LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/what-to-do-when-a-stranger-is-trying-to-ssh-into-your-machine-260920/

jeffreybluml 11-30-2004 09:07 AM

what to do when a stranger is trying to ssh into your machine
 
So, what can one do when you find that somebody is repeatedly attempting to access your machine via ssh? I keep getting root (and various other) login attempts from various IP addresses, and it's making me really wish I knew how to "hack them back" or at least send them a message so they know I see them. I'm also concerned about making darn sure my security is tight enough to stop them from happening across a "way in"...

I have my root and user passwords set pretty tight - they're both long and have letters, numbers, and spaces. What else can I check to make sure I don't have any holes?

Oh, and is there a way to set this up so that once they try to log in and get it wrong, they can't try anymore? Perhaps after three tries, in case I brain fart my own password some day.

I need ssh running so that I can access my machine while I'm at work, so turning it off is not an option. What else can I do to secure myself?

Thanks, as always, for all the help,

Jeff

b0uncer 11-30-2004 09:09 AM

Well, you can use iptables to block certain source addresses. About the way to make ssh fail after 3 attempts, I'm not sure. But iptables as a firewall can handle the source address if that doesn't change.

jeffreybluml 11-30-2004 09:25 AM

Thanks for the quickness there...

I like that iptables will block out certain addresses. Can you give me the example command to, for instance, block IP address <edit>xxx.xxx.xxx.xxx</edit> (yeah, that's right punk, I posted your IP on the internet ;-) ), while keeping my open ports open and my closed ports closed?

Now, unfortunately, I get these attempts from a different address every day, and sometimes different addresses in the same day. So, hopefully there is another way to block the repeated attempts without the manual iptables edits, but I'll use that until somebody suggests something better.

Thanks again,

scuzzman 11-30-2004 10:02 AM

Quote:

Originally posted by jeffreybluml
Thanks for the quickness there...

I like that iptables will block out certain addresses. Can you give me the example command to, for instance, block IP address ***.***.***.*** (yeah, that's right punk, I posted your IP on the internet ;-) ), while keeping my open ports open and my closed ports closed?

Now, unfortunately, I get these attempts from a different address every day, and sometimes different addresses in the same day. So, hopefully there is another way to block the repeated attempts without the manual iptables edits, but I'll use that until somebody suggests something better.

Thanks again,

You really shouldn't post IPs and this will probably be removed. That aside, I believe you can use a site-ban of sorts to keep it from happening. Let's assume the IP of the offender is 192.168.4.2. You can block 192.168.*.* and this should block his entire ISP from accessing your computer by dropping all packets coming from it.
You can also contact his ISP - punch the IP into http://www.arin.net to do a search on it.

jeffreybluml 11-30-2004 10:11 AM

Sorry, I guess I didn't, but probably should have, realized that was frowned upon. It has been edited...

Now, is there a way to block those IP addresses from entering while still allowing entry on port 80, for my website?

Please advise...and thank you...

halo14 11-30-2004 10:24 AM

What I would recommend doing is taking the IP addresses that are trying to break into your system, go look at the whois database and see who owns them. It's probably an ISP who's using DHCP, so you can tell them the IPs and the times they occurred, and tell them they need to speak with that person or you contact law enforcement. Might work, might not work. Maybe it'll be just enough to scare them into leaving you the "F" alone...

EDIT: removed per trickykids request...

Boby 11-30-2004 10:30 AM

You can try to set up your iptables firewall by allowing all connections on port 80 for your website. For the ssh port [22] make the default policy drop all packets from all IPs and then let packets in just from the IP of your PC at work. So a connection through ssh can be established only from one PC... yours.
I don't know how to do this one, but I heard it's possible: you can also make your ssh server allow connections only for a special user, and only after this can you switch to root. So a possible cracker has to work more, once for the normal user password and then for root's password.

Boby

scuzzman 11-30-2004 10:30 AM

Please see my post above as I have edited it.

trickykid 11-30-2004 10:40 AM

Re: what to do when a stranger is trying to ssh into your machine
 
Quote:

Originally posted by jeffreybluml
So, what can one do when you find that somebody is repeatedly attempting to access your machine via ssh? I keep getting root (and various other) login attempts from various IP addresses, and it's making me really wish I knew how to "hack them back" or at least send them a message so they know I see them. I'm also concerned about making darn sure my security is tight enough to stop them from happening across a "way in"...
First of all, don't be on their level with the "want to hack them back" type of attitude. That's not the answer to the problem at hand. There are always going to be people scanning for vulnerabilities, most likely scanning IP blocks one at a time to find anything that's open, etc.

Quote:

I have my root and user passwords set pretty tight - they're both long and have letters, numbers, and spaces. What else can I check to make sure I don't have any holes?
My recommendation is to change your passwords regularly and go ahead and just disable root login access via ssh. You should eliminate that need and only su or set up sudo when you need root access on whatever system you're on. That will ensure your security, as your root account's information will never be passed over open lines, even if it is ssh and encrypted.

Quote:

Oh, and is there a way to set this up so that once they try to log in and get it wrong, they can't try anymore? Perhaps after three tries, in case I brain fart my own password some day.
Most of the time by default 3 tries will disconnect them. You can always set up a firewall and, for repeat offenders from your logs, just start blocking their IP, etc.

But I wouldn't go so far as trying to find out who they are; most likely they're using spoofed IP addresses, etc. I think in one week I got 273 root login attempts to my own server. Do I worry? No, because I have root login via ssh disabled and I never login directly as root. I set up sudo when it's necessary to be root... and so on.



And halo14,

Even with your little disclaimer, we don't look lightly on telling others to resort to such measures against unknown crack attempts on systems to any individual. If it is a true crack attempt, contact the authorities but do not tell others to take matters into their own hands for any reason. I don't care if you're joking or not, it's not funny to me and it's totally against our rules, your post for that matter. I SUGGEST YOU EDIT it immediately. This is your only warning in such posts. If you don't agree with this modding, feel free to contact me or the Site Admin.


Regards.

jeffreybluml 11-30-2004 10:45 AM

wow, the whois command is pretty cool. I did a

whois xx.xx.xxx.xxx

and it gave me all sorts of info regarding the ISP (in Korea), as well as the contact info for network abuse. So, I just fired them a politely demanding email asking that they see to it that this is stopped immediately.

Thanks for that suggestion, very cool. I'm currently waiting for the traceroute command to return its info; it's on hop 18 (I guess?) right now. Excited to see what that tells me...

Anyways, can anybody give me the example command for iptables? I really hesitate to play around with that as I have no idea what I'm doing there....

Thanks again,


Oh, just saw your post trickykid...

I know, I wasn't wanting to hack into them to do whatever kinds of nasties they're trying to do, I just wanted some way to let them know I saw them and perhaps scare them off. Sorry, not trying to set any bad examples here, this just got my feathers temporarily ruffled...


Thanks,

trickykid 11-30-2004 11:04 AM

Quote:

Originally posted by jeffreybluml
Oh, just saw your post trickykid...

I know, I wasn't wanting to hack into them to do whatever kinds of nasties they're trying to do, I just wanted some way to let them know I saw them and perhaps scare them off. Sorry, not trying to set any bad examples here, this just got my feathers temporarily ruffled...


Thanks,

Like I said though, it's random scans by some idiot who has nothing better to do, looking for any vulnerabilities. In one week I had well over 200 root login attempts on mine from one IP address, not counting the other hundreds from the same IP trying other usernames and passwords. I got curious once and followed mine back to some Chinese website, which was probably not the person doing it, but either spoofed their IP or was using their systems to attack others.

jeffreybluml 11-30-2004 11:16 AM

Okay, I'm just going to make sure ssh isn't allowing root login, and then I'm going to create a new user just for ssh, and in the sshd.conf I'll make sure this new user is the only one allowed in. Then I'll make THAT user's password ridiculously tight, and then I'll consider myself safe enough to disregard these annoying attempts. I understand what you're saying regarding it likely being a random scan, and also on a spoofed IP, so I'll not bother attempting to use iptables to manually block these. I'd just be updating iptables every darn day, and since I occasionally like to ssh into home from a friend's house or the like, I don't want to inadvertently block out a buddy's ISP because one of these random scans used it.

So thanks for the run-down. I'll try to mind my manners in my future posts ;-)

Jeff

Mara 11-30-2004 04:25 PM

Moved to Linux-Security as it seems to be a better forum for this question.

Capt_Caveman 11-30-2004 04:40 PM

Quote:

Originally posted by jeffreybluml
...Anyways, can anybody give me the example command for iptables? I really hesitate to play around with that as I have no idea what I'm doing there....
As root:

iptables -I INPUT -s X.X.X.X -j DROP

(where X.X.X.X is the offender's IP address)

Also take a look at the thread on "SSH login attempts" at the top of the forum for more options you can take, some of the better options are:
  • Limiting ssh access with iptables/tcpwrappers to only those machines that you need
  • Switching to public key based authentication
  • Running ssh on a different port
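A check for the sshd_config side of these recommendations (root login off, key-based auth, a restricted user list, and a low MaxAuthTries for the "three tries" question earlier in the thread), as an added example that is not from the thread or any poster. It assumes OpenSSH's first-match-wins "Keyword value" syntax with no Match blocks; both config samples are constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config text for the hardening settings recommended
# in the thread. Assumes OpenSSH keyword syntax, first match wins, no Match blocks.

# Effective value of keyword $1 in config text $2 (comments and blanks skipped).
ssh_opt() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one finding per line for config text $1; return 0 only when clean.
audit_sshd() {
    cfg="$1"; rc=0
    v=$(ssh_opt PermitRootLogin "$cfg")
    [ "$(lc "$v")" = no ] || { echo "PermitRootLogin=${v:-unset}: set it to no and use su/sudo"; rc=1; }
    v=$(ssh_opt PasswordAuthentication "$cfg")
    [ "$(lc "$v")" = no ] || { echo "PasswordAuthentication=${v:-unset}: move to keys, then set no"; rc=1; }
    [ -n "$(ssh_opt AllowUsers "$cfg")" ] || { echo "AllowUsers missing: every account is a login target"; rc=1; }
    v=$(ssh_opt MaxAuthTries "$cfg")
    # MaxAuthTries caps tries per connection only; a scanner just reconnects,
    # so it complements, not replaces, the firewall rules discussed above.
    [ -n "$v" ] && [ "$v" -le 3 ] || { echo "MaxAuthTries=${v:-unset} (default 6): lower it, per-connection only"; rc=1; }
    return $rc
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CFG='# sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no'
HARD_CFG='Port 2222
permitrootlogin no
PasswordAuthentication no
AllowUsers jeff
MaxAuthTries 3'
```

Run it against the live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; a non-zero exit means at least one finding was printed.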

Bjorkli 12-01-2004 06:23 AM

Firstly, I agree with Trickykid, most of the ssh hacks are virus / worm / trojan based, which has infected some poor machine with weak passwords (for example user test, password test), so attacking them back won't do much, except maybe leaving your fingerprint on their crashed server... (which would be good for them if they want to take legal action against someone for ruining their business. Chances are that they find you before whoever made that worm. That they "hacked" you first might not help you much in court). Anyway. This thread has also been discussed at http://www.linuxquestions.org/questi...5&pagenumber=5

Also agree that root should never be in the .allow file.

Now, instead of criticising, some help (well... sort of). The following script was displayed somewhere (not sure who to credit for it):
Quote:

#!/bin/sh

# Settings:
iptables="/sbin/iptables"
blockchain="blocking"
blocktarget="blacklist"

# This program will match lines:
#   Illegal user (userid) from (host)
#   Failed password for (userid) from (host) (...)
# and adds (host) to the iptables blacklist chain
# $blockchain.
#
# This chain is cleared regularly by a separate
# script to let entries expire after a while.

# Syslog fields: month day time hostname sshd[pid]: then the message words.
while read -r mm dd hms localhostname sshd word1 word2 word3 word4 host1 host2 rest; do
    if [ "$word1 $word2 $word4" = "Illegal user from" ]; then
        $iptables -A $blockchain -s ${host1}/32 -j $blocktarget
    elif [ "$word1 $word2 $word3 $host1" = "Failed password for from" ]; then
        $iptables -A $blockchain -s ${host2}/32 -j $blocktarget
    fi
done
This one simply blocks the IP in the firewall rules after one failed login (too bad if you make a typo). These rules must also be emptied after a while so you don't slow down the firewall with thousands of IPs.

I am trying to modify it so it first checks if the username is one of the common hacking script names, like test, root, nobody etc. (usernames that would never be on my machine). If so, it does a "whois <ip address> | grep abuse@" command to find the abuse email(s) of the owner of the IP address. If one exists, it automatically sends an email with the following:

Subject: Please stop hacking my server IP <ip address>
Body: Please stop hacking my server IP <ip address>. Please refer to below logs: If it is not stopped legal action etc etc.

Then it pastes the following into the email body under the heading Security log:
linux command "cat /var/log/secure | grep <ip address>"

then: Messages log:
linux command "cat /var/log/messages | grep <ip address>"

and then this "whois <ip address>"

Then, hopefully the guy in charge of the IP's does something...

(I do this manually now (sometimes), and have in fact gotten replies back saying "Thanks for letting us know, we will fix the infected server at once etc etc")

But I am hopeless at scripting, so it will take a while before it can get up and running.
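The quoted script, extended with the two checks the post goes on to describe (a failure threshold instead of blocking on the first typo, and a list of usernames that never exist on the box), as an added example that is neither the quoted script nor the poster's own work. The probe-user list and log lines are constructed; it assumes the "Illegal user" / "Failed password for" message formats shown above (it also accepts the newer "Invalid user" wording) and prints the iptables commands instead of running them, leaving the whois/email step out.

```shell
#!/bin/sh
# Added example: parse sshd log lines, count failures per source address, and
# print block rules for sources that exceeded the threshold or probed a
# username that does not exist here. Assumes the thread's log formats.

# Usernames that never exist on this box (constructed list); one hit is enough.
PROBE_USERS="test root nobody guest"

# Constructed sample lines for a dry run; not real log data.
SAMPLE_LOG='Nov 30 09:07:01 home sshd[123]: Illegal user test from 10.0.0.5
Nov 30 09:07:02 home sshd[124]: Failed password for jeff from 10.0.0.9 port 1 ssh2
Nov 30 09:07:03 home sshd[125]: Failed password for jeff from 10.0.0.9 port 2 ssh2
Nov 30 09:07:04 home sshd[126]: Failed password for jeff from 10.0.0.9 port 3 ssh2
Nov 30 09:07:05 home sshd[127]: Failed password for jeff from 10.0.0.7 port 4 ssh2
Nov 30 09:07:06 home sshd[128]: Accepted password for jeff from 10.0.0.7 port 5 ssh2'

# Print "user host" for every failed attempt on stdin; same field positions
# as the quoted script, plus the newer "Invalid user" wording.
parse_sshd() {
    while read -r mm dd hms host sshd w1 w2 w3 w4 h1 h2 rest; do
        if [ "$w2 $w4" = "user from" ] && { [ "$w1" = Illegal ] || [ "$w1" = Invalid ]; }; then
            printf '%s %s\n' "$w3" "$h1"
        elif [ "$w1 $w2 $w3 $h1" = "Failed password for from" ]; then
            printf '%s %s\n' "$w4" "$h2"
        fi
    done
}

# Read "user host" pairs; print each host with at least $1 failures or any
# probe-name hit. Reads all input first, so run it over a log, not tail -f.
offenders() {
    awk -v limit="$1" -v probes="$PROBE_USERS" '
        BEGIN { n = split(probes, p, " "); for (i = 1; i <= n; i++) probe[p[i]] = 1 }
        { count[$2]++; if ($1 in probe) flagged[$2] = 1 }
        END { for (h in count) if (count[h] >= limit || flagged[h]) print h }
    ' | sort
}

# Print (rather than run) the rule the quoted script appends; pipe into sh as root.
block_rules() {
    while read -r h; do
        printf '/sbin/iptables -A blocking -s %s/32 -j blacklist\n' "$h"
    done
}

# Dry run over the constructed sample: expect rules for 10.0.0.5 and 10.0.0.9 only.
demo() { printf '%s\n' "$SAMPLE_LOG" | parse_sshd | offenders 3 | block_rules; }
```

From cron, `parse_sshd < /var/log/secure | offenders 3 | block_rules | sh` applies the rules; the chain still needs the periodic flush the post mentions.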

