Linux: sshd auto blacklisting. Consigli?

[loric]

Questo dopo circa un'ora dall'installazione di pam_hblist sul mio server esposto ad Internet:

# pam_hblist -f /etc/pam_hblist/ssh.conf -lb
rhost: 222.186.56.XXX; num. of attempts: -; status: blocked; age: 0 days, 0 hours, 7 minutes, 50 seconds;
rhost: 58.218.204.XXX; num. of attempts: -; status: blocked; age: 0 days, 1 hours, 0 minutes, 59 seconds;
rhost: 58.218.204.YYY; num. of attempts: -; status: blocked; age: 0 days, 1 hours, 2 minutes, 45 seconds;
rhost: 61.160.212.XX; num. of attempts: -; status: blocked; age: 0 days, 0 hours, 17 minutes, 14 seconds;
rhost: 61.160.213.XXX; num. of attempts: -; status: blocked; age: 0 days, 0 hours, 44 minutes, 11 seconds;

Gli IP "cattivi", come da file di configurazione (vedi sotto), vengono bloccati su sshd per 3 giorni ed inseriti nella blacklist di iptables per 30 minuti:

debug=0
db_home=/var/lib/pam_hblist/sshd/
db_file=theblacklist
rules=  *:*:10/10m  *:root:10/6h *:*:50/2d
purge_time=3d
dry_run=0
user_whitelist=
user_blacklist=*:!lorenzo
exec_on_ban= for IP in ${PAMHBL_IPS}; do /usr/sbin/ipset add blacklist $IP -exist; logger "Added IP $IP to the iptables blacklist"   ;done; printf "Added the following host to PAM blacklist:\n%s\n%s\n\n----------------------------------------------" "${PAMHBL_RHOST}" "(${PAMHBL_IPS})" | mailx -r  "XXXXXXXXX@fastwebnet.it" -s "PAM Host Blacklist (${PAMHBL_SERVICE})" "XXXXXXX@fastwebnet.it" "XXXXXXXX@gmail.com" 
ip_blacklist=  
ip_whitelist=127.0.0.1 ::1 192.168.2.0/24

L'inserimento di un nuovo IP (recte hostname) in blacklist mi viene segnalato per email.

Niente vieta di inserire in "exec_on_ban=" percorso e nome di uno script bash (o un eseguibile di altro tipo), invece di ficcare tutti quei comandi in quella linea.

Modificato 13 Aprile 2015 da loric

[loric]

Aggiornamento dopo qualche giorno.

