Áåçîïàñíîñòü SSH (dropbear)

Printable View

Show 40 post(s) from this thread on one page

16-01-2007, 21:34
SergeyVl

4 Attachment(s)

Áåçîïàñíîñòü SSH (dropbear)

Èìååòñÿ WL-500gP, ïðîøèâêà 1.9.2.7-7f post5, ðåàëüíûé ÈÏ, è íåîáõîäèìîñòü äîñòóïà ê ðîóòåðó ïî SSH ñ èíòåðíåòà (ñ ðàçëè÷íûõ ÈÏ àäðåñîâ).
Íà ðîóòåðå çàïóùåí dropbear (ðàíåå çàïóùåí áûë èäóùèé â ïðîøèâêå, ñåé÷àñ ïîñòàâèë ïàêåò dropbear 0.48.1-1).
Çàìåòèë â ëîãàõ îãðîìíîå êîëè÷åñòâî ïîïûòîê ïîäêëþ÷åíèÿ ïî ssh:

Code:

Jan 16 15:44:00 dropbear[2160]: Child connection from ::ffff:66.240.221.***:38230 Jan 16 15:44:02 dropbear[2160]: login attempt for nonexistent user from ::ffff:66.240.221.***:38230 Jan 16 15:44:03 dropbear[2160]: exit before auth: Disconnect received

ñ îäíîãî è òîãî æå ÈÏ, èíòåðâàë - 2...4 ñåêóíäû, è óæå áîëåå 10 ÷àñîâ ïîäðÿä, èíîãäà íàòûêàåòñÿ íà ïîëüçîâàòåëÿ 'admin':

Code:

Jan 16 11:07:22 dropbear[29822]: Child connection from ::ffff:66.240.221.***:59692 Jan 16 11:07:24 dropbear[29822]: bad password attempt for 'admin' from ::ffff:66.240.221.***:59692 Jan 16 11:07:24 dropbear[29822]: exit before auth (user 'admin', 1 fails): Disconnect received

Íàñêîëüêî "ñèëüíà" çàùèòà dropbear îò "âçëîìà"?
Êàêîâà ìèíèìàëüíî-ðåêîìåíäóåìàÿ äëèíà ïàðîëÿ äëÿ îáåñïå÷åíèÿ äîñòàòî÷íîé áåçîïàñíîñòè?
Âîçìîæíî ëè áîðîòüñÿ ñ ýòèì (çàäàòü òàéì-àóò íà ïîäêëþ÷åíèå èëè êàê òî åùå), à çà îäíî èçáàâèòüñÿ îò "ïàðàçèòíîãî òðàôèêà"?

ÏÑ. Âîçìîæíî, ìåíÿ áû ýòî íå òàê ñèëüíî ñìóùàëî, åñëè áû íå ðåçóëüòàòû ñêàíèðîâàíèÿ (ñ WAN) ñ ïîìîùüþ XSpider 7.5 (Demo):
16-01-2007, 21:42
imdex

Ïîðò dropbear ñìåíèòå íà êàêîé-íèáóäü èç âûøå 1024. ß òîæå ñïåðâà âûñòàâèë â èíåò db íà 22 ïîðòó, ïàðîëü ïîäáèðàëè êàæäûé äåíü. Íå ïîäîáðàëè, íî ïîòîì ìíå íàäîåëî è ÿ ïåðåâåë db íà 22000, çà ìåñÿö íè îäíîé ïîïûòêè íå çàôèêñèðîâàíî.
17-01-2007, 04:34
FilimoniC

Quote:

Originally Posted by imdex

Ïîðò dropbear ñìåíèòå íà êàêîé-íèáóäü èç âûøå 1024. ß òîæå ñïåðâà âûñòàâèë â èíåò db íà 22 ïîðòó, ïàðîëü ïîäáèðàëè êàæäûé äåíü. Íå ïîäîáðàëè, íî ïîòîì ìíå íàäîåëî è ÿ ïåðåâåë db íà 22000, çà ìåñÿö íè îäíîé ïîïûòêè íå çàôèêñèðîâàíî.

àíàëîãè÷íî. 1022 ïîðò
17-01-2007, 07:54
alexnik

À ÿ ïðîñòî îãðàíè÷èë êîëè÷åñòâî ïîïûòîê

Code:

iptables -t nat -I PREROUTING -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
17-01-2007, 09:33
Duke

