Remote ssh access

Quote:

Originally Posted by Wadson

Ëîãè ÷åãî è ãäå?

Ðîóòåðà. Â ðîóòåðå.

Îïèñàííûìè ñïîñîáàìè ìîæíî îãðàíè÷èòü èíòåíñèâíîñòü àòàê, ò.å., íàïðèìåð, íå áîëåå 3 êîííåêòîâ â òå÷åíèå 10 ìèíóò. À êàê ìîæíî îãðàíè÷èòü êîëè÷åñòâî îäíîâðåìåííûõ êîííåêòîâ ê ssh-ñåðâåðó ñ îäíîãî àäðåñà? Êàê ìîæíî îãðàíè÷èòü òàéìàóò ìåæäó óñòàíîâëåíèåì ñîåäèíåíèÿ ñ ssh-ñåðâåðîì è àâòîðèçàöèåé íà íåì?

Quote:

À êàê ìîæíî îãðàíè÷èòü êîëè÷åñòâî îäíîâðåìåííûõ êîííåêòîâ ê ssh-ñåðâåðó ñ îäíîãî àäðåñà?

Ýòî î÷åíü ñòðåìíîå äåéñòâî, ò.ê. íå êàæäàÿ ñåññèÿ çàêðûâàåòñÿ ïðè ðàçðûâå è òàê ìîæíî î÷åíü ëåãêî ñåáÿ îñòàâèòü áåç äîñòóïà âîîáùå.

Äîëãî îí äåðæàëñÿ, â ò.÷. åùå ñåãîäíÿ óòðîì, íî âîò îïÿòü íå ïóñêàåò.
nTorrent âûäàåò "Auth fail".
Â Putty ââîæó root, ââîæó ïàðîëü - ãîâîðèò: "Access denied".
Âîò êîíåö ëîãà:

Quote:

Oct 17 07:32:42 -- MARK --
Oct 17 07:52:46 -- MARK --
Oct 17 08:12:46 -- MARK --
Oct 17 08:32:46 -- MARK --
Oct 17 08:48:04 dropbear[1186]: Child connection from 192.168.1.5:2875
Oct 17 08:48:07 dropbear[1186]: password auth succeeded for 'admin' from 192.168.1.5:2875
Oct 17 08:52:46 -- MARK --
Oct 17 09:12:46 -- MARK --
Oct 17 09:32:46 -- MARK --
Oct 17 09:52:46 -- MARK --
Oct 17 10:12:46 -- MARK --
Oct 17 10:32:46 -- MARK --
Oct 17 10:52:50 -- MARK --
Oct 17 11:12:50 -- MARK --
Oct 17 11:17:52 dropbear[1186]: exit after auth (admin): error reading: Connection reset by peer
Oct 17 11:32:50 -- MARK --
Oct 17 11:52:50 -- MARK --
Oct 17 12:12:51 -- MARK --
Oct 17 12:32:51 -- MARK --
Oct 17 12:52:51 -- MARK --
Oct 17 13:12:51 -- MARK --
Oct 17 13:32:51 -- MARK --
Oct 17 13:52:57 -- MARK --
Oct 17 14:09:15 dropbear[1233]: Child connection from 192.168.1.5:2686
Oct 17 14:09:18 dropbear[1233]: login attempt for nonexistent user from 192.168.1.5:2686
Oct 17 14:09:18 dropbear[1233]: exit before auth: Disconnect received
Oct 17 14:11:53 dropbear[1241]: Child connection from 192.168.1.5:2943
Oct 17 14:12:24 dropbear[1241]: user 'root' has blank password, rejected
Oct 17 14:12:57 -- MARK --
Oct 17 14:13:16 dropbear[1241]: user 'root' has blank password, rejected
Oct 17 14:13:22 dropbear[1241]: user 'root' has blank password, rejected
Oct 17 14:13:27 dropbear[1241]: exit before auth (user 'root', 6 fails): Exited normally
Oct 17 14:16:22 dropbear[1243]: Child connection from 192.168.1.5:3242
Oct 17 14:16:42 dropbear[1243]: user 'root' has blank password, rejected
Oct 17 14:16:47 dropbear[1243]: user 'root' has blank password, rejected
Oct 17 14:21:48 dropbear[1243]: exit before auth (user 'root', 4 fails): Timeout before auth

