Securing your Linux server from SSH attacks
Posted: July 4, 2012
If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever built have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be on our network. What a great strategy: if you can not get to me you can not hack me :). Nor can the script kiddies have a pop and use up valuable bandwidth and server resources.
So as soon as you get to Amazon AWS you need to start thinking seriously about your server security. You have of course got the AWS security groups to help you, but we now have a need to allow SSH access to some of our servers by third party people.
Therefore you need to harden the servers even more. Amazon goes some way towards protecting their servers with key-only access, but sometimes you need to give good old username and password access.
You will therefore start seeing entries in your /var/log/secure file along the lines of:
Jul 1 20:48:28 ip-10-228-234-162 sshd: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd: Failed password for invalid user andreea from 18.104.22.168 port 42511 ssh2
Jul 1 19:48:30 ip-10-228-234-162 sshd: Received disconnect from 22.214.171.124: 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd: Invalid user davida from 126.96.36.199
Jul 1 19:48:32 ip-10-228-234-162 sshd: input_userauth_request: invalid user davida
Jul 1 20:48:32 ip-10-228-234-162 sshd: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:32 ip-10-228-234-162 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse
How annoying that you have to expend time and effort on these idiots.
Well, luckily Linux has some built-in defence mechanisms against such people in the hosts.deny file.
You could manually go through your secure file (or get someone else to), but someone far cleverer than me has written a utility that does this for you: http://denyhosts.sourceforge.net/
What a tool. There is a brilliant README file in the install directory, but as usual, to make it easy for you and me, here are the highlights to get it working:
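To show what the utility is automating, here is an added example of my own (not DenyHosts' code): it scans secure-log lines in the format shown above, counts failed logins per source address, and emits the hosts.deny lines that would block the worst offenders. The log lines and IP addresses are constructed for the example, and the threshold and allowlist are assumptions you would tune yourself.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/secure format (addresses made up for the example).
SAMPLE_SECURE_LOG = """\
Jul 1 20:48:30 ip-10-228-234-162 sshd: Failed password for invalid user andreea from 198.51.100.23 port 42511 ssh2
Jul 1 20:48:32 ip-10-228-234-162 sshd: Invalid user davida from 198.51.100.23
Jul 1 20:48:35 ip-10-228-234-162 sshd: Failed password for invalid user davida from 198.51.100.23 port 42530 ssh2
Jul 1 20:49:01 ip-10-228-234-162 sshd: Failed password for root from 203.0.113.9 port 51022 ssh2
Jul 1 20:49:10 ip-10-228-234-162 sshd: Accepted publickey for ec2-user from 192.0.2.10 port 60001 ssh2
"""

# Patterns that indicate an authentication failure, each capturing the client IP.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)"),
]


def count_failures(log_text):
    """Return a Counter of failed-login events per source IP address."""
    failures = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if match:
                failures[match.group(1)] += 1
                break  # count each log line at most once
    return failures


def hosts_deny_entries(failures, threshold, allowlist=()):
    """Build TCP Wrappers hosts.deny lines ("sshd: <ip>") for every address
    with at least `threshold` failures. Addresses in `allowlist` are never
    blocked, so you do not lock out your own admin hosts by mistake."""
    return [f"sshd: {ip}" for ip, n in sorted(failures.items())
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_SECURE_LOG)
    for entry in hosts_deny_entries(counts, threshold=3):
        print(entry)  # prints: sshd: 198.51.100.23
```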
yum install python
tar -xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
# the installer places its files under /usr/share/denyhosts
cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
chown root:root daemon-control
chmod 700 daemon-control
Edit denyhosts.cfg to match your distribution. I am using a Red Hat based distro, as you would expect being in Amazon. I left everything as standard except that I turned on the sync to get the host IP addresses of these annoying idiots.
The instructions for starting the daemon automatically are so straightforward; the guy who wrote this sure understood the software, but also how to document it 🙂
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
If you have chkconfig installed you can then use it to ensure that DenyHosts runs at boot time:
chkconfig --add denyhosts
service denyhosts start