Hi - I am maintaining a brute-force attack source IP blocklist
Entries have a 48 hour expiry.
Contains actual ssh, telnet and smtp failed login attempts.
ibuprofin@painkiller.example.tld.invalid says...
Supratim Sanyal wrote:
Hi - I am maintaining a brute-force attack source IP blocklist
Idle curiosity - Why?
Ummm - got myself a cheapo VPS, have to use it for something
and revived a fortune-cowsay daemon I wrote in school ... put it on
the telnet port - doubles as a honey pot for telnet spam ... no good
reason really ... :)
On Mon, 3 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article <MPG.325c46579c9d147e989681@reader80.eternal-september.org>,
Supratim Sanyal wrote:
Hi - I am maintaining a brute-force attack source IP blocklist
Idle curiosity - Why?
Entries have a 48 hour expiry.
Good - but that might be on the long side. I have to laugh at people
using a Self-Denial-of-Service tool like 'blocksshd', 'sshguard',
'fail2ban', "DenyHost[s]" and similar, who wonder why their firewall is
so slow when they have over a thousand /32 DROP rules that never expire. That's only the tip of the iceberg, as there are about 3.7e9 non-RFC5735
IPv4 addresses out there (3.64e9 of which are allocated/assigned/in-use) never mind 1.59e34 similar IPv6 addresses (out of 3.37e38 non-RFC6890)
in 30100 blocks. When I was using this style of setup (about 10 years
ago), I expired the address after 720 seconds (12 minutes) as that was
long enough to discourage the id10ts out there. I also had some
"permanent" ranges - ISPs or similar groups that tolerated abusers.
Those blocks (about 20 as I recall) ranged from /17 up to /12 in size.
Contains actual ssh, telnet and smtp failed login attempts.
Do you really NEED to be offering those services to the _entire_ world?
My firewall allows _inbound_ access from a /22 and two /24s "outside"
or a total of 1530 addresses, because I can't see any reason to allow connections from you or anyone else that I haven't approved in advance,
and I really don't expect authorized users to be connecting from
Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of
other places either. Lest someone from those countries object, I also
don't allow access from nearly all ISPs in the rest of the world Not expected == not allowed.
The perimeter firewall has few rules.
ALLOW established
ALLOW from 3 blocks outside to 4 ports on 2 servers on the LAN
ALLOW ICMP types 3 (some), 0 and 11 inbound
ALLOW ICMP types 3 (some) and 8 outbound
ALLOW new outbound from the LAN
sh!tcan the rest
It also only accepts connections to itself from three hosts on the
LAN side. I don't even bother logging - the firewall prevented the connection, so what MORE do you need? It's not as if the Internet
Police are going to do anything if you complain. This also reduces
the resources needed on the firewall box - for years, mine was the
remains of a 1990s 386SX laptop with a whopping 4 Megs of RAM and a
On Thu, 27 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.327c65692bdf48dc989683@news.eternal-september.org>, Supratim Sanyal wrote:
ibuprofin@painkiller.example.tld.invalid says...
Supratim Sanyal wrote:
Hi - I am maintaining a brute-force attack source IP blocklist
Idle curiosity - Why?
Ummm - got myself a cheapo VPS, have to use it for something
Officially retired earlier this year, but I've been in the business
since the 1980s. While I'm still doing a bit of part-time consulting, networking is of less interest now. I haven't had a publicly visible
service since about 1997 (website on an home ISDN connection).
and revived a fortune-cowsay daemon I wrote in school ... put it on
the telnet port - doubles as a honey pot for telnet spam ... no good
reason really ... :)
Mentioned, I don't even bother to log connection attempts, much less
respond to them. (My upstream doesn't seem to respond with ICMP type
3 code 1 if the customer's modem/router is turned off, so there is no difference between that and a customer's firewall with a DROP rule.) Occasionally, I may turn on logging for a day, just to get a feel for
what's happening, but nothing really scientific. I have seen a
substantial increase (10:1) in attempts to connect to 23/tcp since
about mid-May, but they act more like 'bots (single SYN packet, rather
than up to 3 from a conventional network stack if there was no
response to the first). Last weekend, I saw a flurry of hits (Hmmm...
why is the network activity light blinking so much on the WAN side?
Lessee, "/usr/sbin/tcpdump -ni eth1 -s 512 -w /tmp/dump") on 23/tcp,
but they looked more like a DDOS attack (up to 6 hits per minute with obviously faked source IPs) than an actual connection attempt. That
went on for several hours Saturday and Sunday during the day before
dropping back to the (current) normal of about 1 per minute. For
every ten hits on 23/tcp, there is also one to 2323/tcp, usually from
one of the same sources with an otherwise identical TCP header. In
July and August, I was also seeing frequent hits (about 1 per minute)
to 53413/udp (attempt to exploit a Chinese chip-set in a home router),
but that seems to have died down lately. Hits on 22/tcp have been
relatively low for over a year (average about 1.5 attempts per hour).
Old guy
ibuprofin@painkiller.example.tld.invalid says...
Hits on 22/tcp have been relatively low for over a year (average
about 1.5 attempts per hour).
iptables + ipset with public blocklists has kept port 22 spam in
control for my internet-facing servers for over a decade now
(your experience is far longer than mine)
but these blocklists are missing a vast number of port 23 bots.
thanks for pinging my host and discovering the unusual ICMP response.
I also see a pure DOS attempt maybe twice a day from numerous IPs in
the same subnet (usually 20x.x.x.x/16),
On Fri, 28 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.327d9502ab733f6f989682@reader80.eternal-september.org>, Supratim Sanyal wrote:
ibuprofin@painkiller.example.tld.invalid says...
