Maximal protection of SSH attacks. If your server
has to stay with open port SSH (Secure Shell) to the whole
world
If you're a a remote Linux many other Unix based OSes, you have
defitenily faced the security threat of many failed ssh logins or
as it's better known
a brute force attack
During such attacks your
/var/log/messages or
/var/log/auth gets filled in with various failed password
logs like for example:
Feb 3 20:25:50 linux sshd[32098]: Failed password for invalid
user oracle from 95.154.249.193 port 51490 ssh2
Feb 3 20:28:30 linux sshd[32135]: Failed password for invalid user
oracle1 from 95.154.249.193 port 42778 ssh2
Feb 3 20:28:55 linux sshd[32141]: Failed password for invalid user
test1 from 95.154.249.193 port 51072 ssh2
Feb 3 20:30:15 linux sshd[32163]: Failed password for invalid user
test from 95.154.249.193 port 47481 ssh2
Feb 3 20:33:20 linux sshd[32211]: Failed password for invalid user
testuser from 95.154.249.193 port 51731 ssh2
Feb 3 20:35:32 linux sshd[32249]: Failed password for invalid user
user from 95.154.249.193 port 38966 ssh2
Feb 3 20:35:59 linux sshd[32256]: Failed password for invalid user
user1 from 95.154.249.193 port 55850 ssh2
Feb 3 20:36:25 linux sshd[32268]: Failed password for invalid user
user3 from 95.154.249.193 port 36610 ssh2
Feb 3 20:36:52 linux sshd[32274]: Failed password for invalid user
user4 from 95.154.249.193 port 45514 ssh2
Feb 3 20:37:19 linux sshd[32279]: Failed password for invalid user
user5 from 95.154.249.193 port 54262 ssh2
Feb 3 20:37:45 linux sshd[32285]: Failed password for invalid user
user2 from 95.154.249.193 port 34755 ssh2
Feb 3 20:38:11 linux sshd[32292]: Failed password for invalid user
info from 95.154.249.193 port 43146 ssh2
Feb 3 20:40:50 linux sshd[32340]: Failed password for invalid user
peter from 95.154.249.193 port 46411 ssh2
Feb 3 20:43:02 linux sshd[32372]: Failed password for invalid user
amanda from 95.154.249.193 port 59414 ssh2
Feb 3 20:43:28 linux sshd[32378]: Failed password for invalid user
postgres from 95.154.249.193 port 39228 ssh2
Feb 3 20:43:55 linux sshd[32384]: Failed password for invalid user
ftpuser from 95.154.249.193 port 47118 ssh2
Feb 3 20:44:22 linux sshd[32391]: Failed password for invalid user
fax from 95.154.249.193 port 54939 ssh2
Feb 3 20:44:48 linux sshd[32397]: Failed password for invalid user
cyrus from 95.154.249.193 port 34567 ssh2
Feb 3 20:45:14 linux sshd[32405]: Failed password for invalid user
toto from 95.154.249.193 port 42350 ssh2
Feb 3 20:45:42 linux sshd[32410]: Failed password for invalid user
sophie from 95.154.249.193 port 50063 ssh2
Feb 3 20:46:08 linux sshd[32415]: Failed password for invalid user
yves from 95.154.249.193 port 59818 ssh2
Feb 3 20:46:34 linux sshd[32424]: Failed password for invalid user
trac from 95.154.249.193 port 39509 ssh2
Feb 3 20:47:00 linux sshd[32432]: Failed password for invalid user
webmaster from 95.154.249.193 port 47424 ssh2
Feb 3 20:47:27 linux sshd[32437]: Failed password for invalid user
postfix from 95.154.249.193 port 55615 ssh2
Feb 3 20:47:54 linux sshd[32442]: Failed password for www-data from
95.154.249.193 port 35554 ssh2
Feb 3 20:48:19 linux sshd[32448]: Failed password for invalid user
temp from 95.154.249.193 port 43896 ssh2
Feb 3 20:48:46 linux sshd[32453]: Failed password for invalid user
service from 95.154.249.193 port 52092 ssh2
Feb 3 20:49:13 linux sshd[32458]: Failed password for invalid user
tomcat from 95.154.249.193 port 60261 ssh2
Feb 3 20:49:40 linux sshd[32464]: Failed password for invalid user
upload from 95.154.249.193 port 40236 ssh2
Feb 3 20:50:06 linux sshd[32469]: Failed password for invalid user
debian from 95.154.249.193 port 48295 ssh2
Feb 3 20:50:32 linux sshd[32479]: Failed password for invalid user
apache from 95.154.249.193 port 56437 ssh2
Feb 3 20:51:00 linux sshd[32492]: Failed password for invalid user
rds from 95.154.249.193 port 45540 ssh2
Feb 3 20:51:26 linux sshd[32501]: Failed password for invalid user
exploit from 95.154.249.193 port 53751 ssh2
Feb 3 20:51:51 linux sshd[32506]: Failed password for invalid user
exploit from 95.154.249.193 port 33543 ssh2
Feb 3 20:52:18 linux sshd[32512]: Failed password for invalid user
postgres from 95.154.249.193 port 41350 ssh2
