plisten
目次- 1.0.0 Brute force attack
- 1.1.0 attacks to POP3 server
- 1.2.0 attacks to ssh server
- 2.0.0 Protected Listner
- 2.1.0 How To Protect
- 2.2.0 pop3 before connection
plisten is a protected listen for Plan9 that is designed to protect server from brute force attack.plisten is available in http://plan9.aichi-u.ac.jp/netlib/plisten/
The IPs in the following list have attempted to steal passwords by brute force attack to my POP3 server.
They are taken from log file starting from 2013/06/03 to 2013/11/14.
DNS names of some of these IPs are unknown (unregistered).
Others are listed below:
Some of them are web servers that does "software download service"!
Of cource, we observe much more attacks to tcp22 (ssh port).
My log shows 2535 unique IPs that tried this port during the period from 2013/03/14 to the present(2013/11/23).
So many IPs to list up!
get list of these IPs
The observation shows that some of them tried a hundred password and then went away without looking "Reject" message from my server.
We have
Both
The definition of burst access:
For simplicity, directories
File names in these directories are the IPs to accept or reject.
Pop3 is the only way for a remote (non Plan9) user to register himself to
The code below is
Other services are rejected unless the requesting IP is in
You need to change
Protected Listner
2014/07/20
plisten (protected listen) and plisten1 (protected listen1).
Both listen and listen1 are listeners for Plan9.
How To Protect
plisten and plisten1 check the IP of requester.
The steps are as follows:
(1) if it is burst access then reject
(2) if (it is not in accept_database) and (it is in reject_database) then reject
(3) start a subprocess for the connection
That is, step (1) and (2) are added in Plan9 official listen and listen1.
trials more than maxconnect in a given time (10 seconds).
the maxconnect is given in command option.
/sys/log/accept and /sys/log/reject are used in place of accept_database and reject_database.
Therefore you can register 202.250.160.40 to accept_database by
touch /sys/log/accept/202.250.160.40
pop3 before connection
accept_database.
Many authentication failures will let him to be registered in reject_database.
tcp110:
#!/bin/rc
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip_local=$l(1) ip=$r(1) p=$l(2)}
if(test -e /sys/log/reject/$ip){
/usr/local/bin/386/logit -l pop3 Rejected $ip
echo '-ERR Rejected'
exit
}
if(test -e /sys/log/accept/$ip){
/$cputype/bin/upas/pop3
exit
}
w=`{tail -10 /sys/log/pop3 | grep 'Fail '$ip | wc}
if(test $w(1) -gt 5){
touch /sys/log/reject/$ip
/usr/local/bin/386/logit -l pop3 List $ip
echo '-ERR Rejected'
exit
}
/$cputype/bin/alarm 60 /$cputype/bin/upas/pop3
# /sys/log/pop3 is something like:
# old pop3 message:
# ar Apr 8 14:56:50 user arisawa logged in
# new pop3 message:
# ar Apr 8 14:56:50 user arisawa OK 202.250.160.166
a=`{tail -1 /sys/log/pop3}
if(~ $a(7) OK && ~ $a(8) $ip){
touch /sys/log/accept/$ip
exit
}
/usr/local/bin/386/logit -l pop3 Fail $ip
/rc/bin/service/tcp110accept_database.
#!/bin/rc
ifs='!
' r=`{cat $3/remote} l=`{cat $3/local} {ip=$r(1) p=$l(2)}
if(test -e /sys/log/accept/$ip){
exec /bin/aux/sshserve -A 'tis password' `{cat $3/remote} >>[2]/sys/log/ssh
}
echo Rejected
/usr/local/bin/386/logit -l honeypot $p $ip
/rc/bin/service/tcp22pop3.c so that the script tcp110 can work.
if(newns(user, 0) < 0){
senderr("newns failed: %r; server exiting");
exits(nil);
}
- syslog(0, "pop3", "user %s logged in", user);
+ syslog(0, "pop3", "user %s OK %s", user, peeraddr);
enableaddr();
/sys/src/cmd/upas/pop3/pop3.c