April 12th, 2009 Category: Linux Server
As written in a previous article, Defending Against SSH Attacks, I think it is really worth installing a tool like denyhosts. For about 5 days now denyhosts has been blocking IP addresses from all over the world every few minutes; in total there are now more than 550 different blocked IP addresses.
The reason seems to be that the IP address of my server has been added to a bot network that tries to hack servers using SSH brute force attacks. As far as I know such bot networks are built up with viruses and Trojans. I see no reason why your server could not have been added to such a list as well; somehow IP addresses seem to get added.
But the question is how to defend against such brute force attacks from bot networks?
Known Methods
- Install a tool like denyhosts
- Always keep the SSH daemon up to date!
- Move the SSH port from 22 to some other port
- Disable password authentication and use key authentication
- Limit the number of connections from the same IP using iptables and the “recent” module
- Open the SSH port after a trigger on a different port using iptables
I think there is one additional easy method to defend against such attacks. Why do I think so? Read on.
Another Simple Method
When checking the auth.log we see that the user names used in the attacks are taken from a dictionary:
Failed keyboard-interactive/pam for invalid user aderes from 195.xxx.xxx.xx port 39566 ssh2
Failed keyboard-interactive/pam for invalid user aderyn from 203.xxx.xxx.xx port 44099 ssh2
Failed keyboard-interactive/pam for invalid user adi from 78.xxx.xxx.xx port 42748 ssh2
Failed keyboard-interactive/pam for invalid user adia from 89. port 51028 ssh2
Failed keyboard-interactive/pam for invalid user adiel from 217. port 33861 ssh2
Failed keyboard-interactive/pam for invalid user adila from 77. port 52867 ssh2
It seems that the bots do not add digits to the user names. So I think one easy method to defend against such attacks is:
- add at least one digit to user names on your server if you have the possibility
And definitely never ever add a user “admin”. In my logs the user “admin” is always used for brute force attacks:
Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 39711 ssh2
Failed keyboard-interactive/pam for invalid user admin from 203.xxx.xxx.xx port 55493 ssh2
Failed keyboard-interactive/pam for invalid user admin from 220.xxx.xxx.xx port 34502 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 51846 ssh2
Failed keyboard-interactive/pam for invalid user admin from 80.xxx.xxx.xx port 53934 ssh2
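To check this observation against your own auth.log instead of eyeballing it, here is a small Python script, added here and not part of the original post, that parses the failure lines, counts attempts per user name and per source IP, and reports how many of the tried names contain a digit. The log lines embedded in it are constructed in the shape of the excerpt above, with documentation IP addresses.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the auth.log excerpt above
# (the IP addresses are documentation ranges, not real attackers).
SAMPLE_LOG = """\
Failed keyboard-interactive/pam for invalid user aderes from 192.0.2.10 port 39566 ssh2
Failed keyboard-interactive/pam for invalid user aderyn from 203.0.113.5 port 44099 ssh2
Failed keyboard-interactive/pam for invalid user adi from 198.51.100.7 port 42748 ssh2
Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 39711 ssh2
Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 55493 ssh2
Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 34502 ssh2
Failed keyboard-interactive/pam for invalid user web42 from 198.51.100.7 port 51846 ssh2
Accepted publickey for alice7 from 192.0.2.99 port 50000 ssh2
"""

# Matches "Failed keyboard-interactive/pam ..." and "Failed password ..." lines
# for invalid users; search() also copes with a leading syslog timestamp/host prefix.
FAILED_RE = re.compile(
    r"Failed \S+ for invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text):
    """Return (user, ip) pairs for every invalid-user failure in the log text."""
    pairs = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def summarize(pairs):
    """Aggregate the failures: most tried names, busiest sources, and how many
    of the distinct tried names contain a digit (the observation in the post)."""
    users = Counter(u for u, _ in pairs)
    ips = Counter(ip for _, ip in pairs)
    with_digit = sum(1 for u in users if any(c.isdigit() for c in u))
    return {
        "attempts": len(pairs),
        "distinct_users": len(users),
        "users_with_digit": with_digit,
        "top_users": users.most_common(3),
        "top_ips": ips.most_common(3),
    }

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/auth.log").read() on a real server.
    for key, value in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```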
Written on April 12, 2009 | Posted in Linux Server
April 10th, 2009 Category: iPhone
Definitely a useful tool for network administrators or people dealing with Linux servers: TouchTerm. Two versions are available, light and pro. I’m running the light version on my iPhone. The pro version comes with gestures, additional plug-ins and more.
TouchTerm supports landscape mode as well. SSH connections are managed with a session manager, which makes it unnecessary to enter host names for every connection.
Written on April 10, 2009 | Posted in iPhone
February 21st, 2009 Category: General, Linux
Annoyed of typing login passwords?
If your desktop runs Windows and you often connect to remote servers using SSH, you already know PuTTY. You will also know that it gets frustrating to enter the password every time. There is a simple way to log in to remote machines using RSA/DSA keys.
What is needed?
First of all you will need to download PuTTY.exe, and to generate the keys on your Windows desktop you will need to download PuTTYgen.exe as well.
Key Generation
Start PuTTYgen.exe after the download and press the Generate button. Now follow the instructions and move the mouse cursor over the indicated area. I’ve used the default parameter [x] SSH-2 RSA with a key length of 1024 bits.
I leave the Key passphrase empty because I don’t want to enter any passwords during login.
To have the key available later for other servers, use the “Save public key” and “Save private key” buttons. My private key is saved as haifisch.ppk and my public key as haifisch. By the way, haifisch is German and means shark.
Now select the generated public key shown in the PuTTYgen window, copy it to the clipboard and paste it into the ~/.ssh/authorized_keys file of the user you want to log in as on the remote server.
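A caveat on the paste step: the file PuTTYgen writes with “Save public key” is in RFC 4716 format (a “---- BEGIN SSH2 PUBLIC KEY ----” block), which sshd does not accept in authorized_keys; the one-line form is the text shown in the PuTTYgen window, and on the server ssh-keygen -i -f haifisch performs the same conversion. The Python example below is added here and is not part of the original post: it converts such a saved file into an authorized_keys line, prints a SHA256 fingerprint to compare against, and appends the key once with the permissions sshd requires. The sample key block is constructed from dummy numbers and is not a usable key.

```python
import base64, hashlib, os, struct

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample in the layout PuTTYgen's "Save public key" writes (RFC 4716).
# The key body is built from tiny dummy numbers so the example runs offline.
_DUMMY_BLOB = (_ssh_string(b"ssh-rsa")
               + _ssh_string(b"\x01\x00\x01")       # e = 65537
               + _ssh_string(b"\x00\xc0\xff\xee"))  # n; leading 0x00 keeps the mpint positive
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
                  'Comment: "rsa-key-20090221"\n'
                  + base64.b64encode(_DUMMY_BLOB).decode() + "\n"
                  "---- END SSH2 PUBLIC KEY ----\n")

def rfc4716_to_openssh(text):
    """Turn an RFC 4716 block into the one-line form sshd reads from authorized_keys."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("not an RFC 4716 public key block")
    comment, body = "", []
    for line in lines[1:]:
        if line.startswith("---- END"):
            break
        if ":" in line:                        # header line (base64 never contains ':')
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
    blob = base64.b64decode("".join(body))
    (klen,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + klen].decode()        # read from the blob itself, e.g. "ssh-rsa"
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def fingerprint(line):
    """SHA256 fingerprint in the form modern ssh-keygen -l prints."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def install_key(line, path):
    """Append the key to authorized_keys only if not already present, then set the
    permissions sshd insists on (0700 directory, 0600 file). Returns True if added."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    present = []
    if os.path.exists(path):
        with open(path) as fh:
            present = [l.split()[:2] for l in fh if l.strip()]
    added = line.split()[:2] not in present   # compare type and key blob, not the comment
    if added:
        with open(path, "a") as fh:
            fh.write(line + "\n")
    os.chmod(path, 0o600)
    return added
```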
PuTTY Configuration
The keys have been generated and stored on the remote server, so PuTTYgen can be closed now; from here on PuTTY.exe is needed.
In PuTTY, under the item “Session”, enter the host name of the remote server and choose the connection type SSH. Next choose “Connection/Data” and enter the remote user name. The previously generated private key is also needed; it is specified under “Connection/SSH/Auth” using the “Browse” button. In my case it is haifisch.ppk.
When all settings are done go back to “Session”, enter a name for this session and press “Save”.
That’s it. Try it by double clicking on the saved session.
Login via Desktop Icon
If you want a desktop icon that opens PuTTY and logs into a remote server, create a file, e.g. www.myserver.com.bat, with the content:
start C:\temp\putty\putty.exe -load "Session Name in PuTTY"
Now create a shortcut to this batch file on your desktop and log in by double clicking it.
Written on February 21, 2009 | Posted in General, Linux
December 30th, 2008 Category: Linux Server
As soon as you put a server online you will notice many, many attempts to access the SSH port, like these:
Dec 28 06:48:11 hostname sshd[12258]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somewhere
Dec 28 06:48:12 hostname sshd[12256]: error: PAM: User not known to the underlying authentication module for illegal user saman from somehost.somewhere
Dec 28 06:48:13 hostname sshd[12256]: Failed keyboard-interactive/pam for invalid user saman from xx.xxx.xx.xxx port 27751 ssh2
Annoying script kids… An easy method to protect at least a little against such attacks is a tool called denyhosts. I use it on all my servers because it is easy to install. denyhosts automatically blocks SSH attackers by adding entries to /etc/hosts.deny.
On Debian Etch the installation is really simple:
apt-get install denyhosts
Next edit /etc/denyhosts.conf and change:
PURGE_DENY = 1w
PURGE_THRESHOLD = 0
and start the daemon:
/etc/init.d/denyhosts start
That’s all. Sure, it is not a perfect solution that helps against everything, but nevertheless it will increase your security.
All you have to do now is wait and check /etc/hosts.deny. Depending on your configuration denyhosts will automatically delete expired entries.
Written on December 30, 2008 | Posted in Linux Server