View unanswered posts    View active topics

All times are UTC - 6 hours





Post new topic Reply to topic  [ 15 posts ] 
Print view Previous topic   Next topic  
Author Message
Search for:
PostPosted: Fri Aug 13, 2010 9:22 pm 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
I used these commands to search the SSH logs:

Code:
[root@mythtv ~]# grep -ir ssh /var/log/* > output.txt


Code:
[root@mythtv ~]# grep -ir BREAK-IN /var/log/auth.log > breakin.txt


I noticed there were quite a few connection refusals from unknown IP addresses.

Is there anything that I need to do to (short of closing up port 22)? I suppose that I could map it another port, however, that would do little because I would think there are plenty of port scanners out there.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


Last edited by gatorback on Sat Aug 14, 2010 12:33 pm, edited 1 time in total.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 8:42 am 
Offline
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1995
Location: /dev/null
Best advice is to use a high non-standard port (like >40000). You can try a knock script if you want which causes ssh only to allow connections that try to come in on several ports in a specific order.

_________________
Retired KM user (R4 - R6.04); friend to LH users.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 10:54 am 
Offline
Joined: Wed Feb 08, 2006 6:13 pm
Posts: 480
Location: IN
I use denyhosts to help keep my ssh a little more secure.

http://denyhosts.sourceforge.net/

_________________
ABIT NF-M2 nView | Athlon 64 X2 3800+ | 2GB DDR2 800 | HDHomerun | GeForce 6150 (onboard) | WD 640 GB SATA HD | DVD-RW (sata) | StreamZap IR receiver with Logitech Harmony remote

Vizio 37" LCD HDTV (1080p)


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 12:08 pm 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
@Martian: cool. A process that reviews logs for IP addresses of suspected breakins and puts them on the deny list. I found this URL to install, however, I am hesitant to use this because LinHes has migrated from Debian to ArchLinux: apt-get is replaced by pacman. I am not sure what other gotchas there would be. Martian, did you get this working with LinHes? I looked in your signature, but did not see this info. Maybe the optimal COA is remapping SSH to a nonstandard port and enabling port 22 as a 'honeypot' for the script to identify and block attacks.

OK, so I reviewed my log again and if found this:

Quote:
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: Invalid user test from 62.141.33.225
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:Aug 14 09:31:40 mythtv sshd[16746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.141.33.225
/var/log/auth.log:Aug 14 09:31:42 mythtv sshd[16746]: Failed password for invalid user test from 62.141.33.225 port 35324 ssh2
/var/log/auth.log:Aug 14 09:31:43 mythtv sshd[16751]: Address 62.141.33.225 maps to avserver1.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


The log shows 30 attempts every 4 seconds. This IP address has earned a spot on the deny hosts list.

Given that there is a hosts.allow file:

Code:
cat /etc/hosts.allow

Quote:
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file

I reasoned there is a host.deny file and added the offender's IP address range to the deny list:

Code:
cat /etc/hosts.deny

Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
ALL: 62.141.33.
#
# ALL: ALL: DENY

# End of file


Not sure if my syntax of the IP address in hosts.deny is correct. Does the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh-in.

I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents, from the offending IP range, in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.

Given that I only intend to access this machine from CONUS, I think that a list of IP address blocks could be added to hosts.deny: I would have no qualms blocking all OCONUS IP addresses. I am not sure what the Google keyword would be to search for this list: suggestions are appreciated.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 12:47 pm 
Offline
Joined: Thu Dec 07, 2006 10:25 am
Posts: 109
Location: Elgin, Illinois
gatorback wrote:
Quote:
Not sure if my syntax of the IP address in hosts.deny is correct. Does the SSHD statements in hosts.allow defeat the statement added to hosts.deny? I would think that an IP addr in hosts.deny would trump the sshd:all in hosts.allow? If you have experience, please weigh-in.
This is correct, The hosts files are a 2-step precess, first the hosts.allow is checked to see if the service is allowed, or if a white list is being used of authorized IPs, then hosts.deny is checked for denied services and IPs.
Quote:
I am not sure how to verify (test) that this is effective. I would suppose that if there are no more incidents in the log that MAY be an indicator of success but, the attacks from this IP may have stopped for whatever the reason. Any suggestions \ guidance is appreciated.


Your files look good to me. Kind of hard to test since you would have to spoof that IP which is a bit beyond me.
But if you wanted to manually install Denyhosts, it is just a python script that is called via a cron job every 5 minutes, so you could manually install it if you wanted to. The only downside I experienced was when my hosts.deny file had over 20k entries and it look about a minute for that old box to parse the file.

_________________
The Atomic Ant.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 1:55 pm 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
I have two ISP providers (until Tuesday) which would enable me to simulate an SSH attack. That being said, I tried adding 76.106.137.XXX to the host.deny table and bounced the SSHD service:
Code:
cat /etc/hosts.deny

Quote:
#
# /etc/hosts.deny
#
#
# 2010-08-14
# Invalid user plesk-kaka 62.141.33.225 does not map to avserver1.de
all: 62.141.33.
# My second ISP (simulated attacker)
all: 76.106.137.
#
# ALL: ALL: DENY

# End of file


Bounced SSHD:

Quote:
[root@mythtv ~]# sv start sshd
ok: run: sshd: (pid 9602) 40s


No Joy: I was expecting the server to block logon request from 76.106.137.XXX.

Other syntax tried in hosts.deny includes:
Quote:
ALL: 76.106.137. :DENY
SSHD: 76.106.137.

