Solved

hacker trying to SSH into my PC

Posted on 2004-08-31
Last Modified: 2010-04-22
Recently I have been getting a lot of IP addresses trying to log into my Linux box, like below:
sshd:
   Invalid Users:
      Unknown Account: 13 Time(s)
   Authentication Failures:
      unknown (163.25.65.3 ): 1 Time(s)
      root (70-240-3-135.ded.swbell.net ): 6 Time(s)
      unknown (70-240-3-135.ded.swbell.net ): 12 Time(s)

I have also noticed that there are only 2 people with static IP addresses that log into the PC.
So I was hoping someone could tell me how I can configure SSH to only allow certain IP addresses to log into the box.
Question by:jaxxman


Expert Comment

by:njk123
I would use iptables:

iptables --insert INPUT --protocol tcp --syn --destination-port ssh -j DROP
iptables --insert INPUT --protocol tcp --syn --source A.B.C.D --destination-port ssh -j ACCEPT
iptables --insert INPUT --protocol tcp --syn --source M.N.O.P --destination-port ssh -j ACCEPT

A.B.C.D and M.N.O.P are the appropriate IP addresses of allowed SSH connections. Also please note this small snippet only protects SSH. You may want to look at nailing shut other ports.


Author Comment

by:jaxxman
Yes, I have seen something like this in the /etc/sysconfig/iptables file. I use this to edit the firewall rules (is this an acceptable way to manage firewall rules, as I am new to Linux firewalls?).
But if I cut and paste your text into the file below, will it not counteract something else? Please see below:

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.7a on Mon Dec 29 01:12:14 2003
*mangle
:PREROUTING ACCEPT [206802:138357614]
:INPUT ACCEPT [26619:2104008]
:FORWARD ACCEPT [180176:136253197]
:OUTPUT ACCEPT [10270:1357971]
:POSTROUTING ACCEPT [190431:137609998]
COMMIT
# Completed on Mon Dec 29 01:12:14 2003
# Generated by iptables-save v1.2.7a on Mon Dec 29 01:12:14 2003
*nat
:PREROUTING ACCEPT [17963:1374930]
:POSTROUTING ACCEPT [1696:82932]
:OUTPUT ACCEPT [100:6562]
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.254.4
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.254.4
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Dec 29 01:12:14 2003
# Generated by iptables-save v1.2.7a on Mon Dec 29 01:12:14 2003
*filter
:INPUT DROP [2:156]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:88]
:firewalled - [0:0]
:silent - [0:0]
:tcpflags - [0:0]
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j tcpflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j tcpflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j tcpflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j tcpflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j tcpflags
[0:0] -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
[0:0] -A INPUT -p icmp -j firewalled
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[3:603] -A INPUT -d 192.168.253.3 -i eth0 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[5:390] -A INPUT -j firewalled
[0:0] -A FORWARD -p udp -m udp --dport 137 -j silent
[0:0] -A FORWARD -p udp -m udp --dport 138 -j silent
[0:0] -A FORWARD -p udp -m udp --dport 139 -j silent
[0:0] -A FORWARD -p udp -m udp --dport 445 -j silent
[5:390] -A firewalled -m limit --limit 15/min -j LOG --log-prefix "Firewalled:"
[5:390] -A firewalled -j DROP
[0:0] -A silent -j DROP
[0:0] -A tcpflags -m limit --limit 15/min -j LOG --log-prefix "TCPflags:"
[0:0] -A tcpflags -j DROP
COMMIT
# Completed on Mon Dec 29 01:12:14 2003

Please advise on how to secure my network.

Expert Comment

by:njk123
Not sure about the 'secure my network' comment, as that would take much more bandwidth -and information- than I currently have. However, with respect to the original question and SSH, I would take the line

[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

in your file and change it to the following 2 lines:

[0:0] -A INPUT -i eth1 -p tcp -m tcp --source A.B.C.D --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --source M.N.O.P --dport 22 -j ACCEPT

which should only allow those IP addresses to connect to your sshd.

Hope this helps.
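As an added check that is not part of this thread, here is a short Python audit of an iptables-save dump (the format of the /etc/sysconfig/iptables file above). It lists INPUT ACCEPT rules that admit port 22 with and without a --source match, and also flags catch-all accepts, which admit every port including SSH. The sample dump is constructed from the rule shapes in this thread; 203.0.113.5 is a placeholder address.

```python
import re
import shlex

# Constructed sample in iptables-save format, built from the rule shapes in
# this thread; 203.0.113.5 is a placeholder "allowed" address.
SAMPLE_RULES = """\
*filter
:INPUT DROP [2:156]
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --source 203.0.113.5 --dport 22 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[3:603] -A INPUT -d 192.168.253.3 -i eth0 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[5:390] -A INPUT -j firewalled
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, [(option, value), ...], text).
    Leading [pkts:bytes] counters are stripped; non-rule lines give None.
    Negated matches ('! -s ...') are not interpreted (a known limitation)."""
    text = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())
    if not text.startswith("-A "):
        return None
    toks = shlex.split(text)
    opts, i = [], 2
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts.append((toks[i], toks[i + 1]))
            i += 2
        else:
            opts.append((toks[i], None))  # bare flag such as --syn
            i += 1
    return toks[1], opts, text

def ssh_exposure(dump, ssh_port="22"):
    """Classify INPUT ACCEPT rules by whether they admit SSH unrestricted.
    Returns [(kind, rule_text)], kind in open_ssh / restricted_ssh / catch_all."""
    findings = []
    for line in dump.splitlines():
        parsed = parse_rule(line)
        if parsed is None or parsed[0] != "INPUT":
            continue
        chain, opts, text = parsed
        o = dict(opts)
        if o.get("-j") != "ACCEPT" or "--state" in o or o.get("-i") == "lo":
            continue  # not an accept, conntrack pass-through, or loopback
        src = o.get("-s", o.get("--source"))
        dport = o.get("--dport", o.get("--destination-port"))
        proto = o.get("-p", o.get("--protocol"))
        if dport == ssh_port:
            findings.append(("restricted_ssh" if src else "open_ssh", text))
        elif dport is None and proto in (None, "tcp") and src is None:
            findings.append(("catch_all", text))  # every port, SSH included
    return findings
```

Run against the real dump (`iptables-save` output) to confirm that no open_ssh finding remains after the edit and to see which catch-all rules still admit SSH from an inside interface.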

Author Comment

by:jaxxman
OK, thanks.
What does this line do in the sshd_config file?
LISTEN: 0.0.0.0

And what does the line I am taking out do in the iptables file?
Also, the way I manage my firewall rules by just editing this file, is this the norm for securing my network?

You have been very helpful to me, thanks.


Expert Comment

by:njk123
LISTEN 0.0.0.0 tells sshd to _listen_ on every interface for a connection request. (More correctly, it listens on every IP address associated with this host.) Specifically -in your case- the IP addresses of eth0, eth1, lo0. This is a typical configuration and I wouldn't recommend changing it (at least not without a lot more information). Moreover, the iptables commands will provide finer control over who can connect and on what interface.


The line you are taking out,
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
says to allow _ALL_ inbound connections to sshd (22).

The lines you are adding,
[0:0] -A INPUT -i eth1 -p tcp -m tcp --source A.B.C.D --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --source M.N.O.P --dport 22 -j ACCEPT
say allow inbound connections to sshd (22) _only from IP addresses_ A.B.C.D and M.N.O.P.


Accepted Solution

by:
njk123 earned 30 total points
Oh yeah, and about 'the norm' way to secure your network..... not sure that there is a norm method; perhaps for your version of Linux (RHS??) this is the most 'correct' way, using iptables-save and iptables-restore. However, the correct way is any way that you understand what is happening and can secure your system. For me it is a carefully constructed set of iptables scripts that I have crafted.

Hope all this helps more than it confuses.


Author Comment

by:jaxxman
Yes, you have been very helpful.

Author Comment

by:jaxxman
I have just been looking at my firewall script in /etc/iptables-gw.
I run this file and it updates iptables.

I tried putting your line in but it did not work. I also tried turning port 22 off and I could still SSH into the PC. Could you please have a look at my file below:

# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=192.168.253.3
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use  NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
 $IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 192.168.254.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i eth1 -p tcp -m tcp --source 192.168.253.2 --dport 22 -j ACCEPT
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.254.4
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.254.4
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 443 -j DNAT --to 192.168.254.4
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 443 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following  if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the  IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled

Expert Comment

by:njk123
Okay, the file you posted doesn't appear to allow SSH, at least not on the box that these iptables commands are running on. Is SSH running on the same box as your HTTP server (192.168.254.4)? If so, you are not interested in the INPUT table but the PREROUTING table .. see below.

If you want to allow SSH into this host then you need to add a line similar to the commented-out line
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp  --dport 22 -j ACCEPT

Specifically, you need to add:
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --source A.B.C.D --dport 22 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --source M.N.O.P --dport 22 -j ACCEPT

(note: no '#' symbol)

If you are mapping all incoming connections to 192.168.254.4 then you need to add lines similar to
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.254.4

Specifically, you need to add:
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --source A.B.C.D --dport 22 -j DNAT --to 192.168.254.4
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --source M.N.O.P --dport 22 -j DNAT --to 192.168.254.4

(again note: no '#' symbol)

It is kinda tough to comment much more without knowing what roles 192.168.254.4 and 192.168.253.2 play. Moreover, a better understanding of your network topology would be required to dig further.