65.3
> 163.26.93.226
> 163.30.167.9
> 164.125.104.82
> 164.77.202.91
> 165.229.193.163
> 168.126.168.12
> 168.131.93.119
> 168.179.113.141
> 168.26.194.105
> 192.116.15.136
> 192.217.137.2
> 193.19.160.12
> 193.194.80.194
> 193.91.69.196
> 194.78.243.110
> 194.90.91.41
> 195.13.223.66
> 195.182.228.9
> 195.188.18.219
> 195.227.113.99
> 195.235.100.122
> 195.5.28.73
> 196.44.6.33
> 198.144.42.68
> 200.153.74.133
> 200.181.46.200
> 200.204.175.23
> 200.206.182.38
> 200.33.20.234
> 200.75.146.149
> 200.76.49.243
> 200.80.220.100
> 200.87.53.130
> 202.109.73.115
> 202.123.169.217
> 202.124.145.22
> 202.129.46.156
> 202.129.59.150
> 202.142.122.14
> 202.145.62.77
> 202.163.126.5
> 202.181.212.142
> 202.194.7.245
> 202.64.28.81
> 202.65.195.35
> 202.66.8.210
> 202.71.148.180
> 202.81.160.121
> 203.115.96.151
> 203.138.138.66
> 203.146.102.54
> 203.155.49.67
> 203.157.44.195
> 203.172.67.151
> 203.195.178.67
> 203.195.183.10
> 203.198.72.210
> 203.227.204.26
> 203.227.204.32
> 203.227.204.8
> 203.236.213.126
> 203.237.140.225
> 203.251.69.201
> 203.69.226.242
> 203.75.73.211
> 203.85.183.10
> 203.86.72.243
> 203.98.166.25
> 204.210.78.177
> 204.210.79.82
> 205.133.198.31
> 205.209.132.190
> 205.209.141.50
> 205.209.168.10
> 205.209.168.30
> 205.209.174.70
> 205.237.246.164
> 206.245.188.8
> 207.36.86.225
> 207.44.208.42
> 208.186.255.1
> 209.174.152.151
> 209.208.103.98
> 209.210.237.11
> 210.0.186.83
> 210.1.9.227
> 210.115.49.126
> 210.115.49.143
> 210.116.114.229
> 210.118.74.235
> 210.15.112.41
> 210.168.217.132
> 210.179.119.10
> 210.18.65.46
> 210.180.195.4
> 210.183.235.253
> 210.198.12.50
> 210.202.109.29
> 210.202.116.253
> 210.205.6.157
> 210.207.152.26
> 210.22.128.135
> 210.223.178.180
> 210.250.51.252
> 210.66.217.147
> 210.76.97.118
> 210.92.110.56
> 210.92.30.90
> 210.96.103.105
> 210.99.250.246
> 211.101.6.3
> 211.114.173.193
> 211.114.176.163
> 211.115.80.150
> 211.136.107.116
> 211.147.56.8
> 211.173.81.252
> 211.185.202.3
> 211.20.24.77
> 211.21.75.133
> 211.217.193.180
> 211.219.30.11
> 211.221.246.28
> 211.229.177.114
> 211.23.242.186
> 211.233.15.51
> 211.238.160.28
> 211.239.152.44
> 211.248.38.252
> 211.248.57.126
> 211.34.15.5
> 211.34.43.130
> 211.46.163.166
> 211.57.214.74
> 211.57.80.252
> 211.60.219.250
> 211.68.120.41
> 211.72.9.138
> 211.75.221.105
> 211.91.98.115
> 211.98.28.124
> 212.238.137.205
> 212.64.210.221
> 212.68.226.139
> 212.78.150.64
> 213.136.14.51
> 213.176.124.12
> 213.183.107.133
> 216.136.66.81
> 216.37.220.242
> 216.40.203.13
> 216.94.170.95
> 216.98.142.126
> 217.14.177.65
> 217.160.178.172
> 217.172.182.148
> 217.66.83.186
> 217.71.161.49
> 218.103.82.99
> 218.106.100.101
> 218.106.100.98
> 218.108.247.67
> 218.145.226.85
> 218.149.84.114
> 218.18.208.144
> 218.21.129.104
> 218.21.129.105
> 218.234.208.2
> 218.236.1.102
> 218.237.64.193
> 218.25.120.5
> 218.3.161.2
> 218.30.21.236
> 218.38.136.47
> 218.38.14.54
> 218.38.2.1
> 218.4.139.234
> 218.62.7.234
> 218.75.54.67
> 218.89.36.109
> 218.89.36.110
> 219.140.166.19
> 219.147.198.177
> 219.147.65.247
> 219.153.4.62
> 219.166.65.51
> 219.254.35.182
> 220.168.17.55
> 220.64.160.18
> 220.69.12.96
> 220.73.215.151
> 221.147.48.55
> 221.147.57.23
> 221.166.169.102
> 221.186.104.77
> 222.118.5.179
> 222.45.45.132
> 222.88.82.76
> 24.202.124.31
> 24.208.136.184
> 24.226.230.76
> 24.97.123.67
> 61.129.102.174
> 61.143.64.20
> 61.144.253.218
> 61.156.14.23
> 61.157.226.106
> 61.166.6.60
> 61.174.171.18
> 61.193.167.19
> 61.197.247.50
> 61.206.125.28
> 61.221.212.163
> 61.222.151.180
> 61.234.70.11
> 61.251.165.151
> 61.251.59.132
> 61.251.74.219
> 61.34.6.105
> 61.36.184.166
> 61.56.244.182
> 61.57.26.106
> 62.111.148.50
> 62.112.131.21
> 62.129.173.135
> 62.193.225.147
> 62.193.225.46
> 63.72.238.66
> 64.114.81.120
> 64.191.34.180
> 64.191.87.151
> 64.246.42.65
> 64.250.226.3
> 64.27.0.7
> 64.35.113.151
> 64.60.20.74
> 64.95.31.15
> 65.37.37.15
> 65.42.15.250
> 65.78.159.59
> 66.103.251.130
> 66.103.96.14
> 66.197.197.69
> 66.216.122.116
> 66.220.27.241
> 66.236.24.228
> 66.55.167.210
> 66.79.161.66
> 66.79.170.220
> 66.98.186.87
> 67.15.2.8
> 67.15.54.25
> 67.153.190.3
> 67.18.184.210
> 67.19.126.106
> 67.19.150.213
> 68.121.176.36
> 68.166.46.202
> 68.208.211.139
> 68.79.144.34
> 69.60.111.197
> 69.89.66.18
> 80.55.1.198
> 80.57.166.112
> 80.86.167.140
> 81.4.75.96
> 82.182.115.122
> 82.43.214.213
> 82.79.88.147
> 
> 
> ------------------------------------------------------------------------
> 
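The thread contrasts two approaches: Daniel's script, which greps auth.log for failed password attempts, counts them per source address and adds repeat offenders to a ban file, and Lee's point that a positive policy (allow known sources, require keys, reject everything else) needs no attacker tracking at all. The script below is an added example, not code from either poster, that puts the two side by side in POSIX sh: it parses a constructed auth.log excerpt (addresses from the documentation ranges), applies Daniel's rules (four or more failures, or a single attempt at the bait account "test"), exempts addresses on Jani's white list, diffs the result against an existing ban list with comm instead of the cat-twice/uniq --unique trick, and emits (without executing) the iptables rules for Lee's allow-known-sources policy. All file names, log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list post. Log lines, addresses and file
# names are constructed; the threshold 4 mirrors the posted "3 or less"
# rule.

SAMPLE_LOG=$(mktemp)
ALLOWLIST=$(mktemp)
EXISTING_BANS=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$ALLOWLIST" "$EXISTING_BANS"' EXIT

# Constructed auth.log excerpt: a root guesser, one probe of the bait account
# "test", a legitimate user fumbling a password from an allowlisted address,
# an "invalid user" guess, and a successful key login that must not count.
cat > "$SAMPLE_LOG" <<'EOF'
Oct 28 10:01:02 host sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct 28 10:01:05 host sshd[1235]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct 28 10:01:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 40003 ssh2
Oct 28 10:01:12 host sshd[1237]: Failed password for root from 198.51.100.7 port 40004 ssh2
Oct 28 10:02:00 host sshd[1240]: Failed password for test from 203.0.113.9 port 50010 ssh2
Oct 28 10:03:00 host sshd[1241]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Oct 28 10:03:10 host sshd[1242]: Failed password for alice from 192.0.2.10 port 51001 ssh2
Oct 28 10:03:20 host sshd[1243]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Oct 28 10:03:30 host sshd[1244]: Failed password for alice from 192.0.2.10 port 51003 ssh2
Oct 28 10:03:40 host sshd[1245]: Failed password for alice from 192.0.2.10 port 51004 ssh2
Oct 28 10:04:00 host sshd[1250]: Failed password for root from 203.0.113.50 port 33000 ssh2
Oct 28 10:04:05 host sshd[1251]: Failed password for invalid user admin from 203.0.113.50 port 33001 ssh2
Oct 28 10:04:10 host sshd[1252]: Accepted publickey for bob from 192.0.2.20 port 52000 ssh2
EOF

# Known-good source that may fail repeatedly without being banned (Jani's
# white list), and one address that is already on the ban list.
echo 192.0.2.10 > "$ALLOWLIST"
echo 203.0.113.9 > "$EXISTING_BANS"

# failures_per_ip LOGFILE: "count ip" for each source of a failed password.
failures_per_ip() {
    grep 'Failed password for' "$1" \
        | sed -n 's/.* from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# ban_candidates LOGFILE THRESHOLD ALLOWLIST: sorted addresses with at least
# THRESHOLD failures, or any failure for the bait account "test" (Daniel's
# one-strike rule), minus allowlisted addresses. grep exits 1 when nothing
# survives the allowlist, which is not an error here.
ban_candidates() {
    {
        failures_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
        grep 'Failed password for test from' "$1" \
            | sed -n 's/.* from \([0-9.]*\) .*/\1/p'
    } | sort -u | grep -v -x -F -f "$3" || [ $? -eq 1 ]
}

# new_bans CANDIDATES EXISTING: candidates not already in the ban list.
# CANDIDATES must be sorted (ban_candidates output is); comm replaces the
# cat-twice/uniq --unique trick from the posted script.
new_bans() {
    sort -u "$2" | comm -23 "$1" -
}

# allowlist_rules IFACE ALLOWLIST: iptables commands (echoed, not executed)
# for the positive policy: accept SSH from each known source, reject the rest.
allowlist_rules() {
    while read -r src; do
        [ -n "$src" ] && echo "iptables -A INPUT -i $1 -p tcp -s $src --dport 22 -j ACCEPT"
    done < "$2"
    echo "iptables -A INPUT -i $1 -p tcp --dport 22 -j REJECT"
}

# Stand-alone run: show the counts and which addresses would be newly banned.
failures_per_ip "$SAMPLE_LOG"
CANDS=$(mktemp)
ban_candidates "$SAMPLE_LOG" 4 "$ALLOWLIST" > "$CANDS"
echo "Would add to ban list:"
new_bans "$CANDS" "$EXISTING_BANS"
rm -f "$CANDS"
```

On the sample input the root guesser 198.51.100.7 and the bait-account probe 203.0.113.9 are the only candidates (alice's five failures are forgiven by the allowlist, and the two-strike address 203.0.113.50 stays under the threshold); since 203.0.113.9 is already banned, only 198.51.100.7 is new. The allowlist rules show how much shorter Lee's policy is: one ACCEPT per known source and a single REJECT, with no ban file to maintain.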