# ssh: fail2ban now obsolete?

## eccerr0r

I don't know if you guys all noticed it, but I'm currently being attacked by a random, new host every 2 minutes.  This sort of obsoletes fail2ban as a new IP is checking every 2 minutes.

While this is not as bad as them flooding my connection with logins, this is still annoying.  It looks like I will have to resort to port knocking or port relocation.

----------

## Stever

I'm seeing the same thing on my server for the past couple days.

I think anyone who is relying on fail2ban or similar tools to cover for weak passwords may be in big trouble.

```
Oct 22 11:23:34 myhost sshd[12052]: ... illegal user root from rueckziegel.de
Oct 22 11:26:01 myhost sshd[19761]: ... illegal user root from 213.203.197.86
Oct 22 11:27:55 myhost sshd[22394]: ... illegal user root from 200.69.219.189
Oct 22 11:29:48 myhost sshd[1803]: ... illegal user root from chello080108092234.22.11.vie.surfer.at
Oct 22 11:32:17 myhost sshd[24030]: ... illegal user root from gw.ptr-62-65-142-213.customer.ch.netstream.com
Oct 22 11:34:10 myhost sshd[8171]: ... illegal user root from devel.teracode.com
Oct 22 11:36:07 myhost sshd[14195]: ... illegal user root from www.asigen.cl
Oct 22 11:38:34 myhost sshd[28546]: ... illegal user root from 200.62.227.204
Oct 22 11:40:25 myhost sshd[21858]: ... illegal user root from 148.245.157.217
Oct 22 11:42:25 myhost sshd[17660]: ... illegal user root from mtl93-10-88-173-209-112.fbx.proxad.net
Oct 22 11:44:52 myhost sshd[19517]: ... illegal user root from 61.9.8.115
Oct 22 11:46:43 myhost sshd[7317]: ... illegal user root from 67.105.126.195.ptr.us.xo.net
Oct 22 11:49:07 myhost sshd[22314]: ... illegal user root from 64.14.4.11
Oct 22 11:51:12 myhost sshd[29988]: ... illegal user root from mailux.bendux.de
Oct 22 11:53:14 myhost sshd[10153]: ... illegal user root from 200.152.205.106
Oct 22 11:55:47 myhost sshd[20075]: ... illegal user root from static-098-027-160.dsl.nextra.sk
Oct 22 11:57:28 myhost sshd[32395]: ... illegal user root from 203.227.15.13
Oct 22 11:59:26 myhost sshd[7889]: ... illegal user root from jaysus.de
Oct 22 12:01:55 myhost sshd[17593]: ... illegal user root from 213.203.197.86
Oct 22 12:03:49 myhost sshd[18269]: ... illegal user root from 124x39x168x43.ap124.ftth.ucom.ne.jp
```

Last edited by Stever on Mon Oct 22, 2007 4:11 pm; edited 1 time in total

----------

## eccerr0r

I suppose I like having clean logfiles, as far as I know, my friends have decent passwords (I hope!) but I guess I dislike seeing so much trash login attempts...

I should ignore them, but, it's still ugly...

----------

## gregf

Been seeing this a lot myself. I use denyhosts but am getting more than normal. Personally I'm not too worried since I require anyone using the server to generate an ssh key rather than using passwords. If you're getting this many hits you might want to consider coming up with a similar policy. That way even if they were to guess your password it will not do them any good without the key.

----------

## pteppic

Hmm, haven't seen it myself yet, but will certainly keep my eyes on the log files now. 

I currently use the ssh-blacklist program, written in python and posted on these forums somewhere. If I start to see this kind of behavior then some new rules for matching are going to have to be generated.

I used a program recently on a Doze system that had 'instaban' attached to certain log in usernames, I think this approach could be applied here, c'mon, who allows 'root' to log in on an external SSH box?

----------

## eccerr0r

Well, it's not that attempting log in as 'root' is the issue, I wish to not see these attempts at all, I wish my computer not even bother replying with an invitation to try to login if it knows it will be a fruitless attempt.

Unfortunately my internet link is limited, I do not want to be transmitting more packets than needed.

I wish everyone would fix their computers.  *sigh*

----------

## gregf

There's more than just the root user being attacked though; a few times the logs looked like they were using a random name generator as well. Although I have not seen my login name listed just yet. :) Attacks seem to have stepped up over this last week though.

----------

## pteppic

 *gregf wrote:*   

> Attacks seem to have stepped up over this last week though.

 

X2, you're right there. I've had more in the last week than the previous 6.

/me considers installing the TARPIT patches again...

----------

## gimpel

/me suggests handing out publickeys to those allowed to access the box, and disable pw logins in general.

----------

## upengan78

What exactly is fail2ban lacking here that it does not scan these lines in the log files?

Are we missing something in filter files ?

----------

## eccerr0r

The problem is that they're using a multi-thousand-strong zombie bot force.  If each machine sends *one* attempt to your computer, three thousand unique host attempts have been sent to your machine.  Your machine will have _no_ way to figure out whether they're legit or not.

This is different from using _one_ of the random zombie bots to send 3000 attempts to your computer.  That is easily covered by fail2ban.

That being said, the random host storm has subsided a bit.  I think they may be afraid of people putting up port knocking.
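The point above, as an added example that is not from the thread: a per-source threshold of the kind fail2ban applies never fires when every source sends one attempt, but counting distinct failing sources per window across the whole host does. The log lines below are constructed in the shape of the excerpt earlier in the thread, with documentation-range addresses; the thresholds are assumed values.

```python
import re
from datetime import datetime

# Constructed sample log (documentation-range addresses, not the thread's hosts):
# one failed login every ~2 minutes, each from a different source, one source repeated.
SAMPLE_LOG = """\
Oct 22 11:23:34 myhost sshd[12052]: illegal user root from 203.0.113.10
Oct 22 11:26:01 myhost sshd[19761]: illegal user root from 198.51.100.22
Oct 22 11:27:55 myhost sshd[22394]: illegal user root from 203.0.113.77
Oct 22 11:29:48 myhost sshd[1803]: illegal user root from 192.0.2.15
Oct 22 11:32:17 myhost sshd[24030]: illegal user admin from 198.51.100.4
Oct 22 11:34:10 myhost sshd[8171]: illegal user root from 203.0.113.200
Oct 22 11:36:07 myhost sshd[14195]: illegal user test from 192.0.2.99
Oct 22 11:38:34 myhost sshd[28546]: illegal user root from 198.51.100.130
Oct 22 11:40:25 myhost sshd[21858]: illegal user root from 203.0.113.10
Oct 22 11:42:25 myhost sshd[17660]: illegal user root from 192.0.2.201
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*illegal user (\S+) from (\S+)")

def parse_log(text):
    """Return sorted (timestamp, user, source) tuples for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; only differences between them matter here
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return sorted(events)

def per_source_bans(events, maxretry=5, findtime=600):
    """fail2ban-style rule: ban a source that fails maxretry times within findtime seconds."""
    times_by_src = {}
    for ts, _, src in events:
        times_by_src.setdefault(src, []).append(ts)
    banned = set()
    for src, times in times_by_src.items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(src)
                break
    return banned

def distributed_alert(events, window=1800, min_sources=8):
    """Host-wide rule: count distinct failing sources in any window, regardless of per-source rate."""
    best = 0
    for i, (start, _, _) in enumerate(events):
        seen = {src for ts, _, src in events[i:] if (ts - start).total_seconds() <= window}
        best = max(best, len(seen))
    return {"max_distinct_sources": best, "alert": best >= min_sources}
```

On the sample, the per-source rule bans nobody (no source reaches five failures), while the host-wide rule sees nine distinct sources in one window and alerts.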

----------

## upengan78

Thanks  :Smile: 

What is meant by port knocking, and why would they be afraid of it?

----------

## vaguy02

Port Knocking is where you have your ssh port closed to everyone. 

In order to open it you hit certain ports with requests, say tcp 123, udp 234, tcp 345. This is observed by the computer, and if it's the right combination, it adds a line to iptables saying accept ssh from this one specific IP address. You can set time limits and the rest.

The only problem with port knocking is if someone is sitting with a network sniffer, they can see which ports are hit and which order and they will be able to send the right signal and open it up for themselves as well.

It's all tradeoffs with security.

Robert
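The mechanism described above, as an added example that is not from the thread or from any knock daemon: a tracker that follows each source through the knock sequence (tcp 123, udp 234, tcp 345, as in the post), opens ssh for that source for a limited time, and resets on a wrong or late knock. The timeouts and the addresses in `replay_demo` are assumed values; the last function shows the sniffer tradeoff the post mentions, since a second source replaying the same knocks is indistinguishable.

```python
# Knock sequence from the post (tcp 123, udp 234, tcp 345); timeouts are assumed values.
SEQUENCE = (("tcp", 123), ("udp", 234), ("tcp", 345))

class KnockTracker:
    """Per-source progress through the knock sequence, plus the temporary opens it produces."""

    def __init__(self, sequence=SEQUENCE, knock_timeout=10.0, open_for=30.0):
        self.sequence = sequence
        self.knock_timeout = knock_timeout  # max seconds allowed between two consecutive knocks
        self.open_for = open_for            # seconds the ssh port stays open for a source
        self.progress = {}                  # src -> (index of next expected knock, time of last knock)
        self.opened = {}                    # src -> expiry time (stands in for the iptables ACCEPT line)

    def observe(self, t, src, proto, port):
        """Feed one packet that hit a closed port. Returns True when it completes the sequence."""
        idx, last = self.progress.get(src, (0, t))
        if t - last > self.knock_timeout:
            idx = 0                         # too slow: the sequence starts over
        if (proto, port) == self.sequence[idx]:
            idx += 1
        else:                               # wrong knock: reset, but let it count as a fresh first knock
            idx = 1 if (proto, port) == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened[src] = t + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, t)
        return False

    def ssh_allowed(self, t, src):
        """What the firewall checks on an ssh SYN: is there an unexpired open for this source?"""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if t > expiry:
            del self.opened[src]            # time limit reached: the accept line is removed again
            return False
        return True

def replay_demo():
    """The sniffer caveat from the post: a source replaying captured knocks gets in too."""
    tracker = KnockTracker()
    for t, (proto, port) in enumerate(SEQUENCE):
        tracker.observe(t, "10.0.0.5", proto, port)        # legitimate client (constructed address)
        tracker.observe(t + 0.5, "10.0.0.9", proto, port)  # observer replaying the same knocks
    return tracker.ssh_allowed(3, "10.0.0.5"), tracker.ssh_allowed(3, "10.0.0.9")
```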

----------

## upengan78

Ahh Cool, Thanks

Can you tell me what the steps are to get this working?

I installed knock 0.5

and started knock with default configuration.

How does it work after this?

----------

## vaguy02

I've personally never used it. I've just researched it as a possibility for my network. I find that it is much more effective to just block A class networks that I would never use. For example, no one that would access my network would ever come from the ASIA Pacific Network Information Centre (a big problem ISP for me) located in AU. Anyways, I block all of their class A networks, for example 122.0.0.0/255.0.0.0. This has been very effective against a lot of brute force attempts I've had. I only leave the US and a couple of other countries actually on. 

Sorry I couldn't better answer your question. I defer this to someone with more experience with Knock.

Robert

----------

## upengan78

Thanks !

How does one come to know what ranges are used in the USA and what not? This idea of blocking IP ranges is nice when you know that really no one is going to access ssh from that range.

----------

## vaguy02

This is somewhat helpful at determining who owns entire A class networks.

http://www.iana.org/assignments/ipv4-address-space

003.0.0.0 - May 94 General Electric Company

Etc.....

You see what I mean.

APNIC - is Asia Pacific that I talked about

RIPE NCC - is an ISP in Europe.

AfriNic - you can guess.

So on and so forth.

If you detect a brute force attempt, I usually use 

http://www.analysespider.com/ip2country/lookup.html (you get 10 free a day)

And if you want contact info or how large their subnet is I personally use this

http://www.arin.net/whois/ it will tell you the registered owner and if they own the whole A class 122.0.0.0 - 122.255.255.255 or if they just own part of it, ex. 122.150.0.0 - 122.255.0.0.0

Hope this helps, I have yet to find a complete free comprehensive listing of all US based ip networks.

Robert

----------

## upengan78

Thank you very much !!!!  :Smile: 

----------

## vaguy02

No problem. Let me know if you have any other question.

If anyone reads this and knows of a good free comprehensive US ipv4 listing, please let me know!

----------

## linuxkrn

Try this:

http://www.iana.org/assignments/ipv4-address-space

The big ones such as RIPE/APNIC are non-us.  :Smile: 

And this for fun: http://www.circleid.com/images/uploads/map_of_the_internet.jpg

----------

## vaguy02

I already had that link in my message, it's the first one. Good try though.  :Smile: 

----------

## upengan78

 :Very Happy: 

----------

## upengan78

I have banned these guys on my machine !

 *Quote:*   

> 222.0.0.0/8
> 221.0.0.0/8
> ...

 

 :Mad:    I am sorry !  :Laughing: 

----------

## upengan78

 *Quote:*   

> DROP       all  --  207.138.124.4        0.0.0.0/0           
> DROP       all  --  203.156.240.75       0.0.0.0/0           
> DROP       all  --  222.246.132.212      0.0.0.0/0           
> ...

 

 :Rolling Eyes: 

----------

## vaguy02

```
# the chain must exist, and INPUT must jump to it, before the rules below do anything
iptables -N BADDOMAINS
iptables -A INPUT -j BADDOMAINS
iptables -A BADDOMAINS -s 6.0.0.0/255.0.0.0 -j DROP #DoD - AISC
iptables -A BADDOMAINS -s 11.0.0.0/255.0.0.0 -j DROP #DoD - Intel
iptables -A BADDOMAINS -s 21.0.0.0/255.0.0.0 -j DROP #DoD
iptables -A BADDOMAINS -s 22.0.0.0/255.0.0.0 -j DROP #DoD - DISA
iptables -A BADDOMAINS -s 25.0.0.0/255.0.0.0 -j DROP #UK - MoD
iptables -A BADDOMAINS -s 26.0.0.0/255.0.0.0 -j DROP #DoD - DISA
iptables -A BADDOMAINS -s 29.0.0.0/255.0.0.0 -j DROP #DoD - DISA
iptables -A BADDOMAINS -s 30.0.0.0/255.0.0.0 -j DROP #DoD - DISA
iptables -A BADDOMAINS -s 51.0.0.0/255.0.0.0 -j DROP #UK - Social Security
iptables -A BADDOMAINS -s 55.0.0.0/255.0.0.0 -j DROP #DoD - NIC
iptables -A BADDOMAINS -s 60.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 61.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 80.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 81.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 83.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 86.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 87.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 89.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 122.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 125.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 134.0.0.0/255.0.0.0 -j DROP
iptables -A BADDOMAINS -s 189.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
iptables -A BADDOMAINS -s 190.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
iptables -A BADDOMAINS -s 193.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 200.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
iptables -A BADDOMAINS -s 201.0.0.0/255.0.0.0 -j DROP #LACNIC - UY
iptables -A BADDOMAINS -s 202.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 203.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 207.253.73.0/255.255.255.0 -j DROP # Canada
iptables -A BADDOMAINS -s 210.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 211.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 213.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 214.0.0.0/255.0.0.0 -j DROP #DoD
iptables -A BADDOMAINS -s 215.0.0.0/255.0.0.0 -j DROP #DoD
iptables -A BADDOMAINS -s 217.0.0.0/255.0.0.0 -j DROP #RIPE - NL
iptables -A BADDOMAINS -s 218.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 219.0.0.0/255.0.0.0 -j DROP #APNIC - AU
iptables -A BADDOMAINS -s 221.0.0.0/255.0.0.0 -j DROP #APNIC - AU
```

I've blocked Most APNIC, LACNIC, RIPE subnets I could find, as well as DoD (military and intel) subnets that I could get my hands on.

Robert

----------

## upengan78

Great,

I hope I can write network like this a.b.c.d/8 in iptables  :Smile: 

----------

## upengan78

I could not open the Michelin tires site after blocking these IPs for DROP to 0.0.0.0  :Sad: 

----------

## vaguy02

Haha, sorry. I guess I should have clarified: what you want to do is accept ports 80 and 443 (HTTP/HTTPS respectively) first, then put your blocks in. That way http/https traffic can get forwarded to your clients, but all other ports are blocked. 

And yes, you can write a network 122.0.0.0/8

Robert

----------

## upengan78

This is what I have written...

 *Quote:*   

> while read user;do
> iptables -A INPUT -p tcp -s $user --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -s $user --dport 443 -j ACCEPT
> ...

 

 *Quote:*   

> cat IP
> 1.0.0.0/8
> ...

 

Is this okay ?

----------

## vaguy02

Actually you can make it easier; just do (eth0 is your network interface):

```
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
```

Those will accept 80 and 443 from everyone, then do your drop loop on the networks.  That way you don't have to clutter up your iptables scripts with a -j ACCEPT from every single host.

Robert

P.S. - But you could do it your way too, although it wouldn't be -I anymore on your -j DROP that you provided.
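The rule-ordering problem discussed above, as an added example that is not from the thread: a minimal first-match model of the INPUT chain, run over the same packet under the "-I ... -j DROP" order (drops above the accepts), the accept-80/443-first order recommended here, and a third chain. That third chain's ESTABLISHED rule is my addition, because a `--dport 80` ACCEPT admits inbound web requests to your own server while replies to your outbound browsing arrive with source port 80 and an ephemeral destination port, so without a stateful rule they still hit the /8 drop; the addresses and ports are constructed.

```python
import ipaddress

# Minimal model of iptables INPUT-chain evaluation: the first matching rule decides,
# and the chain policy (ACCEPT here, as in the thread's setups) applies if none matches.
def make_rule(target, src=None, proto=None, dport=None, state=None):
    return {"target": target, "src": ipaddress.ip_network(src) if src else None,
            "proto": proto, "dport": dport, "state": state}

def matches(rule, pkt):
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    for key in ("proto", "dport", "state"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# A few of the /8 ranges from the list earlier in the thread; 193/8 is the one that hit the Michelin site.
DROPS = [make_rule("DROP", src=net) for net in ("193.0.0.0/8", "202.0.0.0/8", "213.0.0.0/8")]
ACCEPT_WEB = [make_rule("ACCEPT", proto="tcp", dport=80), make_rule("ACCEPT", proto="tcp", dport=443)]

CHAIN_DROP_FIRST = DROPS + ACCEPT_WEB    # what "-I ... -j DROP" produces: drops land above the accepts
CHAIN_ACCEPT_FIRST = ACCEPT_WEB + DROPS  # the order recommended in the thread
CHAIN_STATEFUL = [make_rule("ACCEPT", state="ESTABLISHED")] + ACCEPT_WEB + DROPS  # my addition

# Constructed packets; 193.0.0.1 stands in for a European web server, not a real address.
INBOUND_WEB_REQUEST = {"src": "193.0.0.1", "proto": "tcp", "sport": 51000, "dport": 80, "state": "NEW"}
REPLY_TO_OUR_BROWSER = {"src": "193.0.0.1", "proto": "tcp", "sport": 80, "dport": 51000, "state": "ESTABLISHED"}
SSH_FROM_BLOCKED_RANGE = {"src": "202.0.0.9", "proto": "tcp", "sport": 40000, "dport": 22, "state": "NEW"}

def compare_orders(pkt):
    """Verdict for one packet under each of the three chain orders, in that order."""
    return tuple(verdict(c, pkt) for c in (CHAIN_DROP_FIRST, CHAIN_ACCEPT_FIRST, CHAIN_STATEFUL))
```

The blocked ssh attempt is dropped under all three orders; only the ordering of the web-related rules changes what else gets through.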

----------

## eccerr0r

Any Chinese users reading these boards?  I'm wondering if a typical Chinese user is banning 24.0.0.0/8 just like we're doing 210.0.0.0/8 ?

heh... Sigh.  I tend to refuse to do the sort, wish people would fix their computers!

----------

## upengan78

How about UDP?

I think we need to add one for UDP on port 80 as well.

----------

## vaguy02

You could if you wanted to, same thing

iptables -A INPUT -p udp --dport 80 -j ACCEPT

I personally don't, but you could if you wanted to.

Robert

P.S.- If anyone is reading this board from China, I'm sorry, I don't mean to be against you on this, but I'm just going where the facts lead me. Plus, you have your Great Firewall of China to protect you  :Wink: . haha, sorry again. I had to.

----------

## melinux

Some of the IPs entered on this list (like 193.*) are European IPs; that's why the Michelin site would be blocked.

----------

