Securing your Linux server from SSH attacks


If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever tended to build have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be on our network. What a great strategy: if you can't get to me, you can't hack me :). Nor can the script kiddies have a pop and waste valuable bandwidth and server resources.

So as soon as you get to Amazon AWS you need to seriously start thinking about your server security. You have of course got the AWS security groups to help you, but we now have a need to allow SSH access to some of our servers by third-party people.

Therefore you need to harden the servers even more. Amazon goes some way towards protecting their servers with key-only access, but sometimes you need to give good old username and password access.

You will therefore start seeing entries in your /var/log/secure file something along the lines of:

Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul 1 19:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 27.54.120.3: 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul 1 19:48:32 ip-10-228-234-162 sshd[6914]: input_userauth_request: invalid user davida
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.54.120.3

How annoying that you have to expend time and effort on these idiots.

Well, luckily Linux has some built-in defence mechanisms against such people in the hosts.deny file.

You could manually go through (or get someone to go through) your secure file, but someone who is far cleverer than me has written a utility that does this for you: http://denyhosts.sourceforge.net/
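To make concrete what a tool like this does with log lines like the ones above, here is a small added example of the same idea in Python (written for this post, not DenyHosts' own code): it scans the sshd entries in a secure log, counts failed logins per source address in three categories (root, invalid user, valid user) and emits hosts.deny lines for any address that crosses a threshold. The log text is constructed sample input modelled on the entries shown above, and the threshold values and the "sshd: <address>" output format are assumptions of this example, not DenyHosts' defaults.

```python
"""Count sshd login failures per source address and decide which hosts to deny.

Added example for this post; not DenyHosts' own code. The sample log,
thresholds and output format below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the /var/log/secure entries in the post.
SAMPLE_SECURE_LOG = """\
Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul 1 20:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 27.54.120.3: 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul 1 20:48:35 ip-10-228-234-162 sshd[6920]: Failed password for root from 27.54.120.3 port 42600 ssh2
Jul 1 20:49:01 ip-10-228-234-162 sshd[6931]: Failed password for invalid user test from 27.54.120.3 port 42700 ssh2
Jul 1 20:50:10 ip-10-228-234-162 sshd[6940]: Failed password for ec2-user from 198.51.100.7 port 50122 ssh2
Jul 1 20:50:15 ip-10-228-234-162 sshd[6940]: Accepted publickey for ec2-user from 198.51.100.7 port 50122 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# sshd emits several distinct failure messages; these two cover the kinds
# shown in the post. Other lines (pam_succeed_if, disconnects, successful
# logins) are deliberately ignored.
FAILED_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IP),
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + IP),
]

# Assumed thresholds for this example: one failed root login, three attempts
# against non-existent accounts, or five against real accounts.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}


def parse_failures(log_text):
    """Yield (user, ip, is_invalid_user) for every failed-login line."""
    for line in log_text.splitlines():
        for pattern in FAILED_PATTERNS:
            match = pattern.search(line)
            if match:
                yield match.group("user"), match.group("ip"), "nvalid user" in line
                break


def classify(user, is_invalid_user):
    """Map an attempt to the threshold category it counts against."""
    if user == "root":
        return "root"
    return "invalid" if is_invalid_user else "valid"


def count_failures(log_text):
    """Return {ip: Counter(category -> attempts)} for all sshd failures."""
    counts = defaultdict(Counter)
    for user, ip, is_invalid_user in parse_failures(log_text):
        counts[ip][classify(user, is_invalid_user)] += 1
    return counts


def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """Return the sorted source addresses that reach any category's threshold."""
    denied = []
    for ip, categories in count_failures(log_text).items():
        if any(categories[cat] >= limit for cat, limit in thresholds.items()):
            denied.append(ip)
    return sorted(denied)


def hosts_deny_lines(log_text, thresholds=THRESHOLDS):
    """Format deny decisions as 'service: address' lines for /etc/hosts.deny
    (assumed format for this example)."""
    return [f"sshd: {ip}" for ip in hosts_to_deny(log_text, thresholds)]


if __name__ == "__main__":
    # On a real box you would read /var/log/secure instead of the sample.
    for entry in hosts_deny_lines(SAMPLE_SECURE_LOG):
        print(entry)
```

Note that the same attempt against a non-existent account produces both an "Invalid user" line and a "Failed password for invalid user" line, so a tool that counts raw lines double-counts those; a real daemon has to decide whether to de-duplicate on the sshd PID, and it also has to track how far through the log it has already read so that restarting it does not re-count old entries.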

What a tool. There is a brilliant README file in the install directory, but as usual, to make it easy for you and me, here are the highlights to get it working:

yum install python

cd ~
mkdir software
cd software
wget http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz/download
tar -xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install

cd /usr/share/denyhosts

cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control

chown root:root daemon-control
chmod 700 daemon-control

vi denyhosts.cfg

Change the file to match your distribution. I am using a Red Hat based distro, as you would expect being in Amazon. I left everything as standard except that I turned on the sync to get the host IP addresses of these annoying idiots.

The instructions for starting the daemon automatically are so straightforward; the guy who wrote this sure did understand the software, but also how to document it 🙂

cd /etc/init.d

ln -s /usr/share/denyhosts/daemon-control denyhosts

If you have chkconfig installed you can then use it to ensure that DenyHosts runs at boot time:

chkconfig --add denyhosts

service denyhosts start
