RE: HackFest Series: Quick IPTABLES, SSHUTOUT Script Kiddie…

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: plug-discuss@lists.plug.phoenix.az.us
Subject: RE: HackFest Series: Quick IPTABLES, SSHUTOUT Script Kiddie Protection
See minor corrections:
also see DenyHosts








Many of us are constantly plagued with port knocking and script kiddies from places like the Amazon Cloud.

With security issues, the procedural recommended post encroachment steps per CERT are:

1) Remove the computer from your network (probably not workable if this is a server) [use IPtables to protect it initially]
2) Gather log information about specific times, ports and ip addresses (both source and destination)
3) Report to the SWIP authorities including the correct time zones for each exploit.
4) Optional - load BackTrack and run forensics on the system if you CAN reboot it.
5) Optional - setup a honeypot trap for the users including network alerting and logging.

Using IPtables:

Generally,
since you can't always drop large numbers of IPADDRESSES into your IPtables
& the script kiddies just DHCP a new source address, so this is a temporary measure.

First
drop in a basicIP table - here's a good basic example (season to
taste): [Do this while sitting in front of the machine so you don't
accidently shut yourself out]

You going to need iptables (you should have it already):

# dpkg -l iptables
iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to

# rpm -qa | grep iptablesiptables-xxxxx
Check to see if it's there:



# which iptables
/sbin/iptables

If the utility is missing you can install it like so:

APT


# apt-get update && apt-get install iptables
RPM


# rpm -Uvh iptables-xxxx.rpm
Preparing ################################# [100%]

NEXT: Drop in a basic configuration:

# /etc/init.d/iptables start
Cut and copy this basic table example to /root/iptables/iptables.first

This
example only allows port 22, 80 and 443 and does some time based allow log and drop (which might break if you have extensive scp jobs) (season to taste - for
instance if you need another port add it; or you have eth1 change this).
# Generated by iptables-save on Sun Oct 19 23 05:32:09 2008
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Optional log and drop limits
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Oct 19 05:32:09 2008Next import it:

# /sbin/iptables-restore </root/iptables/iptables.first
Test - okay?

Borked?

# /etc/init.d/iptables stop
# /sbin/iptables -F

Edit and try again....

Protect from/to a host:

Once you have a basic config in place you can do command line drops:

# /sbin/iptables -A INPUT -s $badguyip -d $myserverip -p tcp --dport 22 -j DROP
-A Tells iptables to 'append' this rule to the INPUT Chain

-s Source Address. This rule only pertains to
traffic coming FROM this IP. Substitute with the IP address you are protecting yourself from.

-d Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.

-p Protocol. Specifying traffic which is TCP.

--dport Destination Port. Specifying traffic which is for TCP Port 22 (SSH)

-j Jump. If everything in this rule matches then 'jump' to DROP
You can even do a quick grep on your logs and script drop all of them into the tables via script:
Protect AFTER the FACT from LOGS (as in now when you discover a whole 48 accesses or attempts on your vsftpd)

#!/bin/sh

# Add own whitelisted hosts here.

whitelist="127.0.0.1 1192.168.7.2 192.168.31.145"

logfile="/var/log/messages"

# Define the checking interval through date-format.

interval=$(date | cut -b 5-15)



# Extract failed vsftpd login attempts; set blocking to 25.

# Modify iptables behavior or use drop all connections from evil script kiddies.

grep "$interval.* failure" $logfile | sed -e
'/vsftpd(pam_unix)\[[0-9]*\]: authentication failure/!d' -e
's/.*rhost=//' -e 's/ user=.*//' | sort |uniq -c | \

while read info

do

        set -- $info


        count=$1


        host=$2


        whitelisted=0


        for white in $whitelist ; do


                if [ "$white" = "$host" ] ; then


                        whitelisted=1


                fi


        done


        if [ "$whitelisted" = "1" ] ; then


                echo "$count attempt(s) from WHITELISTED $host"


        else


                echo "$count attempt(s) from $host"


                if [ "$count" -gt "25" ] ; then


                        /sbin/iptables -I INPUT -s $host -j DROP


                        echo "Host $host blocked"


                        echo "iptable status:"


                        /sbin/iptables --list


                fi


        fi


done

----------------end script example for vsftpd------------------



Here's how my crontab looks like:

# Block offending hosts. Checks for attacks every 10 minutes

9,19,29,39,49,59 * * * * /bin/sh /scripts/Block    


http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

Saving and Editing your tables:

As a precaution enter /sbin/iptables-save to be sure it's right (and check it via output)
You
can save and restore via crontabs the last iptables (Debian and Redhat
vary as to commands for persistent tables [see references]

# /sbin/iptables-save >/root/iptables/iptables.last
You can hand edit this with vi or joe
# /sbin/iptables-restore </root/iptables/iptables.last

SSH Brute force and Dictionary Attacks:

NOTE:
If your port 22 (or VNC or port 80 webserver) is being hit, you can
write a quick log protection script or use SSHUTOUT (which wraps ssh
and watches for brute force and dictionary attacks), by automagically
dropping to iptables deny anyone who meets the configuration critieria.

Drop
in something like this for now for quick and dirty iptables: (edit your
tables and place these lines under the loopback command replacing your
-A INPUT for ssh above.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name SSHIN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT
COMMIT
If you are getting a TON of port 22 knocking - GET a wrapper like SSHOUT:

[if you need to shutout 22]: http://www.techfinesse.com/sshutout/sshutout.html (use this great program)

References: http://www.howtoforge.com/linux_iptables_sarge

http://wapedia.mobi/en/Obnosis | http://en.wiktionary.org/wiki/Citations:obnosis | Obnosis.com (503)754-4452
Laugh at this MSN Footer


When your life is on the go—take your life with you. Try Windows Mobile® today

_________________________________________________________________
Store, manage and share up to 5GB with Windows Live SkyDrive.
http://skydrive.live.com/welcome.aspx?provision=1?ocid=TXT_TAGLM_WL_skydrive_102008---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss