Re: Limit the number of erroneous logins of root from the same IP
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sat, 19 Nov 2011 15:28:31 -0600
On Fri, 18 Nov 2011, in the Usenet newsgroup alt.os.linux.redhat, in article
<ja6a11$2ah$2@xxxxxxxxxxxxxxxxxx>, dold@xxxxxxxxxxxxxxxx wrote:
> Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> There would be little difference between same conditions on either
>> O/S. No server/firewall, and both return the RST or ICMP 3/3.
> In my case, the Windows would have been refusing, the Linux accepting,
> no firewall on either.

So the windoze box wasn't offering SSH, and Linux was?

> Maybe the attempts would have died off by themselves in a day or two.

From a single zombie? Probably finish in a few hours. Of course,

> It seemed that there was some cooperation. Maybe not. Even zombies
> have some control. Once it was discovered that my Linux was accepting
> port 22, then the zombies piled on, trying to brute force crack
> root/guest/user/ logins.

Can't say that I've seen that, but I haven't been offering SSH to the
world for years. Even at work, the port is functionally restricted.

>> ISP abuse desks rarely do anything

> The ip addresses were all concentrated in one country.

Which one out of curiosity?

> As someone else noted, it might be easiest to allow a few very broad
> subnets that are in one's home country.

Probably me - and really I only allow connections from a select list.
There are three firewall rules that forward from a /22 and two /24s (a
total of 1530 addresses out of 3395108304 as of last week or 0.000045%)
to the box running the SSH server. The other 99.999955% of the Internet
isn't forwarded and thus can't even get _any_ response from the server.
The default rule is a REJECT.
A problem about filtering by country - IANA and the five Regional
Internet Registries (RIRs) don't have IPs conveniently arranged by
country (or even regions). Everyone blames China as a bad guy, so how
would you block the 330.49 million IPv4 addresses they're allocated or
assigned?
[planck ~]$ zgrep -c CN [ALR]*
AFRINIC.gz:0
APNIC.gz:3457
ARIN.gz:1
LACNIC.gz:0
RIPE.gz:0
[planck ~]$ zgrep CN ARIN.gz
CN 199.59.240.0 255.255.252.0 allocated 20101209 ar
[planck ~]$ zgrep -h CN A* | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
54 1 21 112 13 140 17 183
17 14 44 113 6 144 2 192
32 27 30 114 7 150 1 199
25 36 28 115 7 153 555 202
10 39 56 116 7 157 970 203
90 42 38 117 1 159 78 210
17 49 50 118 1 161 45 211
44 58 77 119 1 162 73 218
34 59 29 120 6 163 42 219
38 60 49 121 1 166 17 220
89 61 38 122 1 167 64 221
75 101 50 123 1 168 64 222
90 103 72 124 12 171 28 223
23 106 40 125 20 175
42 110 1 134 36 180
34 111 16 139 29 182
[planck ~]$
If you're not a UNIX scripting nut, the first one asks how many
allocations (distributions to Internet Registries for further
assignment/allocation) and assignments (distribute IPs to end-users)
are assigned to China. 3457 from APNIC, 1 from ARIN (and here's what
an entry in these files looks like). This count ignores allocations
and assignments to Hong Kong (.hk), Macau (.mo) and Taiwan (.tw) which
add another 1305 entries. The long one asks what the FIRST octet of
the addresses are, sorts that, counts, and then displays it in columns.
So, there are 54 1.x.x.x networks associated with Chinese companies.
17 14.x.x.x networks, and so on. Not very convenient. Another minor
problem - just because the addresses are _registered_ in country $FOO
doesn't mean that the computers are actually there. Ever heard of
"multi-national" companies? I work for one.
There _used_to_be_ recommendations to block 202.x.x.x, 203.x.x.x,
210.x.x.x and 211.x.x.x to wipe out all of the Asia-Pacific region.
Know your ISO-3166 country codes?
202
AF BN GU JP LK MU NU PK TO VU
AP BT HK KH MH MV NZ PW TV WS
AS CK ID KI MN MY PF SB TW
AU CN IN KR MO NC PG SG US
BD FJ IO LA MP NP PH TH VN
203
AF BT GU IO KR MN NF PF SG VN
AP CN HK JP LA MV NP PG TH VU
AU FJ ID KH LK MY NR PH TW WS
BD GB IN KI MM NC NZ PK US
210
AF BD FJ ID JP MP NZ PK TH VN
AU CN HK IN KR MY PH SG TW
211
AU CN JP KR MY TW
Notice the GB and US entries? One of the US entries is actually a US
Navy facility, and several of the GB entries are British banks.
Another suggestion in the past has been to block addresses where the
IP resolves to a hostname like $FOO.BAR.BAZ.cn. Two problems with
that suggestion - there are a LOT of IP addresses that don't resolve
because the DNS admin there has his/her head up their ass. Second,
it may be a shock to people, but there are a shed-load of .com domains
in _every_ country.

> Random zombies try to probe for port 22 on random addresses. If they
> find a live port, then they tell all their friends and they hammer
> away at login attempts. Using hosts.allow to trim 3/4 of the world
> population out of the zombies that could see my port, I would
> eliminate the zombies piling on in login attempts.

In the firewall - set the default inbound to DROP or REJECT, and then
add the needed rules to connect those IPs or IP ranges you want to
give access to. In my case, that boils down to just five total lines.

> hosts.allow probably has the desired effect, with a more readily
> understood format than iptables.

It certainly is more readily understandable, but that was written 14+
years ago, in a different universe, and the original author (Wietse
Venema, formerly of Eindhoven University of Technology) has not been
maintaining it. See http://www.netfilter.org/documentation/HOWTO/
for ways to get the firewall simple and solid.
Old guy
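The two points made in the post above, that per-country blocking from RIR data is awkward because a country's space is scattered across many prefixes, and that a short allow-list with a REJECT default is the simple alternative, as an added Python example. This is not code from Moe Trin's post or from any of the tools it names. It assumes the RIR "delegated-extended" file format (`registry|cc|type|start|value|date|status`, where for ipv4 records `value` is an address count rather than a prefix length, and odd counts such as 768 have to be split into several CIDR blocks); the sample records and the allow-list prefixes are constructed from documentation and benchmarking ranges, not real allocations or the author's own subnets.

```python
"""Country filtering vs. a short allow-list for an SSH port (added example)."""
import ipaddress
from collections import Counter

# Constructed sample in delegated-extended format; values are illustrative,
# not real RIR data.  Includes a header line, a summary line, an HK record
# and an ipv6 record so the parser has something to skip.
SAMPLE_DELEGATED = """\
2|apnic|20111118|6|19830101|20111118|+1000
apnic|*|ipv4|*|5|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|CN|ipv4|14.0.0.0|4194304|20100208|allocated
apnic|CN|ipv4|203.16.0.0|768|19950512|assigned
apnic|HK|ipv4|202.45.0.0|4096|19960301|allocated
arin|CN|ipv4|199.59.240.0|1024|20101209|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated
"""


def parse_delegated(text):
    """Yield (cc, IPv4Network) for every ipv4 record.

    `value` is an address count, so a 768-address record becomes a /23
    plus a /24; summarize_address_range does that split for us.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Header and summary lines have too few fields or no 'ipv4' type.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        cc, start, count = fields[1], fields[3], int(fields[4])
        first = ipaddress.IPv4Address(start)
        last = first + (count - 1)
        for net in ipaddress.summarize_address_range(first, last):
            yield cc, net


def country_networks(text, countries):
    """All CIDR blocks registered to any country code in `countries`.

    Pass {"CN", "HK", "MO", "TW"} to include the entries the post says a
    bare 'CN' grep leaves out.
    """
    return [net for cc, net in parse_delegated(text) if cc in countries]


def first_octet_histogram(nets):
    """The post's `cut -d'.' -f1 | sort -n | uniq -c`, as a Counter."""
    return Counter(int(str(n.network_address).split(".")[0]) for n in nets)


# The author's approach: a few prefixes forwarded to the SSH host and
# everything else rejected.  These prefixes are constructed (RFC 2544
# benchmarking /22 and two RFC 5737 documentation /24s), not the author's.
ALLOW = [ipaddress.ip_network(p)
         for p in ("198.18.0.0/22", "192.0.2.0/24", "198.51.100.0/24")]


def iptables_rules(allow, port=22):
    """Render the allow-list as iptables commands.  The final rule is the
    REJECT default; icmp-port-unreachable is ICMP type 3 code 3, the
    response the post refers to as 'ICMP 3/3'."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
             for net in allow]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} "
                 "-j REJECT --reject-with icmp-port-unreachable")
    return rules


def verdict(addr, allow):
    """First-match evaluation of the same policy for one source address."""
    ip = ipaddress.ip_address(addr)
    return "ACCEPT" if any(ip in net for net in allow) else "REJECT"


def coverage(allow):
    """(total addresses, usable hosts) the allow-list admits.  'Usable'
    drops the network and broadcast address of each prefix, which is how
    a /22 plus two /24s comes to the post's 1530 rather than 1536."""
    total = sum(n.num_addresses for n in allow)
    usable = sum(n.num_addresses - 2 for n in allow)
    return total, usable


if __name__ == "__main__":
    cn = country_networks(SAMPLE_DELEGATED, {"CN"})
    print(len(cn), "CIDR blocks for CN; first octets:",
          dict(first_octet_histogram(cn)))
    for rule in iptables_rules(ALLOW):
        print(rule)
    print(verdict("192.0.2.7", ALLOW), verdict("1.0.1.9", ALLOW),
          coverage(ALLOW))
```

Run against a real delegated-extended file the CN list comes out as thousands of CIDR blocks, which is the inconvenience the post describes; if you do want to load that many prefixes, an ipset matched with `-m set --match-set` is the practical carrier rather than one iptables rule per block. The allow-list half needs only the handful of lines `iptables_rules` prints, with the REJECT default last.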