Tuesday, 6 October 2009

Repelling brute force with iptables

Oct 6 08:11:10 jeruk sshd(pam_unix)[21960]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:15 jeruk sshd(pam_unix)[21963]: check pass; user unknown
Oct 6 08:11:15 jeruk sshd(pam_unix)[21963]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:20 jeruk sshd(pam_unix)[21966]: check pass; user unknown
Oct 6 08:11:20 jeruk sshd(pam_unix)[21966]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:25 jeruk sshd(pam_unix)[21968]: check pass; user unknown
Oct 6 08:11:25 jeruk sshd(pam_unix)[21968]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:30 jeruk sshd(pam_unix)[21971]: check pass; user unknown
Oct 6 08:11:30 jeruk sshd(pam_unix)[21971]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:33 jeruk kernel: Blocked: IN=eth1 OUT= MAC=00:10:18:2f:78:31:00:d0:d0:36:d3:42:08:00 SRC=61.167.49.106 DST=60.52.204.6 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34905 DF PROTO=TCP SPT=37951 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

The attack above was successfully repelled and the source put on the blacklist. So, to any villain who has failed to break into my garden: you are going to run into trouble. Below are the iptables commands I use to repel these villains of cyberspace.

/sbin/iptables -N SSH                       # chain that every new SSH connection is checked in
/sbin/iptables -N SSH_BLACKLIST             # chain that records an offender and rejects it
/sbin/iptables -A SSH_BLACKLIST -m recent --name SSH_COUNTER --set -j LOG --log-level warn --log-prefix "Blocked: "   # record the source in SSH_COUNTER and log it as "Blocked: "
/sbin/iptables -A SSH_BLACKLIST -j REJECT   # then reject the connection
/sbin/iptables -A SSH -m recent --name SSH_COUNTER --update --seconds 300 -j REJECT   # still blacklisted (seen within 300 s): reject and refresh the timer
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 5 -j SSH_BLACKLIST   # 5 or more connections within 60 s: blacklist the source
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "Added: "   # log a connection arriving within 2 s of the previous one
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 2 -j REJECT   # and reject it (simple rate limit)
/sbin/iptables -A SSH -m recent --name SSH_COUNTER --remove -j LOG --log-level warn --log-prefix "Removed: "   # blacklist entry older than 300 s: drop it and log "Removed: "
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT   # record this connection in the SSH list and accept it
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH   # send every new connection to port 22 through the SSH chain
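The same detection the ruleset above does in the kernel, done in userspace over the log lines: this is an example added by the editor, not code from the original post. It scans sshd pam_unix lines for authentication failures per rhost with the post's thresholds (5 hits inside a 60-second sliding window, the counterpart of "--rcheck --seconds 60 --hitcount 5") and cross-checks the result against the "Blocked:" lines the LOG target writes. The sample log is constructed: the first entries mirror the ones shown above, the two other source addresses are invented, and the year is assumed because syslog omits it.

```python
"""Userspace counterpart of the iptables 'recent' rules: flag any rhost that
reaches HITCOUNT pam_unix authentication failures inside a WINDOW-second
sliding window, and list the kernel "Blocked:" lines for comparison.

Example added by the editor, not part of the original post. SAMPLE_LOG is
constructed: the first block mirrors the post's log, the rest is made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

HITCOUNT = 5   # same threshold as "--hitcount 5"
WINDOW = 60    # same window as "--seconds 60"
YEAR = 2009    # syslog lines carry no year; assumed from the post's date

SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(?P<rhost>\S+)"
)
KERNEL_BLOCK = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: Blocked: "
    r".*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)"
)

SAMPLE_LOG = """\
Oct  6 08:11:10 jeruk sshd(pam_unix)[21960]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct  6 08:11:15 jeruk sshd(pam_unix)[21963]: check pass; user unknown
Oct  6 08:11:15 jeruk sshd(pam_unix)[21963]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct  6 08:11:20 jeruk sshd(pam_unix)[21966]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct  6 08:11:25 jeruk sshd(pam_unix)[21968]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct  6 08:11:30 jeruk sshd(pam_unix)[21971]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct  6 08:11:33 jeruk kernel: Blocked: IN=eth1 OUT= MAC=00:10:18:2f:78:31:00:d0:d0:36:d3:42:08:00 SRC=61.167.49.106 DST=60.52.204.6 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34905 DF PROTO=TCP SPT=37951 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 08:15:01 jeruk sshd(pam_unix)[22010]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  6 08:15:09 jeruk sshd(pam_unix)[22012]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  6 08:15:40 jeruk sshd(pam_unix)[22015]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  6 08:20:00 jeruk sshd(pam_unix)[22101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Oct  6 08:20:30 jeruk sshd(pam_unix)[22104]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Oct  6 08:21:00 jeruk sshd(pam_unix)[22107]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Oct  6 08:21:30 jeruk sshd(pam_unix)[22110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Oct  6 08:22:00 jeruk sshd(pam_unix)[22113]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
"""


def _syslog_time(stamp):
    """Parse 'Oct  6 08:11:10' into a datetime, assuming YEAR."""
    return datetime.strptime(f"{YEAR} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_failures(text):
    """Yield (time, rhost) for every pam_unix authentication failure, in log order."""
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m:
            yield _syslog_time(m.group("ts")), m.group("rhost")


def find_offenders(text, hitcount=HITCOUNT, window=WINDOW):
    """Return {rhost: time it crossed the threshold}. A host is an offender when
    hitcount failures fall inside window seconds (oldest to newest), which is
    the sliding-window check 'recent --rcheck --seconds N --hitcount M' makes."""
    history = defaultdict(deque)
    offenders = {}
    for when, rhost in parse_failures(text):
        recent = history[rhost]
        recent.append(when)
        while (when - recent[0]).total_seconds() > window:
            recent.popleft()          # forget failures older than the window
        if len(recent) >= hitcount and rhost not in offenders:
            offenders[rhost] = when   # record the first crossing only
    return offenders


def parse_blocked(text):
    """Return [(time, src, dport)] for the 'Blocked:' lines the LOG target wrote."""
    found = []
    for line in text.splitlines():
        m = KERNEL_BLOCK.match(line)
        if m:
            found.append((_syslog_time(m.group("ts")), m.group("src"), int(m.group("dpt"))))
    return found


if __name__ == "__main__":
    for rhost, when in find_offenders(SAMPLE_LOG).items():
        print(f"{rhost}: {HITCOUNT} failures within {WINDOW}s at {when:%H:%M:%S}")
    for when, src, dport in parse_blocked(SAMPLE_LOG):
        print(f"firewall blocked {src} -> port {dport} at {when:%H:%M:%S}")
```

One difference worth keeping in mind: the iptables rules count new TCP connections to port 22 regardless of outcome, while this script counts pam failures, so a scanner that opens connections without trying a password is seen by the firewall but not by the log scan. In the post's own log the fifth failure lands at 08:11:30 and the kernel's "Blocked:" line follows at 08:11:33, which is the firewall rejecting the sixth connection attempt.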

Sunday, 4 October 2009

openswan-2.4.4-1.i386

My gateway server at the office got corrupted the other day. The message on the screen asked me to run fsck manually. From my experience and my friends', I find that fsck does not help at all in the recovery process, so I just mounted the data on my hard disk and reformatted the gateway server, which runs Fedora Core 4 (a bit out of date?).


# rpm -iUvh openswan-2.4.4-1.i386.rpm
warning: openswan-2.4.4-1.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID b5cc27e1
Preparing... ########################################### [100%]
package openswan-2.4.4-1 is already installed
# cchkconfig ipsec on
bash: cchkconfig: command not found
# chkconfig ipsec on
# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/ah4.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/ipcomp.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/crypto/des.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/arch/i386/crypto/aes-i586.ko
# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/xfrm4_tunnel.ko
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.11-1.1369_FC4smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]

## then run the command "ipsec showhostkey --right"
## copy the whole key it prints into /etc/ipsec.conf
## once you have finished editing both of your gateway servers, run the command "service ipsec restart"
## done
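Where the key goes: an example /etc/ipsec.conf for the step above, added by the editor and not the post's own configuration. The line printed by "ipsec showhostkey --right" is the rightrsasigkey= entry in the conn stanza; run "ipsec showhostkey --left" on the gateway you call left for the leftrsasigkey= line. The same stanza, unchanged, is installed on both gateways and Pluto works out which side it is from the addresses. Addresses, subnets, ids and key values below are placeholders.

```ini
# /etc/ipsec.conf (Openswan 2.4 syntax), example added by the editor.
# Every address, subnet, id and key value here is a placeholder.
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none

conn office-to-branch
    type=tunnel
    authby=rsasig
    # this gateway: its public address and the LAN behind it
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gw-a.example
    # paste the output of "ipsec showhostkey --left" run on this gateway
    leftrsasigkey=0sAQ...LEFT-KEY-PLACEHOLDER...
    # the other gateway
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gw-b.example
    # paste the output of "ipsec showhostkey --right" run on the other gateway
    rightrsasigkey=0sAQ...RIGHT-KEY-PLACEHOLDER...
    auto=start
```

Each gateway publishes only its public key; the private half stays in /etc/ipsec.secrets, which is why "ipsec verify" checks for an RSA private key there. After editing both sides, "service ipsec restart" loads the conn, and "ipsec auto --status" shows whether the tunnel came up.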