| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Mar 2 13:46:19 2006
From: fd at g-0.org (GroundZero Security)
Subject: reduction of brute force login attempts via
SSHthrough iptables --hashlimit
Oh well...as i said its a QUICK script
and not a PERFECT solution to the problem. I made it for personal
use originally and it does its job..sofar i NEVER had problems with it and usually
an attacker wont know you run it (i know thats not an execuse).
Anyhow its no problem at all to modify, so if you dont like it, just dont use it.
> Please note that this entire script can ALL be done in 1, count them
> 1, awk command. (sed as well, but not worth it).
ok so show me that 1 awk command that replaces the entire script...
> If you are going to ATTEMPT to do something, at least use documented
> options. It's ``grep -A1'' not ``grep -1''. Then a pipe into sed
> THEN into awk?
After all it works. There are always more ways to do it, but if its -A1 or
-1 really doesnt matter at all, its just you have to be pedantic over it i guess.
Yep im not a bash guru maybe,but i really dont care much for optimization
on a lame script like this as long as it WORKS and is not insecure.
> Which brings me to another point. Your use of static temp files in
> the current working directory is just... my god.
Well this script is not ment to be run from a directory that normal users can access.
I know that temporary files can be dangferous but not in a case where a normal user
cant access the temp files i.e. if you run it from /root/bruteblock/ or so.
> Ohh, we are almost done! I liked symlinking m to /dev/urandom. It
> made me feel good about myself.
Looks like you have too much time on your hands. Do something productive instead.
> That just makes no sense, yet again. Here is where you would use -1,
> but with ls(documented and valid switch unlike in grep).
I used a different approach that works out. You can do it that way, i do it this way.
> :( Your not blocking lIP did not matter, like it would anyways. You
> made me sad. Notice your pattern match just LOVED accepting
> 0.0.0.0/0.
Well this script asumes that your local users dont do stupid things. If you manage to
get the script to block 0.0.0.0/0 remotely then let me know. Thats something i would change,
but for now i dont feel like wasting time over this script. It was a simple and quick solution
and does its job unless you cant trust your local users. In that case you should put it in a directory
that only root can access like it is ment to be. Anyhow as i said i originally made it
for personal use and i dont give my users shell access. Anyhow just thought someone else
may have a use for it whos annoyed by those ssh bruteforce attempts.
Its nice of you to point out problems though.
Sure you could optimize it, but that would only speed up the script which isnt needed in my
opinion unless you run Linux on your c64 then i would worry about resource consumption.
If you really think it sucks sooo much that you cant take it, then before you reply to this mail now,
go and optimize it and send your version to FD then you can be happy and feel superior :-)
-sk
----- Original Message -----
From: "nocfed" <nocfed@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, March 02, 2006 1:48 PM
Subject: Re: [Full-disclosure] reduction of brute force login attempts via SSHthrough iptables --hashlimit
> On 3/1/06, GroundZero Security <fd@....org> wrote:
> > Well i had a few minutes time, so i updated the script a bit.
> >
> > I did not use lastb though, as it wouldnt work (read the manpage.....)
> > Anyhow, maybe someone found it usefull so here is v.0.2 :
> >
> > http://www.groundzero-security.com/code/bruteforce-block.sh
> >
> > Any suggestions are welcome, insults and flames can be sent to /dev/null
> >
> > -sk
> >
> > GroundZero Security Research and Software Development
> > http://www.groundzero-security.com
> >
> > Wir widersprechen der Nutzung oder ?bermittlung unserer Daten
> > f?r Werbezwecke oder f?r die Markt- oder Meinungsforschung (? 28 Abs. 4 BDSG).
