How to block repeated ssh/ftp logins?
Posted: 18 Jan 2007, 19:11
by lelle
Hi all,
First of all, I'm aware that opening ports 21 and 22 will make bubba (or any computer exposed to the internet) vulnerable to intrusion. So this is not at all a problem specific to the bubba server.
Nevertheless...
While looking into my /var/log/auth.log file, I can see multiple unauthorized logon attempts (ssh or ftp) from the same ip, trying to logon using different user ids in a short time.
I'm wondering if there's a way to automatically block repeated logon attempts from the same ip, to the same port, using different user ids?
Blocking the ip-addresses in my firewall is not an option, since a lot of different addresses are used.
Any help would be greatly appreciated!
Posted: 19 Jan 2007, 14:55
by tor
Hi lelle,
It's quite common to see this in your logfiles. These are mostly bots trying to brute force their way into your machine.
Unfortunately neither the ssh server nor the ftp server has built-in protection against this form of attack.
There are however a few things one can do.
First off only expose ports you really use to the Internet.
Use good passwords and don't add unneeded users, especially not with usernames like test etc.
There are some settings in ssh that make life a _little_ harder for those trying to break into your systems. Look at the sshd_config and the options LoginGraceTime and MaxStartups. Setting these to a bit lower values than default should make things a bit harder.
Another solution, if you only access Bubba with these services from a few well-known places, is to use hosts.allow and hosts.deny with tcp wrappers (short intro here, e.g.) to limit hosts that have access to specific servers on Bubba.
And finally there are some automated ways to block these attempts, but these are not very easy to set up and some of them require you to run a firewall on your machine.
An example of such a solution is, e.g., fail2ban, or others linked from that one:
http://www.fail2ban.org/wiki/index.php/Links
/Tor
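The check below is an added example, not part of the original thread or of fail2ban: it does by hand the first thing tools like fail2ban automate, namely pulling the source address out of every "Failed password" line in auth.log, counting per address and listing the addresses that exceed a threshold. The log lines in SAMPLE_LOG are constructed to look like OpenSSH entries; on a real box you would feed it /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example (not from the thread): count failed ssh password attempts per
# source IP in auth.log-style lines and report sources over a threshold.
# The log lines below are CONSTRUCTED to resemble OpenSSH entries.

SAMPLE_LOG='Jan 18 18:02:11 bubba sshd[4521]: Failed password for invalid user test from 192.0.2.10 port 51234 ssh2
Jan 18 18:02:13 bubba sshd[4523]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Jan 18 18:02:15 bubba sshd[4525]: Failed password for root from 192.0.2.10 port 51238 ssh2
Jan 18 18:02:17 bubba sshd[4527]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Jan 18 18:05:40 bubba sshd[4530]: Accepted publickey for lelle from 198.51.100.7 port 40022 ssh2
Jan 18 18:06:02 bubba sshd[4533]: Failed password for lelle from 198.51.100.7 port 40030 ssh2
Jan 18 18:09:55 bubba sshd[4540]: Failed password for invalid user guest from 203.0.113.5 port 33001 ssh2'

# failed_by_ip: print "count ip" for every source with at least one failed
# password attempt, highest count first. Successful logins are not counted.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# suspicious_ips THRESHOLD: print only the IPs whose failed count is >= THRESHOLD.
suspicious_ips() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run: list sources with 3 or more failures.
suspicious_ips 3
```

A single failure from a known address (the lelle typo above) stays below the threshold, while the one address cycling through test, admin, root and oracle is flagged; that distinction between a mistyped password and a username sweep is exactly what the threshold is for. The sed pattern only matches OpenSSH's "Failed password" format; proftpd writes its own log lines and needs a separate pattern.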
Posted: 19 Jan 2007, 16:27
by bjorn
Hi Lelle,
in addition to what Tor said I would recommend changing the port of sshd and possibly also the proftpd to a non-standard port.
Most automatic bots out there try only at default ports.
If you look in your /etc/ssh/sshd_config you will find a "Port" directive; change that to something else, like 222 instead of 22.
(and of course you need to specify the new port from wherever you're accessing the server and update your firewall rules)
The same goes for proftpd, change the "port" directive in /etc/proftpd.conf.
Make sure to restart services after you change settings to make them effective, by invoking "/etc/init.d/ssh restart" and "/etc/init.d/proftpd restart".
/Bjorn
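Before restarting sshd it is worth confirming which value it will actually pick up, because sshd uses the first value it finds for a keyword and ignores any later ones: a second "Port 222" pasted below an existing "Port 22" changes nothing. The script below is an added example, not part of the thread or of OpenSSH; it reads the three settings mentioned in this thread (Port, LoginGraceTime, MaxStartups) out of a constructed sshd_config the way sshd resolves them, falling back to a caller-supplied default when a keyword is absent.

```shell
#!/bin/sh
# Added example (not from the thread): report the value sshd will use for a
# keyword, applying sshd's first-value-wins rule and skipping comment lines.
# The sshd_config below is CONSTRUCTED for the example.

SSHD_CONF=$(mktemp)
trap 'rm -f "$SSHD_CONF"' EXIT
cat > "$SSHD_CONF" <<'EOF'
# constructed sshd_config
#Port 22
Port 222
LoginGraceTime 30
# Port 2222   <- commented out, must be ignored
Port 2222
MaxStartups 5
EOF

# effective_setting FILE KEYWORD DEFAULT
# Prints the first uncommented value for KEYWORD (keywords are case-insensitive
# in sshd_config), or DEFAULT when the file never sets it. Handles the
# whitespace-separated "Keyword value" form only.
effective_setting() {
    file="$1"; key="$2"; default="$3"
    value=$(awk -v k="$key" '
        /^[ \t]*#/ { next }                            # skip comment lines
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    ' "$file")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# report FILE: one line per setting. The defaults passed here are placeholders;
# take the real compiled-in defaults from `man sshd_config` for your version.
report() {
    printf 'Port=%s\n'           "$(effective_setting "$1" Port 22)"
    printf 'LoginGraceTime=%s\n' "$(effective_setting "$1" LoginGraceTime 120)"
    printf 'MaxStartups=%s\n'    "$(effective_setting "$1" MaxStartups 10)"
}

report "$SSHD_CONF"
```

Run against the constructed file it reports Port=222, not 2222, which is the trap the first-value rule sets for anyone who appends rather than edits. This reader ignores Match blocks, so values set inside one are not conditional here; after editing the real file, `sshd -t` checks the syntax before the restart Bjorn describes.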
Posted: 19 Jan 2007, 18:44
by lelle
Hi Tor and Bjorn,
Thanks for your help!
Posted: 23 Jan 2007, 20:27
by lelle
Changing the ports for ssh/ftp to non-standard numbers & restarting the daemons looks like a very easy way to bring this kind of logon to a grinding halt.
Did this a couple of days ago, and now my /var/log/auth.log shows no suspicious activities!
Thanks again for your suggestions, tor and bjorn

Posted: 25 Jan 2007, 13:35
by Jin
Hi,
the tool you are looking for is called DenyHosts:
http://denyhosts.sourceforge.net/
Greetings,
Jin
Posted: 25 Jan 2007, 15:11
by lelle
Hi Jin,
Thanks, I'll have a look at it, but it seems that simply changing the ports did the trick.
Posted: 29 Apr 2007, 03:12
by dsp76
Hi Jin,
did you try to run this on your bubba? How is the performance? I run it on a virtual host. It might be a bit too heavy?
Regarding the idea of non-standard ports: you might also just change the port forwarding in your router, so externally it listens on port 222 and forwards it to 22. This is easier to set up, but of course a bit strange, as the bubba is reachable differently internally and externally.
dsp
Posted: 02 Sep 2007, 17:48
by mountaindude
I noted the following link the other day:
http://www.itwire.com/content/view/13841/53/
Haven't tried it on the Bubba yet, so no guarantees given.
/MD