Ïðîèçâîëüíûé ïîðò ðàíî èëè ïîçíî ìîãóò íàéòè ïðîñòûì ñêàíèðîâàíèåì îòêðûòûõ ïîðòîâ. ÿ õèòðåå íàñòðîèë - íåñêîëüêî ðàç â ÷àñ ïðîâåðÿåòñÿ ëîã íà ïðåäìåò ïîïûòîê ïîäêëþ÷åíèÿ ñ íåâåðíûì ïàðîëåì - ïðîâèíèâøèìñÿ àäðåñàì ïðèêðûâàåòñÿ 22é ïîðò, àäðåñà ñîõðàíÿþòñÿ íà ôëåøêè è ïîñëå ïåðåçàãðóçêè òàêæå áëîêèðóþòñÿ â ïîñò-ôàéðâîëå. Ïåðèîäè÷åñêè âðó÷íóþ ñîðòèðóþ ýòîò ñïèñîê è ïðè äâîéíîì ìîïàäàíèè çàêðûâàþ íàôèã äîñòóï ïî âñåì ïîðòàì íà âñþ ïîäñåòü. Ïðîöåíòîâ 80-90 ëåçóò êèòàéöû (äûðÿâûå ìàñêèâûäàííûõ êèòàéöàìè ïîäñåòåé - ýòî îòäåëüíàÿ ïåñíèÿ)

ÇÛæ Õîòÿ åùå áîëåå ñåêóðíî-îòêðûòü äîñòóï èñêëþ÷èòåëüíî íà ïîäñåòè èç êîòîðûõ ñàì çàõîäèø, íî íå âñåãäà çíàåøü îòêóäà ïðèäåòñÿ ëåçòü..
17-01-2007, 10:29
imdex

Quote:

Originally Posted by Duke

Ïðîèçâîëüíûé ïîðò ðàíî èëè ïîçíî ìîãóò íàéòè ïðîñòûì ñêàíèðîâàíèåì îòêðûòûõ ïîðòîâ. ÿ õèòðåå íàñòðîèë - íåñêîëüêî ðàç â ÷àñ ïðîâåðÿåòñÿ ëîã íà ïðåäìåò ïîïûòîê ïîäêëþ÷åíèÿ ñ íåâåðíûì ïàðîëåì - ïðîâèíèâøèìñÿ àäðåñàì ïðèêðûâàåòñÿ 22é ïîðò, àäðåñà ñîõðàíÿþòñÿ íà ôëåøêè è ïîñëå ïåðåçàãðóçêè òàêæå áëîêèðóþòñÿ â ïîñò-ôàéðâîëå. Ïåðèîäè÷åñêè âðó÷íóþ ñîðòèðóþ ýòîò ñïèñîê è ïðè äâîéíîì ìîïàäàíèè çàêðûâàþ íàôèã äîñòóï ïî âñåì ïîðòàì íà âñþ ïîäñåòü. Ïðîöåíòîâ 80-90 ëåçóò êèòàéöû (äûðÿâûå ìàñêèâûäàííûõ êèòàéöàìè ïîäñåòåé - ýòî îòäåëüíàÿ ïåñíèÿ)

ÇÛæ Õîòÿ åùå áîëåå ñåêóðíî-îòêðûòü äîñòóï èñêëþ÷èòåëüíî íà ïîäñåòè èç êîòîðûõ ñàì çàõîäèø, íî íå âñåãäà çíàåøü îòêóäà ïðèäåòñÿ ëåçòü..

Äà íèêîìó ýòî íå íàäî, ñêàíèðîâàòü âñå ïîðòû. Ðîáîò çàïóùåí èëè ñêðèïò-êèä, ïåðåáèðàåò ñòàíäàðòíûå òèïà 22, 23, 3389, 80, 8080 è ò.ä. Íàõîäèò, ïûòàåòñÿ ïîëîìàòü, íå íàõîäèò, óõîäèò. Âðÿä ëè ó êîãî-òî õðàíÿòñÿ äàííûå, çà êîòîðûå ìîãóò çàïëàòèòü äåíüãè, ÷òîáû äîñòàëè. À åñëè õðàíÿòñÿ, òî âîîáùå íå ñòîèò â èíåò îòêðûâàòü õîòü ÷òî-òî.
17-01-2007, 12:17
seeker

Quote:

Originally Posted by alexnik

À ÿ ïðîñòî îãðàíè÷èë êîëè÷åñòâî ïîïûòîê

Code:

iptables -t nat -I PREROUTING -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

à êàê ýòî îãðàíè÷èâàåò êîëè÷åñòâî ïîïûòîê?:)
17-01-2007, 12:43
alexnik

Quote:

à êàê ýòî îãðàíè÷èâàåò êîëè÷åñòâî ïîïûòîê?

Äà ïðîñòî. äîïóñêàåòñÿ íå áîëåå 2 ïîïûòîê âõîäà â òå÷åíèè 10 ìèíóò.
Íî ñàìîå êðàñèâîå (ïðàâäà ïàðàíîèäàëüíîå) ðåøåíèå, êîòîðîå ÿ âèäåë, ýòî êîãäà äëÿ äîñòóïà ïî ssh íàäî ïðåäâàðèòåëüíî ñòóêíóòüñÿ íà êàêîé-íèáóòü íåñòàíäàðòíûé ïîðò, òèïà òîãî-æå 22000, è ïîòîì ïîëó÷àòü äîñòóï ïî 22.
17-01-2007, 12:58
Mam(O)n

alexnik, ó ìåíÿ âîò òàê âîò ïîëó÷àåòñÿ:

Code:

