LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 01-09-2005, 12:07 PM   #31
emetib
Member
 
Registered: Feb 2003
Posts: 484

Rep: Reputation: 33

this seems to be a nice little script for those that are really paranoid about there ssh port.

http://www.undersea.net/seanm/softwa...-access.tar.gz

take a look at the README in it. it tells you how to set the whole thing up.

you might have to wget it.
 
Old 03-21-2005, 09:25 AM   #32
antony.booth
LQ Newbie
 
Registered: Oct 2004
Location: UK
Distribution: Fedora
Posts: 23

Rep: Reputation: 15
A script

In case anyone is interested, I have created the following script that adds ip subnets to both the hosts.deny file and the iptables.

It actually adds an entire /24 subdomain (###.###.###.0/255.255.255.0). This is so people with dynamic ip addresses are more likely to be blocked when they renew the lease.

IT DOES NOT BLOCK INVALID LOCAL USERS THAT ARE ON THE SAME CLASS C (/24) SUBNET AS THE SERVER AS DETERMINED BY COMMAND "hostname -i"

Its limitations are as follows:-

o It only compares "host.deny" and log file "secure" for new entries.
o It updates a file with the iptables, which should be restored on reboot using iptables-restore
o It has only been tested on RH ES linux and uses commands such as hostname, egrep etc. Some of these aren't fully qualified, so you should either edit the script accordingly, or make sure the PATH envronment variable includes the directories for these programs.

It could do with being more efficient, but I just wanted something quick.

Don't ask for support and use at your own risk.

Code:
#!/bin/bash

# Update ban list: Useful as a cron task.
# This script updates the hosts.deny file and adds an iptable deny entry with 
# all those IP subdomains that attempted to connect using an invalid user ID. 
# If a hacker attempts to use the same IP subnet ###.###.###.* (/24), they will 
# be blocked.
# Note: IP Addresses that match the subnet of the server are not banned

# By Antony Booth, March 2005

declare -a inList;
declare -a outArray;


outFile="/etc/hosts.deny";
logFile="/var/log/secure";
iptables="/sbin/iptables";
save="/sbin/iptables-save";

# This should be used with 'iptables-restore' in a startup script in /etc/init.d
# E.G: iptables-restore -n /etc/sysconfig/iptables
dataFile="/etc/sysconfig/iptables";

# For getting first 3 parts (/24) of the dotted quad 255.255.255.*
regExp="^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]
|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0
-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.";

# Get Local /24 domain
localDomain=`hostname -i | egrep -o ${regExp}`;

# Add the ip addresses in list inList to outArray if they're not
# already there.
function groupAddresses()
{
    # iterate the list of addresses found
    for i in "${inList[@]}"; do
        found=0;
        thisIp=`echo "${i}" | egrep -o "${regExp}"`;
        if [ "${thisIp}" != "" ]; then

           # Exclude local domain
            if [ "${thisIp}" = "${localDomain}" ]; then
               found=1;
            fi;
            # Check to see if current IP subdomain is already in the list
            if [ "`echo ${outArray[@]} | egrep -o ${thisIp}`" != "" ]; then
               found=1;
            fi;
            # Not found in list, so add it
            if [ $found -ne 1 ]; then
                outArray[${#outArray[@]}]="${thisIp}";
            fi;
        fi;
    done;
}

# get all the ip addresses using invalid user accounts
inList=(`cat ${logFile} | gawk '/illegal user/ {printf("%s ", $13)}'`);
groupAddresses;
logArray=(${outArray[@]});

unset outArray;
declare -a outArray;

# get the existing subnets from the deny list
inList=(`cat ${outFile} | gawk -F":" '/ALL/ {printf("%s ", $2)}'`);
groupAddresses;

declare -a newDomains;
for i in "${logArray[@]}"; do
    if [ "`echo ${outArray[@]} | egrep -o ${i}`" = "" ]; then
        newDomains[${#newDomains[@]}]="${i}";
    fi;
done;

# set this to 1 if you don't want a date stamp added to the hosts.deny file
label=0;

# Append the list of new banned domains to deny file and IPtables
for i in "${newDomains[@]}"; do
    if [ $label -ne 1 ]; then
        echo "# `date`" >> ${outFile};
        label=1;
    fi;
    echo "ALL:${i}" >> ${outFile};
    rule="-A INPUT -s ${i}0/24 -j DROP";
    # save rule to file and apply now
    $iptables ${rule};
    $save > ${dataFile};
done;

Last edited by antony.booth; 03-22-2005 at 05:38 AM.
 
