LinuxQuestions.org
Old 08-11-2009, 05:26 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
SSHD illegal users


Got this in logwatch:
Code:
 Illegal users from:
    190.2.12.113 (customer-static-2-12-113.iplannetworks.net): 36 times
    200.29.234.100 (proxy.rebujia.com.co): 7 times
    218.75.78.86: 1 time
 reverse mapping checking getaddrinfo for customer-static-2-12-113.iplannetworks.net failed - POSSIBLE BREAK-IN ATTEMPT! : 40 time(s)
 reverse mapping checking getaddrinfo for proxy.rebujia.com.co failed - POSSIBLE BREAK-IN ATTEMPT! : 7 time(s)
Anything to be worried about?
I have code in my iptables that limits SSH logins to 8 per minute.
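The summary above is what logwatch builds from the `Invalid user` lines sshd writes to /var/log/secure. The script below is an added example, not code from this thread: it rebuilds that per-source count from raw log lines and adds the two checks that decide whether the attempts matter, namely who actually got in and whether any success came from a source that had been guessing. The sample log lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild logwatch's "Illegal users
# from:" section from raw sshd lines in /var/log/secure, then add what decides
# whether to worry: who got in, and whether a success came from a source that
# had been guessing. The "POSSIBLE BREAK-IN ATTEMPT!" line only records a DNS
# forward/reverse mismatch. Lines below are constructed (RFC 5737 addresses).
SAMPLE_LOG='Aug 10 03:12:01 vps sshd[4101]: Invalid user admin from 192.0.2.44
Aug 10 03:12:01 vps sshd[4101]: reverse mapping checking getaddrinfo for host44.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 10 03:12:03 vps sshd[4102]: Invalid user oracle from 192.0.2.44
Aug 10 04:01:10 vps sshd[4188]: Failed password for root from 198.51.100.7 port 3301 ssh2
Aug 10 04:01:15 vps sshd[4190]: Invalid user test from 198.51.100.7
Aug 10 04:01:40 vps sshd[4191]: Failed password for root from 198.51.100.7 port 3310 ssh2
Aug 10 05:00:00 vps sshd[4250]: Accepted publickey for alice from 203.0.113.9 port 50000 ssh2
Aug 10 05:30:12 vps sshd[4260]: Accepted password for root from 198.51.100.7 port 3400 ssh2'

# "Invalid user NAME from IP": guesses at accounts that do not exist, counted
# per source, busiest first. This is exactly the "Illegal users from:" list.
invalid_users_by_source() {            # sshd log lines on stdin
    awk '/sshd\[[0-9]+\]: Invalid user / { n[$NF]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Password guesses against an account that does exist (root), per source.
root_failures_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { n[$11]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Successful logins as "user method source". This is the list to actually read.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $7, $11 }'
}

# Successful logins from a source that also produced failures: either a guess
# that worked or a legitimate user who mistyped first. Either way, look at it.
suspicious_accepts() {
    awk '{ src = ""; for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1) }
         /: Invalid user / || /: Failed password for / { bad[src]++ }
         /: Accepted / { acc[NR] = src; line[NR] = $0 }
         END { for (k in acc) if (acc[k] in bad) print line[k] }'
}

report() {                             # usage: report /var/log/secure
    echo "Illegal users from:";              invalid_users_by_source < "$1"
    echo "Failed root logins from:";         root_failures_by_source < "$1"
    echo "Accepted logins:";                 accepted_logins < "$1"
    echo "Accepted from a guessing source:"; suspicious_accepts < "$1"
}
tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"; report "$tmp"; rm -f "$tmp"
```

Run `report /var/log/secure` on the real file; an entry under the last heading is the one that warrants a closer look, whatever the attempt counts say.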
 
Old 08-11-2009, 07:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547
Quote:
Originally Posted by qwertyjjj View Post
Anything to be worried about?
In computing something is on or it is off, a condition exists or it doesn't, there's no need for fuzzy human "worrying". If you would say "what is the risk?" then I'd say it depends on you implementing the measures I already offered.


Quote:
Originally Posted by qwertyjjj View Post
I have code in my iptables that limits SSH logins to 8 per minute.
8 p/m is way too lenient IMHO, I'd go for 2.
 
Old 08-11-2009, 07:27 AM   #3
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Quote:
Originally Posted by qwertyjjj View Post
Got this in logwatch:
Code:
 Illegal users from:
    190.2.12.113 (customer-static-2-12-113.iplannetworks.net): 36 times
    200.29.234.100 (proxy.rebujia.com.co): 7 times
    218.75.78.86: 1 time
 reverse mapping checking getaddrinfo for customer-static-2-12-113.iplannetworks.net failed - POSSIBLE BREAK-IN ATTEMPT! : 40 time(s)
 reverse mapping checking getaddrinfo for proxy.rebujia.com.co failed - POSSIBLE BREAK-IN ATTEMPT! : 7 time(s)
Anything to be worried about?
I have code in my iptables that limits SSH logins to 8 per minute.
should you worry? yes and no.
these are just attempts to get in....but then no one is ever successful without first attempting

set the AllowUsers keyword.
run sshd on a port different than 22.
allow root login - turn off
use dsa keys
turn off password auth
so many things you can do to lock it down properly..
but it looks like someone has already advised you of all these?

Last edited by centosboy; 08-11-2009 at 07:29 AM.
 
Old 08-11-2009, 08:29 AM   #4
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by centosboy View Post
should you worry? yes and no.
these are just attempts to get in....but then no one is ever successful without first attempting

set the AllowUsers keyword.
run sshd on a port different than 22.
allow root login - turn off
use dsa keys
turn off password auth
so many things you can do to lock it down properly..
but it looks like someone has already advised you of all these?
But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?

Is the SSH listening port in SSH config file?

what are dsa keys and password auth?
 
Old 08-11-2009, 08:34 AM   #5
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
Quote:
Originally Posted by qwertyjjj View Post
But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?
Why not ssh in as an unprivileged user, then su - to root?
Quote:
Originally Posted by qwertyjjj View Post
Is the SSH listening port in SSH config file?
Have you looked?
 
Old 08-11-2009, 08:41 AM   #6
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
Quote:
Originally Posted by qwertyjjj View Post
But for AllowUsers, I'd have to allow root wouldn't I or I couldn't do many of the changes I need to on the server?

Is the SSH listening port in SSH config file?

what are dsa keys and password auth?
You do not have to allow root to log in to allow a user to su to root. Disallowing root login makes someone log in as themselves and then become root, which creates an entry in the log files.

ssh port is in the sshd config file.

Disallowing password auth means that the user must log in from a trusted account/machine. They won't need a password, but it will be from an account/machine that you know should only have allowed access, because the user has to have a pre-shared key.

DSA and RSA are the two keys usable in ssh. DSA is generally more secure, last I knew.

Please take a look at the sshd config file to get a better idea of your options.

Last edited by nuwen52; 08-11-2009 at 08:42 AM.
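The directives centosboy and nuwen52 are describing all live in sshd_config. The script below is an added example, not anything posted in the thread: it sets those directives in a copy of the file and reads back the effective values, taking care of two things a plain `echo >> sshd_config` gets wrong (a commented-out `#Port 22` line left in place, and a line appended after a `Match` block that then only applies inside that block). The sample config, the port 1057 and the user name alice are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the sshd_config changes the
# replies list (port, no root login, keys only, AllowUsers) to a config file and
# read back the effective values. The sample config is constructed; 1057 and
# "alice" are placeholders for your own port and login name.

# Set KEY to VALUE in FILE at global scope: replaces the first existing line for
# KEY (even a commented-out "#Key ..." line), drops later global duplicates, and
# otherwise inserts before the first "Match" block, since a line appended after
# a Match block would apply only inside that block.
set_directive() {                      # usage: set_directive FILE KEY VALUE
    awk -v k="$2" -v v="$3" '
        /^[ \t]*Match([ \t]|$)/ { if (!done) { print k " " v; done = 1 }; inmatch = 1 }
        !inmatch && $0 ~ ("^[# \t]*" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Effective global value of KEY: sshd takes the first uncommented occurrence.
get_directive() {                      # usage: get_directive FILE KEY
    awk -v k="$2" '/^[ \t]*Match([ \t]|$)/ { exit } $1 == k { print $2; exit }' "$1"
}

harden_sshd_config() {                 # usage: harden_sshd_config FILE PORT USER
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no          # log in as USER, then su -
    set_directive "$1" PasswordAuthentication no   # key pair only, nothing to guess
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" AllowUsers "$3"             # everyone not listed is refused
}

# Constructed sample in the shape of a stock CentOS 5 sshd_config, with a
# Match block that keeps passwords on for one internal network.
make_sample_config() {                 # usage: make_sample_config FILE
    printf '%s\n' '#Port 22' 'Protocol 2' '#PermitRootLogin yes' \
        'PasswordAuthentication yes' 'Match Address 10.0.0.0/8' \
        '    PasswordAuthentication yes' > "$1"
}

f=$(mktemp); make_sample_config "$f"; harden_sshd_config "$f" 1057 alice
cat "$f"
# On the real host: sshd -t -f /etc/ssh/sshd_config before restarting, and do it
# from the console/KVM, not over the ssh session you are reconfiguring.
rm -f "$f"
```

Before `PasswordAuthentication no` goes live, the listed user's public key must already be in their ~/.ssh/authorized_keys and a key login must have been tested from a second session.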
 
Old 08-11-2009, 08:41 AM   #7
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Another thing to read on: http://www.fail2ban.org/wiki/index.php/Main_Page
 
Old 08-11-2009, 09:42 AM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Brilliant, I've now locked myself out of the server by changing the port and even though I added a firewall rule something has messed up.
Argh
 
Old 08-11-2009, 09:55 AM   #9
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Right I got it back using KVM.
Now when I edit the SSH port, do you just put in:
Port 1234
for example?

My iptables rules were changed to:
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT


EDIT: oops, I was changing the ssh config file not the sshd config file

Last edited by qwertyjjj; 08-11-2009 at 10:00 AM.
 
Old 08-11-2009, 10:12 AM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
You do not have to allow root to log in to allow a user to su to root. Disallowing root login makes someone log in as themselves and then become root, which creates an entry in the log files.
If I create a new user, what permissions do you give them?
To then login as root is it just su root?
So effectively you have a user login and password and then a 2nd root and password?

ssh port is in the sshd config file.

Disallowing password auth means that the user must log in from a trusted account/machine. They won't need a password, but it will be from an account/machine that you know should only have allowed access, because the user has to have a pre-shared key.
Can't do this as the IP address on my computer is dynamic or am I missing something here? Is a key used instead of the password? Effectively the same process then isn't it?

DSA and RSA are the two keys usable in ssh. DSA is generally more secure, last I knew.

Please take a look at the sshd config file to get a better idea of your options.
 
Old 08-11-2009, 10:15 AM   #11
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Quote:
Originally Posted by qwertyjjj View Post
Right I got it back using KVM.
Now when I edit the SSH port, do you just put in:
Port 1234
for example?

My iptables rules were changed to:
Code:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xxx -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT


EDIT: oops, I was changing the ssh config file not the sshd config file
i would only ever recommend playing with this stuff locally unless you have another way in.

all the directives you need are in sshd_config

man sshd_config.

it is always good that you have some kind of test server to test out how this all works for you before putting it out live on a production server.

Last edited by centosboy; 08-11-2009 at 10:17 AM.
 
Old 08-11-2009, 10:25 AM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
I created a user testuser with password
then added AllowUsers testuser in the config file
However, whenever I login with this user it says access denied after the password.

?
 
Old 08-11-2009, 10:58 AM   #13
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
I think I am comfortable having a root password of 20 chars & numbers and restricting logins to 2 per min.
any hacker attempting to get through that would have to try for years
...and changing the port

Last edited by qwertyjjj; 08-11-2009 at 11:00 AM.
 
Old 08-11-2009, 11:00 AM   #14
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

Rep: Reputation: 899
Quote:
any hacker attempting to get through that would have to try for years
Or be extremely lucky :-)
 
Old 08-11-2009, 11:15 AM   #15
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
Please use [quote][/quote] tags around the parts of text you are quoting, otherwise it's hard to tell what's your response and what's the original text you're responding to.
Quote:
Originally Posted by qwertyjjj View Post
If I create a new user, what permissions do you give them?
No special permissions needed. Just an ordinary, bog standard user with a real log in shell (not /bin/false, for example).
Quote:
Originally Posted by qwertyjjj View Post
To then login as root is it just su root?
Even better,
Code:
su -
so that you inherit root's environment settings too (see man su).
Quote:
Originally Posted by qwertyjjj View Post
So effectively you have a user login and password and then a 2nd root and password?
Yes.
Quote:
Originally Posted by qwertyjjj View Post
Can't do this as the IP address on my computer is dynamic or am I missing something here?
It's not the machine's IP address that's used to identify the machine, it's the key pair that is used.
Quote:
Originally Posted by qwertyjjj View Post
Is a key used instead of the password? Effectively the same process then isn't it?
Yes, a key's used. The difference is, the key's tied to the machine, whereas the password can roam independent of the machine, which allows anyone to have a go at guessing the right combination of username and password. At least, that's my understanding of it.

Last edited by pwc101; 08-11-2009 at 11:18 AM.
 
  