[root@router /tmp]$ iptables -t nat -I PREROUTING -i ppp0 -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource iptables: No chain/target/match by that name

Òû êàêèåíèáóäü ìîäóëè äîïîëíèòåëüíûå ê ÿäðó ïðèêðó÷èâàë?
17-01-2007, 13:24
seeker

Quote:

Originally Posted by alexnik

À ÿ ïðîñòî îãðàíè÷èë êîëè÷åñòâî ïîïûòîê

Code:

iptables -t nat -I PREROUTING -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i $WAN -p tcp -m state --state NEW --dport 22 \ -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

äîáàâèë ýòî â êîíöå post-firewall, ñìåíèâ 22 íà íîìåð ñâîåãî ïîðòà äëÿ ssh, íå ïîìîãàåò. ïûòàéñÿ êîííåòèòüñÿ õîòü ñòî ðàç ïîäðÿä.
17-01-2007, 14:01
alexnik

Quote:

Originally Posted by Mam(O)n

alexnik, ó ìåíÿ âîò òàê âîò ïîëó÷àåòñÿ:

Code:

[root@router /tmp]$ iptables -t nat -I PREROUTING -i ppp0 -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource iptables: No chain/target/match by that name

Òû êàêèåíèáóäü ìîäóëè äîïîëíèòåëüíûå ê ÿäðó ïðèêðó÷èâàë?

Âñå â ïðîøèâêå åñòü, ïðîñòî ipt_recent íå çàïóøåí.
insmod ipt_recent òåáå ïîìîæåò.
Äëÿ èñïîëüçîâàíèÿ ïðàâèëà â post-firewall-å äîáàâèòü ýòó ñòðî÷êó â post-boot.
è çàìåíèòü $WAN íà $1
17-01-2007, 14:27
Mam(O)n

alexnik, ñïàñèáî çà íàâîäêó. Ñàì íåäîãàäàëñÿ. Âñå ïðàâèëà ïðîïèñàëèñü:)
17-01-2007, 14:34
seeker

Quote:

Originally Posted by alexnik

Âñå â ïðîøèâêå åñòü, ïðîñòî ipt_recent íå çàïóøåí.
insmod ipt_recent òåáå ïîìîæåò.
Äëÿ èñïîëüçîâàíèÿ ïðàâèëà â post-firewall-å äîáàâèòü ýòó ñòðî÷êó â post-boot.
è çàìåíèòü $WAN íà $1

ÿ ïðàâèëüíî ïîíèìàþ, ÷òî íàäî
à) äîáàâèòü â post-boot ñòðî÷êó â êîíöå

Code:

insmod ipt_recent

á) äîáàâèòü â post-firewall äâå ñòðî÷êè â êîíöå

Code:

iptables -t nat -I PREROUTING -i $1 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i $1 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

ãäå 1555 - ïîðò ssh

×¸ òà íå ðàáîòàåò íèôèãà...
17-01-2007, 15:26
alexnik

seeker
èìåííî òàê.
Âîçìîæíî íå òîò èíòåðôåéñ ïîäñòàâëÿåòñÿ â post-firewall-å.

Code:

iptables -L -v | grep SSH_ATTACKER

÷òî ãîâîðèò?
17-01-2007, 15:32
alexnik

Code:

25 1428 DROP tcp -- vlan1 any anywhere anywhere state NEW tcp dpt:22 recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source

Èíòåðåñóåò íàëè÷èå òàêîé ñòðî÷êè, ïîä÷åðêíóòûé èíòåðôåéñ è òèï ñîåäèíåíèÿ
18-01-2007, 14:13
seeker

Quote:

Originally Posted by alexnik

Code:

25 1428 DROP tcp -- vlan1 any anywhere anywhere state NEW tcp dpt:22 recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source

Èíòåðåñóåò íàëè÷èå òàêîé ñòðî÷êè, ïîä÷åðêíóòûé èíòåðôåéñ è òèï ñîåäèíåíèÿ

ñîåäèíåíèå vpn - ppp0. âîò ÷òî ãîâîðèò

Code:

0 0 DROP tcp -- ppp0 any anywhere anywhere state NEW tcp dpt:https recent: UPDATE seconds: 600 hit_count: 3 name: SS H_ATTACKER side: source

íóæíî ÷òî áû çàùèòà ðàáîòàëà ñî ñòîðîíû wan íåçàâèñèìî îò òîãî, àòàêóþò ëè èç íåòà ÷åðåç âïí èëè èç ëîêàëêè ñî âíåøíåé ñòîðîíû.
18-01-2007, 16:10
alexnik

ïðîùå âñåãî ñäåëàòü òàê

Code:

iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
18-01-2007, 16:16
seeker

Quote:

Originally Posted by alexnik

ïðîùå âñåãî ñäåëàòü òàê

Code:

iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

à ÷òî îçíà÷àåò $3?
18-01-2007, 18:23
midya

Quote:

Originally Posted by seeker

à ÷òî îçíà÷àåò $3?

