Snort and Chinese attackers



  • Hi all!

    Just a few quick questions regarding Snort; if someone can shed some light on what happened to me I would be very happy and would appreciate it a LOT!

    So since last July, my pfSense router was running as a plain vanilla pfSense install, that is, no packages whatsoever, and except for some custom settings, everything else was stock from a new pfSense install…

    Yesterday I decided that I had to install the packages I use the most (Squid, SG, Snort, HAVP, ntop), and immediately after installing Snort, I uploaded my general config file and after about 20 minutes, the router rebooted with my new settings.

    Good!

    Then I went to the Snort alerts page, only to see that for about 15 to 20 minutes, several SSH brute-force attempts were made on port 22, all IPs from China according to Google...

    Several of these IPs were also reported on anti-hacker websites.

    Also on the Snort blocked hosts page, I saw one entry that Snort created.  A few minutes later, it disappeared.

    So my questions:

    Between last july and yesterday, would a plain vanilla pfsense install have protected me?

    If not, how could I determine if I have been successfully attacked?  Logs in my linux machines?  Logs in the pfsense router??

    Why has the blocked entry been removed in snort?

    Finally, what to do in order to further protect my network against this??

    Thanks!



  • @lpallard:

    Hi all!

    So my questions:

    Between last july and yesterday, would a plain vanilla pfsense install have protected me?

    If not, how could I determine if I have been successfully attacked?  Logs in my linux machines?  Logs in the pfsense router??

    If your pfSense is configured for NAT (that is, your LAN is in private non-routable IP space), then the answer is most likely "yes, you were adequately protected", providing you had no port forwarding rule configured for SSH.  If you had a port forwarding rule, then the port forwarding target should be checked out by looking in the Linux logs for any suspicious SSH logins or any other unusual activity.  Depending on your distro, look in /var/log/messages, /var/log/secure or /var/log/system.

    @lpallard:

    Why has the blocked entry been removed in snort?

    If the pfSense firewall packet filter table is reloaded by any of several internal "triggers", then the Snort blocking is cleared.  This behavior appeared in the last 2.1 release of pfSense.  It's not a really big issue, though, because on the next offending packet from the "bad host" a new block will be instated.

    @lpallard:

    Finally, what to do in order to further protect my network against this??

    Obviously run Snort… ;D

    After that, if you need SSH available from outside of your LAN, use the digital certificate mode (that is, generate a public/private key pair and use it instead of just password-protected logins).  You can Google how to set this up.

    Bill
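Bill's pointer to the Linux logs, as an added worked example that is not from this thread, from pfSense or from Snort: a small Python scanner over the sshd entries of a syslog-style auth log (/var/log/secure or /var/log/auth.log, depending on the distro) that counts failures per source address and flags any password login that succeeded after a run of failures from the same address, which is the trace a successful brute force leaves behind. The log lines are constructed for illustration, the addresses are from the RFC 5737 documentation ranges, and the failure threshold is an arbitrary assumption.

```python
"""Scan sshd entries in a syslog-style auth log and flag logins that look like
a brute-force attempt that eventually succeeded.

Added example: the log below is constructed for illustration; the addresses
are RFC 5737 documentation addresses, not real attackers."""
import re

# Matches the two sshd messages that matter here:
#   "Failed <method> for [invalid user ]<user> from <ip> port <n> ..."
#   "Accepted <method> for <user> from <ip> port <n> ..."
# sshd prefixes "invalid user" when the account does not exist at all.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: 203.0.113.77 guesses six times and then gets in with a
# password; 198.51.100.9 gives up after three guesses; 10.0.0.5 is a normal
# key-based login from the LAN.
SAMPLE_LOG = """\
Dec  1 03:14:07 gw sshd[1201]: Failed password for root from 203.0.113.77 port 51234 ssh2
Dec  1 03:14:09 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.77 port 51236 ssh2
Dec  1 03:14:11 gw sshd[1205]: Failed password for invalid user oracle from 203.0.113.77 port 51238 ssh2
Dec  1 03:14:13 gw sshd[1207]: Failed password for root from 203.0.113.77 port 51240 ssh2
Dec  1 03:14:15 gw sshd[1209]: Failed password for root from 203.0.113.77 port 51242 ssh2
Dec  1 03:14:17 gw sshd[1211]: Failed password for root from 203.0.113.77 port 51244 ssh2
Dec  1 03:14:20 gw sshd[1213]: Accepted password for root from 203.0.113.77 port 51246 ssh2
Dec  1 03:20:02 gw sshd[1250]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
Dec  1 03:20:04 gw sshd[1252]: Failed password for invalid user guest from 198.51.100.9 port 40003 ssh2
Dec  1 03:20:06 gw sshd[1254]: Failed password for root from 198.51.100.9 port 40005 ssh2
Dec  1 09:00:00 gw sshd[2000]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2: RSA SHA256:abcdef
Dec  1 09:00:30 gw sshd[2002]: Connection closed by 10.0.0.5 port 40000
"""


def parse_auth_log(text):
    """Return sshd login events in file order as (ip, user, method, accepted)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["method"], m["result"] == "Accepted"))
    return events


def summarize(events, threshold=5):
    """Per source IP: failure count, accepted logins, and whether a password
    login was accepted after `threshold` or more failures from the same
    address.  Key-based accepts are listed but never flagged: a guessed
    password cannot produce an "Accepted publickey" line."""
    report = {}
    for ip, user, method, accepted in events:
        entry = report.setdefault(ip, {"failed": 0, "accepted": [], "suspect": False})
        if accepted:
            entry["accepted"].append((user, method))
            if method == "password" and entry["failed"] >= threshold:
                entry["suspect"] = True
        else:
            entry["failed"] += 1
    return report


if __name__ == "__main__":
    for ip, entry in summarize(parse_auth_log(SAMPLE_LOG)).items():
        flag = "  <-- password login after a run of failures" if entry["suspect"] else ""
        print(f"{ip:16} failed={entry['failed']:3} accepted={entry['accepted']}{flag}")
```

Run it against the real file with `summarize(parse_auth_log(open("/var/log/auth.log").read()))`; any address marked suspect deserves a look at the `last`/`lastlog` output and the shell history of the user named in the accept line. The scanner does not handle rotated or compressed logs, so check the `.1` and `.gz` siblings too.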



  • Thanks Bill for your kind reply!

    About an hour ago, I looked in Snort's blocked list, and there was an entry.  I just looked, the list is empty, and I'm worried about that.  The older versions of Snort were not doing that.

    Is there a way to find out which command had Snort flush its blocked list?



  • @lpallard:

    Thanks Bill for your kind reply!

    About an hour ago, I looked in Snort's blocked list, and there was an entry.  I just looked, the list is empty, and I'm worried about that.  The older versions of Snort were not doing that.

    Is there a way to find out which command had Snort flush its blocked list?

    Do not fret about the block list getting periodically cleared.  It's not something users can currently fix without recoding the internals of pfSense.  It is not a Snort issue.  The problem is buried deeper within the new 2.1 code of pfSense (and possibly related to the update to FreeBSD 8.3 from 8.1).  As I have said here on the forum about a hundred times… ;) bad hosts will get blocked again when they send another bad packet.  In other words, just like they got blocked the very first time they sent a bad packet, so will they get blocked again when they send another bad packet even after being cleared from the block list.  Clearing a host from the block list DOES NOT whitelist the host.

    The recommended setting for Snort has always been to let it automatically clear the block list anyway after one hour.  This is done via a cron job.  There is a bug in the new 2.1 code of pfSense (or unintended "feature", depending on your point of view) where anything that causes a filter reload in pfSense will clear Snort's block table in the process.

    Bill



  • You can also try the pfBlocker package (without removing Snort :)) and deny access from any IP from China to your network.



  • Hello Marcello,

    I did that a while ago..  Not sure why the "attacks" are being picked up by Snort…  Is it because pfBlocker did not see them?  Or is it because Snort comes first and stopped them before pfBlocker had a chance to pick them up?

    I'm being hit every 10 minutes or so by waves of SSH brute-force attempts... All IPs from China..



  • Maybe the pfBlocker lists are old and not 100% accurate.


  • Where to get the new ones?

    I had to uninstall pfBlocker because a Chinese IP got caught belonging to a client based in Denmark….

    @marcelloc:

    Maybe the pfBlocker lists are old and not 100% accurate.



  • @lpallard:

    Hello Marcello,

    I did that a while ago..  Not sure why the "attacks" are being picked up by Snort…  Is it because pfBlocker did not see them?  Or is it because Snort comes first and stopped them before pfBlocker had a chance to pick them up?

    I'm being hit every 10 minutes or so by waves of SSH brute-force attempts... All IPs from China..

    To lpallard:
    Snort comes first; they might be blocked by the pfBlocker lists already, but Snort will still alert, since it's "closer" to the network. It gets complicated quite fast from there on, but to keep things simple it's network > Snort (passthrough, capture copy, analyze copy) > pfBlocker > pf > out the other side.

    To others:
    As Bill (and I) have already said, don't use SSH password logins. Any admin running SSH password-based logins should be taken out in the woods, and a bullet should be arranged to go through his head (it works best if you aim just an inch higher than where the spine is connected; less splatter). I say arranged, because it does hold up in a court of law: you did not execute him. The bullet just happened to go through his head. One is 25 years, one is 3.

    It's 2013. Everybody reading this, drop what you are doing and go set up 4096-bit keys NOW. Forget about passwords. They vanished 10 years ago.

    To check for signs of successful attacks, check logs; if running a distro other than Debian, get rid of it (no arguments, just do it); install fail2ban, install rkhunter and run checks. That's the first paragraph; there's plenty more to do from there on. If the logs and rkhunter come clean it means one of 2 things: 1) they were not Chinese hackers (they don't know how to clear logs; oh well, I guess they will start reading about it now... looks around... no they won't, nobody takes me seriously) or 2) your box is clean.
    A note on log clearing. You'll see log rotation detected in the fail2ban logs (nobody (that's actually NOBODY) bothers with that log; the adrenaline rush gets to them) at irregular times (i.e., you (or the system) have set up log rotation at 12:01 (military time) and you see a rotation at 17:00).

    I am a bit blunt, but I'm tired of stating the same facts again and again. Don't expose servers to the internet and you are safe. Expose them only after properly preparing them.
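The advice in the last two posts boils down to one sshd_config change: passwords off, keys on. As an added example that is not from this thread, pfSense or OpenSSH, here is a Python audit of the global section of an sshd_config, with a constructed "weak" file beside a constructed "hardened" one. It models two sshd_config rules that routinely defeat the fix: sshd keeps the first value it reads for each keyword (so a `PasswordAuthentication no` appended at the bottom of a file that already says `yes` near the top changes nothing), and everything after the first `Match` line is conditional rather than global. The default values are OpenSSH's documented defaults; the file contents and the finding texts are my own.

```python
"""Audit the global section of an sshd_config for the settings that matter
once port 22 is reachable from the internet.

Added example, not OpenSSH or pfSense code.  Both configs below are
constructed for illustration."""

# OpenSSH defaults (sshd_config(5)) for options absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the older name of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# Constructed: a stock-looking file with a "fix" appended at the bottom.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
# Added by an admin after the brute-force wave.  sshd keeps the FIRST value
# it read for this keyword, so this line is silently ignored.
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# Constructed: key-only from everywhere, passwords tolerated only from the LAN.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_global_settings(text):
    """Return the values sshd will use globally for the keywords in DEFAULTS.

    Comment lines are skipped, keywords are case-insensitive, the first value
    for a keyword wins, and parsing stops at the first Match line because
    everything after it applies only to the matching connections."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value" are both accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)  # first occurrence wins
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(text):
    """List the weaknesses in the global policy; an empty list means key-only."""
    s = effective_global_settings(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively 'yes': guessed passwords are accepted")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM can still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: nobody can log in with a key")
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {effective_global_settings(cfg)}")
        for f in audit(cfg) or ["no findings"]:
            print("   ", f)
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the target box; the command `sshd -T` prints the same effective values straight from sshd and is the authoritative check after editing. Generate the key pair the posters are asking for with `ssh-keygen -t rsa -b 4096` (or `-t ed25519`), install the public key before turning `PasswordAuthentication` off, and keep one existing session open while reloading sshd so a mistake does not lock you out.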



  • On this note….  is it just me, or have the Chinese been overly active the last week or so?

    Is our Black this or Cyber someday and the push to do online shopping for Christmas allowing them to find even more ways to exploit systems?  And I'm not even a business... just a home system up on a mountain side.

    Anyway, my thanks (again) to the folks who bring us pfSense, Snort and pfBlocker!!
    I wish someone in our government would WAKE THE F**K UP!!

    Rick



  • Unless there are 5 zeros after a number, no government will bother with it. If tomorrow (or next week, since it's a weekend) pfSense starts selling for a 6-digit number, every single government on the entire planet will write laws requiring its use.
    Then there will be the "Security Experts" that studied "Information Systems Security" and took a couple of "Security in an Inter-connected World" seminars. Those (insert a not-so-flattering comment here) will come along, sign a contract for "Systems Support and Maintenance" and will take 3 years to install a patch. During those years every (as the saying here goes) dog will piss on the systems. Disclaimer: This paragraph has been an actual fact. A well-known Middle East ISP, whose name shall not be mentioned in order to protect the guilty, took 3 years to patch a damned system. In the meantime, every single username and password of every single customer was leaked on the internet. Anyone with a computer that knew how to download an exploit (i.e. most "hackers") was granted free access to it. Last time I checked, the list is still there.
    You can now understand why I sound so angry on these forums (usually): because I have to deal with the "Security Experts" that studied "Information Systems Security" and took a couple of "Security in an Inter-connected World" seminars, daily.
    For example, last week I called a guy who I'm sure has 20 years of experience in IT. I can actually vouch, without ever talking to him before, that he is the best there is in this country. "Hi, this is ….. you talked with ..... to get a domain transferred. Have you prepared the domain for the transfer?" The 20-years-of-experience guy's response was "I don't need to prepare anything, you just initiate the transfer and I get an email to accept it." My response: "No, actually the transfer will fail unless the domain status is ACTIVE or OK. You can check it with a whois on the domain. Right now it says... clickety-click... Registrar-lock. Can you please remove the transfer lock and get back to me?"
    A week later, and I'm still waiting for the "Expert" to remove a domain's transfer lock. A process which takes exactly 17 seconds to complete. Sigh.
    Nobody bothers with security or learning something new each day to be honest. Most "Experts" are happy to know how to turn on a system and get on fb and that's it. That actually makes them the very best there is in multiple countries, the geek-elite.
    I could go on all day, but it's getting off-topic. My apologies to the OP for going off-topic.