Let's block crackers using DenyHosts


If you run a server that is permanently connected to the internet, it is common to notice in the log files that someone has been trying to gain entry by dictionary or brute-force attacks against the SSH login.

In /var/log/messages we can see those attempts:
Mar 20 19:28:17 serverku sshd(pam_unix)[14456]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170
Mar 20 19:28:24 serverku sshd(pam_unix)[14458]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170
Mar 20 19:28:30 serverku sshd(pam_unix)[14460]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170  user=root
Mar 20 19:28:37 serverku sshd(pam_unix)[14462]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170  user=root
Mar 20 19:28:44 serverku sshd(pam_unix)[14464]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170  user=root
Mar 20 19:28:51 serverku sshd(pam_unix)[14466]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170
Mar 20 22:15:13 serverku sshd(pam_unix)[15883]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:17 serverku sshd(pam_unix)[15885]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:22 serverku sshd(pam_unix)[15887]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:26 serverku sshd(pam_unix)[15889]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:30 serverku sshd(pam_unix)[15891]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 21 00:22:03 serverku sshd(pam_unix)[16944]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.4.119  user=root
Mar 21 00:22:10 serverku sshd(pam_unix)[16946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.4.119  user=root
Mar 21 00:22:17 serverku sshd(pam_unix)[16948]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.4.119  user=root

Sometimes it happens so many times that it also shows up in the LogWatch report:

sshd:
    Authentication Failures:
       unknown (210.72.201.10): 232 Time(s)
       root (host-ip167-189.crowley.pl): 89 Time(s)
       unknown (220.117.240.34): 35 Time(s)
       root (220.117.240.34): 16 Time(s)
       apache (210.72.201.10): 1 Time(s)
       apache (220.117.240.34): 1 Time(s)
       bin (210.72.201.10): 1 Time(s)
       ftp (220.117.240.34): 1 Time(s)
       mail (210.72.201.10): 1 Time(s)
       mysql (210.72.201.10): 1 Time(s)
       mysql (220.117.240.34): 1 Time(s)
       nobody (210.72.201.10): 1 Time(s)
       postgres (210.72.201.10): 1 Time(s)
       root (210.72.201.10): 1 Time(s)
       xfs (210.72.201.10): 1 Time(s)
    Invalid Users:
       Unknown Account: 267 Time(s)

Those attempts are not so dangerous as long as we secure our server with strong passwords (or, better, SSH keys with password authentication disabled) and routine updates.

But it is much better to strengthen the server further and limit the crackers' chances of breaking in by blocking their IP address after a certain number of failed attempts.

We can achieve this using a script called DenyHosts. From yum info:

DenyHosts is a script intended to help Linux system administrators thwart
ssh server attacks. DenyHosts scans an ssh server log, updates
/etc/hosts.deny after a configurable number of failed attempts from a
rogue host is determined, and alerts the administrator of any suspicious
logins. http://denyhosts.sourceforge.net/

For CentOS users, it comes from the RPMforge (Dag) repository, so add this to /etc/yum.repos.d/CentOS-Base.repo:
#dag
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

Then import the GPG key:
rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

For Fedora Core users, it is already included in the Extras repository, and you also don't need to copy the configuration file and startup script: they are already in place.

To install denyhosts:
yum install denyhosts

After it is installed, we configure it. Example files are located in:
/usr/share/doc/denyhosts-2.2/

Steps to configure it:
1. Copy the file denyhosts.conf-dist to /etc/denyhosts/denyhosts.cfg.
Edit /etc/denyhosts/denyhosts.cfg and adjust it to your needs. You can keep the defaults or modify them, for example:

DENY_THRESHOLD_INVALID = 5
Block a host once its number of failed login attempts has exceeded this value. This value applies to invalid user login attempts (i.e. non-existent user accounts).

DENY_THRESHOLD_VALID = 10
Block a host once its number of failed login attempts has exceeded this value. This value applies to valid user login attempts (i.e. accounts that exist in /etc/passwd), except for the "root" user.

DENY_THRESHOLD_ROOT = 1
Block a host once its number of failed login attempts has exceeded this value. This value applies to "root" user login attempts only. A very low value here is safe: a legitimate admin rarely mistypes the root password twice in a row, and root logins over SSH should ideally be disabled anyway (PermitRootLogin no in sshd_config).

ADMIN_EMAIL = emailkamu@domainkamu.com
The address that receives a report of newly blocked IPs; leave it empty if you don't want to be notified by email.

Explore the other options too; the explanations in the file are very clear.

2. Next, we copy the startup script into /etc/init.d/
cp /usr/share/doc/denyhosts-2.2/daemon-control /etc/init.d/denyhosts

Don't forget to edit it so that it knows where the config file is:
DENYHOSTS_CFG   = "/etc/denyhosts/denyhosts.cfg"

3. Then we add the script into the startup list:
chkconfig --add denyhosts
chkconfig --level 345 denyhosts on

4. We can now run the daemon:
service denyhosts start
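To make the threshold rule from step 1 concrete, here is an added example (my own shell script, not part of DenyHosts and not from the original howto) that applies the three DENY_THRESHOLD_* values to log lines in the sshd(pam_unix) format shown at the top of the page and prints the hosts that would end up in /etc/hosts.deny. The sample log lines are constructed to mirror the excerpt above; lines that carry no user= field are treated as attempts against non-existent accounts, which is how LogWatch arrives at its "unknown" rows. It follows the page's wording (a host is blocked once its count has exceeded the threshold), so a host sitting exactly at the threshold is still allowed. The threshold values and the tally/deny helper names are this example's own choices.

```shell
#!/bin/sh
# Added example: the DenyHosts threshold rule applied by hand to sshd(pam_unix)
# log lines.  This is illustration code, not DenyHosts' own implementation.
set -eu

# Same names and values as the denyhosts.cfg entries discussed in step 1.
DENY_THRESHOLD_INVALID=5
DENY_THRESHOLD_VALID=10
DENY_THRESHOLD_ROOT=1

# tally: read log lines on stdin, print one "host class count" line per
# (rhost, class) pair, where class is invalid, root or valid.
# pam_unix logs "user=<name>" only when the account exists, so a failure
# line without user= is an attempt against a non-existent account.
tally() {
  awk '
    /sshd\(pam_unix\)/ && /authentication failure/ {
      host = ""; user = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^rhost=/) host = substr($i, 7)   # strip "rhost="
        if ($i ~ /^user=/)  user = substr($i, 6)   # strip "user="
      }
      if (host == "") next                          # no source address, ignore
      if (user == "")          cls = "invalid"
      else if (user == "root") cls = "root"
      else                     cls = "valid"
      n[host " " cls]++
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

# hosts_to_deny: read log lines on stdin, print "sshd: <ip>" for every host
# whose failure count in any class has exceeded that class's threshold.
# The output is the format tcp_wrappers expects in /etc/hosts.deny.
hosts_to_deny() {
  tally | awk -v inv="$DENY_THRESHOLD_INVALID" -v val="$DENY_THRESHOLD_VALID" \
              -v rt="$DENY_THRESHOLD_ROOT" '
    {
      limit = ($2 == "invalid") ? inv : (($2 == "root") ? rt : val)
      if ($3 + 0 > limit + 0) deny[$1] = 1        # "exceeded", not "reached"
    }
    END { for (h in deny) print "sshd: " h }
  ' | LC_ALL=C sort
}

# Constructed sample log, modelled on the /var/log/messages excerpt above:
# 61.178.20.170 -> 2 unknown-account + 2 root failures (root exceeds 1: deny)
# 220.73.231.29 -> exactly 5 unknown-account failures (not exceeded: allow)
# 222.73.4.119  -> 2 root failures (deny)
# 10.0.0.5      -> 2 failures for existing user apache (far below 10: allow)
SAMPLE_LOG=$(cat <<'EOF'
Mar 20 19:28:17 serverku sshd(pam_unix)[14456]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170
Mar 20 19:28:24 serverku sshd(pam_unix)[14458]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170
Mar 20 19:28:30 serverku sshd(pam_unix)[14460]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170  user=root
Mar 20 19:28:37 serverku sshd(pam_unix)[14462]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.178.20.170  user=root
Mar 20 22:15:13 serverku sshd(pam_unix)[15883]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:17 serverku sshd(pam_unix)[15885]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:22 serverku sshd(pam_unix)[15887]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:26 serverku sshd(pam_unix)[15889]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 20 22:15:30 serverku sshd(pam_unix)[15891]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.73.231.29
Mar 21 00:22:03 serverku sshd(pam_unix)[16944]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.4.119  user=root
Mar 21 00:22:10 serverku sshd(pam_unix)[16946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.4.119  user=root
Mar 21 00:30:01 serverku sshd(pam_unix)[17001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=apache
Mar 21 00:30:05 serverku sshd(pam_unix)[17003]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=apache
EOF
)

# Stand-alone run over the constructed sample.
# prints: sshd: 222.73.4.119
#         sshd: 61.178.20.170
printf '%s\n' "$SAMPLE_LOG" | hosts_to_deny
```

On a real system you would feed it the actual log (hosts_to_deny < /var/log/messages) to see what DenyHosts would decide with those thresholds; DenyHosts itself keeps its own counters across runs and appends to /etc/hosts.deny for you, which is why the daemon rather than a one-off script is the right tool.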

Now it is running. Note that the block is enforced by TCP wrappers through /etc/hosts.deny, so it only protects sshd if your sshd honours hosts.deny (the stock CentOS and Fedora packages are linked against libwrap, so they do). Wait for a day or two and we will start receiving notifications about blocked IPs:

Email message follows:
From: DenyHosts <nobody@localhost>
To: emailkamu@domainkamu.com
Subject: DenyHosts Report
Date: Mon, 27 Mar 2006 19:44:15 +0700

Added the following hosts to /etc/hosts.deny:

148.245.12.101 (na-12-101.na.avantel.net.mx)
202.181.213.162 (unknown)
61.218.185.123 (61-218-185-123.HINET-IP.hinet.net)
141.24.205.224 (ktxeon.theoinf.tu-ilmenau.de)
61.153.4.55 (unknown)
59.120.13.130 (59-120-13-130.HINET-IP.hinet.net)
200.243.33.5 (unknown)
220.95.230.169 (unknown)

Conclusion
With those IPs blocked, crackers will at least have a harder time breaking into our server, because each attacking host gets only a handful of guesses before it is shut out. Hopefully this howto can help you secure your server.

v.0.1 by ari_stress a.k.a. tiger74 a.k.a. Fajar Priyanto, Bukit Sentul, 30 March 2006. Email: fajarpri at arinet dot org. He is a Microsoft Certified Professional who fell in love with Linux, working at an automotive dealer in Jakarta.