Ýòî ñêîëüêî Âû çàäîëæàëè ôîðóìó çà ñîâåòû=)))
18-01-2007, 18:40
seeker

Quote:

Originally Posted by alexnik

ïðîùå âñåãî ñäåëàòü òàê

Code:

iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

â ðåçóëüòàòå ýòèõ ñòðîê ssh òåïåðü âñåãäà ïîñûëàåò ìåíÿ:) äàæå ñ ëàíà:)
19-01-2007, 09:17
alexnik

Quote:

Originally Posted by seeker

à ÷òî îçíà÷àåò $3?

$3 ýòî lan èíòåðôåéñ, äîëæíî ïîäñòàâèòüñÿ br0.

Quote:

â ðåçóëüòàòå ýòèõ ñòðîê ssh òåïåðü âñåãäà ïîñûëàåò ìåíÿ äàæå ñ ëàíà

íà 22 ïîðò?
19-01-2007, 21:07
seeker

Quote:

Originally Posted by alexnik

ïðîùå âñåãî ñäåëàòü òàê

Code:

iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

âîáùåì äîáàâëåíèå äàííûõ ñòðî÷åê íå ïîìîãëî - êîííåêòèòñÿ ïûòàòüñÿ ìîæíî ñêîëüêî óãîäíî ñ âàíà.
âîò ÷òî ãîâîðèò
iptables -L -v | grep SSH_ATTACKER

Code:

0 0 DROP tcp -- !br0 any anywhere anywhere state NEW tcp dpt:https recent: UPDATE seconds: 600 hit_count: 3 name: SS H_ATTACKER side: source 0 0 tcp -- !br0 any anywhere anywhere state NEW tcp dpt:https recent: SET name: SSH_ATTACKER side: source
19-01-2007, 21:44
black_128

Ñäåëàéòå ïðîùå:
---

#!/bin/sh
## WEB,SSH and FTP access from WAN
## Set default policy
iptables -P INPUT DROP
## Removes last default rule
iptables -D INPUT -j DROP
## Open FTP,SSH,WWW ports
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j brute_force
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## Block SSH brute force attacks
iptables -N brute_force
iptables -F brute_force
iptables -A brute_force -m state --state NEW -m recent --name attack --set
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack'
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -A brute_force -j ACCEPT
## Drop other IPs
iptables -A INPUT -j DROP
#Test for post-firewall.log
echo "post-firewall running...">/var/log/post-firewall.log
20-01-2007, 14:50
alexnik

Quote:

Originally Posted by seeker

âîáùåì äîáàâëåíèå äàííûõ ñòðî÷åê íå ïîìîãëî - êîííåêòèòñÿ ïûòàòüñÿ ìîæíî ñêîëüêî óãîäíî ñ âàíà.
âîò ÷òî ãîâîðèò
iptables -L -v | grep SSH_ATTACKER

Code:

0 0 DROP tcp -- !br0 any anywhere anywhere state NEW tcp dpt:https recent: UPDATE seconds: 600 hit_count: 3 name: SS H_ATTACKER side: source 0 0 tcp -- !br0 any anywhere anywhere state NEW tcp dpt:https recent: SET name: SSH_ATTACKER side: source

À ïåðåíàïðàâëàåøü 1555 ÷åðåç ïðåðîóòèíã? åñëè äà òîãäà ïîðò äîëæåí áûòü ïîðò äëÿ ïðàâèë äîëæåí áûòü 22.
20-01-2007, 14:56
alexnik

Quote:

Originally Posted by black_128

Ñäåëàéòå ïðîùå:
---

#!/bin/sh
## WEB,SSH and FTP access from WAN
## Set default policy
iptables -P INPUT DROP
## Removes last default rule
iptables -D INPUT -j DROP
## Open FTP,SSH,WWW ports
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j brute_force
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## Block SSH brute force attacks
iptables -N brute_force
iptables -F brute_force
iptables -A brute_force -m state --state NEW -m recent --name attack --set
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack'
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -A brute_force -j ACCEPT
## Drop other IPs
iptables -A INPUT -j DROP
#Test for post-firewall.log
echo "post-firewall running...">/var/log/post-firewall.log

ýòî òîæå ñàìîå, ÷òî îáñóæäàåòñÿ. òîëüêî â öåïî÷êå ñðàçó çàäàåòñÿ âñå. È íàðóæó îòêðûâàåòñÿ 22 ïîðò.
Êñòàòè, åñëè êòî-òî õî÷åò ëîãèðîâàòü îòâåðãíóòûå ïîïûòêè, ðåêîìåíäóþ íå èñïîëüçîâàòü logdrop, à âçÿòü ïðàâèëî ñ îãðàíè÷åíèåì ëîãà, êàê â êîäå. Ëîã íå òàê ðàçáóõàòü áóäåò.
20-01-2007, 18:34
seeker

Quote:

Originally Posted by alexnik

À ïåðåíàïðàâëàåøü 1555 ÷åðåç ïðåðîóòèíã? åñëè äà òîãäà ïîðò äîëæåí áûòü ïîðò äëÿ ïðàâèë äîëæåí áûòü 22.

