LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-03-2004, 12:02 AM   #1
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Rep: Reputation: 30
SSH Security


Hello,

I was just watching my Security Logs, and I've just noticed numerous attempts by someone unknown to me from IP address 221.166.169.102 (which is ping-able and nmap-able, by the way). What action should I take? And should I block this IP address at the firewall level?

On a side note, is it possible to block root ssh logins from outside my network? Thank you.
 
Old 09-03-2004, 12:18 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
disabling root logins via ssh is highly recommended, it gives you an additional layer of security...

to do that just make sure that in your /etc/ssh/sshd_config file you have this:

PermitRootLogin no

good luck...
 
Old 09-03-2004, 12:23 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
See the news thread on ssh login attempts at the top of the forum for more info as well.
 
Old 09-03-2004, 12:25 AM   #4
mindmerge
LQ Newbie
 
Registered: Apr 2004
Location: San Tan Valley, Az
Distribution: Any... but I prefer Debian based...
Posts: 26

Rep: Reputation: 15
Restriction and Abuse

Is the machine accepting more than admin logins through SSH? If not, create an admin group and restrict login to that group. Or if it is just you restrict the login to you and you alone.

Also, this type of scanning sucks and should be stopped. Report the abuse to the net-block owner's abuse or technical contact.

I typically send the full output from:

host
whois
nslookup
dig

Have fun....
-james
 
Old 09-03-2004, 01:24 AM   #5
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
It should be reported, but as far as security goes I would not worry too much about them guessing your password.
 
Old 09-03-2004, 09:11 AM   #6
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Is it at all possible to get PermitRootLogin no on a per-host basis? Just from a slightly lazy standpoint, I would rather not have to su when I ssh within my private LAN.

I read the thread on SSH login attempts; it seems like that's what happened, given the fact that it all happened within a minute. But is this something which happens from 0wned/infected machines or from malicious machines?

I've already written to the email address I picked up from a whois. But how do I restrict ssh logins based on group membership? Better yet, any good links on hardening sshd?

Thanks..... I'll be sure to post the SSH Login attempts thread to my local LUG
 
Old 09-03-2004, 02:12 PM   #7
mindmerge
LQ Newbie
 
Registered: Apr 2004
Location: San Tan Valley, Az
Distribution: Any... but I prefer Debian based...
Posts: 26

Rep: Reputation: 15
SSH login attempts

Yes you can restrict per host, the easiest way would be to use webmin which can help you to fine tune your configuration.
- Browse through, "Servers" / "SSH Server" this is where you configure SSH,
for your particular needs look for Client Host Options to modify these settings.

Resources for SSH:

The OpenSSH manual...

PuTTY is a good SSH client for Windows.... terminal or tunneling VNC, it works great.

IBM LPI series, I finally got them all printed up and bound for myself....woohoo I can study! You are looking for the last tutorial...

I have been hungrily looking at Secure Shell: The Definitive Guide for years now.....

Have fun...
-james
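The same per-host and per-group restriction done directly in sshd_config rather than through webmin, as an added example (not from any post in the thread): root login is refused and only one group may log in globally, and a Match block relaxes the root rule for the private LAN. The group name sshusers and the 192.168.1.0/24 range are assumptions; Match blocks require OpenSSH 4.4 or later.

```conf
# /etc/ssh/sshd_config (fragment)
# Global policy: no root logins, and only members of group sshusers may log in.
PermitRootLogin no
AllowGroups sshusers

# Relax the root rule only for the private LAN (192.168.1.0/24 assumed here).
# Match blocks need OpenSSH 4.4+ and must come after all global directives.
# AllowGroups still applies: root must be a member of sshusers for this to matter.
# without-password = key-based root only (newer releases spell it prohibit-password).
Match Address 192.168.1.0/24
    PermitRootLogin without-password
```

Run `sshd -t` after editing to check the syntax before restarting the daemon.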
 
Old 09-03-2004, 02:57 PM   #8
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Rep: Reputation: 24
use sudo

Quote:
Just from a slightly lazy stand point, would rather not have to su, when i ssh within my private LAN.
Use sudo (pronounced "soo-doo", it stands for "superuser do").

If you haven't already created a regular account for yourself, you should. Anytime you can work without being root, it's a good idea; we've all typed the command we wish half a second later we had read more carefully. Using sudo, you can give yourself temporary root privileges only when you need them. Then you can deny root login (one of the first things to harden sshd), but you can still become root easily, and if you have users who need privileges for a couple occasional tasks, you don't have to give THEM your root password, and you can define and limit what they're allowed to do (in /etc/sudoers). As a side benefit on systems with many users, you still have accountability because users' commands are logged while root's generally aren't.

Type
Code:
sudo <command>
and you're prompted for your password (not root's), which it keeps in a cache for a while (default 5 minutes), so you're only prompted once. Then the command is executed as if root had typed it. You can extend the time to whatever, but 5 min. is generally adequate, since you generally do a couple things (like updating /etc/mail/aliases then newaliases, or editing httpd.conf then bouncing apache), then you're back to not needing root anymore. The countdown also resets each time you type a sudo command, so it's not greatly annoying if you need to do a dozen things that will take you fifteen minutes. If you're going to be needing root powers for a longer while, you can always
Code:
sudo su - root
...and you get root's privileges and default environment.

/etc/sudoers defines who can do what with sudo, so you'll have to add your user account to it. For a bit tighter security, you can add the new user to the group wheel and only allow that group to execute commands using sudo.

Just like "su," sudo defaults to root if you don't specify a user but isn't limited to the superuser. You can do
Code:
sudo -u <otheruser> <command>
and execute the command as that user. That makes it fun to send mail harassing a coworker from another. Whee.

Example /etc/sudoers file:
Code:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL) ALL
weenor  ALL=(ALL) NOPASSWD: ALL
grunt   ALL = /usr/bin/su backups
%admin  ALL=(ALL) ALL
Everyone in the admin group can execute anything they want, weenor can do it all without being prompted for a password, and grunt can only su to user backups so he can run the nightly tape archive (you could easily transfer or add this responsibility to another user for tom's vacation). Yeah, I know cron can do the backup, but this is an example :P

-------
edit: mindmerge makes a great point mentioning PuTTY. I've never tunneled VNC with it, but it's the best free Windows ssh client I've seen, and it comes with pscp, a Windows secure copy client that I haven't seen beaten by anything, free or otherwise.

Last edited by zedmelon; 09-03-2004 at 03:10 PM.
 
Old 09-03-2004, 03:07 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Re: SSH login attempts

Quote:
Originally posted by mindmerge
Yes you can restrict per host, the easiest way would be to use webmin which can help you to fine tune your configuration.
The rest of your post is all great information, but I have to say that recommending people get webmin just to configure SSH is rather dubious. That doesn't really teach anyone how to use their system and can create a lot more questions and confusion while they try to install webmin.
 
Old 09-03-2004, 04:30 PM   #10
linuxboy69
Member
 
Registered: Oct 2003
Distribution: Redhat 9
Posts: 138

Rep: Reputation: 15
Quote:
And should I block this IP address at the firewall level?
http://www.dshield.org/warning_expla...&Submit=Submit

It seems that he has attacked other people as well... I have recently had similar problems and I just changed the ssh configuration file to not allow root logins. Has worked great for me. The inconvenience of having to "su -" is a small price to pay.
 
Old 09-03-2004, 10:11 PM   #11
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Hey guys, thanks for all the info.

I already knew about sudo, guess I should have said that before. Was just hoping sshd allowed ACLs based on user, group and connecting host.

Thanks for the webmin suggestions, but even in my rookieness I've been somewhat paranoid; the idea of some web interface somehow altering that many configs just worries me. I think I'll give the man page a good read through.

Well, I've just disallowed root logins, alas I shall have to su/sudo. But two side questions:

1) Is there a way to be instantly alerted (have a script run) on a failed ssh login? Right now, I have my server call me when power goes and it switches to UPS. I am hoping for something similar with such hack attempts.

2) Is it possible/advisable to download a list of malicious IPs and filter them out at an iptables level? I would hate to get 0wned out of my own ignorance.

Thanks
 
Old 09-03-2004, 10:34 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by pembo13
Is there a way to be instantly alerted (have a script run) on a failed ssh login?
i think you can do that with logwatch:

http://www.logwatch.org

Quote:
Is it possible/advisable to download a list of malicious IPs and filter them out at an iptables level? I would hate to get 0wned out of my own ignorance.
it's possible, but honestly i think that's a really bad idea... the inverse would be cool, though... what i mean is using iptables to only allow certain IPs to connect to the ssh daemon...


Last edited by win32sux; 09-03-2004 at 10:37 PM.
 
Old 09-03-2004, 10:55 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Re: SSH Security

Quote:
Originally posted by pembo13
I was just watching my Security Logs, and I've just noticed numerous attempts by someone unknown to me from IP address 221.166.169.102 (which is ping-able and nmap-able, by the way). What action should I take? And should I block this IP address at the firewall level?
you really shouldn't worry too much about this... you could go ahead and block the IP if it helps you sleep better, but the script kiddies and their pet spiders and scanners can just change their IP... what i'm getting at is that blacklisting every IP that does something funny is not very effective... it's an infinite cycle...

script kiddies, spiders, worms, rootkits, scanners, etc are all part of the internet ecosystem and it's better to be prepared for them FROM ANY IP ADDRESS...

of course if some IP has you pinned-down under a non-distributed cyber-attack (DOS, brute-force, etc.), then DROPing that IP would be great in that case... a distributed cyber-attack would be a completely different story, of course...

a script that sends tcp/22 requests from certain IPs to DROP for X amount of time after sshd gets a X amount of login failures from that IP would be awesome...

anybody know how to do this??

=)
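A minimal version of the script win32sux asks for here (and the failed-login trigger pembo13 asked about in post #11), added as an example rather than anything posted in the thread: it counts sshd "Failed password" lines per source address inside a sliding time window and returns the addresses that reach the threshold, together with the iptables DROP rule an operator would then add. The hostname, addresses and log lines are constructed; the syslog timestamp carries no year, so one is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic sshd syslog line for a failed password attempt (timestamp has no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failure(line, year=2004):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def offenders(lines, threshold=5, window_seconds=60):
    """IPs that reach `threshold` failures inside any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # accepted logins and unrelated lines are ignored
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def drop_rule(ip):
    """The iptables command an operator would run for a flagged IP (not executed here)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample log lines (TEST-NET addresses), not a real capture.
SAMPLE_LOG = [
    "Sep  3 00:01:10 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Sep  3 00:01:12 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Sep  3 00:01:13 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2",
    "Sep  3 00:01:15 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2",
    "Sep  3 00:01:18 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Sep  3 00:02:40 web1 sshd[2215]: Failed password for james from 198.51.100.7 port 51000 ssh2",
    "Sep  3 00:02:55 web1 sshd[2217]: Accepted password for james from 198.51.100.7 port 51000 ssh2",
    "Sep  3 00:09:30 web1 sshd[2230]: Failed password for james from 198.51.100.7 port 51200 ssh2",
]
```

Fed the output of `tail -F /var/log/secure` line by line, the same loop flags an address as soon as it crosses the threshold; a matching `iptables -D` scheduled later gives the temporary block the post describes.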
 
Old 09-03-2004, 11:10 PM   #14
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Well I'll take a look at logwatch very soon.

But based on your (win32sux) last post, I'm guessing that one could write up a script using logwatch to do that.
 
Old 09-03-2004, 11:13 PM   #15
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Just took a quick look at logwatch, but seems like this is a batch process, and not an online, watch type process. I very well may be wrong here.
 
  

