masking out invalid root logins with logcheck?


masking out invalid root logins with logcheck?

martin f krafft
I use logcheck on almost all machines. With the increased SSH brute
force attacks of the last 2-3 years, I am now at a point where
almost 95% of all logcheck messages are login attempts as root to my
machines. On all these machines, sshd root login is restricted to
password-less login (RSA/DSA keys), so brute force attacks are never
going to succeed.

Thus, I am considering masking out entries of the following sort
with logcheck:

  sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
  sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2

but somehow I am not comfortable just doing it, which is why I am
asking for opinions, advice, and feedback from you guys. Would you
be able to think of reasons why I would *not* want to do that?

I don't really care about being informed that my servers are being
brute-forced, which is what fail2ban takes care of anyway...

Cheers,

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"... and so he killed Miguel in a rit of fealous jage."
                                               -- inspector clouseau


Re: masking out invalid root logins with logcheck?

Stefano Salvi-2
martin f krafft wrote:
> I don't really care about being informed that my servers are being
> brute-forced, which is what fail2ban takes care of anyway...
Unfortunately Fail2Ban doesn't block the attackers on this attack, as
the log line doesn't contain the IP of the attacker (the IP is only
listed if the login doesn't exist).
However, having the attempted attack listed in LogCheck mails doesn't
block it... I also ask: is there any use, however, in having it listed?

Cheers
        Stefano Salvi


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: masking out invalid root logins with logcheck?

martin f krafft
also sprach Stefano Salvi <[hidden email]> [2006.05.07.0926 +0200]:
> Unfortunately Fail2Ban doesn't block the attackers on this attack, as
> the Log line doesn't contain the IP of the attacker (the IP is only
> listed if the login doesn't exist).

Sure it blocks it. That would be a pretty bad bug if it didn't. At
least version 0.6.1 does.

> However, having the attempted attack listed in LogCheck mails
> doesn't block it... I also ask: is there any use, however, in
> having it listed?

Not really. My theory is that I don't need to know when someone
tries a password login for the root account, since password logins
are not possible anyway.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"when zarathustra was alone... he said to his heart: 'could it be
 possible! this old saint in the forest hath not yet heard of it, that
 god is dead!'"
                                                 - friedrich nietzsche


Re: masking out invalid root logins with logcheck?

paddy-9
In reply to this post by martin f krafft
On Sun, May 07, 2006 at 09:11:53AM +0200, martin f krafft wrote:

> I use logcheck on almost all machines. With the increased SSH brute
> force attacks of the last 2-3 years, I am now at a point where
> almost 95% of all logcheck messages are login attempts as root to my
> machines. On all these machines, sshd root login is restricted to
> password-less login (RSA/DSA keys), so brute force attacks are never
> going to succeed.
>
> Thus, I am considering masking out entries of the following sort
> with logcheck:
>
>   sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
>   sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
>
> but somehow I am not comfortable just doing it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

I too would be interested to hear reasons why *not*.

IMHO logcheck is not so much a way of monitoring and analysing what's
going on on your systems as a way of filtering out what you already
have better covered by other systems.  

If you are confident that you have all the bases covered without those
lines, then they're just noise, and noise removal is what logcheck is
for.

So ask yourself: is there any variation of a logcheck report in which,
seeing lines like that, you would actually learn something useful or
be prompted to do something that you wouldn't get better from your
other systems?

But I've said the same thing three times :-)

I suppose, more constructively, it might be useful to hear about
what people think constitutes a better system than reading such
logs and why.

> I don't really care about being informed that my servers are being
> brute-forced, which is what fail2ban takes care of anyway...

If there were a dramatic change in the pattern of such attacks,
would you know, would you care ?

Are there specific IPs and/or networks that you care more or care
less about ?

Is there any worthwhile analysis of such traffic beyond "there are
these attacks and we don't care about them" ? do you need it ?
do you already have it ?

Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall



Re: masking out invalid root logins with logcheck?

martin f krafft
also sprach paddy <[hidden email]> [2006.05.07.1159 +0200]:
> IMHO logcheck is not so much a way of monitoring and analysing
> what's going on on your systems as a way of filtering out what you
> already have better covered by other systems.  

This is a nice way of putting it. Thanks for your feedback.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
obviously i was either onto something, or on something.
                                 -- larry wall on the creation of perl


Re: masking out invalid root logins with logcheck?

Michael Stone-2
In reply to this post by martin f krafft
On Sun, May 07, 2006 at 09:11:53AM +0200, martin f krafft wrote:
>machines. On all these machines, sshd root login is restricted to
>password-less login (RSA/DSA keys), so brute force attacks are never
>going to succeed.

Probably what you want to highlight, then, is a *successful* login.

Mike Stone


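A way to try the masking Martin proposes before installing it, and at the same time to see Mike's point that a *successful* root login should keep reaching the report. This is an added example, not code from the thread or from the logcheck project: the two rules are written in the extended-regex style logcheck's ignore files use (an assumption about the rule syntax), all log lines, hosts, addresses and ports are constructed, and the rules are applied the way logcheck applies them, with `grep -E -v -f`.

```shell
#!/bin/sh
# Added example, not from the thread or the logcheck project: apply candidate
# logcheck ignore rules to a constructed syslog extract and see what survives.
# logcheck drops every line that matches any rule in its ignore files; this
# does the same with grep -E -v -f, so rules can be tested before being installed.

# Constructed sample log lines (hostnames, addresses, ports and times are made up).
SAMPLE_LOG='May  7 09:11:53 host sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May  7 09:11:55 host sshd[5998]: Failed password for root from 192.0.2.10 port 47130 ssh2
May  7 09:12:01 host sshd[6002]: Failed password for invalid user admin from 192.0.2.11 port 40111 ssh2
May  7 09:15:22 host sshd[6010]: Accepted publickey for root from 192.0.2.50 port 50122 ssh2
May  7 09:16:40 host sshd[6015]: Accepted password for root from 192.0.2.99 port 50200 ssh2'

# Candidate ignore rules, one extended regex per line, anchored on the full
# syslog line (assumed logcheck rule style). Only the two message types from
# the original post are masked, and only for user root; "Accepted" lines are
# deliberately left alone so a successful root login is still reported.
IGNORE_RULES='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[._[:alnum:]-]+ +user=root$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for root from [[:xdigit:].:]+ port [[:digit:]]+ ssh2$'

# Print the lines that would still appear in the logcheck report.
filter_log() {
    rules=$(mktemp)
    printf '%s\n' "$IGNORE_RULES" > "$rules"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$rules"
    rm -f "$rules"
}

# Number of surviving lines.
reported_count() {
    filter_log | wc -l | tr -d ' '
}

# Exit 0 when a line containing the given fixed string survives the filter.
is_reported() {
    filter_log | grep -F -q -- "$1"
}

# Show what the report would contain: three lines survive (the attempt
# against "admin" and both successful root logins); the two root password
# failures from the original post are gone.
filter_log
```

The rules match the whole line on purpose: a pattern like `Failed password for root` alone would also swallow lines from other daemons or hosts that happen to contain that text, and the anchored `user=root$` keeps the pam_unix rule from hiding failures for any other account.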

Re: masking out invalid root logins with logcheck?

martin f krafft
also sprach Michael Stone <[hidden email]> [2006.05.07.1606 +0200]:
> >machines. On all these machines, sshd root login is restricted to
> >password-less login (RSA/DSA keys), so brute force attacks are never
> >going to succeed.
>
> Probably what you want to highlight, then, is a *successful* login.

Sure, those get logged anyway, as cracking attempts, because our
policy is never to log in as root. However, we leave
without-password in there and keep a separate root DSA key, just in
case.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"i am not in favor of long engagements. they give people the
 opportunity of finding out each other's character before marriage,
 which i think is never advisable."
                                                        -- oscar wilde


Re: masking out invalid root logins with logcheck?

Jeff Coppock
In reply to this post by martin f krafft
> From: martin f krafft
>
> but somehow I am not comfortable just doing it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

I came up against the same issue some time ago and decided to move my sshd to
a non-standard port.  This dramatically reduced the number of log entries,
and I see hardly any login attempts logged.  I also updated my snort rules
with the new port.  This works for me.  I'm also considering setting up a
specific iptables rule to log the ssh hits separately, but there aren't
enough to bother with that so far.

I figure this setup eliminates the automated ssh exploits, which is the bulk
of it.  This won't keep some enterprising cracker from scanning for the
actual port and then attempting exploits, but this should leave more evidence
to the effect.

my 2 cents,
jc

--
Jeff Coppock            Systems Engineer
Diggin' Debian          Admin and User



Re: masking out invalid root logins with logcheck?

martin f krafft
also sprach Jeff Coppock <[hidden email]> [2006.05.07.1836 +0200]:
> I came up against the same issue some time ago and decided to move my sshd to
> a non-standard port.  This dramatically reduced the number of log entries,
> and I see hardly any login attempts logged.  I also updated my snort rules
> with the new port.  This works for me.  I'm also considering setting up a
> specific iptables rule to log the ssh hits separately, but there aren't
> enough to bother with that so far.

This can work in small-scale scenarios, but not in large-scale ones
with a number of different clients. I do not want to go down this
path; instead, I prefer to enforce a strong password policy.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
linux: because a pc is a terrible thing to waste


Re: masking out invalid root logins with logcheck?

Máté Soós
In reply to this post by Jeff Coppock

Jeff Coppock wrote:

>> From: martin f krafft
>>
>> but somehow I am not comfortable just doing it, which is why I am
>> asking for opinions, advice, and feedback from you guys. Would you
>> be able to think of reasons why I would *not* want to do that?
>
> I came up against the same issue some time ago and decided to move my sshd to
> a non-standard port.  This dramatically reduced the number of log entries,
> and I see hardly any login attempts logged.  I also updated my snort rules
> with the new port.  This works for me.  I'm also considering setting up a
> specific iptables rule to log the ssh hits separately, but there aren't
> enough to bother with that so far.
>
> I figure this setup eliminates the automated ssh exploits, which is the bulk
> of it.  This won't keep someone enterprising cracker from scanning for the
> actual port and then attempting exploits, but this should leave more evidence
> to the effect.  

I disabled the ping service. Since most automated exploits check if the
IP is up-and-running by pinging it, this eliminates a lot of stress -
and it is not unusual in that all normal applications will run smoothly,
default settings (i.e. port, etc) will work.

my 2 cents :)

Máté Soós




Re: masking out invalid root logins with logcheck?

Emanuele Rocca
In reply to this post by martin f krafft
Hello Martin,

* martin f krafft <[hidden email]>, [2006-05-07  9:11 +0200]:
>  Thus, I am considering masking out entries of the following sort
>  with logcheck:
>  
>    sshd[5998]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=160.29.165.133 user=root
>    sshd[5998]: Failed password for root from 160.29.165.133 port 47130 ssh2
>  
>  but somehow I am not comfortable just doing it, which is why I am
>  asking for opinions, advice, and feedback from you guys. Would you
>  be able to think of reasons why I would *not* want to do that?

The only situation I've been able to imagine is a human error leading to
a change to your security policy.

For instance, a co-worker who temporarily allows remote root logins, God
knows why. I'd be sad about my choice of filtering out root login attempts
in that case.

ciao,
    ema


Re: masking out invalid root logins with logcheck?

martin f krafft
also sprach Emanuele Rocca <[hidden email]> [2006.05.08.2106 +0200]:
> For instance, a co-worker who temporarily allows remote root
> logins, God knows why. I'd be sad about my choice of filtering out
> root login attempts in that case.

I'd have such a co-worker immediately shot. :)

But yes, you are right. To be on the safe side, I added a comment to
sshd_config.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
"nothing can cure the soul but the senses,
 just as nothing can cure the senses but the soul."
                                                        -- oscar wilde


Re: masking out invalid root logins with logcheck?

Michael Stone-2
In reply to this post by Emanuele Rocca
On Mon, May 08, 2006 at 09:06:37PM +0200, Emanuele Rocca wrote:
>The only situation I've been able to imagine is a human error leading to
>a change to your security policy.
>
>For instance, a co-worker who temporarily allows remote root logins, God
>knows why. I'd be sad about my choice of filtering out root login attempts
>in that case.

If this configuration error happened and root logins were suddenly
allowed, it would be less effective to focus on a reduction in failed
root logins than on the sudden presence of successful root logins.

Mike Stone


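The drift Emanuele and Mike describe (someone quietly re-enabling password logins for root) can be checked from the configuration itself rather than inferred from the reports. The following is an added example, not code from the thread or from OpenSSH: it determines the `PermitRootLogin` value sshd would actually apply and flags it when root password logins are possible. It assumes the whitespace-separated `Keyword value` form (the `Keyword=value` form and `Match` blocks are not handled), and every config snippet is constructed. The detail worth knowing is that sshd uses the first value it reads for a keyword, so a directive appended at the end of the file changes nothing, while an edit to the original line does.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: determine the
# PermitRootLogin value sshd would actually use and flag it when root
# password logins are possible. Assumptions: keyword and value are separated
# by whitespace (the "Keyword=value" form and Match blocks are not handled),
# and all config snippets below are constructed sample input.

# Key-only root login, with a reminder comment like the one Martin mentions.
GOOD_CONFIG='# Root logs in with a key only. logcheck ignores failed root password
# attempts on this host, so do not loosen this without telling whoever reads the reports.
PermitRootLogin without-password
PasswordAuthentication yes'

# A careless edit appended a second directive. sshd keeps the FIRST value,
# so root password logins are still refused here, even though the last line says yes.
APPENDED_CONFIG='PermitRootLogin without-password
PermitRootLogin yes'

# The original line was changed; keywords are case-insensitive, so this counts.
BAD_CONFIG='PasswordAuthentication yes
permitrootlogin yes'

# Print the effective PermitRootLogin value in lower case, or "unset" if the
# directive is absent. Comments are stripped first; the first match wins,
# mirroring sshd's "first obtained value is used" rule.
effective_permit_root_login() {
    val=$(printf '%s\n' "$1" \
        | sed 's/#.*//' \
        | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'unset\n'
    fi
}

# Exit 0 when the effective value rules out password logins for root.
# "unset" is treated as not blocked: the default has changed between OpenSSH
# releases (older ones defaulted to yes), so an absent directive proves nothing.
root_password_login_blocked() {
    case "$(effective_permit_root_login "$1")" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on each constructed config: the first two pass, the third alerts.
for cfg in "$GOOD_CONFIG" "$APPENDED_CONFIG" "$BAD_CONFIG"; do
    if root_password_login_blocked "$cfg"; then
        echo "ok: PermitRootLogin=$(effective_permit_root_login "$cfg")"
    else
        echo "ALERT: PermitRootLogin=$(effective_permit_root_login "$cfg") permits root password logins"
    fi
done
```

Run against a real `/etc/ssh/sshd_config` by passing `"$(cat /etc/ssh/sshd_config)"` to `root_password_login_blocked`; pairing it with a logcheck rule that never masks `Accepted password for root` covers the same failure from the other side, which is the point Mike makes above.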