[XCSSA] Logging & dynamic firewall program(s)
xcssa@xcssa.org
22 Oct 2007 13:13:48 -0500
Yea,
I thought about using DenyHosts. But that program is only for SSH. And
I'm not having a problem with SSH.
About a year or so ago - I got tired of all the SSH hack attempts on all
our servers (well over 20 Linux boxes). Since I control the routers too
-- I put in a block for TCP port 22. Now, NOTHING gets in on that port
unless it's from my home IP.
I use my network monitoring server and run SSH on a weird, high port.
That allows me to get into the network from anywhere on the net, and I
just jump to the box I need from that server.
Most of the hacks I'm dealing with these days are FTP and POP3. The
same authentication module controls them as SSH and it breaks with a
sustained hack attempt. So, I'd like to put some dynamic firewall
package in place while waiting on the fix to the authentication module.
Thanks for the suggestion.
Chuck
On Mon, 2007-10-22 at 12:43, xcssa-admin@xcssa.org wrote:
Chuck, on our outward facing servers for the dictionary SSH attacks, I
use DenyHosts.
On 22 Oct 2007 12:26:57 -0500, xcssa-admin@xcssa.org
<xcssa-admin@xcssa.org> wrote:
>
> Hi everyone,
>
> I believe I remember some people on this list talking about a program that
> monitors the logs and dynamically configures the IPTables firewall to stop
> attacks. But I don't remember what programs were in the discussion.
>
> I've got about a dozen linux servers I'm responsible for that have a bug in
> an overlay authentication module. Any heavy attack (like a dictionary
> attack) on any service breaks the module. After that, no one can POP their
> mail, FTP in, or do anything else. And since this is an overlay
> authentication program (on top of Centos), I can't find a way to restart
> it/fix it. The only repair I've found that works reliably is to reboot the
> server. It's gotten to be a real PIA with all these script-kiddies running
> hack attempts these days.
>
> Can anyone suggest a dynamic blocking program to put an end to hacking
> attempts and crashes in the authentication module. At least, it will put an
> end to this until the coders fix the authentication module...
>
> Thanks everyone.
>
>
>
> Chuck
>
>
>
>
>
--
Jeremy Mann
jeremy@biochem.uthscsa.edu
University of Texas Health Science Center
Bioinformatics Core Facility
http://www.bioinformatics.uthscsa.edu
Phone: (210) 567-2672
_______________________________________________
XCSSA mailing list
XCSSA@xcssa.org
http://xcssa.org/mailman/listinfo/xcssa
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
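An added example, not part of the original thread and not the code of any of the programs mentioned in it: a minimal log-driven blocker of the kind Chuck is asking about. It reads authentication-log lines, counts failed FTP, POP3 and SSH logins per source address inside a sliding time window, and emits iptables rules for addresses that cross a threshold, while never blocking an allow-listed management address (the "home IP" exception from the thread, which is the usual way to avoid locking yourself out). The log lines are constructed samples; the regexes, the threshold and window, and the chain name DYNBLOCK are assumptions for this example, not taken from any particular daemon's documentation.

```python
"""Log-driven dynamic blocking, as an added example (not from the thread).

Parses failed-login lines, keeps a per-source sliding window of failures and
returns iptables rules for sources that exceed a threshold. Allow-listed
addresses are never blocked. Rules are returned as strings, not executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (syslog style; formats loosely modelled on
# vsftpd, dovecot and sshd, but these are assumptions, not real captures).
# 192.0.2.5 plays the role of the administrator's "home IP".
SAMPLE_LOG = """\
Oct 22 12:00:01 mail vsftpd[1234]: FAIL LOGIN: Client "203.0.113.9"
Oct 22 12:00:02 mail vsftpd[1234]: FAIL LOGIN: Client "203.0.113.9"
Oct 22 12:00:03 mail vsftpd[1234]: FAIL LOGIN: Client "203.0.113.9"
Oct 22 12:00:04 mail vsftpd[1234]: FAIL LOGIN: Client "203.0.113.9"
Oct 22 12:00:05 mail vsftpd[1234]: FAIL LOGIN: Client "203.0.113.9"
Oct 22 12:00:07 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
Oct 22 12:00:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
Oct 22 12:00:10 mail sshd[777]: Failed password for root from 192.0.2.5 port 4444 ssh2
Oct 22 12:00:11 mail sshd[777]: Failed password for root from 192.0.2.5 port 4444 ssh2
Oct 22 12:00:12 mail sshd[777]: Failed password for root from 192.0.2.5 port 4444 ssh2
Oct 22 12:00:13 mail sshd[777]: Failed password for root from 192.0.2.5 port 4444 ssh2
Oct 22 12:00:14 mail sshd[777]: Failed password for root from 192.0.2.5 port 4444 ssh2
Oct 22 12:00:15 mail cron[1]: (root) CMD (run-parts /etc/cron.hourly)
Oct 22 12:30:00 mail vsftpd[1234]: FAIL LOGIN: Client "198.51.100.7"
"""

# One pattern per service; each must capture the source address as "ip".
FAIL_PATTERNS = [
    ("ftp",  re.compile(r'vsftpd\[\d+\]: FAIL LOGIN: Client "(?P<ip>[\d.]+)"')),
    ("pop3", re.compile(r'pop3-login: Aborted login \(auth failed.*rip=(?P<ip>[\d.]+)')),
    ("ssh",  re.compile(r'sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port')),
]


def parse_failure(line, year=2007):
    """Return (timestamp, service, ip) for a failed-login line, else None.

    Syslog timestamps carry no year, so one is supplied (assumed 2007 here).
    """
    for service, pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            return ts, service, m.group("ip")
    return None


class Blocker:
    """Sliding-window failure counter with an allow list."""

    def __init__(self, threshold=5, window_seconds=600, allowlist=()):
        self.threshold = threshold
        self.window = window_seconds
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)   # ip -> timestamps inside window
        self.blocked = {}                    # ip -> (first block time, service)

    def feed(self, line):
        """Consume one log line; return the ip if this line triggers a block."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, service, ip = parsed
        if ip in self.allowlist or ip in self.blocked:
            return None
        q = self.failures[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = (ts, service)
            return ip
        return None

    def iptables_rules(self, chain="DYNBLOCK"):
        """Rules for the blocked sources (chain name is an assumption)."""
        return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(self.blocked)]


def process_log(text, allowlist=("192.0.2.5",)):
    """Run every line of `text` through a Blocker and return it."""
    b = Blocker(allowlist=allowlist)
    for line in text.splitlines():
        b.feed(line)
    return b


if __name__ == "__main__":
    for rule in process_log(SAMPLE_LOG).iptables_rules():
        print(rule)
```

On the sample input only 203.0.113.9 is blocked: 198.51.100.7 never reaches five failures inside the ten-minute window, and 192.0.2.5 is on the allow list even though it also fails five times. A real deployment would run the rules as root, expire blocks after some time so a spoofed or shared address is not punished forever, and, as the thread notes for the authentication module itself, treat this as a stop-gap rather than a fix for the service that breaks under load.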