Old 11-17-2008, 07:06 AM   #1
fst495
LQ Newbie
 
Registered: Nov 2008
Posts: 7

SSH 'attack'. How to avoid?


Hello,

This morning my BSD box emailed regular security output which contained the following:
Nov 16 15:42:01 server1 sshd[29691]: error: PAM: authentication error for illegal user admin from 76.255.174.78
Nov 16 15:42:01 server1 sshd[29691]: Failed keyboard-interactive/pam for invalid user admin from 76.255.174.78 port 53806 ssh2
Nov 16 16:35:10 server1 sshd[29823]: error: PAM: authentication error for illegal user admin from 213-163-19-158.pool.invitel.hu
Nov 16 16:35:10 server1 sshd[29823]: Failed keyboard-interactive/pam for invalid user admin from 213.163.19.158 port 25034 ssh2
Nov 16 17:28:02 server1 sshd[29926]: error: PAM: authentication error for illegal user admin from 218.148.240.18
Nov 16 17:28:02 server1 sshd[29926]: Failed keyboard-interactive/pam for invalid user admin from 218.148.240.18 port 4584 ssh2
Nov 16 18:22:12 server1 sshd[30046]: error: PAM: authentication error for illegal user admin from 212.163.168.19
Nov 16 18:22:12 server1 sshd[30046]: Failed keyboard-interactive/pam for invalid user admin from 212.163.168.19 port 7735 ssh2
....
The log goes on and on until the end of that day so I will get more today probably.

Any known way of preventing this 'password matching'? I can't obviously block the IPs in the firewall as there are many and all probably anonymous proxies so what are my options? Obviously I don't want to block port 22 as I use SSH every now and then.

Thanks
 
Old 11-17-2008, 07:19 AM   #2
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,488

One way is to limit the number of consecutive login attempts and temporarily ban the source IPs. I used tcp wrappers to do this, following directions from Samhain Labs. You will find plenty of useful information here.
 
Old 11-17-2008, 09:16 AM   #3
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

You could also use an SPA port knock to have the port unavailable until you want to use it.
 
Old 11-17-2008, 10:24 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Read:
 
Old 11-17-2008, 10:30 AM   #5
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,203

If you just want to cut down on login attempts you could run the ssh daemon on a different port than 22.
 
Old 11-17-2008, 05:48 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by fst495
Any known way of preventing this 'password matching'?
Yes, several. Please read the sticky at the top of this forum for pointers.

Last edited by win32sux; 11-17-2008 at 05:49 PM.
 
Old 11-17-2008, 05:53 PM   #7
johnson_steve
Senior Member
 
Registered: Apr 2005
Location: BrewCity, USA (Milwaukee, WI)
Distribution: Xubuntu 9.10, Gentoo 2.6.27 (AMD64), Darwin 9.0.0 (arm)
Posts: 1,152

Disable password logins and pam authentication for ssh in your sshd.conf, then set up rsa keys so that you can still log in, but no one else will even have the option of trying to guess your password.
 
Old 11-18-2008, 03:16 AM   #8
fst495
LQ Newbie
 
Registered: Nov 2008
Posts: 7

Original Poster
Thanks guys, after reading all the links RSA seems like the way to go for me.

On a side note, if I could suggest renaming the sticky to something more obvious like 'illegal SSH login attempts' to better describe the subject, it would not be so easy to miss.

Great forum many thanks.
 
Old 11-18-2008, 08:10 AM   #9
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Quote:
Originally Posted by fst495
On a side note, if I could suggest renaming the sticky to something more obvious like 'illegal SSH login attempts' to better describe the subject, it would not be so easy to miss.
It already says "Failed SSH Login Attempts", which should be explanatory enough, IMO. One should always be in the habit of checking sticky threads also (JMO).
 
Old 11-19-2008, 12:34 AM   #10
pwalden
Member
 
Registered: Jun 2003
Location: Washington
Distribution: Fedora FC19, Raspbian
Posts: 253

Try installing denyhosts. This will add the culprit to /etc/hosts.deny and stop them after 5 or so attempts.

Your distro likely has it as a package already.

http://denyhosts.sourceforge.net/
 
Old 11-19-2008, 05:25 AM   #11
kapal
LQ Newbie
 
Registered: Jan 2008
Location: Poland
Distribution: Debian testing/Lenny
Posts: 18

I also stand for denyhosts in general for brute force script attacks.

You may also consider changing the default port 22 to something else, as written above, since most of the attacking scripts rely on that port. Of course it will not eliminate the risk of breaking in, but it'll greatly reduce the number of break-in attempts.

Port knocking is also a good technique, but in my opinion it is applicable only to systems with few shell users.

Changing the default sshd options will also do the trick. For example you may want to set a shorter LoginGraceTimeout (default 120s), or MaxStartups (10), MaxAuthTries, etc., and of course disable root login (!), which should be the default.

Last edited by kapal; 11-19-2008 at 05:27 AM. Reason: typos
 
Old 11-19-2008, 05:40 AM   #12
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

I found this page which seems to list some issues with various log parsing programs: http://www.ossec.net/en/attacking-loganalysis.html. Might be worth bearing in mind.

disclaimer: I'm not a security guru, but the arguments seemed to make sense.
 
Old 11-19-2008, 05:40 AM   #13
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

If you are the only user who logs in via ssh, you can also add the line "AllowUsers <yourusername>". This will deny all other users from logging in. You can do this in addition to using public key encryption. Doing this will deny system login attempts, which are common targets.

Also, protect your private key (on your client) with a passphrase. Changing the port from 22, while it in itself won't do much against a determined cracker, will reduce the "noise" from script kiddie brute force attacks.

Last edited by jschiwal; 11-19-2008 at 05:42 AM.
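An added example, not code from any poster, that audits an sshd_config text against the settings recommended in posts #7, #11 and #13 (key-only login, no keyboard-interactive/PAM, no root login, short grace time, few tries, an AllowUsers list). Both config texts are constructed, and the parser assumes a global section with no Match blocks.

```python
import re
# Constructed sshd_config in the state the thread warns about (see the OP's log).
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
LoginGraceTime 120
MaxAuthTries 6
"""

# The same file after applying posts #7, #11 and #13 (also constructed).
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
LoginGraceTime 30s
MaxAuthTries 3
AllowUsers alice
"""

def parse_sshd_config(text):
    """Lowercased keyword -> first value; sshd honours the first occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue                                   # blank or malformed line
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)                # assumption: no Match blocks
    return settings

def _seconds(value):
    """LoginGraceTime takes plain seconds or an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def audit_sshd_config(text, max_tries=3, max_grace=60):
    """Return findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the keyboard-interactive/pam path in the OP's log.
    want_no = ("permitrootlogin", "passwordauthentication", "challengeresponseauthentication")
    findings = [f"{k} must be 'no'" for k in want_no if s.get(k, "").lower() != "no"]
    if int(s.get("maxauthtries", "6")) > max_tries:            # OpenSSH default is 6
        findings.append("MaxAuthTries too high")
    if _seconds(s.get("logingracetime", "120")) > max_grace:   # OpenSSH default is 120
        findings.append("LoginGraceTime too long")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings
```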
 
Old 11-19-2008, 05:58 AM   #14
comm2k
LQ Newbie
 
Registered: Jul 2008
Posts: 28

You can also install fail2ban. Too many failed logins = temp/perma-ban for this user or user details.
 
Old 11-20-2008, 03:15 AM   #15
kapal
LQ Newbie
 
Registered: Jan 2008
Location: Poland
Distribution: Debian testing/Lenny
Posts: 18

Quote:
Originally Posted by pwc101
I found this page which seems to list some issues with various log parsing programs: http://www.ossec.net/en/attacking-loganalysis.html. Might be worth bearing in mind.

disclaimer: I'm not a security guru, but the arguments seemed to make sense.
Thanks for pointing this out. I'll try to find out if the version of denyhosts I'm using is vulnerable to log injection.
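An added example, not code from any poster, that applies the count-and-ban idea of posts #2, #10 and #14 to the log format shown in post #1 and also accepts the plain "Failed password for <user>" form. It reads the source address only from the trailing fields that sshd itself appends after the user name, which is the defence against the log-injection concern raised in this post. The sample log is constructed: three lines are copied from post #1, the rest are made up, including one whose user name imitates a "from" clause.

```python
import re
from collections import Counter

# Constructed sample log: lines 1-3 copied from post #1, the rest made up. The last
# line's user name imitates a "from <ip> ..." clause (the log-injection case from #15).
SAMPLE_LOG = """\
Nov 16 15:42:01 server1 sshd[29691]: Failed keyboard-interactive/pam for invalid user admin from 76.255.174.78 port 53806 ssh2
Nov 16 16:35:10 server1 sshd[29823]: Failed keyboard-interactive/pam for invalid user admin from 213.163.19.158 port 25034 ssh2
Nov 16 17:28:02 server1 sshd[29926]: Failed keyboard-interactive/pam for invalid user admin from 218.148.240.18 port 4584 ssh2
Nov 16 17:28:09 server1 sshd[29931]: Failed password for root from 218.148.240.18 port 4591 ssh2
Nov 16 18:22:12 server1 sshd[30046]: Failed keyboard-interactive/pam for invalid user admin from 212.163.168.19 port 7735 ssh2
Nov 16 18:22:40 server1 sshd[30049]: Failed keyboard-interactive/pam for invalid user admin from 218.148.240.18 port 7740 ssh2
Nov 16 19:01:00 server1 sshd[30100]: Failed keyboard-interactive/pam for invalid user x from 10.0.0.1 port 1 ssh2 from 218.148.240.18 port 7741 ssh2
"""

# The source IP is taken from the trailing "from <ip> port <n> ssh2" that sshd appends
# after the user name, anchored to end of line, so text inside the user name cannot
# redirect a ban onto an innocent address such as 10.0.0.1 above.
FAILED_RE = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?:invalid user )?(?P<user>.+?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(log_text):
    """Yield (user, source_ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("user"), m.group("ip")

def offenders(log_text, threshold=3):
    """Source addresses with at least `threshold` failures: the candidates a
    denyhosts- or fail2ban-style tool (posts #10, #14) would add to hosts.deny."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def targeted_accounts(log_text):
    """How often each account name was tried, to see what AllowUsers (#13) would cut."""
    return dict(Counter(user for user, _ in parse_failures(log_text)))

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failures")
```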
 
  

