

plisten
Contents
- 1.0.0 Brute force attack
- 1.1.0 attacks to POP3 server
- 1.2.0 attacks to ssh server
- 2.0.0 Protected Listener
- 2.1.0 How To Protect
- 2.2.0 pop3 before connection
2014/07/20
plisten is a protected listen for Plan9, designed to protect a server from brute force attacks.
plisten is available at http://plan9.aichi-u.ac.jp/netlib/plisten/
Brute force attack
2013/11/14
attacks to POP3 server
The IPs in the following list have attempted to steal passwords by brute force attacks on my POP3 server.
They are taken from a log file covering 2013/06/03 to 2013/11/14.
The DNS names of some of these IPs are unknown (unregistered).
The others are listed below:
Some of them are web servers that provide a "software download service"!
attacks to ssh server
Of course, we observe many more attacks on tcp22 (the ssh port).
My log shows 2535 unique IPs that tried this port during the period from 2013/03/14 to the present (2013/11/23).
Too many IPs to list!
Protected Listener
2014/07/20
We have plisten (protected listen) and plisten1 (protected listen1).
Both listen and listen1 are listeners for Plan9.
How To Protect
Both plisten and plisten1 check the IP of the requester.
The steps are as follows:
(1) if it is burst access then reject
(2) if (it is not in accept_database) and (it is in reject_database) then reject
(3) start a subprocess for the connection
That is, steps (1) and (2) are added in front of what the official Plan9 listen and listen1 do.
Note the order: the burst check in step (1) is applied before the databases are consulted, so even an IP in accept_database is rejected while it is bursting.
The definition of burst access: more than maxconnect trials in a given time (10 seconds).
maxconnect is given by a command option.
For simplicity, the directories /sys/log/accept and /sys/log/reject are used in place of accept_database and reject_database.
The file names in these directories are the IPs to accept or reject.
Therefore you can register 202.250.160.40 in accept_database by
touch /sys/log/accept/202.250.160.40
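Steps (1) to (3) together with the directory databases, as an added example that is not plisten's own code: a small Python model that applies the burst check first and the accept/reject lookup second, so the effect of the ordering can be seen on a constructed connection sequence. Assumed rather than taken from the page: connection attempts arrive as (ip, timestamp in seconds) pairs, temporary directories stand in for /sys/log/accept and /sys/log/reject, and the IPs 203.0.113.5 and 198.51.100.7 are made up for the demonstration.

```python
"""Model of the plisten admission steps (1)-(3) described above.

Added example, not plisten's own code.  Assumptions not on the page:
attempts are seen as (ip, timestamp-in-seconds) pairs, and the accept and
reject databases are directories under a temporary root, not /sys/log.
"""
import os
import tempfile
from collections import defaultdict, deque

BURST_WINDOW = 10.0  # seconds: the "given time" from the text


class PListen:
    """Admission decisions for one listener: burst check, then databases."""

    def __init__(self, root, maxconnect):
        # stand-ins for /sys/log/accept and /sys/log/reject
        self.accept_dir = os.path.join(root, "accept")
        self.reject_dir = os.path.join(root, "reject")
        os.makedirs(self.accept_dir, exist_ok=True)
        os.makedirs(self.reject_dir, exist_ok=True)
        self.maxconnect = maxconnect          # the command-line option
        self.recent = defaultdict(deque)      # per-IP attempt timestamps

    def is_burst(self, ip, now):
        """Step (1): more than maxconnect attempts within BURST_WINDOW."""
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > BURST_WINDOW:
            q.popleft()                       # forget attempts outside the window
        return len(q) > self.maxconnect

    def in_accept(self, ip):
        return os.path.exists(os.path.join(self.accept_dir, ip))

    def in_reject(self, ip):
        return os.path.exists(os.path.join(self.reject_dir, ip))

    def register(self, ip, which):
        """Equivalent of `touch /sys/log/<which>/<ip>` (which: accept|reject)."""
        open(os.path.join(getattr(self, which + "_dir"), ip), "w").close()

    def decide(self, ip, now):
        """Return 'burst', 'reject' or 'accept' for one attempt from ip."""
        if self.is_burst(ip, now):
            return "burst"                    # step (1)
        if not self.in_accept(ip) and self.in_reject(ip):
            return "reject"                   # step (2)
        return "accept"                       # step (3): start the subprocess


def demo():
    """Constructed connection sequence; returns the decision for each attempt."""
    pl = PListen(tempfile.mkdtemp(), maxconnect=3)
    pl.register("202.250.160.40", "accept")   # the IP the text registers
    pl.register("198.51.100.7", "reject")     # constructed attacker
    events = [
        ("203.0.113.5", 0.0), ("203.0.113.5", 1.0), ("203.0.113.5", 2.0),
        ("203.0.113.5", 3.0),          # 4th attempt within 10 s: burst
        ("198.51.100.7", 5.0),         # not accepted and in reject_database
        ("202.250.160.40", 5.0), ("202.250.160.40", 5.1),
        ("202.250.160.40", 5.2),
        ("202.250.160.40", 5.3),       # accepted IP is still subject to step (1)
        ("203.0.113.5", 14.0),         # earlier attempts have aged out of the window
    ]
    return [pl.decide(ip, t) for ip, t in events]


if __name__ == "__main__":
    print(demo())
```

The last two groups of events show the two things worth remembering about the policy: an entry in accept_database does not exempt an IP from the burst check, and a burst is forgotten once its attempts are older than the window, so a slow attacker spacing attempts more than 10 seconds apart is only stopped by reject_database.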
pop3 before connection
Pop3 is the only way for a remote (non-Plan9) user to register himself in accept_database.
Many authentication failures will get him registered in reject_database.
The code below is tcp110:
#!/bin/rc
# $3 is the network connection directory passed by listen; remote and local hold addr!port
ifs='! '
r=`{cat $3/remote}
l=`{cat $3/local}
{ip_local=$l(1) ip=$r(1) p=$l(2)}
# known bad IP: refuse without running pop3
if(test -e /sys/log/reject/$ip){
	/usr/local/bin/386/logit -l pop3 Rejected $ip
	echo '-ERR Rejected'
	exit
}
# known good IP: run pop3 with no further checks
if(test -e /sys/log/accept/$ip){
	/$cputype/bin/upas/pop3
	exit
}
# more than 5 failures among the last 10 log lines puts the IP in reject_database
w=`{tail -10 /sys/log/pop3 | grep 'Fail '$ip | wc}
if(test $w(1) -gt 5){
	touch /sys/log/reject/$ip
	/usr/local/bin/386/logit -l pop3 List $ip
	echo '-ERR Rejected'
	exit
}
# otherwise run pop3 with a 60 second limit and inspect its last log line
/$cputype/bin/alarm 60 /$cputype/bin/upas/pop3
# /sys/log/pop3 is something like:
# old pop3 message:
#   ar Apr 8 14:56:50 user arisawa logged in
# new pop3 message:
#   ar Apr 8 14:56:50 user arisawa OK 202.250.160.166
a=`{tail -1 /sys/log/pop3}
if(~ $a(7) OK && ~ $a(8) $ip){
	touch /sys/log/accept/$ip
	exit
}
/usr/local/bin/386/logit -l pop3 Fail $ip
/rc/bin/service/tcp110
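The registration policy of the tcp110 script, as an added example that is not the page's script: a Python model of the same decisions, run over a constructed sequence of sessions so the "List after more than 5 failures" and "register after one OK" paths, and the tail -10 window, can be checked. Constructed and assumed, not from the page: the syslog prefix "ar Apr  8 14:58:00", the "user NAME OK ADDR" lines imitating the patched pop3 message, the assumption that logit appends its arguments after such a prefix (the page does not show logit's output format), temporary directories in place of /sys/log/accept and /sys/log/reject, and the IPs 203.0.113.5, 203.0.113.9 and 202.250.160.166.

```python
"""Model of the tcp110 policy in the rc script above.

Added example, not the page's script.  Constructed: the syslog prefix, the
'user NAME OK ADDR' lines (patched pop3 message), and the assumption that
logit writes 'Fail ADDR' / 'List ADDR' after a similar prefix.  The accept
and reject directories live under a temporary root instead of /sys/log.
"""
import os
import tempfile

WINDOW_LINES = 10   # tail -10 /sys/log/pop3
MAX_FAILS = 5       # test $w(1) -gt 5
PREFIX = "ar Apr  8 14:58:00"   # constructed syslog prefix: host, date, time


def count_recent_fails(log_lines, ip):
    """Failures for ip among the last WINDOW_LINES log lines.

    Exact match on the last two fields, which is what the script means by
    `grep 'Fail '$ip`; the grep itself is an unanchored regex, so it would
    also count 203.0.113.50 when ip is 203.0.113.5."""
    return sum(1 for line in log_lines[-WINDOW_LINES:]
               if line.split()[-2:] == ["Fail", ip])


def pop3_gate(root, log_lines, ip, auth_ok):
    """What tcp110 does for one connection from ip.

    auth_ok stands in for the outcome of the real pop3 server.  Returns
    'rejected', 'accept_db', 'listed', 'registered' or 'fail'."""
    accept = os.path.join(root, "accept", ip)
    reject = os.path.join(root, "reject", ip)
    if os.path.exists(reject):
        return "rejected"                     # echo '-ERR Rejected'
    if os.path.exists(accept):
        return "accept_db"                    # pop3 runs with no further checks
    if count_recent_fails(log_lines, ip) > MAX_FAILS:
        open(reject, "w").close()             # touch /sys/log/reject/$ip
        log_lines.append(f"{PREFIX} List {ip}")
        return "listed"
    # pop3 runs under alarm 60; on success the patched syslog writes OK + peer
    if auth_ok:
        log_lines.append(f"{PREFIX} user arisawa OK {ip}")
    a = log_lines[-1].split() if log_lines else []   # a=`{tail -1 /sys/log/pop3}
    if len(a) >= 8 and a[6] == "OK" and a[7] == ip:   # ~ $a(7) OK && ~ $a(8) $ip
        open(accept, "w").close()             # touch /sys/log/accept/$ip
        return "registered"
    log_lines.append(f"{PREFIX} Fail {ip}")   # logit -l pop3 Fail $ip
    return "fail"


def demo():
    """Constructed session sequence; returns the outcome of each session."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "accept"))
    os.makedirs(os.path.join(root, "reject"))
    log = []                                  # stands in for /sys/log/pop3
    out = []
    attacker, user, slow = "203.0.113.5", "202.250.160.166", "203.0.113.9"
    for _ in range(8):                        # 6 fails, then listed, then rejected
        out.append(pop3_gate(root, log, attacker, auth_ok=False))
    out.append(pop3_gate(root, log, user, auth_ok=True))    # registered
    out.append(pop3_gate(root, log, user, auth_ok=False))   # now in accept_database
    # window caveat: failures older than the last 10 log lines are forgotten
    for _ in range(5):
        out.append(pop3_gate(root, log, slow, auth_ok=False))
    log.extend(f"{PREFIX} user other OK 198.51.100.{i}" for i in range(10))
    out.append(pop3_gate(root, log, slow, auth_ok=False))   # still only 'fail'
    return out


if __name__ == "__main__":
    print(demo())
```

Two properties of the script stand out in the run: an IP needs more than 5 Fail lines within the last 10 lines of /sys/log/pop3 to be listed, so failures interleaved with enough other traffic never accumulate; and the success test reads the last line of the log after pop3 exits, so it depends on no other session having written a line in between (the $a(8) comparison with $ip limits the damage, since a foreign line can only register an IP that did log in).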
Other services are rejected unless the requesting IP is in accept_database.
#!/bin/rc
ifs='! '
r=`{cat $3/remote}
l=`{cat $3/local}
{ip=$r(1) p=$l(2)}
# only IPs already in accept_database reach sshserve
if(test -e /sys/log/accept/$ip){
	exec /bin/aux/sshserve -A 'tis password' `{cat $3/remote} >>[2]/sys/log/ssh
}
echo Rejected
/usr/local/bin/386/logit -l honeypot $p $ip
/rc/bin/service/tcp22
You need to change pop3.c so that the script tcp110 can work.
if(newns(user, 0) < 0){ senderr("newns failed: %r; server exiting"); exits(nil); } - syslog(0, "pop3", "user %s logged in", user); + syslog(0, "pop3", "user %s OK %s", user, peeraddr); enableaddr();
/sys/src/cmd/upas/pop3/pop3.c
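Review bot: the new syslog line is consumed by tcp110 through fixed field positions (~ $a(7) OK && ~ $a(8) $ip), so the format "user %s OK %s" and that test must be kept in step; in particular, if peeraddr is not set when this line is written, the line no longer ends with the client address, tcp110's comparison fails, and a successful login is logged by the script as Fail $ip. Consider checking that peeraddr is non-empty before this syslog call, or writing a fixed placeholder in its place so the field count stays constant. Also note that anything still matching the old "logged in" text in /sys/log/pop3 stops matching after this change.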