LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-12-2006, 11:04 AM   #1
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Rep: Reputation: 0
Question on Brute Force Attacks


Quick info. Have a managed VPS. Security was installed, I setup to send me brute force attempt emails. Below is a short example:


Oct 11 03:09:03 host sshd[27797]: Invalid user test from 58.177.250.178
Oct 11 07:09:05 host sshd[27803]: Failed password for invalid user test from
58.177.250.178 port 50471 ssh2
Oct 11 03:09:05 host sshd[27797]: Failed password for invalid user test from
58.177.250.178 port 50471 ssh2
Oct 11 07:09:06 host sshd[27803]: Received disconnect from 58.177.250.178: 11:
Bye Bye
Oct 11 03:09:07 host sshd[27847]: Invalid user test from 58.177.250.178
Oct 11 03:09:10 host sshd[27847]: Failed password for invalid user test from
58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Failed password for invalid user test from
58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Received disconnect from 58.177.250.178: 11:
Bye Bye


Now I'm pretty new to the Admin side of linux so I don't fully understand something and hope someone can explain. Unless I'm mistaken sshd[27797], sshd[27803], and sshd[27849] for example are three different SSH ports this person tried to connect to for SSH.

My Host and others say for Brute force the best thing to do is change the port from 22 to something else. I know how to do that and can...

What I don't understand is how that would help. Unless I'm reading something wrong in all the logs I don't see where they tried to connect to 22.

Feedback appreciated.
 
Old 10-12-2006, 11:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Rep: Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904
Hello there and welcome to LQ. Hope you like it here.

Have a managed VPS. Security was installed
What exactly was installed that enhances security?


sshd[27797], sshd[27803], and sshd[27849] for example are three different SSH ports this person tried to connect to for SSH.
No, the [27797] is a notation for a process ID or short "PID" of the child of sshd (the SSH daemon).


My Host and others say for Brute force the best thing to do is change the port from 22 to something else. I know how to do that and can... What I don't understand is how that would help. Unless I'm reading something wrong in all the logs I don't see where they tried to connect to 22.
Just disregard people that tell you to change ports: it does not enhance security one bit (or maybe it does in some parallel universe where statistics overrule reality). Start by tightening your sshd_config (no root, passphrases instead of passwords, only Protocol 2, only allowed users). If SSH is only used for admin purposes you can put in firewall rules + tcp_wrappers so it's only accessable from your management IP addresses or ranges. With that in place read the sticky Failed SSH login attempts thread and pick one method to implement.
 
Old 10-12-2006, 12:24 PM   #3
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Ah, thanks for the info. Thought that "sshd[27797]" was a random port they were trying.

For purposes I only use for admin / some site management and all accounts are mine so only I need access. I briefly looked over that thread before posting this, but will look into it further. Not sure on how to do a few things you mentioned but 9/10 it was already posted so I'll check first.

As far as security this is what was done by default:

Quote:
1. Upgrade Apache/PHP, openssh, openssl, mysql etc.

2. Firewall Installation.

APF BFD SIM PRM LES NSIV SPRI

3. Rkhunter Installation.

4. Mod_Security Installation.

5. /tmp hardening.

6. Disable non-root access to unsafe binaries.
Going to look into that thread. Thanks for the site welceom. Lots of info here
 
Old 10-12-2006, 07:42 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Rep: Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904Reputation: 2904
APF BFD SIM PRM LES NSIV SPRI
For those with low TLA/FLA-fu:
APF (Advanced Policy Firewall)
BFD (Brute Force Detection)
SIM (System Integrity Monitor)
PRM (Process Resource Monitor)
LES (Linux Environment Security)
NSIV (Network Socket Inode Validation)
SPRI (System Priority)

* I suggest installing a file integrity checker like Aide or Samhain RSN since your install is still relatively "fresh".
Next to that Monit could replace (way more configurable, faster) SIM, PRM and NSIV. GRSecurity or SELinux overrule LES and NSIV by a mile w/o making a system non-standard wrt DAC rights and extended attributes (easier troubleshooting, easier on updates). If you're an RFX Fan for Life just disregard it but you can't miss the main portion of the code was written between 2002 and 2005 (AFAIK) and maybe you already have been told: "please be aware this is not a silver bullet, and these do not prevent exploits of services you do run." before you signed up for installing those. While I agree OTS tools can do a great job in quickly providing (a sense of) security, you *do* have to configure and maintain them periodically to be effective (for instance LES by default knows wget but doesn't know Perl-libwww's GET).
It's a continuous process, no Fire and Forget here.


5. /tmp hardening.
Mounting it "noexec,nosuid,nodev" is good but won't spare you if you run vulnerable or obsolete versions of PHP-based apps. Spam piggybacking on LAMP does no longer seem to require root account privileges (check out those "I got hacked" threads here). Enhancing security for /tmp could be done by adding 1) SELinux, 2) GRSecurity (TPE), 3) some kind of Dnotify, FAM or other syscall interception gizmo or 4) a wickedly fast malware-seeking cronjob ;-p


Just my thoughts.
 
Old 10-16-2006, 10:25 PM   #5
Mad Mike
LQ Newbie
 
Registered: Oct 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Was able to get this fixed with the help given. Thanks for that. Was away for a lil.

Will look into the other things that you mentioned
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Brute Force... Cottsay Linux - Software 1 03-02-2006 03:58 PM
someone trying to brute force me stitchman Slackware 8 12-16-2005 02:02 PM
Nessus Brute Force Gerardoj Linux - General 0 12-27-2003 04:07 PM
Brute force DHCP SSBN Linux - Networking 10 10-21-2003 10:34 AM
Brute Force kwigibo Linux - General 2 08-01-2002 12:42 AM


All times are GMT -5. The time now is 11:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration