More ssh ideas



Author: Dirk Hart
Date: Thu Feb 24 23:10:38 2005
Subject: More ssh ideas


A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit", which is a program that checks your system to see if any of a number of root kits are installed. He had SuckIt installed on his machine and now has a server to rebuild.

Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.

Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:

1. PermitRootLogin no

Users just have to log in to an unprivileged account, then su if they want root access.

2. Banner /etc/banner

This file is displayed after you enter your user name. I changed the banner file as below:

password:
$

Unauthorized use of this service is strictly prohibited.  Unauthorized
attempts to use this service, upload information or change information
on this service are strictly prohibited and may be punishable under the
Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act.
 

I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.

3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer

A list of all the folks who cannot login.

4. AllowUsers boopy

A list of all the folks who can log in, just in case I left anyone out of the previous list. Only boopy gets in.

Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:

ALL: 222.237.79.237\
210.68.8.169\
68.58.89.36\
200.164.92.234\
210.75.224.29\
81.168.255.137\
64.151.75.92\
148.245.97.130\
131.202.163.23\
162.39.201.74\
67.172.114.3\
206.165.120.54\
222.122.60.42\
211.136.90.75\
.
.
.
141.28.18.200

ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.

5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.

Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?

Any other security suggestions?



(On 3/26/2005 Dirk added this:)

Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.

[root@mammoth tmp]# cat test
# sort before uniq -c: uniq only merges adjacent identical lines
grep 'Failed password' /var/log/secure | cut -d ']' --fields=2 | cut -d ' ' --fields=9 | sort | uniq -c | sort -nr

[root@mammoth tmp]# sh test
   707 209.253.78.9
   600 193.178.210.35
   115 217.34.37.166
   107 63.107.208.110
   107 220.95.215.148
   107 161.53.191.13
    90 81.169.137.164
     9 211.184.70.140
     9 207.207.186.182
     8 62.193.236.45
     8 208.13.106.89
     1 211.90.27.133
     1 211.157.102.10
Wed Mar 2 13:23:29 2005: 99   anonymous


Yap, pretty sure I'm going to ban all of Korea and China from ssh on my server.

--dhh



Wed Mar 2 23:18:16 2005: 103   TonyLawrence

There's a pam module for blacklisting: http://www.hexten.net/sw/pam_abl/index.mhtml

Might be useful..







Fri Mar 4 00:20:06 2005: 105   adanac


This is what you might see in your log if VerifyReverseMapping fails:

Mar 3 17:46:34 mammoth sshd[26428]: Illegal user jordan from 205.246.18.240
Mar 3 17:46:34 mammoth sshd[26428]: Address 205.246.18.240 maps to monolith.veteransadvantage.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!






Wed Nov 2 00:25:44 2005: 1267   anonymous


Actually what I've done to date is I put together a list of IP blocks I deny SSH access to by default on every system I build. The list started with all non-ARIN IP blocks and was pared down as I found places where I was a little too aggressive. I also wrote a perl script which I cron to run every couple of minutes which parses my /var/log/secure file for SSH login failures. It then adds new deny entries to the /etc/hosts.allow file to block those IP addresses if the number of failures exceeds a preset number in a preset time interval. I.e., by default, if there are more than 10 login failures from the same IP address and the failures are less than 5 seconds apart on average, then it is added to hosts.allow automatically because it is considered a brute force attack. If there are more than 50 failures in total, regardless of the interval, the IP address is added. The script also adds a header block to the hosts.allow file where you can add in a "whitelist" of IP addresses which will always be first in the list and therefore can never be denied.

Since I added these measures, the number of failed login attempts on any given day on my servers has dropped from over 7000 to less than a few hundred on a bad day.

If anyone is interested, there is a project on SourceForge which is similar to what I have written but is far more feature rich. It is however written in Python and I have no intention of ever installing Python on any of my servers unless I absolutely have to. If anyone is interested in a copy of the script, feel free to e-mail me at [email protected]
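Here is an automatic hosts.deny populator of the kind the original post asks about and the comment above describes, added as an example rather than either poster's code, and written in sh/awk instead of Perl. The thresholds are the comment's; the sample log is constructed, and the whitelist address, host name and log line format are assumptions.

```shell
# Added example, not either poster's script: summarise sshd "Failed password"
# lines and emit hosts.deny entries for brute-force sources, skipping a whitelist.
# Thresholds follow the comment above (more than 10 failures averaging under 5 s
# apart, or more than 50 in total). Assumes syslog-style lines such as
# "Mar  3 17:46:34 host sshd[pid]: Failed password for ... from IP ..." and, to
# stay in portable awk, compares times within a single day.

# Constructed sample log, not a real capture: gen_lines IP COUNT STEP_SECONDS
gen_lines() {
  ip=$1; n=$2; step=$3; i=0
  while [ "$i" -lt "$n" ]; do
    s=$((10 * 3600 + i * step))    # first failure at 10:00:00
    printf 'Mar  3 %02d:%02d:%02d mammoth sshd[26428]: Failed password for invalid user test from %s port 1024 ssh2\n' \
      $((s / 3600)) $((s % 3600 / 60)) $((s % 60)) "$ip"
    i=$((i + 1))
  done
}
sample_log() {
  gen_lines 203.0.113.5 12 1       # 12 failures 1 s apart: brute force
  gen_lines 203.0.113.6 12 60      # 12 failures a minute apart: left alone
  gen_lines 198.51.100.7 51 120    # 51 failures: over the hard limit
  gen_lines 192.0.2.10 60 1        # whitelisted admin host: never denied
}
# deny_entries LOG WHITELIST -> sorted "sshd: IP" lines ready for hosts.deny;
# WHITELIST is a whitespace-separated list of addresses that are never denied.
deny_entries() {
  printf '%s\n' "$1" | awk -v min=10 -v gap=5 -v max=50 -v wl="$2" '
    BEGIN { n = split(wl, w, /[ \n]+/); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    /Failed password/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in white)) next
      split($3, t, ":")                       # HH:MM:SS -> seconds since midnight
      s = t[1] * 3600 + t[2] * 60 + t[3]
      if (!(ip in first)) first[ip] = s
      last[ip] = s
      cnt[ip]++
    }
    END {
      for (ip in cnt) {
        c = cnt[ip]
        avg = (c > 1) ? (last[ip] - first[ip]) / (c - 1) : gap
        if (c > max || (c > min && avg < gap)) print "sshd: " ip
      }
    }' | sort
}

deny_entries "$(sample_log)" "192.0.2.10"   # prints the two offending sources
```

Run it from cron against the real log and append the output to /etc/hosts.deny after the whitelist block instead of overwriting the file, so your own address stays out of the denied set.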






Wed Jan 18 19:52:12 2006: 1521   apex


grep 'Failed password' /var/log/messages | cut -f 13 -d ' ' | grep '\.' | sort | uniq -c




Sun Mar 26 02:26:10 2006: 1820   b0x


noob Debian user here

My 2 cents

/etc/cron.hourly/sshd_deny

grep 'Invalid user' /var/log/auth.log* | cut -d ']' --fields=2 | cut -d ' ' --fields=6 | sort | uniq -dc | sort -nr | awk '{ print "sshd: " $2 "/255.255.255.255" }' > /etc/hosts.deny



Fri Sep 5 09:44:19 2008: 4525   Matey


Hello All:
Thanks for the info. (I am looking for Correct Syntax)!

We've been getting many of these would-be hackers on our site lately and I was trying to put all their IP addresses from /var/log/auth.log file into /etc/hosts.deny BUT I keep getting errors from the system such as this one:

warning: /etc/hosts.deny, line 31: missing ":" separator

and so on...(many such lines)?
Here's a portion of my .deny file;

# ALL: PARANOID
ALL:
79.187.241.62:
82.50.250.22:
82.179.130.135:
69.80.255.165:
219.150.196.6:
83.16.112.18:
222.191.240.194:
219.150.196.0/12:
168.234.227.2:
219.150.196.6:
200.228.120.130:

Anyway, as you can see I did put colons (:) as separators. Why then the errors/warnings??

Any idea how you would input separators (using ) debian linux (ubuntu 704?)
BTW I used , (commas) before and got errors about them too?

Thank You!

BTW thanks to those who wrote the Automatic hosts.deny file population! I have not perfected that for my system yet but I get an idea (New to Linux at these levels)!
Regards;






Fri Sep 5 11:22:00 2008: 4526   TonyLawrence

Isn't the format

ALL:ipaddress
ALL:ipaddress

etc.??



Thu Mar 5 06:35:28 2009: 5605   PrestonKutzner

I'm sure you probably have already stumbled upon this utility already, but you could use denyhosts ( http://denyhosts.sourceforge.net ) to do what you're talking about. It is very configurable and watches your auth log as well as managing hosts.deny for you.



Thu Mar 5 11:37:46 2009: 5606   TonyLawrence

Well, I hadn't seen that before so I'm glad you took the time to point us at it!



Thu Mar 5 23:48:43 2009: 5615   ToKy

Besides not allowing root logins I find that using public-keys is the best way to eliminate most of the things mentioned on this post.

Now, when you create your keys you had better put a passphrase on it. Even though it's pretty difficult for someone to get your private key, if they do and you didn't put a passphrase on your key... they just got VIP access to your server. Once the pubkey is set up then disable PasswordAuthentication and that's that, no more brute force through ssh!

On your sshd_config file:
PubkeyAuthentication yes

TRY to set it up locally first before you try to do it remotely, otherwise you might lock yourself out!







Fri Mar 6 03:20:29 2009: 5616   TonyLawrence

Yes, of course. See http://aplawrence.com/Security/sshpassphrases.html here for instructions.



Fri Mar 6 04:13:15 2009: 5617   PrestonKutzner

Well, glad I could help with denyhosts. I've been using it on several servers I administer. It's also handy in that it can be configured to email you when it blocks an IP address. It can add a bit of noise to the SNR, but can be handy to keep an eye on what's going on with regards to SSH on your systems. You can be fairly granular with the configuration too, which I personally like. In general, it's been a good tool in my experience.
