pre-hack warnings (sshd)
Posted: 02 Nov 2009, 18:14
Hi Jonathan,
Back in the APF/BFD days, I had added an SSH block rule for /var/log/secure matching, e.g.:
Nov 1 09:36:27 mail sshd[30573]: Did not receive identification string from 61.185.130.226
That was always followed by invalid login attempts.
More recently, I have noticed that the following short term repeated disconnects also appear to warn of impending attack:-
Nov 1 11:18:11 mail sshd[12900]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:12 mail sshd[12904]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:13 mail sshd[12906]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:14 mail sshd[12909]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:15 mail sshd[12917]: Received disconnect from 72.1.143.130: 11: Bye Bye
...
Nov 1 11:18:26 mail sshd[12965]: Invalid user PlcmSpIp from 72.1.143.130
Nov 1 11:18:26 mail sshd[12966]: input_userauth_request: invalid user PlcmSpIp
Nov 1 11:18:26 mail sshd[12966]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:27 mail sshd[12972]: Invalid user PlcmSpIp from 72.1.143.130
Nov 1 11:18:27 mail sshd[12973]: input_userauth_request: invalid user PlcmSpIp
Nov 1 11:18:27 mail sshd[12973]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:27 mail sshd[12975]: Invalid user abcs from 72.1.143.130
Nov 1 11:18:27 mail sshd[12976]: input_userauth_request: invalid user abcs
Nov 1 11:18:27 mail sshd[12976]: Received disconnect from 72.1.143.130: 11: Bye Bye
Nov 1 11:18:28 mail sshd[12983]: Invalid user cgi-bin from 72.1.143.130
Nov 1 11:18:28 mail sshd[12985]: input_userauth_request: invalid user cgi-bin
I like the idea of proactive blocking. Could they be added to regex.pm?
I would add them to regex.custom.pm, but (a) I admit to being regexpically challenged, (b) I think that would increase the load time parsing the same file again, and (c) I believe that others might benefit.
Cheers!
Marty
eta: cPanel 11.24.5-R38506 - WHM 11.24.2 - X 3.9
CENTOS 5.4 i686 standard on mail
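Added example (not from the post, and not CSF's own regex.pm/regex.custom.pm code, whose exact rule interface is not shown here): a small Python detector that scans sshd lines from /var/log/secure for the two precursors described above. A "Did not receive identification string" line flags its source on the first hit, as the old APF/BFD rule did; "Received disconnect ... 11: Bye Bye" lines are only flagged once a threshold number of them arrive from one IP inside a sliding time window, since a single such disconnect is also what a harmless banner check or monitoring probe leaves behind. The log lines, the 2009 year (syslog timestamps carry no year) and the 192.0.2.10 address are constructed for the example; the threshold and window are assumed defaults, not CSF settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix as written by sshd: "Nov  1 11:18:11 mail sshd[12900]: <message>"
# (\s+ after the month accepts both syslog's padded "Nov  1" and a collapsed "Nov 1").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Precursor 1: client opened a TCP connection but never sent an SSH banner.
NO_IDENT_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)$")
# Precursor 2: client connected and immediately disconnected ("11: Bye Bye").
BYEBYE_RE = re.compile(r"^Received disconnect from (?P<ip>[^:\s]+): 11: Bye Bye$")

SYSLOG_YEAR = 2009  # assumption: syslog lines have no year, so one is fixed for parsing


def parse_ts(text):
    """Turn 'Nov  1 11:18:11' into a datetime (year supplied by SYSLOG_YEAR)."""
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def find_precursors(lines, threshold=5, window_seconds=10):
    """Return {ip: reason} for source IPs whose sshd lines match a pre-attack pattern.

    threshold / window_seconds are assumed defaults: flag an IP once it has
    produced `threshold` 'Bye Bye' disconnects within any `window_seconds` span.
    """
    flagged = {}
    recent = defaultdict(deque)  # ip -> timestamps of its recent 'Bye Bye' disconnects
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        ts = parse_ts(m.group("ts"))
        msg = m.group("msg")

        n = NO_IDENT_RE.match(msg)
        if n:
            flagged.setdefault(n.group("ip"), "no identification string")
            continue

        b = BYEBYE_RE.match(msg)
        if b:
            ip = b.group("ip")
            q = recent[ip]
            q.append(ts)
            # Drop timestamps that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, f"{len(q)} disconnects in {window_seconds}s")
    return flagged


# Constructed sample modelled on the lines quoted in the post; 192.0.2.10 is a
# made-up (documentation-range) client that disconnects once and is not flagged.
SAMPLE_LOG = [
    "Nov  1 09:36:27 mail sshd[30573]: Did not receive identification string from 61.185.130.226",
    "Nov  1 10:02:40 mail sshd[31020]: Received disconnect from 192.0.2.10: 11: Bye Bye",
    "Nov  1 11:18:11 mail sshd[12900]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:12 mail sshd[12904]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:13 mail sshd[12906]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:14 mail sshd[12909]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:15 mail sshd[12917]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:26 mail sshd[12965]: Invalid user PlcmSpIp from 72.1.143.130",
    "Nov  1 11:18:26 mail sshd[12966]: input_userauth_request: invalid user PlcmSpIp",
    "Nov  1 11:18:26 mail sshd[12966]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:27 mail sshd[12972]: Invalid user PlcmSpIp from 72.1.143.130",
    "Nov  1 11:18:27 mail sshd[12973]: input_userauth_request: invalid user PlcmSpIp",
    "Nov  1 11:18:27 mail sshd[12973]: Received disconnect from 72.1.143.130: 11: Bye Bye",
    "Nov  1 11:18:27 mail sshd[12975]: Invalid user abcs from 72.1.143.130",
    "Nov  1 11:18:27 mail sshd[12976]: input_userauth_request: invalid user abcs",
    "Nov  1 11:18:27 mail sshd[12976]: Received disconnect from 72.1.143.130: 11: Bye Bye",
]

if __name__ == "__main__":
    for ip, reason in find_precursors(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

Running the script flags 61.185.130.226 on its single banner-less connection and 72.1.143.130 on its fifth disconnect within ten seconds, well before the "Invalid user" lines that a normal failed-login rule would catch; the lone disconnect from 192.0.2.10 is ignored. Raising the threshold to 6 shows the window at work: the five early disconnects have aged out by the time the later ones arrive, so that IP is no longer flagged on disconnects alone. Whatever tool consumes the result (CSF's custom rules, a firewall script), a temporary block with an expiry is the sensible action for a precursor signal, since the evidence is weaker than an actual failed authentication.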