So I have been reading the ssh attack thread and finally want to ask about something.
I doubt there is a program like this, but I would love to have a program that listens at common ports that I do not use at all...and only allow that program to listen to it, especially the usual ssh port (using a different one for real ssh)...
That program would then, upon receiving a 'sniff' or 'user', add that IP to the deny hosts list, for either a long or short time.
Using this would seem like a win as you can easily grab someone before they can get somewhere one hopes. Also, by opening up a few other ports that are unusual like 8561....well, if someone sniffs that it could be a 3 day ban or a month...
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
On Sat, 20 Jun 2009 20:35:00 -0400 Bob Hoffman wrote:
So...does something like this exist?
fail2ban
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
I don't know of a program that specifically listens to defined ports and acts on that, but fail2ban would accomplish the end result adequately.
jlc
However if you are referring to packet sniffers there is no solid way of blocking them.
On Sun, Jun 21, 2009 at 3:49 AM, Joseph L. Casale <JCasale@activenetwerx.com> wrote:
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
I don't know of a program that specifically listens to defined ports and acts on that, but fail2ban would accomplish the end result adequately.
jlc
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sat, Jun 20, 2009 at 10:38 PM, Joseph L. Casale <JCasale@activenetwerx.com> wrote:
However if you are referring to packet sniffers there is no solid way of blocking them.
How exactly would I sniff the packets from say my work computer between someone's home computer and work server?
Very carefully... as it sounds like you'd be potentially crossing legal/ethical lines... Why would you sniff from your "home" computer? If you are the sysadmin, then you sniff from the server and from home you could ssh to your server to check logs of course.
On a more technical note, you have to be on the same subnet of either the point of origin or the destination machine. In other words at one of the two choke points. That is short of having some tool installed on the other person's home computer which again crosses that line. You obviously can't be at the home user's choke point because what lawful authority would you have to be sniffing on that subnet owned by his ISP?
Jacques B.
On Sun, Jun 21, 2009 at 1:03 AM, Joseph L. Casale <JCasale@activenetwerx.com> wrote:
Very carefully...
Lol, you missed the point. It's impossible. I was bluntly suggesting the reply was not applicable nor on topic to the op's post. Port scanning and packet sniffing have nothing to do with each other...
Ahh, it all makes sense now that I re-read your earlier reply to the OP with the benefit of this posting. I thought you were asking for yourself, not putting the question to the OP to cause reflection on that technical problem. When I saw sniff, I chalked it up to wrong use of terminology figuring he meant port scan. But you are correct in not assuming that fact as I did.
Thanks for the clarification, and glad I was able to inject a bit of humour into the thread in the process.
Jacques B
On Sat, Jun 20, 2009 at 8:35 PM, Bob Hoffman <bob@bobhoffman.com> wrote:
So I have been reading the ssh attack thread and finally want to ask about something.
I doubt there is a program like this, but I would love to have a program that listens at common ports that I do not use at all...and only allow that program to listen to it, especially the usual ssh port (using a different one for real ssh)...
That program would then, upon receiving a 'sniff' or 'user', add that IP to the deny hosts list, for either a long or short time.
Using this would seem like a win as you can easily grab someone before they can get somewhere one hopes. Also, by opening up a few other ports that are unusual like 8561....well, if someone sniffs that it could be a 3 day ban or a month...
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
A simple bash script run from a cronjob that looks for entries in /etc/secure for traffic to those ports and then parses out the IP and adds it to your host.deny might work. But if you are looking to set a date/time when it would expire, you could probably achieve this through a comment at the end of the entry containing the expiry date which your bash script would scan with a simple sed command looking for any lines with an expiry date matching the system's current date and removing those lines.
fail2ban was also suggested by a few, and I believe that was one I played with briefly a few years back. It worked, but I wasn't using it in the scenario you describe but rather simply scanning for multiple failed ssh login attempts (not sure if it was looking for failed ssh login attempts, or "Failed" attempts period regardless of the port being targeted) that resulted in a host.deny entry. But of course you can potentially lock yourself out (been there, done that) which is a p.i.t.a. You either have to wait until the next day at the office to remove your ban, or try and get another IP from your ISP via disconnecting and reconnecting to your ISP.
Jacques B.
That program would then, upon receiving a 'sniff' or 'user', add that IP to the deny hosts list, for either a long or short time.
Using this would seem like a win as you can easily grab someone before they can get somewhere one hopes. Also, by opening up a few other ports that are unusual like 8561....well, if someone sniffs that it could be a 3 day ban or a month...
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
fail2ban... near enough a fit...
I doubt there is a program like this, but I would love to have a program that listens at common ports that I do not use at all...and only allow that program to listen to it, especially the usual ssh port (using a different one for real ssh)...
That program would then, upon receiving a 'sniff' or 'user', add that IP to the deny hosts list, for either a long or short time.
Many years ago I used portsentry for this. You can find an article about portsentry at http://www.securityfocus.com/infocus/1580
Barry
Barry Brimer wrote on Sat, 20 Jun 2009 22:51:44 -0500 (CDT):
Many years ago I used portsentry for this. You can find an article about portsentry at http://www.securityfocus.com/infocus/1580
and can be downloaded here: http://sourceforge.net/project/showfiles.php?group_id=80573
Kai
on 6-21-2009 2:31 AM Kai Schaetzl spake the following:
Barry Brimer wrote on Sat, 20 Jun 2009 22:51:44 -0500 (CDT):
Many years ago I used portsentry for this. You can find an article about portsentry at http://www.securityfocus.com/infocus/1580
and can be downloaded here: http://sourceforge.net/project/showfiles.php?group_id=80573
Kai
Does portsentry still compile? It has to be near 10 years old by now.
Bob Hoffman <bob@...> writes:
So I have been reading the ssh attack thread and finally want to ask about something.
I doubt there is a program like this, but I would love to have a program that listens at common ports that I do not use at all...and only allow that program to listen to it, especially the usual ssh port (using a different one for real ssh)...
That program would then, upon receiving a 'sniff' or 'user', add that IP to the deny hosts list, for either a long or short time.
Using this would seem like a win as you can easily grab someone before they can get somewhere one hopes. Also, by opening up a few other ports that are unusual like 8561....well, if someone sniffs that it could be a 3 day ban or a month...
In other words, anyone hitting those ports that are not being used at all except by our sniff protector, would allow instant banning.
So...does something like this exist?
Just in case you want to play around with just the logging port probing information you can add something like the following rule to your firewall:
-A RH-Firewall-1-INPUT -p tcp -m tcp -j LOG
-A RH-Firewall-1-INPUT -p udp -m udp -j LOG
Add the rules at the bottom of /etc/sysconfig/iptables but before your ultimate reject rule. Make sure you have enough room in /var/log for the amount of data you will be collecting. The log entries in /var/log/messages will look like:
Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581 WINDOW=17920 RES=0x00 SYN URGP=0
Cheers, Dave
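Jacques's cron-script sketch and Dave's iptables LOG rule above describe one procedure; the following is an added example (not code from the thread or from any of its posters) that implements it as a POSIX shell script: it pulls SRC and DPT out of kernel LOG entries in the format shown above, writes hosts.deny entries carrying an expiry comment for sources that probed a decoy port, and removes entries once that date has passed. Assumed: the decoy port list, dates written as YYYY-MM-DD, and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: ban sources that probe unused "decoy"
# ports (seen in iptables LOG lines) into a hosts.deny-style file with an
# expiry comment, and expire those entries later. Assumes awk and mktemp.
WATCHED_PORTS="22 8561"   # assumed decoy ports; nothing real listens here

# extract_hits LOGFILE -> "src_ip dport" for each logged TCP SYN to a watched port
extract_hits() {
    awk -v ports="$WATCHED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) w[p[i]] = 1 }
        /kernel: IN=/ && /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) { if ($i ~ /^SRC=/) src = substr($i, 5); if ($i ~ /^DPT=/) dpt = substr($i, 5) }
            if (src != "" && (dpt in w)) print src, dpt
        }' "$1"
}

# add_ban DENYFILE IP EXPIRY -> append one "ALL: ip  # expires DATE" line, skipping duplicates
add_ban() {
    grep -q "^ALL: $2 " "$1" 2>/dev/null && return 0
    printf 'ALL: %s  # expires %s\n' "$2" "$3" >> "$1"
}

# expire_bans DENYFILE TODAY -> drop entries whose expiry date is on or before TODAY
expire_bans() {
    tmp=$(mktemp)
    awk -v today="$2" '
        /# expires / { split($0, a, "# expires "); if (a[2] <= today) next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# run_once LOGFILE DENYFILE TODAY EXPIRY -> what the cron job would run each time
run_once() {
    [ -f "$2" ] && expire_bans "$2" "$3"
    extract_hits "$1" | while read -r ip port; do add_ban "$2" "$ip" "$4"; done
}

# Constructed sample log in the format shown above: two probes to decoy ports,
# one normal web request and one UDP packet that must not cause a ban.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=198.51.100.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=22 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:02 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=203.0.113.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=40001 DPT=8561 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:03 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=59357 DPT=80 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:04 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=198.51.100.8 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59655 DF PROTO=UDP SPT=53 DPT=8561 LEN=20
EOF
}
```

A cron job would call run_once /var/log/messages /etc/hosts.deny "$(date +%F)" "$(date -d '+3 days' +%F)" (GNU date). Note that hosts.deny only affects tcp_wrappers-aware daemons such as sshd, so it blocks the prober's later ssh attempts rather than the probes themselves.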