Laurent’s Weblog

For some years , many Brutes force attacks happen on opened SSH port of servers publicly reachable from the Internet (ie., a private server you can own/rent)

It has been my case during several weeks : i currently have a private server for a project. This server is powered by Linux, and provides a Web application.

Until some weeks ago , i only protect the machine with rules for the Firewall: i only accept incoming requests on my HTTP port and SSH port (SSH is required for us, admin and developers, thus for upgrade, patch, install new components, checkout/commit code into the Subversion repository, deploy the web application)

But this is not enough :

Attackers, certainly use (as me) the famous “nmap” tool from insecure.org and can find in less of 3 minutes what are opened ports by sending simple SYN/ACKS on TCP/UDP.

Once the opened ports are found , what happens… all is first written in the SSH logs, available in the /var/log/auth.log file (and archived others auth.log.1.gz,…, auth.log.6.gz)

For example these lines :

Feb 12 12:18:29 <my_box> sshd[25129]: Illegal user admin01 from ::ffff:83.14.144.210
Feb 12 12:18:35 <my_box> sshd[25177]: Illegal user test from ::ffff:83.14.144.210
Feb 12 12:18:43 <my_box> sshd[25195]: Illegal user test1 from ::ffff:83.14.144.210
Here we see only only three accounts, but there are thousands ( quite 4mo of these lines have been extracted from my logs already) : all are coming from a dictionary. And what i saw, it was concurrently distributed among many (zombie) machines.

The attacks sometimes caused a Deny of Service : my machine froze , connections SSH & HTTP could not be possible after that. A remote reboot by the web console was the only solution.

To Strike back these Attacks , i installed one security tool :

PORTSENTRY :

PortsEntry is available on Debian Etch depots : main – contrib & non-free

To verify launch :

apt-cache search portsentry

You should see

portsentry - Portscan detection daemon

Then install by :

apt-get install portsentry

PortSentry is an IDS (Intrusion Detection System) : detects attacks by port scans and can react by creating dynamically Firewall rules and routes on the attacked port.

Check configuration files, it should be :

File /etc/portsentry/portsentry.conf

############################# Configuration PortSentry #

############################ADVANCED_PORTS_TCP="1024"

ADVANCED_PORTS_UDP="1024"

ADVANCED_EXCLUDE_TCP="113,139"

ADVANCED_EXCLUDE_UDP="520,138,137,67"

IGNORE_FILE="/etc/portsentry/portsentry.ignore"

HISTORY_FILE="/var/lib/portsentry/portsentry.history"

BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"

BLOCK_UDP="1"

BLOCK_TCP="1"

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

SCAN_TRIGGER="0"

# EOF

File /etc/default/portsentry :

######################

# Default PortSentry #

######################TCP_MODE="atcp"

UDP_MODE="audp"

File /etc/logrotate.d/portsentry

#####################

# Rotate PortSentry #

#####################/var/lib/portsentry/portsentry.* {

 weekly

 rotate 4

 compress

 missingok

 notifempty

 create 0640 root root

 sharedscripts

 postrotate

 /etc/init.d/portsentry restart > /dev/null 2>&1

 endscript

}

Launch portsentry :

$ /etc/init.d/portsentry start

And combined to portsentry i made other things :

1) Change SSH port: Change the port sshd is listening to. Edit the sshd config file (/etc/ssh/sshd_config) and change the value of Port to something other than 22. Restart the sshd server (/etc/init.d/sshd restart). This will reduce dramatically the number of attacks you’ll get.

2) Use strong passwords for your Linux users (long, mixing lower and upper case, symbols and numbers) or use ssh keys that will make the whole ssh attack pointless.

3) Disable root login and force SSH 2 protocol :

Now copy and paste the following line to edit the necessary file for SSH logins

nano /etc/ssh/sshd_config

You should now be in the actual file – find the line

Protocol 2, 1

Uncomment this line and change it to look like this:

Protocol 2

As the next step find the line

PermitRootLogin yes

Uncomment that line and make it look like

PermitRootLogin no

Save and exit the file with Ctrl+X and then Y then enter

Now restart SSH

/etc/rc.d/init.d/sshd restart

 

4) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don’t use it! Disable it now and forever and use SSH instead.

1. Login to your server through SSH and su to root.

2. Type pico /etc/xinetd.d/telnet

3. Look for the line: disable = no and replace with disable = yes

4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart

5. Also – Turn it off through chkconfig as well because it can still start through hat.

/sbin/chkconfig telnet off

 

 

5) Limit connections:

This method limits the number of SYN (connection establishment) packets. The effect of this should be unnoticed by legitimate users, but it will delay an attacker that is making repeated connections. For instance, if you want to limit the connection rate to port 2222 to three per minute:

iptables -A INPUT -p tcp –dport 2222 –syn -m limit –limit 1/m –limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp –dport 2222 –syn -j DROP

 

6) I only allow SSH logins with encryption keys. We have to create the keys first and we have to take care of the private keys (have secure copies of them).

Basically we have to create a pair of public and private key in the client computer and copy the public key in the server.

 

Linux/Mac :

# ssh-keygen -t rsa

 

The private key is generated into $HOME/.ssh/id_rsa, and the public key into $HOME/.ssh/id_rsa.pub
It’s the public key that we have to append to the server’s .ssh/authorized_key2 file, located in the home directory of the user we want to authenticate.

 

In Windows, if we are using Putty we can use puttygen to create the pair, then save the private key to the local computer (we can protect the file with a passphrase) and similarly copy the public key to the same file in the server. The formats of the keys in Putty are different that the ones generated with OpenSSH, but if we already have an OpenSSH one puttygen can convert it to its format.

Disable SSH login with password; we can change the SSH server configuration file so that sshd will only accept keys as form of authentication.

Edit /etc/ssh/sshd_config and set:

PasswordAuthentication no

7) Don’t forget to set a password for the root user of mySQL

 

Finally several other tools against Brute Force Attacks exist :

 

SSHDFilter -SSHDFilter blocks the frequent brute-force attacks by directly reading the SSH daemon logs and generating firewall rules to block the attack. The blocking firewall policy is defined by a list of block-rules. Download SSHDFilter.

pam_abl – A Pluggable Authentication Module that provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Download pam_abl.

SSHBan – SSHban is simple daemon designed to ban attackers. Instead of scanning SSH logs, SSHBan directly receives data from the logger. Download SSHBan.

IPTables Recent Module – This Linux-kernel module allows you to track seen IP addresses and be able to match against them using some criteria. This module is extremely useful to build up a temporary list of IP addresses that attempt to brute-force your SSH server and drop everything coming from them for a given amount of time. Download IPTables Recent module.

DenyHost – DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server brute-force attacks . It observers login attempts to the SSH server and if it determines a possible brute-force attack, it will add the IP address to /etc/hosts.deny. Download DenyHost.

Brute-Force Detection -BFD is a shell script for parsing application logs and checking for authentication failures and block the IP address using custom firewall rules. Download Brute-Force Detection.

sshd_sentry – SSHD Sentry is a Perl script that monitors SSH server logs, detects repeated failed login attempts and adds the hosts to a black list. Download sshd_sentry.

SSHGuard – Protects networks from brute force attacks against ssh servers. It detects such attacks and blocks the host’s address with a firewall rule. Download SSHGuard.

Source :

http://www.webhostingresourcekit.com/109.html

http://www.security-hacks.com/

http://www.fduran.com/