10-12-2006, 12:04 PM | #1 | LQ Newbie | Registered: Oct 2006 | Posts: 4
Question on Brute Force Attacks
Quick info. I have a managed VPS. Security was installed, and I set it up to send me brute-force attempt emails. Below is a short example:
Oct 11 03:09:03 host sshd[27797]: Invalid user test from 58.177.250.178
Oct 11 07:09:05 host sshd[27803]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 03:09:05 host sshd[27797]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 07:09:06 host sshd[27803]: Received disconnect from 58.177.250.178: 11: Bye Bye
Oct 11 03:09:07 host sshd[27847]: Invalid user test from 58.177.250.178
Oct 11 03:09:10 host sshd[27847]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Received disconnect from 58.177.250.178: 11: Bye Bye
Now I'm pretty new to the admin side of Linux, so I don't fully understand something and hope someone can explain. Unless I'm mistaken, sshd[27797], sshd[27803], and sshd[27849], for example, are three different SSH ports this person tried to connect to for SSH.
My Host and others say for Brute force the best thing to do is change the port from 22 to something else. I know how to do that and can...
What I don't understand is how that would help. Unless I'm reading something wrong in all the logs I don't see where they tried to connect to 22.
Feedback appreciated.
10-12-2006, 12:49 PM | #2 | Moderator | Registered: May 2001 | Posts: 29,415
Hello there and welcome to LQ. Hope you like it here.
Quote:
Have a managed VPS. Security was installed
What exactly was installed that enhances security?
Quote:
sshd[27797], sshd[27803], and sshd[27849] for example are three different SSH ports this person tried to connect to for SSH.
No, the [27797] is a notation for a process ID, or "PID" for short, of the child of sshd (the SSH daemon).
Quote:
My Host and others say for Brute force the best thing to do is change the port from 22 to something else. I know how to do that and can... What I don't understand is how that would help. Unless I'm reading something wrong in all the logs I don't see where they tried to connect to 22.
Just disregard people that tell you to change ports: it does not enhance security one bit (or maybe it does in some parallel universe where statistics overrule reality). Start by tightening your sshd_config (no root, passphrases instead of passwords, only Protocol 2, only allowed users). If SSH is only used for admin purposes you can put in firewall rules + tcp_wrappers so it's only accessible from your management IP addresses or ranges. With that in place read the sticky Failed SSH login attempts thread and pick one method to implement.
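The log lines from post #1 run through a small parser that separates the PID in sshd[NNNN] from the client's source port and tallies failures per source address, the same kind of count a brute-force detector keeps. This is an added example, not code from the thread; the sample log is the poster's own, with the wrapped lines rejoined.

```python
"""Parse the sshd log quoted in post #1.  Added example, not part of the
thread; the sample lines are the poster's own, with wrapped lines rejoined."""
import re
from collections import defaultdict

# "sshd[27797]" is the PID of the per-connection child process that sshd
# forked; "port 50471" is the client's ephemeral source port.  The port
# sshd listens on (22 unless changed) is never part of this message.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) "
                     r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<ip>[\d.]+) port (?P<port>\d+)")

SAMPLE_LOG = """\
Oct 11 03:09:03 host sshd[27797]: Invalid user test from 58.177.250.178
Oct 11 07:09:05 host sshd[27803]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 03:09:05 host sshd[27797]: Failed password for invalid user test from 58.177.250.178 port 50471 ssh2
Oct 11 07:09:06 host sshd[27803]: Received disconnect from 58.177.250.178: 11: Bye Bye
Oct 11 03:09:07 host sshd[27847]: Invalid user test from 58.177.250.178
Oct 11 03:09:10 host sshd[27847]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Failed password for invalid user test from 58.177.250.178 port 50544 ssh2
Oct 11 07:09:10 host sshd[27849]: Received disconnect from 58.177.250.178: 11: Bye Bye
"""

def failed_logins(text):
    """One dict per 'Failed password' line: pid, user, ip, client port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        f = FAIL_RE.match(m.group("msg")) if m else None
        if f:
            events.append({"pid": int(m.group("pid")), "user": f.group("user"),
                           "ip": f.group("ip"), "port": int(f.group("port"))})
    return events

def per_source(events):
    """Per client IP: failure count, distinct child PIDs, distinct source ports."""
    stats = defaultdict(lambda: {"failures": 0, "pids": set(), "ports": set()})
    for e in events:
        s = stats[e["ip"]]
        s["failures"] += 1
        s["pids"].add(e["pid"])
        s["ports"].add(e["port"])
    return dict(stats)

def brute_force_sources(events, threshold=3):
    """IPs at or above the failure threshold: the rule a tool like BFD applies."""
    return sorted(ip for ip, s in per_source(events).items()
                  if s["failures"] >= threshold)
```

On the sample this reports four failures from one address, handled by four different sshd children and arriving from two client ports; neither number has anything to do with the listening port.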
10-12-2006, 01:24 PM | #3 | LQ Newbie | Registered: Oct 2006 | Posts: 4 | Original Poster
Ah, thanks for the info. Thought that "sshd[27797]" was a random port they were trying.
For purposes I only use for admin / some site management and all accounts are mine so only I need access. I briefly looked over that thread before posting this, but will look into it further. Not sure on how to do a few things you mentioned but 9/10 it was already posted so I'll check first.
As far as security this is what was done by default:
Quote:
1. Upgrade Apache/PHP, openssh, openssl, mysql etc.
2. Firewall Installation.
APF BFD SIM PRM LES NSIV SPRI
3. Rkhunter Installation.
4. Mod_Security Installation.
5. /tmp hardening.
6. Disable non-root access to unsafe binaries.
Going to look into that thread. Thanks for the site welcome. Lots of info here.
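The sshd_config tightening recommended in reply #2 (no root login, keys with passphrases instead of passwords, Protocol 2 only, an AllowUsers list), expressed as a check that can be run over a config file. This is an added example, not code from the thread or from any of the tools listed above; the two sample configs and the user name admin are constructed.

```python
"""Check an sshd_config against the hardening steps in reply #2
(no root login, key-based auth instead of passwords, Protocol 2 only,
an explicit user allow-list).  Added example, not from the thread."""
import re

# keyword (lower-cased) -> (required value, reason)
REQUIRED = {
    "permitrootlogin": ("no", "log in as a normal user and escalate"),
    "passwordauthentication": ("no", "use key pairs protected by a passphrase"),
    "protocol": ("2", "protocol 1 is obsolete"),
}

def parse_sshd_config(text):
    """Global settings as {keyword: value}; first occurrence wins, Match blocks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":          # everything after Match is per-block, not global
            break
        settings.setdefault(key, value)                   # sshd honours the first one
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (want, why) in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set, relying on the default: set '{want}' ({why})")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', should be '{want}' ({why})")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every account can be tried")
    return findings

# constructed samples, not any real host's configuration
WEAK_CONFIG = "Port 22\nProtocol 2,1\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 22\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nAllowUsers admin  # assumed account name\n")
```

Keeping Port 22 in the hardened sample is deliberate: the port is unchanged, and the findings list empties because of the other four settings.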
10-12-2006, 08:42 PM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
APF BFD SIM PRM LES NSIV SPRI
For those with low TLA/FLA-fu:
APF (Advanced Policy Firewall)
BFD (Brute Force Detection)
SIM (System Integrity Monitor)
PRM (Process Resource Monitor)
LES (Linux Environment Security)
NSIV (Network Socket Inode Validation)
SPRI (System Priority)
* I suggest installing a file integrity checker like Aide or Samhain RSN since your install is still relatively "fresh".
Next to that Monit could replace (way more configurable, faster) SIM, PRM and NSIV. GRSecurity or SELinux overrule LES and NSIV by a mile w/o making a system non-standard wrt DAC rights and extended attributes (easier troubleshooting, easier on updates). If you're an RFX Fan for Life just disregard it but you can't miss the main portion of the code was written between 2002 and 2005 (AFAIK) and maybe you already have been told: "please be aware this is not a silver bullet, and these do not prevent exploits of services you do run." before you signed up for installing those. While I agree OTS tools can do a great job in quickly providing (a sense of) security, you *do* have to configure and maintain them periodically to be effective (for instance LES by default knows wget but doesn't know Perl-libwww's GET).
It's a continuous process, no Fire and Forget here.
Quote:
5. /tmp hardening.
Mounting it "noexec,nosuid,nodev" is good but won't spare you if you run vulnerable or obsolete versions of PHP-based apps. Spam piggybacking on LAMP no longer seems to require root account privileges (check out those "I got hacked" threads here). Enhancing security for /tmp could be done by adding 1) SELinux, 2) GRSecurity (TPE), 3) some kind of Dnotify, FAM or other syscall interception gizmo or 4) a wickedly fast malware-seeking cronjob ;-p
Just my thoughts.
10-16-2006, 11:25 PM | #5 | LQ Newbie | Registered: Oct 2006 | Posts: 4 | Original Poster
Was able to get this fixed with the help given. Thanks for that. Was away for a lil.
Will look into the other things that you mentioned.