[SATLUG] security, brute force ssh, and others
Daniel J. Givens
daniel at rugmonster.org
Wed Apr 30 07:16:49 CDT 2008
Chris Lemire wrote:
> I want to secure my system even more than it is now.
> Here's a sample of my /var/log/secure.
> Apr 29 01:56:29 localhost unix_chkpwd: password check failed for user (root)
> Apr 29 01:56:29 localhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168 user=root
> Apr 29 01:56:31 localhost sshd: Failed password for root from 22.214.171.124 port 54430 ssh2
> Apr 29 06:56:31 localhost sshd: Received disconnect from 126.96.36.199: 11: Bye Bye
> That IP was traced back to Thailand. I was a hacker running backtrack 3 beta, I F*** him up with metasploit and others, at least a dos such as hping3, milw0rm, etc. /me fires up Backtrack 3 beta in VMWare Server. Check this out.
> [root@localhost ~]# grep "Failed password" /var/log/secure* | wc -l
> [root@localhost ~]#
> I could figure out how to block his stinking IP quickly when I thought I knew how, so I disabled ssh and that was the end of that. Having ssh on a virtual private trusted network could help. Also I'm looking into security measures to stop brute force attacks. I'm thinking of installing IPCop on my second machine and having it act as a router, but I'm pretty happy with its Debian Lenny Encrypted Logical Volumes right now. I want to do the same as the SATLUG and no-ip.com do. I want to block the western hemisphere no matter how much that offends them. Would someone tell me how to accomplish that? I'm loading up Backtrack 3 beta for that Thailand IP right now, several ports opened.
The answer you seek is Fail2Ban (www.fail2ban.org). It will watch your
logs for (definable) patterns and do (definable) actions, such as adding
netfilter rules to drop traffic from offending hosts. I've used it to
great success to block bots like this.
By the way, this is extremely common. You really don't have anything to
worry about here. Just make sure remote root login is disabled in SSH
and think about setting up a group called sshusers and add the
AllowGroups option to /etc/ssh/sshd_config.
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches
one of the patterns. Only group names are valid; a numerical
group ID is not recognized. By default, login is allowed for
all groups. The allow/deny directives are processed in the
following order: DenyUsers, AllowUsers, DenyGroups, and finally
You could also look into key-based authentication. I only use Fail2Ban
to keep my logs from filling up with that crap. I've found that the bots
stop as soon as you block them, so I've got it set to block the
offending IP for 5 minutes. It's enough to make them go away and I can't
think of a single instance that they've come back.
Remember that most bots are just malware infected end-user machines. If
you h@X0r that system, you're breaking your ISP's usage agreement and
risk getting your service discontinued, if not a visit from someone in
law enforcement. Even if you take down one bot, there are thousands more
to do the same thing. If you don't need SSH available to the Internet,
then either shut it off or limit access to it for your local network.
There are plenty of steps you can take at the host level to limit access
to services such as implementing netfilter rules at the host, adding
user-based access rights, disabling unnecessary services, and limiting
the interfaces necessary services listen on. Your reaction to this is a
bit knee jerk. You should investigate steps you can take that don't
involve additional computers driving your electric bill up and eating up
your spare time unless you just want to do that. Most people really
don't need all that.
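As an added illustration of the Fail2Ban approach described in the reply (not code from the list or from Fail2Ban itself): a minimal log watcher that parses "Failed password" lines in the same syslog format as the /var/log/secure excerpt, counts failures per source host inside a time window, and emits the netfilter rule a ban action would add once a host crosses the threshold, with the 5-minute ban time the reply mentions. The log lines, addresses and the 2008 year are constructed; the rule is printed, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format quoted above (addresses are
# documentation ranges, not real hosts; syslog omits the year, so 2008 is assumed).
SAMPLE_LOG = """\
Apr 29 01:56:31 localhost sshd: Failed password for root from 203.0.113.7 port 54430 ssh2
Apr 29 01:56:33 localhost sshd: Failed password for root from 203.0.113.7 port 54431 ssh2
Apr 29 01:56:35 localhost sshd: Failed password for invalid user admin from 203.0.113.7 port 54432 ssh2
Apr 29 01:56:38 localhost sshd: Received disconnect from 203.0.113.7: 11: Bye Bye
Apr 29 01:57:02 localhost sshd: Failed password for bob from 198.51.100.9 port 40100 ssh2
Apr 29 02:30:00 localhost sshd: Failed password for root from 198.51.100.9 port 40101 ssh2
Apr 29 02:30:01 localhost sshd: Failed password for root from 198.51.100.9 port 40102 ssh2
"""

# One failed-password line; tolerates the optional "[pid]" and "invalid user" forms.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+ ssh2$"
)

def scan(log, maxretry=3, findtime=timedelta(minutes=10),
         bantime=timedelta(minutes=5), year=2008):
    """Return (rules, banned): the DROP rules to add, and host -> ban expiry time."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = {}                   # host -> time the ban expires
    rules = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if host in banned and ts < banned[host]:
            continue                      # still banned; nothing more to do
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()              # drop failures older than the window
        if len(window) >= maxretry:
            banned[host] = ts + bantime
            rules.append(f"iptables -I INPUT -s {host} -j DROP")
            window.clear()
    return rules, banned

if __name__ == "__main__":
    for rule in scan(SAMPLE_LOG)[0]:
        print(rule)
```

The second host never reaches three failures inside the 10-minute window, so it is not banned; the first host is, and its ban expires five minutes after the third failure.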