[arm-allstar] NOTICE for users with public ssh on port 222
Al Beard
beardal at unixservice.com.au
Sun Apr 5 19:31:31 EDT 2020
Hi all,
Looks like this list's email thing strips attachments. My script:
----------- snip -----------
#!/bin/sh
# ===========================================================
# Script to check sshd hacking attempts
# 050802 AFB Initial version. Uses last 1000 lines
# Usage: checksshd.sh
# ===========================================================
cd /root/rej || exit 1
# Placeholder: put your own address here so you never block yourself.
MY_IP="192.0.2.1"
DTE_STAMP=$(date "+%Y%m%d %H:%M")
echo
echo "=============== $DTE_STAMP =================="
######## line from /var/log/secure ##########
# Jun 7 15:14:48 webserver sshd[32626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.248.110.43 user=root
#################################
# Field 7 when split on '=' is "213.248.110.43 user"; the second cut keeps the IP.
# grep -xF matches the whole line literally, so the dots in MY_IP are not wildcards.
tail -1000 /var/log/secure | grep sshd:auth | grep "authentication failure" |
cut -d '=' -f 7 | cut -d ' ' -f 1 | grep -vxF -- "$MY_IP" > rejectssh.lst
# Report IPs
echo "------------- List of IPs --------------------"
TOT=$(wc -l < rejectssh.lst)
# ============= Sort, uniq =====================
sort rejectssh.lst | uniq -c > rej_ssh.lst
sort -rn rej_ssh.lst | head -20 > rej_ssh.tmp
cat rej_ssh.tmp
echo "Total: $TOT"
# ============= Unblock old IPs ==================
# Every host blocked by this script is a reject route (flag !H) in the routing
# table. Drop them all first; anything still active is re-added below.
netstat -rn | grep '!H' | awk '{print $1}' > rej_old.lst
while read -r BADIP
do
echo "Unblocking $BADIP"
/sbin/route del -host "$BADIP" reject
done < rej_old.lst
# =========== Block ==============
# rej_ssh.tmp holds "count ip" lines from uniq -c; block anything over the threshold.
while read -r NUM BADIP
do
echo "Blocking $NUM $BADIP ..."
[ "$NUM" -gt 3 ] && /sbin/route add -host "$BADIP" reject
# Note to unblock use
# /sbin/route del -host $BADIP reject
done < rej_ssh.tmp
# =========== logging
echo "==== $DTE_STAMP ====" >> blocked.log
cat rej_ssh.tmp >> blocked.log
---------- snip -------
Keep smiling
Alan VK2ZIW
On Mon, 6 Apr 2020 08:42:21 +1000, "Al Beard via ARM-allstar" wrote
> Hi all,
>
> Blocking IP addresses for Failed logins.
>
> On my Linux box here, I've been running this for years, no, decades.
> (run from cron hourly)
> 2 * * * * /usr/local/bin/checksshd.sh > /dev/null 2>&1
>
> It looks at the logs, the last 1000 lines, sorts the list so if there
> are several hackers, their IP addresses will be grouped. If any IP
> address has failed logins more than five times, it is blocked.
>
> My script needs to be modified to put the temp files into one of the
> "tempfs" filesystems so as not to write on the SD card.
>
> Here is a typical Reject list:
> [root at linux1 rej]# cat rej_ssh.lst
> 12 103.10.30.207
> 2 104.131.190.193
> 9 111.229.48.141
> 2 148.70.187.205
> 14 152.168.242.103
> 3 176.31.253.204
> 10 181.189.144.206
> 16 189.18.243.210
> 14 218.85.119.92
> 3 218.92.0.158
> 3 218.92.0.172
> 6 218.92.0.184
> 3 222.186.169.192
> 5 222.186.173.201
> 3 222.186.173.226
> 3 222.186.175.140
> 3 222.186.175.148
> 3 222.186.175.163
> 3 222.186.175.167
> 6 222.186.175.215
> 2 222.186.180.6
> 6 45.119.212.125
> 1 61.177.172.128
> # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 0.0.0.0         192.168.20.1    0.0.0.0         UG      0 0        0 enp0s31f6
> 45.119.212.125  -               255.255.255.255 !H      - -        - -
> 103.10.30.207   -               255.255.255.255 !H      - -        - -
> 111.229.48.141  -               255.255.255.255 !H      - -        - -
> 152.168.242.103 -               255.255.255.255 !H      - -        - -
> 181.189.144.206 -               255.255.255.255 !H      - -        - -
> 189.18.243.210  -               255.255.255.255 !H      - -        - -
> 192.168.20.0    0.0.0.0         255.255.255.0   U       0 0        0 enp0s31f6
> 192.168.122.0   0.0.0.0         255.255.255.0   U       0 0        0 virbr0
> 218.85.119.92   -               255.255.255.255 !H      - -        - -
> 218.92.0.184    -               255.255.255.255 !H      - -        - -
> 222.186.173.201 -               255.255.255.255 !H      - -        - -
> 222.186.175.215 -               255.255.255.255 !H      - -        - -
>
> Keep smiling
>
> Alan VK2ZIW
>
> On Sun, 5 Apr 2020 11:29:21 -0400 (EDT), "David McGough via ARM-allstar" wrote
> > Hi Everyone,
> >
> > Over the recent weeks there has been a HUGE increase in Internet hacking
> > attempts targeting ALL Internet visible ssh servers on ports 22, 222
> > and other ports ending in "22."
> >
> > In general, this hacking is unsuccessful at gaining system access,
> > assuming that you used a good quality root password! However, while
> > not gaining system access, this hacking can still generate a Denial
> > of Service condition for users. The way it does this is by filling
> > up logfiles (e.g.: /var/log/btmp), causing filesystem out-of-space
> > related errors. Hacking can also cause audio quality problems
> > (dropped packets) due to the sheer volume of hacking related network
> > traffic.
> >
> > Fortunately, there are some simple solutions. First, if you don't really
> > need ssh visible to the Internet, just block ssh access at your Internet
> > router.
> >
> > A Second method is to change the ssh port from 222 to some obscure port;
> > maybe like: 19876. While "hiding" the port isn't considered the best
> > strategy, it does work very effectively FOR NOW, remembering that
> > hackers continually adapt their techniques.
> >
> > Third, to help mitigate this issue no matter what ssh port you use, we're
> > adding some very lightweight tools to HamVoIP to monitor various files
> > (e.g.: /var/log/btmp) and automatically block hacking attempts
> > using iptables. This code is being tested now and will be released
> > soon. More details to follow about this.
> >
> > Stay home and stay healthy!
> >
> > 73, David KB4FXC
> >
> > _______________________________________________
> >
> > ARM-allstar mailing list
> > ARM-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
>
> ---------------------------------------------------
> Alan Beard
>
> OpenWebMail 2.53
>
---------------------------------------------------
Alan Beard
OpenWebMail 2.53
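As an added example (not the script from the post above), the same detection step, reading log lines from stdin so it can be run unprivileged over a constructed sample instead of /var/log/secure: count pam_unix authentication failures per rhost, skip your own address, print the hosts over a threshold, and render the block command for each. The function names (sample_log, failed_ssh_ips, block_commands), the 203.0.113.x and 198.51.100.x addresses (RFC 5737 documentation ranges, not observed attackers) and the iptables rule form are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the post's checksshd.sh. Everything below is runnable
# without root because nothing is executed against the routing table; the
# block commands are printed for review.

# Constructed sample in /var/log/secure format (not real traffic).
# 203.0.113.7 fails 5 times, 203.0.113.200 4 times, 203.0.113.31 3 times,
# and 198.51.100.9 (the admin's own address) 6 times. The "Failed password"
# line is sshd's own message for a failure pam_unix already logged, so it
# must not be counted a second time; the line with an empty rhost= has no
# address to block; the "Accepted" line is a successful login.
sample_log() {
    cat <<'EOF'
Apr  5 19:01:02 pi sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  5 19:01:02 pi sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr  5 19:01:04 pi sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:01:05 pi sshd[1204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.200 user=admin
Apr  5 19:01:07 pi sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  5 19:01:09 pi sshd[1206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.31 user=pi
Apr  5 19:01:11 pi sshd[1207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:01:12 pi sshd[1208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  5 19:01:14 pi sshd[1209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.200 user=admin
Apr  5 19:01:15 pi sshd[1210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:01:17 pi sshd[1211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.31 user=pi
Apr  5 19:01:18 pi sshd[1212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  5 19:01:20 pi sshd[1213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:01:21 pi sshd[1214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.200 user=admin
Apr  5 19:01:23 pi sshd[1215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:01:24 pi sshd[1216]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  5 19:01:26 pi sshd[1217]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.31 user=pi
Apr  5 19:01:27 pi sshd[1218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.200 user=admin
Apr  5 19:01:29 pi sshd[1219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Apr  5 19:02:00 pi sshd[1300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=pi
Apr  5 19:02:30 pi sshd[1301]: Accepted publickey for pi from 198.51.100.9 port 50200 ssh2
EOF
}

# failed_ssh_ips THRESHOLD ALLOW_IP: read log lines on stdin and print
# "count ip" for every remote host with more than THRESHOLD pam_unix
# authentication failures, most failures first. ALLOW_IP is never listed.
failed_ssh_ips() {
    threshold="$1"
    allow="$2"
    # Only pam_unix lines are counted, so sshd's parallel "Failed password"
    # message does not double the count. sed keeps a non-empty rhost value;
    # grep -xF compares the whole line literally so dots are not wildcards.
    grep 'sshd:auth' | grep 'authentication failure' |
    sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' |
    grep -vxF -- "$allow" |
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '$1 > t { print $1, $2 }'
}

# block_commands MODE: turn "count ip" lines on stdin into the command that
# would block each ip. "route" is the post's reject-route method; "iptables"
# is an assumed equivalent that drops the inbound packets instead. Commands
# are printed, not run; as root, pipe the output into sh to apply them.
block_commands() {
    mode="$1"
    while read -r num ip; do
        case "$mode" in
            route)    echo "/sbin/route add -host $ip reject" ;;
            iptables) echo "/sbin/iptables -I INPUT -s $ip -j DROP" ;;
            *)        echo "unknown mode: $mode" >&2; return 1 ;;
        esac
    done
}

# Demo over the sample with the post's threshold of 3. On a live box use:
#   tail -1000 /var/log/secure | failed_ssh_ips 3 "$MY_IP" | block_commands route
sample_log | failed_ssh_ips 3 198.51.100.9 | block_commands iptables
```

Only 203.0.113.7 and 203.0.113.200 come out; 203.0.113.31 sits exactly at the threshold and 198.51.100.9 is excluded by the allow argument. The two block mechanisms differ in where they act: a reject host route stops the kernel from sending replies to that host, so its TCP handshake never completes and sshd never sees it again, while the iptables rule discards the inbound packets before they reach sshd. Either way, with a fixed-size log window like the post's tail -1000, a host drops off the list once its failures age out of the window, which is why the post's script clears all reject routes before re-adding the current ones.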