Block port 22 when not in use

JustMe · April 21, 2006, 12:44pm

Hello. In the last few days I have received several attack attempts through ssh, the system will not let them in but they keep trying and trying to the point they manage to take down the server, I have blocked more than 20000 IPs but then they start from a new IP, at this moment I cannot afford a proper dedicated firewall, so I was wondering if I could just block port 22 for all when not in use, obviously this could let me out completely in case interworx fails or whatever, I know it is not the cleanest solution but I am desperate right now since the server is taken down every 4 to six hours and I need to sleep :o.
So my question is: Can I block port 22 without any issues apart from let myself out?
Does iworx use this port?

Does anyone have any suggestion towards a cleaner solution to this problem?

Thank you.

IWorx-Paul · April 21, 2006, 1:27pm

This won’t be a problem. I know many folks that run SSH on a non-standard port to thwart these kind of attempts.

Paul

Justec · April 21, 2006, 1:53pm

I leave SSH on port 22 and just firewall off the port. I then whitelist the few static IPs I normally connect from to manage the server. If I ever need to get it from a different location I could log in NodeWorx and add that IP or unblock it.

Got tired of having 10 MB of text emails in my daily logwatch with hack attempts :rolleyes:

JustMe · April 21, 2006, 1:54pm

Uhhhm, thanks Paul, that would mean a temporary solution till they start atacking all ports, but I like it, at least I?ll get some time to think what else could I do. I?ve been thinking while reviewing the logs, it does not matter very much really blocking port 22, though this is the most attacked port, it is not the only one, I guess I am going to need that firewall

JustMe · April 21, 2006, 2:06pm

Sorry Justec, I was posting at the same time, that?s a nice solution, I thought about it, the problem is my ISP does not like me and will not assign a static IP though I was planning to whitelist the whole IP range, but I do not think so, it?s like playing the lottery.

Fr3d · April 22, 2006, 8:21am

Have you tried a brute force detection script/app? They block an IP that fails SSH login after X attempts for Y minutes.

I’ve had no experience with anything like this, I’ve just hearad of it

EverythingWeb · April 22, 2006, 2:50pm

BFD integrates nicely with APF (the firewall used by Iworx) as they are written by the same person.

Nice little program!

JustMe · April 22, 2006, 3:39pm

Thanks for the tip. BFD looks like the best solution, I found it here in case someone is interested. It would be a nice feature for interworx.
This forum thread discusses several brute force detection systems.

system · April 22, 2006, 3:58pm

Hi

About BFD we use it for 2 uears now as a lot of others great tools from rf-x

We didn’t have time yet to hack it to fully work with an interworx-cp box. Today only ssh and proftp will work.

Promise we’ll try to quickly change the rules set for mail as well.

Something like

grep -iwf /usr/local/bfd/pattern.auth /var/log/maillog

with the good awk should do the trick

Of course if somebody has already done it, do not hesitate to share it with us

Pascal

system · April 22, 2006, 5:15pm

Ok a rule like this one should also ban all false connexion to vpopmail

REQ=“/usr/local/interworx”

if [ -d “$REQ” ]; then
LP=“/var/log/maillog”

if [ -f “$LP” ]; then
TLOG_TF=“iworxpop3”
TRIG=“15”

Vpopmail iworx

ARG_VAL=$TLOGP $LP $TLOG_TF | grep vchkpw-pop3 | grep -iwf $PATTERN_FILE | tr ':' ' ' | awk '{print$14":"$13}' | grep -E '[0-9]+'
fi

fi

Basicly ARG_VAL returns a list of IP:User

just try this to have a look of what arg_vam might look

cat /var/log/maillog | grep vchkpw-pop3 | grep -iwf /usr/local/bfd/pattern.auth | tr ‘:’ ’ ’ | awk ‘{print$14":"$13}’ | grep -E ‘[0-9]+’

for example for me it’s returning this

86.203.255.84:quizz
etc… 25 mores
83.114.165.165:quizz
etc… 40 mores

In fact BFD use his own LOG reader (pgm TLOG) to read only the last lines in /var/log/maillog (or whatever other log files) which have not already been read. This improve performance of course.

So BFD will receive IP:user and if there is more than n times the same IP adress then will do a apf -b IP comment

BE CARREFUL !!!

I give this just as a pist to explore, and as the begin of a what i could be rule
I DIDN’T TEST IT so much. It works for me on my box, but it doesn’t mean it will work on yours (lol don’t see why it should not but…)

It was only to show here that we may create others rules in BFD that might be more INTERWORX relevant

Pascal