Tuesday, 2009 October 06

Repelling brute force with iptables

Oct 6 08:11:10 jeruk sshd(pam_unix)[21960]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:15 jeruk sshd(pam_unix)[21963]: check pass; user unknown
Oct 6 08:11:15 jeruk sshd(pam_unix)[21963]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:20 jeruk sshd(pam_unix)[21966]: check pass; user unknown
Oct 6 08:11:20 jeruk sshd(pam_unix)[21966]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:25 jeruk sshd(pam_unix)[21968]: check pass; user unknown
Oct 6 08:11:25 jeruk sshd(pam_unix)[21968]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:30 jeruk sshd(pam_unix)[21971]: check pass; user unknown
Oct 6 08:11:30 jeruk sshd(pam_unix)[21971]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106
Oct 6 08:11:33 jeruk kernel: Blocked: IN=eth1 OUT= MAC=00:10:18:2f:78:31:00:d0:d0:36:d3:42:08:00 SRC=61.167.49.106 DST=60.52.204.6 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34905 DF PROTO=TCP SPT=37951 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

The attack above was successfully repelled and the address put on the blacklist, so any villain who has failed to break into my garden is going to run into trouble. Below are the iptables commands for repelling these villains of cyberspace.

# two chains: SSH rate-limits new port-22 connections, SSH_BLACKLIST parks an address for 5 minutes
/sbin/iptables -N SSH
/sbin/iptables -N SSH_BLACKLIST
# record the offender in SSH_COUNTER, log it ("Blocked: " is the prefix seen in the kernel log above), then reject
/sbin/iptables -A SSH_BLACKLIST -m recent --name SSH_COUNTER --set -j LOG --log-level warn --log-prefix "Blocked: "
/sbin/iptables -A SSH_BLACKLIST -j REJECT
# already blacklisted within the last 300 s: refresh the timestamp and reject
/sbin/iptables -A SSH -m recent --name SSH_COUNTER --update --seconds 300 -j REJECT
# 5 or more new connections within 60 s: blacklist
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 5 -j SSH_BLACKLIST
# a new connection less than 2 s after the previous one: log and reject
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "Added: "
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 2 -j REJECT
# well-behaved connection: drop any stale SSH_COUNTER entry, record the hit and accept
/sbin/iptables -A SSH -m recent --name SSH_COUNTER --remove -j LOG --log-level warn --log-prefix "Removed: "
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT
# send every new TCP connection to port 22 through the SSH chain
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH
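To see why the kernel logged the block at 08:11:33 after exactly five failures, here is an added example (my own code, not from the post) that models the xt_recent state behind the SSH chain and replays the post's log lines through it. It assumes each sshd "authentication failure" line and the kernel "Blocked:" line each stand for one NEW connection to port 22; the class and function names are my own.

```python
# Added example, not from the post: a small model of the xt_recent state behind
# the SSH chain above, replayed over the log lines from the post. Assumption:
# each sshd "authentication failure" line and the kernel "Blocked:" line stand
# for one NEW connection to port 22 (iptables counts SYNs, not PAM failures).
import re

HITCOUNT, WINDOW, BLACKLIST_TTL, RATE_GAP = 5, 60, 300, 2   # values from the rules
LOG_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ (?:sshd\(pam_unix\)\[\d+\]: "
                    r"authentication failure;.*rhost=(\S+)|kernel: Blocked: .*SRC=(\S+))")
SAMPLE_LOG = [  # copied from the post (kernel line trimmed); a real run reads /var/log/secure
    "Oct 6 08:11:10 jeruk sshd(pam_unix)[21960]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106",
    "Oct 6 08:11:15 jeruk sshd(pam_unix)[21963]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106",
    "Oct 6 08:11:20 jeruk sshd(pam_unix)[21966]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106",
    "Oct 6 08:11:25 jeruk sshd(pam_unix)[21968]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106",
    "Oct 6 08:11:30 jeruk sshd(pam_unix)[21971]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.167.49.106",
    "Oct 6 08:11:33 jeruk kernel: Blocked: IN=eth1 OUT= SRC=61.167.49.106 DST=60.52.204.6 PROTO=TCP SPT=37951 DPT=22 SYN URGP=0",
]

class RecentList:                      # one 'recent' table: addr -> hit timestamps (s)
    def __init__(self):
        self.hits = {}
    def set(self, addr, now):          # --set and --update both record a fresh hit
        self.hits.setdefault(addr, []).append(now)
    def rcheck(self, addr, now, seconds, hitcount=1):
        return sum(now - t <= seconds for t in self.hits.get(addr, [])) >= hitcount
    def remove(self, addr):            # --remove: matches only if the entry existed
        return self.hits.pop(addr, None) is not None

def ssh_chain(ssh, counter, addr, now):  # verdict for one NEW connection from addr
    if counter.rcheck(addr, now, BLACKLIST_TTL):   # SSH_COUNTER --update --seconds 300
        counter.set(addr, now)
        return "REJECT blacklisted"
    if ssh.rcheck(addr, now, WINDOW, HITCOUNT):     # SSH --rcheck --seconds 60 --hitcount 5
        counter.set(addr, now)                      # SSH_BLACKLIST: --set + LOG "Blocked: "
        return "REJECT Blocked:"
    if ssh.rcheck(addr, now, RATE_GAP):             # SSH --rcheck --seconds 2, LOG "Added: "
        ssh.set(addr, now)                          # then --update --seconds 2 -j REJECT
        return "REJECT Added:"
    counter.remove(addr)                            # SSH_COUNTER --remove, LOG "Removed: "
    ssh.set(addr, now)                              # SSH --set -j ACCEPT
    return "ACCEPT"

def replay(lines):                     # returns [(seconds_since_midnight, addr, verdict)]
    ssh, counter, out = RecentList(), RecentList(), []
    for m in filter(None, map(LOG_RE.match, lines)):   # lines without a new connection are skipped
        h, mi, s = (int(x) for x in m.group(1, 2, 3))
        now = h * 3600 + mi * 60 + s                    # single-day log, so no date handling
        addr = m.group(4) or m.group(5)
        out.append((now, addr, ssh_chain(ssh, counter, addr, now)))
    return out
```

Replaying the post's log gives five ACCEPT verdicts and then "REJECT Blocked:" on the sixth connection, 23 seconds after the first, which is exactly what the kernel line shows; the 2-second rule never fires here because the attempts are 5 seconds apart.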

Sunday, 2009 October 04

openswan-2.4.4-1.i386

My gateway server at the office got corrupted the day before yesterday. The message on the screen asked me to run fsck manually. From my own experience and that of my friends, fsck would not help at all with recovery, so I just mounted the data from my hard disk elsewhere and reformatted the gateway server, which runs Fedora Core 4 (a bit outdated?).


# rpm -iUvh openswan-2.4.4-1.i386.rpm
warning: openswan-2.4.4-1.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID b5cc27e1
Preparing... ########################################### [100%]
package openswan-2.4.4-1 is already installed
# cchkconfig ipsec on
bash: cchkconfig: command not found
# chkconfig ipsec on
# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/ah4.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/ipcomp.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/crypto/des.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/arch/i386/crypto/aes-i586.ko
# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.4...
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.11-1.1369_FC4smp/kernel/net/ipv4/xfrm4_tunnel.ko
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.11-1.1369_FC4smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]

## then enter the command "ipsec showhostkey --right"
## copy the whole key it prints into /etc/ipsec.conf
## once you have finished editing both gateway servers, enter the command "service ipsec restart"
## done
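As an added illustration (constructed here, not from the post), this is where the line printed by "ipsec showhostkey --right" ends up: a host-to-host conn stanza in /etc/ipsec.conf that can be pasted unchanged into both gateways. The conn name, addresses, subnets and the 0s... key values are placeholders; the real rightrsasigkey line is the one showhostkey prints on the other gateway, and leftrsasigkey comes from "ipsec showhostkey --left" on this one.

```conf
# /etc/ipsec.conf excerpt (added example, placeholder values)
conn office-to-office
    # this gateway; key line from "ipsec showhostkey --left" run here
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    leftrsasigkey=0sAQ...PLACEHOLDER-LEFT-KEY...
    # the other gateway; key line from "ipsec showhostkey --right" run there
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    rightrsasigkey=0sAQ...PLACEHOLDER-RIGHT-KEY...
    # RSA signatures, not a shared secret, so nothing secret has to be copied between the hosts
    authby=rsasig
    auto=start
```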

Wednesday, 2009 August 19

not infected?

I am not very confident in the chkrootkit tool I use to detect hacking activity on my servers. So, as an additional measure, I also installed rkhunter on every server, and it turns out I find rkhunter easier to use than chkrootkit, because rkhunter scans in more detail and comes with a report.


ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
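Reading two hundred lines of "not infected" by eye is how the one line that matters gets missed, so here is an added example (my own code, not from the post or from chkrootkit) that parses the report format shown above and keeps only the items needing a human: anything marked INFECTED, and anything whose answer is not one of the known-clean phrases, such as the .packlist path listed under suspicious files. The sample lines are copied from the output above plus one constructed INFECTED line to exercise that branch.

```python
# Added example, not from the post: triage chkrootkit output into the few items
# worth a look. Continuation lines (chkdirs:, eth0:1:, listed paths) belong to
# the item above them; a blank line ends a list of paths.
import re

ITEM_RE = re.compile(r"^(Checking `([^']+)'|Searching for (.+?)(?:, it may take a while)?)\.\.\. ?(.*)$")
BENIGN_RE = re.compile(r"^(\w+: )?(not infected|not found|not tested|nothing (found|detected|deleted)"
                       r"|no suspect files|\S+: not promisc and no PF_PACKET sockets)$")

SAMPLE = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Checking `ls'... INFECTED
""".splitlines()   # last line is constructed; the rest is copied from the report above

def parse_items(lines):
    """Group the output into (name, [result lines]) items."""
    items = []
    for line in map(str.rstrip, lines):
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(2) or m.group(3), [m.group(4)] if m.group(4) else []))
        elif line and items:             # continuation of the previous item
            items[-1][1].append(line)
    return items

def triage(lines):
    """Split items into infected / review / clean count."""
    report = {"infected": [], "review": [], "clean": 0}
    for name, results in parse_items(lines):
        if any("INFECTED" in r for r in results):
            report["infected"].append((name, results))
        elif results and all(BENIGN_RE.match(r) for r in results):
            report["clean"] += 1
        else:                            # unknown answer, or listed paths: a human decides
            report["review"].append((name, results))
    return report
```

The .packlist hit lands in "review" rather than "infected" on purpose: .packlist files are the install manifests Perl writes for every module, a well-known chkrootkit false positive, but the tool cannot tell that from a real dropped file, so the decision stays with the admin.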