nixCraft Linux Forum
Failed SSH login attempts and how to avoid brute ssh attacks

This is a discussion on "Failed SSH login attempts and how to avoid brute ssh attacks" within the Networking, Firewalls and Security forum, part of the Mastering Servers category.


#1
12-19-2006, 04:40 AM
rockdalinux
Join Date: May 2005
Location: Bangalore
My distro: RHEL, HP-UX, Solaris, FreeBSD, Ubuntu
Posts: 576

Hello all,

Please share your tips and howtos about avoiding failed SSH login attempts (brute-force SSH attacks) and securing SSH-based remote login systems.

This is kind of a group project and I am expecting everyone to share their valuable experience. Please consider the following:

SSH brute force attacks
SSH dictionary attacks
Buffer overflow attack
Securing shell access via ssh

Step # 1: Change the ssh port
Open the config file /etc/ssh/sshd_config:
Code:
vi /etc/ssh/sshd_config
The default port is 22; set it to something else, like 678:
Code:
Port 678
Step # 2: Bind ssh to a specific IP address
Usually servers come with 5 or more public IP addresses. There is no need to bind to all of them; just bind to one IP address.
Code:
ListenAddress 65.1.5.1
Step # 3: Only use SSH protocol 2
Code:
Protocol 2
Step # 4: Do not allow root to login
Code:
PermitRootLogin no
Step # 5: Deny root user login
Code:
DenyUsers root
Step # 6: Setup login banner
Code:
Banner /etc/ssh.go.txt
Save and close the file. Create the file:
Code:
vi /etc/ssh.go.txt
Type the message in the file:
Code:
************************************************************

This is a private server!!! All ssh login attempts are logged and
monitored by our staff. All unauthorized login attempts will be
investigated and reported to local authorities.
If you have any login problem please contact our helpdesk at
Phone: 888-555-777 or email us
Email:  support@mycorop.com
************************************************************
Save and close the file. Restart sshd:
Code:
/etc/init.d/sshd restart
Now, to log in, always use:
Code:
ssh -p PORT user@IP-address
ssh -p PORT user@your.server.com
ssh -p 678 rocky@65.1.5.1
For scp, use the -P port option:
Code:
scp -P 678 local.txt rocky@65.1.5.1:/home/rocky
How to disable sshd password authentication
As suggested by monk, you can automate passwordless logins with ssh client keys instead of password authentication.

Type the following at your local Linux/UNIX workstation to create a public/private key pair:
Code:
ssh-keygen -t rsa
Just press the [Enter] key when prompted for a passphrase; hit [Enter] twice. Now you have the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files. Copy the ~/.ssh/id_rsa.pub file to your remote ssh server using scp:

First log in to the remote server over ssh and create the .ssh directory:
Code:
ssh -p 678 user@65.1.5.1
Now create the .ssh directory and set its permissions to 0700:
Code:
mkdir .ssh && chmod 0700 .ssh
logout
Now type the following on the client system (copy the file to the remote server as authorized_keys2):
Code:
scp -P 678 ~/.ssh/id_rsa.pub user@65.1.5.1:.ssh/authorized_keys2
scp -P 678 ~/.ssh/id_rsa.pub user@65.1.5.1:/home/user/.ssh/authorized_keys2
Now you can log in to the remote system without a password from your local Linux/UNIX workstation.

Code:
ssh -p 678 user@65.1.5.1
On the server, open /etc/ssh/sshd_config:
Code:
vi /etc/ssh/sshd_config
And disable password authentication:
Code:
PasswordAuthentication no
Restart sshd:
Code:
/etc/init.d/sshd restart
__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat
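As an added example (not code from the thread), here is a POSIX sh audit of the sshd_config directives the steps above set (Protocol, PermitRootLogin, PasswordAuthentication, ListenAddress, Banner); it assumes the plain "Keyword value" line form and reports the first uncommented occurrence, which is the one sshd honours.

```shell
# Added example, not from the thread: audit an sshd_config for the directives
# post #1 sets, print one line per directive and return the number that are
# missing or weaker than recommended (so it can gate a deployment script).

sshd_value() {  # sshd_value FILE KEYWORD -> value of the first uncommented match
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_directive() {  # check_directive KEYWORD [EXPECTED]; no EXPECTED = "must be set"
    v=$(sshd_value "$AUDIT_FILE" "$1")
    if [ -z "$v" ]; then
        printf '%-22s MISSING (built-in default applies)\n' "$1"
        AUDIT_WEAK=$((AUDIT_WEAK + 1))
    elif [ -n "$2" ] && [ "$v" != "$2" ]; then
        printf '%-22s %s (recommended: %s)\n' "$1" "$v" "$2"
        AUDIT_WEAK=$((AUDIT_WEAK + 1))
    else
        printf '%-22s %s\n' "$1" "$v"
    fi
}

audit_sshd_config() {  # audit_sshd_config FILE -> returns count of weak/missing settings
    AUDIT_FILE=$1; AUDIT_WEAK=0
    check_directive Protocol 2
    check_directive PermitRootLogin no
    check_directive PasswordAuthentication no
    check_directive ListenAddress      # any explicit address, not every interface
    check_directive Banner
    echo "weak or missing settings: $AUDIT_WEAK"
    return "$AUDIT_WEAK"
}

# Constructed sample configs for a stand-alone run (not real server files).
HARDENED_CFG=$(mktemp); cat > "$HARDENED_CFG" <<'EOF'
Port 678
ListenAddress 65.1.5.1
Protocol 2
PermitRootLogin no
Banner /etc/ssh.go.txt
PasswordAuthentication no
EOF
DEFAULT_CFG=$(mktemp); cat > "$DEFAULT_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
audit_sshd_config "$HARDENED_CFG" || true   # 0 weak settings
audit_sshd_config "$DEFAULT_CFG"  || true   # 5 weak settings
```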
#2
12-19-2006, 04:49 AM
raj
Join Date: Jun 2005
Location: Hyderabad
Posts: 148

Rocky, I am not good at securing servers, but here is the command that will tell you if you are under attack. It will list failed login attempts along with the host/IP address:

Code:
grep -i 'authentication failure' /var/log/messages|awk '{ print $13 }' | cut -b7- | sort | uniq -c
Output:
Code:
      10 xxx.vnsl.in
      12 xxx.xxx.yyy.zzz
      56 xxx.xxx.yyy.zzz
__________________
Raj
Linux rulz.
I have never turned back in my life ; I shall not do so today.. haha
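An added example (not Raj's pipeline) that counts failures per source host from sshd's own "Failed password for ..." syslog lines; it takes the word after "from" rather than a fixed field, so lines with and without "invalid user" both parse, and the sample log is constructed here with RFC 5737 test addresses.

```shell
# Added example, not Raj's pipeline: per-host counts of sshd "Failed password"
# lines. PAM's "authentication failure ... rhost=" line records the same
# attempt (that is what Raj's grep counts), so use one form or the other,
# never both, or every attempt is counted twice.

failed_ssh_by_host() {  # failed_ssh_by_host LOGFILE -> "count host", busiest first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn
}

hosts_over_threshold() {  # hosts_over_threshold LOGFILE N -> hosts with >= N failures
    failed_ssh_by_host "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample syslog (RFC 5737 test addresses, not a real server).
LOG=$(mktemp); cat > "$LOG" <<'EOF'
Dec 19 04:40:01 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 19 04:40:03 web1 sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Dec 19 04:40:05 web1 sshd[2305]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Dec 19 04:41:10 web1 sshd[2310]: Failed password for rocky from 198.51.100.4 port 40022 ssh2
Dec 19 04:41:20 web1 sshd[2310]: Accepted publickey for rocky from 198.51.100.4 port 40022 ssh2
Dec 19 04:42:00 web1 sshd[2320]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
EOF

failed_ssh_by_host "$LOG"          # 3 203.0.113.7 then 1 198.51.100.4
echo "hosts with 3 or more failures:"
hosts_over_threshold "$LOG" 3      # 203.0.113.7
```

The host list from hosts_over_threshold is the input a firewall deny list or an alert would take; the PAM line in the sample is deliberately ignored so the count stays at one per attempt.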
#3
12-19-2006, 11:58 PM
B!n@ry
Join Date: Dec 2006
Location: /B!n@ry
My distro: openSuSE 10.2
Posts: 127

Well, this can be done by installing the csf firewall found here: http://www.configserver.com/cp/csf.html
It can do all of the following. This suite of scripts provides:

* Straight-forward SPI iptables firewall script
* Daemon process that checks for login authentication failures for:
o courier imap and pop3
o ssh
o non-ssl cpanel / whm / webmail (ssl cpanel/whm login tracking support available in EDGE release)
o pure-ftpd
o password protected web pages (htpasswd)
o mod_security failures
* POP3/IMAP login tracking to enforce logins per hour
* SSH login notification
* SU login notification
* Excessive connection blocking
* WHM configuration interface
* WHM iptables report log
* Easy upgrade between versions from within WHM
* Pre-configured to work on a cPanel server with all the standard cPanel ports open
* Auto-configures the SSH port if it's non-standard on installation
* Block traffic on unused server IP addresses - helps reduce the risk to your server
* Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
* Suspicious process reporting - reports potential exploits running on the server
* Excessive cPanel user processes reporting
* Excessive cPanel user process usage reporting and optional termination
* Suspicious file reporting - reports potential exploit files in /tmp and similar directories
* Directory and file watching - reports if a watched directory or a file changes
* Block traffic on the DShield Block List and the Spamhaus DROP List
* Pre-configured settings for Low, Medium or High firewall security
* Works with multiple ethernet devices
* Server Security Check - Performs a basic security and settings check on the server
* Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
* Alert sent if server load average remains high for a specified length of time


To enable ssh login failure detection, set:
LF_SSHD = "1"

__________________
LivE Free 0r DiE
L!nux rul3z aLL
#4
12-20-2006, 12:08 AM
SoFy
Join Date: Dec 2006
Posts: 3

You can use CSF with lfd, as B!n@ry says, or APF with BFD.
#5
12-20-2006, 12:27 AM
nixcraft
Join Date: Jan 2005
Location: BIOS
My distro: Any distro with shell
Posts: 964

B!n@ry, excellent find

This is new to me; generally I use apf or write iptables from scratch for clients. BFD is also good.
__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool
#6
12-20-2006, 12:35 AM
B!n@ry
Join Date: Dec 2006
Location: /B!n@ry
My distro: openSuSE 10.2
Posts: 127

Quote:
B!n@ry, excellent find
nixCraft, it's not a "find", it's installed on our servers

Quote:
generally I use apf or write iptables from scratch for client.
Ohhhh, man, all from scratch???? What a headache
__________________
LivE Free 0r DiE
L!nux rul3z aLL
#7
12-20-2006, 01:27 AM
monk
Join Date: Jan 2005
Location: Tibet
My distro: Debian GNU/Linux
Posts: 482

Why not disable password authentication? This will solve almost all problems.
Code:
PasswordAuthentication no
#8
12-20-2006, 01:30 AM
monk
Join Date: Jan 2005
Location: Tibet
My distro: Debian GNU/Linux
Posts: 482

Quote:
Originally Posted by B!n@ry
Ohhhh, man all from scratch ???? what a head ache
Sure, it is a pain, but sometimes you have to write everything from scratch. If you are setting up a cluster or complicated networking, APF or other scripts are not useful.

And not to mention you can make some good money by providing customized solutions.
#9
12-20-2006, 02:18 AM
sweta
Join Date: Feb 2005
Location: New Delhi
My distro: Suse, RHEL, Vista
Posts: 152

this post rockz

Make sure your file permissions on both ~/.ssh/* and server:~/.ssh/* are set to 0600. Your private key file id_rsa must be present only on your local Linux/UNIX workstation.

Check out the Top Ten Secure Shell FAQs: http://www.oreillynet.com/pub/a/orei...tips_0101.html
Quote:
Originally Posted by Bin@ry
nixCraft, its not a "find" its installed on our Servers
LOL ... do you have your own box for learning or for business??? I think nixcraft is not using any sort of CP, just a guess.

Bye
__________________
Friends - v-nessa - missyAdmin
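An added example (not sweta's own) that checks the permissions sweta describes on a .ssh directory, using a constructed demo directory so it runs stand-alone; it assumes POSIX find, where -perm with an exact octal mode matches only that mode.

```shell
# Added example, not sweta's own: report .ssh entries that are not 0700 (the
# directory) or 0600 (the files) and return how many are wrong, so a nonzero
# return means "run chmod" and the check can sit in a login or deploy script.

check_ssh_perms() {  # check_ssh_perms DIR -> returns count of entries with a wrong mode
    bad=0
    # the directory itself must be exactly 0700
    if [ -n "$(find "$1" -prune ! -perm 700)" ]; then
        echo "WRONG MODE (want 0700): $1"; bad=$((bad + 1))
    fi
    # every regular file inside (id_rsa, authorized_keys, config) must be 0600
    find "$1" -type f ! -perm 600 | sed 's/^/WRONG MODE (want 0600): /'
    n=$(find "$1" -type f ! -perm 600 | awk 'END { print NR }')
    bad=$((bad + n))
    echo "$bad entries need chmod"
    return "$bad"
}

# Constructed demo directory, not a real home: one correct key, one too-open file.
DEMO=$(mktemp -d)/.ssh
mkdir "$DEMO" && chmod 0700 "$DEMO"
: > "$DEMO/id_rsa";          chmod 0600 "$DEMO/id_rsa"
: > "$DEMO/authorized_keys"; chmod 0644 "$DEMO/authorized_keys"

check_ssh_perms "$DEMO" || true   # reports authorized_keys and returns 1
```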
#10
12-20-2006, 02:34 AM
nixcraft
Join Date: Jan 2005
Location: BIOS
My distro: Any distro with shell
Posts: 964

Here is the line from my pf firewall script:
Code:
pass inet proto tcp from any to any port 22 keep state (max-src-conn-rate 5 / 60)
My pf rule limits the connection rate to port 22 to five per minute. You can set it to 2 or anything else. It will stop an attacker who is trying an attack on the ssh server, as my firewall limits incoming requests to 5.

For iptables, see the tutorial written by our friends at debian-administration.org: http://www.debian-administration.org/articles/187

@sweta
I do use CPs for clients, but personally I don't use any CP. I was not aware of the csf firewall script or module. There are tons of such scripts.

@bin@ry
Hehe, yes, sometimes I do write it from scratch.

@monk
Buddy, don't give away our secrets in public; making money is not bad, I guess :P
__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool
Powered by vBulletin® Version 3.7.3 - Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.