Full Disclosure mailing list archives
Re: reduction of brute force login attempts via SSH through iptables --hashlimit
From: nocfed <nocfed () gmail com>
Date: Thu, 2 Mar 2006 06:48:58 -0600
On 3/1/06, GroundZero Security <fd () g-0 org> wrote:
Well I had a few minutes time, so I updated the script a bit. I did not use lastb though, as it wouldn't work (read the manpage.....) Anyhow, maybe someone finds it useful, so here is v.0.2: http://www.groundzero-security.com/code/bruteforce-block.sh

Any suggestions are welcome, insults and flames can be sent to /dev/null

-sk

GroundZero Security Research and Software Development
http://www.groundzero-security.com

We object to the use or transfer of our data for advertising purposes or for market or opinion research (§ 28 Abs. 4 BDSG).

pub 1024D/69928CB8 2004-09-27 Stefan Klaas <sk () groundzero-security com>
sub 2048g/2A3C7800 2004-09-27
Key fingerprint = A93E 41F8 7E82 5F2C 3E76 41F1 4BCF 3096 6992 8CB8

This E-mail might contain confidential information. If you are not the right addressee or you have received this Mail in error, please inform the Sender as soon as possible and delete this E-Mail immediately. You are not allowed to make any copies or relay this E-Mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Is this supposed to be like some 'My first attempt at scripting'? Please do not offer scripts like this as some people might believe it is useful, or even secure. The same people that will run this in /tmp with . in their path.

Please note that this entire script can ALL be done in 1, count them 1, awk command. (sed as well, but not worth it).

WTF is this?

    lIP=`ifconfig|grep -1 eth0|grep inet|sed 's/inet addr://'|awk '{print $1}'`

If you are going to ATTEMPT to do something, at least use documented options. It's ``grep -A1'' not ``grep -1''. Then a pipe into sed THEN into awk?

    lIP=`/sbin/ifconfig | awk '/^eth0/{getline; sub(".*:","",$2); print $2}'`
    lIP=`/sbin/ifconfig | sed -ne '/^eth0/{n;s/^.*addr:\([^ \x09]*\).*/\1/;p}'`

    cat /var/log/messages |grep "Failed password" >$fail
    cat /var/log/messages |grep "Illegal user" >$fail2
    cat /var/log/messages |grep "Invalid user" >$fail3
    cat /var/log/messages |grep "Failed keyboard" >$fail4

Really? Really? Yeah, /var/log/messages only has to be read ONE time and the other files can be written to. Which brings me to another point. Your use of static temp files in the current working directory is just... my god. We will just assume that 99% of all users do not use noclobber. You do know the implications of this, right?

    if [ "` cat $fail |grep "Failed password" |awk '{ print $15 }'`" == "" ]; then
        cat $fail |grep "Failed password" |awk '{ print $11 }' >ips1
    fi
    if [ "` cat $fail2 |grep "Illegal user" |awk '{ print $14 }'`" == "" ]; then
        cat $fail2 |grep "Illegal user" |awk '{ print $10 }' >ips2
    fi
    if [ "` cat $fail3 |grep "Invalid user" |awk '{ print $14 }'`" == "" ]; then
        cat $fail3 |grep "Invalid user" |awk '{ print $10 }' >ips3
    fi
    if [ "` cat $fail4 |grep "Failed keyboard" |awk '{ print $17 }'`" == "" ]; then
        cat $fail4 |grep "Failed keyboard" |awk '{ print $13 }' >ips4
    fi

Ughh, reading those files enough? That makes no sense anyways, and yet again we are clobbering static TEMPORARY files in the current working directory.

    echo "~ sorting out ip by ip"
    for line in `cat ips1` # |read line
    do
        echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
    done
    for line in `cat ips2` # |read line
    do
        echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
    done
    for line in `cat ips3` # |read line
    do
        echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
    done
    for line in `cat ips4` # |read line
    do
        echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
    done

See above. Not even going to comment on that again, let alone the pattern match. Will throw something at that in a minute.

    ls -la ip.*|awk '{ print $9 }' > ip.lst

That just makes no sense, yet again. Here is where you would use -1, but with ls (documented and valid switch, unlike in grep).

    for line in `cat ip.lst`
    do
        if [ `wc -l $line |awk '{ print $1 }'` = '1' ]; then
            # echo ""
            # echo "not enough failed logins, probably no attack from: $line"
            echo -n "*"
        else
            if [ `wc -l $line |awk '{ print $1 }'` = '2' ]; then
                # echo ""
                # echo "not enough failed logins, probably no attack from: $line"
                echo -n "*"
            else
                if [ `wc -l $line |awk '{ print $1 }'` = '3' ]; then
                    # echo ""
                    # echo "not enough failed logins, probably no attack from: $line"
                    echo -n "*"
                else
                    if [ `wc -l $line |awk '{ print $1 }'` = '4' ]; then
                        # echo ""
                        # echo "not enough failed logins, probably no attack from: $line"
                        echo -n "*"
                    else
                        # generate list of the ip's to be blocked
                        # echo "* IP: $line will be blocked!"
                        echo -n "."
                        echo $line >>$blocklist
                        i=1;
                    fi
                fi
            fi
        fi
    done

You should have just done this way differently in the first place. And Yippy! Another static temp file. $blocklist can be fun. This time no clobbering so it's even easier.

    if [ $i != 0 ]; then
        # edit blocklist (sometimes needs to be commented out or edited)
        cat $blocklist |sed 's/ip.::ffff://' >g && mv g $blocklist
        # cleanup
        rm -f ip.* ips1 ips2 ips3 ips4 ip.lst $fail $fail2 $fail3 $fail4
        for host in `cat $blocklist`
        do
            if ((${#host}>6)) && ((${#host}<16))
            then
                blk="`echo $host| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$'`"
                if [[ "$blk" != "$lIP" && "$blk" != "" ]]; then
                    echo " blocking IP: $blk" >> $log
                    echo "host: $host blk: $blk"
                    $fw -A INPUT -s $blk -j REJECT
                fi
            fi
        done
        cp $blocklist saved.blocklist
        rm -f $blocklist
        # left this in, in case you may not want to run this in background.
        #
        # echo "~ do you want to clean those entries from /var/log/messages ?"
        # read -e answer
        # if [ "$answer" == "y" ];
        # then
        echo "+ cleaning system logs.."
        cat /var/log/messages |grep -v "llegal user" |grep -v "ailed password" |grep -v "nvalid user"|grep -v "ailed keyboard" >m
        echo "+ creating backup of old logfile.."
        cp /var/log/messages msg.copy
        echo "+ replacing logfile.."
        cat m > /var/log/messages
        rm -f m
        # fi
    else
        echo "no attackers found."
    fi
    echo "finished."

Ohh, we are almost done! I liked symlinking m to /dev/urandom. It made me feel good about myself.

    grep | grep | grep | grep | grep | tee | grep | grep | cat | grep > /dev/stdout

What else do we have here?

    $ export blocklist=blocklist fw=echo log=log
    $ echo 0.0.0.0/0 >> $blocklist
    $ for host in `cat $blocklist`
      do
          if ((${#host}>6)) && ((${#host}<16))
          then
              blk="`echo $host| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$'`"
              if [[ "$blk" != "$lIP" && "$blk" != "" ]]; then
                  echo " blocking IP: $blk" >> $log
                  echo "host: $host blk: $blk"
                  $fw -A INPUT -s $blk -j REJECT
              fi
          fi
      done
    host: 0.0.0.0/0 blk: 0.0.0.0/0
    -A INPUT -s 0.0.0.0/0 -j REJECT
    $ cat log
    blocking IP: 0.0.0.0/0

:( Your not blocking lIP did not matter, like it would anyways. You made me sad. Notice your pattern match just LOVED accepting 0.0.0.0/0.

Hints:

    bash
    [ -e "$file" ]
    [ -h "$file" ]
    [ -n "$variable" ]
    set -o
    case/esac
    IFS=.; set -- $host
    ${VAR//}
    bc
    mktemp
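What the hints above amount to in practice, as an added example that is neither nocfed's code nor the script under review: one awk pass over the log, a strict dotted-quad check that rejects the 0.0.0.0/0 case shown in the reply, a pipeline instead of static files in the working directory, and mktemp where a file is really needed. The log lines are constructed, and FW is assumed to default to echo so rules are printed rather than loaded.

```shell
# Added example, not the reviewed script or nocfed's code: the block-list step
# redone along the hints above. Log lines are constructed; FW defaults to echo.

# Strict dotted quad: four decimal octets 0-255, nothing else ("0.0.0.0/0", "1.2.3",
# "::ffff:1.2.3.4" and "300.1.1.1" all fail). Subshell body keeps the IFS change local.
is_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
)
# One pass over the log: the address is the word after the last "from" (so the
# field number never matters), minus any IPv4-mapped prefix; count per address
# and print those at or above the threshold.
failed_ips() {   # $1 = log file, $2 = threshold
    awk -v min="$2" '
        /sshd/ && /Failed password|Illegal user|Invalid user|Failed keyboard/ {
            for (i = NF - 1; i > 0; i--) if ($i == "from") { a = $(i + 1); sub(/^::ffff:/, "", a); n[a]++; break }
        }
        END { for (a in n) if (n[a] >= min) print a }' "$1"
}
# Sorted candidates that are real dotted quads and not the local address.
# A pipeline: no ips1..ips4, ip.* or blocklist files in $PWD to clobber.
build_blocklist() {   # $1 = log file, $2 = threshold, $3 = local IP to spare
    failed_ips "$1" "$2" | while read -r ip; do
        [ "$ip" != "$3" ] && is_ipv4 "$ip" && echo "$ip"
    done | sort
}
# Where a file really is wanted, mktemp gives a private one instead of "m" or "g".
emit_rules() {   # same arguments; set FW=/sbin/iptables to apply for real
    list=$(mktemp) || return 1
    build_blocklist "$1" "$2" "$3" > "$list"
    while read -r ip; do ${FW:-echo} -A INPUT -s "$ip" -j REJECT; done < "$list"
    rm -f "$list"
}
# Constructed sample: 10.0.0.5 fails five times (once via a mapped address),
# 192.0.2.9 once, and one line carries "0.0.0.0/0" after "from".
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 box sshd[201]: Failed password for root from 10.0.0.5 port 4001 ssh2
Mar  1 10:00:02 box sshd[202]: Invalid user admin from 10.0.0.5
Mar  1 10:00:03 box sshd[203]: Failed password for invalid user admin from 10.0.0.5 port 4002 ssh2
Mar  1 10:00:04 box sshd[204]: Illegal user test from ::ffff:10.0.0.5
Mar  1 10:00:05 box sshd[205]: Failed keyboard-interactive/pam for root from 10.0.0.5 port 4003 ssh2
Mar  1 10:00:06 box sshd[206]: Failed password for root from 192.0.2.9 port 5000 ssh2
Mar  1 10:00:07 box sshd[207]: Invalid user 0.0.0.0/0 from 0.0.0.0/0
EOF
emit_rules "$SAMPLE_LOG" 5 ""   # prints: -A INPUT -s 10.0.0.5 -j REJECT
```

With the threshold lowered to 1, 192.0.2.9 joins the list while 0.0.0.0/0 is still dropped by is_ipv4, which is the check the original pattern match lacked.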
Current thread:
- reduction of brute force login attempts via SSH through iptables --hashlimit Jay Libove (Mar 01)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit GroundZero Security (Mar 01)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit Giancarlo Razzolini (Mar 01)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit nocfed (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit GroundZero Security (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit Gary Leons (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit GroundZero Security (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit Benjamin Bennett (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit Gary Leons (Mar 02)
- Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit GroundZero Security (Mar 02)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit GroundZero Security (Mar 01)
- Re: reduction of brute force login attempts viaSSHthrough iptables --hashlimit Dave Korn (Mar 03)
- Re: Re: reduction of brute force login attemptsviaSSHthrough iptables --hashlimit GroundZero Security (Mar 03)