Category: CleanTalk

Today I was interested in the survey whether it is necessary to move SSH to a nonstandard port. The survey is not as interesting as the way the author @zivot_je_cudo to protect SSH from brute-force password: after wrong connection attempts to block new attempts within 20 seconds. The delay apparently chosen empirically on the basis of two opposite requests: to not lock yourself in case of misspelling a long time, and at the same time, make life difficult for the picker. I want to share my way to resist brute-force, which is used for several years. It has two advantages:

• it gives me more attempts to set the correct password
• but at the same time blocks the brute force “forever”.

How can I achieve these two opposite goals?

I use module iptables called hashlimit, which is able to count the number of packets in a certain period of time and after a while to reset the counter.
Everything is done by three rules:

iptables -A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -m hashlimit –hashlimit 1/hour –hashlimit-burst 2 –hashlimit-mode srcip –hashlimit-name SSH –hashlimit-htable-expire 60000 -j ACCEPT

iptables -A INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j DROP

iptables -A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT

What makes the second and the third rule is clear. The most interesting in the first: it allows two connection attempts for an hour. Once you exceed 2 attempts for a specified time, rule with -j ACCEPT stops working, the user instead of this goes into the following rule with -j DROP (exactly the same way you can put TARPIT).

After that, you will not be able to connect, and starts the countdown 60,000 milliseconds, after which information about your attempt to “become rotten” (parameter –hashlimit-htable-expire). That is you really are not come to wait 1 hour, and just only 1 minute. The whole ruse is that if you cannot wait this time and try again to connect, the packet will be killed, and the counter is again reset back to is  initial state –  1 minute! Thus, if you are impatient and stupid bruteforcer and will hammer away the port after blocking, you’ll prolong your ban with each attempt! That is, you will ban yourself forever!

Good user on the contrary has multiple connection attempts without waiting between them, before he get into the “bath”.

hashlimit module saves its state in the / proc – initially it’s empty:

# cat /proc/net/ipt_hashlimit/SSH

after the first connection attempt information gets there:

# cat /proc/net/ipt_hashlimit/SSH
55 ХХ.ХХ.ХХ.ХХ:0->0.0.0.0:0 11533000 230400000 115000000

the first number is the number of seconds remaining, you can see how it evenly ticking:

# cat /proc/net/ipt_hashlimit/SSH
20 ХХ.ХХ.ХХ.ХХ:0->0.0.0.0:0 117429000 230400000 115000000

After I did it, I really wanted to check it out. And wow! The ball comes to the player! I immediately began to brute-force by some Chinese. The first four attempts passed, and further he stupidly knocked the closed door within the hour (!). During this entire hour he managed to check only four passwords! Then, apparently, he tired.

Thus solved two problems:

— if the user suddenly sealed, he didn’t have to wait long for new attempts

— bruteforcer themselves driven into an “eternal” ban.

What if you suddenly with a few attempts were not able to enter your password? Do not fuss – wait a minute, and calmly try a few more times.

And if you again failed – it is better to go to sleep, in this state it is better not to go into the console :))

Good luck.

P.S. And yes, I almost forgot — I have SSH on non-standard port 🙂

UPD: A little about setting hashlimit.

UPD2: How to achieve the same with a more recent common module: one, two.

UPD3: Of course the method is suitable not only for protection from password guessing on SSH, but can be used for various other services, where too often the connection indicates something is wrong.

UPD4: The connections limit using the SSHD.

This text is a translation of the article “Защищаем SSH от брутфорса на любом порту”  published by Евгений Лисицкий on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

We are pleased to announce the launch of check the availability of backlinks to domain in spam comments/messages.

CleanTalk keeps track of the links in spam comments/messages; this will help you to learn about the incorrect SEO techniques in promoting the website and to maintain the reputation of the website. The presence of the domain in the links of spam messages it is a reason to contact your SEO company and clarify which methods they use for SEO. If you have an affiliate program, you can check their domain and IP to check the reputation.

Many people know that if you send spam, your IP address will be blacklisted. But not all people know that your domain name can be listed in various black lists. If this happens, no matter where you send the message, various spam filters can find your domain name in the content and block the message.

The presence of links to the domain in spam messages could have a negative impact on SEO, because search engines can identify a comment on the site as spam.

You can check domain here.

For cloud services, email marketing is an important tool that should be used for maximum impact. Email remains one of the main driving forces in the marketing and is the basis for creating customer relationships. Properly configured email marketing can provide significant growth in the customer base. We want to tell about our developments used in the service of spam protection CleanTalk.

Step one. The letter with the details

Nothing extra, nothing distracts the user from the main goal – to use the service to solve their problems, only the functionality and minimalism. A letter is sent immediately after registration.