âîò post-firewall

Code:

iptables -D INPUT -j DROP iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -j ACCEPT iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1555 -j DNAT --to-destination 192.168.1.1:22 iptables -A INPUT -j DROP iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport 1555 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

ïðîáîâàë ìåíÿòü ïîñëåäíèå äâå ñòðî÷êè - âìåñòî 1555 ïîñòàâèë 22 è ïåðåçàïóñòèë ðîóòåð - ïî êðàéíåé ìåðå ñ ëàíà ïóñêàåò ñêîêà óãîäíî òàêæå, èñî ñòîðîíû âàíà ïîêà ïðîâåðèòü íå ìîãó:).
21-01-2007, 03:04
GearST

ÿ âîò âñå ñëåæó çà òåìîé êîãäà æå íàðîä íàéäåò îïòèìàëüíîå ðåøåíèå =)
íî âñåæå çàõîòåë ðàçîáðàòüñÿ ÷òî åñòü ýòî? :

Code:

## Open FTP,SSH,WWW ports iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --syn --dport 22 -j brute_force iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## Block SSH brute force attacks iptables -N brute_force iptables -F brute_force iptables -A brute_force -m state --state NEW -m recent --name attack --set iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack' iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -j DROP iptables -A brute_force -j ACCEPT ## Drop other IPs iptables -A INPUT -j DROP

êîíêðåòíî êàê ðàáîòàåò ## Block SSH brute force attacks ÷òî òàì ñîáñòâåííî çàäàåòñÿ òî, à òî êîíåøíî ìîæíî òóïî âïèñàòü è íå ïàðèòüñÿ íî õîòåëîñü áû çíàòü êàê îíî ðàáîòàåò =)
21-01-2007, 14:21
black_128

×òîáû ðàñøèôðîâàòü ÷òî è êàê ðàáîòàåò, ïîñìîòðèòå îïèñàíèå êîììàíäû iptables â èíòåðíåòå.

×òî êàñàåòñÿ ñòðî÷åê ##Block brute force, òî äàííûå èíñòðóêöèè áëîêèðóþò âõîäÿùèå îáðàùåíèÿ, ñ ÷àñòîòîé áîëüøå 4-õ â òå÷åíèè îäíîé ìèíóòû. Áëîêèðóåòñÿ îòïðàâèòåëü òàêæå íà îäíó ìèíóòó.

Ýòî ïîçâîëèò îòñåèòü ìàññó ðîáîòîâ.
22-01-2007, 15:54
alexnik

Quote:

Originally Posted by seeker

ïðîáîâàë ìåíÿòü ïîñëåäíèå äâå ñòðî÷êè - âìåñòî 1555 ïîñòàâèë 22 è ïåðåçàïóñòèë ðîóòåð - ïî êðàéíåé ìåðå ñ ëàíà ïóñêàåò ñêîêà óãîäíî òàêæå, èñî ñòîðîíû âàíà ïîêà ïðîâåðèòü íå ìîãó:).

íó ñî ñòîðîíû ëàíà òîæå ìîæíî ïðîâåðèòü óáðàâ -i ! $3.

GearST
Â îáùåì åñòü match recent êîòîðûé ïîçâîëÿåò ìàðêèðîâàòü ïàêåòû.

--rcheck --seconds x --hitcount y

ïðîâåðÿåò çà èíòåðâàë âðåìåíè x íàëè÷èå y ïàêåòîâ è â ñëó÷àå óñïåõà âûïîëíÿåò äåéñòâèå. ñîîòâåòñâåíî çà ïðîìåæóòîê âðåìåíè ïðîïóñêàåòñÿ y-1 ìàðêèðîâàíûé ïàêåò ïàêåò.
22-01-2007, 20:07
black_128

Õàêåðû âçëîìàëè ðîóòåð? Ïîñìîòðèì ëîãè...

Äîáðîãî âðåìåíè ñóòîê!
Ðåáÿòà, ñ íåäàâíåãî âðåìåíè âîçíèêëû íåêèå âîïðîñû ïî íåïîíÿòíîìó ïîâåäåíèþ ðîóòåðà. Ðîóòåð ðàáîòàåò ïðåêðàñíî ñ ñåòüþ netbynet.ru, ðàáîòàåò SAMBA, dropbear, ftp è WWW. Äîìàøíÿÿ ñåòü ñîñòîèò èç 2õ êîìïüþòåðîâ - íîóòáóêà âî WiFi è ñèñòåìíèêà ïî Ethernet êàáåëþ.

