sshcheck.php - Blocking SSH bruteforce attempts against client VPS containers - Page 2

Comments

  • When you send the logs to http://www.blocklist.de the attack will be automatically reported:
    http://www.blocklist.de/en/download.html#ohnefail2ban
    You have stats and more.

  • Nice idea

  • KuJoeKuJoe Member, Host Rep

    We use a honeypot method which works extremely well. We assign a handful of IPs that are scattered throughout our /22 to a single VPS with DenyHosts installed, after X attempted connects to that VPS within XX seconds the IP is blackholed on our routers so no traffic can pass to any of our nodes (the attacker will not see any of the network and hopefully move on). After XX minutes the blackhole is lifted to prevent blocking legitimate traffic in case the IP is given to a new user in the future.
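The mechanism KuJoe describes above (N attempts within a window triggers a block, lifted again after a hold time) can be modelled as a sliding-window counter with expiring entries. The code below is an added example, not KuJoe's or the thread's own tooling; it assumes a Linux host where the block is a local blackhole route (`ip route add blackhole`) rather than a router, and all thresholds, addresses and timestamps are constructed. Time is injected explicitly so the logic can be exercised offline.

```python
from collections import defaultdict, deque


class TemporaryBlackhole:
    """Honeypot-style tracker: block a source once it makes `max_attempts`
    connection attempts within `window` seconds, and lift the block after
    `hold` seconds so a reassigned IP is not punished forever.
    Thresholds are assumptions, not values from the thread."""

    def __init__(self, max_attempts=5, window=60, hold=30 * 60):
        self.max_attempts = max_attempts
        self.window = window
        self.hold = hold
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.blocked = {}                   # ip -> time at which the block expires

    def expire(self, now):
        """Lift blocks whose hold time has passed; return the released IPs."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
        return released

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked

    def record(self, ip, now):
        """Record one attempt at time `now`; return True if it triggers a block."""
        self.expire(now)
        if ip in self.blocked:
            return False                    # already blackholed, nothing new to do
        recent = self.attempts[ip]
        recent.append(now)
        # Drop attempts that fell out of the sliding window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.blocked[ip] = now + self.hold
            recent.clear()
            return True
        return False


def blackhole_commands(ip, add=True):
    """iproute2 command (argv list, no shell) to add or remove a blackhole route.
    Assumes a Linux box; the thread's authors do this on their routers instead."""
    verb = "add" if add else "del"
    return ["ip", "route", verb, "blackhole", f"{ip}/32"]


def simulate(events, tracker=None):
    """Replay constructed (timestamp, ip) attempts; return ips blocked, in order."""
    tracker = tracker or TemporaryBlackhole()
    return [ip for t, ip in events if tracker.record(ip, t)]


# Constructed sample: one fast scanner, one host that connects slowly.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7") for t in range(0, 5)]          # 5 attempts in 5 seconds
    + [(t, "198.51.100.9") for t in range(0, 500, 100)]  # 5 attempts over 400 seconds
)

if __name__ == "__main__":
    for ip in simulate(SAMPLE_EVENTS):
        print(" ".join(blackhole_commands(ip)))
```

Because `record` only counts attempts inside the window, the slow host never trips the threshold, while the scanner is blocked on its fifth attempt and released once `hold` seconds have elapsed.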

  • joepie91joepie91 Member, Patron Provider

    @Damian I think it would be a good idea if you defined a clear license for the script, for this reason.

  • As a developer I would have some sort of front end to remove rules via a link in email; this takes it away from a lightweight checker though.. More user friendly could mean fewer tickets. Many situations where I'd set this script off against myself. Perhaps the only one? (only skimmed post soz if way off lol)

  • @joepie91 said: @Damian I think it would be a good idea if you defined a clear license for the script, for this reason.

    Consider it released under http://sam.zoy.org/wtfpl/ . I can't edit the original post to reflect this.

    @kro said: many situations where id set this script off against self.

    So far the only time we've had a user locked out is when his nagios setup somehow managed to make more than 15 concurrent connections. He changed his setup to.. not do that... and so far haven't had any more false positives.

  • risharderisharde Patron Provider, Veteran

    @Damian Thanks for making this public. Nice one! ;)

  • postcdpostcd Member
    edited December 2017

    Thanks for the script. I wanted to mention that another possibility to protect OpenVZ VPSs might be fail2ban, as it may be configured to watch OpenVZ VPS log files and block bruteforcers on the node in ipset. https://internetlifeforum.com/virtualisation/9478-how-protect-openvz-vpss-host-node-server-using-fail2ban-ipset/

  • Bookmark it.

  • WSSWSS Member
    edited December 2017

    Since

    @postcd said:

    ↑ THIS ASSHOLE..

    ..bumped a 5+ year old thread, let me continue my habit of being helpful, even if @Taz has been gone for that long!

    @Taz said:
    Question /suggestion /note : this script by default will only work for port 22. Is there any way to make it dynamic? Something like (since this is ovz) find sshd_config, get the SSH port info and dynamically update your script?

    change ':22' in the netstat to ".escapeshellcmd(argv[1]).", and pass the port number in your query (php clownpenisfart.php 2202)

    @postcd said:
    thanks for the script

    May you be discovered under 5 pounds of rubble, ten years from now.

    Thanked by 2Clouvider pike
  • NeoonNeoon Community Contributor, Veteran

  • Is that the new imgur logo?

  • NeoonNeoon Community Contributor, Veteran

    @WSS said:
    Is that the new imgur logo?

    nah, just a bookmark.gif

  • @Neoon said:

    @WSS said:
    Is that the new imgur logo?

    nah, just a bookmark.gif

  • WSS said: Since

    @postcd said:

    ↑ THIS ASSHOLE..

    ..bumped a 5+ year old thread,

    I know there are two ways to get to the opposite corner of a square, but I'm not sure why you'd want to do something to scan the logs of your client VPSes when you can determine at the node level via netstat. Run time by walking through logs in VMs is likely going to be much slower. Also, nothing about this communicates between nodes: scanner skids are going to scan entire IP ranges, so this is going to be replicated on every node.

    Run time with my method is a couple of seconds. Also, the current iteration communicates with other nodes to immediately enter rules, blacking out all servers from the skids immediately.

    Goooooooooooooooooooooooooodbye moooooooooooonmen

    Thanked by 1gisadik
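Two technical points in the posts above are easy to get wrong in practice: Damian's node-level check (count concurrent connections per source from `netstat` rather than walking guest logs) and WSS's suggestion of taking the SSH port from argv instead of hard-coding `:22`. The following is an added example in Python, not code from sshcheck.php or from either poster; it validates the port as a bare integer up front (so nothing ever needs shell escaping), parses `netstat -tn` text, and builds the firewall command as an argv list. The threshold of 15 and the allowlist for a monitoring host are assumptions taken from the nagios false positive mentioned earlier in the thread, and all netstat output below is constructed.

```python
import ipaddress
import re
import subprocess
from collections import Counter

THRESHOLD = 15                 # concurrent connections per source before acting (assumed)
ALLOWLIST = {"198.51.100.9"}   # e.g. a known monitoring host; constructed value


def validate_port(arg):
    """Accept only a bare decimal port 1-65535 from argv; reject anything else.
    Validating up front means the value never needs escaping later."""
    if not re.fullmatch(r"[0-9]{1,5}", arg):
        raise ValueError(f"not a port number: {arg!r}")
    port = int(arg)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def count_connections(netstat_output, port):
    """Count TCP connections per remote host whose local port equals `port`.
    Works on `netstat -tn` text; IPv6 is handled by splitting on the last colon."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue                        # header lines, udp, raw sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue                        # a listener has no remote peer
        _, lport = local.rsplit(":", 1)
        if lport != str(port):
            continue
        rhost, _ = foreign.rsplit(":", 1)
        counts[rhost] += 1
    return counts


def offenders(netstat_output, port, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Remote addresses with >= threshold connections to `port`, minus the allowlist."""
    return sorted(
        host for host, n in count_connections(netstat_output, port).items()
        if n >= threshold and host not in allowlist
    )


def drop_rule(host):
    """iptables command as an argv list (no shell), after checking `host` is an IP."""
    ipaddress.ip_address(host)              # raises ValueError on anything else
    return ["iptables", "-I", "INPUT", "-s", host, "-j", "DROP"]


def _conn(remote, rport, lport=22, proto="tcp", local="10.0.0.5"):
    """One constructed netstat line."""
    return f"{proto}  0  0  {local}:{lport}  {remote}:{rport}  ESTABLISHED"


# Constructed `netstat -tn` sample: one source hammering :22, a monitoring host
# with the same count, one source hammering an alternate port 2202, plus
# unrelated :80 and IPv6 traffic that must not be miscounted.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address  Foreign Address  State"]
    + [_conn("203.0.113.7", 51000 + i) for i in range(16)]
    + [_conn("198.51.100.9", 40000 + i) for i in range(16)]
    + [_conn("192.0.2.3", 30000 + i, lport=2202) for i in range(20)]
    + [_conn("203.0.113.7", 52000, lport=80)]
    + [_conn("2001:db8::1", 60000 + i, proto="tcp6", local="2001:db8::5") for i in range(3)]
)


def main(port_arg="22", dry_run=True):
    """With dry_run=True the constructed sample is used; otherwise the real
    `netstat -tn` is run. Returns the rules that would be applied."""
    port = validate_port(port_arg)
    output = SAMPLE_NETSTAT if dry_run else subprocess.run(
        ["netstat", "-tn"], capture_output=True, text=True, check=True).stdout
    rules = [drop_rule(host) for host in offenders(output, port)]
    for rule in rules:
        print(" ".join(rule))
    return rules


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else "22")
```

Run as `python sshcheck_example.py 2202` to check an alternate port; the argv value is rejected unless it is purely numeric and in range, which is a stronger guarantee than escaping an arbitrary string before splicing it into a shell pipeline.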
  • @Damian I wasn't actually concerned about a shell around netstat still being the best way to check for this in 2017. I was just answering, so it wouldn't be completely a shitpost. :D

    Also, it helps quite well to ensure your clients' root ssh is disabled after the first login, and yeah, enforce decent keys.. but, then again, half this forum would be bare if that happened!

  • DamianDamian Member
    edited December 2017

    WSS said: @Damian I wasn't actually concerned about a shell around netstat still being the best way to check for this in 2017. I was just answering, so it wouldn't be completely a shitpost. :D

    Also, it helps quite well to ensure your clients' root ssh is disabled after the first login, and yeah, enforce decent keys.. but, then again, half this forum would be bare if that happened!

    By quoting, I was trying to pull in this "this asshole" part, but it's not bolded in the quote :(

    I'd really like to do randomized SSH ports on installation, but it's not in the cards yet. I'd much prefer to respond to "omfg y u no ssh port on default port" tickets instead of "omfg y my server got 'rm -rf /' because I use the same password on everything" tickets. Maybe in The Future this will be implemented and when this post gets bumped in another 5 years, that will be my new response.

    Thanked by 1WSS
  • I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    Thanked by 1hostdare
  • @IAlwaysBeCoding said:
    I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    That's the second time you admitted to being a rereg this month, Spike.

  • edited December 2017

    @WSS said:

    @IAlwaysBeCoding said:
    I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    That's the second time you admitted to being a rereg this month, Spike.

    @WSS I consider you like a brother from another mommy, but your beef with me is still hurting me deep inside. Even if your accusations run pretty hollow, seeing as you clearly have not a single ounce of idea what you are even talking about, I will always embrace you as my friend and dear adviser to LET.

    Rest assured, dear old pal, that you will always have a cozy welcoming place somewhere in my heart. Best wishes!

  • @IAlwaysBeCoding said:

    @WSS said:

    @IAlwaysBeCoding said:
    I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    That's the second time you admitted to being a rereg this month, Spike.

    @WSS I consider you like a brother from another mommy, but your beef with me is still hurting me deep inside.

    C'mon, Spike. 'fess up.

  • KuJoeKuJoe Member, Host Rep

    Damian said: I'd really like to do randomized SSH ports on installation

    This is my single favorite feature in Wyvern, giving clients the ability to click a button and randomize their SSH port has decreased the brute force attacks and compromises (although not letting the clients pick their own passwords on sign-up has also helped a lot).
