Link to home
Create AccountLog in
Avatar of sheepfarmer
sheepfarmer

asked on

Persisant attacks logged on a Linux server

Our logs indicate persistant attempts to log into our box as root and admin from foreign IP addresses (every few seconds)
Apart from ensuring a strong password and setting up firewall access to ssh from specific fixed IP addresses only, its there anything else we can practically do to either stop the attacks and/or secure the box.

Do most admin ignore this sort of attack as background 'noise'.

Thanks
SF
Avatar of sheetbird
sheetbird

If you have port 22 open and visible to the internet then it's going to get substantial traffic from ssh version checkers.  There's not much you can do about it other than setting up port knocking, which is setting up an obscure port like 8426 to listen for a "knock" and then it opens port 22 for some period of time to let the person log in.   I've never set it up I just live with the scans.

ASKER CERTIFIED SOLUTION
Avatar of TimEliseo
TimEliseo
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
I ,personally, setted up the ssh on different port from default 22. Works...

Knocking is even better alternative, but running different port is so simple...
I have been in enough situations where the only SSH client available could not easily be changed to use a port other than 22 that it's been worth the extra trouble of having the server on 22.

Knocking is also a hassle unless your client can do it automatically (you'd have to do the knock manually with a Web browser of something).

So in my experience the rate-limiting solution has been the best tradeoff for the sake of convenience.

First of all, disable root login directly from ssh. If you need root access, login as normal user and then su to it later. This can be done by setting "PermitRootLogin" to "no" in /etc/ssh/sshd_config.

Secondly, relocate the listening port of ssh, if possible. This can be done by adding the "-p portnum" parameter to sshd. If you use xinetd, set it under the "server_args" setting of sshd config.

Thirdly, limit the access to ssh port, if accesses are always come from fixed range of known IP addresses.

Fourthly, use IDS/IPS to slow down or block the traffic of port scanning or brute force guessing. Take a look at Snort and related software.

Of course, a secured and hard to guess password is always a must.







Hi,

I would strongly recommend you use pam_abl, pam_abl provides:

Auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.

Brute force password discovery attacks involve repeated attempts to authenticate against a service using a dictionary of common passwords. While it is desirable to enforce strong passwords for users this is not always possible and in cases where a weak password has been used brute force attacks can be effective.

You can check this out more at: http://www.hexten.net/pam_abl/
pam_abl is cute, but note, that such attacks are usually distributed(from various IPs) and from dynamic IPs. The list will grow huge. There are simpler sollutions I guess.
pam_abl will add that extra security which is required. Also implementation of iptales and no allowing root
remote login is secure.
I'd vote for iptables --limit option 'cause it is independent of the clients allowed to connect and it manages any IP without having a black- or whitelist up-to-date.
The only drawback is that clever stealth scans are still possible, but who cares if your system is secured:)
Avatar of sheepfarmer

ASKER

Yes, I'm inclinded to agree with the iptables - at least the connection throttle will reduce the number of dictionary password attempts in a given period.

Thanks for all the responses.
SF