By chance, I looked into syslog (/var/log/syslog) and saw SSH login attempts from an IP outside the local network. It was a brute-force attack that had started 7 days earlier. See further down for how to protect SSH from further attacks.
Looking at the logs (tail -n 200000 /var/log/syslog) I noticed that the attack started on:
Sep 15 21:01:37 cerval sshd[13101]: Failed password for root from 114.80.94.183 port 42023 ssh2
then the attack went on …
I checked the logs, saw the attack and stopped sshd. No more fun for you :(
I finally decided, after 6 years of laziness, to build up some security.
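To see how far an attack like this got without paging through 200000 lines, here is an added example (my code, not from the original post) that pulls the failing source IPs, their attempt counts and their first/last timestamps out of sshd log lines. The sample log is constructed around the line quoted above; the threshold for "attacker" is a parameter, so the same check works for a slow low-volume scan as well as this one.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the brute-force
# attempts in sshd log lines like the one quoted above. Both functions read
# syslog-format lines on stdin (e.g. from /var/log/auth.log or syslog).

# One line per attacking IP, most failed logins first:
#   <ip> <failures> <first seen> .. <last seen>
ssh_failures_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / {
            # Syslog prefix is "Mon DD HH:MM:SS host sshd[pid]:" ...
            ts = $1 " " $2 " " $3
            # ... and the source follows "from", whether or not the user
            # exists ("Failed password for invalid user x from ...").
            ip = ""
            for (i = 4; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if (!(ip in fails)) first[ip] = ts
            fails[ip]++
            last[ip] = ts
        }
        END {
            for (ip in fails)
                printf "%s %d %s .. %s\n", ip, fails[ip], first[ip], last[ip]
        }
    ' | sort -k2,2nr
}

# IPs with at least $1 failed logins, one per line (candidates for a ban).
ssh_attackers() {
    ssh_failures_by_ip | awk -v min="$1" '$2 >= min { print $1 }'
}

# Constructed sample log: one host hammering root and a guessed account,
# one unrelated probe, and a legitimate key login that must not be counted.
SAMPLE_LOG='Sep 15 21:01:37 cerval sshd[13101]: Failed password for root from 114.80.94.183 port 42023 ssh2
Sep 15 21:01:40 cerval sshd[13103]: Failed password for root from 114.80.94.183 port 42101 ssh2
Sep 15 21:01:44 cerval sshd[13105]: Failed password for invalid user admin from 114.80.94.183 port 42190 ssh2
Sep 15 21:02:10 cerval sshd[13110]: Accepted publickey for me from 192.168.1.20 port 51022 ssh2
Sep 16 03:12:01 cerval sshd[14001]: Failed password for invalid user test from 203.0.113.7 port 33000 ssh2'

printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_ip
printf '%s\n' "$SAMPLE_LOG" | ssh_attackers 3
# Against the real log:  ssh_failures_by_ip < /var/log/auth.log
```

The "Accepted" line is deliberately ignored: only "Failed password" lines are counted, and the source is taken from the word after "from" so lines for non-existent users ("invalid user admin from ...") land in the same bucket as guesses against root.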
Getting started with iptables
The guys at netfilter created a packet filtering system called iptables, which is present on practically every Linux machine.
The iptables Rules
To create a bash script with all the rules needed, I used this online iptables wizard (don't forget to remove the "LINWIZ-" prefix from the generated script).
Running iptables
Next run the script (sh iptables.sh), save the live rules with /etc/init.d/iptables save, and then start, stop and start iptables again to check they reload (/etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start)
and check that the rules are active with iptables -L -v (add -n to skip the reverse DNS lookups).
To get a better understanding, read Stateful Firewall and Masquerading on Linux.
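For readers who want to see what a script like the wizard's contains, here is an added example, not the wizard's output and not from the original post: a minimal stateful INPUT firewall for a single host, with a per-source rate limit on new SSH connections and the chain that sshguard's iptables backend expects. It assumes sshd on port 22 and that sshguard was built with iptables support (the sshguard chain is simply unused otherwise); both are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not the wizard's output: a minimal stateful INPUT firewall
# for a single host, with a per-source rate limit on new SSH connections and
# the chain sshguard's iptables backend expects. Assumptions (not from the
# post): sshd on port 22, and sshguard built with iptables support.
#
# Dry run by default:  sh firewall.sh        prints the rules
# Load for real:       sh firewall.sh apply  (as root), then
#                      /etc/init.d/iptables save   as the post describes.
case "${1:-}" in
    apply) IPT=iptables ;;
    *)     IPT=echo ;;
esac
SSH_PORT="${SSH_PORT:-22}"

firewall_rules() {
    # Clean slate, then default-deny inbound and forwarded traffic.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The stateful part: loopback, packets belonging to connections we
    # already track, and nothing that conntrack cannot classify.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Chain for sshguard's bans: sshguard adds "-s <ip> -j DROP" rules to it,
    # so it has to exist before sshguard starts and INPUT must pass through it.
    $IPT -N sshguard
    $IPT -A INPUT -j sshguard

    # SSH with a rate limit, independent of sshguard: every new connection is
    # recorded per source IP (--set); a source reaching 4 within 60 s is
    # dropped, and each dropped attempt refreshes its timestamp, so the block
    # lasts as long as the scanner keeps hammering.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ssh --set
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Keep ping working so the box stays reachable for debugging.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

firewall_rules
```

The two layers complement each other: the recent-module limit stops a fast scanner at the packet level before sshd even logs the attempts, while sshguard (below) works from the logs and catches slower guessing that never trips the per-minute counter. After loading the rules for real, /etc/init.d/iptables save keeps them across reboots, as described above.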
Protecting ssh
Luckily Gentoo portage has sshguard, which has lots of nice features!
I unmasked it to get a decent version (portage has 1.0 as stable and 1.4 as the latest, while upstream is at v1.5rc4, the last RC planned before 1.5 stable)
and then emerge -av sshguard.
Its FAQ has a script to use at boot, but the "-l" option wasn't working on this version, so I used this instead:
#!/bin/sh
# feed sshguard from auth.log; portage installs the binary in /usr/sbin
# (the FAQ's script assumes /usr/local/sbin)
case $1 in
    start)
        tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard &
        ;;
    stop)
        killall sshguard
        ;;
    *)
        echo "Use start or stop"
        exit 1
        ;;
esac
Add it to the default runlevel to ensure it starts at every boot:
rc-update add sshguard default
If you are using syslog-ng with sshguard
On Gentoo, just add this to /etc/syslog-ng/syslog-ng.conf (syslog-ng then starts sshguard itself and feeds it the matching lines, so don't also run the tail-based init script above, or you end up with two sshguard instances):
# create a new destination for sshguard
destination sshguardproc {
    program("/usr/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
# creates a filter called f_sshlogs for auth and authpriv system logs
filter f_sshlogs { facility(auth, authpriv) and match("sshd"); }; # for sshguard
log { source(src); filter(f_sshlogs); destination(sshguardproc); };
Restart sshd
Start sshd again: /etc/init.d/sshd start

[...] Yet another ssh brute force attack and how to protect against it with iptables and sshguard – This guide helped me get into the topic somewhat, though in practice I went about it a little differently. [...]
Pingback by Domácí server s Gentoo | Zaantarovo — April 26, 2013 @ 11:17 am
[...] Yet another ssh brute force attack and how to protect against it with iptables and sshguard – This guide helped me get into the topic somewhat, though in practice I went about it a little differently. [...]
Pingback by Domácí server s Gentoo: SSH | Zaantarovo — May 5, 2013 @ 3:34 pm