# pam_hblist -f /etc/pam_hblist/ssh.conf -lb 
rhost: 104.151.10.9; num. of attempts: -; status: blocked; age: 2 days, 1 hours, 28 minutes, 37 seconds; 
rhost: 117.21.191.196; num. of attempts: -; status: blocked; age: 2 days, 18 hours, 53 minutes, 39 seconds; 
rhost: 118.244.151.39; num. of attempts: -; status: blocked; age: 3 days, 1 hours, 1 minutes, 47 seconds; 
rhost: 118.34.104.204; num. of attempts: -; status: blocked; age: 2 days, 3 hours, 19 minutes, 38 seconds; 
rhost: 195-154-56-57.ggsmarket.net; num. of attempts: -; status: blocked; age: 2 days, 17 hours, 35 minutes, 8 seconds; 
rhost: 195.154.56.57; num. of attempts: -; status: blocked; age: 3 days, 17 hours, 50 minutes, 40 seconds; 
rhost: 202.120.163.144; num. of attempts: -; status: blocked; age: 1 days, 17 hours, 27 minutes, 24 seconds; 
rhost: 218.200.188.213; num. of attempts: -; status: blocked; age: 1 days, 22 hours, 58 minutes, 35 seconds; 
rhost: 221.229.160.223; num. of attempts: -; status: blocked; age: 1 days, 4 hours, 5 minutes, 16 seconds; 
rhost: 221.229.160.230; num. of attempts: -; status: blocked; age: 0 days, 1 hours, 54 minutes, 47 seconds; 
rhost: 221.229.160.241; num. of attempts: -; status: blocked; age: 2 days, 23 hours, 55 minutes, 12 seconds; 
rhost: 221.229.166.254; num. of attempts: -; status: blocked; age: 3 days, 19 hours, 26 minutes, 10 seconds; 
rhost: 221.229.166.27; num. of attempts: -; status: blocked; age: 3 days, 21 hours, 10 minutes, 24 seconds; 
rhost: 221.229.166.28; num. of attempts: -; status: blocked; age: 3 days, 12 hours, 40 minutes, 28 seconds; 
rhost: 221.229.166.29; num. of attempts: -; status: blocked; age: 4 days, 0 hours, 12 minutes, 51 seconds; 
rhost: 222.186.21.198; num. of attempts: -; status: blocked; age: 3 days, 12 hours, 14 minutes, 19 seconds; 
rhost: 222.186.21.209; num. of attempts: -; status: blocked; age: 1 days, 4 hours, 43 minutes, 58 seconds; 
rhost: 222.186.21.215; num. of attempts: -; status: blocked; age: 2 days, 13 hours, 26 minutes, 43 seconds; 
rhost: 222.186.21.217; num. of attempts: -; status: blocked; age: 2 days, 19 hours, 16 minutes, 48 seconds; 
rhost: 222.186.21.251; num. of attempts: -; status: blocked; age: 1 days, 15 hours, 17 minutes, 36 seconds; 
rhost: 222.186.51.228; num. of attempts: -; status: blocked; age: 3 days, 7 hours, 14 minutes, 29 seconds; 
rhost: 222.186.56.138; num. of attempts: -; status: blocked; age: 3 days, 20 hours, 44 minutes, 8 seconds; 
rhost: 222.186.58.131; num. of attempts: -; status: blocked; age: 3 days, 14 hours, 27 minutes, 18 seconds; 
rhost: 5.141.204.54; num. of attempts: -; status: blocked; age: 2 days, 3 hours, 20 minutes, 2 seconds; 
rhost: 5.56.24.5; num. of attempts: -; status: blocked; age: 3 days, 14 hours, 31 minutes, 49 seconds; 
rhost: 58.215.56.239; num. of attempts: -; status: blocked; age: 3 days, 15 hours, 38 minutes, 41 seconds; 
rhost: 58.218.199.49; num. of attempts: -; status: blocked; age: 3 days, 23 hours, 46 minutes, 35 seconds; 
rhost: 58.218.201.19; num. of attempts: -; status: blocked; age: 2 days, 20 hours, 26 minutes, 47 seconds; 
rhost: 58.218.201.22; num. of attempts: -; status: blocked; age: 3 days, 1 hours, 5 minutes, 47 seconds; 
rhost: 58.218.204.226; num. of attempts: -; status: blocked; age: 1 days, 7 hours, 36 minutes, 42 seconds; 
rhost: 58.218.204.241; num. of attempts: -; status: blocked; age: 1 days, 7 hours, 36 minutes, 42 seconds; 
rhost: 58.218.204.245; num. of attempts: -; status: blocked; age: 1 days, 7 hours, 36 minutes, 42 seconds; 
rhost: 58.218.204.248; num. of attempts: -; status: blocked; age: 1 days, 7 hours, 36 minutes, 42 seconds; 
rhost: 58.218.211.190; num. of attempts: -; status: blocked; age: 1 days, 2 hours, 9 minutes, 19 seconds; 
