Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
04-13-2007, 12:13 PM
|
#1
|
Member
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69
Rep:
|
DenyHosts - false /etc/hosts.deny entries
Hi,
I'm configuring DenyHosts to protect myself from brute force ssh attacks after noticing my machine sat on the web had some attempts from an IP in china.
I've installed and configured and its running fine after some initial .lock file problems.
The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!
If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.
Any ideas? I'm totally stumped why it is doing this, and more important perhaps, why /etc/hosts.deny isn't denying access from my desktop machine.
The entry looks like;
sshd : x.x.x.x
The only thing may be causing a problem is that my ssh port is off 22.
Thanks
|
|
|
04-13-2007, 01:09 PM
|
#2
|
Senior Member
Registered: Mar 2002
Location: Los Angeles, CA
Distribution: Debian, Ubuntu
Posts: 1,334
Rep:
|
Quote:
Originally Posted by Firebar
Hi,
I'm configuring DenyHosts to protect myself from brute force ssh attacks after noticing my machine sat on the web had some attempts from an IP in china.
I've installed and configured and its running fine after some initial .lock file problems.
The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!
If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.
Any ideas? I'm totally stumped why it is doing this, and more important perhaps, why /etc/hosts.deny isn't denying access from my desktop machine.
The entry looks like;
sshd : x.x.x.x
The only thing may be causing a problem is that my ssh port is off 22.
Thanks
|
Is there a reason why you have some deamon running to handle this rather than just manually editing your hosts.allow & hosts.deny?
I deny everything then allow certain entries through hosts.allow. Works great. No "denyhosts" program needed. I can see all the thwarted login attempts /var/log/auth.log so I know it's working.
fyi, my hosts.deny looks like so:
ALL: PARANOID
... and hosts.allow has a bunch of:
sshd: x.x.x.x
entries for explicitly allowed ips.
|
|
|
04-13-2007, 01:49 PM
|
#3
|
Member
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69
Original Poster
Rep:
|
Adding entries for each user would be very hard in my case. They log on remotely from home, from other sites etc etc.
I think I might have nailed the problem though, and blindingly obvious it was. I had a previous failed attempt from my desktop IP when I was messing around earlier. Of course thats in /var/log/messages and when the daemon parses the log file (I presume it does the entire file when first started up), it finds that IP and adds it to hosts.deny.
|
|
|
04-13-2007, 02:22 PM
|
#4
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
I would recommend adding the users who are allowed to use ssh to a group that you create for that purpose. For example, let's say you call the group "sshusers".
Then add the line:
AllowGroups sshusers
to your sshd_config file. This will deny all other groups including system groups which are subject to brute force attacks. I think in your case this would be easier to manage than adding each user to "AllowUsers".
Moving the port that ssh listens to will help reduce the number of brute force attacks as well. A determined hacker will still be able to scan for the ssh port being used, but most will move on to another computer.
Since the attack is coming from a single IP address, consider blocking it in the firewall. You may even be able to block it in your NAT router to protect all of your hosts. Also consider blocking the group of IPs that are assigned to China, since that country is so active in hacking. Many companies who don't do business with China will do that to protect their mail servers.
If you use PAM for ssh, then read through the "man 5 access.conf" for the syntax of /etc/security/access.conf.
There is also a "man 5 hosts_access" manpage.
It may be better to instead not use PAM and instead rely on keys as the only form of authentication. Using search on this site for "ssh" should provide plenty of posts with examples. Also check this sites wiki. If you have a user with a common user name like "God" or "bob" and a weak password, then you could still be vulnerable. You probably want to have your system reject weak passwords to protect other services as well.
See man pam_pwcheck for a possible solution. Your distro may have a convenient gui config to enforce this as well.
Last edited by jschiwal; 04-13-2007 at 02:36 PM.
|
|
|
04-13-2007, 04:13 PM
|
#5
|
Member
Registered: Feb 2005
Location: Southampton (UK)
Distribution: Debian, RHEL and SuSE
Posts: 69
Original Poster
Rep:
|
Thanks for your ideas
The group make particular sense tbh.
|
|
|
07-07-2007, 02:47 PM
|
#6
|
LQ Newbie
Registered: Jul 2006
Posts: 2
Rep:
|
Another option:
1. edit denyhosts.conf and find PURGE_DENY, change to 1m (1 minute)
2. stop denyhosts
3. start denyhosts with --purge option
after your IP clear from hosts.deny, put back PURGE_DENY time to your taste then restart denyhosts.
Last edited by gr3g; 07-07-2007 at 02:51 PM.
|
|
|
07-08-2007, 11:18 AM
|
#7
|
Member
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37
Rep:
|
Quote:
Originally Posted by Firebar
Hi,
The wierd thing is it puts the IP address of my main desktop machine (which I use to connect via public key) straight into the /etc/hosts.deny file. Even wierder is that I can still connect despite this!
If I manually remove the false entry from /etc/hosts.deny, denyhosts will shove it back in there within 10 seconds.
|
I'll bet you have an entry in hosts.allow that is overriding the entry in hosts.deny.
DenyHosts works by scanning syslog files looking for sshd login failure messages. Just removing the entry from hosts.deny won't work. You have to edit the configured syslog file (check denyhosts.cfg), remove all your own login failures and bounce the denyhosts daemon to get it to not re-add the IP address you want to re-allow.
|
|
|
07-08-2007, 11:26 AM
|
#8
|
Senior Member
Registered: Sep 2003
Posts: 3,171
Rep:
|
I have found this script to be very helpful:
http://www.aczoom.com/cms/blockhosts
It halts the brute force attempts on ssh by blocking them (in hosts.allow and optionally in the iptables firewall) after a user configurable number of tries (I allow 5 tries). This does two things; first, it stops anyone who is really determined and might get lucky from actually making a connection, and second it cuts way down on the size of the auth.log file.
|
|
|
07-08-2007, 01:13 PM
|
#9
|
Member
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37
Rep:
|
Quote:
Originally Posted by jiml8
I have found this script to be very helpful:
http://www.aczoom.com/cms/blockhosts
It halts the brute force attempts on ssh by blocking them (in hosts.allow and optionally in the iptables firewall) after a user configurable number of tries (I allow 5 tries). This does two things; first, it stops anyone who is really determined and might get lucky from actually making a connection, and second it cuts way down on the size of the auth.log file.
|
Ummm, that's exactly what denyhosts does too.
|
|
|
07-08-2007, 02:09 PM
|
#10
|
Senior Member
Registered: Sep 2003
Posts: 3,171
Rep:
|
Quote:
Originally Posted by whistl
Ummm, that's exactly what denyhosts does too.
|
Yes, I figured that out when I googled denyhosts after posting. However the way they do it is a bit different.
Blockhosts expects to get run from tcpwrappers, as a spawn from hosts.allow, while denyhosts is a daemon. Having not studied denyhosts in any detail, I won't offer an opinion on the advantages or disadvantages of each method, but blockhosts only runs when needed, and doesn't routinely clean up old blocked entries until it runs. Also, denyhosts has its mechanism for reporting blocked hosts to a central database which is shared. This may or may not be an advantage, but it is certainly something that blockhosts does not do.
|
|
|
07-10-2007, 04:38 PM
|
#11
|
LQ Newbie
Registered: Apr 2005
Location: San Francisco, California
Posts: 12
Rep:
|
Edit /usr/share/denyhosts/data/allowed-hosts and put a list of IPs there that are NEVER to be denied access, no matter how many times they fail their login.
|
|
|
All times are GMT -5. The time now is 03:01 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|