More ssh ideas

Author: Dirk Hart
Date: Thu Feb 24 23:10:38 2005
Subject: More ssh ideas

A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit" which is a program that checks your system to see if there is any of a number of root kits installed. He had SuckIt installed on his machine and now has a server to rebuild

Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.

Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:

1. PermitRootLogin no Users just have to login to an unprivileged account, then su if they want root access.

2. Banner /etc/banner This file is displayed after you enter your user name. I changed the banner file as below:

password:
$

Unauthorized use of this service is strictly prohibited.  Unauthorized
attempts to use this service, upload information or change information
on this service are strictly prohibited and may be punishable under the
Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act.

I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.

3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer

A list of all the folks who cannot login.

4. AllowUsers boopy A list of all the folks who can login, just in case I left anyone out of the previous list. Only boopy gets in.

Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:

ALL: 222.237.79.237\
210.68.8.169\
68.58.89.36\
200.164.92.234\
210.75.224.29\
81.168.255.137\
64.151.75.92\
148.245.97.130\
131.202.163.23\
162.39.201.74\
67.172.114.3\
206.165.120.54\
222.122.60.42\
211.136.90.75\
.
.
.
141.28.18.200

ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.

5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.

Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?

Any other security suggestions?

(On 3/26/2005 Dirk added this:)

Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.

[root@mammoth tmp]# cat test
grep 'Failed password' /var/log/secure|cut -d ']' --fields=2|cut -d ' '
--fields=9|uniq -c|sort -nr

[root@mammoth tmp]# sh test
   707 209.253.78.9
   600 193.178.210.35
   115 217.34.37.166
   107 63.107.208.110
   107 220.95.215.148
   107 161.53.191.13
    90 81.169.137.164
     9 211.184.70.140
     9 207.207.186.182
     8 62.193.236.45
     8 208.13.106.89
     1 211.90.27.133
     1 211.157.102.10

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER) (NEWEST)

Printer Friendly Version

Home

Dirk Hart

-> More ssh ideas

13 comments

Increase ad revenue 50-250% with Ezoic

Inexpensive and informative Apple related e-books:

Take Control of Numbers

Take Control of Security for Mac Users

Take Control of OS X Server

Take Control of Preview

El Capitan: A Take Control Crash Course

Wed Mar 2 13:23:29 2005: 99 anonymous

Yap, pretty sure I'm going to ban all of Korea and China from ssh on my server.

--dhh

Wed Mar 2 23:18:16 2005: 103 TonyLawrence

There's a pam module for blacklisting: (link)

Might be useful..

Fri Mar 4 00:20:06 2005: 105 adanac

This is what you might see in your log if VerifyReverseMapping fails:

Mar 3 17:46:34 mammoth sshd[26428]: Illegal user jordan from 205.246.18.240
Mar 3 17:46:34 mammoth sshd[26428]: Address 205.246.18.240 maps to monolith.vet
eransadvantage.com, but this does not map back to the address - POSSIBLE BREAKIN
ATTEMPT!

Wed Nov 2 00:25:44 2005: 1267 anonymous

Actually what I've done to date is I put together a list of IP blocks I deny SSH access to by default on every system I build. The list started with all Non-Arin IP blocks and was peared down as I found places where I was a little too aggressive. I also wrote a perl script which I cron to run every couple of minutes which parses my /var/log/secure file for SSH login failures. It then adds new deny entries to the /etc/hosts.allow file to block those IP address's if the number of failures exceeds a preset number in a preset time interval. IE: by default, if there are more than 10 login failures from the same IP address and the failures are less than 5 seconds apart on average, then it is added to host.allow automatically because it is considered a brute force attack. If there are more than 50 failures in total, regardless of the interval, the ip address is added. The script also adds a header block to the hosts.allow file where you can add in a "Whitelist" of IP addresses which will always be first in the list and therefore can never be denied.

Since I added these measures, the number of failed login attempts on any given day on my servers has dropped from over 7000 to less than a few hundred on a bad day.

If anyone is interested, there is a project on sourceforge which is similar to what I have written but is far mor feature rich. It is however written in python and I have no intention of ever installing python on any of my servers unless I absolutely have to. If anyone is interested in a copy of the script, feel free to e-mail me at cgardiner@quadrix.com.

Wed Jan 18 19:52:12 2006: 1521 apex

grep 'Failed password' /var/log/messages | cut -f 13 -d ' ' | grep '\.' | uniq -c

Sun Mar 26 02:26:10 2006: 1820 b0x

noob Debian user here

My 2 cents

/etc/cron.hourly/sshd_deny

grep 'Invalid user' /var/log/auth.log* | cut -d ']' --fields=2 | cut -d ' ' --fields=6 | uniq -dc | sort -nr | awk '{ print "sshd: " $2 "/255.255.255.255" }' > /etc/hosts.deny

Fri Sep 5 09:44:19 2008: 4525 Matey

Hello All:
Thanks for the info. (I am looking for Correct Syntax)!

We've been getting many of these would-be hackers on our site lately and I was trying to put all their IP addresses from /var/log/auth.log file into /etc/hosts.deny BUT I keep
getting errors from the system such as this one:

warning: /etc/hosts.deny, line 31: missing ":" separator

and so on...(many such lines)?
Here's a portion of my .deny file;

# ALL: PARANOID
ALL:
79.187.241.62:
82.50.250.22:
82.179.130.135:
69.80.255.165:
219.150.196.6:
83.16.112.18:
222.191.240.194:
219.150.196.0/12:
168.234.227.2:
219.150.196.6:
200.228.120.130:

Any ways as you can see I did put Colons : as separators. why then errors/warnings??

Any idea how you would input separators (using ) debian linux (ubuntu 704?)
BTW I used , (commas) before and got errors about them too?

Thank You!

BTW thanks to those who wrote the Automatic hosts.deny file population! I have not perfected that for my system yet but I get an idea (New to Linux at these levels)!
Regards;

Fri Sep 5 11:22:00 2008: 4526 TonyLawrence

Isn't the format

ALL:ipaddress
ALL:ipaddress

etc.??

Thu Mar 5 06:35:28 2009: 5605 PrestonKutzner

I'm sure you probably have already stumbled upon this utility already, but you could use denyhosts ( (link) ) to do what you're talking about. It is very configurable and watches your auth log as well as managing hosts.deny for you.

Thu Mar 5 11:37:46 2009: 5606 TonyLawrence

Well, I hadn't seen that before so I'm glad you took the time to point us at it!

Thu Mar 5 23:48:43 2009: 5615 ToKy

Besides not allowing root logins I find that using public-keys is the best way to eliminate most of the things mentioned on this post.

Now, when you create your keys you better put a passphrase to it. Even though its pretty difficult for someone to get your private key, if they do and you didn't put a passphrase on your key....they just got VIP access to your server. Once the pubkey is setup then disable passwordauthentication and thats that, no more brute force thru ssh!

On your sshd_config file:
PubkeyAuthentication yes

TRY to set it up locally first before you try to do it remotly other wise you might lock yourself out!

Fri Mar 6 03:20:29 2009: 5616 TonyLawrence

Yes, of course. See (link) here for instructions.

Fri Mar 6 04:13:15 2009: 5617 PrestonKutzner

Well, glad I could help with denyhosts. I've been using it on several servers I administer. It's also handy in that it can be configured to email you when it blocks an IP address. It can add a bit of noise to the SNR, but can be handy to keep an eye on what's going on with regards to SSH on your systems. You can be fairly granular with the configuration too, which I personally like. In general, it's been a good tool in my experience.

------------------------

Printer Friendly Version

Have you tried Searching this site?

Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Printer Friendly Version