what to do when a stranger is trying to ssh into your machine
So, what can one do when you find that somebody is repeatedly attempting to access your machine via ssh? I keep getting root (and various other) login attempts from various IP addresses, and it's making me really wish I knew how to "hack them back" or at least send them a message so they know I see them. I'm also concerned about making darn sure my security is tight enough to stop them from happening across a "way in"...
I have my root and user passwords set pretty tight - they're both long and have letters, numbers, and spaces. What else can I check to make sure I don't have any holes? Oh, and is there a way to set this up so that once they try to log in and get it wrong, they can't try anymore? Perhaps after three tries, in case I brain fart my own password some day. I need ssh running so that I can access my machine while I'm at work, so turning it off is not an option. What else can I do to secure myself? Thanks, as always, for all the help, Jeff
Well, you can use iptables to block certain source addresses... About the way to make ssh fail after 3 attempts, I'm not sure. But iptables as a firewall can handle the source address if that doesn't change.
Thanks for the quickness there...
I like that iptables will block out certain addresses. Can you give me the example command to, for instance, block IP address <edit>xxx.xxx.xxx.xxx</edit> (yeah, that's right punk, I posted your IP on the internet ;-) ), while keeping my open ports open and my closed ports closed? Now, unfortunately, I get these attempts from a different address every day, and sometimes different addresses in the same day. So, hopefully there is another way to block the repeated attempts without the manual iptables edits, but I'll use that until somebody suggests something better. Thanks again,
Quote:
You can also contact his ISP - punch the IP into http://www.arin.net to do a search on it.
Sorry, I guess I didn't, but probably should have, realize that was frowned upon. It has been edited...
Now, is there a way to block those IP addresses from entering while still allowing entry on port 80, for my website? Please advise...and thank you...
What I would recommend doing is taking the IP addresses that are trying to break into your system, go look at the whois database and see who owns them. It's probably an ISP who's using DHCP, so you can tell them the IPs and the times they occurred, and tell them they need to speak with that person or you contact law enforcement. Might work, might not work. Maybe it'll be just enough to scare them into leaving you the "F" alone...
EDIT: removed per trickykid's request...
You can try to set up your iptables firewall by allowing all connections on port 80 for your website. For the ssh port [22] make the default policy to drop all packets from all IPs and then let packets in just from the IP of your PC at work. So a connection through ssh can be established only from one PC...yours.
I don't know how to make this one, but I heard it's possible: you can also make your ssh server allow connections only for a special user, and only after this you can switch to root. So a possible cracker has to work more, once for the normal user password and then for root's password. Boby
Please see my post above as I have edited it.
Re: what to do when a stranger is trying to ssh into your machine
But I wouldn't go so far as trying to find out who they are; most likely they're using spoofed IP addresses, etc. I think in one week I got 273 root login attempts to my own server. Do I worry? No, because I have root login via ssh disabled and I never log in directly as root. I set up sudo when it's necessary to be root, and so on. And halo14, even with your little disclaimer, we don't look lightly on telling others to resort to such measures against unknown crack attempts on systems to any individual. If it is a true crack attempt, contact the authorities, but do not tell others to take matters into their own hands for any reason. I don't care if you're joking or not, it's not funny to me and it's totally against our rules, your post for that matter. I SUGGEST YOU EDIT it immediately. This is your only warning in such posts. If you don't agree with this modding, feel free to contact me or the Site Admin. Regards.
Wow, the whois command is pretty cool. I did a whois xx.xx.xxx.xxx and it gave me all sorts of info regarding the ISP (in Korea), as well as the contact info for network abuse. So, I just fired them a politely demanding email asking that they see to it that this is stopped immediately. Thanks for that suggestion, very cool. I'm currently waiting for the traceroute command to return its info; it's on hop 18 (I guess?) right now. Excited to see what that tells me... Anyway, can anybody give me the example command for iptables? I really hesitate to play around with that as I have no idea what I'm doing there.... Thanks again. Oh, just saw your post trickykid... I know, I wasn't wanting to hack into them to do whatever kinds of nasties they're trying to do, I just wanted some way to let them know I saw them and perhaps scare them off. Sorry, not trying to set any bad examples here, this just got my feathers temporarily ruffled... Thanks,
Okay, I'm just going to make sure ssh isn't allowing root login, and then I'm going to create a new user just for ssh, and in the sshd.conf I'll make sure this new user is the only one allowed in. Then I'll make THAT user's password ridiculously tight, and then I'll consider myself safe enough to disregard these annoying attempts. I understand what you're saying regarding it likely being a random scan, and also on a spoofed IP, so I'll not bother attempting to use iptables to manually block these. I'd just be updating iptables every darn day, and since I occasionally like to ssh into home from a friend's house or the like, I don't want to inadvertently block out a buddy's ISP because one of these random scans used it.
So thanks for the run-down. I'll try to mind my manners in my future posts ;-) Jeff
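The plan in the post above (no root login over ssh, one dedicated account allowed in, a cap on password tries) maps onto three sshd_config directives: PermitRootLogin, AllowUsers and MaxAuthTries. The script below is an added example, not code posted in this thread: it writes a constructed "before" sshd_config, audits it for those three settings, and writes a hardened copy. The account name sshuser, the sample file contents and the .hardened suffix are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden an sshd_config for the
# settings discussed above. The sample config is constructed for the demo.

# write_sample_config FILE -> writes a constructed "before" config
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, not a real host's file)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
EOF
}

# audit_sshd_config FILE -> prints one line per finding; returns 1 if any
audit_sshd_config() {
    cfg="$1"
    rc=0
    # The compiled-in default for PermitRootLogin is not "no", so a missing
    # directive counts as a finding, not as safe.
    if ! grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$cfg"; then
        echo "FINDING: PermitRootLogin is not set to no"
        rc=1
    fi
    # AllowUsers restricts ssh logins to a named set of accounts (the
    # "only this new user is allowed in" idea from the post).
    if ! grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+' "$cfg"; then
        echo "FINDING: AllowUsers not set; every local account can attempt ssh"
        rc=1
    fi
    # MaxAuthTries caps password guesses per connection. It is not a per-source
    # lockout, so it does not replace a firewall, but it shortens each session.
    tries=$(grep -Ei '^[[:space:]]*MaxAuthTries[[:space:]]+' "$cfg" | awk '{print $2}' | tail -n 1)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "FINDING: MaxAuthTries is ${tries:-unset (default 6)}; the post asks for 3"
        rc=1
    fi
    return $rc
}

# harden_sshd_config FILE -> writes FILE.hardened with the three directives fixed
harden_sshd_config() {
    src="$1"; dst="$1.hardened"
    # Drop existing (possibly commented-out) copies of the directives, then append ours.
    grep -Eiv '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|AllowUsers|MaxAuthTries)[[:space:]]' "$src" > "$dst"
    printf 'PermitRootLogin no\nAllowUsers sshuser\nMaxAuthTries 3\n' >> "$dst"
    echo "$dst"
}

# Stand-alone run: audit the sample, harden it, audit the result.
demo_file=$(mktemp)
write_sample_config "$demo_file"
echo "== before =="; audit_sshd_config "$demo_file" || true
hardened=$(harden_sshd_config "$demo_file")
echo "== after ($hardened) =="; audit_sshd_config "$hardened" && echo "no findings"
```

Before restarting the daemon on a real host, validate the edited file with `sshd -t` and keep an existing session open while you reconnect in a second one, so a typo in AllowUsers cannot lock you out of the box you manage from work.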
Moved to Linux-Security as it seems to be a better forum for this question.
Quote:
iptables -I INPUT -s X.X.X.X -j DROP (where X.X.X.X is the offender's IP address) Also take a look at the thread on "SSH login attempts" at the top of the forum for more options you can take, some of the better options are:
Firstly, I agree with Trickykid, most of the ssh hacks are virus / worm / trojan based that have infected some poor machine with weak passwords (for example user test, password test), so attacking them back won't do much, except leaving maybe your fingerprint on their crashed server... (which would be good for them if they want to take legal action against someone for ruining their business. Chances are that they find you before whoever made that worm. That they "hacked" you first might not help you much in court). Anyway. This thread has also been discussed at http://www.linuxquestions.org/questi...5&pagenumber=5
Also agree that root should never be in the .allow file. Now, instead of criticising, some help (well... sort of). The following script was displayed somewhere (not sure who to credit for it): Quote:
I am trying to modify it so it first checks if some of the usernames are one of the common hacking script names, like test, root, nobody etc. (usernames that would never be on my machine). If so, it does a "whois <ip address> | grep abuse@" command to find the abuse email(s) of the owner of the IP addresses. If it exists, it automatically sends an email with the following: Subject: Please stop hacking my server IP <ip address> Body: Please stop hacking my server IP <ip address>. Please refer to below logs: If it is not stopped legal action etc etc. Then it pastes the following into the email body under the heading Security log: linux command "cat /var/log/secure | grep <ip address>" then: Messages log: linux command "cat /var/log/messages | grep <ip address>" and then this "whois <ip address>" Then, hopefully the guy in charge of the IPs does something... (I do this manually now (sometimes), and have in fact gotten replies back saying "Thanks for letting us know, we will fix the infected server at once etc etc") But I am hopeless at scripting, so it will take a while before it can get up and running.
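The script the poster is describing (and the "three tries" question from the first post, and the DROP rule quoted earlier) can be sketched in portable sh. The block below is an added example, not the thread's script or anything the poster wrote: it reads constructed /var/log/secure lines, counts failed logins per source address, flags sources that either reach three failures or tried account names that do not exist on the host, and prints the report body and the iptables rule instead of sending or applying anything. The log lines, host name and addresses are constructed (TEST-NET ranges), the server IP is a labelled placeholder, and the whois step is left out so the script runs offline.

```shell
#!/bin/sh
# Added example (not the thread's script): parse sshd "Failed password" lines,
# count failures per source, and prepare the abuse report and firewall rule
# described in the posts above. Nothing is sent or applied; it only prints.

THRESHOLD=3                              # "after three tries" from the first post
SUSPECT_USERS='root test nobody admin'   # names the poster says never exist locally
SERVER_IP='SERVER_IP_PLACEHOLDER'        # placeholder: the thread never gives the real address

# sample_log -> constructed lines in /var/log/secure format (TEST-NET addresses)
sample_log() {
    cat <<'EOF'
Jan 12 03:14:07 myhost sshd[2211]: Failed password for root from 203.0.113.5 port 4122 ssh2
Jan 12 03:14:09 myhost sshd[2211]: Failed password for root from 203.0.113.5 port 4123 ssh2
Jan 12 03:14:12 myhost sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 4130 ssh2
Jan 12 03:20:41 myhost sshd[2290]: Failed password for invalid user nobody from 198.51.100.9 port 5511 ssh2
Jan 12 07:02:13 myhost sshd[2410]: Failed password for jeff from 192.0.2.44 port 6002 ssh2
Jan 12 07:02:20 myhost sshd[2410]: Accepted password for jeff from 192.0.2.44 port 6002 ssh2
EOF
}

# failed_by_ip < log -> "count ip user[,user...]" lines, most failures first
# The attempted user name is the token just before "from", whether or not
# sshd prefixed it with "invalid user".
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            n[ip]++
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                u[ip] = (u[ip] == "" ? user : u[ip] "," user)
            }
        }
        END { for (ip in n) print n[ip], ip, u[ip] }
    ' | sort -k1,1rn -k2,2
}

# flag_sources < failed_by_ip output -> one IP per line worth reporting/blocking:
# either it reached THRESHOLD failures or it tried a name from SUSPECT_USERS.
flag_sources() {
    while read -r count ip users; do
        hit=""
        if [ "$count" -ge "$THRESHOLD" ]; then hit=1; fi
        for s in $SUSPECT_USERS; do
            case ",$users," in *",$s,"*) hit=1 ;; esac
        done
        if [ -n "$hit" ]; then echo "$ip"; fi
    done
    return 0
}

# abuse_report IP < log -> the message body the poster describes, with the
# matching log lines; the whois output would follow it on a connected host.
abuse_report() {
    ip="$1"
    echo "Subject: Please stop hacking my server IP $SERVER_IP"
    echo "Please stop hacking my server IP $SERVER_IP. Please refer to the logs below."
    echo "Security log:"
    grep -F -- "from $ip port"
}

# block_rule IP -> the DROP command quoted earlier in the thread, printed not run,
# so an operator can review it (and think about spoofing) before applying it.
block_rule() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Stand-alone run over the constructed log.
for ip in $(sample_log | failed_by_ip | flag_sources); do
    sample_log | abuse_report "$ip"
    block_rule "$ip"
    echo
done
```

On a real host, feed `/var/log/secure` (or `/var/log/auth.log` on Debian-style systems) to `failed_by_ip` in place of `sample_log`. Note that jeff's single mistyped password followed by an accepted login is not flagged, which is the behaviour the first post asked for: one wrong try should not lock out the owner.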