rhost: 58.218.213.212; num. of attempts: -; status: blocked; age: 3 days, 1 hours, 43 minutes, 26 seconds; 
rhost: 58.218.213.230; num. of attempts: -; status: blocked; age: 2 days, 3 hours, 20 minutes, 26 seconds; 
rhost: 60.173.26.16; num. of attempts: -; status: blocked; age: 1 days, 13 hours, 28 minutes, 18 seconds; 
rhost: 60.173.26.163; num. of attempts: -; status: blocked; age: 2 days, 20 hours, 12 minutes, 44 seconds; 
rhost: 61.132.161.130; num. of attempts: -; status: blocked; age: 0 days, 17 hours, 12 minutes, 34 seconds; 
rhost: 61.160.212.27; num. of attempts: -; status: blocked; age: 3 days, 17 hours, 42 minutes, 35 seconds; 
rhost: 61.160.213.190; num. of attempts: -; status: blocked; age: 3 days, 19 hours, 52 minutes, 38 seconds; 
rhost: 61.160.222.76; num. of attempts: -; status: blocked; age: 3 days, 18 hours, 34 minutes, 38 seconds; 
rhost: 77.241.93.81.static.hosted.by.combell.com; num. of attempts: -; status: blocked; age: 0 days, 9 hours, 58 minutes, 39 seconds; 
rhost: 78.153.211.168; num. of attempts: -; status: blocked; age: 0 days, 10 hours, 0 minutes, 17 seconds; 
rhost: 80.242.123.194; num. of attempts: -; status: blocked; age: 1 days, 7 hours, 31 minutes, 58 seconds; 
rhost: 95.211.45.68; num. of attempts: -; status: blocked; age: 0 days, 12 hours, 12 minutes, 48 seconds; 
rhost: bzq-222-186.red.bezeqint.net; num. of attempts: -; status: blocked; age: 0 days, 0 hours, 13 minutes, 17 seconds; 
rhost: host-194-183-86-150-static.telecomitalia.sm; num. of attempts: -; status: blocked; age: 2 days, 3 hours, 20 minutes, 51 seconds; 
rhost: ip-208-109-198-213.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 3 hours, 13 minutes, 59 seconds; 
rhost: ip-50-63-129-219.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 5 hours, 39 minutes, 11 seconds; 
rhost: ip-50-63-176-19.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 17 hours, 39 minutes, 7 seconds; 
rhost: ip-50-63-52-82.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 13 hours, 4 minutes, 43 seconds; 
rhost: ip-50-63-56-84.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 3 hours, 41 minutes, 28 seconds; 
rhost: ip-72-167-167-55.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 5 hours, 43 minutes, 14 seconds; 
rhost: ip-72-167-32-209.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 17 hours, 15 minutes, 12 seconds; 
rhost: ip-72-167-55-110.ip.secureserver.net; num. of attempts: -; status: blocked; age: 0 days, 1 hours, 4 minutes, 17 seconds; 
rhost: p3nlwpweb202.prod.phx3.secureserver.net; num. of attempts: -; status: blocked; age: 2 days, 3 hours, 20 minutes, 37 seconds; 
rhost: s102.n242.n6.n64.static.myhostcenter.com; num. of attempts: -; status: blocked; age: 0 days, 18 hours, 33 minutes, 28 seconds; 
rhost: s16381211.onlinehome-server.info; num. of attempts: -; status: blocked; age: 2 days, 10 hours, 34 minutes, 4 seconds; 

Tutti i tentativi di accesso hanno avuto come bersaglio la canonica porta 22. Ho un altro processo di sshd in ascolto sulla porta 22222 ma non se lo filano neanche di striscio.

Una buona percentuale di script che sono il cuore di questi attacchi si aspetta che sshd sia impostato con "PasswordAuthentication yes". Se lo si sostituisce con "ChallengeResponseAuthentication yes" vanno in crisi e chiudono la connessione prima ancora di forzare le credenziali di accesso. Ho avuto un unico caso di script che ha tentato di forzare la chiave pubblica, ma in maniera rozza e poco efficiente.

Il mio modulo protegge anche la porta 25 (SMTP) e 587 (Submission). Pur avendo registrato in questi giorni diversi tentativi di testare se il mio server di posta è configurato come open relay (ovviamente non lo è), non ho visto neanche un tentativo di autenticazione, per cui la blacklist relativa alla posta elettronica è ancora vuota.