We are pleased to announce the launch of a new API method.
Now you can get a country code to identify the country by IP address by one API call.
The API method returns a 2 letters country code (US, UK, CN and etc) or full country name (Germany, Canada) for an IP address. Limit to the number of data is 1000.
The instruction of how to use this method you can find here.
https://cleantalk.org/help/api-ip-info-country-code
CleanTalk launches a major project to create a cloud service for the safety of websites. The project will include several functions: protect the site against brute force attacks, vulnerability scanner and virus removal.
Each function will have a number of features which help you easily keep the website safe from hackers.
Those who visit our headquarters in San Jose (Cisco Systems) always amazes large video wall that displays a picture of attacks in real time with the ability to drill after touching certain areas of the screen.
However, like any map attacks, and I have collection of already 34, any such visualization is ineffective in real life. Show to superiors, show to journalists, to include in any movie… It’s all useful, but not very applicable in practice. Usually you have your own data sets that are generated by your protection. And you wonder what is happening in your network or directed at your network, but certainly not the beautiful card with the “ballistic missile attacks”, which are drawn by the absolute majority of companies offering visualization services attacks.
“… you come to me, and you ask something, but you don’t ask with respect …”
Vito Corleone
Phishing is still the most popular and most successful type of hacker attacks. It’s simple, attacked is not the software, not servers, not networks, and the most vulnerable components of information systems – users. I often meet with phishing, as a single, to personal addresses, and mass attacks. In most cases, it is awkwardly composed letters and clumsily made phishing pages. Until recently most of these attacks frustrated at the user level: letters or just ignored (as the signs of phishing was very obvious) or in the worst case, the letters are forwarded to customer support with the question “is it safe to enter your password on this page?”. Of course, some part of users still underway, but in percentage terms, it was really low. But just last week I was faced with a phishing attack, which surprised me. I did some analysis and found out how it was organized and what tools were used.
Online shopping has always attracted intruders: it is a source of credit card data (now almost irrelevant); user data; data about orders and market trends (consumer demand); a traffic source; manipulation with the discount coupons, etc. An e-commerce site may be attacked as intruders in “free hunting” (non-targeted attack) and by the request of unfair competition. Recently are popular different kinds of DoS/DDoS attacks, as to disable a competitor and as a tool for blackmail.
In this topic, I will describe best practices for the protection of e-commerce sites.
Today I was interested in the survey whether it is necessary to move SSH to a nonstandard port. The survey is not as interesting as the way the author @zivot_je_cudo to protect SSH from brute-force password: after wrong connection attempts to block new attempts within 20 seconds. The delay apparently chosen empirically on the basis of two opposite requests: to not lock yourself in case of misspelling a long time, and at the same time, make life difficult for the picker. I want to share my way to resist brute-force, which is used for several years. It has two advantages:
How can I achieve these two opposite goals?
I use module iptables called hashlimit, which is able to count the number of packets in a certain period of time and after a while to reset the counter.
Everything is done by three rules:
iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m hashlimit –hashlimit 1/hour –hashlimit-burst 2 –hashlimit-mode srcip –hashlimit-name SSH –hashlimit-htable-expire 60000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j DROP
iptables -A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
What makes the second and the third rule is clear. The most interesting in the first: it allows two connection attempts for an hour. Once you exceed 2 attempts for a specified time, rule with -j ACCEPT stops working, the user instead of this goes into the following rule with -j DROP (exactly the same way you can put TARPIT).
After that, you will not be able to connect, and starts the countdown 60,000 milliseconds, after which information about your attempt to “become rotten” (parameter –hashlimit-htable-expire). That is you really are not come to wait 1 hour, and just only 1 minute. The whole ruse is that if you cannot wait this time and try again to connect, the packet will be killed, and the counter is again reset back to is initial state – 1 minute! Thus, if you are impatient and stupid bruteforcer and will hammer away the port after blocking, you’ll prolong your ban with each attempt! That is, you will ban yourself forever!
Good user on the contrary has multiple connection attempts without waiting between them, before he get into the “bath”.
hashlimit module saves its state in the / proc – initially it’s empty:
# cat /proc/net/ipt_hashlimit/SSH
after the first connection attempt information gets there:
# cat /proc/net/ipt_hashlimit/SSH
55 ХХ.ХХ.ХХ.ХХ:0->0.0.0.0:0 11533000 230400000 115000000
the first number is the number of seconds remaining, you can see how it evenly ticking:
# cat /proc/net/ipt_hashlimit/SSH
20 ХХ.ХХ.ХХ.ХХ:0->0.0.0.0:0 117429000 230400000 115000000
After I did it, I really wanted to check it out. And wow! The ball comes to the player! I immediately began to brute-force by some Chinese. The first four attempts passed, and further he stupidly knocked the closed door within the hour (!). During this entire hour he managed to check only four passwords! Then, apparently, he tired.