> >
> > pub 1024D/69928CB8 2004-09-27 Stefan Klaas <sk@...undzero-security.com>
> > sub 2048g/2A3C7800 2004-09-27
> >
> > Key fingerprint = A93E 41F8 7E82 5F2C 3E76 41F1 4BCF 3096 6992 8CB8
> >
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> >
> > mQGiBEFX440RBADGTKOgZR9Y9VA/cfNLWTIN/OmXe9l6UZJ6pY8Hqcv6DFE//Kt9
> > UfQMU470i+I7SvIHZN066Kl4ts4r90sLxXrE4r5VQCLTsJM68cliatrM8MbbZZs+
> > xf3ldelZrHNvHkXDk4I/n3O56F9M6tZ/S71AIj++raIbFX57fn8Z8NNOnwCgwDr6
> > LDVP+5N4DML1/+uvXNtoL30D/A/GUXd6lJ8i7MoZMzwKk1uwDsgWwP+Wm0hMwJMr
> > fR/di9K55pGdlGFNO5P2L3qOl2BaC8raNkLcXaweW+bao3P66nzpdtmecsjCMWq2
> > tQWgu/O7S1FgzlUAKJSOc2Th5PY9Raum8bXnSv4gnHZCKjNskIdrz8WDxCzEoPtZ
> > eCssA/9ydHRvNIPjOTmzjXoE+UbJrB/U//u3dpAsLkzclKeSgjV2eYUgHGcqYn+H
> > cFoubD78yFWqZqYtxfiyjBlItsIn9ls0gAZFKDFHd1XfOLFSa0/NHNpHLxCZGFIA
> > tQ0Gp47VRmTPkWJ7lB505w0XioNs1H/1K1RSp++7+t1SNkBlobQpU3RlZmFuIEts
> > YWFzIDxza0Bncm91bmR6ZXJvLXNlY3VyaXR5LmNvbT6IVwQTEQIAFwUCQVfjjQUL
> > BwoDBAMVAwIDFgIBAheAAAoJEEvPMJZpkoy4AnYAmwTot1PMUty1YoCuMVg6cpr7
> > HKy1AJ98jyzD365YkIQAEiihXlQJ4zrxBLkCDQRBV+OvEAgAiu75prsTQZdNijtY
> > eMQhl4tEL8qi8JOFluYGnvPYjDzU0PY9E4mNx/w2BgYcM3lTVzSmaiLEJ1AzeOHn
> > w+pLDWsorRZuVI9q3+ExW3s2yFX4ppdHAVBMuYsQyVJRkbobCkcwTbUYXr23pKzh
> > D8WRAJ991k2lNcQHxMgixAN+55XBFLhwLB0Yz7XmhFYLid5dLxdPllLIV3ZHDeY0
> > SEqMSpw96+gV0QpX7YH9U2VBr3Wz7Ss6qNZkcgHQw1xmk6Yy24QnT4a9oZD06Yjr
> > cCocXnyI/YLW1wXo/6Hh44UH3b9mKUX6eh8ybn7QCnZDG7AdxbglLiPTkdcx0YoT
> > NANZBwADBwf8CrjVKiXSzyhUsdH1es1KQCZ/zH6PvPzdxqYuGuVVMzgaJeeOMS2G
> > 4rLfw2ILahAS0fjng6zX2c1ndPVJ6oAq3IygWsqJH6Uh23NmKTlyx3KtSgyW7YsB
> > Rn/4wobuojArTHTl+X3U4JZTUEb9E4osB9bFjdsgXcxNSwXghQMh1x5eS5/fcjLd
> > tACNq0x2/zh8zTJFHK+oNCLY2+iBjTUn7K03rEhQo6HqbPYwyc3LUCwBuFHFDVWp
> > bZqa4knO0H5BBmbiI09kaVPOs0qRLXCAf1oy9PxK5ZBJ4WfQAnMAU+TuNrTuW2SU
> > NMh92TCELdDpl/pMDbbBGeJdMvXZmY99HIhGBBgRAgAGBQJBV+OvAAoJEEvPMJZp
> > koy4p1QAoIaYw3VxA0/mixUsMO4R13sXIL/pAJ9zodR+A9+bLqCRlVusG8JhItv1
> > Ow==
> > =E0o1
> > -----END PGP PUBLIC KEY BLOCK-----
> >
> > Diese E-Mail kann vertrauliche Informationen enthalten. Wenn Sie nicht der
> > richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren
> > Sie bitte sofort den Absender und vernichten Sie diese E-Mail.
> > Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail oder von
> > Teilen dieser E-Mail ist nicht gestattet.
> >
> > This E-mail might contain confidential information. If you are not the right addressee
> > or you have recived this Mail in error, please inform the Sender as soon as possible
> > and delete this E-Mail immediately. You are not allowed to make any copies or
> > relay this E-Mail.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> Is this supposed to be like some 'My first attempt at scripting?
>
> Please do not offer scripts like this as some people might believe it
> is useful, or even secure. The same people that will run this in /tmp
> with . in their path.
>
> Please note that this entire script can ALL be done in 1, count them
> 1, awk command. (sed as well, but not worth it).
>
> WTF is this?
>
> lIP=`ifconfig|grep -1 eth0|grep inet|sed 's/inet addr://'|awk '{print $1}'`
>
> If you are going to ATTEMPT to do something, at least use documented
> options. It's ``grep -A1'' not ``grep -1''. Then a pipe into sed
> THEN into awk?
>
> lIP=`/sbin/ifconfig | awk '/^eth0/{getline; sub(".*:","",$2); print $2}'`
> lIP=`/sbin/ifconfig | sed -ne '/^eth0/{n;s/^.*addr:\([^ \x09]*\).*/\1/;p}'`
>
>
> cat /var/log/messages |grep "Failed password" >$fail
> cat /var/log/messages |grep "Illegal user" >$fail2
> cat /var/log/messages |grep "Invalid user" >$fail3
> cat /var/log/messages |grep "Failed keyboard" >$fail4
>
> Really? Really? yeah, /var/log/messages only has to be read ONE time
> and the other files can be written to.
>
> Which brings me to another point. Your use of static temp files in
> the current working directory is just... my god. We will just assume
> that 99% of all users do not use noclobber. You do know the
> implemencations of this, right?
>
> if [ "` cat $fail |grep "Failed password" |awk '{ print $15 }'`" == "" ];
> then
> cat $fail |grep "Failed password" |awk '{ print $11 }' >ips1
> fi
> if [ "` cat $fail2 |grep "Illegal user" |awk '{ print $14 }'`" == "" ];
> then
> cat $fail2 |grep "Illegal user" |awk '{ print $10 }' >ips2
> fi
> if [ "` cat $fail3 |grep "Invalid user" |awk '{ print $14 }'`" == "" ];
> then
> cat $fail3 |grep "Invalid user" |awk '{ print $10 }' >ips3
> fi
> if [ "` cat $fail4 |grep "Failed keyboard" |awk '{ print $17 }'`" == "" ];
> then
> cat $fail4 |grep "Failed keyboard" |awk '{ print $13 }' >ips4
> fi
>
>
> Ughh, reading those files enough? That makes no sense anyways, and
> yet again we are clobbering static TEMPORARY files in the current
> working directory.
>
> echo "~ sorting out ip by ip"
> for line in `cat ips1` # |read line
> do
> echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
> done
> for line in `cat ips2` # |read line
> do
> echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
> done
> for line in `cat ips3` # |read line
> do
> echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
> done
> for line in `cat ips4` # |read line
> do
> echo $line| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' >>ip.$line
> done
>
>
> See above. Not even going to comment on that again, let alone the
> pattern match. Will throw something at that in a minute.
>
>
> ls -la ip.*|awk '{ print $9 }' > ip.lst
>
> That just makes no sense, yet again. Here is where you would use -1,
> but with ls(documented and valid switch unlike in grep).
>
>
> for line in `cat ip.lst`
> do
> if [ `wc -l $line |awk '{ print $1 }'` = '1' ];
> then
> # echo ""
> # echo "not enough failed logins, probably no attack from: $line"
> echo -n "*"
> else if [ `wc -l $line |awk '{ print $1 }'` = '2' ];
> then
> # echo ""
> # echo "not enough failed logins, probably no attack from: $line"
> echo -n "*"
> else if [ `wc -l $line |awk '{ print $1 }'` = '3' ];
> then
> # echo ""
> # echo "not enough failed logins, probably no attack from: $line"
> echo -n "*"
> else if [ `wc -l $line |awk '{ print $1 }'` = '4' ];
> then
> # echo ""
> # echo "not enough failed logins, probably no attack from: $line"
> echo -n "*"
> else
> # generate list of the ip's to be blocked
> # echo "* IP: $line will be blocked!"
> echo -n "."
> echo $line >>$blocklist
> i=1;
> fi
> fi
> fi
> fi
> done
>
>
> You should have just done this way differently in the first place. And
> Yippy! Another static temp file. $blocklist can be fun. This time no
> clobbering so its even easier.
>
> if [ $i != 0 ];
> then
> # edit blocklist (sometimes needs to be commented out or edited)
> cat $blocklist |sed 's/ip.::ffff://' >g && mv g $blocklist
>
> # cleanup
> rm -f ip.* ips1 ips2 ips3 ips4 ip.lst $fail $fail2 $fail3 $fail4
>
> for host in `cat $blocklist`
> do
> if ((${#host}>6)) && ((${#host}<16))
> then
> blk="`echo $host| grep
> '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$'`"
> if [[ "$blk" != "$lIP" && "$blk" != "" ]];
> then
>
> echo " blocking IP: $blk" >> $log
> echo "host: $host blk: $blk"
> $fw -A INPUT -s $blk -j REJECT
> fi
> fi
> done
> cp $blocklist saved.blocklist
> rm -f $blocklist
>
> # left this in, in case you may not want to run this in background.
> #
> # echo "~ do you want to clean those entries from /var/log/messages ?"
> # read -e answer
>
> # if [ "$answer" == "y" ];
> # then
> echo "+ cleaning system logs.."
> cat /var/log/messages |grep -v "llegal user" |grep -v "ailed
> password" |grep -v "nvalid user"|grep -v "ailed keyboard" >m
> echo "+ creating backup of old logfile.."
> cp /var/log/messages msg.copy
> echo "+ replacing logfile.."
> cat m > /var/log/messages
> rm -f m
> # fi
> else
> echo "no attackers found."
> fi
> echo "finished."
>
>
> Ohh, we are almost done! I liked symlinking m to /dev/urandom. It
> made me feel good about myself.
>
> grep | grep | grep | grep | grep | tee | grep | grep | cat | grep > /dev/stdout
>
> What else do we have here?
>
> $ export blocklist=blocklist fw=echo log=log
> $ echo 0.0.0.0/0 >> $blocklist
> $ for host in `cat $blocklist`
> > do
> > if ((${#host}>6)) && ((${#host}<16))
> > then
> > blk="`echo $host| grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$'`"
> > if [[ "$blk" != "$lIP" && "$blk" != "" ]];
> > then
> >
> > echo " blocking IP: $blk" >> $log
> > echo "host: $host blk: $blk"
> > $fw -A INPUT -s $blk -j REJECT
> > fi
> > fi
> > done
> host: 0.0.0.0/0 blk: 0.0.0.0/0
> -A INPUT -s 0.0.0.0/0 -j REJECT
> $ cat log
> blocking IP: 0.0.0.0/0
>
> :( Your not blocking lIP did not matter, like it would anyways. You
> made me sad. Notice your pattern match just LOVED accepting
> 0.0.0.0/0.
>
> Hints:
> bash
> [ -e "$file" ]
> [ -h "$file" ]
> [ -n "$variable" ]
> set -o
> case/esac
> IFS=.; set -- $host
> ${VAR//}
> bc
> mktemp
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists