Whitelisting An IP Address With “DenyHosts”

Posted in IT Security on July 17, 2010 by blackflag

DenyHosts is an excellent tool that aids in protecting SSH servers that are exposed to the Internet. It’s not at all uncommon for Linux servers that have multiple remote SSH users/administrators to have port 22 open to the Internet at large.

DenyHosts will automatically blacklist a given source IP address by writing that IP to the file ~/hosts.deny, thereby blocking the IP from SSH access. The downside of such automatic blocking is that a legitimate user who mistypes their password can be added to the hosts.deny list as well.

The solution to this problem is to add known safe IP addresses to the ~/allow-hosts file. On Debian 4/5 it’s located in this directory: “/var/lib/denyhosts”.

Edit the ~/allow-hosts file, add the whitelisted IP address, then save the file. Then check the hosts.deny file and see if the IP address you want to whitelist is there as well; if it is (having already been blacklisted), remove it and save the file.

Problem solved.
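The two steps above (add the address to the whitelist, then pull it out of hosts.deny) as a small shell function. This is an added example, not a script from the original post or from the DenyHosts project. Both file paths are passed as arguments so the function can be tried on copies first; the post puts the DenyHosts data directory on Debian 4/5 at /var/lib/denyhosts, and on most systems the tcp_wrappers deny file is /etc/hosts.deny (an assumption about your system, not something the post states). The match against hosts.deny is done per whitespace-separated field rather than as a substring, so whitelisting 192.0.2.10 does not also remove an entry for 192.0.2.100.

```shell
#!/bin/sh
# Added example (not from the original post): whitelist one IPv4 address for
# DenyHosts by (1) adding it to the allowed-hosts file and (2) removing any
# entry for it from hosts.deny. Paths are arguments; assumed defaults would be
# /var/lib/denyhosts/allowed-hosts and /etc/hosts.deny.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address (each octet 0-255).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: denyhosts_whitelist IP ALLOWED_HOSTS_FILE HOSTS_DENY_FILE
denyhosts_whitelist() {
    ip=$1; allow=$2; deny=$3
    if ! is_ipv4 "$ip"; then
        printf 'not a valid IPv4 address: %s\n' "$ip" >&2
        return 1
    fi
    # Step 1: add the address to the whitelist unless an identical line exists.
    if ! grep -qxF -- "$ip" "$allow" 2>/dev/null; then
        printf '%s\n' "$ip" >> "$allow"
    fi
    # Step 2: drop every hosts.deny line that names this IP as a whole field.
    # DenyHosts writes lines like "sshd: 192.0.2.10"; comparing fields exactly
    # avoids also stripping 192.0.2.100 the way a substring match would.
    if [ -f "$deny" ]; then
        awk -v ip="$ip" '
            { keep = 1
              for (i = 1; i <= NF; i++) if ($i == ip) keep = 0
              if (keep) print }
        ' "$deny" > "$deny.tmp" && cat "$deny.tmp" > "$deny" && rm -f "$deny.tmp"
    fi
}

# Run directly as: sh whitelist.sh IP ALLOWED_HOSTS_FILE HOSTS_DENY_FILE
if [ "$#" -eq 3 ]; then
    denyhosts_whitelist "$@"
fi
```

The rewrite of hosts.deny goes through a temporary file and `cat` back into place so the original file keeps its owner and mode. DenyHosts reads its allowed-hosts file when it starts, so restart the daemon after whitelisting if it is running in daemon mode.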

And Now For Something Completely Different

Posted in Random on July 30, 2009 by blackflag

“Barbarian” by Electric Wizard.

Electric Wizard

Three Years.

Posted in Daily Rant on January 31, 2009 by blackflag

This blog has been wasting bandwidth on WordPress.com for three years now, imagine that.

Georgian Attacks: Remember Estonia?

Posted in Counter Terror, Daily Rant, IT Security on August 14, 2008 by blackflag

Yet another update regarding the ongoing Georgian cyber attacks. For those that don’t realize the significance of this: some botherders and do-it-yourself hacktivists have pretty much succeeded in taking most of Georgia’s government news outlets offline. Most of the gov.ge sites have now regrouped on the Blogspot platform, but there are some residing on other providers.

I have been following this very closely and working with others to get a better picture of what is happening. The results of those efforts are being updated over at the Shadowserver news wiki but I’ll repost it below for your convenience.

Here is the latest update:

Georgia and Estonia Have Something New in Common

Since last Friday (August 8, 2008) a large number of Georgian websites, both government and non-government alike, have come under attack. There has been a lot of speculation about whether or not foreign governments were involved in the attacks or if it is just the work of outraged citizens taking the action on their own. While no one could really say for sure who was behind the attacks, one thing was clear–the attacks were having a devastating impact on their targets. Even at this very moment, several Georgian websites are still unreachable.

We have been seeing constant distributed denial of service (DDoS) attacks against Georgian websites from various command and control (C&C) servers since last Friday. In fact, they are still ongoing. However, we have not observed any attacks against several of the different websites that are currently offline. While we of course do not have insight into all DDoS attacks, we were still surprised to see these sites offline and not have observed any traffic destined for them. We were not really sure why this was until today.

Additional Attack Information

Shadowserver has received reliable information that one of the Georgian government websites was being attacked by dozens of Russian computers from several different ISPs throughout the country covering both dialup and broadband users. The traffic destined for the website is overwhelming ICMP traffic. Did we dare say Russian? Yes we did, however, let’s be clear here: we were not pointing fingers and we are absolutely not implicating any government involvement (no reason to suspect this).

What does it mean though? Lots of Russian hosts and lots of ICMP traffic. Could this be a botnet that instructed all of its hosts to send an ICMP flood to the destination? Possibly. However, usually botnets are widely dispersed across several geographic locations. Why on earth would we see such an overwhelming number of Russian hosts?

Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.

The Grass Roots Effect

Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.

The following text is a redacted version of the script being posted:

@echo off
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
pause
newsgeorgia.ru
apsny.ge
nukri.org
opentext.org.ge
messenger.com.ge
president.gov.ge
government.gov.ge
parliament.ge
nsc.gov.ge
constcourt.gov.ge
supremecourt.ge
cec.gov.ge
nbg.gov.ge
nplg.gov.ge
police.ge
mod.gov.ge
mes.gov.ge
mfa.gov.ge
iberiapac.ge
mof.ge

We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.

Conclusion

It appears evident that the average user is now getting involved and helping to attack Georgian websites. We do not know the size of the attack, but with many most likely sympathetic and the message spreading from blog to blog and forum to forum, it might not slow any time soon. Whether it is through the use of a botnet or a personal machine, it is quite clear what kind of effect these attacks can have on an infrastructure that is unable to fend them off. We will continue to monitor the situation and report back any developments we observe.

Cross Posted at The Jawa Report.

Republic of Georgia Cyber Attacks “Part Deux”

Posted in Counter Terror, Daily Rant on August 14, 2008 by blackflag

I posted about the ongoing attacks against Georgian resources on August 11th. Since that time a lot of the media have been getting on the “let’s blame the Russian Business Network and Russian Government” bandwagon without really putting things into context. I mentioned the RBN in the original post as an unverified point of interest (RBN is worth reading up on whether involved in this or not).

To clarify a few points, Shadowserver’s “Mike Johnson” has updated the wiki with a post titled “Georgian Websites Under Attack – Don’t Believe the Hype”. It warrants reading as it lays out a bit more historical information on the botnets involved.

An excerpt from that post is below.

We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we’ve tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn’t seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don’t strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:

* Adult video websites
* Prostitution websites
* White supremacy websites
* Carder websites (sites that trade in stolen credit card numbers)
* Online gambling websites
* Virtual currency websites (think PayPal, but not nearly that legitimate)
* Russian news websites
* Random Russian websites
* Many other websites


The DDoS attacks appear to be ongoing as of this morning (13 August 2008), and it is of note that the botnets involved continue to simultaneously attack other websites that do not belong to the Republic of Georgia.

Update: For more context see Popular Mechanics interview with RBNexploit’s Jart Armin.

Cross Posted at The Jawa Report

Georgian Government Websites Under Cyber Attack

Posted in Daily Rant, IT Security on August 12, 2008 by blackflag

The Georgian Republic’s Parliament website has been defaced as well. parliament.ge now shows:

Defaced Georgian Parliament Website

Original post continues below:

Some of the Internet resources of the Georgian government have been the targets of fairly steady DDoS attacks since early July of 2008. The website of the President of Georgia has been hit fairly heavily over the last few days and is currently going offline at random as it is overcome by the attack (it was up this morning but has been down for several hours now).

The Threat Expert Blog had an article about similar attacks on president.gov.ge back on 20 July 2008. In that article they credited Steven Adair for the information regarding the botnet involved in the attack; likewise, Steven gets credit for bringing the ongoing attacks to my attention this morning. Steven’s latest post on this issue can be found at the Shadowserver website later today; I’ll update the link as that info becomes available.

True to form, there appears to have been a cooperative effort between the cyber attacks and the military attacks on the ground in Georgia. Whether the attacks are the work of the Russian government or of those sympathetic to their cause remains to be seen. Estonia recently suffered a similar fate, minus the actual physical invasion forces.

Here’s a sample of what we’re seeing regarding the attacks on Georgian resources, on and off, since mid July (source IPs removed):

2008-07-20 15:15:14 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 15:15:12 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 15:15:08 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 14:14:23 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 14:14:20 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 14:14:17 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 13:13:33 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 13:13:32 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
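The lines above are C&C flood commands in the form date, time, C&C address, target, "flood", flood type, URL. When tracking an incident like this, the question an analyst usually wants answered first is how many commands of each type hit each target and over what window. The shell function below is an added example, not part of the original post or of the Shadowserver tooling; it reads lines in that format from standard input and prints one line per target and flood type with the command count and the earliest and latest timestamp seen. The embedded sample is the eight lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise C&C "flood" commands
# of the form "date time cnc_ip target flood type url" into
# "target type count first_seen last_seen", one line per target/type, sorted.
summarize_flood_log() {
    awk '
        $5 == "flood" {
            key = $4 " " $6                     # target and flood type
            count[key]++
            ts = $1 " " $2                      # fixed-width, so string order = time order
            if (!(key in first) || ts < first[key]) first[key] = ts
            if (!(key in last)  || ts > last[key])  last[key]  = ts
        }
        END {
            for (key in count)
                printf "%s %d %s %s\n", key, count[key], first[key], last[key]
        }
    ' | sort
}

# Sample input: the eight command lines quoted in the post.
SAMPLE_LOG='2008-07-20 15:15:14 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 15:15:12 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 15:15:08 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 14:14:23 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 14:14:20 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 14:14:17 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 13:13:33 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 13:13:32 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge'

# Run directly with no arguments to summarise the sample; pipe a real log into
# summarize_flood_log to summarise your own data.
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_flood_log
fi
```

Lines whose fifth field is not "flood" are ignored, so other C&C command types can sit in the same log without breaking the counts.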

The RBNExploit blog claims that Internet routing for the Georgian Internet resources may have been under attack in an effort to stop proper routing to those services. The RBNExploit Blog claims the Russian Business Network is involved; I can’t verify that claim, but if you don’t know what the RBN is you need to go find out. RBN is responsible for quite a bit of the nastiness on the Internet as far as cyber crime and fraud goes.

Additionally, the Georgian Office of Foreign Ministry was also defaced with images likening the Georgian President to Hitler, details are available at Interfax.

This article was cross posted at The Jawa Report.

Clutch: A Basket of Eggs (And Wizards, 1977)

Posted in Daily Rant, Video on July 31, 2008 by blackflag

Someone over at YouTube created a video with the Clutch song “Basket of Eggs” and excerpts from Ralph Bakshi’s 1977 animated film “Wizards”. Wizards is a cult classic and a must see for any animation fan. I think the two go together very nicely. If you haven’t seen Wizards, the entire film is available on YouTube in several parts.

Enjoy!
