LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-05-2006, 10:09 PM   #1
seanferd
LQ Newbie
 
Registered: Feb 2006
Distribution: Debian Wheezy
Posts: 13

Rep: Reputation: 0
Constant failed login attempts...


Someone please help. I have my own (crappy) website running out of my basement. It's DMZ'd off my router and, of course, open on all ports. I have someone or a group of people trying to break into my machine every day. /etc/hosts.deny has upwards of 80 banned IP's. I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times. I don't have a chance to check auth.log as often as I would like, so I know I'm probably missing a few IP's due to logrotate.

A sample of my auth.log:

Nov 5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov 5 16:13:24 webserver sshd[30994]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov 5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2

It seems like they try one username over and over, then try different ports. It's really getting annoying. Moreso, I'm worried that they may actually get in and be able to destroy my other machines on the network with samba somehow. Thank you for any help you can give!

Pentium III 550mHz 384ram running Debian Etch 2.6.15-1-686 kernel


--Sean
 
Old 11-05-2006, 11:55 PM   #2
mcrbids
LQ Newbie
 
Registered: Jan 2006
Posts: 9

Rep: Reputation: 0
Quote:
Originally Posted by seanferd
Someone please help. I have my own (crappy) website running out of my basement. It's DMZ'd off my router and, of course, open on all ports. I have someone or a group of people trying to break into my machine every day. /etc/hosts.deny has upwards of 80 banned IP's. I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times. I don't have a chance to check auth.log as often as I would like, so I know I'm probably missing a few IP's due to logrotate.

A sample of my auth.log:

Nov 5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov 5 16:13:24 webserver sshd[30994]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov 5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2

It seems like they try one username over and over, then try different ports. It's really getting annoying. Moreso, I'm worried that they may actually get in and be able to destroy my other machines on the network with samba somehow. Thank you for any help you can give!

Pentium III 550mHz 384ram running Debian Etch 2.6.15-1-686 kernel


--Sean
Somebody is using an automated tool to do a "dictionary attack" to gain access to your computer. The attacker will use a script and a dictionary of commonly used passwords. Unless your passwords are good and strong, they WILL get in. The fact that they're still hitting you is a good sign - it means that they probably haven't already cracked you.

After checking your passwords for strength, I'd recommend

Step #1: Unless you REALLY NEED ssh support from "outside", turn it off - at least firewall it off with iptables or ipchains as appropriate. Enable it only from addresses you are likely to work from. EG: your office. Something similar to:

iptables -I INPUT -p tcp --dport 22 -j REJECT;

Step #2: Disable logins by password. Edit your sshd_config (typically /etc/ssh/sshd_config on a Redhat system, I dunno for Debian but it's probably similar) and look for keys with the word "password" in them. Restart sshd so it takes effect.

Step #3: Move SSH to a "funky" port. I use something in the high port (>1024) range. Look for "port" in sshd_config.

DO A BASIC LOCKDOWN OF YOUR COMPUTER.

Step #4: NMAP your computer from outside. (I do this by logging in to other servers I control from various points on the Internet) nmap will do a scan of your computer. Do a "nasty" scan. EG:

nmap -sS -sU -p1-65535 yourhostname.com

This does a full tcp/udp stealth scan on all ports of your server. It will take a few hours, but will give a really good idea of what other services you have open to the public. DISABLE OR FIREWALL ANYTHING THAT ISN'T CRITICAL.

Step #5: disable all accounts that aren't critical. Edit /etc/password and change the shell for anything that isn't absolutely required to /bin/false (look for /bin/bash and replace with this)
 
Old 11-06-2006, 12:42 AM   #3
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
I use OSSEC HIDS and I think its 'active-response' is pretty good and you may like it since it does what you have asked viz.
Quote:
I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times.
OSSEC lets you automatically blacklist IP in your firewall and hosts.deny based on how many failed login attempts there was. I hope this helps.
 
Old 11-06-2006, 02:20 AM   #4
Synt4x_3rr0r
Member
 
Registered: Nov 2005
Location: Sweden
Distribution: Arch Linux 64bit with Gnome
Posts: 138

Rep: Reputation: 15
I'm using denyhosts to do the job. You can check it out here: http://denyhosts.sourceforge.net/
It does the same as OSSEC i guess. Adds the IP to hosts.deny after X number of failed logins.

You can also specify IP adresses that shouldnt be put in hosts.deny (like your own IP and your internal IP for example).
Read the FAQ on the site. It has all the information you need.

Last edited by Synt4x_3rr0r; 11-06-2006 at 02:24 AM.
 