Ïîñëå óñòàíîâêè SSH (dropbear) è îòêðûòèþ ïîðòà 22 íàðóæó (òåëíåò îòêëþ÷¸í ðàç 22é îòêðûò), íà÷àëè ëîìèòüñÿ è áðóòôîðñèòü 22é ïîðò - íó äà ëàäíî, ÿ ñäåëàë post-firewall:

Code:

#!/bin/sh ## WEB,SSH and FTP access from WAN ## Set default policy iptables -P INPUT DROP ## Removes last default rule iptables -D INPUT -j DROP ## Open FTP,SSH,WWW ports iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --syn --dport 22 -j brute_force iptables -A INPUT -p tcp --dport 80 -j ACCEPT ## Block SSH brute force attacks iptables -N brute_force iptables -F brute_force iptables -A brute_force -m state --state NEW -m recent --name attack --set iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack' iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -j DROP iptables -A brute_force -j ACCEPT ## Drop other IPs iptables -A INPUT -j DROP #Test for post-firewall.log echo "post-firewall running...">/var/log/post-firewall.log

Ëîìèòüñÿ íà 22é ïîðò ïåðåñòàëè. ÍÎ! ÿ çàìåòèë, ÷òî çàõîäÿ ïî SSH, äèðåêòîðèè ïîÿâèëèñü ìàññà ôàéëîâ ñ íàñòðîéêàìè, êîòîðûå ÿ íèêîãäà íå ïðîïèñûâàë ðó÷êàìè.
Âîò ñêðèíøîò ôàéëîâ:

http://www.notebook-sales.ru/la1.JPG

Ïðè÷åì âíóòðè ñêàæåì ôàéëà filter_rules ìîæíî óâèäåòü ñëåäóþùåå:

Code:

*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :MACS - [0:0] :SECURITY - [0:0] :logaccept - [0:0] :logdrop - [0:0] -A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN -A SECURITY -p udp -m limit --limit 5/s -j RETURN -A SECURITY -p icmp -m limit --limit 5/s -j RETURN -A SECURITY -j DROP -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i lo -m state --state NEW -j ACCEPT -A INPUT -i br0 -m state --state NEW -j ACCEPT -A INPUT -i ppp0 -m state --state NEW -j SECURITY -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 7776 -j ACCEPT -A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -j DROP -A FORWARD -i br0 -o br0 -j ACCEPT -A FORWARD -m state --state INVALID -j DROP -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -o ppp0 ! -i br0 -j DROP -A FORWARD -o vlan1 ! -i br0 -j DROP -A FORWARD ! -i br0 -m state --state NEW -j SECURITY -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT -A FORWARD -o br0 -j DROP -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options -A logaccept -j ACCEPT -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options -A logdrop -j DROP COMMIT

Ïðè÷åì íèêàêèõ ïîðòîâ 7777 è 7776 ÿ íå çàäàâàë. È WEB êàìåðû ó ìåíÿ íåò.

Â ëîãå ñòàëè ïîÿâëÿòüñÿ ñîîáùåíèÿ (îáðàòèòå âíèìàíèå íà êîëè÷åñòâî ïîñëàííûé è ïðèíÿòûõ áàéò).

Code:

Jan 22 11:53:38 pppd[112]: Child process /usr/sbin/pptp 10.7.255.249 --nolaunchpppd (pid 443) terminated with signal 15 Jan 22 11:53:38 pppd[112]: Modem hangup Jan 22 11:53:38 pppd[112]: Connection terminated. Jan 22 11:53:38 pppd[112]: Connect time 59.0 minutes. Jan 22 11:53:38 pppd[112]: Sent 19494331 bytes, received 215195095 bytes. Jan 22 11:53:38 pppd[112]: Connect time 59.0 minutes. Jan 22 11:53:38 pppd[112]: Sent 19494331 bytes, received 215195095 bytes. Jan 22 11:53:38 pppd[112]: Exit. Jan 22 04:54:39 pppd[112]: Starting link Jan 22 04:54:39 pppd[112]: Serial connection established. Jan 22 04:54:39 pppd[112]: Connect: ppp0 <--> /dev/pts/0 Jan 22 04:54:39 pptp[390]: anon log[main:pptp.c:267]: The synchronous pptp option is NOT activated Jan 22 04:54:39 pptp[393]: anon warn[route_add:pptp_callmgr.c:457]: route_add: not adding existing route Jan 22 04:54:39 pptp[393]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request' Jan 22 04:54:39 pptp[393]: anon log[ctrlp_disp:pptp_ctrl.c:732]: Received Start Control Connection Reply Jan 22 04:54:39 pptp[393]: anon log[ctrlp_disp:pptp_ctrl.c:766]: Client connection established. Jan 22 04:54:40 pptp[393]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request' Jan 22 04:54:40 pptp[393]: anon log[ctrlp_disp:pptp_ctrl.c:851]: Received Outgoing Call Reply. Jan 22 04:54:40 pptp[393]: anon log[ctrlp_disp:pptp_ctrl.c:890]: Outgoing call established (call ID 0, peer's call ID 32768). Jan 22 04:54:40 pppd[112]: MPPE 128-bit stateless compression enabled Jan 22 04:54:43 pppd[112]: Remote IP address changed to 192.168.254.10 Jan 22 04:54:43 PPTP: connect to ISP

Ïðè÷åì â ýòî âðåìÿ (ÿ çíàþ òî÷íî), êîìïüþòåðû â ëîêàëêå áûëè âûêëþ÷åíû. Ñêàæèòå, ìîæíî ëè ñî âñåì ýòèì ðàçîáðàòüñÿ, è ÷òî äåëàòü???

