Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: block ssh attach

  1. Default block ssh attach

    hi

    i have a machine who run opensuse 11.2 with a sshd server open

    in /etc/sysconfig/SuSEfirewall2 file i have

    Code:
    FW_CONFIGURATIONS_EXT="sshd"
    FW_SERVICES_EXT_TCP=""
    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    i checked in the log and i have

    Code:
    Apr 10 19:07:57 linux-d1x3 sshd[4569]: Invalid user oracle from 80.191.117.91
    Apr 10 19:08:00 linux-d1x3 sshd[4572]: Invalid user oracle from 80.191.117.91
    Apr 10 19:08:03 linux-d1x3 sshd[4575]: Invalid user test from 80.191.117.91
    Apr 10 19:08:05 linux-d1x3 sshd[4579]: Invalid user test from 80.191.117.91
    Apr 10 19:08:08 linux-d1x3 sshd[4582]: Invalid user test from 80.191.117.91
    Apr 10 19:08:10 linux-d1x3 sshd[4585]: Invalid user test from 80.191.117.91
    Apr 10 19:08:13 linux-d1x3 sshd[4588]: Invalid user test from 80.191.117.91
    Apr 10 19:08:16 linux-d1x3 sshd[4591]: Invalid user test1 from 80.191.117.91
    Apr 10 19:08:18 linux-d1x3 sshd[4595]: Invalid user test from 80.191.117.91
    Apr 10 19:08:21 linux-d1x3 sshd[4598]: Invalid user cvsuser from 80.191.117.91
    Apr 10 19:08:29 linux-d1x3 sshd[4609]: Invalid user user1 from 80.191.117.91
    Apr 10 19:08:31 linux-d1x3 sshd[4613]: Invalid user user1 from 80.191.117.91
    Apr 10 19:08:34 linux-d1x3 sshd[4616]: Invalid user ftpuser from 80.191.117.91
    
    Apr 16 15:03:12 linux-d1x3 sshd[19738]: Invalid user jeffrey from 202.107.209.33
    Apr 16 15:03:14 linux-d1x3 sshd[19743]: Invalid user andres from 202.107.209.33
    Apr 16 15:03:17 linux-d1x3 sshd[19786]: Invalid user andrei from 202.107.209.33
    Apr 16 15:03:19 linux-d1x3 sshd[19811]: Invalid user vincent from 202.107.209.33
    Apr 16 15:03:21 linux-d1x3 sshd[19815]: Invalid user tina from 202.107.209.33
    Apr 16 15:03:24 linux-d1x3 sshd[19820]: Invalid user roland from 202.107.209.33
    Apr 16 15:03:26 linux-d1x3 sshd[19824]: Invalid user kim from 202.107.209.33
    Apr 16 15:03:28 linux-d1x3 sshd[19828]: Invalid user gnats from 202.107.209.33
    Apr 16 15:03:30 linux-d1x3 sshd[19832]: Invalid user elizabeth from 202.107.209.33
    Apr 16 15:03:33 linux-d1x3 sshd[19836]: Invalid user content from 202.107.209.33
    so the hacker try to connect every 3 seconds...
    so FW_SERVICES_ACCEPT_EXT don't seem to do its job...


    on the web, some people put FW_CONFIGURATIONS_EXT empty
    i don't really understand why... it's it ok to put nothing when we want to allow ssh?

    how to block the ip after 2 failed attempts?

    in /etc/ssh/sshd_config i put
    MaxAuthTries 3

    don't know if that will stop the hacker to try to connect every 3 seconds?

    any help?
    thanks

  2. #2

    Default Re: block ssh attach

    I did a little bit of google search and one result from bugzilla discussion was related to the fact that "the first firewall rule will apply <<as is>> so conesquently the next settings will be ignored".

    This would be the explanation to
    on the web, some people put FW_CONFIGURATIONS_EXT empty
    if

    FW_CONFIGURATIONS_EXT="sshd"

    is the first rule in the chain it will work as it is - no limitations

    and

    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    is later in the table.

    I might be wrong about it since I can't look at the moment to the rules / documentation but I think it's worth trying to leave that line empty and use only the second one.

    The discussion is available here.

    Cheers

    PS

    Another useful thing to make it hard for the script kiddies would be to change the default sshd port and ask your users to use key auth instead of the normal user / pass.

  3. #3
    Vahis NNTP User

    Default Re: block ssh attach

    On 04/17/2010 10:26 AM, collinm wrote:
    >
    > hi
    >
    > i have a machine who run opensuse 11.2 with a sshd server open
    >
    > i checked in the log and i have
    >
    >
    > Code:
    > --------------------
    > Apr 10 19:07:57 linux-d1x3 sshd[4569]: Invalid user oracle from 80.191.117.91
    > Apr 10 19:08:00 linux-d1x3 sshd[4572]: Invalid user oracle from 80.191.117.91


    <snip>

    > --------------------
    >
    >
    > so the hacker try to connect every 3 seconds...


