  1. #1 | Just Joined! | Join Date: Apr 2004 | Location: UK | Posts: 61

    firewall ip address if it tries to login as a specified user


    OS = Debian SID

    Last night I started to write a script that would monitor the auth log and check for failed logins for specified user accounts (I bet you can guess what is coming next... namely test, guest and admin) and then drop all traffic from that IP address in iptables. Not because my systems are vulnerable, but because I am fed up of logs getting filled up with this lame behaviour, and I don't want anyone on (probably) rooted boxes having any access to my systems anyway.

    However, I had this feeling that I was re-inventing the wheel so stopped.

    Is anyone aware of a script or program that will perform this type of function already?

  2. #2 | sarumont (Linux Guru) | Join Date: Apr 2003 | Location: /dev/urandom | Posts: 3,682
    I'm not aware of any. This is a good idea, though. Proactive security.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  3. #3 | Just Joined! | Join Date: Apr 2004 | Location: UK | Posts: 61
    I have found a nice way to do this using a program called swatch

    apt-get install swatch

    on debian systems or http://sourceforge.net/projects/swatch/

    I am using the following config file saved as /etc/swatchrc

    Code:
    # Bad login attempts
    # $10 is the 10th whitespace-separated field of the log line (the source
    # address); swatch only treats $N as a field number when it is started
    # with --awk-field-syntax
    watchfor   /llegal user test|llegal user guest|llegal user admin/
            exec "/sbin/iptables -A INPUT -s $10 -j DROP"
    Then running swatch with
    swatch -t /var/log/auth.log -c /etc/swatchrc --awk-field-syntax --daemon

    This is having the desired effects

    Please notice the --awk-field-syntax command line argument. Missing that out had me banging my head against this all morning trying to work out why it was not passing the IP address through to iptables.

    This works fine if your logs look like this..
    Sep 8 21:39:21 localhost sshd[900]: Illegal user test from 192.168.0.193

    If your logs look different, you will need to count which field holds the ip address/hostname and change the $10 in /etc/swatchrc to $N where N is the number of the word that holds the ip/hostname for your log format.

    Redhat requires a different log file to be monitored. Just call swatch using..
    swatch -t /var/log/secure -c /etc/swatchrc --awk-field-syntax --daemon

    Hope this helps others

  4. #4 | Just Joined! | Join Date: Oct 2004 | Posts: 37
    This is excellent. I too have my logs filled with this lame behaviour.

    I was looking for something to do just this.
    Thanks for posting it

    Quote Originally Posted by Anigel
    [post #3 above, quoted in full]

  5. #5 | Just Joined! | Join Date: Oct 2004 | Posts: 37
    Quote Originally Posted by Anigel
    Code:
    # Bad login attempts
    watchfor   /llegal user test|llegal user guest|llegal user admin/
            exec "/sbin/iptables -A INPUT -s $10 -j DROP"
    An update: I had to change one thing. It took me a bit to figure out why, after it added the IP address to iptables, they were still getting through. It was because they were being added after I had already accepted them in.
    Here is what it looks like now.
    Code:
    # Bad login attempts
    watchfor   /llegal user test|llegal user guest|llegal user admin/
            exec "/sbin/iptables -I INPUT 1 -s $10 -j DROP"

  6. #6 | Just Joined! | Join Date: Apr 2004 | Location: UK | Posts: 61
    Quote:
    Code:
    # Bad login attempts
    watchfor   /llegal user test|llegal user guest|llegal user admin/
            exec "/sbin/iptables -I INPUT 1 -s $10 -j DROP"
    I worked this out myself when they were still getting through and changed the script to insert the rule at a specified level. Stupidly I forgot to update my post here.

    Code:
    # Bad login attempts
    watchfor   /llegal user test|llegal user guest|llegal user admin/
            exec "/sbin/iptables -I INPUT 5 -s $10 -j DROP"
    Putting the rule in at position 5 instead of position 1 as in your example ensures that my essential rules for access from my other systems are never dropped in priority by any automated script that could have the effect of locking me out of my own system, either through testing or through any form of crafted attack. This may not be an issue if you have console access to your server; however, if your servers are remotely hosted, then it could be a painful process to regain access once you have been firewalled out of your own server.

    I am glad you found it useful though.

  7. #7 | Just Joined! | Join Date: Mar 2005 | Posts: 1

    More Swatch Tweaks

    Hi All.

    I used the posts above to quickly (2 hours) get swatch set up and working!

    I recommend swatch to all readers also.

    I added a few more tweaks to the above setup, and would like to share.
    1) special chain in iptables just for swatch
    2) email myself when stuff happens
    3) add a threshold to allow a few failures before firewalling off

    My swatchrc file now looks like this:

    Code:
    # Add firewall rules for bad login attempts
    # (pattern fixed from "llegial": it must match "Illegal user ..." in the log)
    watchfor /llegal user test|llegal user guest|llegal user admin/
    # act only after 4 matches within 3600 seconds
    threshold 4:3600
    mail=myself@mydomain.com,subject="swatch match: firewall rule added"
    # append to the dedicated chain, not to INPUT directly
    exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"


    Read on for a more detailed explanation of the additions:

    ----------
    1) New swatch_rejects Chain

    I wasn't a fan of allowing swatch to just stick rules directly into the input chain. This could get messy after a while, and it's harder to hunt down and remove any swatch-added rules when you want to restore access.

    a) I added a new chain "swatch_rejects" where swatch (and only swatch) will append rules.

    'iptables -N swatch_rejects'

    b) Create an unconditional jump to this rule in your INPUT chain. I also place it at rule #5 in INPUT, below all of my own rules that accept my IPs (so you don't accidentally lock yourself out!)

    'iptables -I INPUT 5 -j swatch_rejects'

    c) Configure in your /etc/swatchrc file the exec to write to the new chain instead of INPUT

    Code:
    # Bad login attempts
    watchfor /llegal user test|llegal user guest|llegal user admin/
    exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"

    Now, to see what swatch has been doing to your firewall, simply do a
    'iptables -L swatch_rejects'

    ---------------
    2) Email notification for verboseness

    Simply added to swatchrc file a 'mail' command:

    mail=myself@mydomain.com,subject="Swatch match: illegal user. Firewall rule added"

    ----------
    3) Threshold
    I figured that one failure = firewalled off is a bit harsh. I'd prefer 4 failures in 1 hour's time:

    threshold 4:3600

    Hope this helps. And Thanks to all the previous folks who posted and got me started!

  8. #8 | Just Joined! | Join Date: Mar 2005 | Posts: 1

    firewall ip address if it tries to login as a specified user

    Thanks Anigel! I found your post on the --awk-field-syntax thing for swatch and now I can use arguments in my command. I had been pulling my hair out for hours and hours.

    /usr/bin/swatch --config-file=/etc/swatchrc --tail-file=/var/log/syslogs/local6 \
    --awk-field-syntax &

    To keep from locking your own workstation out during the testing phase, you could run 2 sshd daemons on different ports. I have incoming port 22 forwarded to port 23 on the box. So if someone tries an ssh attack, I drop port 23. This allows me to ssh in on a different port and delete the rule number that had me blocked on port 23.

    watchfor /sshd.*: Failed password for root/
    exec /sbin/iptables -A INPUT -i eth0 -s $11 -d 0/0 -p tcp --dport 23 -j DROP

    --patty

  9. #9 | Just Joined! | Join Date: Apr 2005 | Location: Chicago, IL | Posts: 1
    I recently implemented a similar solution to the one described here, but I ran into a glitch with DNS resolution. On my systems (Redhat 9, Fedora Core 3, RHEL 4) I find that the log of login failures for some reason performs reverse DNS resolution on the source IP address. That's a problem because, as I discovered last night:

    Apr 19 05:27:56 server sshd(pam_unix)[27667]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pmx.promedexinc.com user=root

    The rhost provided doesn't resolve to an IP address so the blocking of the address failed.

    Is there any way to configure sshd and/or PAM to just show the IP address in the log? I tried to turn off DNS resolution in sshd but that didn't work.
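
The posts #3, #7 and #9 above together describe one rule chain: pick the source address out of the log line by field number, count failures per source, and feed the address to iptables in a dedicated chain. Below is an added example in Python, not code from any poster, that re-implements that chain over constructed auth.log lines so the field number, the threshold and the hostname problem from post #9 can be checked before touching a live firewall. It only builds the iptables commands and never runs them. The regexes, the watched-user set, the chain name swatch_rejects (taken from post #7) and all sample lines other than the two quoted in the thread are this example's own assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines. Line 1 is the sshd line quoted in post #3 and
# line 6 the pam_unix line quoted in post #9; the others are made up in the same
# formats to exercise the threshold logic.
SAMPLE_LOG = """\
Sep  8 21:39:21 localhost sshd[900]: Illegal user test from 192.168.0.193
Sep  8 21:39:22 localhost sshd[901]: Illegal user guest from 192.168.0.193
Sep  8 21:39:23 localhost sshd[902]: Illegal user admin from 192.168.0.193
Sep  8 21:39:24 localhost sshd[903]: Failed password for root from 192.168.0.193 port 4231 ssh2
Sep  8 21:40:01 localhost sshd[910]: Failed password for root from 10.0.0.7 port 5100 ssh2
Apr 19 05:27:56 server sshd(pam_unix)[27667]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pmx.promedexinc.com user=root
""".splitlines()

# Accounts the thread blocks on sight (test/guest/admin from post #3, root from post #8).
WATCHED_USERS = {"test", "guest", "admin", "root"}

# One regex per log format seen in the thread; each captures the user and the source.
PATTERNS = (
    re.compile(r"Illegal user (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"authentication failure;.*\brhost=(?P<src>\S+)\s.*\buser=(?P<user>\S+)"),
)

_EPOCH = datetime(1900, 1, 1)  # syslog timestamps carry no year; only differences matter


def awk_field(line, n):
    """Field n (1-based, whitespace-split) of a log line: what $n means to swatch
    under --awk-field-syntax. Use it to verify the number before editing swatchrc."""
    fields = line.split()
    return fields[n - 1] if 0 < n <= len(fields) else ""


def syslog_seconds(line):
    """Seconds since _EPOCH parsed from the 'Mon dd HH:MM:SS' prefix of the line."""
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - _EPOCH).total_seconds()


def parse(line):
    """(user, source) for a failed login by a watched user, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m and m.group("user") in WATCHED_USERS:
            return m.group("user"), m.group("src")
    return None


class Threshold:
    """Sliding-window counter in the spirit of post #7's 'threshold 4:3600':
    fires (and resets) when `count` matches from one source fall inside `seconds`."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def block_command(src, chain="swatch_rejects"):
    """iptables command appending to the dedicated chain from post #7, or None when
    src is a hostname: '-s hostname' makes iptables resolve it at insert time and the
    insert fails when that lookup fails, which is what post #9 ran into."""
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return None
    return f"/sbin/iptables -A {chain} -s {src} -j DROP"


def process(lines, count=4, seconds=3600):
    """Run the rule over log lines; return (commands to run, sources skipped as unresolvable)."""
    threshold = Threshold(count, seconds)
    blocked, commands, skipped = set(), [], []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        _user, src = hit
        if src in blocked or not threshold.hit(src, syslog_seconds(line)):
            continue
        cmd = block_command(src)
        if cmd is None:
            skipped.append(src)   # report it; do not hand a hostname to iptables
        else:
            commands.append(cmd)
            blocked.add(src)      # one rule per address, not one per log line


    return commands, skipped


if __name__ == "__main__":
    print("field 10 of line 1:", awk_field(SAMPLE_LOG[0], 10))
    print("field 11 of line 4:", awk_field(SAMPLE_LOG[3], 11))
    cmds, skipped = process(SAMPLE_LOG)
    print("commands:", cmds)
    print("skipped:", skipped)
```

Running it shows that field 10 of the "Illegal user" line and field 11 of the "Failed password" line are both the source address, that 192.168.0.193 is blocked on its fourth failure while 10.0.0.7 is not, and that with count=1 the pam_unix line's rhost is reported as skipped instead of producing a rule that iptables would reject.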

  10. #10 | Just Joined! | Join Date: May 2005 | Location: Toronto | Posts: 9

    Try the ipt_recent module

    I was noticing ssh login attempts as well and came up with this solution using the recent module for iptables...

    Code:
    # $INTERNET, $IPADDR and $SSH_PORTS are shell variables from the surrounding firewall script
    modprobe ipt_recent ip_list_tot=200

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
        --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j LOG --log-prefix "Adaptive-FW SSH Prober: "

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j DROP

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --set --name SSH_PROBERS -j ACCEPT

    The first time someone attempts to contact the SSH server their IP gets added to the file SSH_PROBERS. If they are legit, their next connections will be established or related and their IP will expire from this file.

    If they failed at logging in and make another new attempt and their IP is listed in the SSH_PROBERS file then the first two rules take effect.

    The first two rules together will check the file and see if there are more than 3 listings of the source IP. If so, the packet is logged and dropped. It updates the SSH_PROBERS file with the new attempt and removes any listings older than 60 seconds.

    This means that to get another chance to try again without being dropped, you must wait until your IP is listed fewer than 3 times in the file. This stops bots from slamming port 22 with login attempts but does not deny you access from remote locations when it is legit.

    So far these rules have not blocked me but have reduced the SSH login attempts by bots for users like admin, guest, test, patrick, god, etc...

    I have also used similar rules to stop ftp probing as well as port scanning. It makes your firewall adapt to rapid portscans by just disappearing from the internet.

    hope this helps.
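
The three rules in the post above are easy to misjudge by hand, in particular how --update keeps a source blocked for as long as it keeps probing. Below is an added example in Python, not the poster's code and not the kernel's xt_recent code, that models the SSH_PROBERS list and replays constructed connection attempts through the rule order given (rcheck+LOG, update+DROP, set+ACCEPT). It assumes that --hitcount counts the timestamps recorded for an address inside the last --seconds, that --rcheck only reads the list, and that --set and --update both record the current packet's timestamp; the addresses and timings are made up.

```python
from collections import defaultdict


class RecentProbers:
    """Model of the SSH_PROBERS list kept by the three '-m recent' rules above.

    Assumptions (this is a model, not the kernel's xt_recent code): --hitcount
    counts the timestamps recorded for the address inside the last --seconds,
    --rcheck only reads the list, and --set and --update both record the
    current packet's timestamp. `update=False` shows what rule 2 would do if
    it used --rcheck instead of --update."""

    def __init__(self, hitcount=3, seconds=60, ip_pkt_list_tot=20, update=True):
        self.hitcount = hitcount
        self.seconds = seconds
        self.limit = ip_pkt_list_tot          # timestamps kept per address
        self.update = update
        self.stamps = defaultdict(list)       # source address -> timestamps

    def _record(self, src, now):
        s = self.stamps[src]
        s.append(now)
        if len(s) > self.limit:
            del s[0]                          # oldest stamp is pushed out

    def recent_hits(self, src, now):
        """Timestamps for src that fall inside the --seconds window ending at now."""
        return sum(1 for t in self.stamps[src] if now - t <= self.seconds)

    def new_connection(self, src, now):
        """Verdict for one NEW TCP connection to port 22 from src at time now (seconds).
        Returns ('DROP', True) when rule 1 logged it and rule 2 dropped it,
        ('ACCEPT', False) when rule 3 recorded it and let it through."""
        if self.recent_hits(src, now) >= self.hitcount:
            if self.update:
                self._record(src, now)        # --update: the probe itself extends the block
            return "DROP", True
        self._record(src, now)                # --set: remember the hit, then ACCEPT
        return "ACCEPT", False


def simulate(attempts, **kwargs):
    """attempts: [(src, time_in_seconds), ...] in arrival order -> list of verdicts."""
    probers = RecentProbers(**kwargs)
    return [probers.new_connection(src, t)[0] for src, t in attempts]


# Constructed traffic: a bot opening nine connections in about two minutes,
# and a legitimate admin opening three spaced two minutes apart.
BOT = [("203.0.113.9", t) for t in (0, 1, 2, 3, 4, 30, 59, 61, 130)]
ADMIN = [("192.0.2.5", t) for t in (0, 120, 240)]

if __name__ == "__main__":
    for name, attempts in (("bot", BOT), ("admin", ADMIN)):
        times = [t for _, t in attempts]
        print(name, list(zip(times, simulate(attempts))))
    print("bot, rule 2 with --rcheck instead of --update:",
          simulate(BOT, update=False))
```

The bot's first three connections are accepted, the fourth is dropped, and it stays dropped at t=61 even though its three accepted hits have aged out of the 60 second window, because every dropped probe was recorded by --update. With update=False the same bot gets back in at t=61. The admin, never making three NEW connections inside 60 seconds, is never touched, which is the "does not deny you access from remote locations" property the post describes.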

