Debian defaults March 22, 2015 06:19PM
Registered: 9 years ago, Posts: 63
root@debian:~# man man
man: can't set the locale; make sure $LC_* and $LANG are correct
What manual page do you want?
root@debian:~# perl -v
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_PAPER = "de_DE.UTF-8",
	LC_ADDRESS = "de_DE.UTF-8",
	LC_MONETARY = "de_DE.UTF-8",
	LC_NUMERIC = "de_DE.UTF-8",
	LC_TELEPHONE = "de_DE.UTF-8",
	LC_IDENTIFICATION = "de_DE.UTF-8",
	LC_MEASUREMENT = "de_DE.UTF-8",
	LC_TIME = "de_DE.UTF-8",
	LC_NAME = "de_DE.UTF-8",
	LANG = "C"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

This is perl 5, version 14, subversion 2 (v5.14.2) built for arm-linux-gnueabi-thread-multi-64int
(with 88 registered patches, see perl -V for more detail)

Mar 23 00:03:01 debian auth.info sshd[5465]: Address 192.168.2.101 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Edited 2 time(s). Last edit at 03/25/2015 03:16PM by TEN.
Re: Debian defaults March 22, 2015 06:48PM
Admin, Registered: 13 years ago, Posts: 18,994

Re: Debian defaults March 22, 2015 07:59PM
Registered: 9 years ago, Posts: 63
Congratulations on the well-deserved following. :) So whatever the solution (e.g. just what you do first yourself for your locales & TZ), it will make it easier for many...

Quote bodhi:
> Quote TEN:
> > Neither /usr/bin/tzselect nor dpkg-reconfigure tzdata, even when they have been found, say they set the TZ for more than the current user (even recommending to add exports to the ~/.profile) - this could be prompted for system-wide, have one recommended way of setting it (possibly as simple as echo 'Continent/Capital' >/etc/timezone ?),
> > or be preset to a usable default for root (all the more since ntpdate seems to be installed already) - which one is the intended "standard approach"?
> > Several key components (incl. Perl, needed all the time as part of package management) complain with respect to locale/lang settings - not sure how this is best avoided (not by setting everything I guess, as LC_ALL for instance is discouraged)
>
> This one is hard to decide. My rootfs has been used by users worldwide (I'm very honored), so I'm hesitant to add any locale to it. I could add more suggestions in the instructions about what to do about this after the system runs the first time.
Quote bodhi:
> Quote TEN:
> > Shouldn't the LED go dark (echo 0 >/sys/class/leds/status:green:health/brightness) on halt, to signal when it's safe to pull the plug (or light up then if it was off during normal operation)?
> > echo none > /sys/class/leds/status:green:health/trigger ... seems instantaneous in normal operation, but could it take a few ms for the trigger to be picked up before the halt (and could brightness as above be faster)?
>
> It should. See /etc/init.d/halt. It turns off the LED, not just going dark. And it turns on Green in /etc/rc.local.

I recall it had already gone missing around kernel 3.14 as I reported last year.

Quote bodhi:
> Quote TEN:
> > Curiously there is no default /etc/crontab nor an apparent process that would use it, according to ps aux|grep cron - but per http://forum.doozan.com/read.php?2,12096,16414#msg-16414 it should be there?
>
> I'll take a look at this one. I thought it's there.
root@debian:~# cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main contrib non-free
Re: Debian defaults March 22, 2015 11:28PM
Admin, Registered: 13 years ago, Posts: 18,994

Re: Debian defaults: /etc/crontab, nftables? March 23, 2015 02:20PM
Registered: 9 years ago, Posts: 63
Probably changes to the file (after which the script proceeds to halt) aren't directly mapped to the GPIO pins, but need some process (with too little time to still run) to pick them up.

Quote TEN:
> Quote bodhi:
> > Quote TEN:
> > > Shouldn't the LED go dark
> > > (echo 0 >/sys/class/leds/status:green:health/brightness)
> > > on halt, to signal when it's safe to pull the plug (or light up then if it was off during normal operation)?
> > > echo none > /sys/class/leds/status:green:health/trigger ... seems instantaneous in normal operation, but could it take a few ms for the trigger to be picked up before the halt (and could brightness as above be faster)?
> >
> > It should. See /etc/init.d/halt. It turns off the LED, not just going dark. And it turns on Green in /etc/rc.local.

I'll test with a sleep 5 inserted, as it always stayed on here.

Quote TEN:
> Quote bodhi:
> > Quote TEN:
> > > Curiously there is no default /etc/crontab nor an apparent process that would use it, according to ps aux|grep cron - but per http://forum.doozan.com/read.php?2,12096,16414#msg-16414 it should be there?
> >
> > I'll take a look at this one. I thought it's there.
>
> I recall it had already gone missing around kernel 3.14 as I reported last year.

root@debian:/# ps aux|grep systemd
root      2196  0.0  0.5   2020  1376 pts/0    S+   18:58   0:00 grep systemd
root@debian:/# ps aux|grep cron
root      2193  0.0  0.5   2020  1372 pts/0    S+   18:55   0:00 grep cron
root@debian:/# find -name *cron*
./etc/cron.weekly
./etc/cron.daily
./usr/share/doc/passwd/examples/passwd.expire.cron
./lib/modules/3.16.0-kirkwood-tld-2/kernel/drivers/hid/hid-zydacron.ko

I.e. no anacron etc. either, q.e.d., but it doesn't seem to be running systemd instead either, though /etc/systemd/system has a definition for avahi.
Re: Debian defaults: /etc/crontab, nftables? March 23, 2015 03:42PM
Admin, Registered: 13 years ago, Posts: 18,994
echo none > /sys/class/leds/status:green:health/trigger
halt -d -f $netdown $poweroff $hddown

dmesg | grep -i machine | cut -c16-120
fw_printenv arcNumber
fw_printenv machid
Re: Debian defaults: /etc/crontab, nftables? March 23, 2015 03:50PM
Admin, Registered: 13 years ago, Posts: 18,994
Quote:
> I.e. no anacron etc. either, q.e.d., but it doesn't seem to be running systemd instead either though /etc/systemd/system has a definition for avahi.

usb_set_bootargs=setenv bootargs console=$console root=$usb_root rootdelay=$usb_rootdelay rootfstype=$usb_rootfstype $mtdparts init=/bin/systemd
Re: Debian defaults: LED on halt, LIRC@mceusb, /etc/crontab March 23, 2015 08:34PM
Registered: 9 years ago, Posts: 63
Machine: Pogoplug E02
arcNumber=3542
machid=dd6

root@debian:~# lsmod|grep mceusb
mceusb                  8283  0
rc_core                13793  13 ir_sharp_decoder,lirc_dev,ir_lirc_codec,ir_rc5_decoder,ir_nec_decoder,ir_sony_decoder,mceusb,ir_mce_kbd_decoder,ir_jvc_decoder,ir_rc6_decoder,ir_sanyo_decoder,rc_rc6_mce
root@debian:~# rmmod mceusb
root@debian:~# modprobe mceusb

I've found it could also be made to work again by unloading and reloading the driver through the last 2 lines, and it will be detected more reliably (i.e. both irw and irsend working "OOTB") on reboot if the following line 24 is added to /etc/init.d/lirc before the modprobe:

rmmod $mod 2> /dev/null
Re: Debian defaults: LED on halt, LIRC@mceusb, /etc/crontab March 24, 2015 04:40PM
Admin, Registered: 13 years ago, Posts: 18,994

Re: Debian defaults: nft, LED on halt, LIRC@mceusb, /etc/crontab March 25, 2015 03:15PM
Registered: 9 years ago, Posts: 63
Now there we have it; you've exposed a Secret Agency skunkworks project building a Beowulf cluster of nitrogen-cooled Pogoplugs overclocked to 4+GHz each, computing for World Domination. ;)

Quote bodhi:
> Something is not right. The halt command can't be executed that fast. I've never seen my boxes fail to turn off the LED while shutting down! But if it works with a few extra seconds shutting down, so be it :)
Re: Debian defaults: nft, LED on halt, LIRC@mceusb, /etc/crontab March 26, 2015 12:38AM
Admin, Registered: 13 years ago, Posts: 18,994

Re: Debian defaults: Netfilter, cron/systemd March 26, 2015 02:14AM
Registered: 9 years ago, Posts: 63
It seems https://wiki.debian.org/nftables has been retracted even on jessie.

Quote bodhi:
> I'd guess there were changes in the default setup for latest versions ... I did not explicitly change the defaults at all in the basic rootfs (I left it up to individuals to tailor their rootfs).
Re: Debian defaults: Netfilter, cron/systemd March 26, 2015 02:36AM
Admin, Registered: 13 years ago, Posts: 18,994
Quote:
> - Installed packages: nano, avahi, ntp, busybox-syslogd (log to RAM), htop, isc-dhcp-client, dialog, bzip2, nfs server/client, iperf, ethtool, sysvinit-core, sysvinit, and sysvinit-utils.
lcdproc fixable, LIRC broken on jessie 3.18.5 for now March 29, 2015 04:26AM
Registered: 9 years ago, Posts: 63
So that's what we'll have to do for TZ since most of us can't be in California.

Quote:
Preparing to unpack .../tzdata_2015b-1_all.deb ...
Unpacking tzdata (2015b-1) over (2015a-1) ...
Setting up tzdata (2015b-1) ...
locale: Cannot set LC_ALL to default locale: No such file or directory
Current default time zone: 'SystemV/PST8PDT'
Local time is now: Sat Mar 28 14:38:05 PDT 2015.
Universal Time is now: Sat Mar 28 21:38:05 UTC 2015.
Run 'dpkg-reconfigure tzdata' if you wish to change it.
Just don't you believe it: service LCDd starts without error to console, but won't work for reasons visible via logread instead (and "start and stop actions are no longer supported" may indicate a move to systemd stuck midway):

Quote:
lcdproc configuration can be merged automatically by cme during package upgrade. This process will keep your configuration customization, apply maintainer's changes
and write back the configuration files.
You can later edit lcdproc configuration with the command 'sudo cme edit lcdproc'.
If you decline this option, your configuration file will not be managed by the package manager.
Perform automatic configuration upgrade ?
< Yes > < No >
Selecting previously unselected package libgpm2:armel.
(Reading database ... 12473 files and directories currently installed.)
Preparing to unpack .../libgpm2_1.20.4-6.1+b2_armel.deb ...
Unpacking libgpm2:armel (1.20.4-6.1+b2) ...
Setting up mc (3:4.8.13-3) ...
update-alternatives: using /usr/bin/mcview to provide /usr/bin/view (view) in auto mode
Setting up lcdproc (0.5.7-2) ...
locale: Cannot set LC_ALL to default locale: No such file or directory
Fixing lcdproc configuration...
Can't exec "/usr/bin/dpkg-architecture": No such file or directory at (eval 122) line 1, <F> line 5.
cannot run dpkg-architecture at (eval 122) line 2, <F> line 5.
Use of uninitialized value $triplet in scalar chomp at (eval 122) line 3, <F> line 5.
Use of uninitialized value $triplet in concatenation (.) or string at (eval 122) line 4, <F> line 5.
Warning in 'server DriverPath' value '/usr/lib//lcdproc/': missing DriverPath dir (code is: ' defined $_ ? -d : 1')
Can't exec "/usr/bin/dpkg-architecture": No such file or directory at (eval 126) line 1, <F> line 5.
cannot run dpkg-architecture at (eval 126) line 2, <F> line 5.
Use of uninitialized value $triplet in scalar chomp at (eval 126) line 3, <F> line 5.
Use of uninitialized value $triplet in concatenation (.) or string at (eval 126) line 4, <F> line 5.
Can't exec "/usr/bin/dpkg-architecture": No such file or directory at (eval 128) line 1, <F> line 5.
cannot run dpkg-architecture at (eval 128) line 2, <F> line 5.
Use of uninitialized value $triplet in scalar chomp at (eval 128) line 3, <F> line 5.
Use of uninitialized value $triplet in concatenation (.) or string at (eval 128) line 4, <F> line 5.
Can't exec "/usr/bin/dpkg-architecture": No such file or directory at (eval 131) line 1, <F> line 5.
cannot run dpkg-architecture at (eval 131) line 2, <F> line 5.
Use of uninitialized value $triplet in scalar chomp at (eval 131) line 3, <F> line 5.
Use of uninitialized value $triplet in concatenation (.) or string at (eval 131) line 4, <F> line 5.
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Starting LCDd: LCDd.
Setting up lirc (0.9.0~pre1-1.2) ...
[ ok ] No valid /etc/lirc/lircd.conf has been found..
[ ok ] Remote control support has been disabled..
[ ok ] Reconfigure LIRC or manually replace /etc/lirc/lircd.conf to enable..
Setting up mtd-utils (1:1.5.1-1) ...
Processing triggers for libc-bin (2.19-15) ...
First, in jessie there has been a change not reflected by the above, to DriverPath=/usr/lib/arm-linux-gnueabi/lcdproc/, that needs to be adjusted manually - and the file's minimal contents can't drive any display there is, so google for a good one, be sure to change Custom-Characters from a comment to the display's physical properties, and Bind from 127.0.0.1 to the NIC IP, as the PogoPlug is probably supposed to expose the display to other machines on the LAN, then service LCDd restart into some usable configuration.

Quote:
## This file was written by cme command.
## You can run 'cme edit <application>' to modify this file.
## Run 'cme list' to get the list of applications available on your system
## You may also modify the content of this file with your favorite editor.
[server]
DriverPath=/usr/lib/lcdproc/
NextScreenKey=Right
PrevScreenKey=Left
ReportToSyslog=yes
ToggleRotateKey=Enter
[menu]
DownKey=Down
EnterKey=Enter
MenuKey=Escape
UpKey=Up
Mar 29 09:19:51 debian user.err kernel: [30960.293473] INFO: task lircd:1713 blocked for more than 120 seconds.
Mar 29 09:19:51 debian user.err kernel: [30960.299866] Not tainted 3.18.5-kirkwood-tld-1 #1
Mar 29 09:19:51 debian user.err kernel: [30960.305362] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Mar 29 09:19:51 debian user.info kernel: [30960.313232] lircd D c0553a4c 0 1713 1 0x00000001
Mar 29 09:19:51 debian user.warn kernel: [30960.319858] [<c0553a4c>] (__schedule) from [<c0553ec4>] (schedule_preempt_disabled+0x14/0x20)
Mar 29 09:19:51 debian user.warn kernel: [30960.328686] [<c0553ec4>] (schedule_preempt_disabled) from [<c055575c>] (__mutex_lock_slowpath+0xd4/0x180)
Mar 29 09:19:51 debian user.warn kernel: [30960.338345] [<c055575c>] (__mutex_lock_slowpath) from [<bf0d008c>] (rc_close+0x18/0x50 [rc_core])
Mar 29 09:19:51 debian user.warn kernel: [30960.347525] [<bf0d008c>] (rc_close [rc_core]) from [<bf10e778>] (lirc_dev_fop_close+0x64/0xe8 [lirc_dev])
Mar 29 09:19:51 debian user.warn kernel: [30960.357177] [<bf10e778>] (lirc_dev_fop_close [lirc_dev]) from [<c00fe8c4>] (__fput+0xd4/0x1f0)
Mar 29 09:19:51 debian user.warn kernel: [30960.366087] [<c00fe8c4>] (__fput) from [<c0034aa0>] (task_work_run+0x94/0xac)
Mar 29 09:19:51 debian user.warn kernel: [30960.373293] [<c0034aa0>] (task_work_run) from [<c0010b14>] (do_work_pending+0xc4/0xe0)
Mar 29 09:19:51 debian user.warn kernel: [30960.381500] [<c0010b14>] (do_work_pending) from [<c000e2bc>] (work_pending+0xc/0x20)
Mar 29 09:19:51 debian user.err kernel: [30960.389307] INFO: task rmmod:1824 blocked for more than 120 seconds.
Mar 29 09:19:51 debian user.err kernel: [30960.395920] Not tainted 3.18.5-kirkwood-tld-1 #1
Mar 29 09:19:51 debian user.err kernel: [30960.401085] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Mar 29 09:19:51 debian user.info kernel: [30960.409182] rmmod D c0553a4c 0 1824 1647 0x00000001
Mar 29 09:19:51 debian user.warn kernel: [30960.415617] [<c0553a4c>] (__schedule) from [<c0553ec4>] (schedule_preempt_disabled+0x14/0x20)
Mar 29 09:19:51 debian user.warn kernel: [30960.424422] [<c0553ec4>] (schedule_preempt_disabled) from [<c055575c>] (__mutex_lock_slowpath+0xd4/0x180)
Mar 29 09:19:51 debian user.warn kernel: [30960.434071] [<c055575c>] (__mutex_lock_slowpath) from [<bf10ea10>] (lirc_unregister_driver+0x5c/0x138 [lirc_dev])
Mar 29 09:19:51 debian user.warn kernel: [30960.444634] [<bf10ea10>] (lirc_unregister_driver [lirc_dev]) from [<bf114020>] (ir_lirc_unregister+0x14/0x6c [ir_lirc_codec])
Mar 29 09:19:51 debian user.warn kernel: [30960.456042] [<bf114020>] (ir_lirc_unregister [ir_lirc_codec]) from [<bf0d2420>] (ir_raw_event_unregister+0x64/0xa4 [rc_core])
Mar 29 09:19:51 debian user.warn kernel: [30960.467660] [<bf0d2420>] (ir_raw_event_unregister [rc_core]) from [<bf0d0788>] (rc_unregister_device+0x34/0x94 [rc_core])
Mar 29 09:19:51 debian user.warn kernel: [30960.478717] [<bf0d0788>] (rc_unregister_device [rc_core]) from [<bf1820b0>] (mceusb_dev_disconnect+0x28/0x68 [mceusb])
Mar 29 09:19:51 debian user.warn kernel: [30960.489723] [<bf1820b0>] (mceusb_dev_disconnect [mceusb]) from [<c04302e4>] (usb_unbind_interface+0x70/0x250)
Mar 29 09:19:51 debian user.warn kernel: [30960.499727] [<c04302e4>] (usb_unbind_interface) from [<c03c5288>] (__device_release_driver+0x7c/0xc4)
Mar 29 09:19:51 debian user.warn kernel: [30960.509239] [<c03c5288>] (__device_release_driver) from [<c03c5a74>] (driver_detach+0xec/0x118)
Mar 29 09:19:51 debian user.warn kernel: [30960.518011] [<c03c5a74>] (driver_detach) from [<c03c5128>] (bus_remove_driver+0x64/0x90)
Mar 29 09:19:51 debian user.warn kernel: [30960.526385] [<c03c5128>] (bus_remove_driver) from [<c042f528>] (usb_deregister+0x58/0xfc)
Mar 29 09:19:51 debian user.warn kernel: [30960.534632] [<c042f528>] (usb_deregister) from [<c0077f5c>] (SyS_delete_module+0x124/0x18c)
Mar 29 09:19:51 debian user.warn kernel: [30960.543030] [<c0077f5c>] (SyS_delete_module) from [<c000e280>] (ret_fast_syscall+0x0/0x2c)

Also the E02 can't be rebooted after this: it only terminates sshd but then gets stuck somewhere on the way down and has to be power-cycled.
Re: lcdproc fixable, LIRC broken on jessie 3.18.5 for now March 29, 2015 05:04AM
Admin, Registered: 13 years ago, Posts: 18,994

Re: lcdproc fixable, LIRC broken on jessie 3.18.5 for now March 29, 2015 05:39AM
Admin, Registered: 13 years ago, Posts: 18,994
apt-get install locales

- change locale.gen
cat /etc/locale.gen | grep 'en_US.UTF-8 UTF-8'
en_US.UTF-8 UTF-8

- generate locale
locale-gen

cat ~/.utf8
export LANG=en_US.UTF-8
Re: LIRC broken on jessie 3.18.5 for now March 29, 2015 05:51AM
Registered: 9 years ago, Posts: 63

Re: locale(s) March 29, 2015 07:14AM
Registered: 9 years ago, Posts: 63

Re: LIRC broken on jessie 3.18.5 for now March 29, 2015 03:32PM
Admin, Registered: 13 years ago, Posts: 18,994
Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs March 31, 2015 08:34AM
Registered: 9 years ago, Posts: 63
#!/bin/sh
iptables-restore < /etc/iptables/rules.v4

with the contents below for the latter file

*filter
:INPUT ACCEPT [52:3440]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:5048]
:SSHbrute - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m recent --update --seconds 7200 --reap --name SSHbrute --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHknown --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 2 --name SSHknown --rsource -j SSHbrute
-A SSHbrute -m recent --set --name SSHbrute --rsource -j LOG --log-prefix "SSHbrute "
COMMIT

or via apt-get install iptables-persistent. Commands below won't just work in a startup script (then setting no ACCEPT rules).
To keep the onslaught of botnets from saturating our little ARMs (especially where irresponsible mobile providers obstruct SSH ports other than 22, which would put these assaults at least a portscan further out of reach), which can reach the point of getting the legitimate admin locked out by sheer load, we'll need apt-get install iptables in both wheezy and jessie.

Quote bodhi:
> Quote TEN:
> > It seems https://wiki.debian.org/nftables has been retracted even on jessie.
> >
> > Quote bodhi:
> > > I'd guess there were changes in the default setup for latest versions ... I did not explicitly change the defaults at all in the basic rootfs (I left it up to individuals to tailor their rootfs).
> >
> > Not sure what is firewalling actually in your 3.16 release, as there's no iptables binary either.
>
> That's exactly what was installed on top of a Debian debootstrap rootfs from mainline.
>
> Quote release thread:
> > - Installed packages: nano, avahi, ntp, busybox-syslogd (log to RAM), htop, isc-dhcp-client, dialog, bzip2, nfs server/client, iperf, ethtool, sysvinit-core, sysvinit, and sysvinit-utils.
iptables -N SSHbrute
iptables -A SSHbrute -m recent --set --name SSHbrute -j LOG --log-prefix "SSHbrute "
iptables -I INPUT 1 -p tcp --dport ssh -i eth0 -m recent --update --seconds 7200 --reap --name SSHbrute -j DROP
iptables -I INPUT 2 -p tcp --dport ssh -i eth0 -m state --state NEW -m recent --set --name SSHknown
iptables -I INPUT 3 -p tcp --dport ssh -i eth0 -m state --state NEW -m recent --update --seconds 15 --hitcount 2 --name SSHknown -j SSHbrute

Inspiration comes from the above URL as well as http://www.netfilter.org/documentation/HOWTO/de/netfilter-extensions-HOWTO-3.html#ss3.14, http://serverfault.com/questions/273324/how-to-make-iptables-rules-expire#537382, https://www.tty1.net/blog/2007/iptables-firewall_en.html#brutessh and http://www.thegeekstuff.com/2012/08/iptables-log-packets/.
Mar 31 12:04:28 debian authpriv.notice sshd[26533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:04:30 debian auth.info sshd[26533]: Failed password for root from 183.136.216.3 port 45036 ssh2
Mar 31 12:04:33 debian auth.info sshd[26533]: Failed password for root from 183.136.216.3 port 45036 ssh2
Mar 31 12:04:40 debian auth.info sshd[26533]: Failed password for root from 183.136.216.3 port 45036 ssh2
Mar 31 12:04:41 debian auth.info sshd[26533]: Received disconnect from 183.136.216.3: 11: [preauth]
Mar 31 12:04:41 debian authpriv.notice sshd[26533]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:04:47 debian authpriv.notice sshd[26565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:04:49 debian auth.info sshd[26565]: Failed password for root from 183.136.216.3 port 55608 ssh2
Mar 31 12:04:52 debian auth.info sshd[26565]: Failed password for root from 183.136.216.3 port 55608 ssh2
Mar 31 12:04:57 debian auth.info sshd[26565]: Failed password for root from 183.136.216.3 port 55608 ssh2
Mar 31 12:04:57 debian auth.info sshd[26565]: Received disconnect from 183.136.216.3: 11: [preauth]
Mar 31 12:04:57 debian authpriv.notice sshd[26565]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:05:05 debian authpriv.notice sshd[26594]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:05:07 debian auth.info sshd[26594]: Failed password for root from 183.136.216.3 port 53447 ssh2
Mar 31 12:05:09 debian auth.info sshd[26594]: Failed password for root from 183.136.216.3 port 53447 ssh2
Mar 31 12:05:12 debian auth.info sshd[26594]: Failed password for root from 183.136.216.3 port 53447 ssh2
Mar 31 12:05:12 debian user.warn kernel: [165869.765757] SSHbrute IN=eth0 OUT= MAC=00:..:..:..:..:ce:00:..:..:..:..:..:08:00 SRC=183.136.216.3 DST=192.168.2.94 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42814 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 31 12:05:12 debian auth.info sshd[26594]: Received disconnect from 183.136.216.3: 11: [preauth]
Mar 31 12:05:12 debian authpriv.notice sshd[26594]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Mar 31 12:05:25 debian auth.info sshd[26617]: Received disconnect from 183.136.216.3: 11: [preauth]
Every 2,0s: iptables -nvL                                   Tue Mar 31 15:32:46 2015

Chain INPUT (policy ACCEPT 9303 packets, 648K bytes)
 pkts bytes target     prot opt in     out     source               destination
  309 20756 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 recent: UPDATE seconds: 7200 reap name: SSHbrute side: source
  138  8096            tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: SSHknown side: source
   16   960 SSHbrute   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 15 hit_count: 2 name: SSHknown side: source

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8401 packets, 3790K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain SSHbrute (1 references)
 pkts bytes target     prot opt in     out     source               destination
   49  2940 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: SSHbrute side: source LOG flags 0 level 4 prefix "SSHbrute "
Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs March 31, 2015 10:47PM
Registered: 13 years ago, Posts: 264

Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 01, 2015 04:23AM
Registered: 9 years ago, Posts: 63
Apr 1 11:08:01 debian auth.info sshd[4467]: Disconnecting: Too many authentication failures for root [preauth]

Curiously, unlike the other options this wasn't on file even as a comment line, and seems to default to 3, while for some reason the logs suggest bots get more attempts (not sure how, even after setting max. 2):

Mar 31 12:04:57 debian authpriv.notice sshd[26565]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3 user=root
Apr 1 14:33:33 debian authpriv.notice sshd[23017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.6 user=root
Apr 1 14:33:35 debian auth.info sshd[23017]: Failed password for root from 183.136.216.6 port 46855 ssh2
Apr 1 14:33:38 debian auth.info sshd[23017]: Failed password for root from 183.136.216.6 port 46855 ssh2
Apr 1 14:33:38 debian auth.info sshd[23017]: Disconnecting: Too many authentication failures for root [preauth]
Apr 1 14:33:38 debian authpriv.notice sshd[23017]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.6 user=root
Apr 1 14:33:39 debian user.warn kernel: [56751.659641] SSHbrute IN=eth0 OUT= MAC=00:..:..:..:..:ce:00:..:..:..:..:..:08:00 SRC=183.136.216.6 DST=192.168.2.94 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=56397 DF PROTO=TCP SPT=52667 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

I should also add that before intense work with scp etc. within the (W)LAN one can temporarily (or permanently, if one trusts all systems potentially ever on it and can be sure that no NAT rewrites external requests to apparently originate from internal IPs) exempt one's own subnet (or, rather than a CIDR, an individual external IP one is servicing from), e.g. in the above example:
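The busybox-syslogd lines quoted in this post and the one before it mix three sources of truth: sshd's per-attempt "Failed password" lines, pam_unix's per-session summary ("authentication failure" for the first one, "N more authentication failures" at disconnect), and the SSHbrute LOG line from the kernel. Here is an added example (Python, not from this thread) that reads such lines and produces a per-source summary, so the "how many attempts did a bot really get" question above can be answered from logread output rather than by eye. The sample lines are constructed in the same formats as the quoted logs, with RFC 5737 addresses and made-up PIDs and ports.

```python
"""Per-source summary of sshd brute-force activity from busybox-syslogd style
lines as shown in this thread. Added example, not from the thread; the sample
lines are constructed (RFC 5737 addresses, made-up PIDs and ports) in the same
formats as the logread output quoted above."""
import re
from collections import defaultdict

# sshd: one line per failed attempt (pid, user, source)
FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# pam_unix: first failure of a session, then a summary of the remaining ones at disconnect
PAM_FAIL_RE = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S+)")
PAM_MORE_RE = re.compile(r"sshd\[(\d+)\]: PAM (\d+) more authentication failures?;.*rhost=(\S+)")
# sshd hitting MaxAuthTries (names no host, so the pid is mapped back to one)
TOO_MANY_RE = re.compile(r"sshd\[(\d+)\]: Disconnecting: Too many authentication failures")
# LOG target of the SSHbrute chain: the SYN that put the source on the ban list
SSHBRUTE_RE = re.compile(r"kernel: \[[\d.]+\] SSHbrute .*?\bSRC=(\S+)")


def _empty():
    return {"sessions": set(), "users": set(), "failed": 0, "max_in_session": 0,
            "pam_reported": 0, "too_many": 0, "sshbrute": 0}


def summarize(lines):
    """Return {source: counts}. 'failed' counts sshd's own lines; 'pam_reported'
    is what pam_unix claims (first failure + 'N more'). The two should agree per
    source; a gap between them is worth a look."""
    per_src = defaultdict(_empty)
    per_session = defaultdict(int)  # pid -> failed-password lines seen so far
    pid_src = {}                    # pid -> source, for lines that name no host
    for line in lines:
        if m := FAILED_RE.search(line):
            pid, user, src = m.groups()
            pid_src[pid] = src
            rec = per_src[src]
            rec["sessions"].add(pid)
            rec["users"].add(user)
            rec["failed"] += 1
            per_session[pid] += 1
            rec["max_in_session"] = max(rec["max_in_session"], per_session[pid])
        elif m := PAM_FAIL_RE.search(line):
            pid, src = m.groups()
            pid_src[pid] = src
            per_src[src]["pam_reported"] += 1
        elif m := PAM_MORE_RE.search(line):
            pid, more, src = m.groups()
            per_src[src]["pam_reported"] += int(more)
        elif (m := TOO_MANY_RE.search(line)) and m.group(1) in pid_src:
            per_src[pid_src[m.group(1)]]["too_many"] += 1
        elif m := SSHBRUTE_RE.search(line):
            per_src[m.group(1)]["sshbrute"] += 1
    return {src: {**rec, "sessions": len(rec["sessions"]), "users": sorted(rec["users"])}
            for src, rec in per_src.items()}


def top_offenders(summary, min_failed=3):
    """Sources with at least `min_failed` failed attempts, busiest first."""
    hits = [(src, rec["failed"]) for src, rec in summary.items() if rec["failed"] >= min_failed]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


# Constructed sample in the thread's logread format (not real traffic).
SAMPLE_LOG = """\
Apr  1 14:33:33 debian authpriv.notice sshd[23017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr  1 14:33:35 debian auth.info sshd[23017]: Failed password for root from 203.0.113.5 port 46855 ssh2
Apr  1 14:33:38 debian auth.info sshd[23017]: Failed password for root from 203.0.113.5 port 46855 ssh2
Apr  1 14:33:38 debian auth.info sshd[23017]: Disconnecting: Too many authentication failures for root [preauth]
Apr  1 14:33:38 debian authpriv.notice sshd[23017]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr  1 14:33:39 debian user.warn kernel: [56751.659641] SSHbrute IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=56397 DF PROTO=TCP SPT=52667 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  1 14:34:01 debian authpriv.notice sshd[23040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr  1 14:34:03 debian auth.info sshd[23040]: Failed password for root from 203.0.113.5 port 46900 ssh2
Apr  1 14:34:06 debian auth.info sshd[23040]: Failed password for root from 203.0.113.5 port 46900 ssh2
Apr  1 14:34:09 debian auth.info sshd[23040]: Failed password for root from 203.0.113.5 port 46900 ssh2
Apr  1 14:34:10 debian authpriv.notice sshd[23040]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr  1 14:40:12 debian auth.info sshd[23101]: Failed password for invalid user admin from 198.51.100.7 port 50010 ssh2
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, rec in summary.items():
        print(src, rec)
    print("top offenders:", top_offenders(summary))
```

On a busybox-syslogd box the input would be `logread` piped in, or the lines read from `/var/log/messages` where that is kept. The "max_in_session" figure is the one to compare against the MaxAuthTries value you set: it is the number of "Failed password" lines sshd itself wrote for a single pid, independent of pam_unix's summary line, and "pam_reported" should match "failed" for the same source.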
Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 01, 2015 08:24AM
Registered: 10 years ago, Posts: 70

Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 01, 2015 08:54AM
Registered: 9 years ago, Posts: 63
Sure, quite a useful /etc/hosts.deny IPS approach (requiring Python, which is no default either), like the aforementioned http://la-samhna.de/library/brutessh.html#4 - but besides sharing options like yours, the purpose of these posts has been to illustrate how to create customizable, slightly automated defenses & reporting at very minimal resource usage (<1% CPU, and keeping logs short) with simple rules (adjustable even from a cellphone if need be, also when ports & services other than ssh's 22 are affected) for the in-kernel netfilter.

Quote Frederick Grayson:
> I find the denyhosts package more than adequate for dealing with ssh brute force abuse.
Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 10, 2015 05:14AM
Admin, Registered: 13 years ago, Posts: 18,994

Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 10, 2015 07:27AM
Registered: 9 years ago, Posts: 63

Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs April 18, 2015 08:12AM
Registered: 9 years ago, Posts: 63
Quote:
> Talos and Level 3 started the process to take down... Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed
Time & timers May 25, 2015 10:55AM
Registered: 9 years ago, Posts: 63
30 3 * * * root ntpdate ptbtime1.ptb.de

Change server if you're not in Central Europe of course.

55 3 * * * root sunwait wait rise 48N 11E;echo 255 > /sys/class/leds/status\:green\:health/brightness

Compiled from http://sourceforge.net/projects/sunwait4windows/ as in http://forum.doozan.com/read.php?2,21050,21084#msg-21084 for home automation, of which the LEDs are simple indicators.
Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs January 02, 2017 04:42PM
Registered: 9 years ago, Posts: 63

Re: Debian defaults: netfilter / iptables: Limit the impact of 2000+ attacks per day to 5% approx. on your sshd & logs January 03, 2017 04:46PM
Admin, Registered: 13 years ago, Posts: 18,994