LinuxQuestions.org forum: Linux - Security (all security related questions: tips, system compromises, firewalls, etc.)

08-14-2007, 06:01 AM | #1 | LQ Newbie | Registered: Apr 2006 | Posts: 10
Punishing users for SSH attack
Hello,
I would like to ask you for a suggestion. I have a server which regularly gets attacked via ssh. Of course, I block the user after several unsuccessful logins via fail2ban, but I would like to go further.
Usually, I can't track the IP. Traceroute ends somewhere in China or stops after hitting 30 or 40 hops leading nowhere. However, from time to time I can easily track the user; the last example was a static IP from Italy (probably a script kiddie, because he/she tried it two times in two weeks, not typical for a botnet). I contacted the ISP (one of the biggest in Italy); they said they were going to investigate the situation and didn't reply any more.
I believe users are responsible for their computers, especially as they have to deploy a certain minimal level of security. It is similar to having a locked-and-loaded assault rifle lying in front of your door all the time without any security: you will be investigated by the police if somebody commits a murder with that gun.
So, I would like to ban these users, not just from my server, but on a global scale. If the ISP doesn't react, let's ban the whole subnet. Why not? There are far too many computers to lose too many visitors or clients.
Is there any such 'global' blacklist for ssh, possibly including all those ********* in botnets sending spam?

08-14-2007, 07:31 AM | #2 | Senior Member | Registered: Feb 2002 | Distribution: t2 - trying to anyway | Posts: 2,541
The ISP won't do anything. After all, they are not responsible for that. It would be a different business if it was spam or a phishing website. I reported one of those the other day and it was down within 1 hour.
Stuff like that is going on all the time - no reason to get excited.

08-14-2007, 08:10 AM | #3 | Senior Member | Registered: Nov 2003 | Location: Perth, Western Australia | Distribution: Ubuntu, Debian, Various using VMWare | Posts: 2,088
I don't think it is the responsibility of the ISP to manage what users do and do not do. Blocking a whole subnet is a problem, because what about innocent users?
I would suggest using public / private key authentication to improve security. Alternatively, use your firewall to limit SSH access to only those IP addresses that require it.
--Ian

08-14-2007, 01:18 PM | #4 | LQ Newbie (Original Poster) | Registered: Apr 2006 | Posts: 10
Security is not a problem; attackers are banned after three wrong passwords / usernames.
However, I think there is no way to make users secure their computers in the first place, so making their life harder by forcing their ISP to send them emails / letters is much better (and if ISPs don't do anything, let's ban the whole subnet; all of their customers won't have access to the server - why not?)

08-14-2007, 01:57 PM | #5 | Member | Registered: Apr 2006 | Location: Sweden | Distribution: CentOS, RHEL, SourceMage, OpenBSD | Posts: 40
Yeah, real clever. Then I can just borrow a computer (like at a library), ssh three times and BAM! The entire subnet can't access tons of sites (assuming someone would actually go through with this).
And honestly, you want to go after someone for sshing twice to your server? I, for one, think continuous attacks actually improve security in the long run.

08-16-2007, 12:37 PM | #6 | Member | Registered: Apr 2005 | Location: Fargo, ND | Distribution: Slackware, CentOS | Posts: 87
try hosts.allow...
block all sshd and any other service that you want protected from everywhere except from where you specify.

08-16-2007, 02:02 PM | #7 | LQ Newbie (Original Poster) | Registered: Apr 2006 | Posts: 10
Quote: Originally Posted by ArcLinux
try hosts.allow...
block all sshd and any other service that you want protected from everywhere except from where you specify.

Great. Now I can log in to my server from an internet café when I'm hundreds of kilometres away and something bad happens (always when you don't need it) :-D

08-16-2007, 04:05 PM | #8 | Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote: Originally Posted by crashmeister
The ISP won't do anything. After all, they are not responsible for that. It would be a different business if it was spam or a phishing website. I reported one of those the other day and it was down within 1 hour.
Stuff like that is going on all the time - no reason to get excited.

SOME ISPs won't. Some will. I've actually seen responses, but the situations were different, as the attackers weren't just scanning port 22...they were attempting broad scans or even attempting exploits.
The OP has a point. The IP block owners have some responsibility in ensuring people they sell services to adhere to the TOS that every company has. It's either that, or nothing ever gets cleaned from being infected or trojaned...or no one ever gets their hands smacked for doing something that isn't condoned on the network. But where the OP gets a bit lost is the fact that it's really not good to ban whole ranges of IPs. I believe someone in this thread mentioned attacking via a public library machine. Imagine if library netblocks were banned at a global level...people can't learn or conduct legitimate research, and all because of one user doing something bad and getting the whole library IP space banned. Not good.
Use SSH key authentication...that'll stop a majority of the scans right off the bat. Configure your firewall to only allow certain traffic from certain IPs. Use tcp-wrappers if you want, or fail2ban or something similar (bruteforceblocker or sshguard). There are other ways to harden your machines.
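The thresholded ban the original poster describes (fail2ban banning a source after three failed logins) together with the "always allow your own addresses" side of the tcp-wrappers and firewall advice in this reply, as an added Python example that is not code from the thread or from fail2ban: it counts sshd "Failed password" lines per source inside a sliding window and skips addresses in an administrator-supplied ignore list. The log lines, hostname, addresses and the assumed year 2007 are all constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the thread); syslog
# timestamps carry no year, so the parser is told to assume 2007.
SAMPLE_LOG = """\
Aug 14 05:58:01 srv sshd[4011]: Failed password for invalid user www from 198.51.100.7 port 40211 ssh2
Aug 14 05:58:03 srv sshd[4011]: Failed password for invalid user god from 198.51.100.7 port 40211 ssh2
Aug 14 05:58:05 srv sshd[4013]: Failed password for root from 198.51.100.7 port 40212 ssh2
Aug 14 05:58:20 srv sshd[4020]: Failed password for john from 203.0.113.9 port 50001 ssh2
Aug 14 05:59:00 srv sshd[4021]: Accepted publickey for admin from 192.0.2.44 port 51234 ssh2
Aug 14 05:59:10 srv sshd[4022]: Failed password for admin from 192.0.2.44 port 51235 ssh2
Aug 14 05:59:11 srv sshd[4022]: Failed password for admin from 192.0.2.44 port 51235 ssh2
Aug 14 05:59:12 srv sshd[4022]: Failed password for admin from 192.0.2.44 port 51235 ssh2
Aug 14 07:30:00 srv sshd[4100]: Failed password for root from 198.51.100.7 port 40300 ssh2
"""

# One sshd "Failed password" line: capture the syslog timestamp and the peer IP.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def find_ban_candidates(log, maxretry=3, findtime=timedelta(minutes=10),
                        ignore_nets=(), year=2007):
    """fail2ban-style counting: return {ip: time_of_ban} for every address
    that accumulates >= maxretry failures inside a sliding findtime window.
    Addresses inside ignore_nets (CIDR strings, i.e. your own networks) are
    never banned, and an address already banned is not counted again."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if str(ip) in bans or any(ip in net for net in nets):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[str(ip)] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_ban_candidates(SAMPLE_LOG, ignore_nets=("192.0.2.0/24",)).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

With the ignore list set, 192.0.2.44 (three failures after a successful key login) is left alone and only 198.51.100.7 is flagged; raising maxretry or shrinking findtime changes who trips the threshold, which is the tuning fail2ban exposes.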

08-17-2007, 12:36 AM | #9 | Member | Registered: Jul 2003 | Location: NY | Distribution: Slackware, Termux | Posts: 922
Quote:
I have a server which regularly gets attacked via ssh. Of course, I block the user after several unsuccessful logins via fail2ban, but I would like to go further.

Use Telnet. No one ever looks there anymore.
Move it off port #22 and don't allow passwords for network logins and no one can attempt passwords for network logins.
I used to tarpit scans to tcp/22, but since they calmed down a lot now tarpit is busy with that SAV worm thingy on 2967/tcp.
Years ago, before I did the above, I had this guy connect to sshd and sit there trying passwords. I think it was something like 12 minutes from start to finish, and he filled pages and pages of logs with dumb logins like 'www' and 'god' and 'John'. When I sent the logs to his ISP, they replied back and said they terminated his account...
@OP: if you really are set on allowing passworded ssh to everywhere on the default port, at least put a port-knock sequence in front of it.
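The port-knock sequence suggested above, as an added Python example that is not code from the post or from any knock daemon: a per-source state machine fed with firewall events (source address, destination port, time in seconds) that opens sshd to a source only after the exact sequence arrives in order within a short window. The ports, the window and the open duration are assumed values for the example.

```python
# Assumed values for this example: three TCP SYNs to these closed ports, in
# this order, from one source, all within KNOCK_WINDOW seconds, open the SSH
# port to that source for OPEN_FOR seconds.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0
OPEN_FOR = 30.0

class KnockTracker:
    """Per-source state machine for a port-knock sequence.

    observe(ip, port, ts) takes one firewall event (source address, destination
    port, timestamp in seconds) and returns True when that event completes the
    sequence. Any stray port, or a sequence that takes longer than the window,
    sends the source back to the start; this is what keeps a sequential port
    scan from wandering through the sequence by accident."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress = {}   # ip -> (index of next expected knock, time of first knock)
        self._opened = {}     # ip -> time the SSH port was opened for it

    def observe(self, ip, port, ts):
        idx, start = self._progress.get(ip, (0, ts))
        if idx == 0 or ts - start > self.window:
            idx, start = 0, ts              # no live sequence: this knock starts one
        if port == self.sequence[idx]:
            idx += 1                        # expected knock, advance
        elif port == self.sequence[0]:
            idx, start = 1, ts              # wrong knock, but it restarts the sequence
        else:
            idx, start = 0, ts              # stray port: back to the beginning
        if idx == len(self.sequence):
            self._progress.pop(ip, None)
            self._opened[ip] = ts
            return True
        self._progress[ip] = (idx, start)
        return False

    def ssh_allowed(self, ip, ts):
        """True while the source's window for connecting to sshd is still open."""
        opened = self._opened.get(ip)
        return opened is not None and 0 <= ts - opened <= self.open_for
```

In a real deployment the events would come from the firewall's log of dropped SYNs to the knock ports and a successful observe() would add a short-lived accept rule for that source; the tracker above only decides, it does not change rules.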

All times are GMT -5.