Thus solved two problems:
— if the user suddenly sealed, he didn’t have to wait long for new attempts
— bruteforcer themselves driven into an “eternal” ban.
What if you suddenly with a few attempts were not able to enter your password? Do not fuss – wait a minute, and calmly try a few more times.
And if you again failed – it is better to go to sleep, in this state it is better not to go into the console :))
Good luck.
P.S. And yes, I almost forgot — I have SSH on non-standard port 🙂
UPD: A little about setting hashlimit.
UPD2: How to achieve the same with a more recent common module: one, two.
UPD3: Of course the method is suitable not only for protection from password guessing on SSH, but can be used for various other services, where too often the connection indicates something is wrong.
UPD4: The connections limit using the SSHD.
This text is a translation of the article “Защищаем SSH от брутфорса на любом порту” published by Евгений Лисицкий on habrahabr.ru.
About the CleanTalk service
CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
Object: Web login form.
Given task: to strengthen the protection of the user’s account from the selection of a simple password to his account, using a minimum of resources.
What is the minimum of resources? It does not use a table-reference to block by IP-address and User-Agent. Do not use unnecessary requests to the system; do not clutter up the system with unnecessary authorization cycles.
And, to do the magic requirement — even if the bot will enter the required username and password… do not let him enter, but the real user to let.
Is it possible to do that? In theory, of course not. But in practice, and in private, under certain conditions, it proved to be quite possible.
Welcome under cut for details.
So, let’s assume that our user has login “test” and password “12345”. Vile bot has connected dictionary-generated passwords and are ready to work at a speed of 700 passwords per second. It knows that the login user is “test”. Situation breath-taking: the password “12345” will be calculated over very small time. The user, meanwhile, opened the website and started to enter the username and password in a web form login.
Let’s make changes in the authorization system, while none of them has started its work, and the trouble has not yet happened.
Magic will be in the third variable to be “glued” to the login-password pair. I called her touch.
Every time someone gets (attention: gets, not ask!) the login and password, the date “touch” for user “test” is updated to the current date-time:
login/password/touch: 'test', '12345', '2014-12-13 14:00:00'.Suppose that the bot is started the first iteration and was offered the password “1” for login “test” ‘2014-12-13 15:00:00’. Triggered the login_check controller that reads from the database a couple of login and password that no one “touched” as much as 2 seconds! Where do these 2 seconds?! About it further.
Such a pair of login and password is found. The difference between the last «touch» and the current time – 1 hour. So record successfully returned to our request.
First login-password pair are matched and login_check concludes that «test / 12345″ is not equal to «test / 1.” The controller returns «auth error». And then the date «touch» for user «test» is updated to the current: “13/12/2014 15:00:00”.
The bot proceeds to the next iteration: tries the password “2”.
The speed of a bot is measured by microseconds. It tries to log in immediately: in the ’13/12/2014 15:00:00 “.
And here comes into play our algorithm – a condition for the parameter «touch» is not already running. 2 seconds have not yet passed. Fail.
Modified by our logic controller «login_check» cannot get a couple of login and password.
The record exists, but its date of “touch,” is too “fresh”.
And it is not part of the sample. And if such pair of login and password is not present, then the controller will respond to the bot “auth error”.
The bot does not give up, continues to guess, and finally comes to a correct password “12345”.
The probability that it is current attempt will return success – and is extremely small. 1/700 for each login attempt! That is, if earlier it was 1:1, now 1:700. And the faster bot is, the more likely that it is waiting for fail.
As a result, only a very small part of the password will be really checked. The rest will get false positives, even if they are correct.
What about the user?
Let’s start with the user. The user, in contrast to the bot enters data into a web form by hands across the keyboard and watching the visual organs on the monitor. And the flexibility of its algorithmic abilities much better than the bot. In fact, the user in some way artificial intelligence. So, part of the logic is already in it. And we’re going to use it!
When the user sees the authorization error, he often rewrites the password again. Even if he just enter the password himself. Even if the password is filled automatically from password manager. I did this even before I applied system of protection of simple passwords.
Yes, I promised to tell you about two seconds. I am telling:
Two seconds is the optimum time for which the user carries out operations on data correction and makes the following login attempt. In those two seconds the user completely fits. If the user does not have time – he can always try again and this time the operation touch is probably already canceled.
In conclusion.
What happens if the bot will know about a 2-second delay? If we apply our test data, this means that the efficiency of the bot will decrease: only 1 attempt to crack the password instead of 1400.
P. S. I’d like to hear the criticism because the system is already implemented in one project and have not yet created any ticket with the problem of access to the system.
Thanks in advance.
The main disadvantage of this method is the ability to block the bot authorization for the user whose account is trying to crack. In the activity of the bot the user will see the same error log and the author assumes the user is accessing tech support with the question of authorization.
