
Resolved
0 votes
Hello,

Back in the days of ClarkConnect, Snort/SAM dropped IP addresses after brute force attacks. Now running ClearOS 7 Community, it logs over 65000 failed SSH attempts from one (Chinese) IP address and IPS or IDS do or log nothing! Kind of disappointing. (All rules are enabled (except for p2p and chat)).

From the web interface there is no easy way to drop an IP address, is there?

How can I obtain more rules (including the "brute force ssh" rule)?
Friday, February 12 2016, 08:28 PM
Responses (5)
  • Accepted Answer

    Friday, February 12 2016, 10:09 PM - #Permalink
    Resolved
    0 votes
    Oh, and the bug you (Ben) linked to is closed so it's not going anywhere.
  • Accepted Answer

    Friday, February 12 2016, 09:58 PM - #Permalink
    Resolved
    0 votes
    Ben Chambers wrote:
    1. Install custom fw app, and add:

    iptables -I INPUT --source x.x.x.x -j DROP


    and keep an eye out for more (not very practical)

    2. In Webconfig, modify your SSH to use alternate port

    3. In Webconfig, modify your SSH to use certificates and block user/pw as auth mechanism.

    B.
    Please add VPN to your list? It is probably much easier to set up than 3. 2 is a bit of obscurity but is better than nothing. 1 is a waste of effort (and you'll kill your firewall with all the rules you end up with).
  • Accepted Answer

    Friday, February 12 2016, 08:46 PM - #Permalink
    Resolved
    0 votes
    I think with Community 7 you cannot subscribe for a better rule set at ClearSDN. And yes, you are right, SSH should not be open at all. Funny thing is: I can't get forwarding from my modem to work, only to find out that someone is able to reach port 22 from the outside :-( :-( Because of that I was not even aware that port 22 was open... Closed it down and added the IP address to block.
  • Accepted Answer

    Friday, February 12 2016, 08:40 PM - #Permalink
    Resolved
    0 votes
    Yup...I've logged into lots of v7 servers since the launch, and that new tool really sheds some light on how quickly brute force scripts start knocking on ports.

    I'm surprised you're the first to bring it up here.

    There is a bug tracker for what's going on...slow and steady attacks that do not trigger the IDS rules. It's logged here.

    In the meantime, suggestions are:

    1. Install custom fw app, and add:

    iptables -I INPUT --source x.x.x.x -j DROP


    and keep an eye out for more (not very practical)

    2. In Webconfig, modify your SSH to use alternate port

    3. In Webconfig, modify your SSH to use certificates and block user/pw as auth mechanism.

    Maybe this post will push to get a rule added...out of my league. Also, Pete's working on a Fail2Ban app for ClearOS. Finally, another app for ClearOS is in development from eGloo that would also be of great benefit here. More to come on that later.

    B.
  • Accepted Answer

    Friday, February 12 2016, 08:38 PM - #Permalink
    Resolved
    0 votes
    ClearOS comes with a very old basic rule set. If you want any better you have to pay for it with a ClearSDN subscription or use something like my old Emerging Threats script.

    FWIW, I really suggest you don't leave port 22 open. If you need SSH access from the internet, use something like OpenVPN to connect to ClearOS then you can SSH as if you are on the ClearOS LAN. Also install fail2ban which will monitor your logs and shut down repeat offenders.

    It is also very easy to drop IP's from the Webconfig in the Network > Incoming Firewall, but you'll find there is a lot to block especially if you have port 22 open. If port 22 is not open then there is no point in blocking port 22 probes.
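As an added illustration of what Ben's iptables suggestion and Nick's fail2ban suggestion amount to (example code, not from the forum, ClearOS or fail2ban): a small script that counts sshd "Failed password" lines per source address and prints, rather than applies, a DROP rule for each repeat offender. The log format, the threshold and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not ClearOS or fail2ban code: a minimal fail2ban-style counter
# over sshd "Failed password" lines, emitting DROP rules for repeat offenders.
# Assumptions: /var/log/secure style lines; threshold and log are constructed.

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='Feb 12 20:01:02 gw sshd[1201]: Failed password for root from 203.0.113.45 port 51011 ssh2
Feb 12 20:01:05 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51013 ssh2
Feb 12 20:01:09 gw sshd[1207]: Failed password for root from 203.0.113.45 port 51020 ssh2
Feb 12 20:02:00 gw sshd[1210]: Failed password for root from 203.0.113.45 port 51044 ssh2
Feb 12 20:02:30 gw sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2
Feb 12 20:03:10 gw sshd[1220]: Failed password for alice from 192.0.2.10 port 40130 ssh2'

# Read log lines on stdin; print "count ip" for every source address with at
# least $1 failed password attempts, most frequent first.
count_failures() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Turn "count ip" lines into firewall commands for the custom firewall app.
# They are printed for review, not executed.
drop_rules() {
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failed attempts\n' "$ip" "$count"
    done
}

# Offenders in the sample log at the given threshold (default 3).
offenders() { printf '%s\n' "$SAMPLE_LOG" | count_failures "${1:-3}"; }

offenders 3 | drop_rules
```

With the threshold at 3 only 203.0.113.45 is listed; the single failure from 192.0.2.10 (an address that also logged in successfully) is ignored, which is the behaviour that distinguishes a repeat offender from a mistyped password.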