Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I recently set up a debian wheezy home media server sort of deal. I configured SSH as I usually do: Only a single (non-root) user allowed, key-pair auth only, with separate key pairs for each device that I use the ssh client on.
Generally I also have sshd listen on a different port than 22 as well, but I decided to see what would happen if I left it default this time.
Within a few days, $sudo grep Invalid /var/log/auth.log | less shows this:
Code:
Apr 1 13:42:57 server sshd[7979]: Invalid user oracle from 31.199.3.187
Apr 1 13:42:58 server sshd[7981]: Invalid user oracle from 31.199.3.187
Apr 1 13:43:00 server sshd[7983]: Invalid user pi from 31.199.3.187
Apr 1 13:43:02 server sshd[7985]: Invalid user vnc from 31.199.3.187
Apr 1 13:43:03 server sshd[7987]: Invalid user ftpguest from 31.199.3.187
Apr 1 13:43:05 server sshd[7989]: Invalid user catadmin from 31.199.3.187
Apr 1 13:43:06 server sshd[7991]: Invalid user tomcat from 31.199.3.187
Apr 1 13:43:07 server sshd[7993]: Invalid user oracle11 from 31.199.3.187
Apr 1 13:43:10 server sshd[7997]: Invalid user manager from 31.199.3.187
Apr 1 13:43:12 server sshd[7999]: Invalid user nms from 31.199.3.187
Apr 1 13:43:13 server sshd[8001]: Invalid user webapp from 31.199.3.187
Apr 1 13:43:16 server sshd[8005]: Invalid user redmine from 31.199.3.187
Apr 1 13:43:18 server sshd[8007]: Invalid user pos from 31.199.3.187
Apr 1 13:43:19 server sshd[8009]: Invalid user dev from 31.199.3.187
Apr 1 13:43:21 server sshd[8011]: Invalid user webbox from 31.199.3.187
Apr 1 16:35:49 server sshd[8232]: Invalid user ubnt from 82.200.168.66
Apr 1 16:35:53 server sshd[8236]: Invalid user admin from 82.200.168.66
Apr 1 17:11:10 server sshd[8292]: Invalid user postgres from 80.242.123.194
Apr 1 18:49:04 server sshd[8454]: Invalid user support from 62.4.9.192
Apr 1 19:48:29 server sshd[8726]: Invalid user admin from 183.91.16.80
My question is: how will I know if it is working? I understand that the ruleset should add ip's to a the blacklist chain and then drop packets from them, but where exactly is that blacklist stored? Will $iptables -L show new rules for each blacklisted IP? Or are they added to a different table of some kind? In either case, is the blacklist table persistent, or would rebooting the system set the blacklist back to empty? (assuming that I kept the iptables rules in place)
I also see that one of the rules should do some logging. Does this go to /var/log/syslog, or to /var/log/auth.log? Because then I should be able to grep for the prefix to see if anyone has been blacklisted.
p.s. Interestingly the login attempts stopped completely when I started working on this, even though I didn't have any rules in place for most of the time. I don't see any attempts for the last couple hours, and the frequency dropped off to about 1/hour, and from a different IP each time.
It seems to be a kind of brute force attack.
You can block ssh access by 2 ways.Either Iptable's INPUT chain or by using tcp wrappers.
To use tcp wrappers edit /etc/hosts.allow :
vim /etc/hosts.allow
sshd : "ip or domain u will log from"
Note: for ip range use dot like this "192.168.1." and domain ".example.com" or "*.example.com"
edit /etc/hosts.deny
vim /etc/hosts.deny
"ALL : ALL"
Note: The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail.
Linux first reads hosts.allow - if it doesnt find our ip , it checks hosts.deny.In the example above ALL : ALL means all services /supporting tcp wrappers/ to block all source - so if ip is not in hosts.allow - it will get blocked.
Editing these files doesn't require any service to be reloaded or restarted.Don't forget to use "at" command to restore hosts.allow and deny files if you log in remotely. /It won't be nice to get yourself locked out/.
Last edited by hunter86_bg; 04-02-2015 at 12:46 AM.
Reason: spelling correction
As the iptables use the recent modules which in turn writes some files under the /proc directory. Guess the man page has some info else check out the /proc/net directory somewhere there it should be
find /proc -name "recent"
iptables -L will not show any sings of it. And yes you will loose the info on reboot. But you can save the entries and readd them. This way you can also add hosts on your own. Check the man page again for know how to do it.
Where iptables logs goes depends on the setings of your syslog daemon. Guess /var/log/syslog or /var/log/kernel are good places. But depends on distro and such.
I know that using hosts.deny and blocking all, then explicitly allowing the IP I'm logging in from is the safest way. The issue is that I'm often using a mobile device to log in, so my IP will change depending on where I am at.
