
Resolved
Hey,

I have the ClearOS paid edition with Intrusion Detection, Intrusion Prevention and Intrusion Protection Updates.

Somehow I don't see anything in the logs, and it looks like snortsam is bugged? I am up to date.

Tried to test with: LOIC, NMAP (to test port scans etc.)
Wednesday, December 31 2014, 09:36 AM
Responses (6)
  • Accepted Answer

    Tuesday, January 13 2015, 09:08 AM - #Permalink
    Never mind, it works ;) Seems I need some more bad people on my network haha
  • Accepted Answer

    Thursday, January 01 2015, 02:03 PM - #Permalink
    Nick, you are absolutely right about closing port 22, although I need it to be open.
    I know the results of fail2ban; I had it running for years on ClearOS 5.2, just upgraded to 6.5 and hoped that the additional ruleset of ClearOS would handle these kinds of attempts.

    OpenVPN is also a good alternative, although not suitable in my case; I don't want people getting into my LAN by accident.

    I will go for fail2ban again. It never hurts to have two methods to tackle attackers.

    Br,
    Wiljon

    PS. Although not perfect, it's worth investing $30 a year for the additional rule sets.
  • Accepted Answer

    Thursday, January 01 2015, 01:47 PM - #Permalink
    If you don't have port 22 open then, to be honest, you don't need snort rules for it. If you do have it open, can I suggest you look at fail2ban (available in clearos-epel), which is great for blocking these types of attacks.

    If you do want remote ssh access, can I suggest you use something like OpenVPN; then you can connect by ssh as if you were connected to the LAN rather than the WAN. Other suggestions are to switch the ssh port to a non-standard one or to use certificate authentication.
  • Accepted Answer

    Thursday, January 01 2015, 01:32 PM - #Permalink
    Sorry, my fault: snort is working as intended; the hackers are also aware of the snort rules and are doing their best to avoid being blocked.

    The normal 3000001 rule needs 6 attempts within 30 seconds before it activates snortsam.
    For myself, I changed the 5000001 rule this morning to 3 attempts within 30 seconds, and that triggers snortsam better.

    Reason: see the following brute force attempt, a fragment of 1 minute of the secure log (it goes on for hours):
    04:02:00 firewall sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:02 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
    Dec 30 04:02:04 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
    Dec 30 04:02:06 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
    Dec 30 04:02:06 firewall sshd[2235]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:06 firewall sshd[2233]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:08 firewall sshd[2273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:10 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
    Dec 30 04:02:12 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
    Dec 30 04:02:14 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
    Dec 30 04:02:14 firewall sshd[2274]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:14 firewall sshd[2273]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:16 firewall sshd[2276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:17 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
    Dec 30 04:02:19 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
    Dec 30 04:02:22 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
    Dec 30 04:02:22 firewall sshd[2277]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:22 firewall sshd[2276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:23 firewall sshd[2278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:25 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
    Dec 30 04:02:28 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
    Dec 30 04:02:29 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
    Dec 30 04:02:30 firewall sshd[2279]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:30 firewall sshd[2278]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:31 firewall sshd[2286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:33 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
    Dec 30 04:02:36 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
    Dec 30 04:02:38 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
    Dec 30 04:02:39 firewall sshd[2287]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:39 firewall sshd[2286]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:40 firewall sshd[2291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:41 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
    Dec 30 04:02:44 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
    Dec 30 04:02:47 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
    Dec 30 04:02:47 firewall sshd[2292]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:47 firewall sshd[2291]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:48 firewall sshd[2294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:50 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
    Dec 30 04:02:53 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
    Dec 30 04:02:55 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
    Dec 30 04:02:55 firewall sshd[2295]: Received disconnect from 103.41.124.40: 11:
    Dec 30 04:02:55 firewall sshd[2294]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:57 firewall sshd[2297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
    Dec 30 04:02:59 firewall sshd[2297]: Failed password for root from 103.41.124.40 port 57695 ssh2
    Dec 30


    It's only a burst of 3 passwords and 4 connections within 30 seconds; this will never trigger rule 3000001, as it needs 6 attempts within 30 seconds, and therefore this break-in attempt keeps going for hours.

    It will trigger my own 5000001 rule now, as it allows only 3 attempts within 30 seconds.
    alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 3, seconds 30; classtype:suspicious-login; sid:5000001; rev:5; fwsam:src, 86400 seconds; )

    Br,
    Wiljon
  • Accepted Answer

    Wednesday, December 31 2014, 04:02 PM - #Permalink
    Hi, I am experiencing somewhat the same issues.

    Installed the ClearCenter Rule Set
    Last Update Mon Nov 10 21:33:46 2014
    Rule Sets 41
    Total Number of Rules 15973

    But still not enough blocking of brute force attacks on ssh.

    Ongoing and filling my security log:
    Dec 31 16:51:59 firewall sshd[27393]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:51:59 firewall sshd[27393]: PAM service(sshd) ignoring max retries; 6 > 3
    Dec 31 16:52:00 firewall sshd[27468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:02 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:05 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:07 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:09 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:11 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:13 firewall sshd[27469]: Disconnecting: Too many authentication failures for root
    Dec 31 16:52:13 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
    Dec 31 16:52:13 firewall sshd[27468]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:13 firewall sshd[27468]: PAM service(sshd) ignoring max retries; 6 > 3
    Dec 31 16:52:14 firewall sshd[27526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:16 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:18 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:20 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:21 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:24 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:27 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
    Dec 31 16:52:27 firewall sshd[27527]: Disconnecting: Too many authentication failures for root
    Dec 31 16:52:27 firewall sshd[27526]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:27 firewall sshd[27526]: PAM service(sshd) ignoring max retries; 6 > 3
    Dec 31 16:52:28 firewall sshd[27601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:29 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:31 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:33 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:36 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:38 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:40 firewall sshd[27602]: Disconnecting: Too many authentication failures for root
    Dec 31 16:52:40 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
    Dec 31 16:52:40 firewall sshd[27601]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
    Dec 31 16:52:40 firewall sshd[27601]: PAM service(sshd) ignoring max retries; 6 > 3
    Dec 31 16:52:41 firewall sshd[27658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root

    Snort is running and gives some responses, but is definitely not looking for the above attacks.

    Snortsam is blocking for sure:
    Blocked List

    IP Address      Security ID   Block Time
    39.68.249.217   3100001       Wed Dec 31 15:54:44 2014
    49.89.253.78    3100001       Wed Dec 31 06:28:16 2014
    58.18.86.94     3100001       Wed Dec 31 16:22:16 2014
    61.174.50.140   5000001       Tue Dec 30 17:30:56 2014
    61.174.51.200   5000001       Tue Dec 30 23:14:47 2014
    61.174.51.211   5000001       Wed Dec 31 11:09:17 2014
    61.240.144.64   3100001       Tue Dec 30 19:43:48 2014
    62.210.136.203  3100001       Wed Dec 31 05:16:33 2014
    78.160.218.148  3100001       Tue Dec 30 23:14:11 2014
    79.117.188.99   3100001       Wed Dec 31 06:45:37 2014
    85.102.23.39    3100001       Wed Dec 31 08:10:53 2014

    PS. The 5000001 rule is my own attempt to block those ssh attacks:
    alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:5000001; rev:5; fwsam:src, 86400 seconds; )

    Hope someone can help me out.
    Br,
    Wiljon
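The two versions of rule 5000001 in this thread (count 6 in the Dec 31 post, count 3 in the Jan 1 post) differ only in the threshold count, and the secure log shows why that matters. The following is an added example, not code from the posts or from ClearOS, Snort or snortsam: it replays Snort's "type threshold, track by_src" counting over a constructed log with the same burst pattern (a new connection about every 8 seconds) and shows that count 6 never fires while count 3 does. The source address 192.0.2.10, the log lines and the regular expression are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/secure (placeholder source 192.0.2.10), modelled on the
# burst in the Jan 1 post: a new sshd connection about every 8 seconds, 3 passwords each.
SAMPLE_LOG = """\
Dec 30 04:02:00 firewall sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:02 firewall sshd[2233]: Failed password for root from 192.0.2.10 port 44715 ssh2
Dec 30 04:02:08 firewall sshd[2273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:16 firewall sshd[2276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:23 firewall sshd[2278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:31 firewall sshd[2286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:40 firewall sshd[2291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:48 firewall sshd[2294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Dec 30 04:02:57 firewall sshd[2297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

# The first PAM failure logged by each sshd process marks one new TCP connection,
# i.e. one SYN to port 22, which is what the rule's "flags:S" counts.
NEW_CONN = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)")
def parse_connections(log):
    """Return [(timestamp, src)] for every new SSH connection in the log text."""
    events = []
    for line in log.splitlines():
        m = NEW_CONN.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)))
    return events

def threshold_alerts(events, count, seconds):
    """Replay 'threshold:type threshold, track by_src, count N, seconds S': count events
    per source in an S-second interval opened by the first event; alert when N is reached."""
    state, alerts = {}, []
    for ts, src in events:
        start, hits = state.get(src, (None, 0))
        if start is None or (ts - start).total_seconds() > seconds:
            start, hits = ts, 0          # interval expired: open a new one
        hits += 1
        if hits >= count:
            alerts.append((src, ts))     # here fwsam would block src for 86400 s
            start, hits = None, 0        # Snort resets the counter after alerting
        state[src] = (start, hits)
    return alerts

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for n in (6, 3):  # the stock rule's count 6 vs. the tightened count 3
        print(n, [t.strftime("%H:%M:%S") for _, t in threshold_alerts(conns, n, 30)])
```

Snort counts SYN packets rather than PAM lines, so this is an approximation of the rule, not the rule itself. Note that with count 3 a legitimate admin who reconnects three times within 30 seconds gets the same 86400-second block, so the White List for your own management addresses matters.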
  • Accepted Answer

    Wednesday, December 31 2014, 10:05 AM - #Permalink
    Is snort running? If it is failing to start, have a look in /var/log/messages for clues.