Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I know this is an ongoing thread and i'm not that active on this forum, but I wanted to share some work I did in case it helps others.
Originally I was looking for a way to stop dead any script kiddies doing an ssh attack on my home server. This isn't a corporate server so I wasn't too bothered about making the scripts complex.
My research bought me to this thread and I quite liked the one a few pages back which is a reactive script, so took that as a basis and made a couple of pretty ugly new scripts (that could be made much better), but they seem to work right now.
The preposition for my approach is simply to watch my secure log file and react by shutting down the IP connection when someone misbehaves. I don't want to actively chase these kids off my system, I want my system to simply close the door the first time they do something I don't like. I have a telnet bear trap that does exactly the same thing (in a different way) and I wanted to extend the security logic to this.
My first script resides within /etc/init.d and is configured for sysconfig. I call it ssh_defender
#!/bin/bash
#set -x
#
# chkconfig: 2345 56 24
# description: watches for the ssh abuse and stops it
#
# This is a quick script to launch the ssh defender program which is found
# in /usr/local/bin
#
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 1
esac
As you can see this is simply a handler script that calls another script I wrote. I couldn't get the whole thing to work the way I wanted so I resorted to this. I really couldn't get PID handling at all right so it's an ugly solution that I have but it works for now till I can work out how to capture the correct PID of the core process.
Anyway, the script it calls is in /usr/local/bin with a "good_names" file in /usr/local
#!/bin/bash
#set -x
#
# This is a quick script written to prevent these SSH attacks
#
tail -0f /var/log/secure |
while read mm dd hms localhostname sshd word1 word2 word3 word4 host1 ho
st2 rest;
do
if [ $word3 != "`grep $word3 /usr/local/good_names`" ];
then
$iptables -I INPUT -s $host1 -j DROP
elif [ "$word1 $word2 $word3 $word4" = "Failed password for $word4" ];
then
echo "Watching $word4 for bad password attempts"
fi
done
Now I started off with a bad_name file and put all the usual culprits in there like admin, test, patrick, etc.. but as I run a home system with only a couple of valid ID's available for login I reverted the logic and said anyone I don't have as a valid login get's shut out. This way we get around the issue of locking out a user when they get their password wrong.
To get around some silly text parsing that I couldn't be bothered to deal with you need to put the user "for" into the good_names file. This get's around logging an entry when a user successfully logs in and the third word is "for". Dumb but a hack. :-)
So then lastly you make your /usr/local/good_names file and fill it one per line with valid users and you're away.
Just to make it all startup and stop properly I ran chkconfig --add ssh_defender which now seems to be in the --list, although I haven't rebooted yet to make sure it stops and restarts correctly.
So.. massive apologies for such a crappy piece of scripting. I'm no coder that's for sure, but as I spent a couple of days looking for this on the web I figured I'd share the one I ended up with by way of thanks for giving me a head start. If anyone makes this any better and wants to share it back again I'm more than willing to learn a little more about scripting.
is outgoing communication via port 43 neccessary by any means? and how to set my box not to listen to 32768,x11,910 in the first place although it's not allowed by IPT and any quick tips about sunrpc and ipp? I'm interested in what's needed to be in listening state for ssh server any of the ipp sunrpc mandatory?
Last edited by johnnydangerous; 02-05-2005 at 08:29 PM.
Originally posted by cpharvey Now I started off with a bad_name file and put all the usual culprits in there like admin, test, patrick, etc.. but as I run a home system with only a couple of valid ID's available for login I reverted the logic and said anyone I don't have as a valid login get's shut out. This way we get around the issue of locking out a user when they get their password wrong.
To get around some silly text parsing that I couldn't be bothered to deal with you need to put the user "for" into the good_names file. This get's around logging an entry when a user successfully logs in and the third word is "for". Dumb but a hack. :-)
So then lastly you make your /usr/local/good_names file and fill it one per line with valid users and you're away.
So what happens if someone mistypes their username?
Well its a good point, and hence you might want to go with a 'bad_names' files, but as i'm the only one who really logs into the box (as I said this is a home server not a corporate server) then I'll just lock myself out till I can get in from another IP. I'm not worried about it for myself as I have numerous ways to get connected and fix the problem.
Never the less, it's a good point and I'll have to watch myself.
any clues port 43? outgoing what for my machine generated that traffic? do you know a monitoring tool which lists the process pid using specific connection....
http://www.grc.com/port_43.htm says that port 43 is used for whois. (Type whois google.com in a console terminal.) That site seems to be a good resource btw, You should bookmark it. (by which I mean the first link -- but Google is a good resource too )
Also, running netstat with the -p flag tells it to display the pid/name of the process using that socket/port. It solves quite some paranoia, when they're all listed with 'gaim' or 'firefox' next to them, rather than just being random IP addresses.
yes -p works great but I'm struggling to find some sofisticated GUI tool for example to show exactly what traffic is generating each application in means per second or total...
Well annoying as stupid scriptkiddies are - they now started to cloak their IP
here a short excerp from my logs
Quote:
Mar 3 15:33:38 localhost sshd[2433]: Did not receive identification string from ::ffff:217.115.198.59
Mar 3 15:41:12 localhost sshd[2444]: Address 217.115.198.59 maps to www.onlinebp.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 3 15:41:12 localhost sshd[2446]: Illegal user patrick from ::ffff:217.115.198.59
Mar 3 15:41:12 localhost sshd[2446]: Address 217.115.198.59 maps to www.onlinebp.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 3 15:41:13 localhost sshd[2453]: Illegal user patrick from ::ffff:217.115.198.59
Mar 3 15:41:13 localhost sshd[2453]: Address 217.115.198.59 maps to www.onlinebp.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
People had the cheek claiming I got a battering ram mentality but what is the f****g use of this
use ssh2
Dont login thru root
make sure ftp users cannot also login thru ssh
use difficult passwords
dont allow root to login
change in passwd the shells to false if user is not allow to login
and dont make simpel users like test password test
10x I forgot about that way really was helpful because when I tried with auto update got some checksum errors but in this site it's easy to find different repo
btw: someone tried even user name : pamela oh I'm bursting in tears which was along with patrick root jane ..... many many more this guy really spend a day on my sshd I should change the port maybe,
can someone tell in few words how to take advantage of portsentry I mean it's set & running but where to check results? I just saw lots of not-really-informational entries about portsenty in my logs.. also SELinux need promiscuos mode to be able to start snort... which I don't like how to workaround? and same as portsentry where are snort results... I'm lost in the logs... how to make sshd output be in separate file?? pls help me out here
Last edited by johnnydangerous; 03-14-2005 at 02:32 PM.
Originally posted by johnnydangerous btw: someone tried even user name : pamela oh I'm bursting in tears which was along with patrick root jane ..... many many more this guy really spend a day on my sshd I should change the port maybe,
can someone tell in few words how to take advantage of portsentry I mean it's set & running but where to check results? I just saw lots of not-really-informational entries about portsenty in my logs.. also SELinux need promiscuos mode to be able to start snort... which I don't like how to workaround? and same as portsentry where are snort results... I'm lost in the logs... how to make sshd output be in separate file?? pls help me out here
I don't know anything about snort or portsentry. But I do know you can out put all of your ssh login attempts by simply doing the command cat /var/log/secure | grep sshd | grep Failed ---This is to see the failed SSH attempts on your machine. You can make this a cronjob and mail it to you or output it to a file >> sshfailed.txt
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.