Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Protecting Linux against automated attackers
Share
Print
CommentsBrute-force attackers use so-called dictionary attacks, attempting many different login/password combinations in an attempt to hit on one that matches. In most cases, these scripts use a pre-programmed "dictionary" of often-used account names (such as www, admin, test, or guest). These scripts then attempt common passwords (often just the name of the account or an empty string). When one attempt fails, the script continues on, attempting other entries in its dictionary, until it has exhausted every pair (which can total hundreds of login attempts).
One of the most popular scripts attackers have employed has been the "haita" script, often paired with a fast port scanner. The port scanner first scans blocks of IP addresses, checking for an open SSH port (22). When the scanner finds a potential target, it stores the address in a database for later. Usually within a few hours of the initial scan, the brute-force script will begin attempting dictionary attacks on each of the IP addresses within this database. Once it finds a successful login/password combination, the script alerts a human operator and hands off login access to the machine. This attacker can then log into the breached system and employ it for his own nefarious purposes.
What happens once a computer system has been compromised? According to many systems administrators, attackers first use the compromised box to begin additional attacks on other computer systems, attempting to gain access to even more machines. Many of these systems are employed as "zombies," used to deliver hundreds of thousands of spam emails to unsuspecting inboxes. Or, if the compromised system particularly juicy, the attacker may install a keystroke logger to capture passwords for bank accounts and other information. The attacker may also attempt to gather company information, perhaps for blackmail purposes.
How to protect yourself
With so many attacks occurring on a daily basis -- even to everyday home users -- how can you protect yourself?
- Always choose good passwords. A good password is one that is not easy to guess, has both numbers and letters in it, and is usually more than six characters long. Also, use different passwords for different accounts; that way, if one password is ever compromised, you can decrease the fallout.
- Disable SSH access unless you really need it. If you must have it, try to set up restricted access lists, denying every IP address that's not on your list. This isn't always feasible, which is why the scripts listed in this article are so useful.
- Disable root logins via SSH. There are few reasons why this should be turned on in the first place, so make sure it's off. In addition, you can specify which users are allowed to log into the system via SSH with the AllowUsers option (followed by a list of user name patterns, separated by spaces).
- Regularly update your system's software. If it's ever compromised, you'll be able to reduce the effectiveness of rootkits and other privilege-escalation software by eliminating known security vulnerabilities.
| Creating a strong password |
|---|
|
Many people have created rules for strong passwords, and different organizations have different policies regarding strong passwords. Following these seven common-sense rules can go a long way toward preventing even determined attackers from guessing their way into your account:
These rules, along with other helpful information regarding Linux passwords, can be found in the Linux.com article "CLI Magic: passwd and passwords". |
Daemon Shield
Daemon Shield is a small Python script that is started at boot time and continuously monitors a syslog file (usually /var/log/messages) for login attempts (including SSH, FTP, and other services). The configuration file specifies the amount of time to wait between processing the syslog file for changes (a greater interval can improve performance), the number of acceptable attempts within a specified period of time, and what to do if an address is found that violates this policy.
In general, the script has some good features (such as the ability to block an address for a specified period of time). It uses iptables to handle the blocklist (which, when combined with an iptables firewall-type rule set, gives administrators good control over the network security of their computer system). However, Daemon Shield suffers greatly when parsing long syslog files; it may not block an address until many attempts into the attack (or until after the attack is complete). Having a good log-rolling policy for your syslog file is crucial to getting the best performance out of Daemon Shield.
Once the software is installed, you'll need to configure it for your installation. First, make sure you have an /etc/sysconfig/iptables file (some distributions, notably Mandriva, do not create this file by default). Iptables can generate this file automatically. Under Red Hat, you can try:
service iptables save
Under Mandrake and several other distributions, use the iptables-save program if it's available in your PATH:
iptables-save
Once you've created the /etc/sysconfig/iptables file, configure it to begin using the Daemon Shield rules. According to the Daemon Shield install file:
Add the following line to the list of iptables chains:
:Kiddies - [0:0]
Then add the following lines to the end of the file:
-A Kiddies -j LOG --log-level info --log-prefix "Dropped IP: " -m limit --limit
-A Kiddies -j DROP
These options instruct iptables to consult the auto-generated Daemon Shield block list before allowing each TCP connection (remember that Daemon Shield can monitor login attempts for services other than just SSH).
