Many of us are constantly plagued by port knocking and script kiddies from places like the Amazon Cloud.
When you do have a security incident, the recommended post-intrusion steps per CERT are:
1) Remove the computer from your network (probably not workable if this is a server); use iptables to protect it in the meantime.
2) Gather log information about the specific times, ports and IP addresses involved (both source and destination).
3) Report to the SWIP authorities, including the correct time zone for each exploit attempt.
4) Optional: boot BackTrack and run forensics on the system, if you CAN reboot it.
5) Optional: set up a honeypot trap for the intruders, including network alerting and logging.
Using iptables: Generally, since you can't always drop large numbers of IP addresses into your iptables rules, and the script kiddies just DHCP a new source address, this is a temporary measure.
First drop in a basic iptables table; here's a good basic example (season to taste). Do this while sitting in front of the machine so you don't accidentally lock yourself out.
You're going to need iptables (you should have it already):
# dpkg -l iptables
iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to
# rpm -qa | grep iptables
iptables-xxxxx
Check to see if it's there:
# which iptables
/sbin/iptables
If the utility is missing you can install it like so:
APT:
# apt-get update && apt-get install iptables
RPM:
# rpm -Uvh iptables-xxxx.rpm
Preparing ################################# [100%]
NEXT: Drop in a basic configuration:
# /etc/init.d/iptables start
Cut and paste this basic table example into /root/iptables/iptables.first.
This example only allows ports 22, 80 and 443 in, and does a rate-limited log-and-drop of everything else (which might break things if you have extensive scp jobs). Season to taste: for instance, if you need another port, add it; or if your interface is eth1, change eth0 accordingly.
# Generated by iptables-save on Sun Oct 19 05:32:09 2008
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Optional log and drop limits
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Oct 19 05:32:09 2008
Next, import it:
# /sbin/iptables-restore </root/iptables/iptables.first
Test. Okay? Borked?
# /etc/init.d/iptables stop
# /sbin/iptables -F
Edit and try again....
Protect from/to a host: Once you have a basic config in place you can do command line drops:
# /sbin/iptables -A INPUT -s $badguyip -d $myserverip -p tcp --dport 22 -j DROP
- -A Tells iptables to 'append' this rule to the end of the INPUT chain. Note that rules are matched in order: in the basic table above, port 22 is already ACCEPTed earlier in the chain and the last rule jumps everything else to LOGNDROP, so an appended DROP is never reached; use -I to insert it at the top instead (as the script below does).
- -s Source address. This rule only pertains to traffic coming FROM this IP. Substitute the IP address you are protecting yourself from.
- -d Destination address. This rule only pertains to traffic going TO this IP. Substitute the IP of this server.
- -p Protocol. Matches traffic which is TCP.
- --dport Destination port. Matches traffic for TCP port 22 (SSH).
- -j Jump. If everything in this rule matches then 'jump' to DROP.
You can even do a quick grep on your logs and drop all of the offenders into the tables via a script.
Protect AFTER THE FACT from logs (as in right now, when you discover a whole 48 accesses or attempts on your vsftpd):
#!/bin/sh
# Add your own whitelisted hosts here (space separated).
whitelist="127.0.0.1 192.168.7.2 192.168.31.145"
logfile="/var/log/messages"
# Define the checking interval through the date format: bytes 5-15 of the
# default `date` output ("Oct 19 05:3") select the current 10-minute block.
interval=$(date | cut -b 5-15)
# Extract failed vsftpd login attempts per source host and block a host
# once it exceeds 25 failures. Modify the iptables rule to taste.
grep "$interval.* failure" "$logfile" | \
  sed -e '/vsftpd(pam_unix)\[[0-9]*\]: authentication failure/!d' \
      -e 's/.*rhost=//' -e 's/ user=.*//' | sort | uniq -c | \
while read info
do
  # uniq -c output is "<count> <host>"
  set -- $info
  count=$1
  host=$2
  whitelisted=0
  for white in $whitelist ; do
    if [ "$white" = "$host" ] ; then
      whitelisted=1
    fi
  done
  if [ "$whitelisted" = "1" ] ; then
    echo "$count attempt(s) from WHITELISTED $host"
  else
    echo "$count attempt(s) from $host"
    if [ "$count" -gt "25" ] ; then
      # -I inserts at the top of INPUT so the DROP is hit before any ACCEPT
      /sbin/iptables -I INPUT -s "$host" -j DROP
      echo "Host $host blocked"
      echo "iptables status:"
      /sbin/iptables --list
    fi
  fi
done
----------------end script example for vsftpd------------------
Here's what my crontab looks like:
# Block offending hosts. Checks for attacks every 10 minutes
9,19,29,39,49,59 * * * * /bin/sh /scripts/Block
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
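As an added example (not from the original post or the howtoforge article), here is a small Python rework of the log-driven blocker above: it parses the same vsftpd(pam_unix) failure lines over constructed sample input, counts per source in a true sliding window (the `date | cut` trick only looks at one fixed 10-minute block, so a burst that straddles e.g. 05:29/05:30 gets split across two cron runs), honours the whitelist, and emits iptables commands only for hosts not already present in an iptables-save dump. Sample log lines, host names and the NOW timestamp are all constructed; it prints the commands rather than running them.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not from the original post) in the vsftpd(pam_unix) syslog format.
SAMPLE_LOG = """\
Oct 19 05:21:07 srv vsftpd(pam_unix)[4411]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=203.0.113.9 user=test
Oct 19 05:29:58 srv vsftpd(pam_unix)[4412]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=203.0.113.9 user=root
Oct 19 05:30:02 srv vsftpd(pam_unix)[4413]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=203.0.113.9 user=admin
Oct 19 05:30:05 srv vsftpd(pam_unix)[4414]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=203.0.113.9
Oct 19 05:30:20 srv vsftpd(pam_unix)[4415]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=192.168.7.2 user=bob
Oct 19 05:30:41 srv vsftpd(pam_unix)[4416]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=192.168.7.2 user=bob
Oct 19 05:31:03 srv vsftpd(pam_unix)[4417]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=192.168.7.2 user=bob
Oct 19 05:31:40 srv sshd[4418]: Failed password for invalid user oracle from 198.51.100.4 port 40112 ssh2
"""
NOW = datetime(2008, 10, 19, 5, 32, 9)  # constructed "current time" for the sample (the post's iptables-save timestamp)

# Same filter as the post's sed (vsftpd(pam_unix) auth failures, source read from rhost=); dotted-quad sources only.
LINE_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ vsftpd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.* rhost=(?P<rhost>\d+\.\d+\.\d+\.\d+)")

def parse_failures(log_text, year):
    """Yield (timestamp, rhost) per matching line; syslog carries no year, so it is passed in."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["rhost"]

def offenders(log_text, now, year, window_min=10, threshold=25,
              whitelist=("127.0.0.1", "192.168.7.2", "192.168.31.145")):
    """{ip: failures} for non-whitelisted sources seen more than `threshold` times in the sliding
    window ending at `now` (the post's `date | cut` matches one fixed 10-minute block instead)."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]  # plain IPs or CIDR ranges
    cutoff = now - timedelta(minutes=window_min)
    counts = Counter(h for ts, h in parse_failures(log_text, year) if cutoff < ts <= now)
    return {h: n for h, n in counts.items()
            if n > threshold and not any(ipaddress.ip_address(h) in net for net in nets)}

def block_commands(hosts, saved_rules=()):
    """Commands for offenders not already dropped in an iptables-save dump, so a cron run does
    not keep inserting duplicate DROP rules the way the post's script does."""
    already = {ipaddress.ip_network(m.group(1)) for r in saved_rules
               for m in [re.search(r"-s (\S+) -j DROP", r)] if m}
    return [f"/sbin/iptables -I INPUT -s {h} -j DROP" for h in sorted(hosts)
            if ipaddress.ip_network(h) not in already]

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG, NOW, 2008, threshold=2)
    print(bad, block_commands(bad, ["-A INPUT -s 198.51.100.4/32 -j DROP"]))
```

With the sample and threshold=2, 203.0.113.9 is reported with 3 failures in the 10-minute window (4 with a 15-minute window) while the whitelisted 192.168.7.2 is ignored.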
Saving and editing your tables: As a precaution, run /sbin/iptables-save to be sure the rules are right (and check its output).
You can save and restore the last iptables via crontab (Debian and Red Hat vary as to the commands for persistent tables; see references):
# /sbin/iptables-save >/root/iptables/iptables.last
You can hand edit this with vi or joe.
# /sbin/iptables-restore </root/iptables/iptables.last
SSH brute force and dictionary attacks: NOTE: If your port 22 (or VNC, or your port 80 webserver) is being hit, you can write a quick log protection script or use SSHUTOUT (which wraps ssh and watches for brute force and dictionary attacks), automagically adding an iptables deny for anyone who meets the configured criteria.
Drop in something like this for now for quick and dirty iptables (edit your tables and place these lines under the loopback rule, replacing your -A INPUT rule for ssh above):
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name SSHIN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT
COMMIT
If you are getting a TON of port 22 knocking, GET a wrapper like SSHUTOUT (if you need to shut out 22): http://www.techfinesse.com/sshutout/sshutout.html (use this great program)
References: http://www.howtoforge.com/linux_iptables_sarge