Posted to infrastructure-issues@apache.org by "Roy T. Fielding (JIRA)" <ji...@apache.org> on 2007/12/03 01:10:43 UTC

[jira] Created: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Have sshd tell IPFW to block scanner IPs
----------------------------------------

                 Key: INFRA-1428
                 URL: https://issues.apache.org/jira/browse/INFRA-1428
             Project: Infrastructure
          Issue Type: Wish
      Security Level: public (Regular issues)
          Components: Infra Wishlist
            Reporter: Roy T. Fielding


It would be nice if we could detect an attempt to log in to the account 'admin'
and automatically firewall that IP.  It is one of the first accounts attempted
by those stupid ssh rootkits.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Issue Comment Edited: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Noel J. Bergman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564643#action_12564643 ] 

noel edited comment on INFRA-1428 at 1/31/08 9:12 PM:
-----------------------------------------------------------------

I run sshblack (http://www.pettingers.org/code/sshblack.html) on multiple systems.  It seems both easy to install and suitable in its operation.  Do we want to install it on ASF systems?

      was (Author: noel):
    I run sshblack on multiple systems.  It seems both easy to install and suitable in its operation.  Do we want to install it on ASF systems?
  


[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12631536#action_12631536 ] 

Tony Stevenson commented on INFRA-1428:
---------------------------------------

I think we should look at using this tool ->  http://sourceforge.net/projects/fail2ban

It not only covers SSH/HTTP/HTTPS - It can be expanded very easily to check any other service that outputs to a log file.  
Potentially it could be used to protect rsync, or any other network service.

The problem with SSHblack is that the code is limited to SSH. The author has also produced DABblack.  But that is it.  No others included.  Maybe that could change with some code hacks.  

Fail2Ban can be extended by adding config updates, and using sensible regex.

Working like a charm on my personal servers.



[jira] Resolved: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tony Stevenson resolved INFRA-1428.
-----------------------------------

    Resolution: Fixed
      Assignee: Tony Stevenson

Installed on mino - Looking to roll out further should this trial be successful.



[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634128#action_12634128 ] 

Tony Stevenson commented on INFRA-1428:
---------------------------------------

fail2ban has now been deployed on mino, as an initial test.

With a few IP addresses banned within the first 12 hours of operation.  It is now a case of ensuring that we are using the best regex to catch all the idiots.



[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Noel J. Bergman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564643#action_12564643 ] 

Noel J. Bergman commented on INFRA-1428:
----------------------------------------

I run sshblack on multiple systems.  It seems both easy to install and suitable in its operation.  Do we want to install it on ASF systems?



[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs

Posted by "Paul Querna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12558838#action_12558838 ] 

Paul Querna commented on INFRA-1428:
------------------------------------

We should just block after N attempted logins from the same IP.... lots of tools to do that:
http://freebsdwiki.org/index.php/Block_repeated_illegal_or_failed_SSH_logins

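The detection discussed in this thread, as an added example that is not code from any participant, from sshblack or from fail2ban: a source is banned on its first attempt at a trap account such as 'admin', or after N password failures, and the matching ipfw commands are rendered without being run. The log lines, the threshold, the allowlist and ipfw table number 1 are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the thread: trap names, threshold, allowlist.
TRAP_USERS = {"admin"}     # nobody logs in as these; one attempt is enough
MAX_FAILURES = 3           # the "N" in "block after N attempted logins"
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]   # never ban (constructed)

# The user name is remote-controlled text, so the address is anchored to the
# end of the line; the greedy user group makes the last " from " the one used.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?P<kind>Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?(?: ssh2)?$")

def scan(lines):
    """Return the sorted source addresses that should be blocked."""
    failures, banned = Counter(), set()
    for line in lines:
        m = FAILURE.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                       # not an address: skip the line
        if any(ip in net for net in ALLOW):
            continue
        if m.group("user") in TRAP_USERS:
            banned.add(str(ip))            # trap account: ban on first sight
        elif m.group("kind").startswith("Failed password"):
            failures[ip] += 1              # count password failures only
            if failures[ip] >= MAX_FAILURES:
                banned.add(str(ip))
    return sorted(banned)

def ipfw_commands(addresses, table=1):     # table number is an assumption
    """Render (not run) one ipfw table insertion per banned address."""
    return [f"ipfw table {table} add {a}" for a in addresses]

P = "Dec  3 01:10:43 mino sshd[411]: "      # constructed log prefix
SAMPLE_LOG = [                               # constructed lines
    P + "Invalid user admin from 203.0.113.5",
    P + "Failed password for root from 198.51.100.7 port 40022 ssh2",
    P + "Failed password for root from 198.51.100.7 port 40023 ssh2",
    P + "Failed password for root from 198.51.100.7 port 40024 ssh2",
    P + "Failed password for alice from 198.51.100.99 port 5000 ssh2",
    P + "Invalid user admin from 198.51.100.200 from 203.0.113.77",
    P + "Invalid user admin from 192.0.2.44",
]
```

The sixth sample line carries an address inside the user name; because the pattern is anchored at the end of the line, that embedded address is never the one that gets banned.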