A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit" which is a program that checks your system to see if there is any of a number of root kits installed. He had SuckIt installed on his machine and now has a server to rebuild
Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.
Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:
1. PermitRootLogin no Users just have to login to an unprivileged account, then su if they want root access.
2. Banner /etc/banner This file is displayed after you enter your user name. I changed the banner file as below:
password: $ Unauthorized use of this service is strictly prohibited. Unauthorized attempts to use this service, upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.
3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer
A list of all the folks who cannot login.
4. AllowUsers boopy A list of all the folks who can login, just in case I left anyone out of the previous list. Only boopy gets in.
Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:
ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.
5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.
Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?
Any other security suggestions?
(On 3/26/2005 Dirk added this:)
Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.
[root@mammoth tmp]# cat test grep 'Failed password' /var/log/secure|cut -d ']' --fields=2|cut -d ' ' --fields=9|uniq -c|sort -nr [root@mammoth tmp]# sh test 707 126.96.36.199 600 188.8.131.52 115 184.108.40.206 107 220.127.116.11 107 18.104.22.168 107 22.214.171.124 90 126.96.36.199 9 188.8.131.52 9 184.108.40.206 8 220.127.116.11 8 18.104.22.168 1 22.214.171.124 1 126.96.36.199
Got something to add? Send me email.
More Articles by Dirk Hart © 2011-04-30 Dirk Hart