More ssh ideas

A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit" which is a program that checks your system to see if there is any of a number of root kits installed. He had SuckIt installed on his machine and now has a server to rebuild

Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.

Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:

1. PermitRootLogin no Users just have to login to an unprivileged account, then su if they want root access.

2. Banner /etc/banner This file is displayed after you enter your user name. I changed the banner file as below:

password:
$

Unauthorized use of this service is strictly prohibited.  Unauthorized
attempts to use this service, upload information or change information
on this service are strictly prohibited and may be punishable under the
Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act.
 

I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.

3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer

A list of all the folks who cannot login.

4. AllowUsers boopy A list of all the folks who can login, just in case I left anyone out of the previous list. Only boopy gets in.

Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:

ALL: 222.237.79.237\
210.68.8.169\
68.58.89.36\
200.164.92.234\
210.75.224.29\
81.168.255.137\
64.151.75.92\
148.245.97.130\
131.202.163.23\
162.39.201.74\
67.172.114.3\
206.165.120.54\
222.122.60.42\
211.136.90.75\
.
.
.
141.28.18.200

ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.

5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.

Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?

Any other security suggestions?

(On 3/26/2005 Dirk added this:)

Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.

[root@mammoth tmp]# cat test
grep 'Failed password' /var/log/secure|cut -d ']' --fields=2|cut -d ' '
--fields=9|uniq -c|sort -nr

[root@mammoth tmp]# sh test
   707 209.253.78.9
   600 193.178.210.35
   115 217.34.37.166
   107 63.107.208.110
   107 220.95.215.148
   107 161.53.191.13
    90 81.169.137.164
     9 211.184.70.140
     9 207.207.186.182
     8 62.193.236.45
     8 208.13.106.89
     1 211.90.27.133
     1 211.157.102.10
 

More Articles by Dirk Hart

Click here to add your comments




Wed Mar 2 13:23:29 2005: Subject:   anonymous


Yap, pretty sure I'm going to ban all of Korea and China from ssh on my server.

--dhh



Wed Mar 2 23:18:16 2005: Subject:   TonyLawrence


There's a pam module for blacklisting: http://www.hexten.net/sw/pam_abl/index.mhtml

Might be useful..





Fri Mar 4 00:20:06 2005: Subject: VerifyReverseMapping   adanac


This is what you might see in your log if VerifyReverseMapping fails:

Mar 3 17:46:34 mammoth sshd[26428]: Illegal user jordan from 205.246.18.240
Mar 3 17:46:34 mammoth sshd[26428]: Address 205.246.18.240 maps to monolith.vet
eransadvantage.com, but this does not map back to the address - POSSIBLE BREAKIN
ATTEMPT!




Wed Nov 2 00:25:44 2005: Subject:   anonymous


Actually what I've done to date is I put together a list of IP blocks I deny SSH access to by default on every system I build. The list started with all Non-Arin IP blocks and was peared down as I found places where I was a little too aggressive. I also wrote a perl script which I cron to run every couple of minutes which parses my /var/log/secure file for SSH login failures. It then adds new deny entries to the /etc/hosts.allow file to block those IP address's if the number of failures exceeds a preset number in a preset time interval. IE: by default, if there are more than 10 login failures from the same IP address and the failures are less than 5 seconds apart on average, then it is added to host.allow automatically because it is considered a brute force attack. If there are more than 50 failures in total, regardless of the interval, the ip address is added. The script also adds a header block to the hosts.allow file where you can add in a "Whitelist" of IP addresses which will always be first in the list and therefore can never be denied.

Since I added these measures, the number of failed login attempts on any given day on my servers has dropped from over 7000 to less than a few hundred on a bad day.

If anyone is interested, there is a project on sourceforge which is similar to what I have written but is far mor feature rich. It is however written in python and I have no intention of ever installing python on any of my servers unless I absolutely have to. If anyone is interested in a copy of the script, feel free to e-mail me at cgardiner@quadrix.com.




Wed Jan 18 19:52:12 2006: Subject: Here's what I use on FreeBSD   apex

grep 'Failed password' /var/log/messages | cut -f 13 -d ' ' | grep '\.' | uniq -c

Sun Mar 26 02:26:10 2006: Subject: Furth more   b0x


noob Debian user here

My 2 cents

/etc/cron.hourly/sshd_deny

grep 'Invalid user' /var/log/auth.log* | cut -d ']' --fields=2 | cut -d ' ' --fields=6 | uniq -dc | sort -nr | awk '{ print "sshd: " $2 "/255.255.255.255" }' > /etc/hosts.deny



Fri Sep 5 09:44:19 2008: Subject: Security log/hacker attack-Hosts.deny file Syntax?   Matey


Hello All:
Thanks for the info. (I am looking for Correct Syntax)!

We've been getting many of these would-be hackers on our site lately and I was trying to put all their IP addresses from /var/log/auth.log file into /etc/hosts.deny BUT I keep
getting errors from the system such as this one:

warning: /etc/hosts.deny, line 31: missing ":" separator

and so on...(many such lines)?
Here's a portion of my .deny file;

# ALL: PARANOID
ALL:
79.187.241.62:
82.50.250.22:
82.179.130.135:
69.80.255.165:
219.150.196.6:
83.16.112.18:
222.191.240.194:
219.150.196.0/12:
168.234.227.2:
219.150.196.6:
200.228.120.130:

Any ways as you can see I did put Colons : as separators. why then errors/warnings??

Any idea how you would input separators (using ) debian linux (ubuntu 704?)
BTW I used , (commas) before and got errors about them too?

Thank You!

BTW thanks to those who wrote the Automatic hosts.deny file population! I have not perfected that for my system yet but I get an idea (New to Linux at these levels)!
Regards;

---

Unix and Linux Support

---

Fri Sep 5 11:22:00 2008: Subject:   TonyLawrence


Isn't the format

ALL:ipaddress
ALL:ipaddress

etc.??



Thu Mar 5 06:35:28 2009: Subject:   PrestonKutzner


I'm sure you probably have already stumbled upon this utility already, but you could use denyhosts ( http://denyhosts.sourceforge.net ) to do what you're talking about. It is very configurable and watches your auth log as well as managing hosts.deny for you.



Thu Mar 5 11:37:46 2009: Subject:   TonyLawrence


Well, I hadn't seen that before so I'm glad you took the time to point us at it!



Thu Mar 5 23:48:43 2009: Subject: More options   ToKy


Besides not allowing root logins I find that using public-keys is the best way to eliminate most of the things mentioned on this post.

Now, when you create your keys you better put a passphrase to it. Even though its pretty difficult for someone to get your private key, if they do and you didn't put a passphrase on your key....they just got VIP access to your server. Once the pubkey is setup then disable passwordauthentication and thats that, no more brute force thru ssh!

On your sshd_config file:
PubkeyAuthentication yes

TRY to set it up locally first before you try to do it remotly other wise you might lock yourself out!





Fri Mar 6 03:20:29 2009: Subject:   TonyLawrence


Yes, of course. See http://aplawrence.com/Security/sshpassphrases.html here for instructions.



Fri Mar 6 04:13:15 2009: Subject:   PrestonKutzner


Well, glad I could help with denyhosts. I've been using it on several servers I administer. It's also handy in that it can be configured to email you when it blocks an IP address. It can add a bit of noise to the SNR, but can be handy to keep an eye on what's going on with regards to SSH on your systems. You can be fairly granular with the configuration too, which I personally like. In general, it's been a good tool in my experience.

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.