à) âû óæ âûÿñíèòå - àäìèí èëè ðóò.
Òåì áîëåå, ÷òî îí âàì àíãëèéñêèì ÿçûêîì ïèøåò -
Oct 17 08:48:07 dropbear[1186]: password auth succeeded for 'admin' from 192.168.1.5:2875
Oct 17 14:13:22 dropbear[1241]: user 'root' has blank password, rejected

Quote:

Originally Posted by asp

à) âû óæ âûÿñíèòå - àäìèí èëè ðóò.
Òåì áîëåå, ÷òî îí âàì àíãëèéñêèì ÿçûêîì ïèøåò -
Oct 17 08:48:07 dropbear[1186]: password auth succeeded for 'admin' from 192.168.1.5:2875
Oct 17 14:13:22 dropbear[1241]: user 'root' has blank password, rejected

À ÷òî òóò âûÿñíÿòü? Ýòî çàõîäû èç ðàçíûõ ïðîãðàìì â ðàçíîå âðåìÿ. Ñ óòðà àâòîðèçàöèÿ ïðîõîäèëà, ïîòîì ïåðåñòàëà. È ïðî òîãî æå àäìèíà ëîã íàïèñàë óæå "íåñóùåñòâóþùèé þçåð". ß ïîòîìó è ïðèâåë âåñü êóñîê.
Åñëè Âàñ ýòî ñìóùàåò, âîò ïîñëåäíèå äåéñòâèÿ:

Quote:

Oct 17 20:21:04 dropbear[643]: Child connection from 192.168.1.5:1203
Oct 17 20:21:07 dropbear[643]: password auth succeeded for 'admin' from 192.168.1.5:1203
Oct 17 20:21:23 dropbear[644]: Child connection from 192.168.1.5:1271
Oct 17 20:21:32 dropbear[644]: password auth succeeded for 'root' from 192.168.1.5:1271

À âîò ïî÷åìó îí îòðóáàåòñÿ è ïåðåñòàåò ïðèíèìàòü ïàðîëü - âîïðîñ.

à êàê æå íàñ÷åò òîãî, ÷òî dropbear äåðæèò íå áîëåå 30 ñîåäèíåíèé îäíîâðåìåííî? òàê äåéñòâèòåëüíî ìîæíî îñòàòüñÿ áåç ñâîáîäíûõ ñîåäèíåíèé.

Ëîãèí/ïàðîëü íà SSH

Ìîæíî ëè ñäåëàòü ëîãèí / ïàðîëü íà SSH òàêèì îáðàçîì, ÷òîáû îí îòëè÷àëñÿ îò telnet?

Quote:

Originally Posted by YVM

Ìîæíî ëè ñäåëàòü ëîãèí / ïàðîëü íà SSH òàêèì îáðàçîì, ÷òîáû îí îòëè÷àëñÿ îò telnet?

âû è òàì è òàì çàõîäèòå ïîä ðóòîì.
íåëüçÿ.