Hits on 22/tcp have been relatively low for over a year (average
about 1.5 attempts per hour).
iptables + ipset with public blocklists has kept port 22 spam in
control for my internet-facing servers for over a decade now
A man page to look at (from 'tar -tvzf tcp_wrappers_7.6.tar.gz')
-r--r--r-- 309/326 15225 1995-01-30 11:51
tcp_wrappers_7.6/hosts_access.5
Notice the date. Then try 'man 5 hosts_access' It's part of the tcp_wrappers or lib_wrap package from the last (April 1997) release
of that now unmaintained (but still useful) program. Look down at the EXAMPLES section (about 9/10 of the way down the man-page). Either you
are "MOSTLY CLOSED" or "MOSTLY OPEN". Do you check the identity of
everyone trying to enter your house and only block them if they are on
a list? Or do you block everyone, and only allow those on a different
list in? Slight difference in practicality. Mentioned, I only
allow blocks where I know authorized users might be located. When I
(or other authorized users) were traveling to unknown places, the
firewall here would have port-knocking enabled (user tries to connect
to closed port $FOO and then $BAR - and the firewall would open from
that IP for 30 seconds to allow establishing a connection to 22/tcp).
That trick has been in use for over 30 years. Biggest problem with it
is that some firewalls on the Internet block outbound connections to "unusual" ports, and that may prevent knocking port $BAZ or $QUX.
(your experience is far longer than mine)
I actually was on DARPA net back in 1976 at NASA Ames, though it was
not a primary part of my job then.
but these blocklists are missing a vast number of port 23 bots.
I'm not sure it's even possible to come up with a reasonably accurate
list - it changes so frequently. It's getting worse even now due to
the "Internet of Things" (commonly written as "IoT") which includes
all of the poorly designed devices in the modern home. Most of the
current crop of 'bots are unprotected DVD players, Internet-enabled
cameras, and similar. Search the Risks digest of the ACM (Association
for Computing Machinery) which you can find as the Usenet newsgroup "news://comp.risks" on most news servers:
ibuprofin@painkiller.example.tld.invalid says...
Supratim Sanyal wrote:
but these blocklists are missing a vast number of port 23 bots.
I'm not sure it's even possible to come up with a reasonably accurate
list - it changes so frequently. It's getting worse even now due to
the "Internet of Things" (commonly written as "IoT") which includes
all of the poorly designed devices in the modern home. Most of the
current crop of 'bots are unprotected DVD players, Internet-enabled
cameras, and similar.
interesting - looks like mirai would have eventually got into your DVD >players
looked up the password list it uses, it covers the ones your
DVD players came with
On Tue, 22 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.329ea37bff320fd4989681@news.albasani.net>, Supratim Sanyal wrote:
ibuprofin@painkiller.example.tld.invalid says...
Supratim Sanyal wrote:
but these blocklists are missing a vast number of port 23 bots.
I'm not sure it's even possible to come up with a reasonably accurate
list - it changes so frequently. It's getting worse even now due to
the "Internet of Things" (commonly written as "IoT") which includes
all of the poorly designed devices in the modern home. Most of the
current crop of 'bots are unprotected DVD players, Internet-enabled
cameras, and similar.
interesting - looks like mirai would have eventually got into your DVD >players
Not likely mine - the firewall here blocks those unwanted inbounds, and
the DVD players are intentionally not networked. If you want a simple
hint about the prevalence of 'bots, set your firewall to "IGNORE" or
"DROP" TCP connection attempts to ports 23 (and 2323), and then look at
the values of the variables in the SYN packet headers received (the
initial packet used to set up a TCP connection) - source port number is
one, TCP window size is another (see a good networking textbook such as "TCP/IP Illustrated - Volume 1" by the late W. Richard Stevens for what
is "normal" and notice the differences in what's hitting your address
now). Also note the 'bots make a single SYN (in the absence of a reply) rather than 3 spaced several seconds apart. Last month, I enabled
logging on the firewall for a day, and was seeing an _average_ of 81
rather obvious 'bots per hour during the entire period. Based on the
RFC defined protocols, more than 95% of the connection attempts I saw
(1953 of 2029 in 24 hours) were 'bots. My firewall normally drops all
"new" inbounds (not just to 23/tcp) and does not bother logging the
idiots - which would be a waste of CPU cycles and disk space.
looked up the password list it uses, it covers the ones your
DVD players came with
I ceased to be amazed at the gross stupidity of some manufacturers
long ago. For a while in 2005, I was browsing a Usenet newsgroup
named "alt.privacy.spyware" (still exists, but I haven't bothered with
it since), and there were semi-regular posts with pointers to large
lists of default passwords used by manufacturers who should have known better. "admin" with "admin" was very common, as was "admin with ""
(just hit Enter). and "admin" with "password" - the lead engineer and managers of those products should be lined up and shot _repeatedly_
with a rusty keyboard. But they don't care, so I'm not sure it would
ibuprofin@painkiller.example.tld.invalid says...
Last month, I enabled logging on the firewall for a day, and was
seeing an _average_ of 81 rather obvious 'bots per hour during the
entire period. Based on the RFC defined protocols, more than 95% of
the connection attempts I saw (1953 of 2029 in 24 hours) were 'bots.
Made some progress. Looked deeper at one of my internet-facing OpenVMS
VMs, clearly see "/bin/busybox MIRAI" forced right after the attempted >password. I have OpenVMS logs already forwarded to a central linux
syslog server, wrote a bash script to parse these and spoof pam
privlog lines. fail2ban picks them up, and bans them as well as
reports to blocklist.de ...
spam has gone down but will not disappear
OpenVMS logs the hostname after a lookup and reverse-DNS does not work
for all of the hostnames it logs.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 52:42:41 |
Calls: | 6,650 |
Calls today: | 2 |
Files: | 12,200 |
Messages: | 5,330,393 |