About the CleanTalk service
CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
This text is a translation of the article “Как усилить защиту паролей «12345» от brute-force атаки” published by Дмитрий on habrahabr.ru.
CleanTalk started to provide its database of IP addresses for banks, payment services, and the companies, evaluating the risk of fraud that strengthens the existing security system of the organization bringing it to a new level.
Fraud can happen anywhere in the eCommerce world.
It doesn’t matter if you’re running a small online business or are an owner of a retail chain.
It’s hard to estimate the true scale of fraud in business, but it’s a serious issue. Fraud isn’t only related to monetary loss, but can also harm your reputation and brand image. Online business owners need to prepare for fraudulent activities so they can detect and prevent them.
CleanTalk is one of the leaders of the anti-spam protection for websites, has a database of IP addresses involved in spam attacks and in addition to spam, the IP addresses are used by hackers and for other types of attacks, including for fraud.
Every day CleanTalk receives information about spam attacks from 40-60 thousands of IP addresses. The entire base of spam active IP is about 20 000 000 IP addresses.
The presence of IP addresses in the blacklist is one of the risk factors, saying that the transaction can be suspicious and it is worth considering carefully. This helps to eliminate the threat of fraud before it gets realized.
Using database of CleanTalk, you can greatly reduce the risks of online transactions and used as an additional factor in assessing the risks.
Partnership to reduce the risk of fraud is already appreciated and used by a number of large companies.
CleanTalk identifies spam bots, using its own algorithms to estimate the parameters of visitors, on the basis of these tests it formed its own database of spam bots. Checking existing comments is made on the basis of the nearly 2 million of certain spam bots. Detailed statistic allows CleanTalk customers to control the whole process.
“The team CleanTalk has been developing a cloud spam protection system for five years and has created a truly reliable anti-spam service designed for you to guarantee your safety,” For more information visit www.cleantalk.org.
We are pleased to announce the launch of check the availability of backlinks to domain in spam comments/messages.
CleanTalk keeps track of the links in spam comments/messages; this will help you to learn about the incorrect SEO techniques in promoting the website and to maintain the reputation of the website. The presence of the domain in the links of spam messages it is a reason to contact your SEO company and clarify which methods they use for SEO. If you have an affiliate program, you can check their domain and IP to check the reputation.
Many people know that if you send spam, your IP address will be blacklisted. But not all people know that your domain name can be listed in various black lists. If this happens, no matter where you send the message, various spam filters can find your domain name in the content and block the message.
The presence of links to the domain in spam messages could have a negative impact on SEO, because search engines can identify a comment on the site as spam.
You can check domain here.
For cloud services, email marketing is an important tool that should be used for maximum impact. Email remains one of the main driving forces in the marketing and is the basis for creating customer relationships. Properly configured email marketing can provide significant growth in the customer base. We want to tell about our developments used in the service of spam protection CleanTalk.
Step one. The letter with the details
Nothing extra, nothing distracts the user from the main goal – to use the service to solve their problems, only the functionality and minimalism. A letter is sent immediately after registration.
Step two. The email anti-spam report
Letter is sent on the 5th day of using the service at 10 am at the user’s time. Until 10 am, many users have time to see all the mail; there are no unread messages already, and the probability that our letter will be lost in the mass decreases.
Title immediately attracts attention, the numbers of spam attacks and mention of the website arouse great interest the user to open the letter and read the contents. The content of the letter is the statistics of the work of the service, and users become familiar with ability to control the service, there is an understanding that the blocked messages will not be lost even in case of errors.
Each number is a link, clicking on which the user gets to the page of detail of the queries, where you can view the IP/email and the contents of the message and the reason for blocking.
Because other solutions could not provide such statistics, it arouses interest from users: to see the filtering accuracy and just out of curiosity to know what is written in the spam. After going to the dashboard, they are continuing familiarity with the service.
This mailing is primarily intended for new users, to show them the utility of the service and convenience, so the percentage of opening of the report 30-35%, experienced users look at the statistics without notice.
Step Three. The notice of the imminent end of the trial period
The letter is sent the same day that the anti-spam report, but already at 3 pm the user’s time. After lunch, users again have time to view all the mail and the probability of lost of the letter less.
Title letter «This email is about donuts and coffee» attracts interest and is consistent with the text of the letter without causing irritation. The header defines the expectations of the letter of the text, and it is justified.
The letter is intended to inform the user of the imminent end of the trial period and remind the need to pay the service for future use. The title and text are intended to mitigate the irritation from having to pay and cause positive emotions. In the letter we write that as a result the user gets their money’s worth. Spam protection? But there are other options; we give to understand that CleanTalk saves time that can be spent on more useful things.
Purchase put off for later, it reduced conversions. Therefore, in the letter there is an element of urgency to induce the user to make a decision. It’s a bonus +3 free months when you pay before the end of the trial period, prompts the user for a decision.
About the service CleanTalk
CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).