Step two. The email anti-spam report

Letter is sent on the 5th day of using the service at 10 am at the user’s time. Until 10 am, many users have time to see all the mail; there are no unread messages already, and the probability that our letter will be lost in the mass decreases.

Title immediately attracts attention, the numbers of spam attacks and mention of the website arouse great interest the user to open the letter and read the contents. The content of the letter is the statistics of the work of the service, and users become familiar with ability to control the service, there is an understanding that the blocked messages will not be lost even in case of errors.

Each number is a link, clicking on which the user gets to the page of detail of the queries, where you can view the IP/email and the contents of the message and the reason for blocking.

Because other solutions could not provide such statistics, it arouses interest from users: to see the filtering accuracy and just out of curiosity to know what is written in the spam. After going to the dashboard, they are continuing familiarity with the service.

This mailing is primarily intended for new users, to show them the utility of the service and convenience, so the percentage of opening of the report 30-35%, experienced users look at the statistics without notice.

Step Three. The notice of the imminent end of the trial period

The letter is sent the same day that the anti-spam report, but already at 3 pm the user’s time. After lunch, users again have time to view all the mail and the probability of lost of the letter less.

Title letter «This email is about donuts and coffee» attracts interest and is consistent with the text of the letter without causing irritation. The header defines the expectations of the letter of the text, and it is justified.

The letter is intended to inform the user of the imminent end of the trial period and remind the need to pay the service for future use. The title and text are intended to mitigate the irritation from having to pay and cause positive emotions. In the letter we write that as a result the user gets their money’s worth. Spam protection? But there are other options; we give to understand that CleanTalk saves time that can be spent on more useful things.

Purchase put off for later, it reduced conversions. Therefore, in the letter there is an element of urgency to induce the user to make a decision. It’s a bonus +3 free months when you pay before the end of the trial period, prompts the user for a decision.

About the service CleanTalk

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

General information

This article describes how to create simple chat-bots of services Telegram and Slack on the example checks the IP|Email for spam using antispam service CleanTalk.

Telegram

The first step is the creation of your bot (in our case @CleanTalkBot) – for this purpose there is a bot Telegram @BotFather. Add it to your Telegram account and set the command /newbot. The bot will ask you to enter the name of the bot – enter the name. After that enter the user name of the bot – we have made the name of the bot and the bot user name is the same – the user name must end with bot or Bot – for example HabrArticleBot or CleanTalkBot. After entering the username the bot will be created and you will be given a token that will be used later for identification.

The second step is to install a webhook — in other words, a request handler, coming into the chat-bot from users. When the user sets a command to your chat-bot, Telegram refers to the address that was specified as a webhook, and transmits a user message and service information, your handler generates response and sends back a Telegram, after that Telegram gives the answer to the user. This can be done using the command curl in the terminal –

curl -d "url=https://example.com/telegramwaiter.php" https://api.telegram.org/botYOUR_TELEGRAM_TOKEN/setWebhook

where YOUR_TELEGRAM_TOKEN – the same token that was given to you before the bot @BotFather and https://example.com/telegramwaiter.php – this is the address to which will handle requests Telegram. In response Telegram should return json string type

{"ok":true,"result":true,"description":"Webhook is set"}

that means the handler for your chat-bot successfully installed.

Here it is necessary to add that the Telegram works only on the https – if you have a certificate issued by special organizations (not self-signed), then everything is fine, but if you want to use self-signed certificates – see the documentation here https://core.telegram.org/ bots / self-signed.

The third step is to write the queries handler itself from the Telegram telegramwaiter.php — a sample script in PHP looks like this

<?php

set_time_limit(0);

// Installing the token

$botToken = "YOUR_TELEGRAM_TOKEN";

$website = "https://api.telegram.org/bot".$botToken;

// Received a request from Telegram

$content = file_get_contents("php://input");

$update = json_decode($content, TRUE);

$message = $update["message"];

// Get internal number of the chat Telegram and command entered by the user in the chat

$chatId = $message["chat"]["id"];

$text = $message["text"];

// Example of processing the command /start

if ($text == '/start') { $welcomemessage = 'Welcome!!! Check IP/Email for spam giving "check IP/Email" command';

// Send the generated message back to the Telegram user

file_get_contents($website."/sendmessage?chat_id=".$chatId."&text=".$welcomemessage);

} ?>

The procedure is – get in the variable $text command from the user in the chat, form according to the desired logic the message, and give back to the user using the function file_get_contents().

How it works you can see by adding @CleanTalkBot bot in Telegram – enter the command check IP|Email and get the information about is the specified IP|Email spam.

Example of a response

Email st********@*****le.com is BLACKLISTED. Frequency 999. Updated Apr 24 2019. https://cleantalk.org/blacklists/st********@*****le.com.

