From The Hacker News

24 points

Surprised this isn’t a better known / prevented vector. I remember experimenting with variant IPs like this in IE6 over 20 years ago.

Checking now with Firefox and it auto-translates on the line below as I type one in. (Tried both 0x7f000001 and 2130706433 because they’re both variants of 127.0.0.1, and if there’s something bad running on that address you have other problems.)

Irrelevant nerd fact: 2130706433 is a prime number.

permalink
report
reply
4 points

So is 127

permalink
report
parent
reply
3 points
*

It’s not

permalink
report
parent
reply
8 points
*

I just plugged factor(2130706433); into Maxima and it says that it has no factors. Pretty sure that it’s prime.

permalink
report
parent
reply
9 points

Sorry, i said it was a mersenne prime, then realized it wasnt, so edited it and deleted it. It was a mess

permalink
report
parent
reply
16 points

Does anyone know of a linux tool that can immediately ban an IP address if they try to log in to ssh with specific user names? I see a ton of attempts in my logs for names like fax, mysql, admin, and of course root. Fail2ban only works if the same IP makes repeated attempts but I’m betting if I could generate a list from these failed attempts it would probably correlate with standard blocklists of compromised hosts. For that matter, is there a way to use an RBL to limit addresses that ssh will even accept? Of course none of these attempts have a chance of logging in, but it would still be nice to further limit my exposure for any future attacks.

permalink
report
reply
12 points
*

Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I’m pretty sure writing a custom one would be trivial (writing a custom parser+scenario for ghost cvs from no knowledge to fully deployed took me just one afternoon)

Another thing I like about crowdsec is the crowd sourced ban IPs. It’s super nice you can preemptively ban IPs that are port-scanning/probing other people’s servers.

It’s also MIT licensed and uses less ram than fail2ban.

permalink
report
parent
reply
1 point

Hmm I keep hearing about it but haven’t looked into it. One thing I have set up between my systems if they share the blocked IPs with each other so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?

permalink
report
parent
reply
2 points
*

One way to do this would be set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.

permalink
report
parent
reply
11 points

I think is better to not use an standard port and using fail2ban at the same time to avoid automated attacks. If you manage to implent what you are looking for, you are potentially telling an stacker which accounts exist and which not, allowing him to do an easier brute force attack. A typical attacker using a botnet will not be stopped by a single IP being baned, and as son as an IP is banned he will know that this account doesn’t exists. Another option is enabling port knocking.

permalink
report
parent
reply
4 points

Normally when an ssh login fails, it does so after the password attempt so no clue is given about which step failed. I would assume any type of RBL blocking would do the same, along with any available plugins that would ban based on a given username attempt?

One good thing though… I just realized fail2ban actually has a rule for blocking based on invalid user names, so I need to update my settings to make use of that filter. That will likely take care of the large number of attempts I’m seeing since I do see a number of IPs being used over and over.

permalink
report
parent
reply
5 points

Eh, those attempts are just noise anyway. Use proper pubkey auth instead of normal passwords and you’ll be fine. Any key size is probably enough to prevent successful bruteforce attacks. Anything above 2048 and there’s basically no chance for them to guess right within several years of constant trying. Most bots move along quickly as well, they try their predefined list of (common usernames) x (common passwords) and that’s it.

Install endlessh, an ssh tar pit, if you want to make their lives a little more annoying. Use a non-standard port if your OCD can’t stand the slowly filling auth attempt logs.

permalink
report
parent
reply
1 point

If I’m bruteforcing a server and each time that I try an username/password my IP gets banned but suddenly one combination allows me to do 4-5 test ( any bigger number than previously) you are potentially telling me that this user is different (it exists) than the previous ones. Therefore you are doing the attack easier for me because now I know which users actually exist in the machine. It doesn’t matter if you are locking the attacker after the password was given.

As others told you, using public key auth, non standard ports or even port knocking will be much more useful.

permalink
report
parent
reply
15 points

Interesting, I didn’t know IPv4 addresses converted to hex could be used for anything.

permalink
report
reply
25 points

It’s all 1s and 0s at the end of the day

permalink
report
parent
reply
8 points

You can use a decimal number as well. It’s rare to see that form of URL though.

permalink
report
parent
reply
7 points
*

Dotted Decimal is just a human convention. IPs are just 32 bit numbers meaning binary digit, and octal, dotted decimal and Hex are all valid representations of that same number. Subnet masks work via binary math.

Almost every single thing you would use an IP address for, you can substitute dotted decimal for octal or hex representations.

permalink
report
parent
reply
1 point

We have PABXes that use VxWorks and it uses hex IPs to identify each ethernet port

Might be easier to use with lower-level stuff like pure C?

permalink
report
parent
reply
4 points
*

Nah, it’s easier in pretty much every language. It’s just a 32 bit number that can be compared with a standard “<=” or “=” comparison operator in pretty much every language out there and a single ASM instruction. Writing it as four smaller numbers joined with dots is just how it’s easy to display for humans.

Many make the mistake of thinking that IPv4 addressess are always encoded like that. The address “127.0.0.1” is just 2130706433 in decimal. Some tools even accept misformed addresses like “0.0.0.2130706433”. Security concerns come in to play when a program checks for local addresses by comparing the individual “127”, “0”, “0”, “1” parts (or eg. “192”, “168”, ““, ,””) and allow or deny access based on that for example. Another part of the software will likely just accept a misformed address and a malicious actor can circumvent the filtering from earlier.

permalink
report
parent
reply
1 point

Some tools even accept misformed addresses like “0.0.0.2130706433”

Is that because it’s just three octets of zero bits? What tools do this?

permalink
report
parent
reply
1 point

I use a ssh server on my notebook to sync files. is having public key authentification enough to mitigate this attack? are only ssh servers attacked which use password auth. ?

permalink
report
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 6.7K

    Monthly active users

  • 6.6K

    Posts

  • 180K

    Comments