Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I was just watching my security logs, and I've just noticed numerous attempts by someone unknown to me from IP address 221.166.169.102 (which is pingable and nmapable, by the way). What action should I take? And should I block this IP address at the firewall level?
On a side note, is it possible to block root ssh logins outside my network? Thank you.
Is the machine accepting more than admin logins through SSH? If not, create an admin group and restrict login to that group. Or if it is just you restrict the login to you and you alone.
Also, this type of scanning sucks and should be stopped. Report the abuse to the net-block owner's abuse or technical contact.
Is it at all possible to get PermitRootLogin no on a host basis? Just from a slightly lazy standpoint, I would rather not have to su when I ssh within my private LAN.
I read the thread on SSH login attempts; it seems like that's what happened, given the fact that it all happened within a minute. But is this something which happens from 0wned/infected machines or from malicious machines?
I've already written to the email address I picked up from a whois. But how do I restrict ssh logins based on group membership? Better yet, any good links on hardening sshd?
Thanks..... I'll be sure to post the SSH Login attempts thread to my local LUG.
Yes you can restrict per host; the easiest way would be to use webmin, which can help you to fine tune your configuration.
- Browse through "Servers" / "SSH Server"; this is where you configure SSH. For your particular needs, look for Client Host Options to modify these settings.
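The two restrictions the replies above ask for (an admin group that is the only one allowed to log in, and PermitRootLogin that is "no" everywhere except on the private LAN) both live in sshd_config. The following is an added example, not code from this thread or from OpenSSH: it embeds a constructed permissive config next to a constructed hardened one and audits both for the settings discussed here. The group name "sshusers", the LAN range 192.168.1.0/24 and the check messages are assumptions; the `Match` block form needs OpenSSH 4.4 or later.

```python
"""Audit an sshd_config for the restrictions discussed in this thread.

Added example, not code from the thread or from OpenSSH. Two constructed
config files are embedded: a permissive one and a hardened one that limits
logins to one group, denies root login globally, and re-allows root login
only from the private LAN via a Match block (Match needs OpenSSH 4.4+).
The group name "sshusers" and the LAN range 192.168.1.0/24 are assumptions.
"""

WEAK_CONFIG = """\
# constructed sample: typical distribution defaults, no restrictions
Port 22
Protocol 2
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# constructed sample: the same file after hardening
Port 22
Protocol 2
# only members of this group may log in at all (the admin-group advice above)
AllowGroups sshusers
# no direct root login from anywhere...
PermitRootLogin no
# ...except from the private LAN, so "ssh root@host" still works internally
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...]).

    Keywords are lower-cased. Only the first occurrence of a keyword in a
    section is kept, which is how sshd itself resolves duplicates.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # lines below belong to this block
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checks pass."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    # older OpenSSH defaulted PermitRootLogin to yes, so treat "unset" as yes
    root = settings.get("permitrootlogin", "yes").lower()
    if root not in ("no", "prohibit-password", "without-password"):
        findings.append("global PermitRootLogin is not 'no'")
    if "allowgroups" not in settings and "allowusers" not in settings:
        findings.append("no AllowGroups/AllowUsers: every account may attempt login")
    # a Match block may re-enable root login only when it is keyed on an address
    for criteria, block in match_blocks:
        if block.get("permitrootlogin", "").lower() == "yes" \
                and not criteria.lower().startswith("address "):
            findings.append("Match '%s' re-enables root login without an address restriction" % criteria)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Run it against your own file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; after editing the real file, `sshd -t` checks the syntax before you restart the daemon.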
Just from a slightly lazy standpoint, I would rather not have to su when I ssh within my private LAN.
Use sudo (pronounced "soo-doo", it stands for "superuser do").
If you haven't already created a regular account for yourself, you should. Anytime you can work without being root, it's a good idea; we've all typed the command we wish half a second later we had read more carefully. Using sudo, you can give yourself temporary root privileges only when you need them. Then you can deny root login (one of the first things to harden sshd), but you can still become root easily, and if you have users who need privileges for a couple of occasional tasks, you don't have to give THEM your root password, and you can define and limit what they're allowed to do (in /etc/sudoers). As a side benefit on systems with many users, you still have accountability because users' commands are logged while root's generally aren't.
Type
Code:
sudo <command>
and you're prompted for your password (not root's), which it keeps in a cache for a while (default 5 minutes), so you're only prompted once. Then the command is executed as if root had typed it. You can extend the time to whatever, but 5 min. is generally adequate, since you generally do a couple things (like updating /etc/mail/aliases then newaliases, or editing httpd.conf then bouncing apache), then you're back to not needing root anymore. The countdown also resets each time you type a sudo command, so it's not greatly annoying if you need to do a dozen things that will take you fifteen minutes. If you're going to be needing root powers for a longer while, you can always
Code:
sudo su - root
...and you get root's privileges and default environment.
/etc/sudoers defines who can do what with sudo, so you'll have to add your user account to it. For a bit tighter security, you can add the new user to the group wheel and only allow that group to execute commands using sudo.
Just like "su," sudo defaults to root if you don't specify a user but isn't limited to the superuser. You can do
Code:
sudo -u <otheruser> <command>
and execute the command as that user. That makes it fun to send mail harassing a coworker from another. Whee.
Example /etc/sudoers file:
Code:
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
weenor ALL=(ALL) NOPASSWD: ALL
grunt ALL = /usr/bin/su backups
%admin ALL=(ALL) ALL
Everyone in the admin group can execute anything they want, weenor can do it all without being prompted for a password, and grunt can only su to user backups so he can run the nightly tape archive (you could easily transfer or add this responsibility to another user for tom's vacation). Yeah, I know cron can do the backup, but this is an example :P
------- edit: mindmerge makes a great point mentioning PuTTY. I've never tunneled VNC with it, but it's the best free Windows ssh client I've seen, and it comes with pscp, a Windows secure copy client that I haven't seen beaten by anything, free or otherwise.
Re: SSH login attempts
Quote:
Originally posted by mindmerge Yes you can restrict per host, the easiest way would be to use webmin which can help you to fine tune your configuration.
The rest of your post is all great information, but I have to say that recommending people get webmin just to configure SSH is rather dubious. That doesn't really teach anyone how to use their system and can create a lot more questions and confusion while they try to install webmin.
It seems that he has attacked other people as well... I have recently had similar problems and I just changed the ssh configuration file to not allow root logins. Has worked great for me. The inconvenience of having to "su -" is a small price to pay.
I already knew about sudo, guess I should have said that before. Was just hoping sshd allowed ACLs based on user, group and connecting host.
Thanks for the webmin suggestions, but even in my rookieness, I've been somewhat paranoid, the idea of some web interface somehow altering that many configs just worries me, I think I'll give the man a good read through.
Well I've just disallowed root logins; alas, I shall have to su/sudo. But two side questions:
1) Is there a way to be instantly alerted (have a script run) on a failed ssh login? Right now, I have my server call me when power goes and it switches to UPS. I am hoping for something similar with such hack attempts.
2) Is it possible/advisable to download a list of malicious IPs and filter them out at an iptables level? I would hate to get 0wned out of my own ignorance.
Is it possible/advisable to download a list of malicious IPs and filter them out at an iptables level? I would hate to get 0wned out of my own ignorance.
it's possible, but honestly I think that's a really bad idea... the inverse would be cool, though... what I mean is using iptables to only allow certain IPs to connect to the ssh daemon...
Originally posted by pembo13 I was just watching my security logs, and I've just noticed numerous attempts by someone unknown to me from IP address 221.166.169.102 (which is pingable and nmapable, by the way). What action should I take? And should I block this IP address at the firewall level?
you really shouldn't worry too much about this... you could go ahead and block the IP if it helps you sleep better, but the script kiddies and their pet spiders and scanners can just change their IP... what I'm getting at is that blacklisting every IP that does something funny is not very effective... it's an infinite cycle...
script kiddies, spiders, worms, rootkits, scanners, etc. are all part of the internet ecosystem and it's better to be prepared for them FROM ANY IP ADDRESS...
of course if some IP has you pinned down under a non-distributed cyber-attack (DoS, brute-force, etc.), then DROPping that IP would be great in that case... a distributed cyber-attack would be a completely different story, of course...
a script that sends tcp/22 requests from certain IPs to DROP for X amount of time after sshd gets X login failures from that IP would be awesome...
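Both the "run a script on a failed ssh login" question earlier in the thread and the "DROP an IP after X failures" idea just above come down to the same thing: parse sshd's "Failed password" lines, count them per source address inside a time window, and call a hook when the count crosses a threshold. The following is an added example, not a script from this thread: the log lines are constructed in the usual auth.log format (the 221.166.169.102 address is the one from the original post; the other address, the user names and the timestamps are made up), and the threshold of 5 failures in 60 seconds, the hook name and the alert behaviour are assumptions. A real deployment would read /var/log/auth.log (or /var/log/secure on Red Hat-style systems) and have the hook send mail or insert a temporary iptables DROP rule.

```python
"""Count failed sshd logins per source IP and call a hook past a threshold.

Added example, not code from the thread. SAMPLE_LOG is constructed; the
threshold/window and the alert hook are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# constructed auth.log excerpt: one host hammering root and guessed names,
# then a legitimate user with a single typo'd password
SAMPLE_LOG = """\
Jan 14 03:12:01 host sshd[2101]: Failed password for root from 221.166.169.102 port 40122 ssh2
Jan 14 03:12:03 host sshd[2103]: Failed password for invalid user admin from 221.166.169.102 port 40130 ssh2
Jan 14 03:12:05 host sshd[2105]: Failed password for invalid user test from 221.166.169.102 port 40141 ssh2
Jan 14 03:12:06 host sshd[2107]: Failed password for root from 221.166.169.102 port 40150 ssh2
Jan 14 03:12:08 host sshd[2109]: Failed password for root from 221.166.169.102 port 40158 ssh2
Jan 14 03:12:09 host sshd[2111]: Failed password for root from 221.166.169.102 port 40163 ssh2
Jan 14 03:15:30 host sshd[2120]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Jan 14 09:40:11 host sshd[2400]: Failed password for alice from 192.168.1.20 port 51100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog stamps carry no year; strptime fills in 1900, which is
            # fine for the relative comparisons done below
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60, alert=None):
    """Return {ip: (failures_in_window, first_ts, last_ts)} for every IP
    that crossed the threshold; alert(ip, count) is called once per IP."""
    recent = defaultdict(list)      # ip -> timestamps still inside the window
    alerted = {}
    for ts, user, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.pop(0)           # forget failures older than the window
        if len(window) >= threshold and ip not in alerted:
            alerted[ip] = (len(window), window[0], window[-1])
            if alert is not None:
                alert(ip, len(window))
    return alerted


def example_alert(ip, count):
    """Hypothetical hook: a real one would mail you or add a DROP rule."""
    print("ALERT: %d failed ssh logins from %s inside the window" % (count, ip))


if __name__ == "__main__":
    detect_bruteforce(SAMPLE_LOG.splitlines(), alert=example_alert)
```

Because the window slides, a user who mistypes a password once a day never trips the hook, while a scanner trying a name every second or two does within seconds; pair the hook with a timer that removes any DROP rule it added, or a mistyped address in the allow-list locks you out of your own box.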