we havea few linux servers at an isp running ssh and other open ports.
hrowever we are being charged with extra bandwidth which i believe is due to
network scans on ssh unsucessful logon attempts. is there a way to prevent
this or is there some software that will give me info on who is scanning and
for how long etc...

[ Post a follow-up to this message ]

nobody wrote:

> we havea few linux servers at an isp running ssh and other open ports.
> hrowever we are being charged with extra bandwidth which i believe is due
> to network scans on ssh unsucessful logon attempts. is there a way to
> prevent this or is there some software that will give me info on who is
> scanning and for how long etc...

Usually you're scanned by some $scriptkiddies hacked server, your ssh
logfile should tell you the scanners ip:

Aug 31 18:23:08 www-19 sshd[24024]: Invalid user aptproxy from 210.0.196
.235
Aug 31 18:23:11 www-19 sshd[12770]: Invalid user desktop from 210.0.196.
235
Aug 31 18:23:15 www-19 sshd[20662]: Invalid user workshop from 210.0.196
.235
Aug 31 18:23:18 www-19 sshd[29095]: Invalid user mailnull from 210.0.196
.235
Aug 31 18:23:22 www-19 sshd[16925]: Invalid user nobody from 210.0.196.2
35
Aug 31 18:23:25 www-19 sshd[11658]: Invalid user rpcuser from 210.0.196.
235

I've placed some OpenBSD systems with pf enabled to directly drop too many
new connections on port 22 in a specified time. Since you're running linux
you could use fail2ban (www.fail2ban.org). fail2ban will parse your
logfiles and will then add a drop rule to iptables if someone produces too
many login failures. This will at least save you a part of the charged
bandwitdh.

--
Greetings
Chris

[ Post a follow-up to this message ]

So I will have to haqve iptables enabled first? What kind of rules does
iptables enable by default?
"Chris Cohen" <kildau-ml@gmx.de> wrote in message
news:fbqr2o$mlk$02$1@news.t-online.com...
> nobody wrote:
> 
>
> Usually you're scanned by some $scriptkiddies hacked server, your ssh
> logfile should tell you the scanners ip:
>
> Aug 31 18:23:08 www-19 sshd[24024]: Invalid user aptproxy from
> 210.0.196.235
> Aug 31 18:23:11 www-19 sshd[12770]: Invalid user desktop from
> 210.0.196.235
> Aug 31 18:23:15 www-19 sshd[20662]: Invalid user workshop from
> 210.0.196.235
> Aug 31 18:23:18 www-19 sshd[29095]: Invalid user mailnull from
> 210.0.196.235
> Aug 31 18:23:22 www-19 sshd[16925]: Invalid user nobody from 210.0.196
.235
> Aug 31 18:23:25 www-19 sshd[11658]: Invalid user rpcuser from
> 210.0.196.235
>
> I've placed some OpenBSD systems with pf enabled to directly drop too many
> new connections on port 22 in a specified time. Since you're running linux
> you could use fail2ban (www.fail2ban.org). fail2ban will parse your
> logfiles and will then add a drop rule to iptables if someone produces too
> many login failures. This will at least save you a part of the charged
> bandwitdh.
>
> --
> Greetings
> Chris

[ Post a follow-up to this message ]

nobody wrote:
> "Chris Cohen" <kildau-ml@gmx.de> wrote in message
> news:fbqr2o$mlk$02$1@news.t-online.com... 
> So I will have to haqve iptables enabled first? What kind of rules does
> iptables enable by default?

Iptables doesn't have any default rules and will just pass all traffic,
but your distribution may have some pre-configured settings (like SuSE,
Redhat...)

--
Greetings
Chris

[ Post a follow-up to this message ]

On Thu, 2007-09-06 at 20:22 -0700, nobody wrote:
> we havea few linux servers at an isp running ssh and other open ports.
> hrowever we are being charged with extra bandwidth which i believe is due 
to
> network scans on ssh unsucessful logon attempts. is there a way to prevent
> this or is there some software that will give me info on who is scanning a
nd
> for how long etc...

I'm using DenyHosts which has cut the traffic in my logs tremendously.  Work
s a treat.

http://denyhosts.sourceforge.net/
--
S. Anthony Sequeira
++
For a young man, not yet: for an old man, never at all.
-- Diogenes, asked when a man should marry

When should a man marry?  A young man, not yet; an elder man, not at all.
-- Sir Francis Bacon, "Of Marriage and Single Life"
++

[ Post a follow-up to this message ]

is there some software that can give me connection statistics - source ip
destination ip etc with graphs .


"Tony Sequeira" <tony@sequeira.org.uk> wrote in message
news:1189187040.2974.0.camel@comet.sequestor.lan...
> On Thu, 2007-09-06 at 20:22 -0700, nobody wrote: 
>
> I'm using DenyHosts which has cut the traffic in my logs tremendously.
> Works a treat.
>
> http://denyhosts.sourceforge.net/
> --
> S. Anthony Sequeira
> ++
> For a young man, not yet: for an old man, never at all.
> -- Diogenes, asked when a man should marry
>
> When should a man marry?  A young man, not yet; an elder man, not at all.
> -- Sir Francis Bacon, "Of Marriage and Single Life"
> ++
>
>

[ Post a follow-up to this message ]

On Thu, 6 Sep 2007, in the Usenet newsgroup comp.unix.admin, in article
<fbqg6g$sba$1@news.Stanford.EDU>, nobody wrote:

>we havea few linux servers at an isp running ssh and other open ports.
>hrowever we are being charged with extra bandwidth which i believe is
>due to network scans on ssh unsucessful logon attempts.

Welcome to the Internet - where there are 700 million r00ted windoze
boxes being used to scan systems for vulnerabilities.   SSH is a very
popular port for skript kiddiez to be scanning, looking for open
proxies and systems configured by congenital idiots like themselves.

>is there a way to prevent this

Do all ports of your systems need to be accessible from every IP address
on the planet (about 2.53 billion IPv4 addresses, and perhaps several
orders of magnitude more IPv6 addresses), or do you think you might be
able to narrow the allowed ranges down a bit?

Who are your users?  Do they have the intelligence to be able to use
an alternative port number instead of 22, or are they just clicking on
some icon that is preconfigured?  Most of the skript kiddiez and bots
have a similar skill level, and if you move your SSH server to a non-
standard port number...

>Date: Thu, 6 Sep 2007 20:22:56 -0700

yeah - port 2256 looks like s good alternative, or is remembering
unusual numbers beyond the skills of your users?  It's not "security
through obscurity" if you have the same _authentication_ requirements
that you had when the SSH daemon was listening on port 22.

>is there some software that will give me info on who is scanning and
>for how long etc...

[compton ~]$ whatis grep less more
grep                 (1)  - print lines matching a pattern
less                 (1)  - opposite of more
more                 (1)  - file perusal filter for crt viewing
[compton ~]$

although the information in your logs won't tell you who they are. Most
of the SSH scans are from r00ted windoze boxes and zombies, and the
IP addresses will merely suggest ranges of IP addresses to permanently
block.  There was a piece of crap called "PortSentry" that was available
for several years that could be set to automagically block addresses
that were causing failed logins, or were perceived to be port-scanning.
Most people decided to stop using it after shooting themselves in the
naughty bits by auto-blocking. See the Security-Quickstart-HOWTO for
details if you are interested, and even shows you how to configure both
IPCHAINS (2.4.x kernel) and iptables (21.6.x kernel).

Old guy

[ Post a follow-up to this message ]