LinHES Forums
http://forum.linhes.org/

Securing SSH: auditing the logs
http://forum.linhes.org/viewtopic.php?f=5&t=21278
Page 1 of 1

Author:  gatorback [ Fri Aug 13, 2010 9:22 pm ]
Post subject:  Securing SSH: auditing the logs

I used these commands to search the SSH logs:

Code:
[root@mythtv ~]# grep -ir ssh /var/log/* > output.txt


Code:
[root@mythtv ~]# grep -ir BREAK-IN /var/log/auth.log > breakin.txt


I noticed there were quite a few connection refusals from unknown IP addresses.

Is there anything that I need to do (short of closing up port 22)? I suppose that I could map it to another port; however, that would do little because I would think there are plenty of port scanners out there.
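The two greps above pull out raw lines. The Python below is an added example, not from this thread, that parses the standard OpenSSH auth.log messages and tallies what a practitioner actually wants to know per source address: how many password failures, which usernames were tried (and which did not exist), whether the source tripped the reverse-DNS message ("POSSIBLE BREAK-IN ATTEMPT!", which OpenSSH logs whenever the client's PTR record does not resolve back to its address, so it also fires for legitimate clients with broken DNS), and, most importantly, whether a noisy source was eventually Accepted. The sample log is constructed for the example: the lines for 62.141.33.225 follow the excerpt posted later in this thread, the other addresses are documentation ranges and a LAN address.

```python
import re
from collections import defaultdict

# OpenSSH auth.log messages (after the syslog prefix "Mon DD HH:MM:SS host sshd[pid]: ").
FAILED   = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S*) from (\d+\.\d+\.\d+\.\d+) port \d+")
INVALID  = re.compile(r"sshd\[\d+\]: Invalid user (\S*) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
REVDNS   = re.compile(r"sshd\[\d+\]: Address (\d+\.\d+\.\d+\.\d+) maps to (\S+), but this does not map back")

# Constructed sample log: 62.141.33.225 lines modelled on the thread's excerpt,
# 203.0.113.5 is an RFC 5737 documentation address, 192.168.1.20 a LAN client.
SAMPLE_AUTH_LOG = """\
Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 09:31:44 mythtv sshd[16751]: Invalid user oracle from 62.141.33.225
Aug 14 09:31:46 mythtv sshd[16751]: Failed password for invalid user oracle from 62.141.33.225 port 35402 ssh2
Aug 14 09:31:48 mythtv sshd[16755]: Failed password for root from 62.141.33.225 port 35460 ssh2
Aug 14 09:40:02 mythtv sshd[16802]: Failed password for root from 203.0.113.5 port 51012 ssh2
Aug 14 09:40:05 mythtv sshd[16802]: Failed password for root from 203.0.113.5 port 51012 ssh2
Aug 14 09:40:09 mythtv sshd[16802]: Accepted password for root from 203.0.113.5 port 51012 ssh2
Aug 14 10:02:11 mythtv sshd[16900]: Accepted publickey for mythtv from 192.168.1.20 port 40122 ssh2
""".splitlines()


def new_record():
    return {"failed": 0, "usernames": set(), "invalid_users": set(),
            "accepted": [], "revdns_mismatch": False}


def summarize(lines):
    """Aggregate sshd log lines per client address."""
    per_ip = defaultdict(new_record)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip]["failed"] += 1
            per_ip[ip]["usernames"].add(user)
            continue
        m = INVALID.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip]["invalid_users"].add(user)   # username enumeration
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            per_ip[ip]["accepted"].append((user, method))
            continue
        m = REVDNS.search(line)
        if m:
            ip, _host = m.groups()
            per_ip[ip]["revdns_mismatch"] = True     # informational, not an attack by itself
    return dict(per_ip)


def suspects(per_ip, min_failed=3):
    """Addresses worth acting on: many failures, or any failures followed by a success
    (a guess that worked is the one line in the whole log you must not miss)."""
    out = [ip for ip, rec in per_ip.items()
           if rec["failed"] >= min_failed or (rec["failed"] and rec["accepted"])]
    return sorted(out, key=lambda ip: -per_ip[ip]["failed"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUTH_LOG)
    for ip in suspects(summary):
        rec = summary[ip]
        print(f"{ip:15} failed={rec['failed']} users={sorted(rec['usernames'])} "
              f"invalid={sorted(rec['invalid_users'])} accepted={rec['accepted']} "
              f"revdns_mismatch={rec['revdns_mismatch']}")
```

Feed it `/var/log/auth.log` (or the output.txt from the grep above) with `summarize(open(path))`. A source with failures and then an Accepted line should be treated as a compromise, not a nuisance, regardless of how few failures it took.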

Author:  graysky [ Sat Aug 14, 2010 8:42 am ]
Post subject: 

Best advice is to use a high non-standard port (like >40000). You can try a knock script if you want which causes ssh only to allow connections that try to come in on several ports in a specific order.

Author:  Martian [ Sat Aug 14, 2010 10:54 am ]
Post subject: 

I use denyhosts to help keep my ssh a little more secure.

http://denyhosts.sourceforge.net/

Author:  gatorback [ Sat Aug 14, 2010 12:08 pm ]
Post subject: 

@Martian: cool. A process that reviews logs for IP addresses of suspected breakins and puts them on the deny list. I found this URL to install, however, I am hesitant to use this because LinHes has migrated from Debian to ArchLinux: apt-get is replaced by pacman. I am not sure what other gotchas there would be. Martian, did you get this working with LinHes? I looked in your signature, but did not see this info. Maybe the optimal COA is remapping SSH to a nonstandard port and enabling port 22 as a 'honeypot' for the script to identify and block attacks.

OK, so I reviewed my log again and I found this:

Quote:
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.141.33.225
/var/log/auth.log:Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
/var/log/auth.log:Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


The log shows 30 attempts every 4 seconds. This IP address has earned a spot on the deny hosts list.

Given that there is a hosts.allow file:

Code:
cat /etc/hosts.allow

Quote:
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file

I reasoned there is a hosts.deny file and added the offender's IP address range to the deny list:

Code:
cat /etc/hosts.deny

Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
ALL: 62.141.33.
#
# ALL: ALL: DENY

# End of file


Not sure if my syntax of the IP address in hosts.deny is correct. Do the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh in.

I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents, from the offending IP range, in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.

Given that I only intend to access this machine from CONUS, I think that a list of IP address blocks could be added to hosts.deny: I would have no qualms blocking all OCONUS IP addresses. I am not sure what the Google keyword would be to search for this list: suggestions are appreciated.

Author:  uteck [ Sat Aug 14, 2010 12:47 pm ]
Post subject: 

gatorback wrote:
Quote:
Not sure if my syntax of the IP address in hosts.deny is correct. Does the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh-in.
This is correct. The hosts files are a 2-step process: first hosts.allow is checked to see if the service is allowed, or if a white list is being used of authorized IPs, then hosts.deny is checked for denied services and IPs.
Quote:
I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.


Your files look good to me. Kind of hard to test since you would have to spoof that IP which is a bit beyond me.
But if you wanted to manually install Denyhosts, it is just a python script that is called via a cron job every 5 minutes, so you could manually install it if you wanted to. The only downside I experienced was when my hosts.deny file had over 20k entries and it took about a minute for that old box to parse the file.
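As an added illustration, not part of this thread, here is the decision order from hosts_access(5) modelled in Python and run against the two files posted above. The manual page's rule is: a (daemon, client) pair that matches an entry in /etc/hosts.allow is granted access and hosts.deny is not consulted at all; otherwise a match in /etc/hosts.deny refuses it; otherwise access is granted. The model handles only the pattern forms used in this thread (ALL, an exact address, and a trailing-dot prefix such as 192.168.); hostname, netmask, KNOWN/LOCAL patterns and the option field after a second colon are left out. The "LAN only" variant of hosts.allow and the default-deny hosts.deny are constructed for the comparison.

```python
HOSTS_ALLOW = """\
# /etc/hosts.allow  (as posted in the thread)
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
"""

HOSTS_ALLOW_LAN_ONLY = """\
# constructed variant: same file with the blanket sshd:ALL line removed
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
"""

HOSTS_DENY = """\
# /etc/hosts.deny  (as posted in the thread)
ALL: 62.141.33.
"""

HOSTS_DENY_DEFAULT = """\
# constructed variant: the line the thread left commented out, made active
ALL: ALL: DENY
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns)] for 'daemons : clients [: option]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip().lower() for f in line.split(":")]
        if len(fields) < 2:
            continue                                  # no daemon:client separator; skipped here
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]   # fields[2:] would be options
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Only the forms used in the thread: ALL, a trailing-dot address prefix, an exact address."""
    if pattern == "all":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("all", daemon.lower()) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def hosts_access(allow_text, deny_text, daemon, addr):
    """hosts_access(5): first hosts.allow match grants (hosts.deny is never read);
    else first hosts.deny match refuses; else access is granted.
    Returns (verdict, which file decided)."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, addr):
            return ("ALLOW", "hosts.allow")
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, addr):
            return ("DENY", "hosts.deny")
    return ("ALLOW", "no match")


if __name__ == "__main__":
    cases = [(HOSTS_ALLOW, HOSTS_DENY, "as posted"),
             (HOSTS_ALLOW_LAN_ONLY, HOSTS_DENY, "sshd:ALL removed"),
             (HOSTS_ALLOW_LAN_ONLY, HOSTS_DENY_DEFAULT, "sshd:ALL removed, default deny")]
    for allow, deny, label in cases:
        for addr in ("62.141.33.225", "76.106.137.5", "192.168.1.20"):
            print(f"{label:32} sshd from {addr:15} -> {hosts_access(allow, deny, 'sshd', addr)}")
```

With the files exactly as posted, every sshd client is decided by the `sshd:ALL` line in hosts.allow and the 62.141.33. entry in hosts.deny is never reached. Removing that line makes the deny entry effective; making `ALL: ALL` active in hosts.deny turns the setup into a whitelist where only the LAN prefixes in hosts.allow get in.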

Author:  gatorback [ Sat Aug 14, 2010 1:55 pm ]
Post subject: 

I have two ISPs (until Tuesday), which would enable me to simulate an SSH attack. That being said, I tried adding 76.106.137.XXX to the hosts.deny table and bounced the SSHD service:
Code:
cat /etc/hosts.deny

Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
#
# ALL: ALL: DENY

# End of file


Bounced SSHD:

Quote:
[root@mythtv ~]# sv start sshd
ok: run: sshd: (pid 9602) 40s


No Joy: I was expecting the server to block logon request from 76.106.137.XXX.

Other syntax tried in hosts.deny includes:
Quote:
ALL: 76.106.137. :DENY
SSHD: 76.106.137.

Again, no joy.

Author:  Martian [ Sat Aug 14, 2010 10:16 pm ]
Post subject: 

gatorback wrote:
Martian, did you get this working with LinHes?

I don't run denyhosts on my LinHES box. Port 22 is open to my server PC (file, print, web, e-mail, etc...) so I run it on that PC (which is now running Arch). If I need to access any other PCs on my network it is then done from there.

For example to access my Myth box from work, I ssh into my server and then ssh into my Myth box from my server. If I want to access my desktop (Windows) I use VNC tunneled over the ssh connection to my server.

This way I only have one PC exposed and it is (hopefully) protected by denyhosts and a really long password.

As was stated though, denyhosts is just a script so I can't imagine it would be difficult to set up on LinHES.

Martian

Author:  Too Many Secrets [ Sat Aug 14, 2010 10:48 pm ]
Post subject: 

This is dated, but it might be a starting point. If someone gets Denyhosts working with linhes, maybe they could update? I just haven't made the time to play with it.

Author:  Golffies [ Mon Aug 16, 2010 10:56 am ]
Post subject:  cross reference

Hi,

Working with hosts.allow and hosts.deny configuration files has also been covered in the thread: Can only SSH in locally.

Author:  mihanson [ Mon Aug 16, 2010 2:10 pm ]
Post subject: 

Here's how I deal with this...

Create a script called ssh_firewall.sh or similar. The contents will be:

Code:
[mihanson@mythbox-mbe ~]$ cat /usr/local/bin/ssh_firewall
#!/bin/bash

# Set up the firewall rules: new connections to port 22 are sent through the
# SSH_CHECK chain, where the 'recent' match records the source address and
# drops it once it has opened 4 or more new connections within 90 seconds.
/usr/sbin/iptables -N SSH_CHECK
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
/usr/sbin/iptables -A SSH_CHECK -m recent --set --name SSH
/usr/sbin/iptables -A SSH_CHECK -m recent --update --seconds 90 --hitcount 4 --name SSH -j DROP
# The rules are in effect as soon as they are appended; no separate start step is needed.


Call this new script (be sure to chmod it to be executable) from /etc/runit/1.local. What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. :D There is a way to do this directly in etcnet, but I never got it working that way.

Author:  gatorback [ Sat Sep 04, 2010 10:53 am ]
Post subject:  Knockd

This layer of security is at the router level and is detailed here:

http://www.dd-wrt.com/wiki/index.php/Knockd

http://www.youtube.com/watch?v=EbzrLPf6 ... re=related

This would require your router firmware to be updated.

Author:  Liv2Cod [ Fri Sep 10, 2010 10:31 am ]
Post subject:  Just move it

I really suggest you just pick a port other than 22. I did that and the number of bogus logon attempts dropped to zero. Sometimes the simplest methods ARE the best. And drop pings if you can, too. Anything you can do to "stealth" your IP address is good.

Author:  Golffies [ Mon Feb 07, 2011 5:39 am ]
Post subject:  elegant solution

Just noticed, with some lag, how elegant and easy your solution was. I pushed it on the fly to my LinHES box. Would recommend adding that script in a coming version.

mihanson wrote:
Here's how I deal with this...

What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. :D

Author:  Golffies [ Wed Nov 23, 2011 10:09 am ]
Post subject:  Cutting down 99% of fraudulent ssh login attempts

Hi Mike,

For half a year, I have been running the script you submitted; it is effective at cutting down 99% of fraudulent ssh login attempts. Actually great! Did you manage to include it in LinHES R7.1?

A side question: my host once faced an attacker whose IP address was not blocked by the firewalling rules of your script. The remote host opened many simultaneous connections in parallel, to crawl faster, and managed to send 444 requests from 11:00 to 12:30 am, local time.

What went wrong there ?


Here is a sample of the 'sudo lastb' output :

Code:
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)

[SNIP]

ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
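Added example, not from this thread: a Python model of the iptables 'recent' match used in mihanson's SSH_CHECK chain, run against two constructed traffic patterns. The first is a bot that opens a fresh connection for every guess; the second opens one connection every 40 seconds and sends several guesses over each of them (OpenSSH permits MaxAuthTries guesses per connection, 6 by default). The chain only ever sees packets in state NEW, so what it counts is connections, not password attempts, and the second pattern stays under the 4-in-90-seconds threshold indefinitely. The addresses and timings are constructed (documentation ranges); the per-address limit of 20 stored timestamps is the xt_recent module default (ip_pkt_list_tot), not a setting from the thread.

```python
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (module default: 20).
PKT_LIST_TOT = 20


class RecentList:
    """Model of one 'recent' list (--name SSH): per source address, the times it was seen."""

    def __init__(self, max_pkts=PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=max_pkts))

    def set(self, ip, now):
        # -m recent --set: add the address, or record one more hit for it.
        self.hits[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        # -m recent --update --seconds S --hitcount H: match when the address is
        # listed and at least H of its hits fall within the last S seconds.
        # A match also refreshes the entry (that is what --update adds over
        # --rcheck), so a source that keeps hammering keeps extending its block.
        timestamps = self.hits.get(ip)
        if not timestamps:
            return False
        within = sum(1 for t in timestamps if now - t <= seconds)
        if within >= hitcount:
            timestamps.append(now)
            return True
        return False


def ssh_check(rl, ip, now, seconds=90, hitcount=4):
    """The SSH_CHECK chain: --set runs first, then --update ... -j DROP,
    so the current connection itself counts toward the threshold."""
    rl.set(ip, now)
    return "DROP" if rl.update(ip, now, seconds, hitcount) else "ACCEPT"


def simulate(connections, seconds=90, hitcount=4):
    """connections: (time_in_seconds, source_ip, password_attempts_in_that_connection).
    Only NEW connections pass through SSH_CHECK; the guesses made inside an
    accepted connection are invisible to the filter and go straight to sshd."""
    rl = RecentList()
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0, "attempts": 0})
    for t, ip, attempts in sorted(connections):
        if ssh_check(rl, ip, t, seconds, hitcount) == "DROP":
            stats[ip]["dropped"] += 1
        else:
            stats[ip]["accepted"] += 1
            stats[ip]["attempts"] += attempts
    return dict(stats)


# Constructed traffic (RFC 5737 documentation addresses, not from the thread).
# A naive bot: a new connection every 2 s, one guess per connection, for 20 s.
BURST = [(t, "198.51.100.7", 1) for t in range(0, 20, 2)]
# A patient bot: a new connection every 40 s, six guesses over each, for 8 minutes.
SLOW = [(t, "203.0.113.9", 6) for t in range(0, 480, 40)]

if __name__ == "__main__":
    for ip, s in simulate(BURST + SLOW).items():
        print(f"{ip:15} connections accepted={s['accepted']:2} dropped={s['dropped']:2} "
              f"guesses reaching sshd={s['attempts']}")
```

Running it shows the burst source getting 3 connections through before everything else is dropped, while the slow source never has more than 3 hits inside any 90-second window and delivers every one of its guesses. Lowering MaxAuthTries in sshd_config, or counting failures in the log (what denyhosts does) rather than connections at the firewall, is what closes that gap.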

Author:  gatorback [ Wed Nov 23, 2011 10:25 am ]
Post subject:  DD-WRT Optware Stophammer

I am using an ASUS-RTN16 with DD-WRT \ Optware using Stophammer to blacklist IP addresses. Search for Stophammer in the webpage.

Asiablock is another Optware service: other countries can be blocked as well.

All times are UTC - 6 hours