Ïðîøó Âàñ ïðîòåñòèðîâàòü ìîþ ñèñòåìó íà ïðåäìåò óÿçâèìîñòåé, è ïîìî÷ü çàêðûòü îò àòàê ìîé ðîóòåð.

ÑÏÈÑÈÁÎ!
23-01-2007, 10:26
Oleg

Â äèðåêòîðèè /tmp ïîÿâëÿþòñÿ ôàéëû, ãåíåðèðóåìûå äèíàìè÷åñêè. Òå, ôàéëû, êîòîðûå Âû îòìåòèëè - ñàìûå îáû÷íûå.

nas - ýòî êîíôèã äëÿ WPA/WPA-PSK

resolv.conf - ÄÍÑ
filter_rules - Âñòðîåííûé Firewall.

Ïîðò 7776 è 7777 - ñâÿçàíû ñ âåáêàìåðîé. Ó Âàñ å¸ íåò, íî ñåðâèñ î÷åâèäíî ðàçðåø¸í.

×òî êàñàåòñÿ òðàôôèêà - òóò ÿ íè÷åãî ñêàçàòü íå ìîãó. Ïîïðîáóéòå óñòàíîâèòü darkstat, ïóñòü îí ïîñ÷èòàåò åãî.

Ó Âàñ äëÿ WiFi WEP çàïðåù¸í, íàäåþñü?
23-01-2007, 10:37
black_128

Ñïàñèáî çà Âàø îòâåò!

Äà, WEP âûêëþ÷åí, âêëþ÷¸í WPA-PSK (c WiFi ïðîáëåì íåò).

http://www.notebook-sales.ru/wifi.jpg

Íî ïîÿâèëñÿ äðóãîé òðàáë. Íè÷åãî íå èçìåíÿÿ â íàñòðîéêàõ, è èìåÿ ðàíåå äîñòóï ïî SSH èç WAN ïî 22ìó ïîðòó, ùàñ 22é ïîðò âîîáùå íå îòâå÷àåò, ñóäÿ ïî telnet ìîé_ip 22 (ðàíåå âûâîäèëñÿ øåëë SSH), ïðè÷åì ñ äîìàøíèõ ìàøèí SSH ê ðîóòåðó ðàáîòàåò.

dropbear çàïóùåí.

Code:

Jan 1 03:00:07 pppd[109]: Starting link Jan 1 03:00:07 pppd[109]: Serial connection established. Jan 1 03:00:07 pppd[109]: Connect: ppp0 <--> /dev/pts/0 Jan 1 03:00:08 pptp[121]: anon log[main:pptp.c:267]: The synchronous pptp option is NOT activated Jan 1 03:00:08 kernel: ipt_recent v0.2.3: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/ Jan 1 03:00:08 dropbear[126]: Running in background
23-01-2007, 11:28
Oleg

Quote:

Originally Posted by black_128

Ñïàñèáî çà Âàø îòâåò!

Äà, WEP âûêëþ÷åí, âêëþ÷¸í WPA-PSK (c WiFi ïðîáëåì íåò).

Òîãäà âñ¸ äîëæíî áûòü õîðîøî.

Quote:

Íî ïîÿâèëñÿ äðóãîé òðàáë. Íè÷åãî íå èçìåíÿÿ â íàñòðîéêàõ, è èìåÿ ðàíåå äîñòóï ïî SSH èç WAN ïî 22ìó ïîðòó, ùàñ 22é ïîðò âîîáùå íå îòâå÷àåò, ñóäÿ ïî telnet ìîé_ip 22 (ðàíåå âûâîäèëñÿ øåëë SSH), ïðè÷åì ñ äîìàøíèõ ìàøèí SSH ê ðîóòåðó ðàáîòàåò.

dropbear çàïóùåí.

Íó òàê ìîæåò recent ÷òî-òî òàì "õèìè÷èò"? Ïîïðîáóéòå åãî îòêëþ÷èòü.
23-01-2007, 21:01
FilimoniC

à íå ïðîùå ssh ïåðåâåñèòü íà íåñòàíäàðòíûé ïîðò?

BTW âîïðîñ: ìîæíî ëè ñäåëàòü òàê, ÷òîáû SSH íå îòäàâàë ñåðòèôèêàò? ò.å. ÷òîáû êííåêòèòñÿ ìîæíî áûëî òîëüêî ñ ìàøèíû, íà êîòîðîé ñòîèò çàùèùåííûé ïàðîëåì ñåðòèôèêàò (âçÿòûé ó êîãî-òî èëè ãäå-òî, ò.å. íå ïîëó÷åííûé îò ÑÑØ)?

