gatorback
Posted: Fri Aug 13, 2010 9:22 pm
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
I used these commands to search the SSH logs:
Code:
[root@mythtv ~]# grep -ir ssh /var/log/* > output.txt
[root@mythtv ~]# grep -ir BREAK-IN /var/log/auth.log > breakin.txt
I noticed there were quite a few connection refusals from unknown IP addresses.
Is there anything that I need to do (short of closing up port 22)? I suppose that I could map it to another port; however, that would do little because I would think there are plenty of port scanners out there.
_________________ R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB
Last edited by gatorback on Sat Aug 14, 2010 12:33 pm, edited 1 time in total.
graysky
Posted: Sat Aug 14, 2010 8:42 am
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
Best advice is to use a high non-standard port (like >40000). You can try a knock script if you want which causes ssh only to allow connections that try to come in on several ports in a specific order.
_________________ Retired KM user (R4 - R6.04); friend to LH users.
Martian
Posted: Sat Aug 14, 2010 10:54 am
Joined: Wed Feb 08, 2006 6:13 pm
Posts: 480
Location: IN
I use denyhosts to help keep my ssh a little more secure.
http://denyhosts.sourceforge.net/
_________________ ABIT NF-M2 nView | Athlon 64 X2 3800+ | 2GB DDR2 800 | HDHomerun | GeForce 6150 (onboard) | WD 640 GB SATA HD | DVD-RW (sata) | StreamZap IR receiver with Logitech Harmony remote
Vizio 37" LCD HDTV (1080p)
gatorback
Posted: Sat Aug 14, 2010 12:08 pm
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
@Martian: cool. A process that reviews logs for IP addresses of suspected breakins and puts them on the deny list. I found this URL to install, however, I am hesitant to use this because LinHes has migrated from Debian to ArchLinux: apt-get is replaced by pacman. I am not sure what other gotchas there would be. Martian, did you get this working with LinHes? I looked in your signature, but did not see this info. Maybe the optimal COA is remapping SSH to a nonstandard port and enabling port 22 as a 'honeypot' for the script to identify and block attacks.
OK, so I reviewed my log again and I found this:
Quote:
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.141.33.225
/var/log/auth.log:Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
/var/log/auth.log:Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
The log shows 30 attempts every 4 seconds. This IP address has earned a spot on the deny hosts list. Given that there is a hosts.allow file:
Code:
cat /etc/hosts.allow
Quote:
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file
I reasoned there is a hosts.deny file and added the offender's IP address range to the deny list:
Code:
cat /etc/hosts.deny
Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
ALL: 62.141.33.
#
# ALL: ALL: DENY
# End of file
Not sure if my syntax of the IP address in hosts.deny is correct. Do the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh in.
I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents, from the offending IP range, in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.
Given that I only intend to access this machine from CONUS, I think that a list of IP address blocks could be added to hosts.deny: I would have no qualms blocking all OCONUS IP addresses. I am not sure what the Google keyword would be to search for this list: suggestions are appreciated.
_________________ R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB
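What denyhosts automates, shown as an added example (this is not denyhosts' own code and not from any post in this thread): a small Python script that reads auth.log lines, counts failed-password attempts per source address, skips addresses covered by the local prefixes from the hosts.allow file quoted above, and emits hosts.deny lines for the rest. The sample log is constructed from the lines quoted in this thread plus made-up local entries; the threshold of 3 failures and the `sshd: <ip>` output format are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/auth.log lines quoted in this
# thread; the 62.141.33.225 lines are from the post, the rest are made up.
SAMPLE_AUTH_LOG = """\
Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 09:31:46 mythtv sshd[16751]: Failed password for invalid user admin from 62.141.33.225 port 35330 ssh2
Aug 14 09:31:50 mythtv sshd[16755]: Failed password for invalid user oracle from 62.141.33.225 port 35341 ssh2
Aug 14 09:40:02 mythtv sshd[16802]: Failed password for root from 192.168.1.20 port 50112 ssh2
Aug 14 09:40:10 mythtv sshd[16802]: Accepted password for mythtv from 192.168.1.20 port 50112 ssh2
"""

# One pattern covers both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (existing account, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Mirrors the prefixes in the hosts.allow quoted in this thread: addresses
# under them are local and must never be written to hosts.deny.
LOCAL_PREFIXES = ("192.168.", "10.", "127.0.0.1", "172.16.")


def is_local(ip):
    """True when the address falls under one of the local prefixes."""
    return any(ip.startswith(p) for p in LOCAL_PREFIXES)


def count_failures(log_text):
    """Return a Counter {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(counts, threshold=3):
    """hosts.deny lines for addresses at or above the threshold, local ones excluded.
    The threshold and the 'sshd: <ip>' form are assumptions for this example."""
    return [f"sshd: {ip}"
            for ip, n in sorted(counts.items())
            if n >= threshold and not is_local(ip)]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_AUTH_LOG)
    for ip, n in failures.most_common():
        print(f"{ip:<16} {n} failed password attempts")
    print("\n".join(hosts_deny_entries(failures)))
```

Counting "Failed password" lines rather than the "POSSIBLE BREAK-IN ATTEMPT" line is deliberate: that warning only records a reverse-DNS mismatch for the connection, whereas the failed-password line is one per guess, which is the number a blocker should act on. Whatever writes to hosts.deny only has an effect if hosts.allow does not already grant sshd to ALL, since tcp_wrappers consults hosts.allow first.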
uteck
Posted: Sat Aug 14, 2010 12:47 pm
Joined: Thu Dec 07, 2006 10:25 am
Posts: 109
Location: Elgin, Illinois
gatorback wrote:
Quote: Not sure if my syntax of the IP address in hosts.deny is correct. Does the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh-in.
This is correct. The hosts files are a 2-step process: first the hosts.allow is checked to see if the service is allowed, or if a white list is being used of authorized IPs, then hosts.deny is checked for denied services and IPs.
Quote: I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.
Your files look good to me. Kind of hard to test since you would have to spoof that IP which is a bit beyond me.
But if you wanted to manually install Denyhosts, it is just a python script that is called via a cron job every 5 minutes, so you could manually install it if you wanted to. The only downside I experienced was when my hosts.deny file had over 20k entries and it took about a minute for that old box to parse the file.
_________________ The Atomic Ant.
gatorback
Posted: Sat Aug 14, 2010 1:55 pm
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
I have two ISP providers (until Tuesday), which would enable me to simulate an SSH attack. That being said, I tried adding 76.106.137.XXX to the hosts.deny table and bounced the SSHD service:
Code:
cat /etc/hosts.deny
Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
#
# ALL: ALL: DENY
# End of file
Bounced SSHD:
Quote:
[root@mythtv ~]# sv start sshd
ok: run: sshd: (pid 9602) 40s
No Joy: I was expecting the server to block logon requests from 76.106.137.XXX. Other syntax tried in hosts.deny includes:
Quote:
ALL: 76.106.137. ENY
SSHD: 76.106.137.
Again, no joy.
_________________ R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB
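Why neither the 62.141.33. nor the 76.106.137. entry in hosts.deny had any visible effect follows from the order in which tcp_wrappers applies the two files, as hosts_access(5) documents it: the first matching line in hosts.allow grants access; otherwise the first matching line in hosts.deny refuses it; otherwise access is granted. The `sshd:ALL` line in the hosts.allow quoted earlier in this thread therefore matches every client before hosts.deny is ever read. The Python evaluator below is an added example written for this thread, not tcp_wrappers code; it models only the subset of the syntax the files on this page use (comments, `daemon: client` lines, `ALL`, exact IPv4 addresses and trailing-dot prefixes, case-insensitive names). `HOSTS_ALLOW` and `HOSTS_DENY` are the files from the posts; `HOSTS_ALLOW_FIXED` and `HOSTS_DENY_DEFAULT_DENY` are an assumed rewrite, not something from the thread.

```python
# hosts.allow exactly as quoted in the thread.
HOSTS_ALLOW = """\
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file
"""

# hosts.deny from the second test in the thread (both ranges listed).
HOSTS_DENY = """\
#
# /etc/hosts.deny
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
#
# ALL: ALL: DENY
# End of file
"""

# Assumed rewrite (not from the thread): the same local networks, but no
# blanket grant for sshd ...
HOSTS_ALLOW_FIXED = """\
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
"""
# ... and deny-by-default for sshd, so only the networks in hosts.allow get in.
HOSTS_DENY_DEFAULT_DENY = """\
sshd: ALL
"""


def parse_access_file(text):
    """Parse hosts.allow / hosts.deny into (daemon_patterns, client_patterns, raw_line).
    Modelled subset: comments, 'daemon_list : client_list', ALL, exact IPv4
    addresses and trailing-dot prefixes. EXCEPT, hostnames, netmasks and the
    optional shell-command field are not modelled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            continue  # malformed line: tcpd logs an error and ignores it
        rules.append(([d.strip().upper() for d in daemons.split(",")],
                      [c.strip().upper() for c in clients.split(",")],
                      line))
    return rules


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # '62.141.33.' matches 62.141.33.x
        return ip.startswith(pattern)
    return pattern == ip


def _rule_matches(rule, daemon, ip):
    daemons, clients, _ = rule
    return (any(d in ("ALL", daemon.upper()) for d in daemons)
            and any(_client_matches(c, ip) for c in clients))


def hosts_access(daemon, ip, allow_text, deny_text):
    """Return ('ALLOW' | 'DENY', reason) in hosts_access(5) order:
    hosts.allow first (first match grants), then hosts.deny (first match
    refuses), and a client matched by neither file is allowed."""
    for rule in parse_access_file(allow_text):
        if _rule_matches(rule, daemon, ip):
            return "ALLOW", f"hosts.allow: {rule[2]}"
    for rule in parse_access_file(deny_text):
        if _rule_matches(rule, daemon, ip):
            return "DENY", f"hosts.deny: {rule[2]}"
    return "ALLOW", "no rule matched (tcp_wrappers default)"


if __name__ == "__main__":
    for client in ("62.141.33.225", "76.106.137.10", "192.168.1.20", "198.51.100.9"):
        print(client, "as posted:   ", hosts_access("sshd", client, HOSTS_ALLOW, HOSTS_DENY))
        print(client, "default-deny:", hosts_access("sshd", client, HOSTS_ALLOW_FIXED, HOSTS_DENY_DEFAULT_DENY))
```

Two checks are worth running before relying on either file: `ldd $(command -v sshd) | grep libwrap` shows whether this sshd is linked against tcp_wrappers at all (OpenSSH removed that support in 6.7, so on current systems hosts.deny does not affect sshd), and `tcpdmatch sshd 62.141.33.225`, shipped with tcp_wrappers, reports which line a given client would hit. A `sshd: ALL` in hosts.deny locks out every address that hosts.allow does not list, so the address you administer from must be in hosts.allow before that line goes in.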
Martian
Posted: Sat Aug 14, 2010 10:16 pm
Joined: Wed Feb 08, 2006 6:13 pm
Posts: 480
Location: IN
gatorback wrote: Martian, did you get this working with LinHes?
I don't run denyhosts on my LinHES box. Port 22 is open to my server PC (file, print, web, e-mail, etc...) so I run it on that PC (which is now running Arch). If I need to access any other PCs on my network it is then done from there.
For example to access my Myth box from work, I ssh into my server and then ssh into my Myth box from my server. If I want to access my desktop (Windows) I use VNC tunneled over the ssh connection to my server.
This way I only have one PC exposed and it is (hopefully) protected by denyhosts and a really long password.
As was stated though, denyhosts is just a script so I can't imagine it would be difficult to set up on LinHES.
Martian
_________________ ABIT NF-M2 nView | Athlon 64 X2 3800+ | 2GB DDR2 800 | HDHomerun | GeForce 6150 (onboard) | WD 640 GB SATA HD | DVD-RW (sata) | StreamZap IR receiver with Logitech Harmony remote
Vizio 37" LCD HDTV (1080p)
Too Many Secrets
Posted: Sat Aug 14, 2010 10:48 pm
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
This is dated, but it might be a starting point. If someone gets Denyhosts working with linhes, maybe they could update? I just haven't made the time to play with it.
Golffies
Posted: Mon Aug 16, 2010 10:56 am
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Hi,
Working with the hosts.allow and hosts.deny configuration files has also been covered in the thread: Can only SSH in locally.
mihanson
Posted: Mon Aug 16, 2010 2:10 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Here's how I deal with this...
Create a script called ssh_firewall.sh or similar. The contents will be:
Code:
[mihanson@mythbox-mbe ~]$ cat /usr/local/bin/ssh_firewall
#!/bin/bash
# Set up the firewall rule
# New tcp/22 connections are sent to their own chain. Each one is recorded in
# the "SSH" recent list, and the 4th new connection from the same address
# within 90 seconds is dropped (--set runs first, so the current packet counts).
/usr/sbin/iptables -N SSH_CHECK
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
/usr/sbin/iptables -A SSH_CHECK -m recent --set --name SSH
/usr/sbin/iptables -A SSH_CHECK -m recent --update --seconds 90 --hitcount 4 --name SSH -j DROP
# Start the firewall
# Note: ip_forward enables routing between interfaces; the rules above take
# effect as soon as they are added and do not depend on it.
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
Call this new script (be sure to chmod it to be executable) from /etc/runit/1.local. What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. There is a way to do this directly in etcnet, but I never got it working that way.
_________________ Mike
My Hardware Profile
gatorback
Posted: Sat Sep 04, 2010 10:53 am
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
Liv2Cod
Posted: Fri Sep 10, 2010 10:31 am
Joined: Fri May 21, 2004 11:55 pm
Posts: 1206
Location: Silicon Valley, CA
I really suggest you just pick a port other than 22. I did that and the number of bogus logon attempts dropped to zero. Sometimes the simplest methods ARE the best. And drop pings if you can, too. Anything you can do to "stealth" your IP address is good.
_________________ Do you code to live, or live to code? Search LinHES forum through Google
Golffies
Posted: Mon Feb 07, 2011 5:39 am
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Just noticed, with some lag, how elegant and easy your solution was. I pushed it on the fly to my LinHES box. I would recommend adding that script in a coming version.
mihanson wrote: Here's how I deal with this... What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean.
Golffies
Posted: Wed Nov 23, 2011 10:09 am
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Hi Mike,
For half a year, I have been running the script you submitted; it is effective at cutting down 99% of fraudulent ssh login attempts. Actually great! Did you manage to include it in LinHES R7.1?
A side question: my host once faced an attacker whose IP address was not blocked by the firewalling rules of your script. The remote host opened many simultaneous connections in parallel, to crawl faster, and managed to send 444 requests from 11:00 to 12:30 am, local time.
What went wrong there?
Here is a sample of the 'sudo lastb' output:
Code:
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
[SNIP]
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
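To see what mihanson's two `recent` rules count and what they do not, here is an added Python model of that SSH_CHECK chain, written for this thread rather than taken from the script or from the kernel module. It follows the documented behaviour: `--set` records a timestamp for the source address, and `--update --seconds 90 --hitcount 4` matches (DROP) when at least four recorded timestamps, the current one included, fall within the trailing 90 seconds, refreshing the entry whenever it matches. The per-address cap of 20 timestamps is the module's default `ip_pkt_list_tot` (assumed here). The events are constructed; one event is one NEW tcp/22 connection, which is the only thing the INPUT rule with `--state NEW` ever hands to the chain.

```python
from collections import defaultdict, deque

SECONDS = 90     # --seconds 90
HITCOUNT = 4     # --hitcount 4
STAMP_CAP = 20   # ip_pkt_list_tot: timestamps kept per address (module default, assumed)


class RecentList:
    """Model of one named list ('SSH') kept by the iptables recent match."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=STAMP_CAP))

    def set(self, ip, now):
        """-m recent --set --name SSH: record this packet's time for the address."""
        self.stamps[ip].append(now)

    def update(self, ip, now):
        """-m recent --update --seconds S --hitcount H --name SSH:
        match when at least H recorded times lie within the last S seconds;
        on a match the entry is refreshed with the current time."""
        hits = sum(1 for t in self.stamps[ip] if now - t <= SECONDS)
        matched = hits >= HITCOUNT
        if matched:
            self.stamps[ip].append(now)
        return matched


def ssh_check(chain, ip, now):
    """The SSH_CHECK chain for one NEW tcp/22 connection: --set, then --update -j DROP.
    'ACCEPT' here means the packet falls back to INPUT, not that it is accepted there."""
    chain.set(ip, now)
    return "DROP" if chain.update(ip, now) else "ACCEPT"


def decisions(events):
    """events: (time_in_seconds, source_ip) for NEW connections, in time order."""
    chain = RecentList()
    return [ssh_check(chain, ip, t) for t, ip in events]


# Constructed scenarios using documentation-range addresses.
# Five connections in five seconds, then one after a long silence.
BURST = [(0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
         (3, "203.0.113.5"), (4, "203.0.113.5"), (200, "203.0.113.5")]
# One connection every 100 seconds: never four inside a 90-second window.
PACED = [(0, "198.51.100.7"), (100, "198.51.100.7"),
         (200, "198.51.100.7"), (300, "198.51.100.7")]

if __name__ == "__main__":
    for name, events in (("burst", BURST), ("paced", PACED)):
        print(name, list(zip([t for t, _ in events], decisions(events))))
```

The burst is cut off at the fourth connection and stays cut off until fewer than four timestamps remain in the trailing 90 seconds; the paced source never trips the threshold at all. That second case is the gap between this rule and the `lastb` listing above: `lastb` records password attempts, and sshd allows several per connection (`MaxAuthTries`, default 6) before it closes the connection, so a source that stays under the connection threshold can still accumulate hundreds of failed-login entries. The page does not show how many connections the Oct 28 source opened, so this is the mechanism, not a diagnosis. Defensive settings that close the gap are a lower `MaxAuthTries` and `PasswordAuthentication no` in sshd_config, a longer `--seconds` window, or a log-driven blocker such as the denyhosts discussed earlier, which counts the failures themselves rather than connections.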
gatorback
Posted: Wed Nov 23, 2011 10:25 am
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!