Old 03-27-2005, 12:43 PM   #33
emetib
Member
 
Registered: Feb 2003
Posts: 484

Rep: Reputation: 33
from looking at all of the scripts that have been wrote for updating the iptables and just blocking these attempts, i figured that i would share my script that actually tells someone (the isp) about these attempts.

you can get it here. this will ask you to save it. it's a 444 file, so you don't have to worry about it.

other than that, do what others have suggested-
sshd_config- AllowUsers - set this up properly it will disallow anyone not there
set up usernames to more than just a first name
set up good passwds
set up dsa/rsa keys
check your logs

systems should be tightened up from the config files. if people aren't being proactive in their concerns about attempted break ins, they will keep happening. that is, if people are just configing their server, then these kids will keep spreading the scripts, and keep trying others and succeeding.

i feel, it's an opinion, that if the isp doesn't know that this is happening from their blocks, even if it's an infected host, then nothing will change. we have a responsibility, as server operators, to keep the web safe for others and ourselves. when people are only focusing on their own systems security, and not helping others, then we might as well be running a bought os.

Last edited by emetib; 03-27-2005 at 12:48 PM.
 
Old 04-02-2005, 04:33 PM   #34
Gibsonist
Member
 
Registered: Mar 2004
Location: Meersburg (GER)
Distribution: Cygwin,RH 7.2 7.3, SuSe 6.4 8.2 9.1,TinyLinux, Debian Sarge, Knoppix 3.*, Knoppicilin, Knoppix STD
Posts: 191

Rep: Reputation: 30
Quote:
Originally posted by johnnydangerous
well if you may pls tell about ssh-agent and ssh-add
the ssh-agent takes care of your keys for you once you add it and if necessary entered the pass phrase. after this you only need to connect via ssh and no further pass phrase is asked.

you can run the agent by
Code:
ssh-agent /bin/bash
(could be ssh-agent2)
instead of /bin/bash you can use your shell you feel comfortable with,
personally I invoke bash with a different .bashrc so I know when I am in a shell running the agent

after the agent is running you run ssh-add
Code:
ssh-add
(ssh-add2) to add the keys to the agent, it will ask you the pass phrase for any key loaded, there is a way to specify which key (identity) you want to load, but lets keep things simple.

if you now establish a ssh connection you should connect without any further authentication.

to be on the secure side you can unload the keys out of the agent by running
Code:
ssh-add -D
also it is possible to lock the agent by running
Code:
ssh-add -L
it can be unlocked using
Code:
ssh-add -U
I hope this helps.
Code:
ssh-add -l
lists all loaded keys.

It is good practice to unload the keys before quiting the agent with exit.
Here is my .bashrc which I use with ssh-agent

Code:
export PS1="SSH-\u:\w>"
alias keys='ssh-add2 -l'
alias keysOn='ssh-add2'
alias keysOff='ssh-add2 -D"
alias quit='ssh-add2 -D;exit'
I simply invoke it by running
Code:
ssh-agent /bin/bash -rcfile .bashsshrc
Please note that the use of ssh-agent(2),ssh-add(2) and ssh(2) depends of your version of ssh (OpenSSH or SSH2)
 
Old 06-16-2005, 01:18 AM   #35
AAnarchYY
Member
 
Registered: Sep 2004
Location: Carlisle, MA
Distribution: Debian 8
Posts: 419

Rep: Reputation: 30
authfail

I've been getting this crap for quite a while, I origionaly just changed the ssh port to a non-standard port but that only fended off some of them. I still came home to a flooded log. I found this program called authfail http://www.bmk.bz/?p=33 that worked great for me. It by default logs 4 failed ssh login attempts from the same ip then puts the ip into iptables -j DROP all realtime. I had to hack the hell out of it to make it work(it read the ip wrong, started kinda crummy, and a few other things, and i made it add the ip to hosts.deny also), but looking at the website it appears that its been updated since i got it so maybe that stuff is fixed. Anyway, it's made my logs a whole lot smaller and keeps people from continualy hammering away at my sshd while allowing real traffic in(even with a few failed logins).
 
Old 07-05-2005, 05:46 PM   #36
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
//Moderator note: This thread is the abreviated version of a much larger original thread that can be found here. Only the most relevent post have been included in this version.
 
Old 07-17-2005, 12:12 AM   #37
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
A recent Slashdot article discussed this issue and included a number of links to apps that looked interesting:

http://denyhosts.sourceforge.net/
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.hexten.net/sw/pam_abl/index.mhtml
http://fail2ban.sourceforge.net/

Obviously use at your own risk.
 
Old 08-10-2005, 11:15 PM   #38
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
Our very own LQ mod Tinkster pointed out this tool that looks usefull as well:

http://www.aczoom.com/cms/blockhosts/

Thanks Tink!
 
Old 01-03-2006, 03:22 PM   #39
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
A quite complete summary of options from the makers of Samhain: Defending against brute force ssh attacks.
 
3 members found this post helpful.
  


Closed Thread

Tags
ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH login attempts Capt_Caveman Linux - Security 225 11-07-2009 09:55 AM
SSH tricks -- any way to block failed attempts by IP address tensigh Linux - Security 10 06-06-2008 03:46 PM
ssh login attempts from localhost?! sovietpower Linux - Security 2 05-29-2005 01:19 AM
SSH login attempts - how to get rid of the automated malware? alexberk Linux - Security 1 05-24-2005 04:57 AM
/var/log/messages shows failed login attempts... plan9 Linux - Security 8 08-08-2004 12:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration