


  1. #1

    denyhosts is not blocking attacks

    Hello.

    I noticed a certain flaw in the way denyhosts works. Even though denyhosts blocks an intrusion attempt from IP 200.200.200.200 with the user "abobrinha", I keep receiving attacks from IP 200.200.200.200 because it tries with different users. What can I do in this case? I'll post a piece of my messages log so you can get an idea:

    tac /var/log/messages |grep sshd |more
    Jan 23 19:10:25 gia sshd[9705]: Failed password for invalid user test from 3Com VCX Connect port 22872 ssh2
    Jan 23 19:10:25 gia sshd[9705]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:25 gia sshd[9705]: Invalid user test from 3Com VCX Connect
    Jan 23 19:10:23 gia sshd[9703]: Failed password for invalid user test from 3Com VCX Connect port 21722 ssh2
    Jan 23 19:10:23 gia sshd[9703]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:23 gia sshd[9703]: Invalid user test from 3Com VCX Connect
    Jan 23 19:10:20 gia sshd[9701]: Failed password for invalid user hermes from 3Com VCX Connect port 21487 ssh2
    Jan 23 19:10:20 gia sshd[9701]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:20 gia sshd[9701]: Invalid user hermes from 3Com VCX Connect
    Jan 23 19:10:18 gia sshd[9698]: Failed password for invalid user cyrus from 3Com VCX Connect port 20149 ssh2
    Jan 23 19:10:18 gia sshd[9698]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:18 gia sshd[9698]: Invalid user cyrus from 3Com VCX Connect
    Jan 23 19:10:16 gia sshd[9696]: Failed password for invalid user carlos from 3Com VCX Connect port 19962 ssh2
    Jan 23 19:10:16 gia sshd[9696]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:16 gia sshd[9696]: Invalid user carlos from 3Com VCX Connect
    Jan 23 19:10:13 gia sshd[9694]: Failed password for root from 3Com VCX Connect port 19251 ssh2
    Jan 23 19:10:11 gia sshd[9692]: Failed password for invalid user admin from 3Com VCX Connect port 18510 ssh2
    Jan 23 19:10:11 gia sshd[9692]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:11 gia sshd[9692]: Invalid user admin from 3Com VCX Connect
    Jan 23 19:10:08 gia sshd[9690]: Failed password for invalid user toto from 3Com VCX Connect port 17136 ssh2
    Jan 23 19:10:08 gia sshd[9690]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:08 gia sshd[9690]: Invalid user toto from 3Com VCX Connect
    Jan 23 19:10:06 gia sshd[9684]: Failed password for invalid user wrestling from 3Com VCX Connect port 17021 ssh2
    Jan 23 19:10:06 gia sshd[9684]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:06 gia sshd[9684]: Invalid user wrestling from 3Com VCX Connect
    Jan 23 19:10:04 gia sshd[9679]: Failed password for invalid user admin from 3Com VCX Connect port 16896 ssh2
    Jan 23 19:10:04 gia sshd[9679]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:04 gia sshd[9679]: Invalid user admin from 3Com VCX Connect
    Jan 23 19:10:01 gia sshd[9661]: Failed password for invalid user admin from 3Com VCX Connect port 16194 ssh2
    Jan 23 19:10:01 gia sshd[9661]: error: Could not get shadow information for NOUSER
    Jan 23 19:10:01 gia sshd[9661]: Invalid user admin from 3Com VCX Connect
    Jan 23 19:09:59 gia sshd[9659]: Failed password for root from 3Com VCX Connect port 15457 ssh2
    Jan 23 19:09:57 gia sshd[9657]: Failed password for invalid user moshutzu from 3Com VCX Connect port 14731 ssh2
    Jan 23 19:09:57 gia sshd[9657]: error: Could not get shadow information for NOUSER
    Jan 23 19:09:57 gia sshd[9657]: Invalid user moshutzu from 3Com VCX Connect
    Jan 23 19:09:54 gia sshd[9655]: Failed password for invalid user valas from 3Com VCX Connect port 13984 ssh2
    Jan 23 19:09:54 gia sshd[9655]: error: Could not get shadow information for NOUSER
    Jan 23 19:09:54 gia sshd[9655]: Invalid user valas from 3Com VCX Connect
    Jan 23 19:09:52 gia sshd[9653]: Failed password for root from 3Com VCX Connect port 13265 ssh2
    Jan 23 19:09:50 gia sshd[9651]: Failed password for root from 3Com VCX Connect port 12550 ssh2
    Jan 23 19:09:47 gia sshd[9649]: Failed password for invalid user test from 3Com VCX Connect port 11824 ssh2
    Jan 23 19:09:47 gia sshd[9649]: error: Could not get shadow information for NOUSER
    Jan 23 19:09:47 gia sshd[9649]: Invalid user test from 3Com VCX Connect
    Jan 23 19:09:45 gia sshd[9647]: Failed password for invalid user test from 3Com VCX Connect port 11099 ssh2


    Note that the IP 3Com VCX Connect has already been "blocked" by denyhosts and is already listed in /etc/hosts.deny; however, it was blocked with a different user. Is there some way for me to block the IP 3Com VCX Connect as early as the second attack attempt, even if that host tries to attack me with different users?


    []'s, Renato
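
Worked example added here (it is not code from the thread and not DenyHosts' own code): a shell/awk tally of sshd password failures that groups by source host across every username tried, then applies the DENY_THRESHOLD_INVALID=1, DENY_THRESHOLD_ROOT=1 and DENY_THRESHOLD_VALID=2 values from a denyhosts.cfg. DenyHosts keeps its counters per host in the same way, so a host that crossed a threshold with one username is over it for every other username as well. The sample lines are constructed: 203.0.113.7 and 198.51.100.9 are documentation addresses, and one line keeps the multi-word source field exactly as it appears in the post above, to show that anchoring the parse on " port " keeps such a field intact instead of taking only its first word.

```shell
#!/bin/sh
# Added example, not code from the thread: tally sshd password failures per
# source host across every username tried, the way DenyHosts counts them,
# and apply thresholds taken from a denyhosts.cfg
# (DENY_THRESHOLD_INVALID=1, DENY_THRESHOLD_ROOT=1, DENY_THRESHOLD_VALID=2).
# Log lines are read on stdin. Override the thresholds with the T_INVALID,
# T_ROOT and T_VALID environment variables.

tally_ssh_failures() {
    awk -v t_inv="${T_INVALID:-1}" -v t_root="${T_ROOT:-1}" -v t_val="${T_VALID:-2}" '
    # Count only "Failed password" lines; sshd also logs a separate
    # "Invalid user X from Y" line for the same attempt, which would
    # double-count the host.
    /sshd\[[0-9]+\]: Failed password for / {
        # The source sits between " from " and " port ". Anchoring on both
        # keeps the field whole even when it is not a bare IPv4 address
        # (the post above shows "3Com VCX Connect" in that position).
        if (!match($0, / from .* port [0-9]+ ssh2/)) next
        src = substr($0, RSTART + 6, RLENGTH - 6)
        sub(/ port [0-9]+ ssh2$/, "", src)
        if ($0 ~ /Failed password for invalid user /) inv[src]++
        else if ($0 ~ /Failed password for root from /) root[src]++
        else val[src]++
        seen[src] = 1
    }
    END {
        # One line per host: verdict, the three counters, then the host
        # (last, so a host containing spaces does not shift the columns).
        for (h in seen) {
            verdict = "ok"
            if (inv[h] + 0 >= t_inv || root[h] + 0 >= t_root || val[h] + 0 >= t_val) verdict = "DENY"
            printf "%s invalid=%d root=%d valid=%d %s\n", verdict, inv[h], root[h], val[h], h
        }
    }' | sort
}

# Emit hosts.deny entries (the "ALL: host" form DenyHosts writes) for every
# host over threshold. BLOCK_SERVICE defaults to ALL as in the posted config.
deny_entries() {
    tally_ssh_failures | awk -v svc="${BLOCK_SERVICE:-ALL}" '$1 == "DENY" {
        host = $5
        for (i = 6; i <= NF; i++) host = host " " $i
        print svc ": " host
    }'
}

# Constructed sample lines (documentation addresses, not the poster's real
# attacker); one line keeps the multi-word source field from the post.
SAMPLE_LOG='Jan 23 19:10:25 gia sshd[9705]: Failed password for invalid user test from 203.0.113.7 port 22872 ssh2
Jan 23 19:10:25 gia sshd[9705]: Invalid user test from 203.0.113.7
Jan 23 19:10:13 gia sshd[9694]: Failed password for root from 203.0.113.7 port 19251 ssh2
Jan 23 19:10:11 gia sshd[9692]: Failed password for invalid user admin from 203.0.113.7 port 18510 ssh2
Jan 23 19:11:02 gia sshd[9710]: Failed password for renato from 198.51.100.9 port 40111 ssh2
Jan 23 19:09:47 gia sshd[9649]: Failed password for invalid user cyrus from 3Com VCX Connect port 20149 ssh2'

printf '%s\n' "$SAMPLE_LOG" | tally_ssh_failures
printf '%s\n' "$SAMPLE_LOG" | deny_entries
```

Against the real log this is `grep sshd /var/log/messages | tally_ssh_failures` (the same file the tac command above reads). A host that shows up as DENY here but keeps getting through is a problem on the blocking side (hosts.deny not being consulted by sshd, or DenyHosts reading a different file), not on the counting side.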

  2. #2


    Friend!

    Post your hosts.deny, because as far as I knew it blocked access to the port altogether; I didn't know it did that per user!

  3. #3


    Below is my hosts.deny, and further down my denyhosts.cfg

    hosts.deny

    ALL:ALL EXCEPT 127.0.0.1ENY
    # DenyHosts: Thu Jan 24 02:28:02 2008 | ALL: 190.2.29.181
    ALL: 190.2.29.181
    # DenyHosts: Thu Jan 24 03:52:02 2008 | ALL: 194.250.47.30
    ALL: 194.250.47.30
    # DenyHosts: Thu Jan 24 04:16:02 2008 | ALL: 150.183.249.96
    ALL: 150.183.249.96
    # DenyHosts: Thu Jan 24 06:52:01 2008 | ALL: 201.48.249.23
    ALL: 201.48.249.23
    # DenyHosts: Thu Jan 24 07:30:04 2008 | ALL: 202.70.86.69
    ALL: 202.70.86.69
    # DenyHosts: Thu Jan 24 09:56:03 2008 | ALL: 195.19.151.8
    ALL: 195.19.151.8



    denyhosts.cfg
    # Mandrake, FreeBSD or OpenBSD:
    SECURE_LOG = /var/log/denyhosts

    HOSTS_DENY = /etc/hosts.deny

    PURGE_DENY = 4w

    PURGE_THRESHOLD = 0

    DENY_THRESHOLD_INVALID = 1

    DENY_THRESHOLD_VALID = 2

    BLOCK_SERVICE = ALL

    DENY_THRESHOLD_ROOT = 1

    DENY_THRESHOLD_RESTRICTED = 1

    WORK_DIR = /usr/share/denyhosts/data

    SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

    HOSTNAME_LOOKUP=YES

    LOCK_FILE = /var/lock/subsys/denyhosts

    ADMIN_EMAIL = [email protected]

    SMTP_HOST = localhost
    SMTP_PORT = 25

    SMTP_FROM = DenyHosts <nobody@localhost>

    SMTP_SUBJECT = DenyHosts Report

    ALLOWED_HOSTS_HOSTNAME_LOOKUP=yes

    AGE_RESET_VALID=5d

    AGE_RESET_ROOT=25d

    AGE_RESET_RESTRICTED=25d

    AGE_RESET_INVALID=10d

    DAEMON_LOG = /var/log/denyhosts

    DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

    DAEMON_SLEEP = 30s

    DAEMON_PURGE = 3d

    SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

    SYNC_INTERVAL = 1d

    SYNC_UPLOAD = yes
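
Added checks, not code from the thread: the denyhosts.cfg above sets SECURE_LOG = /var/log/denyhosts and DAEMON_LOG = /var/log/denyhosts, while the sshd failures in the first post were read out of /var/log/messages. DenyHosts parses only the file named by SECURE_LOG, so with that setting it never sees those lines (entries it still adds to hosts.deny can come from the configured SYNC_SERVER exchange rather than from the local log). The first function below reads the two keys from a config file and complains when they coincide or when SECURE_LOG contains no sshd failures; the second reports whether the installed sshd is linked against libwrap at all, since hosts.deny is irrelevant to a build that is not. The config and log files in the demonstration are constructed under a temporary directory; the real paths on the poster's machine are the ones named above.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks for a DenyHosts
# install. The posted denyhosts.cfg has SECURE_LOG and DAEMON_LOG both set to
# /var/log/denyhosts, while the sshd lines in the first post were taken from
# /var/log/messages; DenyHosts only parses the file named by SECURE_LOG.

# Print the value of KEY ($2) from a "KEY = value" style config file ($1):
# first match, commented-out keys ignored, trailing whitespace stripped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Verify that SECURE_LOG names a readable file containing sshd failures and is
# not the daemon's own log. Returns 0 when usable, 1 otherwise; findings on stdout.
check_secure_log() {
    secure_log=$(cfg_get "$1" SECURE_LOG)
    daemon_log=$(cfg_get "$1" DAEMON_LOG)
    rc=0
    if [ -z "$secure_log" ]; then
        echo "FAIL: SECURE_LOG is not set"
        return 1
    fi
    if [ -n "$daemon_log" ] && [ "$secure_log" = "$daemon_log" ]; then
        echo "FAIL: SECURE_LOG and DAEMON_LOG are both $secure_log; DenyHosts would parse its own output"
        rc=1
    fi
    if [ ! -r "$secure_log" ]; then
        echo "FAIL: $secure_log is missing or unreadable"
        rc=1
    elif ! grep -Eq 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$secure_log"; then
        echo "FAIL: no sshd authentication failures in $secure_log; point SECURE_LOG at the file that has them"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: SECURE_LOG=$secure_log contains sshd failures"
    fi
    return "$rc"
}

# hosts.deny only matters if sshd consults tcp_wrappers. Report whether the
# installed binary is linked against libwrap (OpenSSH dropped that support
# in 6.7; on such builds the block has to live in the firewall).
check_libwrap() {
    sshd_bin=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || :)
    if [ -z "$sshd_bin" ]; then
        echo "SKIP: sshd binary not found"
        return 2
    fi
    if ldd "$sshd_bin" 2>/dev/null | grep -q libwrap; then
        echo "OK: $sshd_bin links libwrap, /etc/hosts.deny is honoured"
        return 0
    fi
    echo "WARN: $sshd_bin is not linked against libwrap; hosts.deny does not affect it"
    return 1
}

# Demonstration on constructed files under a temporary directory (the
# poster's real paths are /var/log/denyhosts and /var/log/messages).
demo=$(mktemp -d)
printf 'Jan 23 19:10:25 gia sshd[9705]: Failed password for invalid user test from 203.0.113.7 port 22872 ssh2\n' > "$demo/messages"
printf 'DenyHosts started\n' > "$demo/denyhosts"
printf 'SECURE_LOG = %s\nDAEMON_LOG = %s\nHOSTS_DENY = %s/hosts.deny\n' "$demo/denyhosts" "$demo/denyhosts" "$demo" > "$demo/posted.cfg"
printf 'SECURE_LOG = %s\nDAEMON_LOG = %s\nHOSTS_DENY = %s/hosts.deny\n' "$demo/messages" "$demo/denyhosts" "$demo" > "$demo/fixed.cfg"
for cfg in "$demo/posted.cfg" "$demo/fixed.cfg"; do
    echo "== $cfg"
    check_secure_log "$cfg" || echo "   (DenyHosts would never see the sshd failures with this config)"
done
check_libwrap || echo "   (block the host in the firewall instead)"
rm -rf "$demo"
```

For the config posted above the correction is one line, SECURE_LOG = /var/log/messages (the file the tac command in the first post reads; distributions that log sshd elsewhere use /var/log/secure or /var/log/auth.log), followed by a DenyHosts restart. Run check_libwrap on the server itself; a WARN there means hosts.deny entries will keep piling up without changing anything and the block has to be done in the packet filter.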

  4. #4


    I didn't see where you were blocking by user there.
    Look at your hosts.allow to check that it isn't letting them through.

    Don't you think it's better to do this with the firewall?

    And isn't it better to block everything in hosts.deny and then open up selectively in hosts.allow?
    Last edited by andersoneduardo; 24-01-2008 at 10:42.
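
Added example, not code from the thread, for the two points in the reply above (look at hosts.allow first; deny everything in hosts.deny and open up in hosts.allow): a small re-implementation of the tcp_wrappers lookup order. Access is granted on the first match in hosts.allow, refused on the first match in hosts.deny, and granted when neither file matches; because hosts.allow is consulted first, one permissive line there makes every entry DenyHosts writes to hosts.deny moot. The matcher handles the common client patterns (ALL, an exact address or name, a "203.0.113." prefix, an ".example.net" suffix, one EXCEPT clause) and nothing else: no netgroups, no address/mask forms, no DNS. The files in the demonstration are constructed in a temporary directory with documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: emulate the tcp_wrappers lookup
# order (hosts.allow first match grants, hosts.deny first match refuses,
# otherwise grant) on simplified client patterns. tcpdmatch(8) remains the
# authoritative check against the real files.

# Print 1 if CLIENT ($2) matches the client list ($1), else 0.
wrap_match() {
    printf '%s\n' "$1" | awk -v c="$2" '
    function one(pat) {
        gsub(/^[ \t]+|[ \t]+$/, "", pat)
        if (pat == "ALL" || pat == c) return 1
        if (pat ~ /\.$/ && index(c, pat) == 1) return 1            # "203.0.113." prefix
        if (pat ~ /^\./ && length(c) > length(pat) &&
            substr(c, length(c) - length(pat) + 1) == pat) return 1   # ".example.net" suffix
        return 0
    }
    # A list is comma- or blank-separated; any member matching is enough.
    function any(list,    n, i, parts) {
        n = split(list, parts, /[ \t]*,[ \t]*|[ \t]+/)
        for (i = 1; i <= n; i++) if (parts[i] != "" && one(parts[i])) return 1
        return 0
    }
    {
        # "A EXCEPT B" matches when A matches and B does not.
        n = split($0, side, / EXCEPT /)
        ok = any(side[1])
        if (ok && n > 1 && any(side[2])) ok = 0
        print ok
    }'
}

# Print the first "daemon_list:client_list" entry in FILE ($1) that matches
# daemon $2 and client $3; print nothing if none does. Comments and blank
# lines are skipped; a third field (shell command) is ignored.
wrap_first_match() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null | while IFS=: read -r dlist clist rest; do
        if [ "$(wrap_match "$dlist" "$2")" = 1 ] && [ "$(wrap_match "$clist" "$3")" = 1 ]; then
            printf '%s:%s\n' "$dlist" "$clist"
            break
        fi
    done
}

# Decide for daemon $2 and client $3 using hosts.allow and hosts.deny in
# directory $1. The first word printed is ALLOW or DENY.
wrap_decide() {
    m=$(wrap_first_match "$1/hosts.allow" "$2" "$3")
    if [ -n "$m" ]; then echo "ALLOW  hosts.allow: $m"; return 0; fi
    m=$(wrap_first_match "$1/hosts.deny" "$2" "$3")
    if [ -n "$m" ]; then echo "DENY   hosts.deny: $m"; return 0; fi
    echo "ALLOW  no entry matched in either file"
}

# Constructed files in a temporary directory (documentation addresses).
d=$(mktemp -d)
printf 'ALL: ALL EXCEPT 127.0.0.1\nALL: 203.0.113.7\n' > "$d/hosts.deny"
: > "$d/hosts.allow"
wrap_decide "$d" sshd 203.0.113.7    # DENY: first hosts.deny line
wrap_decide "$d" sshd 127.0.0.1      # ALLOW: exempted by EXCEPT, nothing else matches
printf 'sshd: ALL\n' > "$d/hosts.allow"
wrap_decide "$d" sshd 203.0.113.7    # ALLOW: hosts.allow wins, hosts.deny never consulted
printf 'sshd: 192.0.2.\nALL: 127.0.0.1\n' > "$d/hosts.allow"
printf 'ALL: ALL\n' > "$d/hosts.deny"
wrap_decide "$d" sshd 192.0.2.10     # ALLOW: default deny with a selective allow
wrap_decide "$d" sshd 203.0.113.7    # DENY
rm -rf "$d"
```

The last pair of files is the layout the reply suggests: hosts.deny holds only ALL: ALL, and hosts.allow lists the networks that may reach sshd. For the real files, copy /etc/hosts.allow and /etc/hosts.deny into a scratch directory and run tcpdmatch -d sshd 203.0.113.7 there; the -d flag makes tcpdmatch read the files from the current directory and prints which line decided. That also settles the first line of the hosts.deny posted above, which ends in 127.0.0.1ENY: if those letters are really in the file and not a paste artifact, the pattern after EXCEPT matches no client, so the line denies everybody including localhost unless hosts.allow lets them in.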