
My Geek-Blog!!

Friday, August 05, 2005

The details 

The details of what my log-watch system does:

1. mkfifo /tmp/log_fifo
2. edit /etc/syslog.conf and add:
*.info;authpriv.none |/tmp/log_fifo
3. edit /etc/sysconfig/iptables and add a new chain called "BADGUYS":
a. in the "filter" section (at the top):
:BADGUYS - [0:0]
b. in the INPUT chain:
-A INPUT --in-interface eth+ --jump BADGUYS
c. in the BADGUYS chain (add this at the bottom):
-A BADGUYS --in-interface eth+ --source 169.254.0.0/16 --jump DROP
or some other "bad" IP address.
4. service syslog restart
5. run my logmonitor script which watches the /tmp/log_fifo "file" (more on this later)

By default, the logmonitor wakes up whenever a new entry appears in the log_fifo -- i.e. every time a login fails, but also every time any other crap goes into the log file. Every 5 minutes, it also wakes up and checks if any of the banned IP addresses has expired -- right now a ban is for 12 hours. I think the overhead on the system is minimal, and it catches script kiddies after 3 failed attempts, not 50.

Geek blog 

Every now and then I tend to "geek out" and so I figured I'd start a blog to post my progress.

The latest thing I've been hacking on is a security system for my computer ... there are lots of script kiddies out there now, and if you turn on a brand-new computer, they say it will be "rooted" or compromised within minutes. In my own computer's logs, I'm seeing 2-10 brute-force attempts to log in by random machines. Generally, these are very easy to detect:


Jul 31 23:03:35 192 sshd[32563]: Illegal user admin from 200.220.192.86
Jul 31 23:03:35 192 sshd(pam_unix)[32563]: check pass; user unknown
Jul 31 23:03:35 192 sshd(pam_unix)[32563]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=nagios.nqt.com.br
Jul 31 23:03:37 192 sshd[32563]: Failed password for illegal user admin from 200.220.192.86 port 52533 ssh2
Jul 31 23:03:39 192 sshd[32565]: Illegal user admin from 200.220.192.86
Jul 31 23:03:39 192 sshd(pam_unix)[32565]: check pass; user unknown
Jul 31 23:03:39 192 sshd(pam_unix)[32565]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=nagios.nqt.com.br

Basically, they're just trying random passwords against widely-used usernames -- admin, betty, bob, joe. But they also try a few passwords at each of 50 different usernames, so they could slowly figure out a correct combination.

My approach has been to give them 3 tries to get in, then I start dropping all their packets -- it's as if my computer never sees them again. If it is a legit user, they'll probably get their password right in 3 tries, so it isn't a big inconvenience to real users.
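Here is what a monitor with the behaviour described above looks like (wake on each line arriving through the FIFO, ban after 3 failed logins, sweep every 5 minutes, lift bans after 12 hours), written as an added Python example. It is not the post's own logmonitor script, which isn't shown here. It assumes the BADGUYS chain and the eth+ interface from the iptables rules above and builds its iptables commands with the same long options; in dry-run mode (the default) the commands are returned as strings instead of being executed, so the logic can be checked without root. Only the "Failed password" line is counted, so that one attempt (which also produces an "Illegal user" line) isn't counted twice. Two of the sample lines are from the log excerpt above; the other two are constructed.

```python
"""Log-FIFO watcher that bans brute-force SSH sources (added example, not the post's script)."""
import re
import select
import shlex
import subprocess
import time

# One "Failed password" line is logged per attempt; the "Illegal user" and pam_unix
# lines belong to the same attempt and are deliberately not matched.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class LogMonitor:
    def __init__(self, threshold=3, ban_seconds=12 * 3600, chain="BADGUYS",
                 iface="eth+", dry_run=True):
        self.threshold = threshold      # failed logins before the source is dropped
        self.ban_seconds = ban_seconds  # 12 hours, as in the post
        self.chain = chain              # the BADGUYS chain from /etc/sysconfig/iptables
        self.iface = iface
        self.dry_run = dry_run
        self.failures = {}  # ip -> failed logins seen since its last ban
        self.banned = {}    # ip -> wall-clock time at which its ban expires

    def _rule(self, action, ip):
        # Same option spelling as the rules in the iptables file above.
        return (f"iptables --{action} {self.chain} --in-interface {self.iface} "
                f"--source {ip} --jump DROP")

    def _run(self, cmd):
        if not self.dry_run:
            subprocess.run(shlex.split(cmd), check=True)
        return cmd

    def handle_line(self, line, now=None):
        """Feed one syslog line. Returns the iptables command issued, or None."""
        now = time.time() if now is None else now
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.banned:
            return None  # already dropped; any stragglers were queued before the rule
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        del self.failures[ip]
        self.banned[ip] = now + self.ban_seconds
        return self._run(self._rule("insert", ip))

    def expire_bans(self, now=None):
        """Lift every ban whose 12 hours are up. Returns the commands issued."""
        now = time.time() if now is None else now
        lifted = []
        for ip, until in sorted(self.banned.items()):  # sorted() copies, so deleting is safe
            if until <= now:
                del self.banned[ip]
                lifted.append(self._run(self._rule("delete", ip)))
        return lifted

    def watch(self, fifo_path, check_every=300):
        """Block on the FIFO; sweep for expired bans at least every check_every seconds."""
        while True:  # reopen when the writer (syslogd) closes its end, e.g. on restart
            with open(fifo_path, "rb", buffering=0) as fifo:  # unbuffered so select() is honest
                while True:
                    ready, _, _ = select.select([fifo], [], [], check_every)
                    if ready:
                        raw = fifo.readline()
                        if not raw:  # EOF: syslogd went away
                            break
                        self.handle_line(raw.decode("utf-8", "replace"))
                    self.expire_bans()


# Lines 2 and 3 are from the log excerpt in the post; lines 1 and 4 are constructed.
SAMPLE_LINES = [
    "Jul 31 23:03:35 192 sshd(pam_unix)[32563]: check pass; user unknown",
    "Jul 31 23:03:37 192 sshd[32563]: Failed password for illegal user admin from 200.220.192.86 port 52533 ssh2",
    "Jul 31 23:03:41 192 sshd[32565]: Failed password for illegal user admin from 200.220.192.86 port 52540 ssh2",
    "Jul 31 23:03:45 192 sshd[32567]: Failed password for illegal user admin from 200.220.192.86 port 52551 ssh2",
]


def demo(start=0.0):
    """Replay the sample lines with a fixed clock; returns (per-line results, sweep at 5 min, sweep at 12 h)."""
    mon = LogMonitor()
    results = [mon.handle_line(line, now=start) for line in SAMPLE_LINES]
    at_five_minutes = mon.expire_bans(now=start + 5 * 60)   # the periodic sweep: nothing to lift yet
    at_twelve_hours = mon.expire_bans(now=start + 12 * 3600)  # ban has run its course
    return results, at_five_minutes, at_twelve_hours


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run as root with `dry_run=False` and `LogMonitor().watch("/tmp/log_fifo")` to act on the live FIFO. Using `--insert` on the BADGUYS chain puts each new source above the static DROP rule that the iptables file already holds, and `--delete` with the identical match removes exactly that rule when the ban expires.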
