Old 10-09-2009, 11:41 AM   #1
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Rep: Reputation: 15
Server receiving a lot of brute force SSH attacks


Hi all,

I have a CentOS server running SSHd, I monitor the /var/log/secure logfile which is showing a lot of brute force activity on my SSHd.

Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.

The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.

Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?

At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.

Is it worth moving my SSHd to a different port? I imagine this would prevent most of the attacks unless someone executed a port scan to reveal the new port.

I understand I can configure iptables to only accept a list of predefined IP Addresses but this isn't ideal for my circumstances, so is a last resort.

Thanks in advance.
 
Old 10-09-2009, 11:48 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by the182guy
I have a CentOS server running SSHd, I monitor the /var/log/secure logfile which is showing a lot of brute force activity on my SSHd.
I noticed a huge uptick in distributed brute force sshd attacks starting about a week ago -- on one of my VPS hosts, anyway.

Quote:
Originally Posted by the182guy
Is there any way I can see the passwords that the attackers are trying? It would be interesting to see.
I'm not sure, but you might experiment with some of the chattier sshd debug levels on a test system. (You don't want to turn this on for a system that is getting hammered with access attempts.)

Quote:
Originally Posted by the182guy
The server is configured so that the root user cannot login directly by SSH. There is only one user allowed which is a non standard, non generic username with a strong password.
Good. Don't sweat it then.

Quote:
Originally Posted by the182guy
Is it possible to see if anyone has used the correct password for the root user - or any other user, but was denied access because of the user filter?
Maybe not. If you have PermitRootLogin no in place, logging just indicates that root authentication failed. If you have AllowUsers foo in place, logging indicates that root was not found as an allowed user.

Quote:
Originally Posted by the182guy
At the moment I am manually blocking each offensive IP Address at the kernel level using iptables, which is getting a bit tedious after a while.
I wrote a "web knocking" (variation of port knocking) application that you might be interested in checking out. I have it in place on one production FreeBSD host and one Fedora host.

TIP: implement web knocking to protect your sshd service

Quote:
Originally Posted by the182guy
Is it worth moving my SSHd to a different port?
IMO, nope. Just learn to deal with the log noise.
 
Old 10-09-2009, 12:01 PM   #3
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,527

Rep: Reputation: 898
Most of these attacks are from script kiddies.
You can change the port to avoid these attacks.
Also, you can use fail2ban or iptables to block the IP for x minutes after x wrong attempts.
 
Old 10-09-2009, 12:09 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@repo: Nice idea about "rate/attempt limiting", but that trick doesn't work in a distributed attack. Each IP only tries 1 - 4 times.
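An added example, not code from this thread: a small Python checker over constructed /var/log/secure lines that contrasts the per-IP threshold repo suggests (fail2ban/DenyHosts style) with a campaign-wide view, showing why the distributed sweep anomie describes slips past a per-source rule while still being visible in aggregate. The log lines, IP addresses and threshold are constructed for the demonstration.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" line format as written to /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (not from the original post): one noisy host that hammers
# the server, plus a distributed sweep where each source tries only once or twice.
SAMPLE_LOG = """\
Oct  9 11:30:01 centos sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct  9 11:30:03 centos sshd[2103]: Failed password for root from 198.51.100.7 port 40125 ssh2
Oct  9 11:30:05 centos sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Oct  9 11:30:07 centos sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 40131 ssh2
Oct  9 11:30:09 centos sshd[2109]: Failed password for root from 198.51.100.7 port 40134 ssh2
Oct  9 11:31:00 centos sshd[2120]: Failed password for root from 203.0.113.10 port 51000 ssh2
Oct  9 11:31:02 centos sshd[2122]: Failed password for root from 203.0.113.11 port 51001 ssh2
Oct  9 11:31:04 centos sshd[2124]: Failed password for root from 203.0.113.12 port 51002 ssh2
Oct  9 11:31:05 centos sshd[2126]: Failed password for invalid user admin from 203.0.113.12 port 51003 ssh2
Oct  9 11:31:09 centos sshd[2130]: Accepted publickey for deploy from 192.0.2.5 port 60000 ssh2
"""

def failed_attempts(log_text):
    """Return a list of (user, ip) for every failed password line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits

def per_ip_block_list(log_text, threshold=5):
    """fail2ban/DenyHosts-style rule: block an IP once it reaches `threshold` failures."""
    counts = Counter(ip for _, ip in failed_attempts(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_campaign_stats(log_text):
    """Campaign-level view that still exposes a low-and-slow sweep of many sources."""
    hits = failed_attempts(log_text)
    counts = Counter(ip for _, ip in hits)
    return {
        "total_failures": len(hits),
        "distinct_sources": len(counts),
        "max_per_source": max(counts.values()) if counts else 0,
        "single_shot_sources": sum(1 for n in counts.values() if n <= 2),
    }

if __name__ == "__main__":
    print(per_ip_block_list(SAMPLE_LOG), distributed_campaign_stats(SAMPLE_LOG))
```

With the sample data the per-IP rule blocks only the noisy host, while the three low-count sources that make up the distributed sweep show up only in the aggregate counts.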
 
Old 10-09-2009, 12:15 PM   #5
uteck
Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Sidux, LinHES, and Mythbuntu
Posts: 209

Rep: Reputation: 32
When I noticed this problem I installed DenyHosts, which will auto block an IP after 5 failed login attempts. You can also enable the distributed mode so it will download known offending IPs and upload new ones you discover.

Of course this does slow down the ssh login as your IP is scanned, so be prepared for that.

http://denyhosts.sourceforge.net/
 
Old 10-09-2009, 12:59 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

For a listing and discussion of common SSH protection measures see http://www.linuxquestions.org/questi...tempts-340366/.
 
Old 10-16-2009, 09:27 AM   #7
the182guy
Member
 
Registered: Jan 2009
Posts: 40

Original Poster
Rep: Reputation: 15
Thanks for the info all, that helps a lot.
 