FTP brut force

Ïðîøó ïîìî÷ü ðàçîáðàòüñÿ ñ brut force FTP. Çàäðàëè íàøè æåëòîëèöûå ñîñåäè.
Ïåðå÷èòàâ äàííóþ âåòêó â post-firewall äîáàâèë ñëåäóþùåå ïðàâèëî:

Code:

# for FTP FTP_PORT=21 iptables -N FTPSCAN iptables -A INPUT -p tcp --dport $FTP_PORT -j FTPSCAN iptables -A FTPSCAN -i ! $3 -p tcp --dport $FTP_PORT / -m state --state NEW -m recent --set --name FTP_BR_FR --rsource iptables -A FTPSCAN -i ! $3 -p tcp --dport $FTP_PORT / -m state --state NEW -m recent --update --seconds 60 --hitcount 3 / --name FTP_BR_FR --rsource -j DROP iptables -A FTPSCAN -p tcp --dport $FTP_PORT -j ACCEPT

Code:

$ lsmod Module Size Used by Tainted: P ......... ip_nat_ftp 3912 0 (unused) ip_conntrack_ftp 5216 1 wl 892280 0 (unused) et 31288 0 (unused) ipt_recent 11640 2

Âîò ÷òî ãîâîðèò iptables -L INPUT -vn

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 34 3076 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 27147 2454K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 188 11280 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW 1129 385K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 31 868 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.0/4 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4 udp dpt:!1900 1850 233K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FTPSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Äîñòóïà, ñîîòâåòñòâåííî, ê FTP íåò. Ïîðò â òàéìàóòå. Äðóçüÿ, êóäà êîïàòü :confused:

Çàðàíåå áëàãîäàðåí çà ïîìîùü!

Quote:

Originally Posted by Corvus

Âîò ÷òî ãîâîðèò iptables -L INPUT -vn

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 34 3076 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 27147 2454K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 188 11280 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW 1129 385K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 31 868 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.0/4 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4 udp dpt:!1900 1850 233K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FTPSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Äîñòóïà, ñîîòâåòñòâåííî, ê FTP íåò. Ïîðò â òàéìàóòå. Äðóçüÿ, êóäà êîïàòü :confused:

âûäåëåííîå æèðíûì ïðàâèëî íå ïðîïóñêàåò íè÷åãî çà ñåáÿ. Òàê ÷òî ïðîâåðêà íà ðàçðåøåííîñòü ftp äîëæíà áûòü âñòàâëåíà ïåðåä íèì

Quote:

Originally Posted by al37919

âûäåëåííîå æèðíûì ïðàâèëî íå ïðîïóñêàåò íè÷åãî çà ñåáÿ. Òàê ÷òî ïðîâåðêà íà ðàçðåøåííîñòü ftp äîëæíà áûòü âñòàâëåíà ïåðåä íèì

al37919, ÑÏÀÑÈÁÎ çà íàâîäêó! Ïðîçåâàë ñòðî÷êó. Î÷èùåíèå öåïî÷êè INPUT áûëî çàêîìåíòèðîâàíî è ðîóòåð, âèäèìî, âòûêàë ñâîå, êàêîå-òî "óìîë÷àëüíîå", DROP-ïðàâèëî ïåðåä ðàçðåøàþùèì äëÿ FTP.

Quote:

Originally Posted by Mam(O)n

Åñëè óæ î÷åíü îõîòà (â öåëÿõ îïòèìèçàöèè) äîáàâèòü ïðàâèëî â êîíåö öåïî÷êè (-A) òîãäà:

Code:

# Óñòàíàâëèâàåì äåéñòâèå ïî-óìîë÷àíèþ(DROP èëè ACCEPT), êîòîðîå áóäåò âûïîëíåíî ïðè äîñòèæåíèè êîíöà öåïî÷êè. Ïî-äåôîëòó ñòîèò ACCEPT. iptables -P INPUT DROP # Óäàëÿåì ïîñëåäíåå ïðàâèëî â öåïî÷êå, êîòîðîå äðîïàåò ïàêåòû. iptables -D INPUT -j DROP # Äîáàâëÿåì â êîíåö öåïî÷êè ïðàâèëî, ðàçðåøàþùåå âõîäÿùèå tcp ïàêåòû íà 1555 ïîðò iptables -A INPUT -p tcp --dport 1555 -j ACCEPT

Åñëè ìû óäàëÿåì ïîñëåäíåå ïðàâèëî â öåïî÷êå, êîòîðîå äðîïàåò ïàêåòû, òî íå ñîçäàñò ëè ýòî "äûðêó" â ôàåðâîëå ÷åðåç êîòîðóþ áóäóò ïðîíèêàòü íåæåëàòåëüíûå ïàêåòû?