Slack

The service Slack has a little different approach to creation of chat bots.

Go here — https://api.slack.com/apps/new and create a new application Slack.

In the app list https://api.slack.com/apps choose our app and go to the menu on the right for the link Slash Commands and click Create new command.

In the form that appears the following fields

Command – enter the command, beginning with / – for example /cdcheck.

Request URL – URL commands request handler – similar webhook Telegram (eg https://cleantalk.org/slackwaiter.php).

Short description — a brief description of what you can do with the created command.

Save command. Note – your site must be running on the https – in this case self-signed certificates are NOT SUPPORTED by the service Slack.

The token for identification can be found on the page a list of commands – under the list of commands is the field Verification token – then it appears as YOUR_SLACK_TOKEN.

Write handler slackwaiter.php in PHP

<?php

set_time_limit(0);

// Check input from Slack token for compliance with issued by the dashboard Slack

if ($_POST['token'] == 'YOUR_SLACK_TOKEN') {

// $param - this is the text that goes after command

// for example if the command /ctcheck 127.0.0.1

// then $param = 127.0.0.1

$param = $_POST['text'];

// Then according to the internal logic the answer is formed

$slackresponse = ‘Here is the response to the command’;

} else $slackresponse = ‘Error’;

$response = array();

$response['text'] = $slackresponse;

header('Content-Type: application/json');

echo json_encode($response);

?>

Then go here https://api.slack.com/docs/slack-button and in the section Add the Slack button check mark incoming webhook and commands – Slack generates html-code of button by clicking on which other commands will be able to integrate your application in account Slack.

The above button is placed on your site – by clicking on button opens next picture

To login you need to select a channel, where you can use the application.

By clicking on the button Authorize Slack redirects the user to a page Redirect URI (s), which is defined by you (the developer) here – https://api.slack.com/apps, select your application and go to the link App Credentials – see the following picture

Slack not simply redirects the user to a given page, and adds a GET-variable code with the value that would later be processed by the script, for example

https://cleantalk.org/authscript.php?code=Slack_Code

Next, we give an example script code authscript.php. CLIENT_ID CLIENT_SECRET take from the corresponding fields in the previous image.

<?php

if (isset($_GET['code'])) { $client_id = 'CLIENT_ID';

$client_secret = 'CLIENT_SECRET';

$code = $_GET['code'];

$response = file_get_contents("https://slack.com/api/oauth.access?client_id=".$client_id."& client_secret=".$client_secret."&code=".$code);

$responsearr = json_decode($response, true);

if (isset($responsearr['team_name'])){ header('Location: https://'.$responsearr['team_name'].'.slack.com');

exit();

} else { echo 'Error.';

exit();

} } else exit();

?>

The procedure is – get from Slack GET variable code and another with two parameters – the client_id and client_secret – send a GET request to the page https://slack.com/api/oauth.access. In response, Slack will send the json-string with a lot of fields – something like this

{‘ok’: true, ‘team_name’: ‘your_team_name’}

then just get the name of the command and redirect the user to the main page of his command https://your_team_name.slack.com team – the application is authorized, you can use the application commands.

The team of service Cleantalk hopes that this information will be useful for anyone interested in the development of chat-bots.

We inform you that we have developed apps for Slack and Telegram, which allow you to check the blacklisted IPs/emails directly in the chat.

To do this, you need to add the application to your chat and send IP/email command to do the checking. The application makes a request to our database and returns the result in the chat “Spam” or “Not Spam.”

Instructions can be found here https://cleantalk.org/help/bots

If you use Slack or Telegram chat frequently, you will be comfortable to use our application as well, so you won’t have to go to our website to check whether the IP/email is blacklisted or not.

Dear users!

We are pleased to announce the launch of an anti-spam filter for subnets.

Now you can add to your personal black list not only the certain IP addresses, but also a separate subnet. You can add entries to your personal black list in Black&White lists section of your CleanTalk Dashboard.

The instruction of how to add entries to your personal blacklists can be found here:https://cleantalk.org/help/sfw-blocks-networks.

Dear Customers,

We are pleased to announce the launch of a new option in the CleanTalk dashboard.

This option allows you to delegate access rights to other users in CleanTalk dashboard.

This option is useful for web studios and web masters serving the customer sites and allows you to provide access to view or give full access to manage settings for each site.

Read access: allows the user to view all sections of the dashboard.

Full access: allows you to change the service settings for a specific site, to make changes in the personal black lists, connect with extended options.

For each of the websites, you can delegate different access rights to one user to assign read access, and for others to provide full access.

Instructions for use can be found here https://cleantalk.org/help/delegation

Please note that this option will be included in the advanced package from 15 July 2016.