Hey,
I have the ClearOS paid edition with Intrusion Detection, Intrusion Prevention and Intrusion Protection Updates.
Somehow I don't see anything in the logs and it looks like snortsam is bugged? I am up to date.
Tried to test with: LOIC, NMAP (to test port scans etc.)
Responses (6)
-
Nick, you are absolutely right about closing port 22, although I need it to be open.
I know the results of fail2ban; I had it running for years on ClearOS 5.2. I just upgraded to 6.5 and hoped that the additional rule set of ClearOS would handle this kind of attempt.
OpenVPN is also a good alternative, although not suitable in my case; I don't want people getting into my LAN by accident.
I will go for fail2ban again. It never hurts to have two methods to tackle attackers.
Br,
Wiljon
PS. Although not perfect, it's worth investing $30 a year for the additional rule sets.
-
If you don't have port 22 open then, to be honest, you don't need snort rules for it. If you do have it open, can I suggest you look at fail2ban (available in clearos-epel), which is great for blocking these types of attacks.
If you do want remote ssh access, can I suggest you use something like OpenVPN; then you can connect by ssh as if you were connected to the LAN rather than the WAN. Other suggestions are to switch the ssh port to a non-standard one or to use certificate authentication.
-
Sorry, my fault: snort is working as intended. The hackers are also aware of the snort rules and are doing their best to avoid being blocked.
The normal 3000001 rule needs 6 attempts within 30 seconds before it activates snortsam.
For myself, I changed the 5000001 rule this morning to 3 attempts within 30 seconds, and that triggers snortsam better.
Reason: see the following brute force attempt, a fragment of 1 minute of the secure log (it goes on for hours):
Dec 30 04:02:00 firewall sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:02 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
Dec 30 04:02:04 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
Dec 30 04:02:06 firewall sshd[2233]: Failed password for root from 103.41.124.40 port 44715 ssh2
Dec 30 04:02:06 firewall sshd[2235]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:06 firewall sshd[2233]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:08 firewall sshd[2273]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:10 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
Dec 30 04:02:12 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
Dec 30 04:02:14 firewall sshd[2273]: Failed password for root from 103.41.124.40 port 41931 ssh2
Dec 30 04:02:14 firewall sshd[2274]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:14 firewall sshd[2273]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:16 firewall sshd[2276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:17 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
Dec 30 04:02:19 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
Dec 30 04:02:22 firewall sshd[2276]: Failed password for root from 103.41.124.40 port 39851 ssh2
Dec 30 04:02:22 firewall sshd[2277]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:22 firewall sshd[2276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:23 firewall sshd[2278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:25 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
Dec 30 04:02:28 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
Dec 30 04:02:29 firewall sshd[2278]: Failed password for root from 103.41.124.40 port 35412 ssh2
Dec 30 04:02:30 firewall sshd[2279]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:30 firewall sshd[2278]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:31 firewall sshd[2286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:33 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
Dec 30 04:02:36 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
Dec 30 04:02:38 firewall sshd[2286]: Failed password for root from 103.41.124.40 port 60372 ssh2
Dec 30 04:02:39 firewall sshd[2287]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:39 firewall sshd[2286]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:40 firewall sshd[2291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:41 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
Dec 30 04:02:44 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
Dec 30 04:02:47 firewall sshd[2291]: Failed password for root from 103.41.124.40 port 60776 ssh2
Dec 30 04:02:47 firewall sshd[2292]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:47 firewall sshd[2291]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:48 firewall sshd[2294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:50 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
Dec 30 04:02:53 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
Dec 30 04:02:55 firewall sshd[2294]: Failed password for root from 103.41.124.40 port 58696 ssh2
Dec 30 04:02:55 firewall sshd[2295]: Received disconnect from 103.41.124.40: 11:
Dec 30 04:02:55 firewall sshd[2294]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:57 firewall sshd[2297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.40 user=root
Dec 30 04:02:59 firewall sshd[2297]: Failed password for root from 103.41.124.40 port 57695 ssh2
Dec 30
It's only a burst of 3 passwords and 4 connections within 30 seconds; this will never trigger rule 3000001, as it needs 6 attempts within 30 seconds, and therefore this break-in attempt keeps going for hours.
It will trigger my own 5000001 rule now, as it allows only 3 attempts within 30 seconds.
alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 3, seconds 30; classtype:suspicious-login; sid:5000001; rev:5; fwsam:src, 86400 seconds; )
Br,
Wiljon
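The threshold arithmetic in this post, worked through as an added example that is not part of the original thread and not ClearOS, Snort or snortsam code. The script builds a constructed /var/log/secure burst in the shape described above (one new connection about every 8 seconds, three failed passwords each; the attacker address is the one from the post, the ports, exact timings and the year 2014 are assumptions), then runs a simplified model of Snort's `threshold:type threshold, track by_src, count N, seconds S` over it twice: once counting connections, which is what the posted `flags:S` rule sees, and once counting failed passwords, which is what a log-based tool such as fail2ban (suggested in Nick's reply) keys on. Since sshd never logs the SYN itself, the first log line per (source, port) pair stands in for it.

```python
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2014                       # syslog stamps carry no year
EPOCH = datetime(ASSUMED_YEAR, 1, 1)      # timestamps become seconds from here

# Constructed sample, not copied from the post: one new SSH connection about
# every 8 seconds with three password failures each. Same attacker address as
# above; ports and exact timings are illustrative.
_CONNECTIONS = [  # (seconds after 04:02:00, attacker source port)
    (0, 44715), (8, 41931), (16, 39851), (23, 35412),
    (31, 60372), (40, 60776), (48, 58696), (57, 57695),
]

def _stamp(seconds):
    return (EPOCH + timedelta(seconds=seconds)).strftime("%b %d %H:%M:%S")

def build_sample_log(src="103.41.124.40"):
    """Emit /var/log/secure-style lines for the constructed burst."""
    base = (datetime(ASSUMED_YEAR, 12, 30, 4, 2, 0) - EPOCH).total_seconds()
    lines = []
    for start, port in _CONNECTIONS:
        for off in (2, 4, 6):              # three failed passwords per connection
            lines.append(f"{_stamp(base + start + off)} firewall sshd[2233]: "
                         f"Failed password for root from {src} port {port} ssh2")
        lines.append(f"{_stamp(base + start + 6)} firewall sshd[2235]: "
                     f"Received disconnect from {src}: 11:")
    return "\n".join(lines)

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+) port (?P<port>\d+)")

def parse_failures(log_text):
    """Return (seconds, src, port) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            dt = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
            out.append(((dt - EPOCH).total_seconds(), m["src"], m["port"]))
    return out

def connection_starts(failures):
    """Approximate each connection's SYN by the first line seen for a
    (src, port) pair; sshd never logs the SYN that a flags:S rule counts."""
    seen, starts = set(), []
    for ts, src, port in failures:
        if (src, port) not in seen:
            seen.add((src, port))
            starts.append((ts, src))
    return starts

def threshold_alerts(events, count, seconds):
    """Simplified model (an assumption, not Snort's code) of
    'threshold:type threshold, track by_src, count N, seconds S': per source,
    count hits inside a window opened by the first hit, alert on every N-th
    hit, and open a new window when a hit arrives after the old one expired.
    Returns the timestamps at which the rule would have fired."""
    state, alerts = {}, []
    for ts, src in events:
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:          # window expired: start over
            start, n = ts, 0
        n += 1
        if n >= count:                     # N-th hit inside the window
            alerts.append(_stamp(ts))
            n = 0
        state[src] = (start, n)
    return alerts

def syn_rule_alerts(log_text, count, seconds=30):
    """What the posted flags:S rule sees: one hit per connection."""
    return threshold_alerts(connection_starts(parse_failures(log_text)), count, seconds)

def failed_login_alerts(log_text, count, seconds=30):
    """What a log-based tool such as fail2ban sees: one hit per failed password."""
    hits = [(ts, src) for ts, src, _ in parse_failures(log_text)]
    return threshold_alerts(hits, count, seconds)

if __name__ == "__main__":
    log = build_sample_log()
    print("SYN rule, count 6/30s:", syn_rule_alerts(log, 6))        # never fires
    print("SYN rule, count 3/30s:", syn_rule_alerts(log, 3))
    print("failed logins, count 6/30s:", failed_login_alerts(log, 6))
```

With four connections per 30-second window the count-6 SYN rule never fires, the count-3 variant fires on the third connection of each window, and a rule keyed on failed passwords (12 per window) fires well inside the first window. That is the trade-off between the two approaches: the packet-level rule cannot see how many passwords were tried per connection, while a log-based counter cannot act before the first failures have already been logged.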
-
Hi, I am experiencing somewhat the same issues.
Installed the ClearCenter Rule Set
Last Update Mon Nov 10 21:33:46 2014
Rule Sets 41
Total Number of Rules 15973
But still not enough blockage on brute force attacks on ssh.
Ongoing and filling my security log:
Dec 31 16:51:59 firewall sshd[27393]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:51:59 firewall sshd[27393]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 31 16:52:00 firewall sshd[27468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:02 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:05 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:07 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:09 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:11 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:13 firewall sshd[27469]: Disconnecting: Too many authentication failures for root
Dec 31 16:52:13 firewall sshd[27468]: Failed password for root from 176.53.22.147 port 45394 ssh2
Dec 31 16:52:13 firewall sshd[27468]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:13 firewall sshd[27468]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 31 16:52:14 firewall sshd[27526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:16 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:18 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:20 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:21 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:24 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:27 firewall sshd[27526]: Failed password for root from 176.53.22.147 port 47993 ssh2
Dec 31 16:52:27 firewall sshd[27527]: Disconnecting: Too many authentication failures for root
Dec 31 16:52:27 firewall sshd[27526]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:27 firewall sshd[27526]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 31 16:52:28 firewall sshd[27601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:29 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:31 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:33 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:36 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:38 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:40 firewall sshd[27602]: Disconnecting: Too many authentication failures for root
Dec 31 16:52:40 firewall sshd[27601]: Failed password for root from 176.53.22.147 port 50539 ssh2
Dec 31 16:52:40 firewall sshd[27601]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Dec 31 16:52:40 firewall sshd[27601]: PAM service(sshd) ignoring max retries; 6 > 3
Dec 31 16:52:41 firewall sshd[27658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176-53-22-147.turkrdns.com user=root
Snort is running and gives some responses, but is definitely not looking for the above attacks.
Snortsam is blocking for sure:
Blocked List
IP Address       Security ID   Block Time
39.68.249.217    3100001       Wed Dec 31 15:54:44 2014
49.89.253.78     3100001       Wed Dec 31 06:28:16 2014
58.18.86.94      3100001       Wed Dec 31 16:22:16 2014
61.174.50.140    5000001       Tue Dec 30 17:30:56 2014
61.174.51.200    5000001       Tue Dec 30 23:14:47 2014
61.174.51.211    5000001       Wed Dec 31 11:09:17 2014
61.240.144.64    3100001       Tue Dec 30 19:43:48 2014
62.210.136.203   3100001       Wed Dec 31 05:16:33 2014
78.160.218.148   3100001       Tue Dec 30 23:14:11 2014
79.117.188.99    3100001       Wed Dec 31 06:45:37 2014
85.102.23.39     3100001       Wed Dec 31 08:10:53 2014
PS. The 5000001 rule is my own attempt to block those ssh attacks:
alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:5000001; rev:5; fwsam:src, 86400 seconds; )
Hope someone can help me out.
Br,
Wiljon