How to get PF and sshguard to stop this guy?

aurora72, I used to use everything here to try to get rid of persistent IPs, but there are occasions where nothing whatsoever will work. Yesterday, while thinking about your post, I was trying to close a connection for an IP using XP TCPView. Then I noticed that it was in TIME_WAIT and I could not close it. Ten years and I never thought that deeply about it. We have no choice but to bring the interface down, THEN wait, OR drop the connection immediately using pfctl with a double -k. I think a scrub or sysctl.conf setting can help. Other than that I'm all ears.
 
After one measly comment, here they come again. Bottom line: changing the port number is the first and/or final option. Everything else seems to be a matter of taste, but blacklistd rides deeper; however, I found no log file with the list of blocked IPs.

. . . And for the bruteforceblocker, it is the only agent among the three (sshguard, blacklistd & bruteforceblocker), as far as I know for now, that has a list of blacklisted IP addresses that exploit/attack other machines. ....
There it is. Logging. If I were working in the field I would have been fired. How did I miss that? I think blacklistd spoiled me, but it has no logging, and after a reboot it seems whatever was there is now gone. But something somewhere still seems to be working.

Anyway, one or more of them has GOT to be in place. Now that I've seen it all, except death to the node itself, it's time to get my ssh keys working. I realize that all I can ever do is keep an eye on the logs and rotate the ssh port number when needed. That's cool by me; maybe I can tell it to call me or something before crunch time using a script.

Code:
Mar 21 22:26:02 order sshd[6586]: Did not receive identification string from 77.72.83.21
Mar 21 22:26:03 order sshd[6587]: Bad protocol version identification '\003' from 77.72.
Mar 21 22:26:05 order sshd[6588]: Bad protocol version identification '\003' from 77.72.
Mar 22 07:10:03 order sshd[7315]: Did not receive identification string from 71.6.146.18
Mar 22 07:10:03 order sshd[7316]: Connection closed by 71.6.146.185 port 41236 [preauth]
Mar 22 07:10:03 order sshd[7318]: Connection closed by 71.6.146.185 port 41348 [preauth]
Mar 22 07:44:02 order sshd[7344]: Address 191.102.120.201 maps to azteca-comunicaciones.
Mar 22 07:44:02 order sshd[7344]: User root from 191.102.120.201 not allowed because not
Mar 22 07:44:02 order sshd[7344]: user NOUSER login class  [preauth]
Mar 22 07:44:03 order last message repeated 5 times
Mar 22 07:44:03 order sshd[7344]: error: maximum authentication attempts exceeded for in
Mar 22 07:44:03 order sshd[7344]: Disconnecting invalid user root 191.102.120.201 port 9
Mar 22 11:49:58 order sshd[7554]: Invalid user admin from 123.59.182.194 port 37803
Mar 22 11:49:58 order sshd[7554]: user NOUSER login class  [preauth]
Mar 22 11:49:59 order last message repeated 5 times
Mar 22 11:49:59 order sshd[7554]: error: maximum authentication attempts exceeded for in
Mar 22 11:49:59 order sshd[7554]: Disconnecting invalid user admin 123.59.182.194 port 3

I flush the log, then they're gone. No more attempts for the rest of the day, at a minimum, is what I get.

Thanks for all
 
Hello

I run sshd, and to keep intruders off I activated PF like this:

pf.conf:
Code:
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

/etc/pf.anchors/emerging-threats:
Code:
table <emerging_threats> persist file "/etc/emerging-block-ips.txt"
block log from <emerging_threats> to any
Whenever a new intruder comes up I add its IP to the .txt, and so far so good, but today the IP 59.63.166.104 defeated PF, i.e. though it's in the block IPs .txt file, it still keeps on intruding on the server like so:

20.03.2018 16:01:12,879 sshd: error: PAM: authentication error for root from 59.63.166.104 via 192.168.1.120

What should I do in that case?

You should be able to do something like this.

Code:
#!/bin/sh
# add_threat: put the address into the running emerging_threats table and
# kill the states it already has, so the block takes effect immediately
pfctl -t emerging_threats -T add "$1" && pfctl -k "$1"

and run ./add_threat 59.63.166.104 to add it to the table and kill its states (no reload required).

Add something like 0 2 * * * root /sbin/pfctl -q -t emerging_threats -T show > /etc/emerging-block-ips.txt to your crontab to save off the table nightly. You can also do an expiration via crontab if you have any desire to age them out.

If you go this route, you don't need to have the separate anchor file; just put those directives into pf.conf (unless you like the separation for other reasons.)
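The two things the thread has been circling, the sshd log noise in the first post and aurora72's address that keeps coming despite being in the .txt, fit in one script. What follows is an added example and not code from the thread or from FreeBSD; it assumes the table name emerging_threats from aurora72's anchor file, keeps pfctl in dry-run mode (it prints the commands) until DRY_RUN=0, and uses constructed sample log lines with RFC 5737 addresses. Two points it bakes in: editing the file on disk does nothing until pf reloads the table, so the script talks to the running table with pfctl -T add; and pf only evaluates its rules for the packet that creates a state, so an attacker with a live state keeps talking until pfctl -k kills it. One thing to check by hand: pf uses the last matching rule unless a rule says quick, so a pass in ... port 22 that comes after the anchor in pf.conf overrides block log from <emerging_threats>; give the block rule quick or order it last.

```shell
#!/bin/sh
# add_threat.sh: added example, not code from the thread or from FreeBSD.
# Counts sshd failures per source address, adds repeat offenders to the
# running pf table and kills their states. Every name below is an
# assumption; override it in the environment.
TABLE=${TABLE:-emerging_threats}   # table from aurora72's anchor file
ANCHOR=${ANCHOR:-}                 # "emerging-threats" if the table stays in the anchor
FILE=${FILE:-/etc/emerging-block-ips.txt}
THRESHOLD=${THRESHOLD:-3}          # hits before an address is blocked
PFCTL=${PFCTL:-/sbin/pfctl}
DRY_RUN=${DRY_RUN:-1}              # 1 = print pfctl commands, 0 = run them

# Reads a log on stdin, prints "count ip" for every address with at least
# THRESHOLD failed/junk login lines. The address after "from" is preferred
# so "... from A via B" (aurora72's line) credits A and not the NAT box B.
# syslog's "last message repeated N times" lines are not expanded.
offenders() {
    awk -v min="$THRESHOLD" '
        BEGIN {
            ipre = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"
            bad = "Invalid user|authentication (attempts exceeded|error)|identification string|protocol version|not allowed because|Disconnecting invalid user"
        }
        /sshd(\[[0-9]+\])?:/ && $0 ~ bad {
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from" && i < NF && $(i + 1) ~ ipre) { ip = $(i + 1); break }
                if (ip == "" && $i ~ ipre) ip = $i
            }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Run pfctl, or only print the command line when DRY_RUN=1.
run_pfctl() {
    if [ "$DRY_RUN" = 1 ]; then echo "$PFCTL $*"; else "$PFCTL" "$@"; fi
}

# Table operations need -a when the table lives inside an anchor.
table_cmd() {
    if [ -n "$ANCHOR" ]; then run_pfctl -a "$ANCHOR" -t "$TABLE" "$@"
    else run_pfctl -t "$TABLE" "$@"; fi
}

# Only a dotted quad reaches pfctl; a crafted log line is not an argument.
valid_ip4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Add to the running table (no ruleset reload) and kill the states the
# address already holds in both directions; pf only evaluates rules for
# the packet that creates a state, so a live state outlives the block.
block_ip() {
    valid_ip4 "$1" || { echo "block_ip: refusing '$1'" >&2; return 1; }
    table_cmd -T add "$1"
    run_pfctl -k "$1"                 # states opened by the attacker
    run_pfctl -k 0.0.0.0/0 -k "$1"    # states towards the attacker
}

# Write the running table back to the file pf loads it from (cron this
# nightly, as gkontos suggests, so entries survive a reboot).
persist_table() {
    if [ "$DRY_RUN" = 1 ]; then table_cmd -T show
    else table_cmd -T show > "$FILE"; fi
}

# Constructed sample log with RFC 5737 addresses; not from the thread's host.
sample_log() {
    cat <<'EOF'
Mar 22 11:49:58 order sshd[7554]: Invalid user admin from 203.0.113.5 port 37803
Mar 22 11:49:58 order sshd[7554]: user NOUSER login class  [preauth]
Mar 22 11:49:59 order sshd[7554]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 37803 ssh2 [preauth]
Mar 22 11:49:59 order sshd[7554]: Disconnecting invalid user admin 203.0.113.5 port 37803: Too many authentication failures [preauth]
Mar 22 12:03:10 order sshd[7601]: Invalid user oracle from 203.0.113.5 port 40210
Mar 22 12:10:02 order sshd[7622]: Did not receive identification string from 198.51.100.7
Mar 22 12:30:41 order sshd[7640]: Bad protocol version identification '\003' from 198.51.100.7 port 51022
Mar 22 13:01:00 order sshd[7702]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
EOF
}

# Usage:  sh add_threat.sh demo                         (dry run over sample_log)
#         DRY_RUN=0 sh add_threat.sh /var/log/auth.log   (really block)
main() {
    offenders | while read -r count ip; do
        echo "# $ip: $count hits"
        block_ip "$ip"
    done
}
case "${1:-}" in
    demo) sample_log | main ;;
    "")   ;;
    *)    main < "$1" ;;
esac
```

With the sample log, only 203.0.113.5 crosses the threshold (four hits; the two junk-banner lines from 198.51.100.7 stay below it), and the dry run prints the three pfctl lines that would be executed for it. Set ANCHOR=emerging-threats if you keep the table inside the anchor file rather than moving it into pf.conf as gkontos suggests.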
 
Everything else seems to be a matter of taste, but blacklistd rides deeper; however, I found no log file with the list of blocked IPs.
blacklistctl dump -d:
Code:
root@maelcum:~ # blacklistctl dump -d
        address/ma:port id      nfail   last access
  45.40.138.145/32:22           1/3     2018/03/26 15:47:04
    68.34.7.131/32:22           1/3     2018/03/27 02:12:19
   5.196.65.134/32:22           1/3     2018/03/27 09:52:50
 80.254.122.201/32:22           1/3     2018/03/26 13:27:59
  97.74.232.159/32:22           1/3     2018/03/26 10:52:08
 220.245.146.47/32:22           1/3     2018/03/26 16:07:17
 124.124.99.216/32:22           1/3     2018/03/27 07:12:49
 114.241.199.75/32:22           1/3     2018/03/26 11:21:40
 49.156.148.212/32:22           1/3     2018/03/26 15:27:06
 131.72.216.146/32:22           1/3     2018/03/26 17:12:18
 75.136.156.134/32:22           1/3     2018/03/27 00:41:16
 103.200.22.113/32:22           2/3     2018/03/26 11:21:59
  123.21.107.27/32:22           1/3     2018/03/26 15:33:47
  46.105.20.171/32:22           1/3     2018/03/27 01:48:56
 161.139.115.25/32:22           1/3     2018/03/27 08:39:15
   13.124.92.51/32:22           1/3     2018/03/27 09:06:32
 210.121.196.10/32:22           1/3     2018/03/26 17:02:24
  82.211.44.200/32:22           1/3     2018/03/26 21:06:10
 110.10.174.179/32:22           1/3     2018/03/27 08:01:42
 14.207.167.214/32:22           1/3     2018/03/26 15:34:00
167.249.224.154/32:22           1/3     2018/03/27 03:44:58
125.212.228.165/32:22           1/3     2018/03/27 10:08:41
   89.27.251.12/32:22           1/3     2018/03/26 21:10:43
  193.70.90.250/32:22           1/3     2018/03/27 01:06:08
 202.54.249.131/32:22           1/3     2018/03/26 20:38:49
125.212.249.115/32:22           1/3     2018/03/26 16:31:31
 219.148.149.90/32:22           1/3     2018/03/26 20:57:31
  193.70.46.201/32:22           1/3     2018/03/27 08:04:12
   54.37.17.179/32:22           1/3     2018/03/26 13:41:32
 195.53.115.116/32:22           1/3     2018/03/27 08:01:51
 109.92.176.135/32:22           1/3     2018/03/26 12:39:00
181.111.193.251/32:22           1/3     2018/03/26 15:16:58
 162.105.92.153/32:22           1/3     2018/03/26 19:09:09
 211.72.203.250/32:22           1/3     2018/03/27 05:34:11
 180.101.145.87/32:22           1/3     2018/03/26 22:42:44
 180.250.19.128/32:22           1/3     2018/03/27 08:16:22
 217.112.91.190/32:22           1/3     2018/03/27 02:42:07
203.198.158.147/32:22           1/3     2018/03/27 06:46:46
   187.64.128.7/32:22           1/3     2018/03/27 08:01:15
 114.221.101.15/32:22           1/3     2018/03/26 15:34:13
175.117.145.239/32:22           1/3     2018/03/26 17:21:17
   43.242.84.52/32:22           1/3     2018/03/26 18:03:16
   221.146.5.81/32:22           1/3     2018/03/26 18:42:27
128.199.138.212/32:22           1/3     2018/03/27 00:32:30
 61.220.209.219/32:22           1/3     2018/03/27 02:29:41
 35.160.134.253/32:22           1/3     2018/03/26 13:09:32
 60.250.168.200/32:22           1/3     2018/03/27 03:37:16
103.231.218.254/32:22           1/3     2018/03/27 04:08:23
 216.245.215.98/32:22           1/3     2018/03/27 08:20:07
   138.68.7.146/32:22           1/3     2018/03/26 21:30:48
   139.99.119.2/32:22           1/3     2018/03/27 02:19:35
  94.102.60.135/32:22           1/3     2018/03/27 08:12:54
183.203.220.234/32:22           1/3     2018/03/26 17:42:08
  46.32.104.210/32:22           1/3     2018/03/26 22:37:04
   85.199.232.4/32:22           1/3     2018/03/27 06:48:55
 41.223.142.211/32:22           1/3     2018/03/26 19:50:28
  182.61.42.204/32:22           1/3     2018/03/27 02:33:35
 120.92.142.135/32:22           2/3     2018/03/27 03:20:23
 201.147.183.55/32:22           1/3     2018/03/26 10:50:56
  193.70.85.206/32:22           1/3     2018/03/26 17:44:53
 180.168.36.170/32:22           1/3     2018/03/26 17:57:45
  218.38.121.17/32:22           1/3     2018/03/27 08:44:07
  61.82.251.224/32:22           1/3     2018/03/27 08:51:53
 210.187.25.165/32:22           1/3     2018/03/26 11:38:44
   103.26.14.92/32:22           1/3     2018/03/26 16:39:52
   41.138.51.69/32:22           1/3     2018/03/26 18:39:41
   5.135.161.94/32:22           1/3     2018/03/26 18:50:59
 110.10.189.182/32:22           1/3     2018/03/26 23:16:12
   14.23.77.154/32:22           1/3     2018/03/26 12:05:17
 218.147.99.252/32:22           1/3     2018/03/26 14:21:49
  54.37.139.198/32:22           1/3     2018/03/26 18:30:28
  123.20.53.104/32:22           1/3     2018/03/27 03:44:51
  103.27.239.27/32:22           1/3     2018/03/27 05:45:14
 188.165.68.135/32:22           1/3     2018/03/27 09:37:50
   93.99.147.90/32:22           1/3     2018/03/27 10:30:17
 175.139.146.66/32:22           1/3     2018/03/26 11:37:21
  82.200.205.71/32:22           1/3     2018/03/26 14:00:04
   45.65.140.20/32:22           1/3     2018/03/26 15:07:23
 203.217.56.210/32:22           1/3     2018/03/26 15:57:11
 125.212.248.37/32:22           1/3     2018/03/26 20:18:44
 138.68.149.171/32:22           1/3     2018/03/27 01:27:35
113.162.168.211/32:22           1/3     2018/03/27 03:45:08
  121.28.142.44/32:22           1/3     2018/03/26 10:34:26
  211.23.154.14/32:22           1/3     2018/03/26 17:02:02
159.203.191.201/32:22           1/3     2018/03/27 02:42:08
  69.162.101.38/32:22           1/3     2018/03/27 07:42:27
  213.58.172.26/32:22           1/3     2018/03/26 20:16:36
  91.121.77.149/32:22           1/3     2018/03/26 17:57:03
  81.149.95.177/32:22           1/3     2018/03/26 22:31:34
 
SirDice, I know how to use the blacklistd dump command; I'd just like to know where that list is kept. It seems that it's inside the kernel, because I can't find it anywhere. SSHGuard has its list in /var/db/sshguard. According to the docs, the way FreeBSD's blacklistd works has got to be the strongest of them all; however, here is a part of my list that shows where something went wrong: it missed. It makes me think that although SSHGuard works at a higher level, it doesn't miss. I also noticed that I've only been running blacklistd; I forgot to include SSHGuard but thought I had it running. Question: Is it possible to run both blacklistd and sshguard?
Code:
192.169.155.230/32:22           1/3     2018/03/21 20:47:57
92.222.119.202/32:22           1/3     2018/03/21 18:35:53
  103.26.99.120/32:22           1/3     2018/03/21 17:49:03
   14.23.77.154/32
211.72.203.250/32:22           1/3     2018/03/21 02:55:32
190.147.88.247/32:22           1/3     2018/03/21 22:45:08
  178.22.48.137/32:22           1/3     2018/03/21 13:28:53

About something else: since those last few hits I posted above I never got hit again, so I commented out this line the same day, and IIRC I still did not get hit, or if I did it was few and far between, like 36 hours for one. The reason I removed this rule is that I was asked why I would even want to open up the ssh port to the world. Even today, it's still commented out.

I'm guessing that this solved the problem? If so, that could be the reason why I didn't get any more hits. I should have written something down as a reminder; I did that for everything else.
Code:
# # # pass in quick on $_nic proto tcp from any to any port 22

Anyway, I figure I'll keep everything in place just in case I want to peep in on it in the future for some reason, such as rechecking those moves. THEN what I did was change the port number, and now I know for sure . . . me and my auth.log are so lonely. I get bored of seeing nothing every day. I forgot the reason for ordering the VPS in the first place.

So, for contentment until I get fired up again, I'm reading SSH(1) until I can recite it. Right now it's scary! Until I know why to tamper with or disable hosts.equiv, rhosts and the rlogin/rsh protocol, I'm going to stick with using a super strong password until I know how to divide and use keys at home and a password at the library. I see now SSH(1) is no play toy. You have to read it at least 15x to get it half right, and that is what I'm going to do.

So to sum it all up, changing ports WON .. but blacklistd without the pass-out rule seems to keep on working, or ssh just got shut down in the foreground or something. Maybe they are all working together, because I have TOTAL silence to date. Not even a port scan.

Here is a non-exhaustive list of blacklisted IP addresses by bruteforceblocker.
Lamia, I ended up with more than half of that list. It's not as large as I thought. No offence, but I've heard about all of those oriental countries trying to hack the world, but Vietnam? That takes the cake. Maybe we're doing the same to them, but how am I supposed to know. Or maybe not, because no one can ... Ahaa, they've got the Great Firewall.
 
No offence, but I've heard about all of those oriental countries trying to hack the world, but Vietnam?
Most of these aren't "hackers" trying to break in. They've been infected with malware and it's the malware that does the scanning. The owners of those systems are most likely not even aware of it.

Or maybe not because no one can ... Ahaa, they got the Great Firewall.
Looking at the huge list of IP ranges belonging to ChinaNet that I block, that Great Firewall isn't doing much.
If you're interested, this is the list, I don't have Chinese visitors on my site so it's not an issue for me to block them preemptively.

Code:
chinanet="{119.28.0.0/16,117.21.0.0/16,202.109.128.0/28,183.0.0.0/18,222.186.0.0/10,111.72.0.0/12,220.175.0.0/16,220.176.0.0/16,220.177.0.0/16,115.239.248.0/24,218.56.0.0/14,61.153.104.0/24,61.153.105.0/24,1.93.0.0/16,211.142.128.0/17,144.0.0.0/16,111.0.0.0/10,221.228.0.0/14,116.52.0.0-116.55.255.255,59.44.0.0-59.47.255.255,221.192.0.0/14}"
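SirDice's list is a macro, and pf expands a list in a rule into one rule per entry at load time. The same addresses in a table are a single radix lookup, can be loaded from a file with persist file, and can be swapped with pfctl -T replace without reloading the ruleset; the catch is that a table entry is a prefix, so the a.b.c.d-e.f.g.h ranges in the macro have to become CIDR blocks first. The script below is an added example and not code from the thread; the embedded list is a constructed three-entry subset of SirDice's in the same syntax, and the file path and table name are assumptions.

```shell
#!/bin/sh
# pf_table_from_list.sh: added example, not code from the thread.
# Converts a pf macro body of prefixes and a.b.c.d-e.f.g.h ranges into
# table-file lines, one CIDR prefix per line (tables hold prefixes only).
# Needs 64-bit shell arithmetic (FreeBSD sh, dash and bash all have it).

# Dotted quad <-> unsigned integer.
ip2int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) ); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# Minimal CIDR cover of start..end inclusive: at each step take the
# largest block that is aligned at start and does not overshoot end.
range2cidr() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "range2cidr: $1 is above $2" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=32
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))                      # next larger block
            [ $(( start % size )) -eq 0 ] || break            # not aligned there
            [ $(( start + size - 1 )) -le "$end" ] || break   # would overshoot
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

# stdin: a macro body like {a/n,b-c,d} or one entry per line.
# stdout: one prefix per line, ready for a pf table file.
to_table() {
    tr ',' '\n' | tr -d '{} \t"' | while IFS= read -r entry; do
        case $entry in
            "")  ;;
            *-*) range2cidr "${entry%-*}" "${entry#*-}" ;;
            */*) echo "$entry" ;;
            *)   echo "$entry/32" ;;
        esac
    done
}

# Constructed three-entry subset of SirDice's macro, same syntax.
sample_list() {
    echo '{119.28.0.0/16,116.52.0.0-116.55.255.255,59.44.0.0-59.47.255.255}'
}

# Usage: sh pf_table_from_list.sh demo > /etc/pf.chinanet.txt   then in pf.conf
#   table <chinanet> persist file "/etc/pf.chinanet.txt"
#   block in quick on $_nic from <chinanet>
# and after editing the file:  pfctl -t chinanet -T replace -f /etc/pf.chinanet.txt
case "${1:-}" in
    demo) sample_list | to_table ;;
    -)    to_table ;;
esac
```

Both ranges in the sample happen to be aligned /14 blocks, so each becomes a single line; an unaligned range such as 10.0.0.1-10.0.0.4 is split into 10.0.0.1/32, 10.0.0.2/31 and 10.0.0.4/32, which is the smallest set of prefixes a table can hold for it.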
 
Thanks SirDice, the quicker I get off my ridiculous theories the better, but now I know the facts. I just checked top and I noticed that pflogd and blacklistd are as active as he*l, exchanging chances to hit the top of the list pretty darn fast. Something's going on, and syslogd is in the mix too. I'd better reboot so I can monitor resource usage for the next few days. It's good to have two nodes to play with. I've got enough faith to turn off pf and/or blacklistd logging if need be, because I know darn well it's working.

edit: I'll take that back. PF and blacklistd are empty. It's just expecting. The port change must be in control.
 
In addition to what gkontos said: do you really need your SSH port to be publicly open?

I also can't help wondering what authentication method you're using; don't tell me you rely on usernames / passwords? ;) Because that's basically a kiddie magnet in itself: it gives the kiddiots the idea that all they have to do is put in enough guesses in order to eventually get somewhere. Authenticate by keys and the whole thing becomes much less appealing.

See, there's another problem with your current setup: you're also opening yourself up for a rather easy DoS attack. If they poke often enough then they could even put some extra unwanted pressure on your system because SSHGuard might be doing its best to keep up.

All in all it's not worth the effort, and only a nuisance best removed. If you only log onto the server from specific locations, then block the whole thing and open it up for only those IPs. If you need public access, follow gkontos' advice and, most of all: don't rely on usernames / passwords.
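Two of ShelLuser's three points (keys instead of passwords, no root logins; the third, exposing port 22 only to known sources, is a pf rule) are sshd_config settings and can be checked mechanically. The script below is an added example and not code from the thread or from OpenSSH; the two config samples are constructed, and the "stock" defaults it assumes are upstream OpenSSH's, which is why it also accepts the output of sshd -T, the effective configuration for the build actually installed. Two sshd_config details it relies on: the first uncommented occurrence of a keyword wins, and PasswordAuthentication no alone is not enough on a PAM system, because ChallengeResponseAuthentication yes still lets PAM prompt for the same password over keyboard-interactive.

```shell
#!/bin/sh
# sshd_audit.sh: added example, not code from the thread or from OpenSSH.
# Reads an sshd_config (or `sshd -T` output) on stdin and reports the
# login settings that ShelLuser's advice turns on.

# Effective value of one keyword, config on stdin. sshd_config is
# first-match: the first uncommented occurrence wins, keywords are
# case-insensitive, and everything after the first "Match" line is
# conditional, so the scan stops there. "Key=value" spelling is not parsed.
effective() {   # effective <keyword> <default-if-absent>
    v=$(awk -v k="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ')
    echo "${v:-$2}"
}

# keyword:wanted:assumed-default. Defaults are upstream OpenSSH values;
# `sshd -T` shows the real ones for the build on the host.
# ChallengeResponseAuthentication matters because with UsePAM yes it lets
# PAM prompt for the same password over keyboard-interactive even when
# PasswordAuthentication is no.
CHECKS="PubkeyAuthentication:yes:yes
PasswordAuthentication:no:yes
ChallengeResponseAuthentication:no:yes
PermitRootLogin:no:prohibit-password"

# Prints one OK/WEAK line per check; exit status 1 if anything is WEAK.
audit_sshd() {
    cfg=$(cat)
    report=$(printf '%s\n' "$CHECKS" | while IFS=: read -r key want def; do
        have=$(printf '%s\n' "$cfg" | effective "$key" "$def")
        if [ "$have" = "$want" ]; then echo "OK   $key $have"
        else echo "WEAK $key $have (want $want)"; fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^WEAK'
}

# Constructed samples. The weak one is a stock file after a careless edit:
# PasswordAuthentication only commented out (default stays yes), root
# allowed, and a "PasswordAuthentication no" that sits under Match and so
# applies to alice alone.
weak_config() {
    cat <<'EOF'
Port 2222
#PasswordAuthentication no
PermitRootLogin yes
Match User alice
    PasswordAuthentication no
EOF
}
hardened_config() {
    cat <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice
Match User alice
    PasswordAuthentication yes
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
#        sshd -T | sh sshd_audit.sh -
#        sh sshd_audit.sh demo          (both samples)
case "${1:-}" in
    demo) echo "== weak";     weak_config | audit_sshd
          echo "== hardened"; hardened_config | audit_sshd ;;
    -)    audit_sshd ;;
    "")   ;;
    *)    audit_sshd < "$1" ;;
esac
```

On the weak sample the report flags PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin and exits 1; the hardened sample passes even though it turns passwords back on for alice under Match, because that block is conditional and is exactly what a per-user exception should look like. Run it against sshd -T rather than the file when you want the defaults your build actually compiled in.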


In my last few posts I've been trying to figure out what was actually blocking ssh attacks, since I was trying nearly everything here at once. Yesterday, it hit me. When to use? What to use? And why? ShelLuser already told me! OK, I'll get ssh-keygen working later.

For home access only: you HAVE to, or should, change the port number .. then add the THIRD well-known pf rule below. Since I don't yet own a static IP for home, this command is using my provider's (Comcast) IP. I thought I had to make my local IP work. Now I wonder if this could be another security issue, being inside the provider's pool and not fully direct? Pure PF to the rescue.

Code:
_nic   =  "em0"
## anchor "blacklistd/*" in on $_nic

# ########################################################################################
pass in quick on $_nic inet proto tcp from 11.22.33.44 to $_nic port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 11.22.33.44"
# ########################################################################################

  pass in quick on $_nic inet proto icmp all icmp-type echoreq
# pass in quick on $_nic proto tcp from any to $_nic port 2222

Thanks for this super crash course in networking+.

Over and out!
 