11-05-2006, 10:09 PM, #1
LQ Newbie, Registered: Feb 2006, Distribution: Debian Wheezy, Posts: 13
Constant failed login attempts...
Someone please help. I have my own (crappy) website running out of my basement. It's DMZ'd off my router and, of course, open on all ports. I have someone or a group of people trying to break into my machine every day. /etc/hosts.deny has upwards of 80 banned IPs. I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times. I don't have a chance to check auth.log as often as I would like, so I know I'm probably missing a few IPs due to logrotate.
A sample of my auth.log:
Nov 5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov 5 16:13:24 webserver sshd[30994]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov 5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
It seems like they try one username over and over, then try different ports. It's really getting annoying. More so, I'm worried that they may actually get in and be able to destroy my other machines on the network with Samba somehow. Thank you for any help you can give!
Pentium III 550 MHz, 384 MB RAM, running Debian Etch with the 2.6.15-1-686 kernel
--Sean

11-05-2006, 11:55 PM, #2
LQ Newbie, Registered: Jan 2006, Posts: 9
Quote:
Originally Posted by seanferd
Someone please help. I have my own (crappy) website running out of my basement. It's DMZ'd off my router and, of course, open on all ports. I have someone or a group of people trying to break into my machine every day. /etc/hosts.deny has upwards of 80 banned IPs. I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times. I don't have a chance to check auth.log as often as I would like, so I know I'm probably missing a few IPs due to logrotate.
A sample of my auth.log:
Nov 5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov 5 16:13:24 webserver sshd[30994]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov 5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
It seems like they try one username over and over, then try different ports. It's really getting annoying. More so, I'm worried that they may actually get in and be able to destroy my other machines on the network with Samba somehow. Thank you for any help you can give!
Pentium III 550 MHz, 384 MB RAM, running Debian Etch with the 2.6.15-1-686 kernel
--Sean
Somebody is using an automated tool to do a "dictionary attack" to gain access to your computer. The attacker will use a script and a dictionary of commonly used passwords. Unless your passwords are good and strong, they WILL get in. The fact that they're still hitting you is a good sign - it means that they probably haven't already cracked you.
After checking your passwords for strength, I'd recommend
Step #1: Unless you REALLY NEED ssh support from "outside", turn it off - at least firewall it off with iptables or ipchains as appropriate. Enable it only from addresses you are likely to work from, e.g. your office. Something similar to:
iptables -I INPUT -p tcp --dport 22 -j REJECT
Step #2: Disable logins by password. Edit your sshd_config (typically /etc/ssh/sshd_config on a Redhat system, I dunno for Debian but it's probably similar) and look for keys with the word "password" in them. Restart sshd so it takes effect.
Step #3: Move SSH to a "funky" port. I use something in the high port (>1024) range. Look for "port" in sshd_config.
DO A BASIC LOCKDOWN OF YOUR COMPUTER.
Step #4: NMAP your computer from outside. (I do this by logging in to other servers I control from various points on the Internet.) nmap will do a scan of your computer. Do a "nasty" scan, e.g.:
nmap -sS -sU -p1-65535 yourhostname.com
This does a full tcp/udp stealth scan on all ports of your server. It will take a few hours, but will give a really good idea of what other services you have open to the public. DISABLE OR FIREWALL ANYTHING THAT ISN'T CRITICAL.
Step #5: disable all accounts that aren't critical. Edit /etc/passwd and change the shell for anything that isn't absolutely required to /bin/false (look for /bin/bash and replace it with this).

11-06-2006, 12:42 AM, #3
Member, Registered: Oct 2005, Location: Australia, Distribution: slackware 12.1, Posts: 753
I use OSSEC HIDS and I think its 'active-response' is pretty good and you may like it since it does what you have asked viz.
Quote:
I'm mostly wondering if there is a way to get my machine to automatically ban someone's IP that has failed to login 5 times.
OSSEC lets you automatically blacklist IPs in your firewall and hosts.deny based on how many failed login attempts there were. I hope this helps.

11-06-2006, 02:20 AM, #4
Member, Registered: Nov 2005, Location: Sweden, Distribution: Arch Linux 64bit with Gnome, Posts: 138
I'm using denyhosts to do the job. You can check it out here: http://denyhosts.sourceforge.net/
It does the same as OSSEC, I guess. Adds the IP to hosts.deny after X number of failed logins.
You can also specify IP addresses that shouldn't be put in hosts.deny (like your own IP and your internal IP, for example).
Read the FAQ on the site. It has all the information you need.
Last edited by Synt4x_3rr0r; 11-06-2006 at 02:24 AM.
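The first post asks for an automatic ban after five failed logins, and the two replies above point at OSSEC and denyhosts, which parse auth.log for exactly that. What follows is an added example, not code from the thread, from denyhosts or from OSSEC: a POSIX sh/awk script that does the core of the job over the log format in the first post. It counts "Failed password" lines per source address, exempts an allowlist of your own addresses (the whitelist idea from post #4), and prints the offenders in hosts.deny syntax. The sample log is constructed after the first post's excerpt; 198.51.100.7 and 203.0.113.9 are documentation addresses and 192.168.1.1 stands in for a LAN address of your own.

```shell
#!/bin/sh
# Added example, not code from the thread, denyhosts or OSSEC: count sshd
# "Failed password" lines per source address in an auth.log and print, in
# hosts.deny syntax, every address at or above a threshold. The sample log is
# constructed after the first post's excerpt; 198.51.100.7 and 203.0.113.9 are
# documentation addresses and 192.168.1.1 stands in for the OP's own LAN.

# failed_ips_over_threshold THRESHOLD [ALLOWLIST] < auth.log
# Prints "IP COUNT" for each address with at least THRESHOLD failures, sorted.
# ALLOWLIST is a space-separated list of addresses never to report (the
# denyhosts whitelist idea from post #4).
failed_ips_over_threshold() {
    awk -v t="$1" -v allow="${2:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # sshd logs one "Failed password" line per rejected attempt (the
        # pam_unix line before it describes the same attempt and is not
        # counted). The address follows the word "from", whether or not the
        # line says "invalid user".
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip, count[ip] }
    ' | sort
}

# to_hosts_deny: turn "IP COUNT" lines into the "sshd: IP" form that
# /etc/hosts.deny takes for the sshd service.
to_hosts_deny() {
    awk '{ print "sshd: " $1 }'
}

# Constructed sample, modelled on the first post's auth.log excerpt.
SAMPLE_LOG='Nov  5 16:13:22 webserver sshd[30993]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.22.241.202 user=uucp
Nov  5 16:13:24 webserver sshd[30993]: Failed password for uucp from 125.22.241.202 port 47137 ssh2
Nov  5 16:13:27 webserver sshd[30995]: Failed password for uucp from 125.22.241.202 port 47201 ssh2
Nov  5 16:13:30 webserver sshd[30997]: Failed password for invalid user admin from 125.22.241.202 port 47255 ssh2
Nov  5 16:13:33 webserver sshd[30999]: Failed password for invalid user test from 125.22.241.202 port 47310 ssh2
Nov  5 16:13:36 webserver sshd[31001]: Failed password for root from 125.22.241.202 port 47362 ssh2
Nov  5 16:20:01 webserver sshd[31010]: Failed password for sean from 198.51.100.7 port 51000 ssh2
Nov  5 16:20:05 webserver sshd[31012]: Failed password for sean from 198.51.100.7 port 51004 ssh2
Nov  5 16:25:40 webserver sshd[31020]: Failed password for invalid user oracle from 203.0.113.9 port 40022 ssh2
Nov  5 17:02:10 webserver sshd[31030]: Failed password for sean from 192.168.1.1 port 33000 ssh2
Nov  5 17:02:14 webserver sshd[31030]: Failed password for sean from 192.168.1.1 port 33000 ssh2
Nov  5 17:02:20 webserver sshd[31030]: Accepted password for sean from 192.168.1.1 port 33000 ssh2'

# Stand-alone run: ban after 5 failures, never the LAN address.
printf '%s\n' "$SAMPLE_LOG" | failed_ips_over_threshold 5 "192.168.1.1" | to_hosts_deny
```

On the sample this prints a single `sshd: 125.22.241.202` line. Run from cron against /var/log/auth.log, the output can be appended to /etc/hosts.deny, but put your own addresses in /etc/hosts.allow first, since hosts.allow is consulted before hosts.deny and a typo in the allowlist otherwise locks you out. Because logrotate moves the file, a cron job that runs more often than the rotation interval also closes the gap the first post mentions.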

11-06-2006, 07:45 PM, #5
LQ Newbie (Original Poster), Registered: Feb 2006, Distribution: Debian Wheezy, Posts: 13
Wow! Thanks for all the replies. I am now using denyhosts and it seems to work well. No offense to OSSEC, but I had sources for denyhosts and it was easy to set up. I checked my password and it's relatively strong according to http://www.microsoft.com/athome/secu...d_checker.mspx . I also got a little paranoid and changed the router from DMZ to only forwarding port 80 because it's hosting my web site. I'm not sure if this is the best course of action though. I'm afraid that they will, in time, discover port 80 is the only one open and directly attack that port instead of randomly checking 1-45000 or whatever limit they're using. I know that my username isn't in a dictionary and I have removed all non-essential users from the system.
mcrbids, for steps 1-3, can't they just ssh mymachine@111.11.11.1:80 or :funkyport#? And I do like to ssh into the machine while I'm traveling so I don't always know the IP I will have. I also don't understand the disabling of password logins, how would I get in then? SSH keys, I guess?
Thanks to all for your help!
--Sean

11-06-2006, 08:28 PM, #6
Member, Registered: Nov 2005, Location: Sweden, Distribution: Arch Linux 64bit with Gnome, Posts: 138
Yes, when you disable password logins you use either RSA or DSA keys on the client computer to be able to log in to the SSH server.
If you want to be able to log in over SSH from anywhere, though, it is not so convenient to do so.
One thing you can do is to add an "AllowUsers" line to sshd_config, like this for example:
Code:
AllowUsers user1 user2 user3
Then, only user1, user2 and user3 can log in via SSH.
And, you should never permit root login via SSH. Add this line to sshd_config if it isn't already there:
And also, they can't log in via SSH using port 80 if SSH is not running on port 80.
Last edited by Synt4x_3rr0r; 11-06-2006 at 08:29 PM.
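mcrbids' steps 2 and 3 in post #2 and the AllowUsers and root-login advice just above are all sshd_config settings, and each of them is easy to get wrong by editing a commented-out line or leaving the default in place. The script below is an added example, not code from the thread: it reads an sshd_config and reports, for the settings discussed in this thread, which ones are weak or missing. The two embedded configs are constructed (one resembling a distribution default, one hardened); the keywords Port, PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers and Match are real sshd_config keywords.

```shell
#!/bin/sh
# Added example, not from the thread: report weak or missing sshd_config
# settings for the points discussed here (password logins, root login,
# listening port, AllowUsers). The configs at the bottom are constructed;
# the keywords are real sshd_config keywords. POSIX sh + awk only.

# sshd_setting KEYWORD < sshd_config
# Prints the value of the first uncommented KEYWORD line, or nothing if it is
# absent. sshd keeps the first value of a repeated keyword and matches
# keywords case-insensitively; "Keyword value" and "Keyword=value" are both
# accepted. Everything from the first Match line on is skipped, because those
# settings apply only to the matched users or addresses.
sshd_setting() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            gsub(/^[ \t]+/, "", line); gsub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, /[ \t]+/)
        }
        n == 0 || f[1] ~ /^#/ { next }
        tolower(f[1]) == "match" { in_match = 1 }
        in_match { next }
        tolower(f[1]) == want {
            v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]
            print v; exit
        }'
}

# Helpers: setting_of CONFIG_TEXT KEYWORD, and a lowercase filter.
setting_of() { printf '%s\n' "$1" | sshd_setting "$2"; }
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config < sshd_config
# Prints one line per finding; a config hardened as discussed in the thread
# prints nothing.
audit_sshd_config() {
    cfg=$(cat)
    pw=$(lc "$(setting_of "$cfg" PasswordAuthentication)")
    root=$(lc "$(setting_of "$cfg" PermitRootLogin)")
    pubkey=$(lc "$(setting_of "$cfg" PubkeyAuthentication)")
    port=$(setting_of "$cfg" Port)
    users=$(setting_of "$cfg" AllowUsers)

    case "$pw" in
        no) ;;
        "") echo "PasswordAuthentication not set: sshd defaults to yes, so password guessing still works" ;;
        *)  echo "PasswordAuthentication $pw: guessable passwords are accepted; move to keys, then set no" ;;
    esac
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin not set: make it an explicit no" ;;
        *)  echo "PermitRootLogin $root: root is the first name a dictionary attack tries; set no" ;;
    esac
    case "$port" in
        ""|22) echo "Port 22: the port automated scans target; a non-standard port cuts the noise" ;;
    esac
    if [ -z "$users" ]; then
        echo "no AllowUsers line: every account with a shell may try to log in"
    fi
    if [ "$pw" = no ] && [ "$pubkey" = no ]; then
        echo "PasswordAuthentication and PubkeyAuthentication both no: nobody can log in"
    fi
    return 0
}

# Constructed configs: a default-looking one and a hardened one.
WEAK_CONFIG='# Package generated configuration file
Port 22
Protocol 2
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'

HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers sean
# Per-address overrides live in Match blocks and are not audited above.
Match Address 192.168.1.0/24
    X11Forwarding yes'

echo "== weak config =="; printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
echo "== hardened config =="; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```

Run it as `audit_sshd_config < /etc/ssh/sshd_config` (ssh_config is the client file and is not what sshd reads). After editing, `sshd -t` checks the file for syntax errors, and the daemon must be restarted before any change takes effect; keep an existing session open while testing the new settings from a second session, so a mistake such as turning off passwords before a key is installed does not lock you out.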

11-06-2006, 11:14 PM, #7
Senior Member, Registered: Jul 2003, Location: Silicon Valley, USA, Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5, Posts: 3,660
Quote:
Originally Posted by seanferd
I also got a little paranoid and changed the router from DMZ to only forwarding port 80 because it's hosting my web site.
That's a very wise step to take. Never give any more access than the absolute minimum that is necessary. If the only thing you want to host for outsiders to look at is a web site, then all you need is port 80/tcp open and nothing else. They can still try Apache/Apache model/PHP exploits, but it really narrows down the possibilities. They won't be able to guess a weak SSH password, for instance. Now it's time to make sure your Apache installation (and all the loaded modules) have all the latest security patches!

11-08-2006, 05:28 PM, #8
LQ Newbie, Registered: Jan 2006, Posts: 9
Right
Quote:
Originally Posted by seanferd
mcrbids, for steps 1-3, can't they just ssh mymachine@111.11.11.1:80 or :funkyport#? And I do like to ssh into the machine while I'm traveling so I don't always know the IP I will have. I also don't understand the disabling of password logins, how would I get in then? SSH keys, I guess?
Thanks to all for your help!
--Sean
Moving the port is a form of "security by obscurity" but it also stops automated attacks that target port 22. In my case, I've not seen or caught a single example of a problem after the port number was changed.
So, I consider this to be just one of a number of layers in self defense, which include:
1) All non-essential accounts CLOSED.
2) Any essential accounts set up to have no shell if it can be made to work.
3) Those that require a shell inside a chroot jail if possible.
4) Those that require a shell account on the primary F/S can only login with a certificate + password. (both required)
5) Only allow access to the ssh port from approved IP addresses with firewall rules.
6) SSHD on a non-standard port address.
Yes, I am probably paranoid.
=)
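Step 5 in post #2 and layers 1 and 2 in the list above come down to the same audit: which accounts in /etc/passwd still have a shell that can be used for an interactive login. The script below is an added example, not code from the thread; it reads a passwd file, lists the accounts whose shell is not a no-login shell, skips the accounts you name as still needed, and prints the usermod commands that would close the rest for review. The passwd content is constructed; "sean", "guest" and "oldtest" are illustrative and the uucp entry is there because that is the name being tried in the first post's log.

```shell
#!/bin/sh
# Added example, not from the thread: list the accounts in an /etc/passwd
# that still have an interactive shell (post #2 step 5, post #8 layers 1-2)
# and emit the commands that would switch them to /bin/false. The passwd
# content below is constructed; the user names are illustrative only.

# Shells that cannot start an interactive session.
NOLOGIN_SHELLS='/bin/false /sbin/nologin /usr/sbin/nologin /bin/sync'

# accounts_with_shell [KEEP_USERS] < passwd
# Prints "USER:UID:SHELL" for each account whose shell is not in
# NOLOGIN_SHELLS and that is not named in KEEP_USERS (space-separated).
accounts_with_shell() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" -v keep="${1:-}" '
        BEGIN {
            n = split(nologin, s, " "); for (i = 1; i <= n; i++) noshell[s[i]] = 1
            n = split(keep, k, " ");    for (i = 1; i <= n; i++) keep_shell[k[i]] = 1
        }
        NF < 7 || $1 ~ /^#/ { next }
        # An empty shell field means /bin/sh, per passwd(5).
        { sh = ($7 == "") ? "/bin/sh" : $7 }
        !(sh in noshell) && !($1 in keep_shell) { print $1 ":" $3 ":" sh }
    '
}

# lock_shell_commands [KEEP_USERS] < passwd
# Emits the usermod commands that would give each reported account /bin/false,
# for review before running them as root.
lock_shell_commands() {
    accounts_with_shell "$1" | awk -F: '{ print "usermod -s /bin/false " $1 }'
}

# Constructed passwd, resembling a small Debian install of the period.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
sean:x:1000:1000:Sean,,,:/home/sean:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
oldtest:x:1002:1002::/home/oldtest:'

# Stand-alone run: keep root (console) and the owner account, report the rest.
echo "== accounts that still have a shell =="
printf '%s\n' "$SAMPLE_PASSWD" | accounts_with_shell "root sean"
echo "== commands to review =="
printf '%s\n' "$SAMPLE_PASSWD" | lock_shell_commands "root sean"
```

Two caveats before running the emitted commands on a real machine: Debian system accounts such as daemon and www-data carry /bin/sh, and some package scripts run commands as those users, so review each line rather than locking the whole list blindly; and a /bin/false shell only ends the interactive session, it does not by itself remove the account's ability to authenticate, so for accounts that should have no access at all, close them outright (locked password, no authorized keys), which is why the list above puts "CLOSED" ahead of "no shell".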

11-09-2006, 08:42 AM, #9
LQ Newbie (Original Poster), Registered: Feb 2006, Distribution: Debian Wheezy, Posts: 13
Uh oh... I got some new ssh activity. Only three failed attempts before a ban this time, but they still got through. I checked my ssh_config file and the port line was commented. Does that mean it was open on any port? Either way, I changed it to a higher port number and I tried to test it locally to no avail. Well.... as I'm writing this I discover sshd_config, which does have an uncommented port line. /*I changed it to the same port number as the ssh_config file and tried to ssh locally, with the same results. Could this be because my local IP is in hosts.allow?*/ .. forgot to restart ssh.
What is a chroot jail and how do you set one up?
EDIT: How do you enable password AND certificate??
Thanks again for all your replies!
--Sean
Last edited by seanferd; 11-09-2006 at 11:07 AM.