Old 11-06-2006, 07:45 PM   #5
seanferd
LQ Newbie
 
Registered: Feb 2006
Distribution: Debian Wheezy
Posts: 13

Original Poster
Rep: Reputation: 0
Wow! Thanks for all the replies. I am now using denyhosts and it's seeming to work well. No offense to OSSEC, but I had sources for denyhosts and it was easy to setup. I checked my password and it's relatively strong according to http://www.microsoft.com/athome/secu...d_checker.mspx . I also got a little paranoid and changed the router from DMZ to only forwarding port 80 because it's hosting my web site. I'm not sure if this is the best course of action though. I'm afraid that they will, in time, discover port 80 is the only one open and directly attack that port instead of randomly checking 1-45000 or whatever limit they're using. I know that my username isn't in a dictionary and I have removed all non-essential users from the system.

mcrbids, for steps 1-3, can't they just ssh mymachine@111.11.11.1:80 or :funkyport#? And I do like to ssh into the machine while I'm traveling so I don't always know the IP I will have. I also don't understand the disabling of password logins, how would I get in then? SSH keys, I guess?

Thanks to all for your help!

--Sean
 
Old 11-06-2006, 08:28 PM   #6
Synt4x_3rr0r
Member
 
Registered: Nov 2005
Location: Sweden
Distribution: Arch Linux 64bit with Gnome
Posts: 138

Rep: Reputation: 15
Yes, when you disable passwordlogins you use either RSA or DSA keys on the client computer to be able to login to the SSH server.
If you want to be able to login from SSH from anywhere though, it is not so convenient to do so.

One thing you can do is to add an "AllowUsers" line to sshd_config, like this for example:
Code:
AllowUsers user1 user2 user3
Then, only user1, user2 and user3 can login on SSH.

And, you should never permit rootlogin on SSH. Add this line to sshd_config if it isnt already there:
Code:
PermitRootLogin no
And also, they cant login on SSH using port 80 if SSH is not running on port 80.

Last edited by Synt4x_3rr0r; 11-06-2006 at 08:29 PM.
 
Old 11-06-2006, 11:14 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by seanferd
I also got a little paranoid and changed the router from DMZ to only forwarding port 80 because it's hosting my web site.
That's a very wise step to take. Never give any more access than the absolute minimum that is necessary. If the only thing you want to host for outsiders to look at is a web site, then all you need is port 80/tcp open and nothing else. They can still try Apache/Apache model/PHP exploits, but it really narrows down the possibilities. They won't be able to guess a weak SSH password, for instance. Now it's time to make sure your Apache installation (and all the loaded modules) have all the latest security patches!
 
Old 11-08-2006, 05:28 PM   #8
mcrbids
LQ Newbie
 
Registered: Jan 2006
Posts: 9

Rep: Reputation: 0
Right

Quote:
Originally Posted by seanferd

mcrbids, for steps 1-3, can't they just ssh mymachine@111.11.11.1:80 or :funkyport#? And I do like to ssh into the machine while I'm traveling so I don't always know the IP I will have. I also don't understand the disabling of password logins, how would I get in then? SSH keys, I guess?

Thanks to all for your help!

--Sean
Moving the port is a form of "security by obscurity" but it also stops automated attacks that target port 22. In my case, I've not seen or caught a single example of a problem after the port number was changed.

So, I consider this to be just one of a number of layers in self defense, which include:

1) All non-essential accounts CLOSED.

2) Any essential accounts set up to have no shell if it can be made to work.

3) Those that require a shell inside a chroot jail if possible.

4) Those that require a shell account on the primary F/S can only login with a certificate + password. (both required)

5) Only allow access to the ssh port from approved IP addresses with firewall rules.

6) SSHD on a non-standard port address.

Yes, I am probably paranoid.

=)
 
Old 11-09-2006, 08:42 AM   #9
seanferd
LQ Newbie
 
Registered: Feb 2006
Distribution: Debian Wheezy
Posts: 13

Original Poster
Rep: Reputation: 0
Uh oh... I got some new ssh activity. Only three failed attempts before a ban this time, but they still got through. I checked my ssh_config file and the port line was commented. Does that mean it was open on any port? Either way, I changed it to a higher port number and I tried to test it locally to no avail. Well.... as I'm writing this I discover sshd_config, which does have an uncommented port line. /*I changed it to the same port number as the ssh_config file and tried to ssh locally, with the same results. Could this be because my local IP is in hosts.allow?*/ .. forgot to restart ssh.

What is a chroot jail and how do you set one up?

EDIT: How do you enable password AND certificate??

Thanks again for all your replies!

--Sean

Last edited by seanferd; 11-09-2006 at 11:07 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Timeout between failed login attempts wuicci Linux - Security 3 06-01-2006 04:40 AM
Failed SSH login attempts Capt_Caveman Linux - Security 38 01-03-2006 03:22 PM
lock password after failed attempts... manudath Linux - Security 2 04-28-2005 10:55 AM
/var/log/messages shows failed login attempts... plan9 Linux - Security 8 08-08-2004 12:52 PM
all attempts failed btb103 Linux - General 1 10-23-2001 05:31 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration