For some background you may want to read the Original Story leading to this write up.
The first thing that caught my attention was that Logwatch reported login failures in the order of thousands from unassigned.psychz.net without an accompanying fail2ban email notifying me that the offender had been banned.
As it turned out, this was because the attack was clearly designed to defeat such protection methods. When an authentication failure is logged, vsftpd makes a reverse lookup to resolve the connecting host; the PTR record for the attacking address returns unassigned.psychz.net, and that name, rather than the IP address, is what gets written into the log.
fail2ban then uses a regex to extract the host from the log and attempts a forward lookup on unassigned.psychz.net (an A or CNAME record is required) to resolve the IP address and ban the offender. This is where things go awry.
psychz.net maintains its own DNS servers:
- DNS1.PSYCHZ.NET
- DNS2.PSYCHZ.NET
These provide a PTR record but no A/CNAME record, so fail2ban cannot resolve an IP address and the attacker is left to run the attack unhindered; see this log file: fail2ban name resolution failure log
The only way, therefore, to obtain the attacking IP was to match the FTP connection times against those of the reported login failures. Using iptables to log all accesses to FTP, a count of connecting IPs can be obtained quickly with:
grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -n
390 173.224.217.41
A complete log can be found here: iptables.log, and a whois can be found here: whois.txt
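The time-correlation step described above, as an added example that is not part of the original post: the vsftpd/PAM failure lines carry only the PTR name (here the constructed placeholder unassigned.example.net), while the iptables LOG lines carry the raw source address, so each failure is credited to the latest port-21 connection opened within a few seconds before it. All log lines, addresses and the assumed log year are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post). vsftpd/PAM records
# the client's PTR name, which is all fail2ban can extract; the iptables LOG
# target records the raw source address, which no DNS trick can hide.
VSFTPD_LOG = """\
Jul 26 10:14:02 host vsftpd[2211]: pam_unix(vsftpd:auth): authentication failure; tty=ftp ruser=admin rhost=unassigned.example.net
Jul 26 10:14:05 host vsftpd[2214]: pam_unix(vsftpd:auth): authentication failure; tty=ftp ruser=root rhost=unassigned.example.net
Jul 26 11:30:40 host vsftpd[2300]: pam_unix(vsftpd:auth): authentication failure; tty=ftp ruser=bob rhost=unassigned.example.net
"""
IPTABLES_LOG = """\
Jul 26 10:14:01 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=21
Jul 26 10:14:04 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=21
Jul 26 10:20:00 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4000 DPT=21
Jul 26 11:30:39 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51300 DPT=21
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
RHOST = re.compile(r"authentication failure.*\brhost=(\S+)")
SRC = re.compile(r"kernel:.*\bSRC=(\d+\.\d+\.\d+\.\d+)\b.*\bDPT=21\b")


def syslog_time(line, year=2010):
    """Parse the classic syslog timestamp; it has no year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def auth_failures(text, hostname):
    """Timestamps of auth failures whose logged rhost is the given PTR name."""
    return [syslog_time(l) for l in text.splitlines()
            if (m := RHOST.search(l)) and m.group(1) == hostname]


def ftp_connections(text):
    """(timestamp, source IP) for every logged new connection to port 21."""
    return [(syslog_time(l), m.group(1)) for l in text.splitlines()
            if (m := SRC.search(l))]


def attribute_failures(failures, connections, window_s=5):
    """Credit each failure to the latest connection opened within window_s before it."""
    hits = Counter()
    for fail_at in failures:
        candidates = [(fail_at - conn_at, src) for conn_at, src in connections
                      if timedelta(0) <= fail_at - conn_at <= timedelta(seconds=window_s)]
        if candidates:
            hits[min(candidates)[1]] += 1
    return hits
```

The resulting counter is what a ban decision (or an iptables DROP rule) should be based on, since it comes from the packet source rather than from anything the remote DNS operator controls.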
Disclosure steps taken:
- 26/07/10 psychz support informed and given a deadline of 09/08/10 for resolution
- Same day standard reply of “thanks for contacting support we are looking into this” …
- 27/07/10 Attacks continue; the 173.224.208.0/20 network is black-holed as a result:
iptables -A INPUT -s 173.224.208.0/20 -j DROP
- 09/08/10 deadline passes without update
- 25/08/10 this blog post published
Wow. That seems like a major oversight on fail2ban’s part. Do you know if that behavior (which I consider a bug) still exists in the current release?
Also, have you ever looked into/heard of OSSEC? It is like fail2ban and logwatch and some other stuff all rolled in to one. I can see where, for some, it might seem overwhelming to configure but it has really allowed me to sleep more easily.
More info here:
http://www.ossec.net/
Also, have you ever looked at the advantages of logcheck over logwatch? I use both and am OK with that but strong opinions are held on both sides.
–
Brie
Hi Brie,
Technically it could be considered a bug in syslog; fail2ban does nothing but “watch” the logs, regexing out relevant data. If said data in the log contains a host name with no forward A record, fail2ban isn’t at fault, as it has correctly parsed the data.
fail2ban couldn’t account for this; this would need to be fixed at the syslog level.
_
Buzz
Stumbled over this post after having trouble with unassigned.psychz.net being the source of poorly written blog spam. Seems security is not top of Psychz’s priorities.
I have repeatedly been attacked by a user(s) coming from psychz.net, who have been attempting to brute-force one of our servers. I have reported every incident to n...@psychz.net, as well as their other “abuse” handlers, and I get the same, cut-and-paste response:
- begin –
HI,
We have sent warning to client so he will activity in 24 hrs. If client will not listen then we will terminate his services.
Thank you
——————–
Jeff
Level 1 Engineer
- end –
Obviously, the people at psychz.net absolutely DO NOT CARE what kind of illegal activity is going on on their systems. I have blocked all of their subnets from all of my sites, and turned this over to the proper authorities. I would recommend avoiding psychz.net at all costs.
At the risk of turning this into a Psychz discussion, Psychz is renowned for bad netizen hosting. More problematic is their failure to curb this abuse. They actually hold the record of allowing the same abusive website to appear on their servers: http://forum.aa419.org/viewtopic.php?t=27556