A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit" which is a program that checks your system to see if there is any of a number of root kits installed. He had SuckIt installed on his machine and now has a server to rebuild
Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.
Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:
1. PermitRootLogin no Users just have to login to an unprivileged account, then su if they want root access.
2. Banner /etc/banner This file is displayed after you enter your user name. I changed the banner file as below:
password: $ Unauthorized use of this service is strictly prohibited. Unauthorized attempts to use this service, upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.
3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer
A list of all the folks who cannot login.
4. AllowUsers boopy A list of all the folks who can login, just in case I left anyone out of the previous list. Only boopy gets in.
Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:
ALL: 222.237.79.237\
210.68.8.169\
68.58.89.36\
200.164.92.234\
210.75.224.29\
81.168.255.137\
64.151.75.92\
148.245.97.130\
131.202.163.23\
162.39.201.74\
67.172.114.3\
206.165.120.54\
222.122.60.42\
211.136.90.75\
.
.
.
141.28.18.200
ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.
5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.
Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?
Any other security suggestions?
(On 3/26/2005 Dirk added this:)
Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.
[root@mammoth tmp]# cat test grep 'Failed password' /var/log/secure|cut -d ']' --fields=2|cut -d ' ' --fields=9|uniq -c|sort -nr [root@mammoth tmp]# sh test 707 209.253.78.9 600 193.178.210.35 115 217.34.37.166 107 63.107.208.110 107 220.95.215.148 107 161.53.191.13 90 81.169.137.164 9 211.184.70.140 9 207.207.186.182 8 62.193.236.45 8 208.13.106.89 1 211.90.27.133 1 211.157.102.10
Got something to add? Send me email.
More Articles by Dirk Hart © 2011-04-30 Dirk Hart
Be respectful to your superiors, if you have any. (Mark Twain)
Wed Mar 2 13:23:29 2005: 99 anonymous
Yap, pretty sure I'm going to ban all of Korea and China from ssh on my server.
--dhh
Wed Mar 2 23:18:16 2005: 103 TonyLawrence
There's a pam module for blacklisting: (link)
Might be useful..
Fri Mar 4 00:20:06 2005: 105 adanac
This is what you might see in your log if VerifyReverseMapping fails:
Mar 3 17:46:34 mammoth sshd[26428]: Illegal user jordan from 205.246.18.240
Mar 3 17:46:34 mammoth sshd[26428]: Address 205.246.18.240 maps to monolith.vet
eransadvantage.com, but this does not map back to the address - POSSIBLE BREAKIN
ATTEMPT!
Wed Nov 2 00:25:44 2005: 1267 anonymous
Actually what I've done to date is I put together a list of IP blocks I deny SSH access to by default on every system I build. The list started with all Non-Arin IP blocks and was peared down as I found places where I was a little too aggressive. I also wrote a perl script which I cron to run every couple of minutes which parses my /var/log/secure file for SSH login failures. It then adds new deny entries to the /etc/hosts.allow file to block those IP address's if the number of failures exceeds a preset number in a preset time interval. IE: by default, if there are more than 10 login failures from the same IP address and the failures are less than 5 seconds apart on average, then it is added to host.allow automatically because it is considered a brute force attack. If there are more than 50 failures in total, regardless of the interval, the ip address is added. The script also adds a header block to the hosts.allow file where you can add in a "Whitelist" of IP addresses which will always be first in the list and therefore can never be denied.
Since I added these measures, the number of failed login attempts on any given day on my servers has dropped from over 7000 to less than a few hundred on a bad day.
If anyone is interested, there is a project on sourceforge which is similar to what I have written but is far mor feature rich. It is however written in python and I have no intention of ever installing python on any of my servers unless I absolutely have to. If anyone is interested in a copy of the script, feel free to e-mail me at cgardiner@quadrix.com.
Wed Jan 18 19:52:12 2006: 1521 apex
Sun Mar 26 02:26:10 2006: 1820 b0x
noob Debian user here
My 2 cents
/etc/cron.hourly/sshd_deny
grep 'Invalid user' /var/log/auth.log* | cut -d ']' --fields=2 | cut -d ' ' --fields=6 | uniq -dc | sort -nr | awk '{ print "sshd: " $2 "/255.255.255.255" }' > /etc/hosts.deny
Fri Sep 5 09:44:19 2008: 4525 Matey
Hello All:
Thanks for the info. (I am looking for Correct Syntax)!
We've been getting many of these would-be hackers on our site lately and I was trying to put all their IP addresses from /var/log/auth.log file into /etc/hosts.deny BUT I keep
getting errors from the system such as this one:
warning: /etc/hosts.deny, line 31: missing ":" separator
and so on...(many such lines)?
Here's a portion of my .deny file;
# ALL: PARANOID
ALL:
79.187.241.62:
82.50.250.22:
82.179.130.135:
69.80.255.165:
219.150.196.6:
83.16.112.18:
222.191.240.194:
219.150.196.0/12:
168.234.227.2:
219.150.196.6:
200.228.120.130:
Any ways as you can see I did put Colons : as separators. why then errors/warnings??
Any idea how you would input separators (using ) debian linux (ubuntu 704?)
BTW I used , (commas) before and got errors about them too?
Thank You!
BTW thanks to those who wrote the Automatic hosts.deny file population! I have not perfected that for my system yet but I get an idea (New to Linux at these levels)!
Regards;
Fri Sep 5 11:22:00 2008: 4526 TonyLawrence
Isn't the format
ALL:ipaddress
ALL:ipaddress
etc.??
Thu Mar 5 06:35:28 2009: 5605 PrestonKutzner
I'm sure you probably have already stumbled upon this utility already, but you could use denyhosts ( (link) ) to do what you're talking about. It is very configurable and watches your auth log as well as managing hosts.deny for you.
Thu Mar 5 11:37:46 2009: 5606 TonyLawrence
Well, I hadn't seen that before so I'm glad you took the time to point us at it!
Thu Mar 5 23:48:43 2009: 5615 ToKy
Besides not allowing root logins I find that using public-keys is the best way to eliminate most of the things mentioned on this post.
Now, when you create your keys you better put a passphrase to it. Even though its pretty difficult for someone to get your private key, if they do and you didn't put a passphrase on your key....they just got VIP access to your server. Once the pubkey is setup then disable passwordauthentication and thats that, no more brute force thru ssh!
On your sshd_config file:
PubkeyAuthentication yes
TRY to set it up locally first before you try to do it remotly other wise you might lock yourself out!
Fri Mar 6 03:20:29 2009: 5616 TonyLawrence
Yes, of course. See (link) here for instructions.
Fri Mar 6 04:13:15 2009: 5617 PrestonKutzner
Well, glad I could help with denyhosts. I've been using it on several servers I administer. It's also handy in that it can be configured to email you when it blocks an IP address. It can add a bit of noise to the SNR, but can be handy to keep an eye on what's going on with regards to SSH on your systems. You can be fairly granular with the configuration too, which I personally like. In general, it's been a good tool in my experience.
------------------------
Printer Friendly Version
More ssh ideas Copyright © February 2005 Dirk Hart
Have you tried Searching this site?
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.
Contact us
Printer Friendly Version