Now that iptables is configured to use the Daemon Shield service, the next step is to begin editing the Daemon Shield configuration file, /usr/local/etc/daemonshield.conf, to suit your installation. I found working with the configuration file to be confusing. For instance, the syntax of the ignorestring option, which allows you to set Daemon Shield to automatically ignore any logins made from the specified set of IP addresses or ranges, is certainly a little confusing. Here's the entry I used to automatically ignore (and thereby always allow) addresses originating from 10.*.*.* and 192.168.*.* networks:
ignorestring=10\.\d{1,3}\.\d{1,3}\.\d{1,3} 192\.168\.\d{1,3}\.\d{1,3}
I then edited the set of commands relating to the time intervals that Daemon Shield uses. First, I adjusted the expireblocktime option, which is the length of time an IP address should be blocked from attempting to log into the system after Daemon Shield has determined it to be a brute-force attacker. I used the value 180 (in minutes, so three hours), which seemed like a reasonable amount of time: not too long that a false-positive means complete lockout, but long enough that brute-forcers will likely move on. If you wish to block the address indefinitely, then you can set expireblocktime to 0.
Next set the logwatchinterval, which specifies the length of time (in seconds) that Daemon Shield should wait between checking the log file for changes (it accomplishes this by periodically stating the log file and comparing its filesize). This is a low-resource operation, though logwatchinterval should still be set to a reasonable length of time (I left the default of five seconds). In addition to this option, there is logprocessdelay, which specifies the length of time to wait between the initial time when the log was determined to have changed and the time when Daemon Shield opens the log to find potential dictionary attacks. It's probably best to leave this as a very low number.
The next option is watchwindow. Daemon Shield stats at the tail end of the log file and works its way up to earlier entries, with its upper threshold being the current time minus watchwindow (in seconds). This reduces the overhead for Daemon Shield, so it doesn't have to crawl through every single entry in the log file. Unfortunately, if a brute-force attacker is attempting logins over a very long period of time (say only a few times an hour), then Daemon Shield could potentially miss the attacks. Luckily, I have never seen this happen. Instead, the dictionary attack scripts seem to try all their combinations as quickly as possible before moving on. I left the default at one hour (3,600 seconds).
| Attackers' weapons |
|---|
|
Attackers employ a variety of tools in their attempts to gain control over unprotected Linux boxes, including:
|
recentwindow. The idea is that for an attacker to qualify for the block list, it must have perpetrated at least one attack within the recentwindow time period. This option seeks to restrict Daemon Shield to blocking only current attacks, and not ones that occurred recently (but are not currently ongoing). This option can be tricky: the default is set to 240 (seconds), so an attacker must have attempted a login within the last two minutes in order for it to qualify for blocking. However, the attacker could have attempted any number of attacks within the last watchwindow seconds, all of which must be summed together by Daemon Shield to determine if the IP address is a candidate for blocking.
Finally, Daemon Shield can send email reports whenever it blocks or unblocks IP addresses. It can also enable and disable other services -- default checks by Daemon Shield include SSH, FTP, Telnet, and even PAM.
Once Daemon Shield has been installed and configured, it's time to start checking for attackers. Under Mandriva and most other distributions, you can start Daemon Shield simply by going to /etc/init.d and running:
./daemonshield start
Additionally, the make install script should take the steps necessary to ensure Daemon Shield is started at boot. If you're having trouble getting the daemon to start (or if it's not starting automatically when the system is started), consult the INSTALL file in the daemonshield-X.X.X directory.
BlockHosts
BlockHosts, another script written in Python, is easier to set up, maintain, and configure. The idea behind BlockHosts is to continuously scan a syslog file for SSHD failed login attempts, and add the IP addresses listed there (after a predetermined number of attempts have been exceeded) to the system's /etc/hosts.deny file -- a different approach from that of Daemon Shield, which uses iptables to block connection attempts.
After installing the software, run the included setup script (as described in the INSTALL file). The setup script copies and installs all of the necessary BlockHosts files to their proper locations:
python setup.py install -force
If you get an error message about missing a Makefile (python2.4/config/Makefile, for instance), then you probably don't have the Python developer tools installed (under Mandriva and Debian, it's named python-dev), so you must install this missing software before continuing.
Once you have the BlockHosts script installed, begin configuration by editing the /etc/blockhosts.cfg file with your favorite text editor. BlockHosts comes with a default configuration file with all options commented out. Edit this file and uncomment each line suitable for your installation. All of the options are well-documented in the comments, and can be uncommented by removing the "#" at the beginning of each line.
