LinHES Forums http://forum.linhes.org/
Securing SSH: auditing the logs http://forum.linhes.org/viewtopic.php?f=5&t=21278
Author: gatorback [ Fri Aug 13, 2010 9:22 pm ]
Post subject: Securing SSH: auditing the logs
I used these commands to search the SSH logs:
Code:
[root@mythtv ~]# grep -ir ssh /var/log/* > output.txt
Code:
[root@mythtv ~]# grep -ir BREAK-IN /var/log/auth.log > breakin.txt
I noticed there were quite a few connection refusals from unknown IP addresses. Is there anything that I need to do (short of closing up port 22)? I suppose that I could map it to another port; however, that would do little because I would think there are plenty of port scanners out there.
Author: graysky [ Sat Aug 14, 2010 8:42 am ]
Best advice is to use a high non-standard port (like >40000). You can try a knock script if you want, which causes ssh only to allow connections that try to come in on several ports in a specific order.
Author: Martian [ Sat Aug 14, 2010 10:54 am ]
I use denyhosts to help keep my ssh a little more secure. http://denyhosts.sourceforge.net/
Author: gatorback [ Sat Aug 14, 2010 12:08 pm ]
@Martian: cool. A process that reviews logs for IP addresses of suspected breakins and puts them on the deny list. I found this URL to install; however, I am hesitant to use this because LinHes has migrated from Debian to ArchLinux: apt-get is replaced by pacman. I am not sure what other gotchas there would be. Martian, did you get this working with LinHes? I looked in your signature, but did not see this info. Maybe the optimal COA is remapping SSH to a nonstandard port and enabling port 22 as a 'honeypot' for the script to identify and block attacks.

OK, so I reviewed my log again and I found this:
Quote:
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.141.33.225
/var/log/auth.log:Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
/var/log/auth.log:Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
The log shows 30 attempts every 4 seconds. This IP address has earned a spot on the deny hosts list. Given that there is a hosts.allow file:
Code:
cat /etc/hosts.allow
Quote:
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file
I reasoned there is a host.deny file and added the offender's IP address range to the deny list:
Code:
cat /etc/hosts.deny
Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
ALL: 62.141.33.
#
# ALL: ALL: DENY
# End of file
Not sure if my syntax of the IP address in hosts.deny is correct. Do the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh in. I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents, from the offending IP range, in the log, that MAY be an indicator of success, but the attacks from this IP may have stopped for whatever reason. Any suggestions \ guidance is appreciated. Given that I only intend to access this machine from CONUS, I think that a list of IP address blocks could be added to hosts.deny: I would have no qualms blocking all OCONUS IP addresses. I am not sure what the Google keyword would be to search for this list: suggestions are appreciated.
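The auth.log lines quoted in the post above lend themselves to the per-address tally that a log-watching blocker such as denyhosts (mentioned earlier in the thread) automates. The Python below is an added example, not code from this thread and not denyhosts itself: it parses sshd's "Invalid user", "Failed password" and "POSSIBLE BREAK-IN ATTEMPT" messages, counts failed passwords per source address, skips the private ranges the quoted hosts.allow already trusts, and renders tcp_wrappers lines for hosts.deny. The log sample is constructed to match the format quoted above, and the threshold of three failures is an arbitrary choice.

```python
"""Per-source tally of sshd authentication failures from auth.log lines,
rendering tcp_wrappers lines for hosts.deny. Added example for this thread;
it is not denyhosts and not code posted by any participant."""
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/auth.log lines quoted in the thread.
SAMPLE_LOG = """\
Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.141.33.225
Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 09:31:46 mythtv sshd[16751]: Failed password for invalid user oracle from 62.141.33.225 port 35410 ssh2
Aug 14 09:31:50 mythtv sshd[16755]: Failed password for invalid user admin from 62.141.33.225 port 35502 ssh2
Aug 14 09:32:01 mythtv sshd[16760]: Failed password for root from 62.141.33.225 port 35600 ssh2
Aug 14 10:02:11 mythtv sshd[16801]: Failed password for mythtv from 192.168.1.20 port 50122 ssh2
Aug 14 10:02:15 mythtv sshd[16801]: Accepted password for mythtv from 192.168.1.20 port 50122 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4)
INVALID = re.compile(r"Invalid user (\S+) from " + IPV4)
BREAKIN = re.compile(r"Address " + IPV4 + r" maps to .*POSSIBLE BREAK-IN ATTEMPT")

# Private/loopback prefixes that the quoted hosts.allow already trusts; never propose denying them.
TRUSTED_PREFIXES = ("192.168.", "10.", "172.16.", "127.")

def audit(log_text):
    """Return {ip: {"failed": count, "users": set of names tried, "breakin": bool}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "breakin": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = INVALID.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["users"].add(user)
            continue
        m = BREAKIN.search(line)
        if m:
            stats[m.group(1)]["breakin"] = True   # forward/reverse DNS mismatch noted by sshd
    return dict(stats)

def deny_candidates(stats, threshold=3):
    """Addresses with at least `threshold` failed passwords, outside the trusted prefixes."""
    return sorted(ip for ip, s in stats.items()
                  if not ip.startswith(TRUSTED_PREFIXES) and s["failed"] >= threshold)

def hosts_deny_lines(ips, daemon="sshd"):
    """One tcp_wrappers line per offender, e.g. 'sshd: 62.141.33.225'."""
    return [f"{daemon}: {ip}" for ip in ips]

if __name__ == "__main__":
    stats = audit(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} failed={s['failed']} users={sorted(s['users'])} reverse-dns-mismatch={s['breakin']}")
    print("\n".join(hosts_deny_lines(deny_candidates(stats))))
```

Against the live file, `audit(open("/var/log/auth.log").read())` gives the same dictionary; review the rendered lines before appending them to /etc/hosts.deny, since a mistyped prefix pattern can lock a trusted network out.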
Author: uteck [ Sat Aug 14, 2010 12:47 pm ]
gatorback wrote:
Quote:
Not sure if my syntax of the IP address in hosts.deny is correct. Do the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh in.
This is correct. The hosts files are a 2-step process: first hosts.allow is checked to see if the service is allowed, or if a white list of authorized IPs is being used, then hosts.deny is checked for denied services and IPs.
Quote:
I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents in the log, that MAY be an indicator of success, but the attacks from this IP may have stopped for whatever reason. Any suggestions \ guidance is appreciated.
Your files look good to me. Kind of hard to test since you would have to spoof that IP, which is a bit beyond me. But if you wanted to manually install Denyhosts, it is just a python script that is called via a cron job every 5 minutes, so you could manually install it if you wanted to. The only downside I experienced was when my hosts.deny file had over 20k entries and it took about a minute for that old box to parse the file.
Author: gatorback [ Sat Aug 14, 2010 1:55 pm ]
I have two ISP providers (until Tuesday), which would enable me to simulate an SSH attack. That being said, I tried adding 76.106.137.XXX to the host.deny table and bounced the SSHD service:
Code:
cat /etc/hosts.deny
Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
#
# ALL: ALL: DENY
# End of file
Bounced SSHD:
Quote:
[root@mythtv ~]# sv start sshd
ok: run: sshd: (pid 9602) 40s
No Joy: I was expecting the server to block logon requests from 76.106.137.XXX. Other syntax tried in hosts.deny includes:
Quote:
ALL: 76.106.137. ENY
SSHD: 76.106.137.
Again, no joy.
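The "No joy" result in the post above is what the tcp_wrappers evaluation order predicts. Per hosts_access(5), a connection is granted as soon as a (daemon, client) pair matches a line in hosts.allow; hosts.deny is consulted only when nothing in hosts.allow matched; and a connection that matches neither file is granted. The `sshd:ALL` line in the quoted hosts.allow therefore matches every ssh client before hosts.deny is read at all. The Python simulator below is an added example (not code from the thread, and not tcp_wrappers itself) that implements only the syntax used in the thread: the ALL wildcard, exact addresses, and trailing-dot prefix patterns such as `62.141.33.`; treating keywords and daemon names case-insensitively is an assumption of the model. It evaluates the quoted files as posted and a corrected pair in which `sshd:ALL` has been removed so that hosts.deny gets its turn.

```python
"""Model of the tcp_wrappers hosts_access(5) decision, covering only the syntax
used in this thread. Added example; not code from the thread or from tcp_wrappers.
Documented order: a match in hosts.allow grants; otherwise a match in hosts.deny
denies; otherwise the connection is granted."""
import re

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from an access file, dropping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' to end of line is a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed line: no client list
        daemons = re.split(r"[\s,]+", fields[0])  # lists may be comma- or space-separated
        clients = re.split(r"[\s,]+", fields[1])  # a third field (options) is ignored here
        rules.append((daemons, clients))
    return rules

def token_matches(pattern, value):
    """ALL wildcard, trailing-dot address prefix, or exact match (case-insensitive: an assumption)."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):                     # "62.141.33." matches 62.141.33.0 through .255
        return value.startswith(pattern)
    return pattern.lower() == value.lower()

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(token_matches(d, daemon) for d in daemons)
            and any(token_matches(c, client_ip) for c in clients))

def hosts_access(allow_text, deny_text, daemon, client_ip):
    """Return (verdict, reason) for one connection, in the order hosts_access(5) specifies."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return "granted", f"hosts.allow matched {rule}; hosts.deny not consulted"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return "denied", f"hosts.deny matched {rule}"
    return "granted", "no rule matched in either file"

# The files as quoted in the thread (comment lines shortened).
HOSTS_ALLOW_THREAD = """\
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
"""
HOSTS_DENY_THREAD = """\
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
"""
# Corrected pair: the blanket sshd:ALL is removed, so hosts.deny gets a chance to match.
HOSTS_ALLOW_FIXED = HOSTS_ALLOW_THREAD.replace("sshd:ALL\n", "")

def verdict(allow_text, deny_text, client_ip):
    """Just the granted/denied word for an sshd connection from client_ip."""
    return hosts_access(allow_text, deny_text, "sshd", client_ip)[0]

if __name__ == "__main__":
    # 198.51.100.7 is a constructed address from a documentation range, standing in for any other remote client.
    for label, allow in (("as posted", HOSTS_ALLOW_THREAD), ("sshd:ALL removed", HOSTS_ALLOW_FIXED)):
        for ip in ("76.106.137.5", "62.141.33.225", "192.168.1.20", "198.51.100.7"):
            print(f"{label:18} {ip:16} -> {hosts_access(allow, HOSTS_DENY_THREAD, 'sshd', ip)}")
```

Two points that apply on a real host: tcp_wrappers consults both files on every connection, so no sshd restart is needed after editing them; and the files only matter at all if sshd was built with libwrap support, which OpenSSH removed in version 6.7, so on newer installs a packet filter (as in mihanson's iptables script later in this thread) has to carry the blocking instead.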
Author: Martian [ Sat Aug 14, 2010 10:16 pm ]
gatorback wrote:
Quote:
Martian, did you get this working with LinHes?
I don't run denyhosts on my LinHES box. Port 22 is open to my server PC (file, print, web, e-mail, etc...) so I run it on that PC (which is now running Arch). If I need to access any other PCs on my network it is then done from there. For example, to access my Myth box from work, I ssh into my server and then ssh into my Myth box from my server. If I want to access my desktop (Windows) I use VNC tunneled over the ssh connection to my server. This way I only have one PC exposed and it is (hopefully) protected by denyhosts and a really long password. As was stated though, denyhosts is just a script so I can't imagine it would be difficult to set up on LinHES.
Martian
Author: Too Many Secrets [ Sat Aug 14, 2010 10:48 pm ]
This is dated, but it might be a starting point. If someone gets Denyhosts working with linhes, maybe they could update? I just haven't made the time to play with it.
Author: Golffies [ Mon Aug 16, 2010 10:56 am ]
Post subject: cross reference
Hi, working with hosts.allow and hosts.deny configuration files has also been covered in the thread: Can only SSH in locally.
Author: mihanson [ Mon Aug 16, 2010 2:10 pm ]
Here's how I deal with this... Create a script called ssh_firewall.sh or similar. The contents will be:
Code:
[mihanson@mythbox-mbe ~]$ cat /usr/local/bin/ssh_firewall
#!/bin/bash
# Set up the firewall rule
/usr/sbin/iptables -N SSH_CHECK
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
/usr/sbin/iptables -A SSH_CHECK -m recent --set --name SSH
/usr/sbin/iptables -A SSH_CHECK -m recent --update --seconds 90 --hitcount 4 --name SSH -j DROP
# Start the firewall
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
Call this new script (be sure to chmod it to be executable) from /etc/runit/1.local. What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. There is a way to do this directly in etcnet, but I never got it working that way.
Author: gatorback [ Sat Sep 04, 2010 10:53 am ]
Post subject: Knockd
This layer of security is at the router level and is detailed here: http://www.dd-wrt.com/wiki/index.php/Knockd http://www.youtube.com/watch?v=EbzrLPf6 ... re=related This would require your router firmware to be updated.
Author: Liv2Cod [ Fri Sep 10, 2010 10:31 am ]
Post subject: Just move it
I really suggest you just pick a port other than 22. I did that and the number of bogus logon attempts dropped to zero. Sometimes the simplest methods ARE the best. And drop pings if you can, too. Anything you can do to "stealth" your IP address is good.
Author: Golffies [ Mon Feb 07, 2011 5:39 am ]
Post subject: elegant solution
Just noticed with some lag how elegant and easy your solution was. I pushed it on the fly to my LinHES box. Would recommend adding that script in a coming version.
mihanson wrote:
Quote:
Here's how I deal with this...
What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean.
Author: Golffies [ Wed Nov 23, 2011 10:09 am ]
Post subject: Cutting down 99% of fraudulent ssh login attempts
Hi Mike,
For half a year, I have been running the script you submitted; it is effective at cutting down 99% of fraudulent ssh login attempts. Actually great! Did you manage to include it in LinHES R7.1?
A side question: my host once faced an attacker whose IP address was not blocked by the firewalling rules of your script. The remote host opened many simultaneous connections in parallel, to crawl faster, and managed to send 444 requests from 11:00 to 12:30 am, local time. What went wrong there? Here is a sample of the 'sudo lastb' output:
Code:
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
[SNIP]
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
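To see what mihanson's rule (posted earlier in this thread) measures, and so what Golffies' lastb listing can and cannot tell us, here is a replay of the iptables `recent` match over constructed traffic. It is an added example, not code from the thread or from the kernel. The verdict logic follows xt_recent as documented: `--set` records a timestamp for the source address, and `--update --seconds 90 --hitcount 4` matches when at least four timestamps fall inside the window, refreshing the entry on a match. Keeping at most 20 timestamps per address is the module's default list size and an assumption about the kernel build. The two source addresses are constructed from documentation ranges. The caveat that bears on Golffies' question: the rule counts NEW TCP connections to port 22 and nothing else. Every password guess sshd accepts inside one established session (up to MaxAuthTries of them) produces a lastb entry but is invisible to the packet filter, so a client that sends several guesses per connection, or spaces its connections apart, fills lastb without ever reaching four new connections in 90 seconds.

```python
"""Replay NEW ssh connections through a model of the iptables 'recent' rule:
  -m recent --set --name SSH
  -m recent --update --seconds 90 --hitcount 4 --name SSH -j DROP
Added example for this thread; not code from the thread or the kernel."""
from collections import defaultdict

WINDOW = 90        # --seconds 90
HITCOUNT = 4       # --hitcount 4
LIST_SIZE = 20     # xt_recent ip_pkt_list_tot default (assumed for this model)

class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(list)   # source ip -> timestamps, newest last

    def _push(self, ip, now):
        lst = self.stamps[ip]
        lst.append(now)
        if len(lst) > LIST_SIZE:          # oldest stamp falls off the list
            del lst[0]

    def new_connection(self, ip, now):
        """Verdict ('ACCEPT' or 'DROP') for a NEW packet from ip at time `now` in seconds."""
        self._push(ip, now)                                   # --set: record this packet
        hits = sum(1 for s in self.stamps[ip] if now - s <= WINDOW)
        if hits >= HITCOUNT:                                  # --update matched ...
            self._push(ip, now)                               # ... and refreshed the entry
            return "DROP"
        return "ACCEPT"

def replay(events):
    """events: iterable of (seconds, ip). Returns [(seconds, ip, verdict)] in time order."""
    table = RecentTable()
    return [(t, ip, table.new_connection(ip, t)) for t, ip in sorted(events)]

def verdicts(events):
    return [v for _, _, v in replay(events)]

# Constructed traffic: one address hammering port 22, one address opening a
# connection every 45 seconds (what it does inside each connection is not visible here).
BURST = [(t, "203.0.113.9") for t in (0, 10, 20, 30, 40, 50, 200)]
PACED = [(t, "198.51.100.7") for t in (0, 45, 90, 135, 180)]

if __name__ == "__main__":
    for t, ip, v in replay(BURST + PACED):
        print(f"t={t:4}s  {ip:16} {v}")
```

In the burst the fourth connection inside 90 seconds is dropped and every further one extends the block, because a matched `--update` writes a fresh timestamp; the address is accepted again only after it has been quiet for the whole window. The paced address is never dropped. Two complements close that gap: lowering MaxAuthTries in sshd_config so that each connection carries fewer guesses, and a log-based blocker (denyhosts, or the hosts.deny approach earlier in this thread) that counts failed logins rather than connections.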
Author: gatorback [ Wed Nov 23, 2011 10:25 am ]
Post subject: DD-WRT Optware Stophammer
I am using an ASUS-RTN16 with DD-WRT \ Optware, using Stophammer to blacklist IP addresses. Search for Stophammer in the webpage. Asiablock is another Optware service: other countries can be blocked as well.
All times are UTC - 6 hours