Endlessly long auth.log

Jan Dusatko jan at dusatko.org
Wed Dec 10 23:58:58 CET 2008


To limit attacks on SSH I use, on the advice of Dan, Gabriel and others, several
things:

1) at the packet filter level, in /etc/pf.conf
table <ABUSIVE_HOSTS> persist file "/var/db/abusive"
pass in quick on $ext_if proto tcp to port { 22 } modulate state
(source-track, max-src-states 16, max-src-conn-rate 3/30, overload
<ABUSIVE_HOSTS> flush global)

2) at the SSH level, in the file /etc/pam.d/sshd using pam_af
# auth
auth            requisite       /usr/local/lib/pam_af.so

and then by setting up rules
pam_af_tool ruleadd -h localhost -a unlimited -t 0
pam_af_tool ruleadd -h 10.0.0.0/8 -a 7 -t 1H
pam_af_tool ruleadd -h 172.16.0.0/12 -a 7 -t 1H
pam_af_tool ruleadd -h 192.168.0.0/16 -a 7 -t 1H
pam_af_tool ruleadd -h '*' -a 5 -t 3H -l '/sbin/pfctl -t bruteforce -T add $PAM_RHOST' -u '/sbin/pfctl -t bruteforce -T delete $PAM_RHOST'

3) using bruteforceblocker, which analyses the log /var/log/auth.log. It is set
up so that after 15 attempts the address is blocked and added to /var/log/bruteforce
(a table of the same name in pf.conf, persistent)

4) monitoring with OSSEC (just for peace of mind)

I don't know whether this does everything you want ....

Honza
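As an added illustration of steps 2) and 3) above (not code from the post or from bruteforceblocker), the script below counts failed sshd logins per source address in auth.log lines, applies per-prefix limits shaped like the pam_af ruleadd rules (longest prefix wins, localhost unlimited), and builds the pfctl command that would add an offender to the bruteforce table. The log lines and addresses are constructed samples; the limits and table name are taken from the rules in the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of sshd entries as syslog writes them to /var/log/auth.log
# (documentation addresses only, not real hosts).
SAMPLE_AUTH_LOG = """\
Dec 10 23:50:01 gw sshd[1201]: Invalid user admin from 203.0.113.7
Dec 10 23:50:02 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec 10 23:50:05 gw sshd[1203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec 10 23:50:08 gw sshd[1204]: Failed password for root from 203.0.113.7 port 40131 ssh2
Dec 10 23:50:11 gw sshd[1206]: Failed password for oracle from 203.0.113.7 port 40135 ssh2
Dec 10 23:50:14 gw sshd[1207]: Failed password for test from 203.0.113.7 port 40140 ssh2
Dec 10 23:50:20 gw sshd[1210]: Failed password for honza from 192.168.1.10 port 55102 ssh2
Dec 10 23:50:25 gw sshd[1211]: Failed password for honza from 192.168.1.10 port 55103 ssh2
"""

# Per-source limits mirroring the pam_af ruleadd rules in the post; the most
# specific prefix wins and None means unlimited (the localhost rule).
RULES = [
    (ipaddress.ip_network("127.0.0.1/32"), None),
    (ipaddress.ip_network("10.0.0.0/8"), 7),
    (ipaddress.ip_network("172.16.0.0/12"), 7),
    (ipaddress.ip_network("192.168.0.0/16"), 7),
    (ipaddress.ip_network("0.0.0.0/0"), 5),
]

# Only "Failed password" lines are counted, so the "Invalid user" line that
# precedes the same attempt is not counted a second time.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def count_failures(log_text):
    """Return a Counter of failed-password attempts per source address."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := FAILED_RE.search(line)))

def limit_for(ip, rules=RULES):
    """Attempt limit for an address: longest matching prefix decides; no match means unlimited."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, lim) for net, lim in rules if addr in net]
    return max(matches, default=(0, None))[1]

def hosts_to_block(log_text, rules=RULES):
    """Addresses whose failure count reached their limit, sorted."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if (lim := limit_for(ip, rules)) is not None and n >= lim)

def pfctl_add_command(ip, table="bruteforce"):
    """Build (not run) the pfctl command used by the pam_af lock hook in the post."""
    return f"/sbin/pfctl -t {table} -T add {ip}"
```

Running `hosts_to_block(SAMPLE_AUTH_LOG)` on the sample flags only 203.0.113.7 (five failures against a limit of five), while 192.168.1.10 stays under its private-range limit of seven.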




More information about the Users-l mailing list