BTW âîïðîñ2: êàê ñäåëàòü ÷òîáû íåëüçÿ áûëî äåëàòü SSH-Òóííåëè ÷åðåç putty ? (ïî äåôàëòó ìîæíî - â ïóòòè â ãðàôå tunnles. ïðîâåðÿë - ïàøåò.)
24-01-2007, 06:04
gaaronk

ïî÷èòàòü äîêó

êëþ÷è çàïóñêà

-j
Disable local port forwarding.
-k
Disable remote port forwarding.
24-01-2007, 15:13
alexnik

íà ñòðèìå ðàáîòàåò

Code:

iptables -t nat -I PREROUTING -i ! $3 -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource iptables -I INPUT 7 -i ! $3 -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 4 --name SSH_ATTACKER --rsource -j DROP

íó è êîä äëÿ ïàðàíîèêîâ

Code:

iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT iptables -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 1499 -m recent --name SSH --remove -j DROP iptables -I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 1500 -m recent --name SSH --set -j DROP iptables -I INPUT 10 -m state --state NEW -m tcp -p tcp --dport 1501 -m recent --name SSH --remove -j DROP iptables -I INPUT 11 -p tcp --dport 22 -j DROP

äëÿ äîñòóïà ïî ssh íàäî ïîñòó÷àòü íà ïîðò 1500.
äëÿ çàêðûòèÿ äîñòóïà íà 1499 èëè 1501
ñòó÷àòü ïðèìåðíî òàê

Code:

telnet myhost 1500
06-02-2007, 04:44
Mam(O)n

Quote:

Originally Posted by alexnik

insmod ipt_recent òåáå ïîìîæåò.
Äëÿ èñïîëüçîâàíèÿ ïðàâèëà â post-firewall-å äîáàâèòü ýòó ñòðî÷êó â post-boot

Çàìåòèë, ÷òî ó ìåíÿ ïîñëå äîáàâëåíèÿ ýòîé ñòðîêè â êîíåö post-boot íå óñïåâàë ïîäãðóæàòüñÿ äàííûé ìîäóëü, ïðåæäå, ÷åì çàïóñòèòñÿ post-firewall, ïî ïðè÷èíå òîãî, ÷òî äî ýòîãî âûïîëíÿëîñü åùå ìíîãî ñòðîê bost-boot'à è â ñëåäñòâèå ÷åãî ïðàâèëà, îãðàíè÷èâàþùèå äîñòóï ê ssh íå ïðîïèñûâàëèñü. Áóäüòå âíèìàòåëüíû! Ëó÷øå "insmod ipt_recent" äîáàâèòü â pre-boot.
08-02-2007, 22:26
shooter

Äëÿ óñèëåíèÿ ïàðàíîè ìîæíî ïîäíÿòü stunnel è òðåáîâàòü ïðîâåðêè ñåðòèôèêàòà íà ïîðòó, îòêðûâàåìîì ïîñëå ñõåìû ñ ñòóêîì ïî äîï. ïîðòàì. À èç stunnel ïî 127.0.0.1 íà 22 ïîðò.

À ñåðò ñ êëþ÷àìè íîñèòü ñ ñîáîé íà ÊÏÊ/ôëøêå.
Â ñëó÷àå ôëåøêè ðåãóëÿðíî âíîñèòü åãî â CRL ïîñëå èñïîëüçîâàíèÿ â òåìíîì ìåñòå è ãåíåðèðîâàòü íîâûé. =)
08-02-2007, 22:42
imdex

Quote:

Originally Posted by shooter

Äëÿ óñèëåíèÿ ïàðàíîè ìîæíî ïîäíÿòü stunnel è òðåáîâàòü ïðîâåðêè ñåðòèôèêàòà íà ïîðòó, îòêðûâàåìîì ïîñëå ñõåìû ñ ñòóêîì ïî äîï. ïîðòàì. À èç stunnel ïî 127.0.0.1 íà 22 ïîðò.

À ñåðò ñ êëþ÷àìè íîñèòü ñ ñîáîé íà ÊÏÊ/ôëøêå.
Â ñëó÷àå ôëåøêè ðåãóëÿðíî âíîñèòü åãî â CRL ïîñëå èñïîëüçîâàíèÿ â òåìíîì ìåñòå è ãåíåðèðîâàòü íîâûé. =)

Åñëè âû íå ïàðàíîèê, ýòî âîâñå íå çíà÷èò, ÷òî çà âàìè íå ñëåäÿò. :)
29-04-2007, 13:05
Vitaly_k

Ìîæíî ëè ÷åðåç ftp âèäåòü ôàéëîâóþ ñèñòåìó ðîóòåðà?

Â Äðèìáîêñå óäîáíî ñäåëàíî - çàõîäèøü ïî ftp è âèäèøü âñå ôàéëîâóþ ñèñòåìó äèâàéñà. Ìîæíî ëè â Àñóñå âèäåòü íå âíåøíèé USB-äèñê, à êîðåíü ôàéëîâîé ñèñòåìû?

Show 40 post(s) from this thread on one page