Bruteforce...

Júnior Maia Júnior

 Good morning everyone, I am back here again to ask for some help...
 
# Normalize packets #
scrub all reassemble tcp
scrub out all no-df max-mss 1492 random-id
 
# Fool fingerprinting attacks #
set require-order yes
#set optimization normal
#set fingerprints etc/pf.os
 
# Routing #
nat on fxp0 from 192.168.0.0/24 to any -> xxx.xx.xxx.xxx
 
# Interface macros #
externa = "fxp0"
interna = "vr0"
placa = "{fxp0,vr0}"
 
# Redirection #
rdr on $externa proto tcp from any to XXX.XX.XXX.XXX port 10150 -> 192.168.0.150 port 5900
 
# Tables #
table <bruteforce> persist
 
# FTP #
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $interna proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass in quick proto tcp from any to XXX.XX.XXX.XXX port 22 flags S/SA keep state (max-src-states 1)

# Break NMAP scans #
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
block drop in quick on $placa from any os {NMAP}
 
# TCP and UDP services #
tcp_services = "{ssh, smtp, domain, www, pop3, pop3s, auth, http, https}"
udp_services = "{domain}"
icmp_types="echoreq"
pass out proto tcp to any port $tcp_services
pass proto udp to any port $udp_services
pass inet proto tcp from any to $interna
 
# Loopback #
set skip on lo0
 
# Antispoof #
antispoof for vr0 inet
 
# Block brute force #
block log quick from <bruteforce>
pass inet proto tcp from any to $interna port $tcp_services keep state (max-src-conn 50, max-src-conn-rate 5/5, overload <bruteforce> flush global)

and I keep seeing these logs...
 
May 20 19:42:06 firewall254 sshd[23749]: Invalid user aabakken from 200.69.47.105
May 20 19:42:06 firewall254 sshd[8642]: input_userauth_request: invalid user aabakken
May 20 19:42:06 firewall254 sshd[23749]: Failed password for invalid user aabakken from 200.69.47.105 port 52186 ssh2
May 20 19:42:07 firewall254 sshd[8642]: Received disconnect from 200.69.47.105: 11: Bye Bye
May 21 06:18:38 firewall254 sshd[6205]: Did not receive identification string from 202.108.59.118
May 21 06:25:18 firewall254 sshd[6027]: Invalid user quarchioni from 202.108.59.118
May 21 06:25:18 firewall254 sshd[22579]: input_userauth_request: invalid user quarchioni
May 21 06:25:18 firewall254 sshd[22579]: Connection closed by 202.108.59.118
May 21 06:25:18 firewall254 sshd[6027]: Failed password for invalid user quarchioni from 202.108.59.118 port 29701 ssh2
May 21 06:28:16 firewall254 sshd[10469]: Connection closed by 202.108.59.118
May 21 07:35:30 firewall254 sshd[13045]: Did not receive identification string from 61.132.145.247
May 21 07:38:51 firewall254 sshd[18941]: Invalid user globus from 61.132.145.247
May 21 07:38:51 firewall254 sshd[4603]: input_userauth_request: invalid user globus
May 21 07:38:51 firewall254 sshd[18941]: Failed password for invalid user globus from 61.132.145.247 port 62713 ssh2
May 21 07:38:51 firewall254 sshd[4603]: Received disconnect from 61.132.145.247: 11: Bye Bye
May 21 07:40:26 firewall254 sshd[16495]: Connection closed by 61.132.145.247

I am using OpenBSD 4.6 and this firewall only does NAT for almost 50 computers.
What is missing from my config to stop these brute-force attempts?
 
Regards... Júnior Maia!!!


_______________________________________________
OpenBSD mailing list
[hidden email]
http://neei.uevora.pt/mailman/listinfo/openbsd
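An added example, not part of the thread: a Python script that replays the sshd lines quoted in the post through the same limit-per-window test that the post's `max-src-conn-rate 5/5` expresses, so you can see whether the logged sources ever reach that rate. Assumptions, all labelled in the code: the year 2010 for the yearless syslog timestamps, one connection per (source, second) as an approximation of a TCP connection, a sliding window in place of pf's decaying counter, and one constructed burst from the documentation address 198.51.100.7 to show what a trigger looks like.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the sshd lines quoted in the post, followed by a burst
# from 198.51.100.7 (documentation address, constructed for this example).
SAMPLE_LOG = """\
May 20 19:42:06 firewall254 sshd[23749]: Invalid user aabakken from 200.69.47.105
May 20 19:42:06 firewall254 sshd[8642]: input_userauth_request: invalid user aabakken
May 20 19:42:06 firewall254 sshd[23749]: Failed password for invalid user aabakken from 200.69.47.105 port 52186 ssh2
May 20 19:42:07 firewall254 sshd[8642]: Received disconnect from 200.69.47.105: 11: Bye Bye
May 21 06:18:38 firewall254 sshd[6205]: Did not receive identification string from 202.108.59.118
May 21 06:25:18 firewall254 sshd[6027]: Invalid user quarchioni from 202.108.59.118
May 21 06:25:18 firewall254 sshd[22579]: input_userauth_request: invalid user quarchioni
May 21 06:25:18 firewall254 sshd[22579]: Connection closed by 202.108.59.118
May 21 06:25:18 firewall254 sshd[6027]: Failed password for invalid user quarchioni from 202.108.59.118 port 29701 ssh2
May 21 06:28:16 firewall254 sshd[10469]: Connection closed by 202.108.59.118
May 21 07:35:30 firewall254 sshd[13045]: Did not receive identification string from 61.132.145.247
May 21 07:38:51 firewall254 sshd[18941]: Invalid user globus from 61.132.145.247
May 21 07:38:51 firewall254 sshd[4603]: input_userauth_request: invalid user globus
May 21 07:38:51 firewall254 sshd[18941]: Failed password for invalid user globus from 61.132.145.247 port 62713 ssh2
May 21 07:38:51 firewall254 sshd[4603]: Received disconnect from 61.132.145.247: 11: Bye Bye
May 21 07:40:26 firewall254 sshd[16495]: Connection closed by 61.132.145.247
May 21 08:00:00 firewall254 sshd[30001]: Did not receive identification string from 198.51.100.7
May 21 08:00:01 firewall254 sshd[30002]: Did not receive identification string from 198.51.100.7
May 21 08:00:02 firewall254 sshd[30003]: Did not receive identification string from 198.51.100.7
May 21 08:00:03 firewall254 sshd[30004]: Did not receive identification string from 198.51.100.7
May 21 08:00:04 firewall254 sshd[30005]: Did not receive identification string from 198.51.100.7
May 21 08:00:05 firewall254 sshd[30006]: Did not receive identification string from 198.51.100.7
"""

# Syslog timestamp, host, sshd[pid], then the first dotted quad in the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def connections_by_source(log_text, year=2010):
    """Map source IP -> sorted list of connection times.

    Approximation: sshd writes several lines per connection (two privsep
    pids), so all lines from one source within the same second are folded
    into one connection. Syslog lines carry no year; 2010 is the thread's.
    """
    seen = set()
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. input_userauth_request lines name no source
        stamp = " ".join(m["ts"].split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if (m["ip"], when) in seen:
            continue
        seen.add((m["ip"], when))
        conns[m["ip"]].append(when)
    return {ip: sorted(times) for ip, times in conns.items()}


def peak_rate(times, window_seconds):
    """Largest number of connections from one source inside any span of
    window_seconds. pf's max-src-conn-rate uses a decaying counter rather
    than a strict sliding window; this is the same idea in its simplest form.
    """
    best, start = 0, 0
    for end, when in enumerate(times):
        while (when - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def overload_candidates(log_text, limit, window_seconds):
    """Sources that exceed `limit` connections within `window_seconds`,
    the shape of `max-src-conn-rate limit/window_seconds`."""
    result = {}
    for ip, times in connections_by_source(log_text).items():
        peak = peak_rate(times, window_seconds)
        if peak > limit:
            result[ip] = peak
    return result


if __name__ == "__main__":
    # The post's rule: 5 connections per 5 seconds. Only the constructed burst
    # is fast enough; the logged sources space their tries minutes apart.
    print("max-src-conn-rate 5/5 ->", overload_candidates(SAMPLE_LOG, 5, 5))
    # The same sources do cross a much slower threshold (more than 2 in 600 s).
    print("more than 2 in 600 s  ->", overload_candidates(SAMPLE_LOG, 2, 600))
```

Run it as a script to see both reports: with the 5-per-5-seconds rate from the post, none of the three logged sources would ever be added to the table, because each of them opens a connection every few minutes rather than several per second, while the constructed burst is caught at once.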
Re: Bruteforce...

Marcus V Morais
with pf firewall:

pass quick proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

and install expiretable:

/usr/local/sbin/expiretable -v -d -t 24h bruteforce


see why here:

http://www.bgnett.no/~peter/pf/en/bruteforce.html#FTN.AEN1142


with sshd:

# \o/
Port 65533
AllowUsers yourUser
LoginGraceTime 10s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3


tip: strong passwords of course.

bye!

On 5/21/10, Júnior Maia Júnior <[hidden email]> wrote:



--
[*] CCNA Certified
[*] LPIC-1 Certified
[*] Security Enthusiast
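An added example, not code from the reply: a small Python audit that reads an sshd_config and reports where it departs from the settings listed above (AllowUsers present, LoginGraceTime 10s, PermitRootLogin no, StrictModes yes, MaxAuthTries 3, Port moved off the default 22). Assumptions, stated in the code: sshd honours the first occurrence of a keyword, everything after a Match line is conditional and is therefore skipped, comments are whole lines, and both sample configs are constructed for this example.

```python
import re

# (keyword, expected value, comparison): "equal" wants exactly that value,
# "present" wants the keyword set to anything, "not" wants any other value.
HARDENING_CHECKS = [
    ("port", "22", "not"),            # the reply moves sshd off the default port
    ("allowusers", None, "present"),  # AllowUsers yourUser
    ("logingracetime", "10s", "equal"),
    ("permitrootlogin", "no", "equal"),
    ("strictmodes", "yes", "equal"),
    ("maxauthtries", "3", "equal"),
]


def parse_global_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    Assumptions of this example: the first occurrence of a keyword wins (as in
    sshd), keywords are case-insensitive, "Key value" and "Key=value" are both
    accepted, comments occupy whole lines, and parsing stops at the first
    Match line because those settings apply conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """List (keyword, wanted, actual) for every check the config fails;
    actual is None when the keyword is unset and sshd's default applies."""
    settings = parse_global_sshd_config(text)
    findings = []
    for key, expected, mode in HARDENING_CHECKS:
        actual = settings.get(key)
        if mode == "present":
            ok, wanted = actual is not None, "set"
        elif mode == "not":
            ok, wanted = actual is not None and actual != expected, f"not {expected}"
        else:
            ok, wanted = actual is not None and actual.lower() == expected, expected
        if not ok:
            findings.append((key, wanted, actual))
    return findings


# Constructed sample: a stock-looking config with several of the issues the
# reply addresses. The second PermitRootLogin is ignored by sshd (first wins),
# and the Match block is skipped by the audit.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
StrictModes yes
Match User backup
    MaxAuthTries 1
    PermitRootLogin no
"""

# Constructed: the reply's settings as a global section (yourUser is the
# reply's own placeholder for a real login name).
HARDENED_CONFIG = """\
Port 65533
AllowUsers yourUser
LoginGraceTime 10s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Point the `audit` function at the contents of a real /etc/ssh/sshd_config to get the same report; an empty list means every setting from the reply is in place in the global section, and anything inside Match blocks still needs a manual look.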