Quote:

Originally Posted by Asgard

Åñëè ìû óäàëÿåì ïîñëåäíåå ïðàâèëî â öåïî÷êå, êîòîðîå äðîïàåò ïàêåòû, òî íå ñîçäàñò ëè ýòî "äûðêó" â ôàåðâîëå ÷åðåç êîòîðóþ áóäóò ïðîíèêàòü íåæåëàòåëüíûå ïàêåòû?

Íå ñîçäàñò. Ïðî÷èòàéòå âíèìàòåëüíî äâå ñòðî÷êè âûøå:

Quote:

Originally Posted by Mam(O)n

Code:

# Óñòàíàâëèâàåì äåéñòâèå ïî-óìîë÷àíèþ(DROP èëè ACCEPT), êîòîðîå áóäåò âûïîëíåíî ïðè äîñòèæåíèè êîíöà öåïî÷êè. Ïî-äåôîëòó ñòîèò ACCEPT. iptables -P INPUT DROP # Óäàëÿåì ïîñëåäíåå ïðàâèëî â öåïî÷êå, êîòîðîå äðîïàåò ïàêåòû. iptables -D INPUT -j DROP # Äîáàâëÿåì â êîíåö öåïî÷êè ïðàâèëî, ðàçðåøàþùåå âõîäÿùèå tcp ïàêåòû íà 1555 ïîðò iptables -A INPUT -p tcp --dport 1555 -j ACCEPT

Íåäàâíî íà ìîåì WL-500w ïðîèçîøåë ïðîãðàììíûé ñáîé - ïðèõîäèòñÿ ïåðåíàñòðàèâàòü. Âîò è äåëî äîøëî è äî SSH. Âñå íàñòðîèë áåç ïðîáëåì áëàãîäàðÿ äîõîä÷èâûì ïîÿñíåíèÿì çíàòîêîâ â ýòîé âåòêå, çà ÷òî áîëüøîå èì ñïàñèáî. Äîáàâèë â post-firewall ÷àñòü êîäà äëÿ êîíòðîëÿ ïîïûòîê çàëîãèíèòüñÿ íà ñåðâåð SSH â ñîîòâåòñòâèè ñ ñîîáùåíèåì al37919. Âðîäå, ðàáîòàåò âñå èñïðàâíî. Ïî êðàéíåé ìåðå, ìåíÿ ïóñêàåò íà ìîé ìàðøðóòèçàòîð ñ äðóãèõ êîìïüþòåðîâ ÷åðåç èíòåðíåò. Òàêæå ÿ óñòàíîâèë syslog-ng äëÿ ïóùåé èíôîðìàòèâíîñòè ëîãîâ. Ïåðèîäè÷åñêè íàáëþäàþ ïîïûòêè çàëîãèíèòüñÿ íà ìîåì ñåðâåðå SSH, ïîêà áåçóñïåøíûå. Òîëüêî ïî÷åìó-òî íå âûâîäèòñÿ IP-àäðåñ "ïëîõîãî ïàðíÿ". Âûâîä â òàêîì ôîðìàòå:

Code:

21:46:14 09-09-2010 (info|authpriv|dropbear) dropbear[770]: exit before auth: Exited normally

Ðàíüøå, äî ñáîÿ, ÿ ïîìíþ, ÷òî àäðåñ âûâîäèëñÿ â ëîã.

Âñå ìîè äåéñòâèÿ àâòîðèçàöèè íà ñåðâåðå SSH è âûõîäå ñ íåãî ëîãèðóþòñÿ íîðìàëüíî - ëîã â ïîëíîì îáúåìå, ñ IP-àäðåñîì.

