Constant failed login attempts...
 

Someone please help. I have my own (crappy) website running out of my basement. It's DMZ'd off my router and, of course, open on all ports. I have someone or a group of people trying to break into my machine every day. /etc/hosts.deny has upwards of 80 banned IP's. I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times. I don't have a chance to check auth.log as often as I would like, so I know I'm probably missing a few IP's due to logrotate.

A sample of my auth.log:

Nov 5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov 5 16:13:24 webserver sshd[30994]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov 5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2

It seems like they try one username over and over, then try different ports. It's really getting annoying. Moreso, I'm worried that they may actually get in and be able to destroy my other machines on the network with samba somehow. Thank you for any help you can give!

Pentium III 550mHz 384ram running Debian Etch 2.6.15-1-686 kernel


--Sean

Somebody is using an automated tool to do a "dictionary attack" to gain access to your computer. The attacker will use a script and a dictionary of commonly used passwords. Unless your passwords are good and strong, they WILL get in. The fact that they're still hitting you is a good sign - it means that they probably haven't already cracked you.

After checking your passwords for strength, I'd recommend

Step #1: Unless you REALLY NEED ssh support from "outside", turn it off - at least firewall it off with iptables or ipchains as appropriate. Enable it only from addresses you are likely to work from. EG: your office. Something similar to:

iptables -I INPUT -p tcp --dport 22 -j REJECT;

Step #2: Disable logins by password. Edit your sshd_config (typically /etc/ssh/sshd_config on a Redhat system, I dunno for Debian but it's probably similar) and look for keys with the word "password" in them. Restart sshd so it takes effect.

Step #3: Move SSH to a "funky" port. I use something in the high port (>1024) range. Look for "port" in sshd_config.

DO A BASIC LOCKDOWN OF YOUR COMPUTER.

Step #4: NMAP your computer from outside. (I do this by logging in to other servers I control from various points on the Internet) nmap will do a scan of your computer. Do a "nasty" scan. EG:

nmap -sS -sU -p1-65535 yourhostname.com

This does a full tcp/udp stealth scan on all ports of your server. It will take a few hours, but will give a really good idea of what other services you have open to the public. DISABLE OR FIREWALL ANYTHING THAT ISN'T CRITICAL.

Step #5: disable all accounts that aren't critical. Edit /etc/password and change the shell for anything that isn't absolutely required to /bin/false (look for /bin/bash and replace with this)

I use OSSEC HIDS and I think its 'active-response' is pretty good and you may like it since it does what you have asked viz.
OSSEC lets you automatically blacklist IP in your firewall and hosts.deny based on how many failed login attempts there was. I hope this helps.

I'm using denyhosts to do the job. You can check it out here: http://denyhosts.sourceforge.net/
It does the same as OSSEC i guess. Adds the IP to hosts.deny after X number of failed logins.

You can also specify IP adresses that shouldnt be put in hosts.deny (like your own IP and your internal IP for example).
Read the FAQ on the site. It has all the information you need.

Wow! Thanks for all the replies. I am now using denyhosts and it's seeming to work well. No offense to OSSEC, but I had sources for denyhosts and it was easy to setup. I checked my password and it's relatively strong according to http://www.microsoft.com/athome/secu...d_checker.mspx . I also got a little paranoid and changed the router from DMZ to only forwarding port 80 because it's hosting my web site. I'm not sure if this is the best course of action though. I'm afraid that they will, in time, discover port 80 is the only one open and directly attack that port instead of randomly checking 1-45000 or whatever limit they're using. I know that my username isn't in a dictionary and I have removed all non-essential users from the system.

mcrbids, for steps 1-3, can't they just ssh mymachine@111.11.11.1:80 or :funkyport#? And I do like to ssh into the machine while I'm traveling so I don't always know the IP I will have. I also don't understand the disabling of password logins, how would I get in then? SSH keys, I guess?

Thanks to all for your help!

--Sean

Yes, when you disable passwordlogins you use either RSA or DSA keys on the client computer to be able to login to the SSH server.
If you want to be able to login from SSH from anywhere though, it is not so convenient to do so.

One thing you can do is to add an "AllowUsers" line to sshd_config, like this for example:
Then, only user1, user2 and user3 can login on SSH.

And, you should never permit rootlogin on SSH. Add this line to sshd_config if it isnt already there:
And also, they cant login on SSH using port 80 if SSH is not running on port 80.

That's a very wise step to take. Never give any more access than the absolute minimum that is necessary. If the only thing you want to host for outsiders to look at is a web site, then all you need is port 80/tcp open and nothing else. They can still try Apache/Apache model/PHP exploits, but it really narrows down the possibilities. They won't be able to guess a weak SSH password, for instance. Now it's time to make sure your Apache installation (and all the loaded modules) have all the latest security patches!

Right
 

Moving the port is a form of "security by obscurity" but it also stops automated attacks that target port 22. In my case, I've not seen or caught a single example of a problem after the port number was changed.

So, I consider this to be just one of a number of layers in self defense, which include:

1) All non-essential accounts CLOSED.

2) Any essential accounts set up to have no shell if it can be made to work.

3) Those that require a shell inside a chroot jail if possible.

4) Those that require a shell account on the primary F/S can only login with a certificate + password. (both required)

5) Only allow access to the ssh port from approved IP addresses with firewall rules.

6) SSHD on a non-standard port address.

Yes, I am probably paranoid.

=)

Uh oh... I got some new ssh activity. Only three failed attempts before a ban this time, but they still got through. I checked my ssh_config file and the port line was commented. Does that mean it was open on any port? Either way, I changed it to a higher port number and I tried to test it locally to no avail. Well.... as I'm writing this I discover sshd_config, which does have an uncommented port line. /*I changed it to the same port number as the ssh_config file and tried to ssh locally, with the same results. Could this be because my local IP is in hosts.allow?*/ .. forgot to restart ssh.

What is a chroot jail and how do you set one up?

EDIT: How do you enable password AND certificate??

Thanks again for all your replies!

--Sean