Again, no joy.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 10:16 pm 
Offline
Joined: Wed Feb 08, 2006 6:13 pm
Posts: 480
Location: IN
gatorback wrote:
Martian, did you get this working with LinHes?

I don't run denyhosts on my LinHES box. Port 22 is open to my server PC (file, print, web, e-mail, etc...) so I run it on that PC (which is now running Arch). If I need to access any other PCs on my network it is then done from from there.

For example to access my Myth box from work, I ssh into my server and then ssh into my Myth box from my server. If I want to access my desktop (Windows) I use VNC tunneled over the ssh connection to my server.

This way I only have one PC exposed and it is (hopefully) protected by denyhosts and a really long password.

As was stated though, denyhosts is just a script so I can't image it would be difficult to setup on LinHES.

Martian

_________________
ABIT NF-M2 nView | Athlon 64 X2 3800+ | 2GB DDR2 800 | HDHomerun | GeForce 6150 (onboard) | WD 640 GB SATA HD | DVD-RW (sata) | StreamZap IR receiver with Logitech Harmony remote

Vizio 37" LCD HDTV (1080p)


Top
 Profile  
 
 Post subject:
PostPosted: Sat Aug 14, 2010 10:48 pm 
Offline
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
This is dated, but it might be a starting point. If someone gets Denyhosts working with linhes, maybe they could update? I just haven't made the time to play with it.


Top
 Profile  
 
 Post subject: cross reference
PostPosted: Mon Aug 16, 2010 10:56 am 
Offline
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Hi,

working with hosts.allow and hosts.deny configuration files has also been covered in the thread : Can only SSH in locally.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Aug 16, 2010 2:10 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Here's how I deal with this...

Create a script called ssh_firewall.sh or similar. The contents will be:

Code:
[mihanson@mythbox-mbe ~]$ cat /usr/local/bin/ssh_firewall
#!/bin/bash

# Set up the firewall rule
/usr/sbin/iptables -N SSH_CHECK
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
/usr/sbin/iptables -A SSH_CHECK -m recent --set --name SSH
/usr/sbin/iptables -A SSH_CHECK -m recent --update --seconds 90 --hitcount 4 --name SSH -j DROP
# Start the firewall
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward


Call this new script (be sure to chmod it to be executable) from /etc/runit/1.local. What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. :D There is a way to do this directly in etcnet, but I never got it working that way.

_________________
Mike
My Hardware Profile


Top
 Profile  
 
 Post subject: Knockd
PostPosted: Sat Sep 04, 2010 10:53 am 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
This layer of security is at the router level and is detailed here:

http://www.dd-wrt.com/wiki/index.php/Knockd

http://www.youtube.com/watch?v=EbzrLPf6 ... re=related

This would require that your router firmware to be updated.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


Top
 Profile  
 
 Post subject: Just move it
PostPosted: Fri Sep 10, 2010 10:31 am 
Offline
Joined: Fri May 21, 2004 11:55 pm
Posts: 1206
Location: Silicon Valley, CA
I really suggest you just pick a port other than 22. I did that and the number of bogus logon attempts dropped to zero. Sometimes the simplest methods ARE the best. And drop pings if you can, too. Anything you can do to "stealth" your IP address is good.

_________________
Do you code to live, or live to code?
Search LinHES forum through Google


Top
 Profile  
 
 Post subject: elegant solution
PostPosted: Mon Feb 07, 2011 5:39 am 
Offline
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Just noticed with some lag how elegant and easy was your solution. I pushed it on the fly to my LinHES box. Would recommend to add that script in a coming version.

mihanson wrote:
Here's how I deal with this...

What the script does is stop responding to ssh requests from a particular ip for 5 minutes when someone tries to connect more than 4 times in 90 seconds. Works very well and keeps my logs clean. :D


Top
 Profile  
 
PostPosted: Wed Nov 23, 2011 10:09 am 
Offline
Joined: Mon Dec 18, 2006 1:20 pm
Posts: 98
Location: Krakow, Poland, EU
Hi Mike,

For half a year, I have been running the script you submitted; it is effective at cutting down 99% of fraudulent ssh login attempts. Actually great ! Did you manage to include it in LinHES R7.1 ?

A side question: my host faced once an attacker whose IP address has not been blocked by the firewalling rules of your script. The remote host opened many simultaneous connexions in parallel, to crawl faster, and managed to send 444 requests from 11:00 to 12:30 am, local time.

What went wrong there ?


Here is a sample of the 'sudo lastb' output :

Code:
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkat    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akkamra  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjcc    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain1  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjain   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:28 - 12:28  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akjaik   ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akiyama  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akit     ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akira    ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akimoto  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:26 - 12:26  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)
akidcom  ssh:notty    121.31.xxx.xxx   Fri Oct 28 12:24 - 12:24  (00:00)

[SNIP]

ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
ab4t     ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aavishka ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aatul    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:02 - 11:02  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aarti    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaron    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aaren    ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aamamun  ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aalvarez ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
aakash   ssh:notty    121.31.xxx.xxx   Fri Oct 28 11:00 - 11:00  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)
a        ssh:notty    121.31.xxx.xxx   Fri Oct 28 10:59 - 10:59  (00:00)


Top
 Profile  
 
PostPosted: Wed Nov 23, 2011 10:25 am 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
I am a using an ASUS-RTN16 with DD-WRT \ Optware using Stophammer to blacklist IP addresses. Search for Stophammer in the webpage.

Asiablock is another Optware service: other countries can be blocked as well.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


Top
 Profile  
 

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 15 posts ] 


All times are UTC - 6 hours




Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group

Theme Created By ceyhansuyu