Dealing with SSH scans

From Unixshell# community wiki


This is relatively old news for a lot of weary administrators who review their server logs nightly. For those who have not seen the constant barrage of failed logins, this should serve as an alert to go and secure your server.

If you don't know about it yet, attackers have been scanning large ranges of IPs from compromised servers. The current scanning tool is fairly rudimentary: it is installed and executed on a compromised server and tries a hard-coded list of username/password combinations against every host it finds.

From analysis, most of the passwords tried were plain dictionary words. The single most common account attacked was 'root'.

Once the attacker gains access to a server (preferably, from their point of view, one with root access) he/she will typically perform the following: install another scanner similar to the one used to find the host, and install a variety of rootkits, DDoS tools, eggdrops and possibly an IRCd.

Further analysis has shown that the steps after compromise were done by hand, with many attackers being very paranoid and checking 'w' every so often (this may also be an attempt to hide their own presence, but that is unlikely since they leave .history intact).

Prevention techniques are quite simple, but can be a pain for a lot of people. These are the big ones right now:

The two easiest of them all:

  • Choose secure passwords! That means letters, numbers, symbols, uppercase, lowercase, non-dictionary mumbo-jumbo that you can barely pronounce. APG can help with this, as can /usr/bin/mkpasswd (on Fedora and RHEL systems it comes with the expect package). Neither requires root access to run.
  • Stop using the root account as a login completely. Install/enable sudo/su access, disable root logins in sshd_config (PermitRootLogin no), and restart sshd. Continue logging in with a regular user account and use sudo/su to gain root functionality. For further security use the AllowUsers / AllowGroups configuration directives to limit which accounts sshd will allow to log in. Keep your current session open until you have verified that a fresh login still works, so a typo in the config does not lock you out.

The ones you may want to read up on before you do:

  • Disable password authentication completely (PasswordAuthentication no). Some people are very against this for a variety of reasons I won't get into here, but it is a sure way of keeping scanners off your box, since they will need key-based authentication. Set up and test your keys before turning passwords off, or you will lock yourself out too.
  • Install an IPS that actively locks out a remote address after a certain number of failed login attempts.
  • Run sshd on a different port. Most scans just look for ssh on the default port 22; move it to some random high port number and you'll stop most automated scans, although it does nothing against an attacker who port-scans you first. In Debian you do this by adding a "Port" directive to /etc/ssh/sshd_config.
  • Install a little python script called Blockhosts. It automatically detects failed logins and adds the offending IPs to /etc/hosts.allow or /etc/hosts.deny for a specified amount of time (default is 12 hours). It does require Python 2.3; my CentOS came with (and needed) 2.2, but I was able to install 2.3 alongside it to use with the script.
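The sshd_config directives from the two lists above (PermitRootLogin, AllowUsers/AllowGroups, PasswordAuthentication, Port) can be checked mechanically. What follows is an added example, not code from this page, the wiki or the OpenSSH project: a small Python audit that reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, '#' starts a comment, and only the global section before any Match line counts) and reports which of those settings are still at their weak defaults. The two sample configurations inside it are constructed for illustration.

```python
"""Audit an sshd_config for the hardening points made on this page.

Added example, not code from the page, the wiki or the OpenSSH project.
It follows sshd's own reading of the file (keywords case-insensitive,
first occurrence of a keyword wins, '#' starts a comment) and looks at
the global section only: anything after a 'Match' line is conditional
and is ignored. The sample configs at the bottom are constructed.
"""
import re
from typing import Dict, List, Tuple

# Both "Keyword value" and "Keyword=value" are accepted by sshd.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")

# OpenSSH defaults for the directives this page talks about. An empty
# AllowUsers/AllowGroups means "no restriction".
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "port": "22",
    "allowusers": "",
    "allowgroups": "",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {lowercased keyword: first value} for the global section."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                    # conditional block: global section is over
            break
        seen.setdefault(key, value)           # first occurrence wins, as in sshd
    return seen


def audit_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (directive, advice) pairs for each weak setting found."""
    cfg = parse_sshd_config(text)

    def value(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: List[Tuple[str, str]] = []
    if value("permitrootlogin") != "no":
        findings.append(("PermitRootLogin", "set to 'no'; log in as a user and use sudo/su"))
    if not value("allowusers") and not value("allowgroups"):
        findings.append(("AllowUsers/AllowGroups", "restrict which accounts sshd will accept"))
    if value("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", "set to 'no' once key logins are tested"))
    if value("port") == "22":                 # only the first Port line is examined
        findings.append(("Port", "a non-default port cuts scanner noise, not targeted attacks"))
    return findings


# Constructed sample: a stock install with every directive at its default.
WEAK_CONFIG = """\
# Typical stock sshd_config
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same file after applying the advice on this page.
HARDENED_CONFIG = """\
Port 2222                    # cuts automated noise only
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes          # ignored by sshd: the first occurrence wins
Match User alice
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("stock", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, advice in findings:
            print(f"  {directive}: {advice}")
```

Run it against your own file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the Port finding is deliberately only advisory, since a moved port hides you from the dumb scanners described above and from nothing else.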

Blockhosts came with an excellent set of instructions for installation. The only thing I had to do differently was, instead of using:

python setup.py install --force

I used:

python2.3 setup.py install --force

so that it used the proper interpreter for installation. Now if someone attempts a brute-force or dictionary attack 7 times, their IP is added to the deny list for 12 hours and, hopefully, they move on to easier targets.

The script is very small, seems to run automatically after install (you do need to run it manually the first time), and does not seem to use much in the way of resources. Still re-learning this stuff, but I thought I would add this to the list of security suggestions.
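The lockout behaviour described for Blockhosts above (deny an address after 7 failures, release it after 12 hours) as an added Python example. This is not Blockhosts' own code and not from the page. The log lines are constructed in the classic syslog format sshd writes; the regular expression for "Failed password" lines, the `sshd: address` form of the hosts.deny entries and the year (classic syslog timestamps carry none) are assumptions made here.

```python
"""Blockhosts-style lockout replayed over sshd log lines.

Added example, not Blockhosts' own code nor anything from the page. It
implements the behaviour the page describes with the defaults quoted
there: after THRESHOLD failed logins an address is denied for BLOCK_FOR,
then released. The log lines are constructed; the regex for sshd's
"Failed password" message, the hosts.deny line format and the assumed
year are all assumptions of this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

THRESHOLD = 7                       # failures before blocking (default per the page)
BLOCK_FOR = timedelta(hours=12)     # how long a block lasts (default per the page)

# Matches "Failed password for root from A.B.C.D ..." and
# "Failed password for invalid user foo from A.B.C.D ...". Assumed format.
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


class HostBlocker:
    def __init__(self, threshold: int = THRESHOLD,
                 block_for: timedelta = BLOCK_FOR, year: int = 2024) -> None:
        self.threshold = threshold
        self.block_for = block_for
        self.year = year                       # syslog timestamps have no year
        self.failures: Dict[str, int] = {}     # counters are not aged (kept simple)
        self.blocked_until: Dict[str, datetime] = {}

    def _parse_ts(self, ts: str) -> datetime:
        return datetime.strptime(f"{self.year} {ts}", "%Y %b %d %H:%M:%S")

    def expire(self, now: datetime) -> List[str]:
        """Release blocks whose 12 hours are up; return the released IPs."""
        released = [ip for ip, until in self.blocked_until.items() if until <= now]
        for ip in released:
            del self.blocked_until[ip]
        return released

    def feed(self, line: str) -> Optional[str]:
        """Process one log line; return the IP if this line triggers a block."""
        m = _FAILED.match(line)
        if not m:
            return None                        # successful logins etc. are ignored
        ip, now = m.group("ip"), self._parse_ts(m.group("ts"))
        self.expire(now)
        if ip in self.blocked_until:
            return None                        # already denied
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            self.failures.pop(ip)              # counter restarts after release
            return ip
        return None

    def hosts_deny_lines(self) -> List[str]:
        """Entries in hosts.deny syntax (daemon: client), one per blocked IP."""
        return [f"sshd: {ip}" for ip in sorted(self.blocked_until)]


def replay(lines: List[str], blocker: HostBlocker) -> List[str]:
    """Feed every line into blocker; return the IPs blocked, in order."""
    return [ip for ip in map(blocker.feed, lines) if ip]


def sample_log() -> List[str]:
    """Constructed syslog lines for demonstration (documentation IP ranges)."""
    scanner = "203.0.113.5"
    lines = [
        f"Jan 12 03:14:{7 + i:02d} web1 sshd[1234]: Failed password for root "
        f"from {scanner} port 4321 ssh2"
        for i in range(7)                      # exactly THRESHOLD failures
    ]
    lines.append("Jan 12 03:15:00 web1 sshd[1240]: Failed password for invalid user "
                 "admin from 198.51.100.9 port 5555 ssh2")
    lines.append("Jan 12 03:15:01 web1 sshd[1241]: Accepted publickey for alice "
                 "from 198.51.100.20 port 6000 ssh2")
    # Activity 12 hours later makes the scanner's block expire on the next pass.
    lines.append("Jan 12 15:15:00 web1 sshd[1250]: Failed password for invalid user "
                 "test from 198.51.100.9 port 5556 ssh2")
    return lines


if __name__ == "__main__":
    blocker = HostBlocker()
    print("blocked during replay:", replay(sample_log(), blocker))
    print("still in hosts.deny:", blocker.hosts_deny_lines())
    print("pending counters:", blocker.failures)
```

Blocks are only ever reconsidered when another line arrives, which is fine for a log tailer but means a quiet host keeps stale entries until the next event; the real tools also write the deny file atomically, which this replay leaves out.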
