brute force attack detected in /var/log/messages
Hi Forum,
A brute force attack on sshd has been detected in /var/log/messages:
Code:
cat /var/log/messages | grep sshd
cat /var/log/messages | grep Failed
I have the IP the attack has come from.
1/ Any info on how to blacklist known IPs for sshd (and other/all services)?
2/ I would really like to hear people's imaginative suggestions for the known IPs ;-)
Thanks,
iptables?
Take a look here: http://www.cyberciti.biz/faq/linux-iptables-drop/
Code:
/sbin/iptables -I INPUT -s {IP-HERE} -j DROP
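Putting the original poster's grep and the iptables DROP rule above together, here is an added example (not code from the thread) that counts sshd "Failed password" lines per source address and emits one DROP rule per offender. It goes a little beyond the thread by taking an optional whitelist so an admin who mistypes their own password a few times is not locked out, and by only printing the rules rather than applying them. The log lines, the hostname "slack", the PIDs and the RFC 5737 documentation addresses are all constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages sshd lines (not from the original post).
# Source addresses are RFC 5737 documentation ranges, chosen for illustration only.
SAMPLE_LOG='May  4 07:20:01 slack sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
May  4 07:20:03 slack sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 51130 ssh2
May  4 07:20:05 slack sshd[2105]: Failed password for root from 192.0.2.10 port 51140 ssh2
May  4 07:20:07 slack sshd[2107]: Failed password for root from 192.0.2.10 port 51150 ssh2
May  4 07:20:09 slack sshd[2109]: Failed password for root from 192.0.2.10 port 51160 ssh2
May  4 07:21:00 slack sshd[2120]: Failed password for bob from 198.51.100.7 port 40010 ssh2
May  4 07:21:30 slack sshd[2121]: Accepted publickey for bob from 198.51.100.7 port 40011 ssh2
May  4 07:22:00 slack sshd[2130]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
May  4 07:22:01 slack sshd[2131]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
May  4 07:22:02 slack sshd[2132]: Failed password for invalid user test from 203.0.113.5 port 33002 ssh2
May  4 07:22:03 slack sshd[2133]: Failed password for invalid user test from 203.0.113.5 port 33003 ssh2
May  4 07:22:04 slack sshd[2134]: Failed password for invalid user test from 203.0.113.5 port 33004 ssh2
May  4 07:22:05 slack sshd[2135]: Failed password for invalid user test from 203.0.113.5 port 33005 ssh2
May  4 07:23:00 slack crond[2140]: (root) CMD (run-parts /etc/cron.hourly)'

# failed_by_ip LOGFILE THRESHOLD
# Prints "count ip" for every source address with >= THRESHOLD sshd
# "Failed password" lines, highest count first. The token after "from" is
# taken rather than a bare IP regex so PIDs and port numbers cannot match.
failed_by_ip() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# blacklist_rules LOGFILE THRESHOLD [WHITELIST_FILE]
# Emits one iptables DROP rule per offending address. Nothing is applied
# here: review the output, then pipe it to sh. Addresses listed in the
# optional whitelist (one per line) are skipped.
blacklist_rules() {
    failed_by_ip "$1" "$2" | while read -r count ip; do
        if [ -n "$3" ] && grep -qxF "$ip" "$3"; then
            continue
        fi
        printf '/sbin/iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

# Stand-alone demo against the constructed log: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    blacklist_rules "$tmp" 5
    rm -f "$tmp"
fi
```

Run it against the real file with `blacklist_rules /var/log/messages 5 /etc/ssh/whitelist.txt` (the whitelist path is just an example). Remember that a rule inserted with `-I INPUT` lives only until the next reboot or rules reload unless you save it with iptables-save.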
Install and configure fail2ban, exactly the service that you need for your purpose.
Or try sshblock which is available on SBo
How about configuring SSH to use shared keys? That way you can disable password logins altogether.
Just a comment: instead of "cat filename | grep pattern" just use "grep pattern filename".
There is also DenyHosts (http://denyhosts.sourceforge.net/). It has been around for quite a while. It monitors your logs and when it sees this sort of activity it creates an entry for you in iptables or /etc/hosts.deny (either of these will stop a site from connecting); it's a daemon, it works (I've been using it for years).
Other options are country blocks, see for example http://ipinfodb.com/ip_country_block.php#blocklist. You can get iptables or htaccess entries and just block the entire country (China, for example, is a good one to block along with Russia, both Koreas, and others). You get the list and write a little AWK program that creates the iptables entries, pretty easy.
If you're open to the Internet you're going to get whacked by script kiddies and bad actors (such as China); DenyHosts (along with the other methods in other posts above) is a good tool that you don't have to fiddle with constantly and does a good job. Hope this helps some.
Why just block IPs from China? Do you mean there are no bad hackers from the US etc.?
For sshd protection, normally I just change the port number.
Access lists are to be implemented (whitelists and blacklists).
I will post more info on how to set these up for other viewers/readers. Why does Slackware have more than one 'messages' file? e.g.
Code:
ls -lah /var/log/ | grep messages
-rw-r--r-- 1 root root 460K May  4 07:26 messages
-rw-r--r-- 1 root root 1.8M Apr 26 04:30 messages.1
-rw-r--r-- 1 root root 170K Apr  7 04:34 messages.2
-rw-r--r-- 1 root root 358K Apr  4 04:26 messages.3
-rw-r--r-- 1 root root 190K Mar 24 04:38 messages.4
?
those are just rotated logs ("man logrotate").
Rotated logs (logrotate). If you don't already, change the default port ASAP!
Reasons for not using DenyHosts in its default configuration: http://www.linuxquestions.org/questi...iptables-3036/
Reasons for not changing the port SSH listens on: /etc/services (as in IANA assigned ports, aka interoperability and obfuscation).
Wrt using RBLs like DShield and OpenBL.org, I think their use is debatable as it doesn't relate to local conditions. In other words you may be investing resources in banning hosts that may have either scanned your particular ranges ages ago or will never scan your range RSN. (Also see this (2008) and this (more recent).)
Code:
whois 180.153.224.106
While you're about it, go read http://www.economist.com/news/specia...bashed-masters and make up your own mind. Script kiddies and port scanners are one thing, state-sponsored attacks are quite another. Do countries spy on one another? Of course they do and have done so for thousands of years in one form or another. It seems, though, that China has taken it to a new level. Hope this helps some.
Personally I don't see the need for fail2ban in this situation. It's one more package he has to install and one more thing that has to be memory resident. The kernel and some iptables rules already offer what is needed.
If you use a strong password or disable password authentication and use ssh keys, then slowing down an attacker is enough to prevent a brute force attack from working and spare your logs.
Code:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name probe_list --set   # record every new SYN; --update alone never adds entries
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name probe_list --update --seconds 300 --hitcount 5 -j DROP
I would reserve things like fail2ban for other services like web applications where it's normal for a client to be repeatedly establishing TCP sessions, or anything UDP.
Disable password logins and allow only ssh keys. In addition disable remote root logins. Oh, and make your root password long.
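The two posts recommending keys only and no remote root login boil down to a few sshd_config directives. Here is an added example (not from the thread) that audits a config file for exactly those settings, with a constructed weak fragment next to a constructed hardened one. It encodes two things practitioners trip over: sshd honours the first occurrence of a keyword and ignores later duplicates, and on a PAM-enabled build "PasswordAuthentication no" alone still lets keyboard-interactive password prompts through unless ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) is also off. The default values passed in are upstream OpenSSH defaults; the user "bob" is hypothetical.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not from the thread): the permissive
# settings an exposed box often runs with, and the hardened form the posts above ask for.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers bob'

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD as sshd would see it: keywords are
# case-insensitive, comments and blank lines are skipped, and the FIRST
# occurrence wins (later duplicates are ignored by sshd). DEFAULT is printed
# when the keyword is absent.
sshd_setting() {
    v=$(awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE
# Returns 0 when password logins (both plain and keyboard-interactive) and
# remote root logins are disabled and public key auth is on; otherwise prints
# each finding and returns 1. Upstream defaults: PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PubkeyAuthentication yes. PermitRootLogin's
# default has changed between releases, so an absent keyword is reported.
audit_sshd_config() {
    rc=0
    if [ "$(sshd_setting "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no' (password brute force possible)"; rc=1
    fi
    cra=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_setting "$1" KbdInteractiveAuthentication yes)
    if [ "$cra" != "no" ] && [ "$kbd" != "no" ]; then
        echo "FAIL: keyboard-interactive auth still on (PAM can prompt for a password)"; rc=1
    fi
    if [ "$(sshd_setting "$1" PermitRootLogin unset)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no' (remote root login allowed)"; rc=1
    fi
    if [ "$(sshd_setting "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is off (no way in once passwords are disabled)"; rc=1
    fi
    return $rc
}

# Stand-alone demo: ./audit.sh --demo runs the check on both fragments.
if [ "${1:-}" = "--demo" ]; then
    for name in WEAK_CONFIG HARDENED_CONFIG; do
        f=$(mktemp); eval "printf '%s\n' \"\$$name\"" > "$f"
        echo "== $name"; audit_sshd_config "$f" && echo "OK"
        rm -f "$f"
    done
fi
```

Run `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while you test a fresh key-based login so a mistake in the file cannot lock you out. A long root password still matters for the console, but with the settings above it is never offered to the network.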