Stupid people
At work we launched the new colo over last weekend. In the aftermath, it was time to get pam_abl installed. However, for some reason it wouldn’t work. I found one blog post suggesting that the OpenSSH server on Dapper doesn’t properly call PAM, so you need a patched version to run pam_abl. Well, the idea that (1) I only found it in one blog, and (2) he was offering a patched deb, didn’t really sit well with me.
I am all about community, but for something as fundamental as ssh, I am sorry, I am not willing to install that on the word of some yahoo with a WordPress blog.
I decided that there was more than one way to skin a cat, and that I would give DenyHosts a try. It’s a simple idea: it’s a Python script that adds IPs to /etc/hosts.deny on failed attempts at whatever protocol you give it. I just wanted to stop the lame ssh brute-force attacks (and really, if I had my druthers I would have used pam_abl; I think it’s much more elegant). I installed DenyHosts and am pretty pleased so far. I set it up to send me a notification when a host is blocked (at least for a little while, until I trust it). It’s not surprising that I get about 8 emails at a time. The brute-force script just goes down the line of IPs on the subnet and tries each one, so in turn each server blocks the IP and sends me an email.
This is the most recent jackass: 69.249.96.57 (c-69-249-96-57.hsd1.nj.comcast.net)
Fricken stupid people.
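The DenyHosts idea described above, reduced to a portable sh/awk script, as an added example (this is not DenyHosts' own code, which is Python): count "Failed password" lines per source in an sshd auth log and append a tcp_wrappers entry ("sshd: <ip>") to hosts.deny once a source crosses a threshold. The log lines are constructed for the example; the hostname, PIDs and the 10.0.0.5 address are made up, and the threshold and file paths are parameters rather than DenyHosts' defaults.

```shell
#!/bin/sh
# Added example, not DenyHosts itself: a cron-safe hosts.deny generator.
# sshd on Dapper is linked against libwrap, so a "sshd: <ip>" line in
# /etc/hosts.deny is enough to refuse that source at the TCP-wrapper layer.

# Sample auth.log excerpt (constructed; classic sshd "Failed password" format).
SAMPLE_LOG='Mar 12 03:14:07 web1 sshd[2201]: Failed password for invalid user admin from 69.249.96.57 port 51234 ssh2
Mar 12 03:14:09 web1 sshd[2203]: Failed password for invalid user test from 69.249.96.57 port 51240 ssh2
Mar 12 03:14:11 web1 sshd[2205]: Failed password for root from 69.249.96.57 port 51244 ssh2
Mar 12 03:14:15 web1 sshd[2207]: Failed password for invalid user oracle from 69.249.96.57 port 51250 ssh2
Mar 12 03:20:02 web1 sshd[2300]: Accepted publickey for me from 10.0.0.5 port 40001 ssh2
Mar 12 03:21:40 web1 sshd[2310]: Failed password for me from 10.0.0.5 port 40010 ssh2
Mar 12 03:21:45 web1 sshd[2312]: Accepted password for me from 10.0.0.5 port 40012 ssh2'

# failed_counts LOGFILE
#   Print "<ip> <count>" (sorted) for every source with "Failed password" lines.
#   Only sshd lines are considered; "Accepted" lines are ignored, so a user who
#   fat-fingers a password once is not counted as an attacker.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# deny_entries LOGFILE THRESHOLD
#   Print hosts.deny lines ("sshd: <ip>") for sources with >= THRESHOLD failures.
deny_entries() {
    failed_counts "$1" | awk -v t="$2" '$2 >= t { print "sshd: " $1 }'
}

# append_deny LOGFILE THRESHOLD DENYFILE
#   Append new entries to DENYFILE, skipping ones already present, so the
#   script can run repeatedly from cron without duplicating lines.
append_deny() {
    deny_entries "$1" "$2" | while read -r line; do
        grep -qxF "$line" "$3" 2>/dev/null || printf '%s\n' "$line" >> "$3"
    done
}

# Stand-alone run against the constructed log: threshold 3, deny file in /tmp.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$log"
    append_deny "$log" 3 /tmp/hosts.deny.example
    cat /tmp/hosts.deny.example
fi
```

Run it with `--demo` to see only the Comcast address land in the deny file; in production point it at /var/log/auth.log and /etc/hosts.deny and run it from cron. Note that this is one-way, like the thread's complaint about DenyHosts: nothing here ever removes an entry, so a forgotten admin typo stays blocked until someone edits the file.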
I’m using an iptables blocking method; I stick this before any “-m tcp -m state --state ESTABLISHED,RELATED” lines:
-A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --update --seconds 30 --hitcount 4 -j LOG --log-prefix "SSH REJECT: "
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
This blocks any new connections within 30 seconds after the 4th try.
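The rules above only work if they sit ahead of the generic ESTABLISHED,RELATED accept, so the practical question on a live box is which rule number to pass to `iptables -I`. The following script, added here as an example rather than Doug's own commands, emits the same three `-m recent` rules with the port, window and hit count as parameters, and computes the insertion index from an `iptables -S INPUT` dump. The chain dump inside it is constructed; on a real host substitute `"$(iptables -S INPUT)"`.

```shell
#!/bin/sh
# Added example (not from the comment above): parameterised version of the
# -m recent rate-limit rules plus an insertion-index finder, so the rules
# land before the ESTABLISHED,RELATED accept instead of after it.

# Constructed "iptables -S INPUT" dump for the example. The -P line is the
# chain policy, not a rule, so rule numbering starts at the first -A line.
SAMPLE_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# ratelimit_rules PORT SECONDS HITCOUNT
#   Print the tracker, logger and rejecter rules in iptables-save syntax.
#   Every NEW SYN adds a hit; the --update rules match once HITCOUNT hits
#   fall inside SECONDS, and --update also refreshes the timestamp, so a
#   source that keeps hammering stays blocked until it backs off.
ratelimit_rules() {
    port=$1; secs=$2; hits=$3
    base="-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name sshattack"
    printf '%s\n' "$base --set"
    printf '%s\n' "$base --update --seconds $secs --hitcount $hits -j LOG --log-prefix \"SSH REJECT: \""
    printf '%s\n' "$base --update --seconds $secs --hitcount $hits -j REJECT --reject-with tcp-reset"
}

# insert_index CHAIN_DUMP
#   1-based rule number of the first ESTABLISHED,RELATED (or RELATED,ESTABLISHED)
#   rule in an "iptables -S INPUT" dump; if there is none, one past the last rule.
insert_index() {
    printf '%s\n' "$1" | awk '
        /^-A / { n++; if (!found && /--state [A-Z,]*ESTABLISHED/) found = n }
        END { print (found ? found : n + 1) }'
}

# insert_commands PORT SECONDS HITCOUNT CHAIN_DUMP
#   Turn the rules into "iptables -I INPUT N ..." commands. Each successive
#   rule is inserted one position later, so the tracker/log/reject order from
#   the comment is preserved and all three end up above the ESTABLISHED accept.
insert_commands() {
    idx=$(insert_index "$4")
    ratelimit_rules "$1" "$2" "$3" |
        awk -v i="$idx" '{ sub(/^-A INPUT/, "iptables -I INPUT " i+NR-1); print }'
}

# Stand-alone run: show the commands for sshd on port 22 with Doug's 30s/4 values.
if [ "${1:-}" = "--demo" ]; then
    insert_commands 22 30 4 "$SAMPLE_CHAIN"
fi
```

Two caveats worth knowing before relying on this: the `recent` list holds a bounded number of addresses (the `ip_list_tot` module parameter, 100 by default), so a subnet-wide sweep like the one in the post can evict entries; and the `-j LOG` rule fires on every rejected SYN, which is exactly the log noise the rate limit is meant to reduce, so consider `-m limit` on that rule if the logwatch mail is still too big.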
Mmm… zombied machines. Gotta love botnets.
I really like non-standard ports. Just distribute a copy of the ~/.ssh/config snippet needed, like:
Host gw.corp.com
    User me
    Port 2222
Run that in tandem with Doug’s solution above and you get very little log noise.
Just for a frame of reference; with the above iptables config I cut a 1MB+ logwatch email down to