LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-01-2015, 10:27 PM   #1
nickajeglin
LQ Newbie
 
Registered: Apr 2015
Posts: 6

Rep: Reputation: Disabled
iptables question


Hello everyone,

I recently set up a debian wheezy home media server sort of deal. I configured SSH as I usually do: Only a single (non-root) user allowed, key-pair auth only, with separate key pairs for each device that I use the ssh client on.

Generally I also have sshd listen on a different port than 22 as well, but I decided to see what would happen if I left it default this time.

Within a few days, $sudo grep Invalid /var/log/auth.log | less shows this:
Code:
Apr  1 13:42:57 server sshd[7979]: Invalid user oracle from 31.199.3.187
Apr  1 13:42:58 server sshd[7981]: Invalid user oracle from 31.199.3.187
Apr  1 13:43:00 server sshd[7983]: Invalid user pi from 31.199.3.187
Apr  1 13:43:02 server sshd[7985]: Invalid user vnc from 31.199.3.187
Apr  1 13:43:03 server sshd[7987]: Invalid user ftpguest from 31.199.3.187
Apr  1 13:43:05 server sshd[7989]: Invalid user catadmin from 31.199.3.187
Apr  1 13:43:06 server sshd[7991]: Invalid user tomcat from 31.199.3.187
Apr  1 13:43:07 server sshd[7993]: Invalid user oracle11 from 31.199.3.187
Apr  1 13:43:10 server sshd[7997]: Invalid user manager from 31.199.3.187
Apr  1 13:43:12 server sshd[7999]: Invalid user nms from 31.199.3.187
Apr  1 13:43:13 server sshd[8001]: Invalid user webapp from 31.199.3.187
Apr  1 13:43:16 server sshd[8005]: Invalid user redmine from 31.199.3.187
Apr  1 13:43:18 server sshd[8007]: Invalid user pos from 31.199.3.187
Apr  1 13:43:19 server sshd[8009]: Invalid user dev from 31.199.3.187
Apr  1 13:43:21 server sshd[8011]: Invalid user webbox from 31.199.3.187
Apr  1 16:35:49 server sshd[8232]: Invalid user ubnt from 82.200.168.66
Apr  1 16:35:53 server sshd[8236]: Invalid user admin from 82.200.168.66
Apr  1 17:11:10 server sshd[8292]: Invalid user postgres from 80.242.123.194
Apr  1 18:49:04 server sshd[8454]: Invalid user support from 62.4.9.192
Apr  1 19:48:29 server sshd[8726]: Invalid user admin from 183.91.16.80
Which I see from the sticky is to be expected

I decided to learn how to use iptables rules instead of just installing fail2ban, so I used the ruleset from here: http://olivier.sessink.nl/publicatio...ing/index.html

My question is: how will I know if it is working? I understand that the ruleset should add ip's to a the blacklist chain and then drop packets from them, but where exactly is that blacklist stored? Will $iptables -L show new rules for each blacklisted IP? Or are they added to a different table of some kind? In either case, is the blacklist table persistent, or would rebooting the system set the blacklist back to empty? (assuming that I kept the iptables rules in place)

I also see that one of the rules should do some logging. Does this go to /var/log/syslog, or to /var/log/auth.log? Because then I should be able to grep for the prefix to see if anyone has been blacklisted.


p.s. Interestingly the login attempts stopped completely when I started working on this, even though I didn't have any rules in place for most of the time. I don't see any attempts for the last couple hours, and the frequency dropped off to about 1/hour, and from a different IP each time.
 
