Just wanted to get some feedback from the community. Over the last few days I have noticed attempts to ssh to my web server and email box using weird names like admin, appuser, nobody, etc. None of these are valid users. I know that I can block sshd altogether with iptables, but that will not work for us. I did a little research on Google and found programs like sshguard and sshdfilter. Just wanted to know if anyone had any experience with anything like these programs or has any other advice. I really appreciate it.

--
Bo Lynch
Lundgren, Andrew
2008-Jul-21 20:56 UTC
[CentOS] Ideas for stopping ssh brute force attacks
I have been using fail2ban to limit the attacks. It works exactly as they advertise and I am happy with it.

--
Andrew

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Bo Lynch
> Sent: Monday, July 21, 2008 2:43 PM
> To: centos at centos.org
> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>
> Just wanted to get some feedback from the community. [...]
The easiest way with CentOS on-board tools is the iptables recent module: simply limit the number of connections a host is allowed to make to the ssh port.

    # new chain for SSH connection attempts
    iptables -N SSHSCAN
    # send every new TCP connection to port 22 through it
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
    # record the source address in the "SSH" list
    iptables -A SSHSCAN -m recent --set --name SSH
    # drop it if it has been seen 3 times within the last 300 seconds
    iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

This limits each host to 3 connections within 5 minutes: enough to make bots stop, and still not too annoying for users who mistype their password 3x3 times.

On Mon, Jul 21, 2008 at 10:43 PM, Bo Lynch <blynch at ameliaschools.com> wrote:
> Just wanted to get some feedback from the community. [...]
Bo Lynch wrote:
> Just wanted to get some feedback from the community. [...]

Perhaps some FAQs on SSH at the CentOS wiki will help you out too.

http://wiki.centos.org/HowTos/Network/SecuringSSH

Regards,
Max
On Mon, Jul 21, 2008 at 3:43 PM, Bo Lynch <blynch at ameliaschools.com> wrote:
> Just wanted to get some feedback from the community. [...]

Possibly begin by not allowing root access. Don't use passwords, use keys.

http://wiki.centos.org/TipsAndTricks/SshTips/SshKeyAuthentication
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Bo Lynch
> Sent: Monday, July 21, 2008 3:43 PM
> To: centos at centos.org
> Subject: [CentOS] Ideas for stopping ssh brute force attacks
>
> Just wanted to get some feedback from the community. [...]

Just change the default port. You can also limit the allowed knocks on the door with iptables, but changing the port is much easier. Cleans up the logs real nice.

Dan
Bo Lynch wrote:
> Just wanted to get some feedback from the community. [...]

There's a page on the Wiki with a few suggestions for hardening SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

There are a number of measures you can take, and employing a few in combination is always a good idea. Strong passwords are a must, as is disabling root logins. Firewalling and/or key-based authentication with passwords disabled are great where that is possible. Moving SSH to a non-standard port will certainly reduce your levels of background noise but doesn't necessarily make your setup inherently more secure.

My personal opinion is that there is enough there to work with without having to resort to 3rd party add-ons :)
Bo Lynch wrote:
> Just wanted to get some feedback from the community. [...]

The simplest thing is to change the port. I know it's "security through obscurity", but it works well and can be used along with whatever other security enhancements you care to use.

--
Bowie
"Bo Lynch" <blynch at ameliaschools.com> wrote:
>> Just wanted to know if anyone had any experience with anything like these programs or has any other advice. <<

No need for any add-ons. Just do two things:

1. Disable password logins. In /etc/ssh/sshd_config, add

       PasswordAuthentication no

   Now you will have to authenticate by private key, but that's always been the best idea, anyway. Now the script kiddies can bang on your system all day and they won't get anywhere.

2. If the bandwidth they're wasting continues to annoy you, then rate-limit connections to the ssh port. Using the default firewall config in /etc/sysconfig/iptables, add this:

       # Rate limit connections to port 22 to slow SSH brute force attacks
       -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m limit --limit 1/minute
       # (as posted: this rule has no -j target, so it counts matches but takes no action)
       -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
       -A INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 180 --hitcount 3 -j DROP

   Then restart the iptables service. That'll slow them right down, if they can even figure out what's going on.

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
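The two settings Les recommends are worth verifying rather than assuming, because sshd_config uses the first uncommented occurrence of a keyword, not the last: appending PasswordAuthentication no below a stock PasswordAuthentication yes changes nothing. The script below is an added example for this thread, not Les Bell's or the CentOS project's code. It resolves the effective value the way sshd does and checks the three keywords that decide whether a guessing attack can succeed at all. The config it runs over is constructed to show exactly that pitfall, and /etc/ssh/sshd_config is only the conventional path.

```shell
#!/bin/sh
# Added example, not code from the thread: report the value sshd will
# actually use for a keyword and audit the settings that matter for
# brute-force resistance. sshd_config(5) semantics applied here: the
# FIRST uncommented occurrence of a keyword wins, keyword names are
# case-insensitive, and everything after a "Match" line is conditional,
# so it is not part of the global value. The sample config further down
# is constructed for this example; only the keyword names are real.

# sshd_effective FILE KEYWORD
#   prints the effective global value, or returns 1 if the keyword is
#   not set (sshd then falls back to its compiled-in default).
sshd_effective() {
    _file=$1; _key=$2
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # conditional section begins
        tolower($1) == tolower(key) { print $2; exit }   # first one wins
    ' "$_file")
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# sshd_audit FILE
#   prints one line per setting; returns 1 if any weak value is in effect.
#   "(not set)" is flagged too, because the compiled-in default depends
#   on the OpenSSH version and should be made explicit.
sshd_audit() {
    _file=$1; _weak=0

    _have=$(sshd_effective "$_file" PasswordAuthentication) || _have='(not set)'
    case $_have in
        no) echo "OK    PasswordAuthentication $_have" ;;
        *)  echo "WEAK  PasswordAuthentication $_have: passwords can be guessed"; _weak=1 ;;
    esac

    # With UsePAM yes, a password can still be sent through the
    # keyboard-interactive method unless this is also "no".
    _have=$(sshd_effective "$_file" ChallengeResponseAuthentication) || _have='(not set)'
    case $_have in
        no) echo "OK    ChallengeResponseAuthentication $_have" ;;
        *)  echo "WEAK  ChallengeResponseAuthentication $_have: keyboard-interactive still takes a password"; _weak=1 ;;
    esac

    _have=$(sshd_effective "$_file" PermitRootLogin) || _have='(not set)'
    case $_have in
        no|without-password|prohibit-password) echo "OK    PermitRootLogin $_have" ;;
        *)  echo "WEAK  PermitRootLogin $_have: root can be attacked directly"; _weak=1 ;;
    esac
    return $_weak
}

# Constructed sample: a stock-looking config where an admin appended
# "PasswordAuthentication no" at the end, as the advice above suggests.
# The earlier "yes" still wins.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

# appended later:
PasswordAuthentication no
'

# sample_config_file -> writes the sample to a temp file and prints its path
sample_config_file() {
    _f=$(mktemp 2>/dev/null) || _f=/tmp/sshd_config_sample.$$
    printf '%s' "$SAMPLE_SSHD_CONFIG" > "$_f"
    printf '%s\n' "$_f"
}
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; on the constructed sample it reports PasswordAuthentication as still "yes". On OpenSSH 5.1 and later, `sshd -T` prints the fully resolved configuration and is the authoritative check. After changing the file, reload sshd and confirm from a second session before closing the one you are in, so a mistake cannot lock you out.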
Spiro Harvey, Knossos Networks Ltd
2008-Jul-21 21:30 UTC
[CentOS] Ideas for stopping ssh brute force attacks
> iptables -N SSHSCAN
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
> iptables -A SSHSCAN -m recent --set --name SSH
> iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

Hey, this is awesome. We're currently filtering log files looking for multiple failed connections, then adding them to iptables for a few minutes. This is much cleaner. :)

Thanks.

--
Spiro Harvey
Knossos Networks Ltd
021-295-1923
www.knossos.net.nz
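Michael's rules, and Les Bell's variant earlier in the thread, both record the address with --set before testing it with --update, which means the third connection in the window is already dropped, not the fourth. The script below is an added example, not code from anyone in the thread: it builds the same chain with --update first, so --hitcount 3 really allows three attempts, adds a whitelist so your own management network is never counted, and shows how to read and clear the recent table when you do lock yourself out. It assumes iptables with the recent match (xt_recent, or ipt_recent on kernels before 2.6.28), sshd on port 22, and 192.0.2.0/24 as a stand-in for your admin network; none of those come from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread: the per-source SSH rate limit
# from the rules quoted above, as a dedicated chain with a whitelist and
# helpers for the "recent" table. Assumptions (not from the posts):
#   - iptables with the recent match (xt_recent; ipt_recent before 2.6.28)
#   - sshd listening on SSH_PORT (22)
#   - 192.0.2.0/24 is a placeholder for your management network

SSH_PORT=${SSH_PORT:-22}
SSH_WINDOW=${SSH_WINDOW:-300}     # seconds a source is remembered
SSH_HITS=${SSH_HITS:-3}           # new connections allowed per window
RECENT_NAME=${RECENT_NAME:-SSH}   # name of the recent table

# ssh_ratelimit_rules ADMIN_NET
#   Prints the rules in iptables-restore form for /etc/sysconfig/iptables.
#   The ":SSHSCAN" line belongs with the other chain declarations in the
#   *filter section; the -A INPUT line must precede the rule that
#   accepts port 22.
#   --update is tested BEFORE --set: the recent match only refreshes an
#   entry on --update when the rule matches, so attempts 1..SSH_HITS fall
#   through to --set and attempt SSH_HITS+1 is the first one dropped
#   (with --set first, attempt SSH_HITS itself is already dropped).
#   A dropped attempt still refreshes the entry, so a host that keeps
#   hammering stays blocked until it has been quiet for SSH_WINDOW.
ssh_ratelimit_rules() {
    _admin=$1
    cat <<EOF
:SSHSCAN - [0:0]
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSHSCAN
-A SSHSCAN -s $_admin -j RETURN
-A SSHSCAN -m recent --name $RECENT_NAME --update --seconds $SSH_WINDOW --hitcount $SSH_HITS -j DROP
-A SSHSCAN -m recent --name $RECENT_NAME --set
EOF
}

# ssh_ratelimit_install ADMIN_NET
#   Applies the same rules live (run as root); re-running rebuilds the chain.
ssh_ratelimit_install() {
    _admin=$1
    iptables -N SSHSCAN 2>/dev/null || iptables -F SSHSCAN
    # hook the chain into INPUT once, ahead of the rule that accepts port 22
    iptables -nL INPUT | grep -q '^SSHSCAN ' \
        || iptables -I INPUT 1 -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSHSCAN
    iptables -A SSHSCAN -s "$_admin" -j RETURN
    iptables -A SSHSCAN -m recent --name "$RECENT_NAME" --update \
        --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" -j DROP
    iptables -A SSHSCAN -m recent --name "$RECENT_NAME" --set
}

# recent_table -> prints the proc file behind the table, or returns 1
recent_table() {
    for _f in "/proc/net/xt_recent/$RECENT_NAME" "/proc/net/ipt_recent/$RECENT_NAME"; do
        if [ -e "$_f" ]; then printf '%s\n' "$_f"; return 0; fi
    done
    return 1
}

# ssh_ratelimit_show -> tracked addresses with their hit timestamps
ssh_ratelimit_show() {
    _t=$(recent_table) || { echo "no $RECENT_NAME table yet" >&2; return 1; }
    cat "$_t"
}

# ssh_ratelimit_forget ADDR -> release one address (e.g. your own after
#   three typos from a host outside ADMIN_NET); "-ADDR" works on both paths
ssh_ratelimit_forget() {
    _t=$(recent_table) || return 1
    echo "-$1" > "$_t"
}
```

Source the file and run `ssh_ratelimit_install 192.0.2.0/24` as root, or paste the output of `ssh_ratelimit_rules 192.0.2.0/24` into /etc/sysconfig/iptables as the comments describe. `ssh_ratelimit_show` lists the tracked addresses; `ssh_ratelimit_forget 198.51.100.7` releases one. The recent match keeps at most 100 addresses per table by default (the ip_list_tot module parameter), so under a broad distributed scan the oldest entries are evicted; that is one more reason to treat the rate limit as noise reduction and key-only authentication as the real control.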
"Lanny Marcus" <lmmailinglists at gmail.com> wrote:
>> The above link is mostly dead. The data isn't there yet. <<

I did a write-up on generating SSH keys on both Windows and Linux, along with some additional tips on OpenSSH configuration. It's at

http://www.lesbell.com.au/Home.nsf/web/SSH+for+Server+Administration?OpenDocument

if anyone needs it.

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Provided you have ssh set up to ensure that root cannot log in directly and/or that keys instead of passwords must be used, you aren't in much danger of being compromised. To ensure the logs are mostly kept clean, however, you need yet another solution such as changing the port, port-knocking, or a script such as fail2ban, denyhosts or blockhosts.

fail2ban is a script which writes blacklisted IPs to iptables, then denies them access to every service including ftp and http, not just ssh. Because I don't believe a solution such as fail2ban will scale (it can't be healthy having tens of thousands of IPs in iptables), I use denyhosts on my servers and have done so successfully for the past 12 months.

Denyhosts is a script which writes blacklisted IPs to hosts.deny, preventing them from accessing ssh as well as any other service which uses tcp wrappers. It has a truly wonderful feature where you can sync your results with a central server to share IPs for banning. This means my servers now have about 12000 IPs which are permanently blacklisted. There are just two disadvantages with denyhosts: with a large number of entries in hosts.deny, there is a noticeable delay (several seconds in my case) when logging in with ssh, and you can only deny requests which use tcp wrappers.

I've never used Blockhosts, but I believe it is similar to fail2ban, in that it can disallow blacklisted IPs from accessing any service, not just ssh.

Just one other thing: if you use a script, you need to be careful you don't accidentally ban your own IP (by entering a wrong password too many times) when accessing a remote server. :/

Whatever you decide to use, the more security you have, the more awkward it will be to access your own server/s.
Robert Moskowitz
2008-Jul-21 23:29 UTC
[CentOS] Ideas for stopping ssh brute force attacks
Bo Lynch wrote:
> Just wanted to get some feedback from the community. [...]

I have moved sshd to a different port number.
Michael Gabriel wrote:
> > Just wanted to get some feedback from the community. [...]

I don't know if anybody on this list tried SPA (Single Packet Authorization):

http://www.linuxjournal.com/article/9565

As another person mentioned earlier, the idea of using a VPN is very good. I use pfSense, and the VPN server inside gives the connecting user an address on a virtual subnet. Each user is given a distinct fixed IP address. Then it's easy to set up firewall rules based on what you allow the user to do. I do 10 Mbps symmetric with a "recycled" 1U Dell PowerEdge 350 (PIII/800, 512 MB RAM). We do QoS (we have 1 WME Streaming Server, 1 Darwin Streaming On Demand Server, FTP, DNS, SMTP, etc.). The CPU usage is very low. I love pfSense a lot. The only thing I struggled with a little was when I tried to authenticate the user with Active Directory (M$ IAS = RADIUS). It works, but I have yet to find a way to assign a fixed address to each user. I can do this if I use pfSense's integrated user manager (for VPN).

In another place, I use a CentOS box as a remote gateway using SSH. I changed the SSH port, use DenyHosts, force SSH v2 and forbid password login (SSH key login mandatory). I even got a VBS script for our Winblows users that uses plink (member of the PuTTY family) to connect, authenticate with keys and launch an RDP Terminal to connect to the Winblows Terminal Server (all this automated). The only prompt the user gets is for entering his remote login name (the user must know it or the connection will be refused). I did an installer (with Nullsoft's NSIS) so allowed Winblows users can easily install all this: the installer creates icons, protects SSH keys (NTFS encryption), etc. The installer is protected by a password.

Hope this helped!

Guy Boisvert, ing.
IngTegration inc.
"David Dyer-Bennet" <dd-b at dd-b.net> wrote:
>> Yes, but if there are *any* ports exposed, seems like those are equally possible. <<

Sort of. Changing the port used by sshd stops the completely clueless script kiddies, since they don't even bother looking at anything other than port 22. Putting it way up high, among the ephemeral ports, will slow down the slightly more clueful who perform nmap scans, since nmap only scans around 1500 ports by default, and if sshd isn't running on one of those, they won't spot it. However, it won't deter the intelligent or curious attacker; these guys will scan all ports (slowly, so you may not even notice them) and they will use banner enumeration to identify the services, rather than assuming.

Moving sshd to a non-standard port is one of the worst examples of relying on security by obscurity. Its only advantage is that it cuts out some noise in the logs, but proper precautions do that as well, without lulling you into a false sense of security. Rate limiting, combined with enforcement of really strong passwords, or even better, public/private key authentication, is real security.

A useful additional layer of defence, if you want it, is a daemon that will watch for port scans on the simple services ports and immediately insert a firewall rule to block that source - such as the old PortSentry, if you can find it, or some more modern equivalent. Of course, this won't do much to defend against some types of stealthy scans, such as idle time scans.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Ned Slider <ned at unixmail.co.uk> wrote:
>> I don't think anyone is suggesting running SSH on a non-standard port as a sole means of defence <<

I should hope not, but the point does bear making.

>> We should also remember that public/private key authentication is only as secure as the host the private key is stored on when keys without passphrases are employed (all too common where users don't want to trade using a password for a passphrase). <<

Another good point. This is why I strongly recommend the use of ssh-agent (or Pageant for those with a Windows desktop) as a mechanism for minimising the inconvenience of constant prompting for a strong key passphrase. Of course, this has to be coupled with awareness of the need to lock the workstation or unload the keys when leaving the desk.

The other piece of the puzzle is agent forwarding, so that I only need to keep a private key on my workstation, even when logging in to a gateway machine and then to a server beyond it. The private key file is always under my local physical control - in fact, the truly paranoid can keep their private keys on a USB device or a smartcard. Using this approach, I can sit at my university office desk, provide a passphrase once when loading a key into the ssh agent, and then connect through firewalls to machines in my home office, with no further prompting or inconvenience and very low probability of the private key being compromised.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Scott Silva <ssilva at sgvwater.com> wrote:
>> Portsentry is still available on sourceforge I believe. <<

Good call - http://sourceforge.net/projects/sentrytools/ shows they were uploaded back in 2003 and it looks like nothing has happened since then. There must be more modern equivalents, surely?

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909
On Wed, 23 Jul 2008 10:10:14 +1000, Les Bell wrote
> Scott Silva <ssilva at sgvwater.com> wrote:
> >> Portsentry is still available on sourceforge I believe. <<
>
> Good call - http://sourceforge.net/projects/sentrytools/ shows they were
> uploaded back in 2003 and it looks like nothing has happened since then.
> There must be more modern equivalents, surely?

I wrote a Perl daemon that I use to tail service log files. Initially it was a Postfix log scanner that looked for unknown address attempts, relay attempts, and honey pot email addresses that I embedded in my web pages. When any of these hits turned up in the mail log, the sender's IP was added to the iptables rules. My goal was to cut down on spam. It helped some, but not enough to call it a complete success. But it's very modular.

I started having some problems with brute force ftp attacks. Very annoying; kept filling up the log files (and my log partition) with chaff. So I wrote another module for my daemon to scan the ftp logs as well and firewall any IP that failed to log in after 10 tries (a 3 hour time out). This was very successful and now ftp crack attacks are a thing of the past.

I've never had ssh problems. My ssh port rules limited it to a few known IP addresses that I may need remote access from. But my Perl daemon could be easily expanded with another module to scan for ssh attacks. Provided you've got some Perl experience and time to hack (I'm hog-tied for the next while).

Scott

--
Registered Linux user #395249, http://counter.li.org
Nothing goes to waste when Little Fish are near! (http://www.littlefish.ca)
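The approach Scott describes (tail a log, count failures per source, firewall the offenders) is the same loop fail2ban and denyhosts run, and the self-ban an earlier post warned about is its classic failure mode. The script below is an added example, not Scott's daemon or any of those tools: it runs the counting and thresholding over constructed /var/log/secure lines and emits the ban in either hosts.deny or iptables form, with a whitelist so your own address is never a candidate. The log lines and the addresses (RFC 5737 documentation ranges) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the core loop behind fail2ban,
# denyhosts and the Perl daemon described above, run over constructed
# sshd log lines instead of a live /var/log/secure. It counts "Failed
# password" events per source address, applies a threshold and a
# whitelist (so you do not ban yourself after a few typos), and prints
# the ban in hosts.deny form (what denyhosts writes) or as iptables
# commands (what fail2ban runs).

# Constructed sample in /var/log/secure style (not a real capture);
# addresses are from RFC 5737 documentation ranges.
SAMPLE_SECURE_LOG='Jul 21 16:41:02 web1 sshd[4021]: Invalid user admin from 203.0.113.5
Jul 21 16:41:04 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Jul 21 16:41:07 web1 sshd[4025]: Failed password for invalid user appuser from 203.0.113.5 port 50018 ssh2
Jul 21 16:41:09 web1 sshd[4029]: Failed password for invalid user nobody from 203.0.113.5 port 50022 ssh2
Jul 21 16:41:11 web1 sshd[4033]: Failed password for root from 203.0.113.5 port 50030 ssh2
Jul 21 16:42:30 web1 sshd[4040]: Failed password for bo from 198.51.100.20 port 40100 ssh2
Jul 21 16:42:41 web1 sshd[4040]: Accepted publickey for bo from 198.51.100.20 port 40100 ssh2
Jul 21 16:43:00 web1 sshd[4051]: Failed password for invalid user test from 192.0.2.77 port 3310 ssh2
Jul 21 16:43:01 web1 sshd[4052]: Failed password for invalid user test from 192.0.2.77 port 3311 ssh2
Jul 21 16:43:02 web1 sshd[4053]: Failed password for invalid user test from 192.0.2.77 port 3312 ssh2'

# failed_login_counts < LOG -> "COUNT ADDRESS" lines, highest first.
#   Only "Failed password" lines are counted: sshd also logs an
#   "Invalid user" line for the same attempt, so counting both would
#   double-count unknown-user guesses.
failed_login_counts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (a in hits) print hits[a], a }
    ' | sort -rn
}

# ban_candidates THRESHOLD [WHITELISTED_ADDR...] < LOG
#   prints addresses with THRESHOLD or more failures, minus the whitelist.
ban_candidates() {
    _threshold=$1; shift
    failed_login_counts | while read -r _n _ip; do
        if [ "$_n" -ge "$_threshold" ]; then
            _skip=0
            for _w in "$@"; do
                [ "$_ip" = "$_w" ] && _skip=1
            done
            if [ "$_skip" -eq 0 ]; then
                printf '%s\n' "$_ip"
            fi
        fi
    done
}

# emit_bans FORMAT ADDR... -> the ban entries themselves
#   hosts.deny: tcp wrappers line, effective for every libwrap service
#   iptables:   per-address DROP, effective for everything on the box
emit_bans() {
    _fmt=$1; shift
    for _ip in "$@"; do
        case $_fmt in
            hosts.deny) printf 'sshd: %s\n' "$_ip" ;;
            iptables)   printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$_ip" ;;
            *) echo "emit_bans: unknown format $_fmt" >&2; return 2 ;;
        esac
    done
}
```

`printf '%s\n' "$SAMPLE_SECURE_LOG" | ban_candidates 3 198.51.100.20` prints 203.0.113.5 and 192.0.2.77; `emit_bans hosts.deny 203.0.113.5 192.0.2.77` turns them into tcp wrappers entries. Against a live box, feed it `tail -n 1000 /var/log/secure` from cron with your own addresses whitelisted. Unlike the real tools it has no time window (whatever you pipe in is the window) and it never expires a ban, which is exactly the growth problem the denyhosts post describes.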
David Mackintosh
2008-Jul-23 12:36 UTC
[CentOS] Ideas for stopping ssh brute force attacks
On Mon, Jul 21, 2008 at 04:43:11PM -0400, Bo Lynch wrote:
> Just wanted to get some feedback from the community. [...]

If you have a web server on the same system, you can use php and tcp wrappers to restrict ssh inbound traffic to known systems, plus give you a back-door key to permit yourself access from arbitrary systems on the internet.

http://wiki.xdroop.com/space/Linux/Limited+SSH+Access

--
David Mackintosh | dave at xdroop.com | http://www.xdroop.com
No method is perfect, but something that seems to work ok in practice is to just move ssh to a different TCP port, and -j DROP the unused ports. Failproof? No, but it reduces the noise tremendously. If the script kiddies learn the new port (unlikely), either move it to another port, or apply one of the other methods already recommended in this thread.

--
Florin Andrei
http://florin.myip.org/
Florin Andrei wrote:
> Bowie Bailey wrote:
> >
> > I know it's "security through obscurity"
>
> That's not necessarily a bad thing.
>
> It is bad if it's the _only_ protection.

Right. I was just trying to head off the inevitable objections. Not that it worked... :)

--
Bowie