LinuxQuestions.org

Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Failed SSH login attempts (https://www.linuxquestions.org/questions/linux-security-4/failed-ssh-login-attempts-340366/)

emetib 01-09-2005 12:07 PM

this seems to be a nice little script for those that are really paranoid about their ssh port.

http://www.undersea.net/seanm/softwa...-access.tar.gz

take a look at the README in it. it tells you how to set the whole thing up.

you might have to wget it.

antony.booth 03-21-2005 09:25 AM

A script
 
In case anyone is interested, I have created the following script that adds ip subnets to both the hosts.deny file and the iptables.

It actually adds an entire /24 subdomain (###.###.###.0/255.255.255.0). This is so people with dynamic ip addresses are more likely to be blocked when they renew the lease.

IT DOES NOT BLOCK INVALID LOCAL USERS THAT ARE ON THE SAME CLASS C (/24) SUBNET AS THE SERVER AS DETERMINED BY COMMAND "hostname -i"

Its limitations are as follows:-

o It only compares "host.deny" and log file "secure" for new entries.
o It updates a file with the iptables, which should be restored on reboot using iptables-restore
o It has only been tested on RH ES linux and uses commands such as hostname, egrep etc. Some of these aren't fully qualified, so you should either edit the script accordingly, or make sure the PATH environment variable includes the directories for these programs.

It could do with being more efficient, but I just wanted something quick.

Don't ask for support and use at your own risk.

Code:

#!/bin/bash

# Update ban list: Useful as a cron task.
# This script updates the hosts.deny file and adds an iptables DROP entry for
# all those IP subnets (/24) whose hosts attempted to connect using an invalid
# user ID. If an attacker comes back from the same ###.###.###.* subnet, they
# will be blocked.
# Note: IP addresses that match the /24 subnet of the server are not banned.

# By Antony Booth, March 2005

declare -a inList
declare -a outArray

outFile="/etc/hosts.deny"
logFile="/var/log/secure"
iptables="/sbin/iptables"
save="/sbin/iptables-save"

# This should be used with 'iptables-restore' in a startup script in /etc/init.d
# E.G: iptables-restore -n /etc/sysconfig/iptables
dataFile="/etc/sysconfig/iptables"

# Matches the first three octets (plus the trailing dot) of a dotted quad,
# i.e. the /24 prefix "###.###.###." of an address.
regExp="^(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[1-9][0-9]|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[1-9][0-9]|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[1-9][0-9]|[1-9]|0)\."

# Get the local /24 prefix so the server's own subnet is never banned
localDomain=$(hostname -i | egrep -o "${regExp}")

# Returns success if the first argument is exactly one of the entries in
# outArray (a substring test would let "1.2.3." hide "11.2.3.")
function inOutArray()
{
    needle="$1"
    for x in "${outArray[@]}"; do
        if [ "${x}" = "${needle}" ]; then
            return 0
        fi
    done
    return 1
}

# Add the /24 prefixes of the addresses in inList to outArray if they're not
# already there.
function groupAddresses()
{
    # iterate the list of addresses found
    for i in "${inList[@]}"; do
        found=0
        thisIp=$(echo "${i}" | egrep -o "${regExp}")
        if [ "${thisIp}" != "" ]; then
            # Exclude local domain
            if [ "${thisIp}" = "${localDomain}" ]; then
                found=1
            fi
            # Check to see if current IP subnet is already in the list
            if inOutArray "${thisIp}"; then
                found=1
            fi
            # Not found in list, so add it
            if [ ${found} -ne 1 ]; then
                outArray[${#outArray[@]}]="${thisIp}"
            fi
        fi
    done
}

# get all the ip addresses using invalid user accounts; the address is field 13 of
# "... sshd[pid]: Failed password for illegal user NAME from A.B.C.D port N ssh2"
inList=( $(gawk '/illegal user/ {printf("%s ", $13)}' "${logFile}") )
groupAddresses
logArray=( "${outArray[@]}" )

unset outArray
declare -a outArray

# get the existing subnets from the deny list (lines of the form "ALL:1.2.3.")
inList=( $(gawk -F":" '/ALL/ {printf("%s ", $2)}' "${outFile}") )
groupAddresses

# subnets seen in the log that are not yet in hosts.deny
declare -a newDomains
for i in "${logArray[@]}"; do
    if ! inOutArray "${i}"; then
        newDomains[${#newDomains[@]}]="${i}"
    fi
done

# set this to 1 if you don't want a date stamp added to the hosts.deny file
label=0

# Append the list of new banned subnets to the deny file and apply them in iptables
for i in "${newDomains[@]}"; do
    if [ ${label} -ne 1 ]; then
        echo "# $(date)" >> "${outFile}"
        label=1
    fi
    echo "ALL:${i}" >> "${outFile}"
    rule="-A INPUT -s ${i}0/24 -j DROP"
    # apply the rule now
    ${iptables} ${rule}
done

# save the complete rule set once, for iptables-restore at boot
if [ ${#newDomains[@]} -gt 0 ]; then
    ${save} > "${dataFile}"
fi


emetib 03-27-2005 12:43 PM

from looking at all of the scripts that have been written for updating the iptables and just blocking these attempts, i figured that i would share my script that actually tells someone (the isp) about these attempts.

you can get it here. this will ask you to save it. it's a 444 file, so you don't have to worry about it.

other than that, do what others have suggested-
sshd_config- AllowUsers - set this up properly it will disallow anyone not there
set up usernames to more than just a first name
set up good passwds
set up dsa/rsa keys
check your logs

systems should be tightened up from the config files. if people aren't being proactive in their concerns about attempted break ins, they will keep happening. that is, if people are just configing their server, then these kids will keep spreading the scripts, and keep trying others and succeeding.

i feel, it's an opinion, that if the isp doesn't know that this is happening from their blocks, even if it's an infected host, then nothing will change. we have a responsibility, as server operators, to keep the web safe for others and ourselves. when people are only focusing on their own systems security, and not helping others, then we might as well be running a bought os.

Gibsonist 04-02-2005 04:33 PM

Quote:

Originally posted by johnnydangerous
well if you may pls tell about ssh-agent and ssh-add
the ssh-agent takes care of your keys for you once you add it and if necessary entered the pass phrase. after this you only need to connect via ssh and no further pass phrase is asked.

you can run the agent by
Code:

ssh-agent /bin/bash
(could be ssh-agent2)
instead of /bin/bash you can use your shell you feel comfortable with,
personally I invoke bash with a different .bashrc so I know when I am in a shell running the agent

after the agent is running you run ssh-add
Code:

ssh-add
(ssh-add2) to add the keys to the agent, it will ask you the pass phrase for any key loaded, there is a way to specify which key (identity) you want to load, but let's keep things simple.

if you now establish a ssh connection you should connect without any further authentication.

to be on the secure side you can unload the keys out of the agent by running
Code:

ssh-add -D
also it is possible to lock the agent by running
Code:

ssh-add -L
it can be unlocked using
Code:

ssh-add -U
I hope this helps.
Code:

ssh-add -l
lists all loaded keys.

It is good practice to unload the keys before quitting the agent with exit.
Here is my .bashrc which I use with ssh-agent

Code:

export PS1="SSH-\u:\w>"
alias keys='ssh-add2 -l'
alias keysOn='ssh-add2'
alias keysOff='ssh-add2 -D'
alias quit='ssh-add2 -D;exit'

I simply invoke it by running
Code:

ssh-agent /bin/bash -rcfile .bashsshrc
Please note that the use of ssh-agent(2), ssh-add(2) and ssh(2) depends on your version of ssh (OpenSSH or SSH2)

AAnarchYY 06-16-2005 01:18 AM

authfail
 
I've been getting this crap for quite a while, I originally just changed the ssh port to a non-standard port but that only fended off some of them. I still came home to a flooded log. I found this program called authfail http://www.bmk.bz/?p=33 that worked great for me. It by default logs 4 failed ssh login attempts from the same ip then puts the ip into iptables -j DROP all realtime. I had to hack the hell out of it to make it work (it read the ip wrong, started kinda crummy, and a few other things, and i made it add the ip to hosts.deny also), but looking at the website it appears that it's been updated since i got it so maybe that stuff is fixed. Anyway, it's made my logs a whole lot smaller and keeps people from continually hammering away at my sshd while allowing real traffic in (even with a few failed logins).
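As an added example that is not code from any post in this thread: the per-address threshold that authfail is described as applying (four failures from one address before a DROP) combined with the /24 reduction antony.booth's script does, run over a constructed sample of sshd log lines. It assumes the old syslog-style "Failed password for ... from A.B.C.D" line format; the addresses are documentation ranges, not real sources.

```shell
#!/bin/bash
# Added example (not from the thread): find sshd failed-login sources that reach
# a threshold and reduce them to the "###.###.###." form used in hosts.deny.

# Constructed sample of /var/log/secure lines (not real log data)
SAMPLE_LOG='Jun 16 01:02:03 host sshd[201]: Failed password for illegal user admin from 203.0.113.7 port 4021 ssh2
Jun 16 01:02:05 host sshd[202]: Failed password for illegal user test from 203.0.113.7 port 4022 ssh2
Jun 16 01:02:07 host sshd[203]: Failed password for illegal user guest from 203.0.113.7 port 4023 ssh2
Jun 16 01:02:09 host sshd[204]: Failed password for illegal user oracle from 203.0.113.7 port 4024 ssh2
Jun 16 01:03:00 host sshd[210]: Failed password for root from 198.51.100.9 port 5100 ssh2
Jun 16 01:03:30 host sshd[211]: Failed password for bob from 192.0.2.44 port 6000 ssh2
Jun 16 01:04:00 host sshd[212]: Accepted publickey for bob from 192.0.2.44 port 6001 ssh2'

# stdin: log lines. Prints "count ip" for every address with failed logins,
# most frequent first. Successful logins ("Accepted ...") are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# stdin: log lines. Prints only addresses whose failure count reaches $1.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Reduce an address to its /24 prefix in hosts.deny form ("203.0.113.").
to_slash24() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.\n", $1, $2, $3 }'
}

# Run the detection over the sample with authfail's default threshold of 4 and
# return "ip prefix" lines, one per offender.
sample_ban_list() {
    printf '%s\n' "$SAMPLE_LOG" | offenders 4 | while read -r ip; do
        printf '%s %s\n' "$ip" "$(to_slash24 "$ip")"
    done
}

sample_ban_list
```

Only 203.0.113.7 reaches four failures; the single failures from the other two addresses stay below the threshold and are not listed.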

Capt_Caveman 07-05-2005 05:46 PM

//Moderator note: This thread is the abbreviated version of a much larger original thread that can be found here. Only the most relevant posts have been included in this version.

Capt_Caveman 07-17-2005 12:12 AM

A recent Slashdot article discussed this issue and included a number of links to apps that looked interesting:

http://denyhosts.sourceforge.net/
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.hexten.net/sw/pam_abl/index.mhtml
http://fail2ban.sourceforge.net/

Obviously use at your own risk.

Capt_Caveman 08-10-2005 11:15 PM

Our very own LQ mod Tinkster pointed out this tool that looks useful as well:

http://www.aczoom.com/cms/blockhosts/

Thanks Tink!

unSpawn 01-03-2006 03:22 PM

A quite complete summary of options from the makers of Samhain: Defending against brute force ssh attacks.
