[SATLUG] security, brute force ssh, and others

Daniel J. Givens daniel at rugmonster.org
Wed Apr 30 07:16:49 CDT 2008


Chris Lemire wrote:
> I want to secure my system even more than it is now.
> 
> Here's a sample of of my /var/log/secure.
> 
> Apr 29 01:56:29 localhost unix_chkpwd[18920]: password check failed for user (root)
> Apr 29 01:56:29 localhost sshd[18918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:31 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
> Apr 29 06:56:31 localhost sshd[18919]: Received disconnect from 61.7.231.74: 11: Bye Bye

...

> That IP was traced back to Thailand. I'm a hacker running BackTrack 3 beta; I'll F*** him up with Metasploit and others, at least a DoS such as hping3, milw0rm, etc. /me fires up BackTrack 3 beta in VMware Server. Check this out.
> 
> [root@localhost ~]# grep "Failed password" /var/log/secure* | wc -l
> 10955
> [root@localhost ~]# 
> 
> I couldn't figure out how to block his stinking IP quickly when I thought I knew how, so I disabled SSH and that was the end of that. Having SSH on a virtual private trusted network could help. Also, I'm looking into security measures to stop brute force attacks. I'm thinking of installing IPCop on my second machine and having it act as a router, but I'm pretty happy with its Debian Lenny encrypted logical volumes right now. I want to do the same as SATLUG and no-ip.com do. I want to block the western hemisphere no matter how much that offends them. Would someone tell me how to accomplish that? I'm loading up BackTrack 3 beta for that Thailand IP right now, several ports opened.


The answer you seek is Fail2Ban (www.fail2ban.org). It will watch your 
logs for (definable) patterns and do (definable) actions, such as adding 
netfilter rules to drop traffic from offending hosts. I've used it to 
great success to block bots like this.

By the way, this is extremely common. You really don't have anything to 
worry about here. Just make sure remote root login is disabled in SSH 
and think about setting up a group called sshusers and add the 
AllowGroups option to /etc/ssh/sshd_config.

AllowGroups
	This keyword can be followed by a list of group name patterns,
	separated by spaces.  If specified, login is allowed only for
	users whose primary group or supplementary group list matches
	one of the patterns.  Only group names are valid; a numerical
	group ID is not recognized.  By default, login is allowed for
	all groups.  The allow/deny directives are processed in the
	following order: DenyUsers, AllowUsers, DenyGroups, and finally
	AllowGroups.

You could also look into key-based authentication. I only use Fail2Ban 
to keep my logs from filling up with that crap. I've found that the bots 
stop as soon as you block them, so I've got it set to block the 
offending IP for 5 minutes. It's enough to make them go away and I can't 
think of a single instance that they've come back.

Remember that most bots are just malware infected end-user machines. If 
you h@X0r that system, you're breaking your ISP's usage agreement and 
risk getting your service discontinued, if not a visit from someone in 
law enforcement. Even if you take down one bot, there are thousands more 
to do the same thing. If you don't need SSH available to the Internet, 
then either shut it off or limit access to it for your local network.

There are plenty of steps you can take at the host level to limit access 
to services, such as implementing netfilter rules at the host, adding 
user-based access rights, disabling unnecessary services, and limiting 
the interfaces necessary services listen on. Your reaction to this is a 
bit knee-jerk. You should investigate steps you can take that don't 
involve additional computers driving your electric bill up and eating up 
your spare time unless you just want to do that. Most people really 
don't need all that.

Cheers,
Daniel
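
Added example, not part of Daniel's message and not fail2ban's own code: the "watch the log for a pattern, then add a netfilter rule" step fail2ban performs, reduced to a POSIX shell script run over a constructed sample in the format of the /var/log/secure lines quoted above. It counts "Failed password" lines per source address and prints the rule fail2ban's iptables action would insert once an address reaches the retry threshold. The second address 192.0.2.10, the MAXRETRY variable and the exact rule text are my choices; unlike fail2ban, it counts over the whole input rather than a findtime window, and it never runs iptables itself.

```shell
#!/bin/sh
# Added example, not Daniel's code and not part of fail2ban: a minimal
# fail2ban-style pass over sshd "Failed password" lines. It counts failures
# per source address over the whole input (fail2ban additionally limits the
# count to a findtime window) and prints the netfilter rule its iptables
# action would add once a host crosses MAXRETRY. Nothing here runs iptables.

MAXRETRY=${MAXRETRY:-5}     # fail2ban's default maxretry is 5

# Constructed sample in the format of the /var/log/secure lines quoted in
# the thread (not a real capture). 192.0.2.10 is a documentation address
# standing in for a second, legitimate-but-fumbling client.
sample_log() {
cat <<'EOF'
Apr 29 01:56:29 localhost unix_chkpwd[18920]: password check failed for user (root)
Apr 29 01:56:29 localhost sshd[18918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
Apr 29 01:56:31 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
Apr 29 01:56:33 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
Apr 29 01:56:35 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
Apr 29 01:56:36 localhost sshd[18919]: Received disconnect from 61.7.231.74: 11: Bye Bye
Apr 29 01:56:40 localhost sshd[18921]: Failed password for invalid user admin from 61.7.231.74 port 54431 ssh2
Apr 29 01:56:42 localhost sshd[18921]: Failed password for invalid user admin from 61.7.231.74 port 54431 ssh2
Apr 29 01:56:44 localhost sshd[18921]: Failed password for invalid user oracle from 61.7.231.74 port 54431 ssh2
Apr 29 01:58:02 localhost sshd[18930]: Failed password for chris from 192.0.2.10 port 40112 ssh2
Apr 29 01:58:07 localhost sshd[18930]: Failed password for chris from 192.0.2.10 port 40112 ssh2
Apr 29 01:58:12 localhost sshd[18930]: Accepted password for chris from 192.0.2.10 port 40112 ssh2
EOF
}

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source
# address, highest count first. Only "Failed password ... from <ip> port"
# lines count; the pam_unix and unix_chkpwd lines for the same attempt are
# ignored so a single guess is not counted twice.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+ ssh2$/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: addresses that have reached MAXRETRY failures.
offenders() {
    failed_by_ip | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# ban_rule IP: the rule fail2ban's iptables action inserts. The unban that
# fail2ban runs after bantime is the same rule with -D in place of -I.
ban_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Demonstration over the constructed sample: only 61.7.231.74 is banned.
sample_log | offenders | while read -r ip; do ban_rule "$ip"; done
```

Against a real file, `offenders < /var/log/secure` gives the candidate list. The five-minute ban Daniel describes is `bantime = 300` (seconds) in the `[ssh-iptables]` section of fail2ban's jail.conf, where fail2ban's own sshd filter also matches other sshd failure messages and executes the iptables action for you.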

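Added example, not from the original post: the sshd_config changes the reply recommends (remote root login off, an `sshusers` group gated by AllowGroups, key-based instead of password authentication) next to a stock-looking file, with a small audit function that reports which of them a given config is missing. The group name sshusers comes from the post; the PubkeyAuthentication and MaxAuthTries lines, the finding messages and the temporary files are my additions. Run `sshd -t` on the real file before restarting sshd, and test a fresh login before closing the session you are in.

```shell
#!/bin/sh
# Added example, not from the original post: the sshd_config settings the
# reply recommends (no root login, AllowGroups sshusers, key-based auth)
# next to a stock-looking config, with an audit function that reports which
# of them a given file is missing. Run `sshd -t` on the real file before
# restarting sshd; a typo in sshd_config can lock you out.

# effective_value FILE KEYWORD: sshd uses the first occurrence of a keyword,
# and Match blocks override it per connection, so report the first
# occurrence before any Match block, lower-cased. Empty output = not set.
effective_value() {
    awk -v key="$2" '
        substr($1, 1, 1) == "#"     { next }    # comment line
        tolower($1) == "match"      { exit }    # stop at the first Match block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak or missing setting and
# return the number of findings (0 = passes). An unset PermitRootLogin is
# flagged because OpenSSH of this era defaulted it to yes.
audit_sshd_config() {
    cfg=$1
    findings=0
    if [ "$(effective_value "$cfg" PermitRootLogin)" != "no" ]; then
        printf 'PermitRootLogin is not "no" (unset means yes)\n'
        findings=$((findings + 1))
    fi
    if [ -z "$(effective_value "$cfg" AllowGroups)" ]; then
        printf 'AllowGroups is unset: every account with a shell may try to log in\n'
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$cfg" PasswordAuthentication)" != "no" ]; then
        printf 'PasswordAuthentication is not "no": passwords remain guessable\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed files standing in for /etc/ssh/sshd_config before and after.
WEAK=$(mktemp)
HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat >"$HARDENED" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowGroups sshusers
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
EOF

# Before switching to the hardened file, create the group and put your own
# login in it, then install your public key:
#   groupadd sshusers && usermod -a -G sshusers <your login>
#   cat id_rsa.pub >> ~/.ssh/authorized_keys

printf '== weak ==\n';     audit_sshd_config "$WEAK"     || printf '%d findings\n' "$?"
printf '== hardened ==\n'; audit_sshd_config "$HARDENED" || printf '%d findings\n' "$?"
```

The commented-out `#PermitRootLogin no` in the weak file is the usual trap: the line looks present but the default still applies, which is why the audit reads the effective value rather than grepping for the keyword. `audit_sshd_config /etc/ssh/sshd_config` runs the same checks on the live file.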