Ïðîøèâêà óñòàíîâëåíà WL500W-1.9.2.7-d-r1825.trx, SSH âñòðîåí â ïðîøèâêó, çàïóùåí íà íåñòàíäàðòíîì ïîðòó (ñêàæåì, 12345). Â âåá-èíòåðôåéñå îòêëþ÷åíà çàùèòà îò ëîáîâîé àòàêè.

Âûâîä iptables (MAC-àäðåñà çàìåíåíû íà ôèêòèâíûå, IP-àäðåñ ìàðøðóòèçàòîðà òîæå - 999.999.999.999, íà ïåðèîä íàñòðîéêè ìàðùðóòèçàòîðà îòêðûò äîñòóï ê âåá-èíòåðôåéñó èç èíòåðíåò ÷åðåç ïîðò 55555):

Code:

IP Tables Chain INPUT (policy DROP 51213 packets, 4185K bytes) pkts bytes target prot opt in out source destination 11381 884K MACS all -- br0 * 0.0.0.0/0 0.0.0.0/0 320 31078 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 64322 45M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 90 5664 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW 5685 400K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 66497 5262K SECURITY all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW 4 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02 100 4800 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80 0 0 SSH_EVAL tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 Chain FORWARD (policy ACCEPT 192K packets, 16M bytes) pkts bytes target prot opt in out source destination 27M 23G MACS all -- br0 * 0.0.0.0/0 0.0.0.0/0 12483 630K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 37M 24G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- !br0 eth1 0.0.0.0/0 0.0.0.0/0 45043 2277K SECURITY all -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 13851 696K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT 0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 60421 packets, 51M bytes) pkts bytes target prot opt in out source destination Chain BRUTE (0 references) pkts bytes target prot opt in out source destination Chain MACS (2 references) pkts bytes target prot opt in out source destination 27M 23G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 11:11:11:11:11:11 201 106K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 22:22:22:22:22:22 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 33:33:33:33:33:33 59997 4781K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 44:44:44:44:44:44 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 55:55:55:55:55:55 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 66:66:66:66:66:66 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 77:77:77:77:77:77 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 88:88:88:88:88:88 2 658 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain SECURITY (2 references) pkts bytes target prot opt in out source destination 13724 693K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 338 13520 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 51099 4179K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 7 464 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 46372 2653K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain SSH_EVAL (1 references) pkts bytes target prot opt in out source destination 0 0 tcp -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:12345 recent: SET name: SSH_ATTACKER side: source 0 0 DROP tcp -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:12345 recent: UPDATE seconds: 600 hit_count: 4 name: SSH_ATTACKER side: source 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02 Chain logaccept (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT ' 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain logdrop (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP ' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 IP Tables NAT Chain PREROUTING (policy ACCEPT 277K packets, 26M bytes) pkts bytes target prot opt in out source destination 107K 6710K VSERVER all -- * * 0.0.0.0/0 999.999.999.999 Chain POSTROUTING (policy ACCEPT 15273 packets, 793K bytes) pkts bytes target prot opt in out source destination 1584 78569 SNAT all -- * br0 192.168.1.0/28 192.168.1.0/28 to:192.168.1.1 113K 11M SNAT all -- * eth1 !999.999.999.999 0.0.0.0/0 to:999.999.999.999 Chain OUTPUT (policy ACCEPT 1903 packets, 125K bytes) pkts bytes target prot opt in out source destination Chain VSERVER (1 references) pkts bytes target prot opt in out source destination 513 24624 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:55555 to:192.168.1.1:80 46132 2328K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:61157 to:192.168.1.3:61157 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10308 to:192.168.1.3:10308 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2302 to:192.168.1.3:2302

Ôàéë /proc/net/ipt_recent/SSH_ATTACKER âñåãäà ïóñò. Õîòÿ äàòà åãî ìîäèôèêàöèè ïîñòîÿííî îáíîâëÿåòñÿ.