    The most important thing, as always, is to have strong passwords.
    You should be fine, those attempt are just usual noise then.

    But if you want to know

    > how to block the ip after 2 failed attempts?


    see my instructions here:

    http://waxborg.servepics.com/howto/harden-ssh

    Vahis
    --
    http://waxborg.servepics.com
    openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
    15:00pm up 22 days 18:18, 14 users, load average: 0.23, 0.20, 0.11

  4. Default Re: block ssh attach

    thanks a lot for all theses informations

  5. #5
    Join Date
    Jul 2008
    Location
    Bellevue, WA
    Posts
    14,114

    Default Re: block ssh attach

    On Sat, 17 Apr 2010 07:26:01 +0000, collinm wrote:

    > in /etc/ssh/sshd_config i put
    > MaxAuthTries 3
    >
    > don't know if that will stop the hacker to try to connect every 3
    > seconds?


    You might try looking at fail2ban - I've not used it (yet, but
    coincidentally I noticed someone trying to hack into my ftp server last
    night and just set a firewall rule to deal with it), but I hear it's
    pretty good at dealing with this kind of thing.

    What you've put in won't block them, but will just reset the
    authentication cycle IIRC (ie, the password prompt for interactive
    attempts would ask 3 times and then fail, and they'd have to start over).

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator

  6. #6
    Vahis NNTP User

    Default Re: block ssh attach

    On 04/17/2010 06:56 PM, collinm wrote:
    >
    > thanks a lot for all theses informations
    >
    >


    Blockhosts just got added to OBS:
    http://software.opensuse.org/search?...L&q=blockhosts

    I changed the one I had to that one, works perfectly

    Vahis
    --
    http://waxborg.servepics.com
    openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
    22:13pm up 23 days 1:31, 15 users, load average: 0.01, 0.07, 0.16

  7. #7

    Default Re: block ssh attach

    The more often I read this great advice of installing a tool like fail2ban/blockhosts etc. to "improve security" or even to "block an attack", the more I wish something like this

    Attacking Log Analysis tools

    will happen again, soon (the sooner the better).

    This is even more true if this "attack" is the standard "background noise" of the internet today.
    Never attribute to malice that which can be adequately explained by stupidity. (R.J. Hanlon)

  8. #8
    Vahis NNTP User

    Default Re: block ssh attach

    On 04/18/2010 05:36 PM, Akoellh wrote:
    >
    > The more often I read this great advice of installing a tool like
    > fail2ban/blockhosts etc. to "improve security" or even to "block an
    > attack", the more I wish something like this
    >
    > 'Attacking Log Analysis tools'
    > (http://www.ossec.net/main/attacking-log-analysis-tools)
    >
    > will happen again, soon (the sooner the better).
    >
    > This is even more true if this "attack" is the standard "background
    > noise" of the internet today.
    >
    >


    There it says that the attacker can attempt to log in by hiding the real
    IP and thus being allowed to attempt to log in.

    He still can't log in, just attempt to.

    Blockhosts and similar only keep logs tidier if you like, nothing else.
    They are not security measures in any manner.

    Vahis
    --
    http://waxborg.servepics.com
    openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
    18:46pm up 23 days 22:04, 15 users, load average: 0.20, 0.33, 0.30

  9. #9

    Default Re: block ssh attach

    Quote Originally Posted by Vahis View Post
    Blockhosts and similar only keep logs tidier if you like, nothing else.
    There is something else, they open up another potential attack vector, for no reason.

    And as ....

    Quote Originally Posted by Vahis View Post
    They are not security measures in any manner.
    .. it does not make real sense to use them.
    Never attribute to malice that which can be adequately explained by stupidity. (R.J. Hanlon)

  10. #10
    Vahis NNTP User

    Default Re: block ssh attach

    On 04/18/2010 07:06 PM, Akoellh wrote:
    >
    > Vahis;2154268 Wrote:
    >> Blockhosts and similar only keep logs tidier if you like, nothing else.

    >
    > There is something else, they open up another potential attack vector,
    > for no reason.
    >
    > And as ....
    >
    > Vahis;2154268 Wrote:
    >>
    >> They are not security measures in any manner.

    >
    > . it does not make real sense to use them.
    >
    >


    I agree. Like I wrote to OP:

    "The most important thing, as always, is to have strong passwords".

    "Strong" can be discussed, of course.

    Mine are over 20 characters, with numbers and upper and lower case mixed.

    They or parts of them can't be found in any dictionary in any language.

    That's how I _think_ I've kept them strong.

    Vahis
    --
    http://waxborg.servepics.com
    openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
    19:12pm up 23 days 22:30, 15 users, load average: 0.20, 0.20, 0.19

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •