Re: "ssh" attacks

From: Jason Stubbs (jstubbswork-at.co.jp)
Date: Thu Jun 01 2006 - 01:36:33 CDT


Matthias Kilian wrote:
> On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
>> I expect I was not clear.
>>
>> Someone is attacking address 1, address 2, address 3; those
>> addresses are all blocked with respect to ssh, but because he
>> is attacking those addresses, I want to stop an expected attack
>> on address 4. I never want to pass ssh on address 1, address 2
>> or address 3 ever, I want to use the information that someone
>> was trying to ssh to those addresses to identify the person as
>> an attacker.
>
> Oh, sorry for not reading exactly.
>
> So your problem is that you want to get state for ssh connection
> attempts to addresses 1, 2 and 3 but at the same time want to block
> those connections. This isn't possible (no connection - no state).
>
> (QUICK HACK ALERT)
>
> But it may be possible to redirect those connections to some unused
> port on localhost (i.e. the firewall), let something listen on this
> port, and accept everything but immediately close the connection.
> Then use a simple pass rule with overload and max-src-conn options
> to add offending addresses to your table.
>
> Ciao,
> Kili
>
> ps: I didn't test the above, so if it's complete nonsense, feel
> free to flame me.

I've done this and it works quite well. Source is as follows. My first
attempt at POSIX network programming so feel free to correct/shoot me.

--

#define _DEFAULT_SOURCE   /* glibc needs this to expose daemon(3); harmless on BSD */
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/*
 * Sink listener: accept every TCP connection on port 2048 and close it at
 * once.  pf sees a completed handshake (and so gets state) even though the
 * peer never gets to talk.
 */
int main(void) {
        int s;
        int on = 1;
        struct sockaddr_in sa;

        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0)
                exit(1);
        /* allow an immediate restart while old connections sit in TIME_WAIT */
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_ANY);   /* any local address, 127.0.0.1 included */
        sa.sin_port = htons(2048);

        if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) != 0 ||
            listen(s, 64) != 0 || daemon(0, 0) != 0) {
                exit(1);
        }

        int c;
        struct sockaddr_in ca;
        socklen_t csize;   /* accept(2) takes a socklen_t *, not an int * */

        while (1) {
                memset(&ca, 0, sizeof(ca));
                csize = sizeof(ca);
                c = accept(s, (struct sockaddr *)&ca, &csize);
                if (c < 0) {   /* 0 is a valid descriptor; only -1 signals failure */
                        sleep(1);
                } else {
                        close(c);   /* accept, then drop immediately */
                }
        }

        return 0;
}

--
Jason Stubbs
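The pf side of the trick Kili describes and Jason's listener serves, as an added example (not posted by either of them): an rdr rule sends ssh attempts against the decoy addresses to the sink on the firewall, a pass rule on the redirected connection gives pf state and tracks the source, and the resulting table entries block address 4. The interface name, the 192.0.2.x addresses, the table name and the thresholds are assumptions chosen for illustration; port 2048 is the one Jason's program binds. The syntax is the pre-4.7 pf.conf style of the thread's era.

```pf
# Added example, not from the thread.  Placeholder names and addresses:
ext_if   = "em0"
decoys   = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"   # addresses 1-3, never serve ssh
sshhost  = "192.0.2.4"                              # address 4, the real ssh server
sinkport = "2048"                                   # port the accept-and-close listener binds

table <sshbrute> persist

set skip on lo0

# Anyone already in the table loses access to everything, address 4 included.
block in quick on $ext_if from <sshbrute> to any

# Send ssh attempts against the decoys to the sink on the firewall itself.
# rdr translation is applied before filtering, so the pass rule below
# matches on 127.0.0.1:$sinkport, not on the original decoy address.
rdr on $ext_if proto tcp from any to $decoys port ssh -> 127.0.0.1 port $sinkport

# The redirected connection is allowed (so pf gets state for it) and its
# source is tracked: more than 2 simultaneous connections, or more than
# 3 new ones in 30 seconds, adds the source to <sshbrute> and flushes
# every other state it holds.
pass in on $ext_if proto tcp from any to 127.0.0.1 port $sinkport \
    flags S/SA keep state \
    (max-src-conn 2, max-src-conn-rate 3/30, overload <sshbrute> flush global)

# Legitimate ssh to address 4, reachable only by sources not yet in the table.
pass in on $ext_if proto tcp from any to $sshhost port ssh flags S/SA keep state
```

Because the listener closes each connection immediately, the number of simultaneous established connections from one source rarely exceeds one, so in practice it is max-src-conn-rate rather than max-src-conn that trips the overload; keep both if you want the rule to also catch a peer that holds connections open. Entries added by overload stay in the table until removed, so a periodic `pfctl -t sshbrute -T expire 86400` (from cron, for example) drops sources that have been quiet for a day.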