The GNU of Life, the Universe and Everything

September 22, 2010

Yet another ssh brute force attack and how to protect against it with iptables and sshguard

Filed under: linux — Pedro Carvalho @ 9:20 pm

ssh brute force attack

By chance, I looked into syslog (/var/log/syslog) and saw an ssh login attempt from an IP outside the local network. It was a brute force attack that had started 7 days earlier. See further down the post for how to protect ssh from further attacks.

Looking at the logs (tail -n 200000 /var/log/syslog), I noticed that the attack started on:

Sep 15 21:01:37 cerval sshd[13101]: Failed password for root from 114.80.94.183 port 42023 ssh2

then the attack went on by

66.219.59.10
193.106.65.15
85.62.8.13

Sep 17 21:43:44 cerval sshd[18343]: reverse mapping checking getaddrinfo for 85.62.8.13.static.abi.uni2.es [85.62.8.13] failed - POSSIBLE BREAK-IN ATTEMPT

Then more brute force from

87.106.243.162
85.10.136.18

Sep 18 09:33:10 cerval sshd[28178]: Address 222.253.174.238 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

and more

222.253.174.238
75.127.81.15
93.182.137.2
68.71.97.58 …

and still more from

201.240.99.126
59.151.119.180
124.232.131.82
119.188.7.164
200.121.131.166

On the 20th, things intensified with 3 simultaneous attacks:

Sep 20 14:11:38 cerval sshd[7749]: Failed password for root from 118.68.202.49 port 4921 ssh2
Sep 20 14:11:38 cerval sshd[7747]: Failed password for root from 58.186.10.126 port 3667 ssh2
Sep 20 14:11:38 cerval sshd[7753]: Failed password for root from 123.20.1.43 port 3703 ssh2

and yet some more:

200.37.45.101
bj141-147-66.bjtelecom.net [219.141.147.66]
195.58.83.74
61.150.72.170

UDP packets ??

Sep 22 09:03:20 cerval [3971817.790301] UDP: short packet: From 0.136.255.255:35010 25649/99 to 80.173.165.1:6881

and finally

220.226.22.72
213.172.36.130
194.190.129.49

I checked the logs and saw the attack, so I stopped ssh. No more fun for you :(
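To show what the log reading above amounts to in code, here is an added example (not from the post, and not sshguard's code) that parses sshd "Failed password" lines in the format quoted above, flags sources that reach a number of failures inside a time window the way a tool like sshguard counts attacks, and picks out seconds in which several sources hit at once. The sample lines are constructed, reusing the post's addresses; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" lines quoted in the post
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Constructed sample, reusing the post's addresses and line format
SAMPLE_LOG = """\
Sep 20 14:11:38 cerval sshd[7749]: Failed password for root from 118.68.202.49 port 4921 ssh2
Sep 20 14:11:38 cerval sshd[7747]: Failed password for root from 58.186.10.126 port 3667 ssh2
Sep 20 14:11:38 cerval sshd[7753]: Failed password for root from 123.20.1.43 port 3703 ssh2
Sep 20 14:11:41 cerval sshd[7749]: Failed password for root from 118.68.202.49 port 4921 ssh2
Sep 20 14:11:44 cerval sshd[7749]: Failed password for root from 118.68.202.49 port 4921 ssh2
Sep 20 14:11:47 cerval sshd[7749]: Failed password for invalid user admin from 118.68.202.49 port 4921 ssh2
Sep 20 14:30:00 cerval sshd[7760]: Failed password for root from 58.186.10.126 port 3668 ssh2
""".splitlines()

def parse_ts(ts, year=2010):
    # syslog timestamps carry no year; assume the year the log was written
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, threshold=4, window_s=600):
    """Sources with `threshold` failures inside any `window_s`-second span, as
    {ip: total_failures}. Threshold and window are assumed, not sshguard's."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            attempts[m["ip"]].append(parse_ts(m["ts"]))
    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        # sliding window over consecutive failures from this source
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                offenders[ip] = len(times)
                break
    return offenders

def simultaneous_sources(lines):
    """Seconds in which more than one source failed (the post's '3 simultaneous attacks')."""
    by_second = defaultdict(set)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            by_second[m["ts"]].add(m["ip"])
    return {ts: ips for ts, ips in by_second.items() if len(ips) > 1}
```

Run it against real output of tail -n 200000 /var/log/syslog by passing the lines instead of SAMPLE_LOG; a source that never reaches the threshold inside the window is not reported, which is exactly the slow-and-low case a per-IP counter misses.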

I finally decided, after 6 years of laziness, to build up some security.

Getting started with iptables

The guys at netfilter created a packet filtering system called iptables, which is present on most Linux machines.

The iptables Rules

To create a bash script that sets up all the rules needed, I used this online iptables wizard (don't forget to remove "LINWIZ-" from the generated script).

Running iptables

Next, run the script with sh iptables.sh, save the rules with /etc/init.d/iptables save, and then start, stop and start iptables again (/etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start).

Then check that the rules are active with iptables -L -v.

For a better understanding, see Stateful Firewall and Masquerading on Linux.

Protecting ssh

Luckily, Gentoo portage has sshguard, which has lots of nice features!
I unmasked it to use a decent version (portage has 1.0 as stable and 1.4 as latest, but sshguard is at v1.5rc4, which is the last RC planned before 1.5 stable).

Then emerge -av sshguard.
Its FAQ has the script to use at boot, but the "-l" option wasn't working on this version, so I used this instead:

#! /bin/sh
# Feed new auth.log lines to sshguard on its stdin. "stop" only kills
# sshguard; the tail exits by itself the next time it writes to the closed
# pipe. The syslog-ng config below uses /usr/sbin/sshguard, which is where
# the portage build puts it; /usr/local/sbin is the path of a source install.
case "$1" in
start)
    tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard &
    ;;
stop)
    killall sshguard
    ;;
*)
    echo "Use start or stop"
    exit 1
    ;;
esac

Add it to the default runlevel to ensure it starts at every boot:

rc-update add sshguard default

If you are using syslog-ng with sshguard

On Gentoo, just add this to /etc/syslog-ng/syslog-ng.conf:

#create a new destination for sshguard
destination sshguardproc {
    program("/usr/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
#creates a filter called f_sshlogs for auth and authpriv system logs
filter f_sshlogs { facility(auth, authpriv) and match("sshd"); }; # for sshguard

log { source(src); filter(f_sshlogs); destination(sshguardproc); };

Restart sshd

Start ssh again: /etc/init.d/sshd start


Theme: Shocking Blue Green. Blog at WordPress.com.