Old 04-02-2015, 12:44 AM   #2
hunter86_bg
LQ Newbie
 
Registered: Jan 2012
Posts: 6

Rep: Reputation: Disabled
It seems to be a kind of brute force attack.
You can block ssh access by 2 ways.Either Iptable's INPUT chain or by using tcp wrappers.
To use tcp wrappers edit /etc/hosts.allow :
vim /etc/hosts.allow
sshd : "ip or domain u will log from"
Note: for ip range use dot like this "192.168.1." and domain ".example.com" or "*.example.com"
edit /etc/hosts.deny
vim /etc/hosts.deny
"ALL : ALL"
Note: The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail.
Linux first reads hosts.allow - if it doesnt find our ip , it checks hosts.deny.In the example above ALL : ALL means all services /supporting tcp wrappers/ to block all source - so if ip is not in hosts.allow - it will get blocked.
Editing these files doesn't require any service to be reloaded or restarted.Don't forget to use "at" command to restore hosts.allow and deny files if you log in remotely. /It won't be nice to get yourself locked out/.

Last edited by hunter86_bg; 04-02-2015 at 12:46 AM. Reason: spelling correction
 
Old 04-02-2015, 04:23 AM   #3
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
As the iptables use the recent modules which in turn writes some files under the /proc directory. Guess the man page has some info else check out the /proc/net directory somewhere there it should be

find /proc -name "recent"

iptables -L will not show any sings of it. And yes you will loose the info on reboot. But you can save the entries and readd them. This way you can also add hosts on your own. Check the man page again for know how to do it.

Where iptables logs goes depends on the setings of your syslog daemon. Guess /var/log/syslog or /var/log/kernel are good places. But depends on distro and such.
 
Old 04-02-2015, 04:38 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
Probably, you should read this (including the little note at the bottom).

Quote:
Which I see from the sticky is to be expected
That's probably the important point; expect bad stuff, because bad stuff happens, and more or less determined attempts occur on ssh all the time.
 
Old 04-02-2015, 12:20 PM   #5
nickajeglin
LQ Newbie
 
Registered: Apr 2015
Posts: 6

Original Poster
Rep: Reputation: Disabled
I know that using hosts.deny and blocking all, then explicitly allowing the IP I'm logging in from is the safest way. The issue is that I'm often using a mobile device to log in, so my IP will change depending on where I am at.

I will eventually move to a port other than 22 to cut down on these attacks, but I wanted to find a good solution to automatically ban brute force attackers before I did that. It's also interesting to me to watch how the attacks progress: First they brute force to find an allowable user name, then after that they start trying to brute force a password, which I see in the logs as "received disconnect from ##.##.##.##", since I only allow pubkey auth. My understanding is that sshd drops their connection as soon as they attempt password auth, so I see the disconnect message in the logs. This doesn't look very sophisticated, but I assume that a dragnet brute force compromises enough systems that they don't need to expend the effort to make a sophisticated attack.

Anyways, it sounds like fail2ban effectively does what was attempting to do manually with iptables, so I will probably start using that.

Is it correct that requiring pubkey auth is an effective defense? My thinking is that these brute force attacks are basically an annoyance as long as I keep my keys safe.

I think my next steps are to lock up every port, and then only open the ones I use (ssh, http for web browsing, etc), Although, the only port I'm forwarding through the router is 22 for ssh. I also need to double check to make sure I'm not running any outward facing services I'm unaware of (I may have an http server from the original install etc). Are there any other basic steps I can take after that to improve my security?
 
Old 04-02-2015, 12:49 PM   #6
nickajeglin
LQ Newbie
 
Registered: Apr 2015
Posts: 6

Original Poster
Rep: Reputation: Disabled
I found these resources:

https://www.debian.org/doc/manuals/s....html#contents
http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/

Plenty of material here to get me started! I could still use input on exactly how effective I can expect pubkey auth to be though. Can I assume that my ssh service is basically locked down as long as pubkey is the only allowed auth method and I keep my keys safe? If so, I'll move on to securing other things, but if not, I still have work to do on sshd.
 
Old 04-02-2015, 05:04 PM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
There are many ways to skin this particular cat; see this, for example.

If you can do ssh key distribution securely, then pubkey ought to be safe, today. My feeling is that at some time, someone will find a way to make pubkey less safe, so it is probably best if pubkey is only one layer in your security picture, but maybe I'm being conservative, here.

