I am running a squid server at home and I was looking at my /var/log/auth.log file and found a lot of failed authentications. I noticed someone was running a program against my server trying to log in with different usernames:
Jan 20 11:17:41 debian-router sshd[5287]: Failed password for invalid user nagios from 118.143.232.21 port 43688 ssh2
Jan 20 11:17:46 debian-router sshd[5289]: Invalid user oracle from 118.143.232.21
Jan 20 11:17:46 debian-router sshd[5289]: reverse mapping checking getaddrinfo for d1-21-232-143-118-on-nets.com failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 20 15:51:43 debian-router sshd[6090]: Failed password for invalid user scanner from 81.23.114.14 port 55133 ssh2
Jan 20 15:51:45 debian-router sshd[6092]: Invalid user work from 81.23.114.14
Jan 20 15:51:22 debian-router sshd[6080]: Failed password for invalid user music from 81.23.114.14 port 53957 ssh2
Jan 20 15:51:24 debian-router sshd[6082]: Invalid user test from 81.23.114.14
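A quick way to turn lines like these into a per-source summary, added here as an example and not part of the thread: it parses sshd's "Failed password" and "Invalid user" lines, counts attempts per source address and lists the usernames probed. The sample input is the auth.log excerpt quoted above; the threshold used by noisy_sources is an arbitrary choice, not something sshd or the poster specified.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log excerpt quoted in the post above.
SAMPLE_LOG = """\
Jan 20 11:17:41 debian-router sshd[5287]: Failed password for invalid user nagios from 118.143.232.21 port 43688 ssh2
Jan 20 11:17:46 debian-router sshd[5289]: Invalid user oracle from 118.143.232.21
Jan 20 11:17:46 debian-router sshd[5289]: reverse mapping checking getaddrinfo for d1-21-232-143-118-on-nets.com failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 20 15:51:43 debian-router sshd[6090]: Failed password for invalid user scanner from 81.23.114.14 port 55133 ssh2
Jan 20 15:51:45 debian-router sshd[6092]: Invalid user work from 81.23.114.14
Jan 20 15:51:22 debian-router sshd[6080]: Failed password for invalid user music from 81.23.114.14 port 53957 ssh2
Jan 20 15:51:24 debian-router sshd[6082]: Invalid user test from 81.23.114.14
"""

# "Failed password for [invalid user] NAME from IP port N ssh2" is logged for
# both unknown accounts and wrong passwords on real ones.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# "Invalid user NAME from IP" is logged when the account does not exist at all.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def summarize(lines):
    """Return {ip: {"failed": n, "invalid": n, "users": sorted usernames}}."""
    stats = defaultdict(lambda: {"failed": 0, "invalid": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["failed"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = INVALID_RE.search(line)
        if m:
            stats[m["ip"]]["invalid"] += 1
            stats[m["ip"]]["users"].add(m["user"])
    # Freeze the sets into sorted lists so the result is easy to print/compare.
    return {ip: {**s, "users": sorted(s["users"])} for ip, s in stats.items()}


def noisy_sources(stats, threshold=2):
    """Sources with at least `threshold` failed passwords, busiest first.
    The threshold is an arbitrary example value."""
    hits = [(ip, s["failed"]) for ip, s in stats.items() if s["failed"] >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, s in report.items():
        print(f"{ip}: {s['failed']} failed, {s['invalid']} invalid users, "
              f"tried {', '.join(s['users'])}")
    print("candidates for blocking:", noisy_sources(report))
```

On a real box you would feed it `open("/var/log/auth.log")` instead of the embedded sample; the usernames list is the useful part, since a run of service-account names (nagios, oracle, test) from one address is the signature of the dictionary scan the replies below describe.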
Look at the back of your computer and you'll find a cable which connects it to the Internet. Unplug that cable! Seriously, that's the only way you'll stop it. This is just script kiddie stuff, looking for usernames that may exist on your system and may have weak passwords. Like that user nagios, nagios is some network monitoring software and I'm guessing there may be a default account it sets up with the username nagios.
What you can do is put stuff in place to minimize the risk of someone getting in. Some such measures are:
- Use strong passwords. No dictionary words (happiness - the feeling someone got recently after running a brute force dictionary attack on a Twitter account - Google for more info.)
- Disable root logins via ssh if you haven't already.
- If it's feasible, restrict where you accept ssh connections from. Do you need to be able to login via ssh from anywhere in the world, or just from other machines on your home network?
- Make your ssh daemon listen on a port other than 22.
- Increase the delay after a failed login attempt until another login attempt can be made.
All of the above are great suggestions. I would also suggest only allowing key logins, no passwords. I had the same problem with my pet server that I left at the office with an outside line for a couple of weeks.
I use denyhosts. It automatically adds the hack source to hosts.deny after 4 failed login attempts. Works great. I get about 5 different source attempts per day. Just too many Windows zombies out there.
I am running a squid server at home and I was looking at ...<SNIP>...
There are thousands of these.
What step should I take next to prevent this.
Thanks in advance for your help.
I added a simple iptables rule to my machine to block the brute force attacks. It took them from about 125k/day to about 100/day.
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name SSHATTEMPTS --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHATTEMPTS --rsource
Basically if someone hits ssh 3 times in 60 seconds it blocks them until there are at least 60 seconds of quiet time from their address. It's quickly become one of my favorite iptables rules.
In addition, changing the port, disabling root logins, port knocking, and using key auth instead of password auth will all make you more secure.
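To see exactly what the two-rule chain above lets through and what it drops, here is a small simulation, added as an example and not code from the post or from netfilter. It models the xt_recent list (SSHATTEMPTS) as a per-source list of packet times and applies the two rules in order: the --update rule matches when the source already has at least --hitcount hits inside --seconds and, on a match, records the packet too; otherwise the --set rule records the packet and the connection reaches sshd. The 20-entry cap per address and the inclusive window boundary are my reading of xt_recent's defaults, stated as assumptions.

```python
from collections import defaultdict, deque


class RecentSshLimiter:
    """Simulation of:
         -m recent --update --seconds 60 --hitcount 3 --name SSHATTEMPTS --rsource -j DROP
         -m recent --set --name SSHATTEMPTS --rsource
       Per source address it keeps the last `max_stamps` packet times."""

    def __init__(self, window=60, hitcount=3, max_stamps=20):
        self.window = window            # --seconds 60
        self.hitcount = hitcount        # --hitcount 3
        # Assumption: xt_recent keeps 20 timestamps per address by default.
        self.table = defaultdict(lambda: deque(maxlen=max_stamps))

    def packet(self, src, now):
        """Fate of one NEW TCP connection to port 22 from `src` at time `now`."""
        stamps = self.table.get(src)    # .get() does not create an entry
        # Rule 1 (--update): only a source already in the list can match.
        if stamps is not None:
            # Assumption: a stamp counts while now <= stamp + window.
            recent = sum(1 for t in stamps if now - t <= self.window)
            if recent >= self.hitcount:
                stamps.append(now)      # --update records the dropped packet too
                return "DROP"
        # Rule 2 (--set): record the packet; the SYN continues on to sshd.
        self.table[src].append(now)
        return "ACCEPT"


def trace(limiter, events):
    """Run a list of (src, time) events and return the verdict for each."""
    return [limiter.packet(src, t) for src, t in events]


if __name__ == "__main__":
    # Constructed scenario: a burst of four attempts inside a minute, then quiet.
    burst = [("203.0.113.9", t) for t in (0, 10, 20, 30, 45)]
    print(trace(RecentSshLimiter(), burst))
    # Constructed scenario: one attempt every 25 seconds never reaches 3 per minute.
    slow = [("203.0.113.9", t) for t in range(0, 150, 25)]
    print(trace(RecentSshLimiter(), slow))
```

The two printed traces show both sides of the rule: a burst gets its fourth connection and everything after it dropped while the attempts keep coming, but a source that paces itself to fewer than three attempts per minute is never matched, which is why the other replies pair this rule with key-only authentication rather than relying on it alone.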