Methods and Software Tools for Protecting Against SSH Brute-Force Attacks on Linux Servers (Red Hat, CentOS).
1, Allow only a few IP addresses to log in (TCP wrappers):
edit /etc/hosts.allow:
sshd: 127.0.0.1: ALLOW
sshd: 138.178.145.12: ALLOW
edit /etc/hosts.deny:
sshd: ALL: DENY
hosts.allow is consulted before hosts.deny, so list your own management addresses first (138.178.145.12 above is just the example address). This only works when sshd is linked against libwrap, which is the case for the sshd shipped with RHEL/CentOS 5 through 7; upstream OpenSSH removed TCP wrappers support in 6.7, so on other builds use the firewall for the same effect.
2, Deploy an iptables firewall.
On the Linux shell run this command:
setup
and pick "Firewall configuration" (on RHEL/CentOS 5 this starts system-config-securitylevel-tui, on 6 system-config-firewall-tui). Allow only the SSH port and the services the server must expose; the tool writes the rules to /etc/sysconfig/iptables so they survive a reboot.
3, Change the SSH port from 22 to another port, e.g., 2200.
vi /etc/ssh/sshd_config
look for #Port 22 and change it to
Port 2200
This does not stop a targeted attacker, but it removes the bulk of the automated scanning noise from the logs. With SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so register the new port first with semanage port -a -t ssh_port_t -p tcp 2200, and open it in the firewall before closing 22.
4, Disable password authentication and use SSH key-based logins
edit /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
Also set ChallengeResponseAuthentication no: Red Hat/CentOS sshd runs with UsePAM yes, and with challenge-response left enabled a client can still send a password through keyboard-interactive authentication, so the brute force simply continues on that method.
Generate a private/public key pair on the client with ssh-keygen, append the public key to ~/.ssh/authorized_keys on the server (~/.ssh mode 700, authorized_keys mode 600), and confirm that key login works from a second session before restarting sshd with passwords disabled.
See My-Whiteboard.com for an example: http://www.my-whiteboard.com/linux-admin/automated-backup-of-remote-linux-server-to-local-usb-disk-using-rsync-and-cygwin.html
5, Disable root login:
vi /etc/ssh/sshd_config
change #PermitRootLogin yes to
PermitRootLogin no
root is the one account name every brute-force tool tries first; log in as an unprivileged user and use su or sudo instead. If root must log in directly (e.g., for automated backups), PermitRootLogin without-password allows root with keys only.
6, Limit connections
Issue the following commands on the shell to rate-limit new SSH connections. Replace <n> with the number of new connections per second you want to allow and <m> with the burst, i.e. how many connections may arrive at once before the per-second limit kicks in, both without brackets. $EXT_IFACE and $DEST_IP are assumed to hold the external interface and the server's address. The rules belong in the filter table (the default), and the long options take two dashes:
iptables -N syn-flood
iptables -A syn-flood -m limit --limit <n>/s --limit-burst <m> -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i $EXT_IFACE -d $DEST_IP -p tcp --dport 22 --syn -j syn-flood
The limit match is a token bucket: the first <m> SYNs pass immediately, after that new SSH connections are accepted at <n> per second and anything above that is dropped. Without --dport 22 the same rule would throttle every TCP service on the host. Note that the limit is global, not per source address; a single attacker can still use up the whole allowance and lock out legitimate users, so for a per-attacker limit use the recent or hashlimit match instead.
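To make the burst/rate semantics concrete, the following is a small token-bucket model of the iptables limit match. It is an added example, not code from the page or from netfilter: the SYN arrival times are constructed, and the model uses continuous refill as an approximation of the kernel's credit counter.

```python
"""Token-bucket model of '-m limit --limit <n>/s --limit-burst <m>' (added example)."""


class LimitMatch:
    """Models the netfilter limit match as a token bucket.

    The bucket starts full with <burst> tokens and refills at <rate> tokens per
    second, never above <burst>. A packet that finds a token consumes it and
    matches (the rule with -m limit fires); a packet that finds the bucket
    empty does not match and falls through to the next rule.
    Assumption: continuous refill, a close approximation of the kernel's
    integer credit arithmetic.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)      # --limit <rate>/s
        self.burst = int(burst)      # --limit-burst <burst>
        self.tokens = float(burst)   # bucket starts full
        self.last = None             # arrival time of the previous packet

    def matches(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(timestamps, rate, burst):
    """Run SYN arrival times (seconds, ascending) through the syn-flood chain
    above and return the verdict for each: 'RETURN' (handed back to INPUT and
    accepted) or 'DROP'."""
    match = LimitMatch(rate, burst)
    return ["RETURN" if match.matches(t) else "DROP" for t in timestamps]


def accepted_count(timestamps, rate, burst):
    """Number of SYNs the chain lets through."""
    return syn_flood_chain(timestamps, rate, burst).count("RETURN")


if __name__ == "__main__":
    # Constructed arrivals: six SYNs at once, two one second later, three more
    # two seconds after that, against --limit 1/s --limit-burst 4.
    arrivals = [0.0] * 6 + [1.0] * 2 + [3.0] * 3
    for t, verdict in zip(arrivals, syn_flood_chain(arrivals, rate=1, burst=4)):
        print(f"t={t:4.1f}s  {verdict}")
    # Sustained flood: 10 SYN/s for 10 s against --limit 2/s --limit-burst 5.
    # Roughly burst + rate*duration = 5 + 20 connections get through.
    flood = [i / 10 for i in range(100)]
    print("accepted out of 100:", accepted_count(flood, rate=2, burst=5))
```

The first run shows the burst being spent at t=0, one token refilled by t=1 and two by t=3; the second shows that under a sustained flood the chain settles at <n> accepted connections per second regardless of how many arrive, which is why a single attacker can starve legitimate users of the global allowance.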
7, Install the OSSEC Host-based Intrusion Detection System: OSSEC: http://www.ossec.net. OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response (which can add an attacking address to the firewall or to hosts.deny). It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. Related tools (these watch the network or service availability rather than the host's own logs):
- Snort: http://snort.org/. Snort is by far the most widely deployed open source tool for network intrusion detection and prevention in small to large-carrier enterprise organizations.
- Bro: http://www.bro-ids.org/ Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).
- Nagios: http://www.nagios.org/, Nagios is a host and service monitor, not an intrusion detection system; it is designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external "plugins" which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.
8, Alternatively, you can install one of the following lightweight anti-brute-force tools. Most of them work the same way: they watch the sshd log for repeated failures from one address and add a firewall rule or a hosts.deny entry for it.
- Fail2ban: http://www.fail2ban.org. Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address; the rules can be defined by the user. Fail2ban can read multiple log files, such as those of sshd or the Apache web server.
- BlockHosts: http://www.aczoom.com/cms/blockhosts Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.
- DenyHosts: http://denyhosts.sourceforge.net DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin.
- SSHDFilter: http://www.csc.liv.ac.uk/~greg/sshdfilter/, sshdfilter blocks the frequent brute-force attacks on ssh daemons. It does this by directly reading the sshd logging output (or syslog output) and generating iptables (or ipfw) rules; the process can be quick enough to block an attack before the attacker gets a chance to enter any password at all.
- pam-abl: http://sourceforge.net/projects/pam-abl, pam_abl provides auto-blacklisting of hosts and users responsible for repeated failed authentication attempts. It is generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.
- SSHBan: http://nixbit.com/cat/internet/log-analyzers/sshban/. sshban is a simple daemon designed to ban SSH flooders. It is something like Fail2ban, but much simpler and faster: instead of scanning system logs, it uses a pipe to receive data directly from the logger.
- IPTables/Netfilter recent module: http://www.snowman.net/projects/ipt_recent/, the recent match keeps a list of source addresses seen recently and lets later rules match against that list, e.g. to drop a source that has opened more than a given number of SSH connections within a given number of seconds.
- Brute-Force Detection: http://rfxnetworks.com/bfd.php. BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is simple: there are few authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans.
- sshd_sentry: http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry. sshd_sentry is a Perl script used to monitor the sshd logs, detect repeated failed login attempts, and blacklist the hosts from which such attempts originate.
- SSHGuard: http://sshguard.sourceforge.net/, Sshguard is a log monitor. It protects networked hosts from today's widespread brute-force attacks against services, most notably SSH. It detects such attacks and blocks the attacker's address with a firewall rule. It can protect these services against brute-force attacks: sshd, dovecot, proftpd, pure-ftpd, FreeBSD ftpd, UW imap (imap, pop).
- sshit: http://anp.ath.cx/sshit/, sshit is a Perl script that blocks IP addresses generating too many failed login attempts within a specified time.
- BlockSSHD: http://blocksshd.sourceforge.net/, BlockSSHD is a Perl script based on BruteForceBlocker v1.2.3 that dynamically adds IPTables rules for Linux and pf firewall rules for BSD that block SSH brute force attacks. It can also detect ProFTPd login failures.
- Ssh-faker http://www.pkts.ca/ssh-faker.shtml, Similar to sshit.
- ShellTer: http://shellter.sourceforge.net/, ShellTer is an iptables-based firewall. It supports port forwarding, blacklisting, whitelisting.
- sshutout: http://www.techfinesse.com/sshutout/sshutout.html, sshutout is a Daemon to Stop SSH Dictionary Attacks.
9, To prevent remote log injection, patch the log-parsing regexes
Log-based blockers trust the log line, but part of that line is attacker-controlled: sshd writes the attempted username verbatim, so a login attempt as a user named "root from 1.2.3.4" produces a line that contains a forged "from <address>" fragment ahead of the real one. A pattern that is not anchored to the real address field can capture the forged address, and the tool then bans an address of the attacker's choosing (a denial of service against legitimate users) instead of the attacker.
If you install one of the three most popular anti-brute-force tools, i.e., Fail2ban, BlockHosts or DenyHosts, apply the following fixes:
Fail2ban author, Cyril Jaquier, suggested the following patch to fix the problem:
--- sshd.conf.orig 2007-06-05 22:00:24.000000000 +0200
+++ sshd.conf 2007-06-05 22:00:41.000000000 +0200
@@ -14,10 +14,10 @@
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
-failregex = Authentication failure for .* from
- Failed [-/\w]+ for .* from
- ROOT LOGIN REFUSED .* FROM
- [iI](?:llegal|nvalid) user .* from
+failregex = Authentication failure for .* from $
+ Failed [-/\w]+ for .* from $
+ ROOT LOGIN REFUSED .* FROM $
+ [iI](?:llegal|nvalid) user .* from $# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
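Review bot: the trailing `$` added after each host tag in this hunk closes the injection only for log lines where the address is the last token; OpenSSH writes `... from <address> port <n> ssh2` for the Failed and Invalid user messages, and with `$` directly after the host those patterns would stop matching, so the filter would silently stop banning rather than ban the wrong address. Suggest allowing the optional trailer, e.g. `Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$`, and stating in the patch description which sshd log format the anchored patterns were checked against. Also, the header comment shows the host tag as `(?:::f{4,6}:)?(?P\S+)`: `(?P` followed directly by `\S+` is not valid regex syntax, the group's name is missing in this copy, so verify the applied file carries the full named group.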
BlockHosts author, Avinash Chopde, suggested that changing the SSHD/VSFTP regexes to the following fixes the problem:
"SSHD-NotAllowed": r"""^.*(?!sshd)sshd\[(?P\d+)\]: User .* from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because none of user's groups are listed in AllowGroups$""",
"VSFTPD-Fail": r"""\[pid \d+\] \[.*?\] FAIL LOGIN: Client "(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"$""",
For DenyHosts, changing FAILED_ENTRY_REGEX5 (in regex.py) to the following fixes the problem:
FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")
Ref: http://www.ossec.net/en/attacking-loganalysis.html
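The following is an added example, not code from fail2ban, DenyHosts, BlockHosts or the OSSEC article: a minimal sshd log monitor of the kind the lightweight tools listed above implement, run over constructed log lines, showing the username injection described in this section and the anchored pattern that defeats it. VULNERABLE_RE is an illustrative loosely written pattern (a non-greedy username capture) and not the exact pre-patch regex of any of those tools; ANCHORED_RE follows the idea of the patches above, pinning the host to the fixed " port N ssh2" tail sshd writes after it. The addresses, usernames and log lines are made up.

```python
"""Brute-force log monitor with and without protection against username log
injection (added example; sample log lines are constructed)."""

import re
from collections import Counter
from ipaddress import ip_address

# Constructed sshd log lines in the syslog format OpenSSH writes. Lines 4-6 were
# produced by an attacker at 203.0.113.9 who tried to log in with the literal
# username "root from 10.0.0.5"; sshd logs the username verbatim, so each line
# carries a forged "from 10.0.0.5" ahead of the real "from 203.0.113.9".
# 10.0.0.5 is an innocent address. Line 7 uses the same trick with junk
# instead of an address, and line 8 is a legitimate login that must not count.
SAMPLE_LOG = """\
Jun  5 22:01:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jun  5 22:01:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Jun  5 22:01:03 host sshd[2003]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Jun  5 22:01:04 host sshd[2004]: Failed password for invalid user root from 10.0.0.5 from 203.0.113.9 port 40125 ssh2
Jun  5 22:01:05 host sshd[2005]: Failed password for invalid user root from 10.0.0.5 from 203.0.113.9 port 40126 ssh2
Jun  5 22:01:06 host sshd[2006]: Failed password for invalid user root from 10.0.0.5 from 203.0.113.9 port 40127 ssh2
Jun  5 22:01:07 host sshd[2007]: Failed password for invalid user admin from nowhere from 203.0.113.9 port 40128 ssh2
Jun  5 22:01:08 host sshd[2008]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# Loosely written pattern (illustrative, not any tool's exact regex): the
# non-greedy username capture stops at the FIRST " from ", so attacker-chosen
# text in the username decides which address lands in the host group.
VULNERABLE_RE = re.compile(
    r"Failed \S+ for (?:invalid user )?(?P<user>.*?) from (?P<host>\S+)")

# Anchored pattern in the spirit of the patches above: the host group is tied
# to the fixed tail sshd writes after the address and to the end of the line,
# so nothing inside the username can displace it.
ANCHORED_RE = re.compile(
    r"Failed \S+ for (?:invalid user )?(?P<user>.*) from (?P<host>\S+) port \d+ ssh2$")


def failed_hosts(log_text, pattern):
    """Count failed logins per captured host. A capture that is not a valid IP
    address is discarded instead of being handed to iptables or hosts.deny."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ip_address(host)
        except ValueError:
            continue  # junk capture such as "nowhere": refuse to act on it
        counts[host] += 1
    return counts


def hosts_to_ban(log_text, pattern, threshold=3):
    """Addresses with at least `threshold` failures, i.e. what a blocker would
    feed to 'iptables -I INPUT -s <host> -j DROP' or /etc/hosts.deny."""
    return sorted(h for h, n in failed_hosts(log_text, pattern).items() if n >= threshold)


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE_RE), ("anchored", ANCHORED_RE)):
        print(f"{name:10s} failures={dict(failed_hosts(SAMPLE_LOG, pattern))} "
              f"ban={hosts_to_ban(SAMPLE_LOG, pattern)}")
```

With the loose pattern the innocent 10.0.0.5 reaches the ban threshold alongside the attacker, which is the denial of service the OSSEC article describes; with the anchored pattern every failure, including the forged ones, is attributed to 203.0.113.9. Two habits carry over to any of the tools above: anchor the host capture to something the attacker cannot write (the end of the line or the fixed trailer), and validate that the captured string is an IP address before it goes anywhere near a firewall rule or hosts.deny.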
10, Restart sshd
Check the edited configuration first with sshd -t (it prints nothing when the file is valid) and keep your current session open until a fresh key-based login has succeeded; a typo in sshd_config otherwise locks you out of a remote machine. Then restart:
/etc/init.d/sshd restart
11, Finally, use Nessus to test your server's security:
Nessus http://www.nessus.org/nessus/. The Nessus vulnerability scanner has become the de facto standard in enterprise environments and among vendors selling vulnerability management tools and services for actively assessing the risks inherent in a company's mission-critical devices and applications. Nessus is used in more than 75,000 organizations worldwide. Scan from outside your firewall after the changes above to confirm that only the intended SSH port answers and that password authentication is no longer offered.