Feb 3 21:02:04 linux sshd[32652]: Failed password for invalid user
shell from 95.154.249.193 port 54454 ssh2
Feb 3 21:02:30 linux sshd[32657]: Failed password for invalid user
radio from 95.154.249.193 port 35462 ssh2
Feb 3 21:02:57 linux sshd[32663]: Failed password for invalid user
anonymous from 95.154.249.193 port 44290 ssh2
Feb 3 21:03:23 linux sshd[32668]: Failed password for invalid user
mark from 95.154.249.193 port 53285 ssh2
Feb 3 21:03:50 linux sshd[32673]: Failed password for invalid user
majordomo from 95.154.249.193 port 34082 ssh2
Feb 3 21:04:43 linux sshd[32684]: Failed password for irc from
95.154.249.193 port 50918 ssh2
Feb 3 21:05:36 linux sshd[32695]: Failed password for root from
95.154.249.193 port 38577 ssh2
Feb 3 21:06:30 linux sshd[32705]: Failed password for bin from
95.154.249.193 port 53564 ssh2
Feb 3 21:06:56 linux sshd[32714]: Failed password for invalid user
dev from 95.154.249.193 port 34568 ssh2
Feb 3 21:07:23 linux sshd[32720]: Failed password for root from
95.154.249.193 port 43799 ssh2
Feb 3 21:09:10 linux sshd[32755]: Failed password for invalid user
bob from 95.154.249.193 port 50026 ssh2
Feb 3 21:09:36 linux sshd[32761]: Failed password for invalid user
r00t from 95.154.249.193 port 58129 ssh2
Feb 3 21:11:50 linux sshd[537]: Failed password for root from
95.154.249.193 port 58358 ssh2
This
brute force dictionary attacks often succeed where
there is a user with a weak a password, or some old forgotten test
user account.
Just recently on one of the servers I administrate I have catched a
malicious attacker originating from Romania, who was able to break
with my system
test account with the weak password
tset .
Thanksfully the
script kiddie was unable to get root access
to my system, so what he did is he just started another ssh brute
force scanner to crawl the net and look for some other vulnerable
hosts.
As you read in my recent example being immune against SSH brute
force attacks is a very essential security step, the administrator
needs to take on a newly installed server.
The
easiest way to get read of the brute force attacks
without using some external brute force filtering software like
fail2ban can be done by:
1.
By using an iptables filtering rule to filter every IP which
has failed in logging in more than 5 times
To use this brute force prevention method you need to use the
following iptables rules:
linux-host:~# /sbin/iptables -I INPUT -p tcp --dport 22 -i
eth0 -m state -state NEW -m recent -set
linux-host:~# /sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m
state -state NEW \
-m recent -update -seconds 60 -hitcount 5 -j
DROP
This iptables rules will filter out the SSH port to an every IP
address with more than 5 invalid attempts to login to
port
22
2.
Getting rid of brute force attacks through use of hosts.deny
blacklists
sshbl - The
SSH blacklist, updated every few minutes, contains IP addresses of
hosts which tried to bruteforce into any of currently 19 hosts (all
running OpenBSD, FreeBSD or some Linux) using the SSH protocol. The
hosts are located in Germany, the United States, United Kingdom,
France, England, Ukraine, China, Australia, Czech Republic and
setup to report and log those attempts to a central database. Very
similar to all the spam blacklists out there.
To use
sshbl you will have to set up in your root crontab
the following line:
*/60 * * * * /usr/bin/wget -qO /etc/hosts.deny
http://www.sshbl.org/lists/hosts.deny
To set it up from console issue:
linux-host:~# echo '*/60 * * * * /usr/bin/wget -qO
/etc/hosts.deny http://www.sshbl.org/lists/hosts.deny' | crontab -u
root -
These crontab will download and substitute your system default
hosts with the one regularly updated on
sshbl.org , thus
next time a brute force attacker which has been a reported attacker
will be filtered out as your Linux or Unix system finds out the IP
matches an ip in
/etc/hosts.deny
The
/etc/hosts.deny filtering rules are written in a way
that only publicly known brute forcer IPs will only be filtered for
the SSH service, therefore other system services like
Apache or
a radio, tv streaming server will be still accessible for the
brute forcer IP.
It's a good practice actually to use both of the methods ;)
Thanks to
Static (Multics) a close friend of mine for
inspiring this article.