Once your configuration file is ready, the next step is to prepare the /etc/hosts.deny (or /etc/hosts.allow, depending on your installation) for BlockHosts by copying the following lines (in their entirety) to your hosts.{deny|allow} file:
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd:ALL:spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
proftpd:ALL: spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
These instructions tell the system to automatically run (spawn) the BlockHosts script (/usr/bin/blockhosts.py) each time a user attempts to connect to your system via either SSH or ProFTP. The script will then determine if the connecting host should be allowed access or be blocked.
Once you have completed these steps, can begin watching for dictionary attacks. Each blocked address will be added to your hosts.{deny|allow} file and prevented from accessing your machine for the specified length of time (specified by AGE_THRESHOLD in the /etc/blockhosts.cfg file).
sshdfilter
Numerous other scripts are available to perform tasks similar to those of the two detailed above. One such promising script is sshdfilter, which blocks dictionary attackers using iptables, and is very efficient in how it detects them. The sshdfilter script starts the SSHD service itself, and instructs SSHD to output all log details to stdout (which is then captured by sshdfilter). In this way, the script can detect attacks as they happen, in real time, and significantly reduces the overhead involved in searching for offenders.
Unfortunately, the sshdfilter script is more complex to set up and install than the Daemon Shield software, partly because the author has made distribution-specific installation files that failed for my (non-included) Mandriva system. Out-of-the-box configurations include Red Hat 7.3 and 9.0, Fedora Core 3, and Debian 3.1. Details exist for users who want to attempt an install on an unsupported system, though they appear to be highly platform-specific.
Employing the basic practices and scripts above, you can harden your Linux machine against many of the dictionary SSH attacks that plague Linux systems today. Keeping your system's software up to date goes a long way toward protecting yourself against many common security vulnerabilities that automated scripts attempt to take advantage of. Don't let your system be the jumping-off point for spam, additional system attacks, or even blackmail -- protect yourself with these practices today.
Ryan Twomey is a co-founder of Draconis Software, which offers a free personal edition of its commercial server monitoring software.
Comments
on Protecting Linux against automated attackersNote: Comments are owned by the poster. We are not responsible for their content.
portknocking for shorewall: <a href="http://shorewall.net/PortKnocking.html" title="shorewall.net">http://shorewall.net/PortKnocking.html</a shorewall.net>
Sorry, but running a script that then does its job without any setup necessary that can't be circumvented by sniffing is a tad bit more reliable, don't you think?
it should be sufficent to simply knock out *scripts*. never said that it's *the* solution against human attackers.
AllowUsers mariochi jardel
to<nobr> <wbr></nobr>/etc/ssh/sshd_config
and that's it. Script kiddie's attacks are directed at standard accounts, e.g. root ftp admin<nobr> <wbr></nobr>...
su privileged_account_name
or
sudo privileged_command_the_account_has_access_to
Use logging and alerts if su or sudo is used.
And don't forget 'Protocol 2' in sshd_config....
Posted by: Anonymous Coward on September 23, 2005 10:24 AM<a href="http://mail-index.netbsd.org/tech-security/2002/03/14/0001.html" title="netbsd.org">Protocol 2</a netbsd.org>
email the port knocking code to the server encrypted.
Html knocking is along the same line.
Old rule hide in plain site stops most people. Feed back form. Correctly formated message sets the port knocking and activates for a short time to let you in from a partical IP.
Non standard and moving ports makes it alot harder. Single access port knocking helps. If known your IP inregard to the server(You IP is X) Ie you opened the door. Note if you have messaged the IP as well hack attempts are verry limited.
I prefer the layered approach to security.
1st layer: Firewall and limited access time.
2nd layer: Restricted network access using pam's access module and tcp wrappers.
3rd layer: Restricted ssh access to single user account.
4th layer: Key and passphrase authorization.
It doesn't stop there. The 1st layer relies on security through obscurity, by only hiding what's already there. It's controlled, but I have to rely on security updates to keep things relatively secure. Finally, I run md5 checks on binaries and backup all databases and user data using rsnapshot to protect me from the day of armageddon!<nobr> <wbr></nobr>:)
Exponential back-off would be even better, but a little more complex.
1. Bind sshd to another port, this is security by obscurity and here it works, cause scripts usually scan only this port.
