[arm-allstar] NOTICE for users with public ssh on port 222

David McGough kb4fxc at inttek.net
Sun Apr 5 19:44:25 EDT 2020


Hi Alan,

The /var/log/secure file isn't present in the HamVoIP release, nor most 
(all?) other recent distros which are "strictly" systemd centric, like 
arch linux. 

I'll upload a copy of the code I'm using, if you'd like to experiment 
with it?  This code will get wrapped into a package included in HamVoIP, 
ultimately.


73, David KB4FXC




On Mon, 6 Apr 2020, "Al Beard via ARM-allstar" wrote:

> Hi all,
> 
> Looks like this lists email thing strips attachments. My script:
> ----------- snip -----------
> :
> # ===========================================================
> # Script to check sshd hacking attempts
> # 050802 AFB Initial version.  Uses last 1000 lines
> # Usage: checksshd.sh
> # ===========================================================
> cd /root/rej
> DTE_STAMP=`date "+%Y%m%d %H:%M"`
> echo
> echo "=============== $DTE_STAMP =================="
> 
> ######## line from /var/log/secure ##########
> # Jun  7 15:14:48 webserver sshd[32626]: pam_unix(sshd:auth): authentication 
> # failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.248.110.43  user=root
> #################################
> 
> tail -1000 /var/log/secure | grep sshd:auth | grep "authentication failure" | 
> cut -d '=' -f 7 | cut -d ' ' -f 1 | grep -v (my IP address) > rejectssh.lst
> # Report domains
> echo "------------- List of IPs --------------------"
> TOT=`wc -l rejectssh.lst`
> # ============= Sort, uniq =====================
> cat rejectssh.lst |sort | uniq -c > rej_ssh.lst
> sort -rn rej_ssh.lst | head -20 > rej_ssh.tmp
> cat  rej_ssh.tmp
> echo "Total: $TOT"
> # ============= Unblock old IPs ==================
> netstat -rn | grep '!H' | cut -d ' ' -f 1 > rej_old.lst
> while read BADIP
> do
>   echo "Unblocking $BADIP"
>   /sbin/route del -host $BADIP reject
> done < rej_old.lst
> # =========== Block ==============
> while read NUM BADIP
> do
>   echo "Blocking $NUM $BADIP ..."
>   [ "$NUM" -gt 3 ] && /sbin/route add -host $BADIP reject
> # Note to unblock use
> #  /sbin/route del -host $BADIP reject
> done < rej_ssh.tmp
> 
> # =========== logging
> echo "==== $DTE_STAMP ====" >> blocked.log
> cat rej_ssh.tmp >> blocked.log
> ---------- snip -------
> 
> Keep smiling
> 
> Alan VK2ZIW
> 
> 
> On Mon, 6 Apr 2020 08:42:21 +1000, "Al Beard via ARM-allstar" wrote
> > Hi all,
> > 
> > Blocking IP addresses for Failed logins.
> > 
> > On my Linux box here, I've been running this for years, no, decades.
> > (run from cron hourly)
> > 2 * * * * /usr/local/bin/checksshd.sh > /dev/null 2>&1
> > 
> > It looks at the logs, the last 1000 lines, sorts the list so if there
> > are several hackers, their IP addresses will be grouped. If any IP
> > address has failed logins more than five times, it is blocked.
> > 
> > My script needs to be modified to put the temp files into one of the
> > "tempfs" filesystems so as not to write on the SD card.
> > 
> > Here is a typical Reject list:
> > [root at linux1 rej]# cat rej_ssh.lst
> >      12 103.10.30.207
> >       2 104.131.190.193
> >       9 111.229.48.141
> >       2 148.70.187.205
> >      14 152.168.242.103
> >       3 176.31.253.204
> >      10 181.189.144.206
> >      16 189.18.243.210
> >      14 218.85.119.92
> >       3 218.92.0.158
> >       3 218.92.0.172
> >       6 218.92.0.184
> >       3 222.186.169.192
> >       5 222.186.173.201
> >       3 222.186.173.226
> >       3 222.186.175.140
> >       3 222.186.175.148
> >       3 222.186.175.163
> >       3 222.186.175.167
> >       6 222.186.175.215
> >       2 222.186.180.6
> >       6 45.119.212.125
> >       1 61.177.172.128
> > # netstat -rn
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 0.0.0.0         192.168.20.1    0.0.0.0         UG        0 0          0 enp0s31f6
> > 45.119.212.125  -               255.255.255.255 !H        - -          - -
> > 103.10.30.207   -               255.255.255.255 !H        - -          - -
> > 111.229.48.141  -               255.255.255.255 !H        - -          - -
> > 152.168.242.103 -               255.255.255.255 !H        - -          - -
> > 181.189.144.206 -               255.255.255.255 !H        - -          - -
> > 189.18.243.210  -               255.255.255.255 !H        - -          - -
> > 192.168.20.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s31f6
> > 192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
> > 218.85.119.92   -               255.255.255.255 !H        - -          - -
> > 218.92.0.184    -               255.255.255.255 !H        - -          - -
> > 222.186.173.201 -               255.255.255.255 !H        - -          - -
> > 222.186.175.215 -               255.255.255.255 !H        - -          - -
> > 
> > Keep smiling
> > 
> > Alan VK2ZIW
> > 
> > On Sun, 5 Apr 2020 11:29:21 -0400 (EDT), "David McGough via ARM-allstar" wrote
> > > Hi Everyone,
> > > 
> > > Over the recent weeks there has been a HUGE increase in Internet hacking
> > > attempts targeting ALL Internet visible ssh servers on ports 22, 222 
> > > and other ports ending in "22."
> > > 
> > > In general, this hacking is unsuccessful at gaining system access,
> > > assuming that you used a good quality root password!  However, while 
> > > not gaining system access, this hacking can still generate a Denial 
> > > of Service condition for users. The way it does this is by filling 
> > > up logfiles (e.g.:  /var/log/btmp), causing filesystem out-of-space 
> > > related errors. Hacking can also cause audio quality problems 
> > > (dropped packets) due to the sheer volume of hacking related network 
> > > traffic.
> > > 
> > > Fortunately, there are some simple solutions. First, if you don't really
> > > need ssh visible to the Internet, just block ssh access at your Internet
> > > router.
> > > 
> > > A second method is to change the ssh port from 222 to some obscure port;
> > > maybe like: 19876. While "hiding" the port isn't considered the best
> > > strategy, it does work very effectively FOR NOW, remembering that 
> > > hackers continually adapt their techniques.
> > > 
> > > Third, to help mitigate this issue no matter what ssh port you use, we're
> > > adding some very lightweight tools to HamVoIP to monitor various files
> > > (e.g.:  /var/log/btmp) and automatically block hacking attempts 
> > > using iptables. This code is being tested now and will be released 
> > > soon. More details to follow about this.
> > > 
> > > Stay home and stay healthy!
> > > 
> > > 73, David KB4FXC
> > > 
> > > _______________________________________________
> > > 
> > > ARM-allstar mailing list
> > > ARM-allstar at hamvoip.org
> > > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> > > 
> > > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> > 
> > ---------------------------------------------------
> > Alan Beard
> > 
> > OpenWebMail 2.53
> > 
> 
> 
> 
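A worked example of the counting step in Alan's script, added here; it is not Alan's checksshd.sh and not HamVoIP code. It reads sshd PAM failure lines in the format quoted above, keys on the "rhost=" token instead of positional "=" fields (which shift whenever a field such as ruser gains a value), drops an allowlist of the operator's own addresses by exact match rather than substring, and reports addresses over a threshold, most frequent first. The sample log lines, addresses, and the allowlist are constructed for the example. On a systemd-only release such as HamVoIP, where /var/log/secure does not exist, the same functions can be fed from `journalctl -u sshd -o cat` (assuming the unit is named sshd); the blocking command is printed as a dry run, not executed.

```shell
#!/bin/sh
# Added example, not the list author's script: count sshd PAM authentication
# failures per source address and report those above a threshold.
# Assumptions: input is pam_unix/sshd text, either from /var/log/secure or
# from "journalctl -u sshd -o cat" on systemd-only distros. The allowlist and
# the sample lines below are constructed for this example.

ALLOWLIST="192.0.2.10"   # constructed: operator's own address(es), space separated

# Constructed sample log lines in the pam_unix format quoted in the thread.
SAMPLE_LOG='Jun  7 15:14:48 webserver sshd[32626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun  7 15:14:50 webserver sshd[32627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun  7 15:14:52 webserver sshd[32628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
Jun  7 15:14:55 webserver sshd[32629]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=pi
Jun  7 15:15:01 webserver sshd[32630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jun  7 15:15:03 webserver sshd[32631]: Accepted publickey for alan from 192.0.2.10 port 50122 ssh2
Jun  7 15:15:09 webserver sshd[32632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alan
Jun  7 15:15:12 webserver sshd[32633]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alan'

# failed_rhosts: read log text on stdin, print one source address per
# PAM authentication failure. Anchoring on "rhost=" is sturdier than
# counting '=' separated fields, which shift if any earlier field gets a value.
failed_rhosts() {
    grep 'sshd:auth' | grep 'authentication failure' \
      | sed -n 's/.*rhost=\([^ ]*\).*/\1/p'
}

# not_allowlisted: drop addresses listed in $ALLOWLIST (exact match, so
# 192.0.2.1 is not hidden by an allowlist entry of 192.0.2.10).
not_allowlisted() {
    while read -r ip; do
        keep=1
        for ok in $ALLOWLIST; do
            [ "$ip" = "$ok" ] && keep=0
        done
        [ "$keep" -eq 1 ] && echo "$ip"
    done
}

# offenders THRESHOLD: print "count ip" for addresses with more than
# THRESHOLD failures, most frequent first.
offenders() {
    threshold="$1"
    failed_rhosts | not_allowlisted | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 > t { print $1, $2 }'
}

# report THRESHOLD: run over the constructed sample and print the block an
# operator would apply. Dry run: the route command is printed, not executed.
report() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1" | while read -r n ip; do
        echo "would block $ip ($n failures): route add -host $ip reject"
    done
}

report 3
```

With a real log, replace the sample with `tail -1000 /var/log/secure | offenders 3` or, on journald-only systems, `journalctl -u sshd -o cat --since -1h | offenders 3`; keeping any temporary files under /tmp or another tmpfs mount avoids the SD card writes Alan mentions.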


