In case anyone is interested, I have created the following script that adds ip subnets to both the hosts.deny file and the iptables.
It actually adds an entire /24 subdomain (###.###.###.0/255.255.255.0). This is so people with dynamic ip addresses are more likely to be blocked when they renew the lease.
IT DOES NOT BLOCK INVALID LOCAL USERS THAT ARE ON THE SAME CLASS C (/24) SUBNET AS THE SERVER AS DETERMINED BY COMMAND "hostname -i"
Its limitations are as follows:
o It only compares "hosts.deny" and log file "secure" for new entries.
o It updates a file with the iptables, which should be restored on reboot using iptables-restore
o It has only been tested on RH ES Linux and uses commands such as hostname, egrep etc. Some of these aren't fully qualified, so you should either edit the script accordingly, or make sure the PATH environment variable includes the directories for these programs.
It could do with being more efficient, but I just wanted something quick.
Don't ask for support and use at your own risk.
Code:
#!/bin/bash
# Update ban list: Useful as a cron task.
# This script updates the hosts.deny file and adds an iptables DROP entry for
# all those IP subdomains that attempted to connect using an invalid user ID.
# If a hacker attempts to use the same IP subnet ###.###.###.* (/24), they will
# be blocked.
# Note: IP Addresses that match the subnet of the server are not banned
# By Antony Booth, March 2005
declare -a inList
declare -a outArray
outFile="/etc/hosts.deny"
logFile="/var/log/secure"
iptables="/sbin/iptables"
save="/sbin/iptables-save"
# This should be used with 'iptables-restore' in a startup script in /etc/init.d
# E.G: iptables-restore -n /etc/sysconfig/iptables
dataFile="/etc/sysconfig/iptables"
# For getting first 3 parts (/24) of the dotted quad 255.255.255.*
# (kept on one line: breaking the quoted string across lines puts newlines
# into the pattern and it no longer matches anything)
regExp="^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\."
# Get local /24 domain (regExp is quoted so the shell cannot word-split or glob it)
localDomain=$(hostname -i | egrep -o "${regExp}")
# Add the ip addresses in list inList to outArray if they're not
# already there.
function groupAddresses()
{
    # iterate the list of addresses found
    for i in "${inList[@]}"; do
        found=0
        thisIp=$(echo "${i}" | egrep -o "${regExp}")
        if [ "${thisIp}" != "" ]; then
            # Exclude local domain
            if [ "${thisIp}" = "${localDomain}" ]; then
                found=1
            fi
            # Check to see if current IP subdomain is already in the list
            # (fixed-string, whole-line match: a regex search for "1.2.3." would
            # also hit "11.2.3." and treat each "." as a wildcard)
            if printf '%s\n' "${outArray[@]}" | grep -qxF "${thisIp}"; then
                found=1
            fi
            # Not found in list, so add it
            if [ $found -ne 1 ]; then
                outArray[${#outArray[@]}]="${thisIp}"
            fi
        fi
    done
}
# get all the ip addresses using invalid user accounts. Field 13 is the
# address in lines of the form:
#   ... sshd[pid]: Failed password for illegal user NAME from A.B.C.D port N ssh2
inList=($(gawk '/illegal user/ {printf("%s ", $13)}' "${logFile}"))
groupAddresses
logArray=("${outArray[@]}")
unset outArray
declare -a outArray
# get the existing subnets from the deny list (lines of the form ALL:A.B.C.)
inList=($(gawk -F":" '/ALL/ {printf("%s ", $2)}' "${outFile}"))
groupAddresses
declare -a newDomains
for i in "${logArray[@]}"; do
    if ! printf '%s\n' "${outArray[@]}" | grep -qxF "${i}"; then
        newDomains[${#newDomains[@]}]="${i}"
    fi
done
# set this to 1 if you don't want a date stamp added to the hosts.deny file
label=0
# Append the list of new banned domains to deny file and IPtables
for i in "${newDomains[@]}"; do
    if [ $label -ne 1 ]; then
        echo "# $(date)" >> "${outFile}"
        label=1
    fi
    echo "ALL:${i}" >> "${outFile}"
    rule="-A INPUT -s ${i}0/24 -j DROP"
    # apply the rule now (${rule} is left unquoted so it splits into arguments)
    $iptables ${rule}
done
# save the full rule set once, after all new rules have been applied
if [ ${#newDomains[@]} -gt 0 ]; then
    $save > "${dataFile}"
fi
Last edited by antony.booth; 03-22-2005 at 05:38 AM.
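A dry-run rework of the script's core logic, added here as an example and not part of antony.booth's post: it parses constructed sample log and hosts.deny text, takes the address after "from" rather than a fixed column, validates each octet, collapses addresses into /24 prefixes, drops the server's own /24 and the prefixes already denied, and only prints what would be appended to hosts.deny and handed to iptables. The log lines, the deny file and the 192.0.2.7 server address are constructed stand-ins.

```shell
#!/bin/sh
# Added example: dry-run version of the ban-list logic on constructed data.
SAMPLE_LOG='Mar 22 05:38:01 srv sshd[2101]: Failed password for illegal user test from 203.0.113.17 port 40112 ssh2
Mar 22 05:38:04 srv sshd[2103]: Failed password for illegal user admin from 203.0.113.90 port 40120 ssh2
Mar 22 05:39:10 srv sshd[2110]: Failed password for illegal user guest from 198.51.100.8 port 51000 ssh2
Mar 22 05:40:00 srv sshd[2120]: Failed password for illegal user oracle from 192.0.2.55 port 33000 ssh2
Mar 22 05:41:00 srv sshd[2130]: Accepted publickey for alice from 192.0.2.10 port 33100 ssh2'
SAMPLE_DENY='# Mon Mar 21 2005
ALL:198.51.100.'
LOCAL_IP='192.0.2.7'   # constructed stand-in for the output of "hostname -i"

# Source address of every "illegal user" failure: the word after "from",
# instead of a fixed column, so a slightly different line layout still parses.
offending_ips() {
  awk '/Failed password for illegal user/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }'
}

# Reduce IPv4 addresses on stdin to unique /24 prefixes "a.b.c." and drop
# anything that is not a valid dotted quad (each octet 0-255).
to_prefix24() {
  awk -F. '$0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { print $1 "." $2 "." $3 "." }' | sort -u
}

# Prefixes already in hosts.deny as "ALL:a.b.c." (spaces after the colon tolerated).
denied_prefixes() {
  awk -F: '$1 == "ALL" { gsub(/ /, "", $2); print $2 }' | sort -u
}

# $1 = log text, $2 = hosts.deny text, $3 = server IP. Prints the offending
# /24s minus the server's own /24 and minus those already denied.
new_prefixes() {
  exclude=$(printf '%s\n' "$3" | to_prefix24; printf '%s\n' "$2" | denied_prefixes)
  printf '%s\n' "$1" | offending_ips | to_prefix24 \
    | awk -v ex="$exclude" 'BEGIN { n = split(ex, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 } !($0 in skip)'
}

# Render what the original script would append to hosts.deny and pass to
# iptables, without writing or applying anything, so it can be reviewed first.
ban_rules() {
  awk '{ printf("ALL:%s\n-A INPUT -s %s0/24 -j DROP\n", $0, $0) }'
}

new_prefixes "$SAMPLE_LOG" "$SAMPLE_DENY" "$LOCAL_IP" | ban_rules
```

On the sample data only 203.0.113. survives: the two 203.0.113.x attempts collapse into one prefix, 198.51.100. is already denied, and 192.0.2. is the server's own subnet.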
From looking at all of the scripts that have been written for updating the iptables and just blocking these attempts, I figured that I would share my script that actually tells someone (the ISP) about these attempts.
you can get it here. this will ask you to save it. it's a 444 file, so you don't have to worry about it.
other than that, do what others have suggested-
sshd_config- AllowUsers - set this up properly it will disallow anyone not there
set up usernames to more than just a first name
set up good passwds
set up dsa/rsa keys
check your logs
Systems should be tightened up from the config files. If people aren't being proactive in their concerns about attempted break-ins, they will keep happening. That is, if people are just configuring their server, then these kids will keep spreading the scripts, and keep trying others and succeeding.
I feel, it's an opinion, that if the ISP doesn't know that this is happening from their blocks, even if it's an infected host, then nothing will change. We have a responsibility, as server operators, to keep the web safe for others and ourselves. When people are only focusing on their own system's security, and not helping others, then we might as well be running a bought OS.
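A small audit of the sshd_config settings this post recommends, added here as an example and not the poster's script: it reads a constructed sshd_config, follows sshd's rule that the first non-comment occurrence of a keyword wins and that keywords are case-insensitive, and flags a missing AllowUsers list, direct root login, password logins and disabled key logins. Match blocks are ignored, and an absent keyword is treated as permissive.

```shell
#!/bin/sh
# Added example: audit an sshd_config text for an allow list, root login,
# password and key authentication. The config below is constructed.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#AllowUsers alice bob
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Effective value of a keyword: first non-comment occurrence, case-insensitive.
# $1 = config text, $2 = keyword. Prints nothing if the keyword is not set.
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# One line per check: "<keyword> ok" or "<keyword> WEAK: <why>".
audit_sshd() {
  cfg=$1
  if [ -n "$(sshd_value "$cfg" AllowUsers)" ]; then echo "AllowUsers ok"
  else echo "AllowUsers WEAK: no allow list, every account may log in"; fi
  case "$(sshd_value "$cfg" PermitRootLogin)" in
    no|prohibit-password|without-password) echo "PermitRootLogin ok" ;;
    *) echo "PermitRootLogin WEAK: root may log in directly" ;;
  esac
  case "$(sshd_value "$cfg" PasswordAuthentication)" in
    no) echo "PasswordAuthentication ok" ;;
    *) echo "PasswordAuthentication WEAK: passwords accepted, guessing stays possible" ;;
  esac
  case "$(sshd_value "$cfg" PubkeyAuthentication)" in
    no) echo "PubkeyAuthentication WEAK: key login disabled" ;;
    *) echo "PubkeyAuthentication ok" ;;
  esac
}

audit_sshd "$SAMPLE_CONFIG"
```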
Originally posted by johnnydangerous: well if you may pls tell about ssh-agent and ssh-add
The ssh-agent takes care of your keys for you once you add them and, if necessary, have entered the pass phrase. After this you only need to connect via ssh and no further pass phrase is asked.
you can run the agent by
Code:
ssh-agent /bin/bash
(could be ssh-agent2)
instead of /bin/bash you can use your shell you feel comfortable with,
personally I invoke bash with a different .bashrc so I know when I am in a shell running the agent
after the agent is running you run ssh-add
Code:
ssh-add
(ssh-add2) to add the keys to the agent. It will ask you the pass phrase for any key loaded; there is a way to specify which key (identity) you want to load, but let's keep things simple.
if you now establish a ssh connection you should connect without any further authentication.
to be on the secure side you can unload the keys out of the agent by running
Code:
ssh-add -D
also it is possible to lock the agent by running
Code:
ssh-add -L
it can be unlocked using
Code:
ssh-add -U
I hope this helps.
Code:
ssh-add -l
lists all loaded keys.
It is good practice to unload the keys before quitting the agent with exit.
Here is my .bashrc which I use with ssh-agent
Code:
export PS1="SSH-\u:\w>"
alias keys='ssh-add2 -l'
alias keysOn='ssh-add2'
alias keysOff='ssh-add2 -D'
alias quit='ssh-add2 -D;exit'
I simply invoke it by running
Code:
ssh-agent /bin/bash --rcfile .bashsshrc
Please note that the use of ssh-agent(2), ssh-add(2) and ssh(2) depends on your version of ssh (OpenSSH or SSH2).
I've been getting this crap for quite a while. I originally just changed the ssh port to a non-standard port, but that only fended off some of them. I still came home to a flooded log. I found this program called authfail http://www.bmk.bz/?p=33 that worked great for me. By default it logs 4 failed ssh login attempts from the same ip, then puts the ip into iptables -j DROP, all in real time. I had to hack the hell out of it to make it work (it read the ip wrong, started kinda crummy, and a few other things, and I made it add the ip to hosts.deny also), but looking at the website it appears that it's been updated since I got it, so maybe that stuff is fixed. Anyway, it's made my logs a whole lot smaller and keeps people from continually hammering away at my sshd while allowing real traffic in (even with a few failed logins).
//Moderator note: This thread is the abbreviated version of a much larger original thread that can be found here. Only the most relevant posts have been included in this version.