
Hello Skunkers,

I have a Linux box that is on the internet. I have several times noticed that when I look at my log files in /var/log/secure I notice a lot of possible break-in attempts, e.g.

32 proxicious sshd[32036]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cl67-179-182-213.cl.metrocom.ru user=root
Jan 25 19:02:34 proxicious sshd[32036]: Failed password for root from 213.182.179.67 port 47122 ssh2
Jan 25 19:02:34 proxicious sshd[32037]: Received disconnect from 213.182.179.67: 11: Bye Bye
Jan 25 19:02:36 proxicious sshd[32038]: pam_unix(sshd:auth): authentication failure; logname= uid=0

There are so many IP addresses trying to enter this box. I have been blocking the IP addresses using

iptables -A INPUT -s a.b.c.d -j DROP

from the box. My question is, if there are very many IPs trying, is there a simpler method of doing this or do I have to do it one by one? (Really frustrating.)

PS: I have not enabled SELinux because sometimes it becomes a hindrance a lot.

Any help is appreciated.
Regards

----------------------------------------------
This message has been scanned for viruses and dangerous content by Jambo MailScanner, and is believed to be clean.
---------------------------------------------
"easy access to the world"
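The question asks for something simpler than typing one `iptables -A INPUT -s a.b.c.d -j DROP` per address. As an added example (this is not code from Cynthia's post or from any reply in the thread), here is a Python script that reads /var/log/secure-style lines, counts "Failed password" events per source address, drops anything on a never-block list so the administrator cannot lock herself out, and emits one DROP rule per address over a threshold. The sample log lines are constructed in the format quoted above; the threshold of 3, the never-block ranges, and the use of `-I` (insert at the top of INPUT) are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: turn sshd failures in /var/log/secure
into iptables DROP rules, with a threshold and a never-block list."""
import re
import subprocess
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the 'Failed password' lines quoted in the question, including the
# 'invalid user' form sshd logs for accounts that do not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumptions: failures per source before it is blocked, and ranges that must
# never be blocked (your own office/home ranges go here; 192.0.2.0/24 is an
# RFC 5737 documentation net used as a placeholder).
THRESHOLD = 3
NEVER_BLOCK = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]


def failures_per_ip(lines):
    """Count 'Failed password' events per source address; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=THRESHOLD, never_block=NEVER_BLOCK):
    """Addresses with at least `threshold` failures outside the protected
    ranges, most active first."""
    out = [
        (ip, n) for ip, n in counts.items()
        if n >= threshold and not any(ip_address(ip) in net for net in never_block)
    ]
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


def iptables_rules(offender_list):
    """One DROP rule per offender. -I (insert at the top of INPUT) rather than
    -A so the rule is evaluated before any existing ACCEPT rule for port 22."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip, _ in offender_list]


# Constructed sample in the format of the lines quoted in the question.
SAMPLE_LOG = """\
Jan 25 19:02:34 proxicious sshd[32036]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cl67-179-182-213.cl.metrocom.ru user=root
Jan 25 19:02:34 proxicious sshd[32036]: Failed password for root from 213.182.179.67 port 47122 ssh2
Jan 25 19:02:34 proxicious sshd[32037]: Received disconnect from 213.182.179.67: 11: Bye Bye
Jan 25 19:02:36 proxicious sshd[32038]: Failed password for root from 213.182.179.67 port 47130 ssh2
Jan 25 19:02:39 proxicious sshd[32040]: Failed password for invalid user admin from 213.182.179.67 port 47141 ssh2
Jan 25 19:02:41 proxicious sshd[32042]: Failed password for invalid user oracle from 213.182.179.67 port 47150 ssh2
Jan 25 19:03:10 proxicious sshd[32050]: Failed password for root from 198.51.100.9 port 51001 ssh2
Jan 25 19:03:12 proxicious sshd[32051]: Failed password for root from 198.51.100.9 port 51002 ssh2
Jan 25 19:05:00 proxicious sshd[32060]: Failed password for user1 from 192.0.2.10 port 40001 ssh2
Jan 25 19:05:03 proxicious sshd[32061]: Failed password for user1 from 192.0.2.10 port 40002 ssh2
Jan 25 19:05:06 proxicious sshd[32062]: Failed password for user1 from 192.0.2.10 port 40003 ssh2
Jan 25 19:05:09 proxicious sshd[32063]: Accepted password for user1 from 192.0.2.10 port 40004 ssh2
"""

if __name__ == "__main__":
    # Usage: block_ssh_bruteforce.py [/var/log/secure] [--apply]
    # Without a path the constructed sample is used; --apply runs the rules (needs root).
    args = [a for a in sys.argv[1:] if a != "--apply"]
    lines = open(args[0]).read().splitlines() if args else SAMPLE_LOG.splitlines()
    for rule in iptables_rules(offenders(failures_per_ip(lines))):
        print(rule)
        if "--apply" in sys.argv:
            subprocess.run(rule.split(), check=True)
```

On the sample, only 213.182.179.67 is blocked: 198.51.100.9 is under the threshold and 192.0.2.10 is on the never-block list even though it has three failures. Two things to keep in mind before running it with --apply: rules added this way live only in the running kernel, so on CentOS run `service iptables save` afterwards to keep them across a reboot, and re-running the script over the same log inserts the same rules again, so flush a dedicated chain first or keep a record of what has already been added.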

It may be easier to do allow rules for the IPs you want to access the server via SSH than vice versa. This is the best practice, I believe. Secondly, there is a file /etc/ssh/sshd_config. You may want to have the following:

PermitRootLogin no
AllowUsers user1, user2, user3

-----Original Message-----
From: Cynthia Wahome <cwahome@jambo.co.ke>
Reply-to: Skunkworks Forum <skunkworks@lists.my.co.ke>
To: skunkworks@my.co.ke
Subject: [Skunkworks] CentOS SERVER SECURITY
Date: Mon, 1 Feb 2010 10:11:38 +0300 (EAT)

_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f...
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
Other lists
-------------
Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

Sorry; AllowUsers user1 user2 user3, not AllowUsers user1, user2, user3. # No commas.

-----Original Message-----
From: Alex Nderitu <nderitualex@gmail.com>
Reply-to: Skunkworks Forum <skunkworks@lists.my.co.ke>
To: Skunkworks Forum <skunkworks@lists.my.co.ke>
Cc: skunkworks@my.co.ke
Subject: Re: [Skunkworks] CentOS SERVER SECURITY
Date: Mon, 01 Feb 2010 10:17:52 +0300
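Alex's two messages recommend PermitRootLogin no and a space-separated AllowUsers list. As an added example (not Alex's code or anything posted in the thread), here is a small Python audit of sshd_config that checks exactly those points the way sshd itself reads the file: the first occurrence of a keyword wins, so a "PermitRootLogin no" appended below the stock "PermitRootLogin yes" changes nothing, and AllowUsers is split on whitespace, so "user1, user2" produces an entry "user1," that matches no account and locks user1 out. It also flags Port 22, the change suggested further down the thread. The two sample configs are constructed; treating an absent PermitRootLogin as "yes" is an assumption about the OpenSSH defaults of the CentOS builds of the time.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: audit /etc/ssh/sshd_config for the
PermitRootLogin / AllowUsers advice above and the port change suggested later."""
import re
import sys


def parse_sshd_config(text):
    """Map lower-cased keyword -> value. The FIRST occurrence of a keyword wins,
    which is sshd's own rule (a later duplicate is silently ignored, so a
    'PermitRootLogin no' appended at the bottom does nothing if the stock
    'PermitRootLogin yes' above it is left in place). Parsing stops at the first
    Match block, because directives below it apply only conditionally."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        values.setdefault(key, val)
    return values


def audit(values):
    """Return a list of findings; an empty list means the file follows the advice.
    Assumed defaults for absent keywords: PermitRootLogin yes and Port 22 (assumption:
    what the OpenSSH builds shipped with CentOS at the time used)."""
    findings = []

    prl = values.get("permitrootlogin", "yes").lower()
    if prl != "no":
        findings.append("PermitRootLogin is '%s'; set 'PermitRootLogin no'" % prl)

    allow = values.get("allowusers")
    if allow is None:
        findings.append("AllowUsers is not set; every local account may try to log in")
    else:
        # sshd splits the value on whitespace, so 'user1, user2, user3' yields the
        # entries 'user1,' and 'user2,' which match no account: those users are locked out.
        bad = [u for u in allow.split() if "," in u]
        if bad:
            findings.append("AllowUsers entries %s contain commas; separate names with spaces only" % bad)

    if values.get("port", "22") == "22":
        findings.append("Port is 22 (the default); move sshd to a non-default port")

    return findings


# Constructed sample: the edit as first posted (commas) on top of a stock config.
BAD_CONFIG = """\
# stock settings left in place
Protocol = 2
Port 22
PermitRootLogin yes
AllowUsers user1, user2, user3
PermitRootLogin no   # appended later: ignored, the first occurrence wins
"""

# Constructed sample: the corrected edit.
GOOD_CONFIG = """\
Protocol 2
Port 2222
PermitRootLogin no
AllowUsers user1 user2 user3
"""

if __name__ == "__main__":
    # Usage: sshd_audit.py [/etc/ssh/sshd_config]; exit status 1 if anything is flagged.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    problems = audit(parse_sshd_config(text))
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it against the real file after editing, and before restarting sshd keep the existing session open and test a fresh login from a second terminal: an AllowUsers line that locks out the only admin account is the failure mode this check is there to catch.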

Thank you very much

Hello Cynthia Wahome,

You can write a shell script to block the IPs (a sample is in the file attached), or you can block them from the iptables platform:

1. Log into the shell as the root user.
2. Run the iptables command: iptables -A INPUT -s IP-ADDRESS -j DROP
3. To limit or block access from an IP on a certain port, e.g. 45 or 25:
4. # iptables -A INPUT -s 12.22.22.165 -p tcp --destination-port 45 -j DROP
5. The above will stop all the packets coming from port 45 using the specified IP.

Hope it helps.

Thanks a lot, Benjamin.

Some of these attempts could be bots. Change your sshd port to something higher than port 20000, and if the attacks continue, know that you have someone all over your box!

--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/

These should not bother you if you know that you have secured your sshd service. The other thing you could do is to change the default sshd port from 22 to something else known only to people who need it.

FWIW, what Alex Nderitu has posted should really help. Most Linuxes come with that option set to "yes". *BSDs have it set to "no".

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254733744121/+254722743223
"If you have nothing good to say about someone, just shut up!" -- Lucky Dube

Thanks a lot, Washington. Will certainly do that.

Hi,

Cynthia Wahome wrote:
> These should not bother you if you know that you have secured your sshd service. The other thing you could do is to change the default sshd port from 22 to something else known only to people who need it.
Most common practice is to put the port at a higher number, i.e. > 1024. The reason being that most port scans are limited to the normal port range, i.e. 0 - 1024. Once you have this in place, and yes, it's always safe to disable root access via SSH, you reduce your brute-force attacks.

Regards,
Michuki.
participants (6)
- Alex Nderitu
- Benjamin
- Cynthia Wahome
- Gichuki John Chuksjonia
- Michuki Mwangi
- Odhiambo Washington