Monday, June 8, 2015

ssh - iptables question




I am currently under an SSH attack.
The attack is strange in nature: the attacker is using a botnet of computers, each of which makes individual login attempts (see log snippet):
Dec 11 08:30:51 rhea sshd[16267]: Invalid user maureen from 78.43.82.153
Dec 11 08:35:24 rhea sshd[20012]: Invalid user maurizio from 201.244.188.202
Dec 11 08:44:46 rhea sshd[27711]: Invalid user max from 211.140.12.46
Dec 11 08:49:10 rhea sshd[31383]: Invalid user max from 190.144.47.82
Dec 11 08:58:19 rhea sshd[6659]: Invalid user max from 69.250.227.138
Dec 11 09:07:28 rhea sshd[14249]: Invalid user maxim from 93.63.231.55
Dec 11 09:12:03 rhea sshd[18127]: Invalid user maximus from 79.188.240.210

I am willing to filter all access to port 22 (i.e. only allow IPs I specify to connect), which is what I did a couple of days ago (block all connections to port 22 except from myself). What I want to do is log ALL connections that don't match an accept rule and then drop them; this way I can track all the computers in the botnet without giving them the opportunity to attempt to log in.



What I have is something like this:
-A INPUT -s my.addr(s) -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP



Update
I have added this to my iptables:
[0:0] -A INPUT -m limit --limit 5/min -p tcp -m tcp --dport 22 -j LOG --log-level 4 --log-prefix "** DoS **"
and used
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
to set up a separate file; however, I can only see the logged data in dmesg.


Answer



To set up a separate file; however, I can only see the logged data in dmesg.



Messages from the netfilter subsystem are logged via the kernel logging mechanism. This shows up in dmesg output, and also usually ends up in your syslog via the services of klogd.




If you're running rsyslog or syslog-ng, these generally read kernel log data natively.



The messages show up in syslog using the 'kern' facility, so in a traditional syslog.conf file you can do something like:



kern.* /var/log/kernel-messages


(But note that will get you all kernel messages, not just netfilter).




Both rsyslog and syslog-ng provide pattern-matching facilities to give you more granular control over where log messages go.
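Once the kern-facility messages land in a file, the asker's actual goal (tracking the botnet's source addresses) is a matter of parsing the LOG target's output. The following Python is an added example, not code from the question or the answer. It parses constructed sample lines in the format netfilter produces (the `--log-prefix` string is printed verbatim, immediately followed by the `IN=... SRC=... DPT=...` fields), ignores unrelated kernel and sshd lines, and counts the source addresses that were logged under the `** DoS **` prefix for TCP port 22. The host name, source addresses and prefix come from the page; the destination address, MAC, ports and the second `** Other **` rule are made up for the sample. Keep in mind that the `-m limit --limit 5/min` match in the update caps logging at roughly five lines per minute, so the resulting address set is a sample of the traffic, not a complete list.

```python
import re
from collections import Counter

# Constructed sample log. The "** DoS **" lines imitate what the LOG rule in the
# update produces; the "** Other **" line stands for a hypothetical second LOG rule
# with its own prefix; the sshd line is of the kind quoted in the question; the last
# line is an unrelated kernel message that must be ignored. Source addresses are
# taken from the question's snippet; DST address, MAC and port numbers are invented.
SAMPLE_LOG = """\
Dec 11 09:12:03 rhea kernel: ** DoS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=79.188.240.210 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 09:12:07 rhea kernel: ** DoS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=93.63.231.55 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2201 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 11 09:12:09 rhea kernel: ** DoS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=79.188.240.210 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 09:12:10 rhea kernel: ** Other **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=56
Dec 11 09:12:11 rhea sshd[18127]: Invalid user maximus from 79.188.240.210
Dec 11 09:12:12 rhea kernel: usb 1-1: new high-speed USB device number 3 using ehci-pci
"""

# A netfilter packet log is whatever follows "kernel: " up to the first "IN=" (the
# prefix), then a run of KEY=VALUE fields interspersed with bare flag tokens.
NETFILTER_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Parse one syslog/dmesg line written by the iptables LOG target.

    Returns None for lines that are not netfilter packet logs. Otherwise returns a
    dict with the LOG prefix, the KEY=VALUE packet fields, and the bare flag tokens
    (DF, SYN, ACK, ...) that carry no value.
    """
    m = NETFILTER_RE.search(line)
    if not m:
        return None
    fields_text = m.group("fields")
    fields = dict(FIELD_RE.findall(fields_text))
    flags = [tok for tok in fields_text.split() if "=" not in tok]
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def dropped_ssh_sources(log_text, prefix="** DoS **", dport=22):
    """Count source addresses logged under `prefix` whose packets targeted dport/tcp."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        f = rec["fields"]
        if f.get("PROTO") == "TCP" and f.get("DPT") == str(dport):
            counts[f["SRC"]] += 1
    return counts


def summarize(counts):
    """Return (address, hits) pairs, busiest first, ties broken by address."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for addr, hits in summarize(dropped_ssh_sources(SAMPLE_LOG)):
        print(f"{addr:<16} {hits}")
```

Run against /var/log/kernel-messages (or whatever file the `kern.*` selector above writes) instead of SAMPLE_LOG to get the per-address tally. Because the prefix is carried verbatim into the message text, a syslog daemon that matches on message content, as the answer notes rsyslog and syslog-ng do, can route only the `** DoS **` lines to their own file and leave the rest of the kernel log where it was, which keeps the file this script reads small.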

