block tons of login attempts

wispnewbie · Wed Sep 13, 2006 10:42 pm

My routers are getting hammered with a ton of login requests every day. The IP addresses the attempts are coming from change regularly. Is there a way to add an IP address to a blocked IP list after X number of bad login attempts?

GotNet · Thu Sep 14, 2006 2:24 am

Think the other way around - who do you want to have access?

Mike

wispnewbie · Thu Sep 14, 2006 6:22 am

You know, that seems really obvious now that you mention it. Explicitly accept traffic on the input chain from IP blocks we use when we administrate the routers and drop everything else. This wasn't a scripting application at all. Trust me to complicate things. :-)

Thanks

dancuofzhills · Wed Sep 20, 2006 11:30 pm

lately i also have been thinking about figuring out a way to block an ip address after repeated failed login attempts.
I do not want to use an exclusive accesslist because i never know where i'm gonna be when i need to login and get access.
I havent been able to figure out a way.

pedja · Thu Sep 21, 2006 12:58 am

I use pptp for that. Whenever I can I can connect to MT using pptp and then I have access to everything.

ArtIvanov · Fri Sep 22, 2006 8:16 pm

Change ports for ssh and web. All will be ok.

dancuofzhills · Fri Sep 22, 2006 8:48 pm

That is definately a good preventative measure, thanks!

I would still like a rule to add the offending addresses to a list that i can drop with the firewall, but some ideas take time to become reality.

savagedavid · Mon Sep 25, 2006 8:56 pm

An easy way would be to add the offending address to a dynamic address list and set a timeout value

dancuofzhills · Tue Sep 26, 2006 12:38 am

That is a good idea, but the problem with setting this up is figuring out how to make a rule somewhere that counts failed logins, if i could figure that out i would just need to have it set to add src address to list.
That is the part i'm not sure how to do..

Freman · Tue Sep 26, 2006 2:16 am

There are two ways to do this.

One is have firewall chains that progressively change list that an ip address is in - it works reasonably well, but I believe this results in a CF disk write for every change (works out 3-4 writes per ip) - Unfortunatly this one only counts rapid succession of reconnects on port 22, not specificly login failures

If you're interested, I'll post this solution.

The other way (and for those who use CF cards, this is probably the better way) is to set up a remote syslog, use syslog-ng on the box and a little perl script. syslog-ng can pipe entry's that match a pattern to a program/script.

Example syslog configuration

source s_remote { udp(); tcp(); };
filter f_sshworm { facility(user) and level(notice) and match("login failure for user"); };
destination d_sshworm {
        program("/sshworm.pl"
        template("$SOURCEIP $MESSAGE\n") );
};
log {
        source(remote);
        filter(f_sshworm);
        destination(d_sshworm);
};

now for me /sshworm.pl puts an entry into my scheduler database (I already have a script on another machine that routinely does things on the mikrotiks - like kicking users off, changing their speeds, checking the ip accounting and ip accounting web-access settings (they sometimes disable...)

My scheduler logs in with ssh and adds the ip address to the 'SSHWorms' address list, which has input and forward port 22 reject with tcp-reset (better to reset then just drop, it's the proper way to do it)

#!/usr/bin/perl

use Net::IP::Match::Regexp qw( create_iprange_regexp match_ip );
use strict;

# These addresses have been changed...
my $whitelist = create_iprange_regexp(
        "192.168.47.0/24",
        "172.16.0.0/16",
        "10.254.2.242/32"
);

$SIG{CHLD} = sub { wait };

# It's a constant pipe open from syslog-ng so we just read indefinitely
while (<>) {
        if (/^((?:\d+.){3}\d+).*?((?:\d+.){3}\d+)/) {
                # Match against our whitelist
                next if (match_ip($2,$whitelist));
                # Because many requests might come in at once, we want to get back to reading stdin as soon as possible or we'll miss something, so we fork here
                if (fork() == 0) {
                        # Sumbit to the scheduler
                        exec('/usr/bin/wget',"--post-data=ac=$1&ip=$2",'-q','-o/dev/null','-O/dev/null','http://scheduler.host/sshworm.php');
                        exit;
                }

        }
}

You don't need a scheduler, but you might have concurrency issues if you don't use one (You could use lockfiles to get around this)

If anyone wants a full solution, feel free to pm me, I can knock something up - having said that, there's a great detail of information already on this forum

GotNet · Tue Sep 26, 2006 3:36 am

lately i also have been thinking about figuring out a way to block an ip address after repeated failed login attempts.
I do not want to use an exclusive accesslist because i never know where i'm gonna be when i need to login and get access.
I havent been able to figure out a way.

My log is "clean". I always vpn or vnc or whatever to a machine on the trusted network. Even use PTvnc on my phone (Moto Q) to manage MTs.

Two cents... Mike

block tons of login attempts

block tons of login attempts

obvious

I would like the solution too

Good idea

but how...

Re: I would like the solution too

Who is online