Brute force SSH attacks.

I have spoken to a good few people on the matter and one thing they consistently ask is “How do I know my server is under attack?”. It's simple really… if you keep a close eye (in Ubuntu at least) on /var/log/auth.log, you can see all login attempts on the system. Here is an example log of a brute force attack on my very own server…

Dec 7 01:30:02 phonebox sshd[14378]: Invalid user aleph from 60.19.28.27
Dec 7 01:30:02 phonebox sshd[14378]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:02 phonebox sshd[14378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:04 phonebox sshd[14378]: Failed password for invalid user aleph from 60.19.28.27 port 16699 ssh2
Dec 7 01:30:08 phonebox sshd[14461]: Invalid user pechantal from 60.19.28.27
Dec 7 01:30:08 phonebox sshd[14461]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:08 phonebox sshd[14461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:10 phonebox sshd[14461]: Failed password for invalid user pechantal from 60.19.28.27 port 17732 ssh2
Dec 7 01:30:14 phonebox sshd[14464]: Invalid user komtemp from 60.19.28.27
Dec 7 01:30:14 phonebox sshd[14464]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:14 phonebox sshd[14464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:16 phonebox sshd[14464]: Failed password for invalid user komtemp from 60.19.28.27 port 18807 ssh2
Dec 7 01:30:20 phonebox sshd[14466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27 user=root
Dec 7 01:30:22 phonebox sshd[14466]: Failed password for root from 60.19.28.27 port 19764 ssh2
Dec 7 01:30:54 phonebox sshd[14470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27 user=root
Dec 7 01:30:56 phonebox sshd[14470]: Failed password for root from 60.19.28.27 port 26354 ssh2
Dec 7 01:30:59 phonebox sshd[14473]: Invalid user test from 60.19.28.27
Dec 7 01:31:00 phonebox sshd[14473]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:00 phonebox sshd[14473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:01 phonebox sshd[14473]: Failed password for invalid user test from 60.19.28.27 port 27410 ssh2
Dec 7 01:31:05 phonebox sshd[14475]: Invalid user teste from 60.19.28.27
Dec 7 01:31:05 phonebox sshd[14475]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:05 phonebox sshd[14475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:07 phonebox sshd[14475]: Failed password for invalid user teste from 60.19.28.27 port 28724 ssh2
Dec 7 01:31:10 phonebox sshd[14477]: Invalid user teste from 60.19.28.27
Dec 7 01:31:10 phonebox sshd[14477]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:10 phonebox sshd[14477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:12 phonebox sshd[14477]: Failed password for invalid user teste from 60.19.28.27 port 29661 ssh2
Dec 7 01:31:15 phonebox sshd[14479]: Invalid user teste from 60.19.28.27
Dec 7 01:31:16 phonebox sshd[14479]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:16 phonebox sshd[14479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:18 phonebox sshd[14479]: Failed password for invalid user teste from 60.19.28.27 port 30627 ssh2
Dec 7 01:31:21 phonebox sshd[14482]: Invalid user pa$$w0rd from 60.19.28.27
Dec 7 01:31:22 phonebox sshd[14482]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:22 phonebox sshd[14482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:23 phonebox sshd[14482]: Failed password for invalid user pa$$w0rd from 60.19.28.27 port 31753 ssh2
Dec 7 01:31:26 phonebox sshd[14484]: Invalid user testing from 60.19.28.27
Dec 7 01:31:27 phonebox sshd[14484]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:27 phonebox sshd[14484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:28 phonebox sshd[14484]: Failed password for invalid user testing from 60.19.28.27 port 32702 ssh2
Dec 7 01:31:32 phonebox sshd[14486]: Invalid user tst from 60.19.28.27
Dec 7 01:31:32 phonebox sshd[14486]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:32 phonebox sshd[14486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:35 phonebox sshd[14486]: Failed password for invalid user tst from 60.19.28.27 port 33652 ssh2
Dec 7 01:31:38 phonebox sshd[14489]: Invalid user spam from 60.19.28.27
Dec 7 01:31:38 phonebox sshd[14489]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:38 phonebox sshd[14489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:40 phonebox sshd[14489]: Failed password for invalid user spam from 60.19.28.27 port 34704 ssh2

Now, there is a lot more activity in the log than this, but it should give the general idea of what to look out for: repeated “Invalid user” and “Failed password” lines from the same rhost, only a few seconds apart… If you happen to be lucky enough to have a MikroTik router, you can help slow or prevent this with some creative firewall rules. Here are the rules I am using for this, as provided in the MikroTik Wiki.

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
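As an added example (my own script, not code from the post or from the MikroTik Wiki), the following Python parses the “Failed password” lines from the auth.log excerpt above, which is the quickest way to answer the “how do I know” question, and then replays each failed login as one new connection to port 22 through the staged address lists the rules build, so you can see the source get blacklisted on its fourth connection inside the 1m windows. It assumes a year for the year-less syslog timestamps and that each failed login (separate sshd pid and source port) corresponds to one new TCP connection, which is what the rules actually match on.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: "Failed password" lines copied from the auth.log excerpt in
# the post. syslog omits the year, so 2008 is assumed purely to parse timestamps.
SAMPLE_LOG = """\
Dec 7 01:30:04 phonebox sshd[14378]: Failed password for invalid user aleph from 60.19.28.27 port 16699 ssh2
Dec 7 01:30:10 phonebox sshd[14461]: Failed password for invalid user pechantal from 60.19.28.27 port 17732 ssh2
Dec 7 01:30:16 phonebox sshd[14464]: Failed password for invalid user komtemp from 60.19.28.27 port 18807 ssh2
Dec 7 01:30:22 phonebox sshd[14466]: Failed password for root from 60.19.28.27 port 19764 ssh2
Dec 7 01:30:56 phonebox sshd[14470]: Failed password for root from 60.19.28.27 port 26354 ssh2
Dec 7 01:31:01 phonebox sshd[14473]: Failed password for invalid user test from 60.19.28.27 port 27410 ssh2
"""
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_failures(text, year=2008):
    """Return [(datetime, source ip, username)] for each failed SSH login."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

# Address lists and timeouts exactly as in the MikroTik rules above.
TIMEOUT = {"ssh_stage1": timedelta(minutes=1), "ssh_stage2": timedelta(minutes=1),
           "ssh_stage3": timedelta(minutes=1), "ssh_blacklist": timedelta(days=10)}
PROMOTE = [("ssh_stage3", "ssh_blacklist"), ("ssh_stage2", "ssh_stage3"),
           ("ssh_stage1", "ssh_stage2")]   # checked in the router's rule order

def simulate_staging(events):
    """Replay each failed login as one new TCP connection to port 22 (each has its
    own sshd pid/source port) and return {ip: time it was blacklisted}."""
    lists = {name: {} for name in TIMEOUT}          # list -> {ip: expiry}
    blacklisted = {}
    def active(name, ip, now):
        return ip in lists[name] and lists[name][ip] > now
    for now, ip, _user in events:
        if active("ssh_blacklist", ip, now):
            continue                                # rule 1: dropped outright
        nxt = next((dst for src, dst in PROMOTE if active(src, ip, now)), "ssh_stage1")
        lists[nxt][ip] = now + TIMEOUT[nxt]
        if nxt == "ssh_blacklist":
            blacklisted.setdefault(ip, now)
    return blacklisted

if __name__ == "__main__":
    for ip, when in simulate_staging(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip} blacklisted at {when:%H:%M:%S} (fourth new connection)")
```

Note that a source sitting in ssh_stage1 that waits more than a minute between connections never climbs the ladder, which is why the stages are short and only the final list is held for 10 days.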

Roll your Own: Wide Area Network (WAN) pt.2

Ok, so there hasn’t been all that much movement on this project as of yet, but I do have a lot of ideas for it and I am in the process of acquiring parts. At the minute, I have the following embedded boards to use:

  • PC Engines Alix .3C
  • PC Engines Wrap .1D
  • PC Engines Wrap .2C
  • PC Engines Wrap .1C
  • RB-532 (RouterBoard running MikroTik firmware)
  • RB-564 (Routerboard Expansion Module)

For storage, I have 5x 128MB CF cards and 1x 2GB CF card. I also have 3x PoE injectors (the quick and dirty kind), 3x CM9 radio cards, and 1x 27dBi omni-directional antenna for 2.4GHz (which, by the way, is awesome).

For servers, I still have PhoneBox, a 1.6GHz Intel Atom mini-ITX machine, and I am working on getting a new, shiny rackmount dual core 1.6GHz machine too, so that will be two servers for a start. I have also managed to acquire a racking case that’s 600mm deep and has the capacity for around 12U, although it is missing its front bezel rails – I’m fairly confident I can find them somewhere in work. I’m working on getting a new (2nd hand) patch panel to keep everything neat and tidy too.

Next on my list of things to do is to get a PSU built that can run all of this equipment with UPS functionality. I do have a 3A power plex box here that I also got from FWI, however it is not working at the moment; I believe it is the power FET that’s gone and it should be a simple chop & change replacement. Failing that, I will design an SLA charging circuit and feed the 12V supply from the transformer, and the 12V supply from the SLA bank, into a comparator for fast switching on a power cut. I would like to have a UPS that can maintain the routing infrastructure during an outage for 16-24 hours. As the (soon to be) two mini-ITX servers also run off 12V, I would like to have these included in the UPS scheme for a few reasons:

  1. A transformer at max efficiency can only be around 85%; fewer transformers (power blocks etc…) means less power lost and a smaller electricity bill.
  2. The servers will be running Linux, which in some (lots of) cases doesn’t like just having its power yanked.
  3. Everything will be in a centralised location (at least at my station) so it will mean less wiring.
  4. Everything can then be rackmounted, and there would only be a single mains feed.

I am currently trying to draw up a sufficient network topology plan, including wiring and subnetting, for my station to allow for easy management & high security. This also involves selecting what services will be provided on the network here – more on this later.

Roll your Own: Wide Area Network (WAN)

Thanks to my friends over at Fast Wireless Internet, I now have my own ISP grade wireless equipment. I will be using this (hopefully) to build a wireless link from my house in Dublin to my parents’ (and my mate’s) house in Laois. This is a wireless link of over 50km, so proper preparation is paramount. The main idea is to have two directional antennae on each site, one for TX and one for RX; coupled with this will be a standard (high gain) omni-directional for spread coverage of the surrounding area.

The main equipment that is going to be used is RouterBoards running the MikroTik (Linux based) operating system, 5.8GHz wireless cards and some high gain, narrow beam (~7°) dish style antennae. The house in Dublin will have an extended mounting post fixed to the roof, while the house in Laois already has access to a nice big shiny mast (and a wind turbine).

I’m also in the middle of working on some security features for this, y’know, wireless isn’t all that secure… so I will be using MAC filtering, WPA2, RADIUS and possibly passive IDS & network monitoring. The MikroTik will take care of the first two, but I’ll be implementing a pfSense system on a PC Engines Wrap.1D too.

In order to house all of this equipment, I will be building a small(ish) NOC or Network Operations Centre in my attic, and more than likely my mate will just add the new equipment to the NOC that’s already on his end. As a part of this NOC build, I will be making (meh, repairing) a 12V UPS and fitting it with some high Ah batteries, moving my mini-ITX to it, and building a custom PoE power distribution system.

All in all, it’s going to be a big, interesting project… I’ll keep you posted!