I’ve noticed over the past week in the /var/log/messages file the following lines:
Oct 27 10:03:41 mutalisk sshd[16097]: Invalid user alecz from 119.188.7.48
Oct 27 10:03:43 mutalisk sshd[16100]: Invalid user nickelan from 119.188.7.48
Oct 27 10:03:46 mutalisk sshd[16104]: Invalid user nickelan from 119.188.7.48
Oct 27 10:03:53 mutalisk sshd[16113]: Invalid user stella from 119.188.7.48
Oct 27 10:03:55 mutalisk sshd[16117]: Invalid user ernie from 119.188.7.48
Oct 27 10:04:14 mutalisk sshd[16143]: Invalid user doodz from 119.188.7.48
Oct 27 10:04:28 mutalisk sshd[16163]: Invalid user admin from 119.188.7.48
Oct 27 10:04:30 mutalisk sshd[16167]: Invalid user test from 119.188.7.48
Oct 28 13:47:28 mutalisk sshd[28174]: Invalid user oracle from 119.161.145.205
Oct 28 13:47:31 mutalisk sshd[28178]: Invalid user oracle from 119.161.145.205
Oct 28 13:47:34 mutalisk sshd[28181]: Invalid user oracle from 119.161.145.205
Oct 28 13:47:38 mutalisk sshd[28184]: Invalid user oracle from 119.161.145.205
Oct 28 13:47:41 mutalisk sshd[28188]: Invalid user apache from 119.161.145.205
Oct 28 13:47:45 mutalisk sshd[28192]: Invalid user apache from 119.161.145.205
Oct 28 13:47:48 mutalisk sshd[28195]: Invalid user scan from 119.161.145.205
Oct 28 13:47:51 mutalisk sshd[28199]: Invalid user paulo from 119.161.145.205
Oct 28 13:47:54 mutalisk sshd[28203]: Invalid user paulo from 119.161.145.205
Oct 28 13:47:57 mutalisk sshd[28206]: Invalid user nagios from 119.161.145.205
Oct 28 13:48:00 mutalisk sshd[28211]: Invalid user nagios from 119.161.145.205
Oct 28 13:48:04 mutalisk sshd[28214]: Invalid user nagios from 119.161.145.205
Oct 28 13:48:10 mutalisk sshd[28221]: Invalid user info from 119.161.145.205
Obviously somebody is trying to break into my Suse 11.4 box from the Internet. My question is, what does Suse do to counteract this? And is there any way I can deny these attempts better than it’s currently being handled? My main issue is the IP of the box that’s attempting to break in changes every few minutes, or it stops and then tries again later (like in the example above).
> Obviously somebody is trying to break into my Suse 11.4 box from the
> Internet. My question is, what does Suse do to counteract this?
Well, you have the sshd service active, so it will do nothing. It is warning
you of the repeated attempts.
> And is
> there any way I can deny these attempts better than it’s currently being
> handled? My main issue is the IP of the box that’s attempting to break
> in changes every few min, or it stops and then tries again later (like
> in the example above).
Use the FW_SERVICES_ACCEPT_EXT variable in the /etc/sysconfig/SuSEfirewall2
file.
Also, you can do other things, like moving sshd to another port, using key
pairs instead of passwords… I think you can also only allow ssh access to
a group of users.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 30.10.2011 17:36, PsychoGTI wrote:
>
> Hello,
>
> I’ve noticed over the past week in the /var/log/messages file the
> following lines:
>
>
> Code:
> --------------------
>
> Oct 27 10:03:41 mutalisk sshd[16097]: Invalid user alecz from 119.188.7.48
>
> Obviously somebody is trying to break into my Suse 11.4 box from the
> Internet. My question is, what does Suse do to counteract this?
If you like, you can stop that noise easily.
I’m assuming here that the normal stuff is done already to start with
and so that is just noise.
I wrote some notes some time ago about a script called ‘blockhosts’.
Works like a charm and it’s nowadays available also from the repos.
Change your search engine to Suse and look for it, then use 1-click install.
I’ll describe what I am doing. And I’ll describe it for 3 computers: desktop, laptop, work. The work system is a desktop at my work. The others are at home.
For all of those systems, I use public key authentication. I have configured sshd to only allow public key authentication. Because of that, I am not at all concerned about somebody breaking in. It simply isn’t going to happen. So the only actual concern I have, is with logs filling up.
On the work machine, I do nothing beyond the use of public key authentication. I probably should check the size of the log files from time to time, but they have not grown so large as to be a problem. The work machine is running all the time, and exposed to the Internet.
On my laptop, I do nothing beyond use of public key authentication. However, most of the time the laptop is behind the home router and port 22 is not exposed to the Internet. Just about the only logins are from me on my desktop.
On my desktop, I do have port forwarding set so that port 22 is exposed to the Internet. To reduce the noise in the logs, I have lines in “/etc/hosts.allow” and “/etc/hosts.deny” to allow ssh access only from localhost, from my home LAN, and from a block of IPs at work. I am unlikely to want to connect from elsewhere but if that is ever needed, I could go through my work machine.
I’ll take a look at the SSH config and secure guides posted. Thanks for the tip!
I’m unclear as to how the FW_SERVICES_ACCEPT_EXT field will help me out. Do you have any insight into this? I’ve already got the firewall locked so it’s just the ports I need that are open both on my Suse Firewall as well as the router firewall.
I was thinking of changing the port number. I don’t think I can use the public key authentication method as I use NX a lot, which carries through an SSH tunnel. I don’t see at the moment how I would configure that using just the PKI key. (It might be able to, but I have to explore this more).
I don’t mind the reporting level. I’m not trying to hide it, in fact I’m very happy that I came across it.
I’ll install your script tonight and see if I can dynamically lock out the suspect IP’s. Thanks for this one, looks like this should do it. I was hoping that Suse would have a way to do this already, but guess not.
Another thought that came to mind would be limiting the user accounts that SSH accepts. Make it so that root and all other accounts except my user account cannot log into the box… I’ll have to look for how to set the account access lists as well… With all of this combined, I think I will be fairly safe. (Hopefully, knock on wood).
Awesome, script works well. Only thing is it’s a one-time run script. So I’ve made an entry into the crontab to run it every couple of minutes seeing as this is a constant issue at this time, and want to block them as soon as it’s detected. I might scale it back after a couple of weeks if this problem disappears.
> robin_listas;2398857 Wrote:
>>
>> Use the FW_SERVICES_ACCEPT_EXT variable in the
>> /etc/sysconfig/SuSEfirewall2
>> file.
>>
>
> I’m unclear as to how the FW_SERVICES_ACCEPT_EXT field will help me
> out. Do you have any insight into this? I’ve already got the firewall
> locked so it’s just the ports I need that are open both on my Suse
> Firewall as well as the router firewall.
It is documented in that file, you just have to look at it.
It denies repeated failed connection attempts.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
> I’ll install your script tonight and see if I can dynamically lock out
> the suspect IP’s. Thanks for this one, looks like this should do it. I
> was hoping that Suse would have a way to do this already, but guess
> not.
It does, I told you about it.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
WOW… FAIL ON MY PART. Sorry Carlos, you’re right. I must have been reading something else in the config file. There’s even an example there using SSH to help me out.
I’ve set it up for a day ban, as the attempts seem to cycle over the course of a day. Combined with the script which I’ve set up to ban the IP’s for 2 months… I should hopefully eliminate this issue.
On 31.10.2011 03:16, PsychoGTI wrote:
>
> Vahis;2398861 Wrote:
>>
>> I wrote some notes some time ago about a script called ‘blockhosts’
>>
>> Works like a charm and it’s nowadays available also from the repos.
>> Change your search engine to Suse and look for it, then use 1-click
>> install.
>>
>> Here’s my notes:
>> ‘harden ssh | Waxborg’ (http://waxborg.servepics.com/howto/harden-ssh)
>>
>> After David Bolt put it to the repos there’s nowadays some unnecessary
>> steps there
>>
>
> Awesome, script works well. Only thing is it’s a one-time run script.
It works every time when there is an invalid attempt.
It blocks the IP for a certain time. A few hours is enough.
If you block the addresses for long times your list becomes very long.
Now this list must be read every time and it makes things slower.
> So I’ve made an entry into the crontab to run it every couple minutes
> seeing as this is a constant issue at this time, and want to block them
> as soon as it’s detected.
The attempt itself launches the script. No need for a cron job.
Just make sure you set it up right.
> I might scale it back after a couple weeks if
> this problem disappears.
This will not disappear. Believe me.
Vahis
http://waxborg.servepics.com
openSUSE 11.4 (x86_64) 2.6.37.6-0.7-default main host
openSUSE 12.1 RC 1 (x86_64) 3.1.0-rc9-1-desktop in VirtualBox
openSUSE 11.4 (i586) 3.0.7-45-desktop “Tumbleweed” in EeePC 900
On 31.10.2011 03:16, PsychoGTI wrote:
>
> Vahis;2398861 Wrote:
>>
>> ‘harden ssh | Waxborg’ (http://waxborg.servepics.com/howto/harden-ssh)
>>
>> After David Bolt put it to the repos there’s nowadays some unnecessary
>> steps there
>
> I might scale it back after a couple weeks if
> this problem disappears.
>
If you want to see where these attempts come from and how many they are,
open a terminal, become root and copy/paste this to the terminal:
grep 'Invalid user' /var/log/messages |
  awk '{ ip_array[$10]++ }
       END { for (ip_address in ip_array)
               print "FROM", ip_address, "there were", ip_array[ip_address], "attempts" }' | less
Vahis
http://waxborg.servepics.com
openSUSE 11.4 (x86_64) 2.6.37.6-0.7-default main host
openSUSE 12.1 RC 1 (x86_64) 3.1.0-rc9-1-desktop in VirtualBox
openSUSE 11.4 (i586) 3.0.7-45-desktop “Tumbleweed” in EeePC 900
fail2ban is available for openSUSE (in the standard repo) and for most Linux distros and does a relatively good job. It blocks any IP on any port after a certain number of attempts to connect, that you can define. You can also write your own filters and jails: MANUAL 0 8 - Fail2ban
> WOW… FAIL ON MY PART. Sorry Carlos, you’re right. I must have been
> reading something else in the config file. There’s even an example there
> using SSH to help me out.
It denies access to an IP that tries ssh and fails 3 times in one minute,
as given in the example, and it works at the firewall level.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
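As an added example, not from Carlos’s posts or from the SuSEfirewall2 package itself: the two forms an ssh entry in FW_SERVICES_ACCEPT_EXT can take, side by side, plus a small check that reports which form a given value uses. The hitcount=/blockseconds=/recentname= syntax is written from memory of the commented example shipped in /etc/sysconfig/SuSEfirewall2; treat it as an assumption and confirm it against the comments in your own copy of the file.

```shell
#!/bin/sh
# Added example, not from the thread or from the SuSEfirewall2 package.
# Two forms of an ssh entry in FW_SERVICES_ACCEPT_EXT, and a check that
# reports which one a given value contains. The hitcount=/blockseconds=/
# recentname= syntax is written from memory of the commented example in
# /etc/sysconfig/SuSEfirewall2 (assumption: verify against your own copy).

# Unlimited: accept tcp/22 from anywhere; every connection attempt reaches
# sshd and every bad guess lands in /var/log/messages.
SSH_RULE_OPEN="0/0,tcp,22"

# Rate-limited: once a source has opened 3 connections to tcp/22 within 60 s,
# its further connections are dropped for 60 s. The block is enforced by the
# packet filter, so sshd never sees (or logs) the excess attempts.
SSH_RULE_LIMITED="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

# classify_ssh_rule "VALUE"
# VALUE is the contents of FW_SERVICES_ACCEPT_EXT (space-separated rules).
# Prints: limited (tcp/22 rule carrying hitcount=), open (tcp/22 rule without
# it) or closed (no tcp/22 rule in this variable at all).
# Note: ssh opened through FW_SERVICES_EXT_TCP="ssh" is not inspected here.
classify_ssh_rule() {
    for rule in $1; do
        case "$rule" in
            *,tcp,22,*hitcount=*) echo limited; return 0 ;;
            *,tcp,22|*,tcp,22,*)  echo open;    return 0 ;;
        esac
    done
    echo closed
}

# On a host that has the file, report the live setting without executing the
# file: pull the last assignment of the variable out with sed.
if [ -r /etc/sysconfig/SuSEfirewall2 ]; then
    live=$(sed -n 's/^FW_SERVICES_ACCEPT_EXT="\(.*\)"$/\1/p' /etc/sysconfig/SuSEfirewall2 | tail -n 1)
    echo "live config: $(classify_ssh_rule "$live")"
fi
```

The practical difference between the two rules is where the noise stops: with the open rule every guess is logged by sshd, with the rate-limited rule the fourth connection in a minute is dropped before sshd answers, which is what Carlos means by “works at the firewall level”. A legitimate user who mistypes a password three times in a minute is locked out for the same 60 seconds, so keep blockseconds short and rely on key authentication rather than long bans for actual protection.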