2. Remove the ssh banner that appears when connecting to sshd by modifying the source and compiling the sshd yourself. This is security by obscurity and here it works, too. Scripts often check these banner for version information.
3. Use port knocking techniques to open the port on demand.
4. Use key authentification instead of password.
5. Use an IDS with active response.
my 2cent
the polarizer
<a href="http://www.codixx.de/polarizer.html" title="codixx.de">http://www.codixx.de/polarizer.html</a codixx.de>
> on demand.
This seems interesting, can you provide a link?
I've written a how-to with info for putting this to work, but it's on spanish :
<a href="http://www.narcotize.com/maruja-digital/2005/08/09/port-knockin-tacticas-adicionales-de-seguridad/" title="narcotize.com">http://www.narcotize.com/maruja-digital/2005/08/0<nobr>9<wbr></nobr> /port-knockin-tacticas-adicionales-de-seguridad/</a narcotize.com>
But you can find info on the knockd (one port knocking daemon implementation) homepage:
<a href="http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki" title="zeroflux.org">http://www.zeroflux.org/cgi-bin/cvstrac/knock/wik<nobr>i<wbr></nobr> </a zeroflux.org>
It's plain easy<nobr> <wbr></nobr>:D
Andor
my implementation: <a href="http://jiyu.gnook.org/~kouhz/spoks/" title="gnook.org">http://jiyu.gnook.org/~kouhz/spoks/</a gnook.org>
<a href="http://thc.org/thc-amap/" title="thc.org">http://thc.org/thc-amap/</a thc.org>
Better to assume that an attacker will be able to map your ports and what is listening accurately.
Using key authentication and IDS are great suggestions.
I found that just changing the port number avoid most of the attack attempts.
Obscurity does not work if someone is decided to attack your system, but it helps avoid the stupid scripts that try dictionary attacks.
It's like the "ADT" sign in the yard... it does nothing really, but a thief will choose a house without the sign if possible.
<a href="http://denyhosts.sourceforge.net/" title="sourceforge.net">http://denyhosts.sourceforge.net/</a sourceforge.net>
[URL=http://lowerbackpain.0pi.com/backpain.htm] Back Pain [/URL]
[URL=http://painreliefproduct.guildspace.com] Pain relief [/URL]
[URL=http://painreliefmedic.friendpages.com] Pain relief [/URL]
[URL=http://nervepainrelief.jeeran.com/painrelief<nobr>.<wbr></nobr> htm] Nerve pain relief [/URL]
A more iptables-centric discussion on this topic
Posted by: Anonymous Coward on September 22, 2005 09:18 PM<a href="http://wiki.clug.org.za/index.php/Defending_Against_Brute_Force_SSH_Attacks" title="clug.org.za">http://wiki.clug.org.za/index.php/Defending_Again<nobr>s<wbr></nobr> t_Brute_Force_SSH_Attacks</a clug.org.za>
Since this is a single line modification, it is easy and safe to do. This will throw off any brute force attack.
Re:Add a sleep() to SSH password function
Posted by: Anonymous Coward on September 24, 2005 03:58 AMA strong approach is to use public keys, so that the server authenticates the client with public-key crypto.
It uses PAM to blacklist 1) addresses from which failed logins originate, and 2) the local accts. themselves; it doesn't rely on log scanning. No. of attempts, blacklisting duration, local accts. to ignore, etc. etc. are all configurable.
A) After 3 failed logins, sleep x seconds before allow a new login.
B) Hide the banner that says what service and version is running.
Automatically Blocking SSH Attackes From Script Kiddies?
<a href="http://www.debian-administration.org/articles/250" title="debian-adm...ration.org">http://www.debian-administration.org/articles/250</a debian-adm...ration.org>
From the description:
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
sshblock
Posted by: blindcoder on September 22, 2005 05:53 PMSimple solution is here:
<a href="http://shellscripts.org/project/sshblock" title="shellscripts.org">http://shellscripts.org/project/sshblock</a shellscripts.org>
Quote the wiki:
Using this script and iptables/at you can block logins when there have been more than 10 failed attempts from an IP.
If there has been no attempted login within an hour, the IP is removed and has 10 attempts again.
If a login is successful, the IP? is also removed.
If you do not have a logrotate mechanism in place, simply start<nobr> <wbr></nobr>./block.pl. Otherwise start it like this: # while : ; do<nobr> <wbr></nobr>./block.pl ; done
This will ensure that it will restart after a log has been moved away.
#