I will eventually move to a port other than 22 to cut down on these attacks, but I wanted to find a good solution to automatically ban brute force attackers before I did that. It's also interesting to me to watch how the attacks progress: First they brute force to find an allowable user name, then after that they start trying to brute force a password, which I see in the logs as "received disconnect from ##.##.##.##", since I only allow pubkey auth. My understanding is that sshd drops their connection as soon as they attempt password auth, so I see the disconnect message in the logs. This doesn't look very sophisticated, but I assume that a dragnet brute force compromises enough systems that they don't need to expend the effort to make a sophisticated attack.
Anyways, it sounds like fail2ban effectively does what was attempting to do manually with iptables, so I will probably start using that.
Is it correct that requiring pubkey auth is an effective defense? My thinking is that these brute force attacks are basically an annoyance as long as I keep my keys safe.
I think my next steps are to lock up every port, and then only open the ones I use (ssh, http for web browsing, etc), Although, the only port I'm forwarding through the router is 22 for ssh. I also need to double check to make sure I'm not running any outward facing services I'm unaware of (I may have an http server from the original install etc). Are there any other basic steps I can take after that to improve my security?
Plenty of material here to get me started! I could still use input on exactly how effective I can expect pubkey auth to be though. Can I assume that my ssh service is basically locked down as long as pubkey is the only allowed auth method and I keep my keys safe? If so, I'll move on to securing other things, but if not, I still have work to do on sshd.
There are many ways to skin this particular cat; see this, for example.
If you can do ssh key distribution securely, then pubkey ought to be safe, today. My feeling is that at some time, someone will find a way to make pubkey less safe, so it is probably best if pubkey is only one layer in your security picture, but maybe I'm being conservative, here.
Quote:
I will eventually move to a port other than 22 to cut down on these attacks...
That's probably reasonable; changing the port number probably cuts down on the dumbest of the dumb 'script kiddie' type attacks, but may not do much about the more competent attackers. But, it does enable you to see the serious attacks more clearly.
Here is another resource on iptables, if you are in that kind of mood.
To see which process are up and running on your machine use netstat -tulpn this lists all listening sockets.
And definitely have a default DROP at your firewall chains. Then only allow those ports that you want to.
You can do some fancy stuff with the recent module of iptables. I have a three tier blocking attempt.
First only ban for like 5 seconds. If the ip returns move it into a 1 minute ban recent list. If it still keeps coming back put it in half an hour ban recent list. While the other lists gets cleared once in a while through cron the ban list does not. So ever returning bad guys have to face the beholder each and everytime they pass by.
Using -m state --state NEW -m limit 3/s -j BLOCK to put offending ips into the BLOCK chain where it gets banned for like 5 seconds.
Just make sure that you have your sshd config so it only allows one login attempt per new connection (MaxAuthTries). Else a attacker might have 18 (6 default value * 3) guesses. If MaxAuthTries is set to 1 I had some trouble getting through to the key login. But dont remember correctly. Just follow sshd logs. Start it directly with sshd -ddd (might need to use absolute path on sshd binary).
Regarding to your non static ip. Create some port knocking with the recent module. (Though it does not help with tcpwrappers)
Quote:
iptables -A INPUT -p tcp --dport 5000 -m recent --name KNOCK --set
iptables -A INPUT -p tcp --dport 5010 -m recent --name KNOCK --second 1 rcheck -j ALLOWSSH
iptables -N ALLOWSSH
iptables -A ALLOWSSH -m recent --name KNOCK --remove
iptables -A ALLOWSSH -p tcp --dport SSH -m state --state NEW -j ACCEPT
I like that better than any knocking daemon. Just use ssh -p 5000 -o ConnectionTimeout 1; ssh -p 5010 -o ConnectionTimeout 1; ssh -p SSH. Or telnet or some other thing. Might want to put in some -j REJECT rules here and there.
Coming to think of fail2ban have in mind that it searches your log files and bans ips due to that. Its no fast accting tool.
Coming to think of fail2ban have in mind that it searches your log files and bans ips due to that. Its no fast accting tool.
I think that's the primary criticism of fail2ban. It's not really "realtime". It's certainly better than nothing, and is as close to zero configuration as you can get.
Thanks for the tip on port knocking. I've heard the term a few times, but didn't really understand the application. That's extremely cool, and I'll set it up tonight.
Do you have any thoughts on my router? It's the router that actually is exposed to the internet, and my thoughts is that if I only have port 22 forwarded, then it's effectively limiting inbound connections to that port. Is this correct? Would it be a good idea to build a dedicated firewall between the router and the internet?
Do you have any thoughts on my router? It's the router that actually is exposed to the internet, and my thoughts is that if I only have port 22 forwarded, then it's effectively limiting inbound connections to that port. Is this correct? Would it be a good idea to build a dedicated firewall between the router and the internet?
With a dedicated firewall between router an the inet you definitely have more control and might do some fancy stuff but i doubt that its needed. Make sure your route does not provide any "services" himself to the outward world. Like "external serviceing" or the like. Depending on what router you have you could even use it as a firewall itself.
With some sane settings you not need to worry.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.