plisten
Contents
- 1.0.0 Brute force attack
- 1.1.0 attacks to POP3 server
- 1.2.0 attacks to ssh server
- 2.0.0 Protected Listener
- 2.1.0 How To Protect
- 2.2.0 pop3 before connection
2014/07/20
plisten is a protected listen for Plan9 that is designed to protect servers from brute force attacks.
plisten is available at http://plan9.aichi-u.ac.jp/netlib/plisten/
Brute force attack
2013/11/14
attacks to POP3 server
The IPs in the following list have attempted to steal passwords by brute force attacks on my POP3 server.
They are taken from the log file covering 2013/06/03 to 2013/11/14.
DNS names of some of these IPs are unknown (unregistered).
Others are listed below:
Some of them are web servers that offer a "software download service"!
attacks to ssh server
Of course, we observe many more attacks on tcp22 (the ssh port).
My log shows 2535 unique IPs that tried this port during the period from 2013/03/14 to the present (2013/11/23).
Too many IPs to list!
get list of these IPs
The observation shows that some of them tried a hundred passwords and then went away without looking at the "Reject" message from my server.
Protected Listener
2014/07/20
We have plisten (protected listen) and plisten1 (protected listen1).
Both listen and listen1 are listeners for Plan9.
How To Protect
plisten and plisten1 check the IP of the requester.
The steps are as follows:
(1) if it is burst access then reject
(2) if (it is not in accept_database) and (it is in reject_database) then reject
(3) start a subprocess for the connection
That is, steps (1) and (2) are added to the official Plan9 listen and listen1.
The definition of burst access: trials more than maxconnect in a given time (10 seconds). The maxconnect is given as a command option.
For simplicity, directories /sys/log/accept and /sys/log/reject are used in place of accept_database and reject_database.
File names in these directories are the IPs to accept or reject.
Therefore you can register 202.250.160.40 to accept_database by
touch /sys/log/accept/202.250.160.40
pop3 before connection
Pop3 is the only way for a remote (non Plan9) user to register himself to accept_database.
Many authentication failures will cause him to be registered in reject_database.
The code below is tcp110:
#!/bin/rc
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip_local=$l(1) ip=$r(1) p=$l(2)}
# already in the reject directory: refuse without starting pop3
if(test -e /sys/log/reject/$ip){
	/usr/local/bin/386/logit -l pop3 Rejected $ip
	echo '-ERR Rejected'
	exit
}
# already in the accept directory: serve pop3 directly
if(test -e /sys/log/accept/$ip){
	/$cputype/bin/upas/pop3
	exit
}
# more than 5 "Fail" entries for this IP in the last 10 log lines: add to reject
w=`{tail -10 /sys/log/pop3 | grep 'Fail '$ip | wc}
if(test $w(1) -gt 5){
	touch /sys/log/reject/$ip
	/usr/local/bin/386/logit -l pop3 List $ip
	echo '-ERR Rejected'
	exit
}
/$cputype/bin/alarm 60 /$cputype/bin/upas/pop3
# /sys/log/pop3 is something like:
# old pop3 message:
# ar Apr 8 14:56:50 user arisawa logged in
# new pop3 message:
# ar Apr 8 14:56:50 user arisawa OK 202.250.160.166
a=`{tail -1 /sys/log/pop3}
# a successful login from this IP registers it in the accept directory
if(~ $a(7) OK && ~ $a(8) $ip){
	touch /sys/log/accept/$ip
	exit
}
/usr/local/bin/386/logit -l pop3 Fail $ip
/rc/bin/service/tcp110
Other services are rejected unless the requesting IP is in accept_database.
#!/bin/rc
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip=$r(1) p=$l(2)}
# only IPs in the accept directory reach sshserve
if(test -e /sys/log/accept/$ip){
	exec /bin/aux/sshserve -A 'tis password' `{cat $3/remote} >>[2]/sys/log/ssh
}
echo Rejected
/usr/local/bin/386/logit -l honeypot $p $ip
/rc/bin/service/tcp22
You need to change pop3.c so that the script tcp110 can work.
if(newns(user, 0) < 0){
senderr("newns failed: %r; server exiting");
exits(nil);
}
- syslog(0, "pop3", "user %s logged in", user);
+ syslog(0, "pop3", "user %s OK %s", user, peeraddr);
enableaddr();
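Review bot: peeraddr in the added syslog call is not declared or assigned anywhere in this hunk, so confirm that it is already filled in at this point (the call sits right after newns()) and that it holds the bare IP with no !port suffix, because the tcp110 script compares field 8 of this log line against $ip. Replacing the "logged in" text also changes the format for any other reader of /sys/log/pop3; a comment on the syslog line saying that tcp110 parses it by field position would keep the two in step.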
/sys/src/cmd/upas/pop3/pop3.c
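The check order from "How To Protect", steps (1) to (3) with the burst rule of more than maxconnect trials in 10 seconds, as an added example in portable C; it is not plisten's source. The in-memory tables that stand in for /sys/log/accept and /sys/log/reject, the table sizes, the names admit and recent, the choice to count rejected trials too, and the documentation-range IPs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define WINDOW  10   /* seconds; the interval the page gives */
#define MAXIPS  64   /* tracked peers (assumption) */
#define MAXHITS 32   /* timestamps kept per peer; maxconnect must be smaller */
enum { ACCEPT, REJECT_BURST, REJECT_LISTED };
struct peer { char ip[46]; time_t hits[MAXHITS]; int n; };
static struct peer peers[MAXIPS];
static int npeers;
/* Constructed stand-ins for /sys/log/accept and /sys/log/reject. */
static const char *accept_db[] = { "192.0.2.10", "192.0.2.30", NULL };
static const char *reject_db[] = { "192.0.2.20", "192.0.2.30", NULL };

static int listed(const char **db, const char *ip) {
    for (; *db != NULL; db++)
        if (strcmp(*db, ip) == 0) return 1;
    return 0;
}

/* Record one trial and return how many fall inside the last WINDOW seconds. */
static int recent(const char *ip, time_t now) {
    struct peer *p = NULL;
    int i, k = 0;
    for (i = 0; i < npeers && p == NULL; i++)
        if (strcmp(peers[i].ip, ip) == 0) p = &peers[i];
    if (p == NULL) {   /* new peer; a full table reuses slot 0 (simplification) */
        p = &peers[npeers < MAXIPS ? npeers++ : 0];
        memset(p, 0, sizeof *p);
        strncpy(p->ip, ip, sizeof p->ip - 1);
    }
    for (i = 0; i < p->n; i++)          /* forget trials older than WINDOW */
        if (now - p->hits[i] < WINDOW) p->hits[k++] = p->hits[i];
    if (k == MAXHITS) memmove(p->hits, p->hits + 1, --k * sizeof p->hits[0]);
    p->hits[k++] = now;
    return p->n = k;
}

/* Steps (1) and (2); ACCEPT means step (3) may start the subprocess. */
int admit(const char *ip, time_t now, int maxconnect) {
    if (recent(ip, now) > maxconnect) return REJECT_BURST;
    if (!listed(accept_db, ip) && listed(reject_db, ip)) return REJECT_LISTED;
    return ACCEPT;
}

int main(void) {
    for (int t = 0; t < 5; t++)   /* five trials, one second apart, maxconnect 3 */
        printf("t=%d -> %d\n", t, admit("198.51.100.7", (time_t)t, 3));
}
```

Because step (1) runs first, an IP in the accept table is still refused during a burst, while an IP present in both tables passes step (2).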