Quote:
I will eventually move to a port other than 22 to cut down on these attacks...
That's probably reasonable; changing the port number probably cuts down on the dumbest of the dumb 'script kiddie' type attacks, but may not do much about the more competent attackers. But, it does enable you to see the serious attacks more clearly.

Here is another resource on iptables, if you are in that kind of mood.
 
Old 04-07-2015, 04:29 AM   #8
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
To see which process are up and running on your machine use netstat -tulpn this lists all listening sockets.
And definitely have a default DROP at your firewall chains. Then only allow those ports that you want to.

You can do some fancy stuff with the recent module of iptables. I have a three tier blocking attempt.
First only ban for like 5 seconds. If the ip returns move it into a 1 minute ban recent list. If it still keeps coming back put it in half an hour ban recent list. While the other lists gets cleared once in a while through cron the ban list does not. So ever returning bad guys have to face the beholder each and everytime they pass by.
Using -m state --state NEW -m limit 3/s -j BLOCK to put offending ips into the BLOCK chain where it gets banned for like 5 seconds.
Just make sure that you have your sshd config so it only allows one login attempt per new connection (MaxAuthTries). Else a attacker might have 18 (6 default value * 3) guesses. If MaxAuthTries is set to 1 I had some trouble getting through to the key login. But dont remember correctly. Just follow sshd logs. Start it directly with sshd -ddd (might need to use absolute path on sshd binary).

Regarding to your non static ip. Create some port knocking with the recent module. (Though it does not help with tcpwrappers)
Quote:
iptables -A INPUT -p tcp --dport 5000 -m recent --name KNOCK --set
iptables -A INPUT -p tcp --dport 5010 -m recent --name KNOCK --second 1 rcheck -j ALLOWSSH
iptables -N ALLOWSSH
iptables -A ALLOWSSH -m recent --name KNOCK --remove
iptables -A ALLOWSSH -p tcp --dport SSH -m state --state NEW -j ACCEPT
I like that better than any knocking daemon. Just use ssh -p 5000 -o ConnectionTimeout 1; ssh -p 5010 -o ConnectionTimeout 1; ssh -p SSH. Or telnet or some other thing. Might want to put in some -j REJECT rules here and there.

Coming to think of fail2ban have in mind that it searches your log files and bans ips due to that. Its no fast accting tool.
 
Old 04-07-2015, 09:35 AM   #9
nickajeglin
LQ Newbie
 
Registered: Apr 2015
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Coming to think of fail2ban have in mind that it searches your log files and bans ips due to that. Its no fast accting tool.
I think that's the primary criticism of fail2ban. It's not really "realtime". It's certainly better than nothing, and is as close to zero configuration as you can get.

Thanks for the tip on port knocking. I've heard the term a few times, but didn't really understand the application. That's extremely cool, and I'll set it up tonight.

Do you have any thoughts on my router? It's the router that actually is exposed to the internet, and my thoughts is that if I only have port 22 forwarded, then it's effectively limiting inbound connections to that port. Is this correct? Would it be a good idea to build a dedicated firewall between the router and the internet?
 
Old 04-08-2015, 04:19 AM   #10
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by nickajeglin View Post
Do you have any thoughts on my router? It's the router that actually is exposed to the internet, and my thoughts is that if I only have port 22 forwarded, then it's effectively limiting inbound connections to that port. Is this correct? Would it be a good idea to build a dedicated firewall between the router and the internet?
With a dedicated firewall between router an the inet you definitely have more control and might do some fancy stuff but i doubt that its needed. Make sure your route does not provide any "services" himself to the outward world. Like "external serviceing" or the like. Depending on what router you have you could even use it as a firewall itself.
With some sane settings you not need to worry.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] iptables question. bluewire Linux - Security 15 11-09-2011 12:21 PM
iptables question sang_froid Linux - Security 5 10-09-2009 03:17 AM
iptables question enrique_arong Linux - Networking 4 09-28-2004 01:51 PM
Iptables Question? unixfreak Linux - Security 1 09-01-2004 08:23 PM
IPTABLES question berserker_b2k Linux - Networking 0 02-04-2004 04:08 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration