# Skrypt Kiddies are after me

## Shan

Not to be sensational but for the past few days I've been getting a multitude of lines in my /var/log/messages log such as:

 *Quote:*   

> Mar 24 22:16:56 nexus Unauthorized AccessIN=eth0 OUT= MAC=00:05:5d:ce:82:03:00:50:57:01:2e:69:08:00 SRC=58.120.227.155 DST=REMOVED_BY_SHAN_PRIOR_TO_POSTING LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=7212 WINDOW=16384 RES=0x00 SYN URGP=0
> 
> Mar 24 22:19:46 nexus Unauthorized AccessIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:57:01:2e:69:08:00 SRC=69.171.208.1 DST=255.255.255.255 LEN=328 TOS=0x06 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308


I wasn't terribly concerned since I *think* my iptables ruleset (see below) has me reasonably secure; however I noticed that I've started getting ssh login failures as well:

 *Quote:*   

> Mar 24 22:14:30 nexus sshd[6357]: Invalid user mickey from 61.130.101.46
> 
> Mar 24 22:14:37 nexus sshd[6367]: Invalid user admin from 61.130.101.46
> 
> Mar 24 22:14:43 nexus sshd[6377]: Invalid user admin from 61.130.101.46
> ...


Once I noticed these I started getting a bit more worried.  I'm fortunate in that the box they're attempting to break into is just a gateway / file server so there is only one "real" user besides root; however I know that there are flaws in my setup.  For the time being I've set my ListenAddress to my local network in my sshd_config but I'm not sure what else I should do.  The problem being that I need to balance security with usefulness.  While there are no outside services available to the internet from this box, I can't just add a global block to all incoming connections because there are several other users on my network who like to do things like host games, file transfer to friends, and the like.  Activities that are random and unplannable, as it were.

Ideally I'd like to do a few things; but I'm not sure how (or if) they're possible.  For starters, I'm the *only* one who ever sshes into this boxen, and it's only from INSIDE the network.  I *think* my above config change has essentially secured ssh from outside attacks, provided my iptables does its job; however I would like (if possible) some way to ensure that these brute force attacks get noticed, and action is taken immediately.  Is there some way to tell SSH that if a user fails a password more than once (e.g. 2 tries) they get blacklisted for an amount of time?  I've already got "MaxAuthTries 1" but all that does is stop them from spamming passwords, it doesn't stop them from re-initiating a login attempt.

Secondly; I know quite a few IP ranges that I could block in my iptables setup that would eliminate quite a few of these script kiddies, however I'm not sure how to go about adding /ranges/ to block; if it's even possible.  An example range would be like "208.169.96.0 - 208.173.191.255".

Lastly, is there anything else I should be doing with my iptables setup; or doing differently?

 *Shan's iptables script wrote:*   

> ###################
> 
> ##INITIAL STARTUP##
> 
> ###################
> ...


EDIT:  I've changed my iptables script slightly, and hopefully stopped any possibility of any outsider trying to login via ssh by only allowing ssh connections from the internal ethernet card....I think.
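For the range question above, an added example (not from this thread or anyone's script in it): Python that splits an inclusive range such as 208.169.96.0 - 208.173.191.255 into the CIDR blocks that `-s` accepts, and also emits the single-rule form using netfilter's iprange match. The INPUT chain and DROP target are assumed defaults.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip())
    if end < start:
        raise ValueError("range end precedes range start")
    # summarize_address_range yields the aligned blocks in address order;
    # a range that is not itself aligned needs several of them
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def rules_for_range(spec, chain="INPUT", target="DROP"):
    """Return (per-CIDR rules, single iprange rule) for an 'a.b.c.d - w.x.y.z' string.

    Chain and target are assumed defaults, not values from the thread.
    """
    first, last = (part.strip() for part in spec.split("-"))
    cidr_rules = [f"iptables -A {chain} -s {cidr} -j {target}"
                  for cidr in range_to_cidrs(first, last)]
    # the iprange match does the same job in one rule, without CIDR arithmetic
    iprange_rule = f"iptables -A {chain} -m iprange --src-range {first}-{last} -j {target}"
    return cidr_rules, iprange_rule


if __name__ == "__main__":
    cidr_rules, iprange_rule = rules_for_range("208.169.96.0 - 208.173.191.255")
    print("\n".join(cidr_rules))
    print(iprange_rule)
```

The example range is not a single CIDR block; it takes six `-s` rules, which is why the iprange form is the more convenient one for ranges copied from a whois listing.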

----------

## Shan

I found this in Blinkeye's signature while reading this thread (which I'd started to read before posting my own in hopes of gathering some more up to date suggestions) and it looks like it'll be a good start for what I need but I'm increasingly paranoid now >.>

----------

## GenKreton

This seems to me to be a bit overly paranoid. The ssh attacks are automated and everyone running a server on port 22 sees them. Your best bet is to not mess with them. Lock your ssh with keys if you can, make sure you don't have any stupid users with shells like "test" and emerge fail2ban. Fail2ban is your best friend for stopping those attacks automagically by banning them after a certain number of failures, for only a designated amount of time; it's great.

----------

## minskpower

 *GenKreton wrote:*   

> This seems to me to be a bit overly paranoid. The ssh attacks are automated and everyone running a server on port 22 sees them. Your best bet is to not mess with them. Lock your ssh with keys if you can, make sure you don't have any stupid users with shells like "test" and emerge fail2ban. Fail2ban is your best friend for stopping those attacks automagically by banning them after a certain number of failures, for only a designated amount of time; it's great.


He is right, stop worrying about this and change the sshd listen port to something above 1024.

I don't have any entries in the log since I did that. If you disable root login, change the port and have a strong password for your user, you can almost forget about this issue.

----------

## krolden

Why not use pub key?

----------

## F.Ultra

 *Quote:*   

> I've changed my iptables script slightly, and hopefully stopped any possibility of any outsider trying to login via ssh by only allowing ssh connections from the internal ethernet card....I think

Yes you did, and boy was I puzzled by why you were seeing unauthorized ssh login attempts from the outside when I saw that this was blocked in your netfilter script, at least until I read your edit line that you did this very change   :Very Happy: 

----------

## Shan

Thanks to Blinkeye's aforementioned script, and the changes I made to my sshd_config file, the login attempts seem to have subsided (understandable, their attack is interrupted at the start XD) however changing my SSHD port or using pub keys isn't a solution to the problem; or at least, not as good of a solution as I'd like.  I'm still seeing a lot of the "UNAUTHORIZED ACCESS" lines in my messages file, however they've changed slightly, and I'm not sure if it's because the Skrypt Kiddies have advanced or because of my tightening my iptables a bit and giving me false positives.

 *Quote:*   

> Mar 26 09:10:01 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18393 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
> 
> Mar 26 09:10:04 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18395 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
> 
> Mar 26 09:10:10 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18397 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0


Notice, if you will, that this is claiming to be coming from localhost TO localhost but I don't know of anything on this machine that would be doing something to trigger my own iptables ruleset; unless it's when sendmail kicks on to (try) and send me an email whenever I get a failed SSH login / block attack.

----------

## minskpower

I can understand why public keys are not so good, sometimes you can't carry them everywhere.

But please explain why changing ports is restricted. If you really worry about ssh bots or you don't want to have large ssh log files, changing the port is absolutely the best solution.

----------

## GenKreton

Along the same lines, if you cannot change ports, then you could try what they call "port knocking." There are a lot of scripts out there that handle it by now. If you try to access certain ports in a set sequence it will then only open port 22.

----------

## F.Ultra

 *Quote:*   

> unless it's when sendmail kicks on to (try) and send me an email whenever I get a failed SSH login / block attack.

 Since the destination port is 25 I would say that it is sendmail that is trying to send mails, yes.

----------

## F.Ultra

 *Quote:*   

> I'm still seeing a lot of the "UNAUTHORIZED ACCESS" lines in my messages file

 This is because every ssh attempt is now blocked by iptables/netfilter and since you have configured iptables/netfilter to issue such a log line for each and every drop then this is no mystery  :Wink: 

And I really think that UNAUTHORIZED ACCESS is the wrong word to use here since what you are logging is attempts that failed because the attempt was filtered by netfilter.

----------

## Shan

 *F.Ultra wrote:*   

>  *Quote:*   I'm still seeing a lot of the "UNAUTHORIZED ACCESS" lines in my messages file
> 
> This is because every ssh attempt is now blocked by iptables/netfilter and since you have configured iptables/netfilter to issue such a log line for each and every drop then this is no mystery 


.......I should have recognized that.  Really, I should have.  I mean I'm no expert at iptables rulesets, and indeed my own listed script is just a hack at a dozen different ones I've seen posted but why I didn't recognize the fact that this is the case is beyond me.  Must be I need more alone time with the clue-hammer.

On the downside, now that I've thought of things a bit more, by blocking SSH connections from outside my local network via iptables, the blacklisting script will never see action.  I'm wondering if it would be..."better" to remove the pertinent lines in my iptables script blocking external connections, and instead let the blacklisting script handle blocking the attacks.

Ideally I think it would be best to keep the iptables script as is, and modify the blacklist script to handle the different source of information (that is, the messages iptables is spitting out); but I'm clueless as to how to begin; Python isn't my forte to say the least.
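An added example (not Blinkeye's script, nor anything posted in this thread) of the parsing described in the post above: it reads both the sshd "Invalid user" lines and the netfilter log lines quoted earlier, skips the loopback (sendmail to port 25) and DHCP broadcast entries that the thread identifies as noise, counts attempts per public source address, and returns DROP rules for sources over a threshold. The sample lines are constructed from the formats quoted in the thread (the DST value is a made-up LAN address); the threshold of 2 and the rule form are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the log formats quoted in this thread
# ("Unauthorized Access" is the prefix Shan's ruleset logs with).
SAMPLE_LOG = """\
Mar 24 22:14:30 nexus sshd[6357]: Invalid user mickey from 61.130.101.46
Mar 24 22:14:37 nexus sshd[6367]: Invalid user admin from 61.130.101.46
Mar 24 22:14:43 nexus sshd[6377]: Invalid user admin from 61.130.101.46
Mar 24 22:16:56 nexus Unauthorized AccessIN=eth0 OUT= MAC=00:05:5d:ce:82:03:00:50:57:01:2e:69:08:00 SRC=58.120.227.155 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 24 22:17:01 nexus Unauthorized AccessIN=eth0 OUT= MAC=00:05:5d:ce:82:03:00:50:57:01:2e:69:08:00 SRC=58.120.227.155 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=257 PROTO=TCP SPT=6001 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 24 22:19:46 nexus Unauthorized AccessIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:57:01:2e:69:08:00 SRC=69.171.208.1 DST=255.255.255.255 LEN=328 TOS=0x06 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 26 09:10:01 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18393 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)")
# the log prefix is written with no space before IN=, hence \s*
NETFILTER_RE = re.compile(
    r"Unauthorized Access\s*IN=(?P<iface>\S*) .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_event(line):
    """Source address of a failed or filtered ssh attempt, or None for noise."""
    m = SSHD_RE.search(line)
    if m:
        return m.group("src")
    m = NETFILTER_RE.search(line)
    if not m:
        return None
    if m.group("iface") == "lo":
        return None  # local traffic, e.g. sendmail to port 25 (the thread's false positive)
    if m.group("proto") != "TCP" or m.group("dpt") != "22":
        return None  # only filtered ssh SYNs count; DHCP broadcasts and other drops are noise
    return m.group("src")


def offenders(log_text, threshold=2):
    """Map source address -> attempt count for public sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        src = parse_event(line)
        # never ban loopback, LAN or broadcast addresses, whatever the log says
        if src and ipaddress.ip_address(src).is_global:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def ban_rules(log_text, threshold=2):
    """One DROP rule per offender; the rule form is an assumption, not from the thread."""
    return [f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP"
            for src in sorted(offenders(log_text, threshold))]
```

Run against the sample, `ban_rules(SAMPLE_LOG)` yields rules for 61.130.101.46 (three sshd failures) and 58.120.227.155 (two filtered SYNs to port 22) and nothing for the DHCP or loopback lines.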

----------

## Utoxin

ssh attacks are dirt common, as already stated. Don't know about the other utility mentioned, but I use denyhosts on my servers, and it's been incredible. I recommend checking it out.

----------

## F.Ultra

 *Quote:*   

> Ideally I think it would be best to keep the iptables script as is, and modify the blacklist script to handle the different source of information (that is, the messages iptables is spitting out); but I'm clueless as to how to begin; Python isn't my forte to say the least.

 While not knowing how to do this myself either, I would agree that this is by far the better approach and I am actually stunned that the blacklist script doesn't already do it like this per default  :Shocked: 

----------

## Mad Merlin

My suggestion is to make them guess the user and the password, rather than just the password.

in /etc/ssh/sshd_config:

```
PermitRootLogin no
AllowUsers <username>
```

----------

## muhsinzubeir

I'm browsing my auth.log, and I see invalid users... does this mean that my box was compromised? Here is a sample of the log:

 *Quote:*   

> Jun  6 07:34:03 gendesktop sshd[29951]: Invalid user zzz from 200.7.198.162
> 
> Jun  6 07:34:06 gendesktop sshd[29955]: Invalid user frank from 200.7.198.162
> 
> Jun  6 07:34:09 gendesktop sshd[29959]: Invalid user dan from 200.7.198.162
> ...


----------

## nixnut

merged above post here

----------

## vaguy02

muhsinzubeir,

No, that's perfectly normal when running an SSH server on port 22. They have a script trying every combo of username possible. Just use fail2ban, it's in Portage. 

Robert

----------

## muhsinzubeir

thanks Robert....I've tried that fail2ban, sounds like a pretty cool idea....

----------

## vaguy02

The great thing about fail2ban is that it's not only ssh, but you can use it on just about anything that logs if you play with it. So, you can use it for protecting email servers or web server or just about anything really.

Robert

----------

## muhsinzubeir

If I got it right, this fail2ban can send email notifications. So I added the mail part in fail2ban.conf....how do I test if this notification setup is working?

P:S

Dumb question but all I can think of is banning an IP address by trying   :Smile: 

----------

## vaguy02

I would suggest going to a friend's house or asking a friend online to hit your firewall. Banning your own IP could cause problems if it doesn't release after the time period you specify. (I've had that happen a few times)  :Rolling Eyes: 

----------

## Anarcho

 *Shan wrote:*   

> Thanks to Blinkeye's aforementioned script, and the changes I made to my sshd_config file, the login attempts seem to have subsided (understandable, their attack is interrupted at the start XD) however changing my SSHD port or using pub keys isn't a solution to the problem; or at least, not as good of a solution as I'd like.  I'm still seeing a lot of the "UNAUTHORIZED ACCESS" lines in my messages file, however they've changed slightly, and I'm not sure if it's because the Skrypt Kiddies have advanced or because of my tightening my iptables a bit and giving me false positives.
> 
>  *Quote:*   
> 
> Mar 26 09:10:01 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18393 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
> 
> Mar 26 09:10:04 nexus Unauthorized AccessIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18395 DF PROTO=TCP SPT=4581 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
> ...


These are connections from just localhost to localhost. That's because you didn't allow the lo device for anything.

You should add lines like the following to your iptables script or otherwise some things might not work as expected:

```
# loopback traffic never leaves the box; accept it on every chain it can traverse
$IPTABLES -A FORWARD -i lo -j ACCEPT
# packets arriving on lo (INPUT and FORWARD match the incoming interface with -i)
$IPTABLES -A INPUT -i lo -j ACCEPT
# packets leaving via lo: OUTPUT has no incoming interface, so it matches with -o, not -i
$IPTABLES -A OUTPUT -o lo -j ACCEPT
```

----------

## blueflame

Just reconfigure your SSH server to use a different, but easily remembered for you, port number. That's what I did   :Very Happy: 

----------

## eccerr0r

And again I will warn there are sometimes sites that you happen to be at that disallow arbitrary ports to be opened through their firewall, so some people like me, have to just sit there and let the attacks happen and pray your users don't have crappy passwords.

(One place I go to often, I can't open a ssh session from any port but 22, all other ports except possibly 80 and 443 are blocked by a rule on the firewall.  Because of the port restrictions, can't port knock either.)

----------

## muhsinzubeir

```
cat /var/log/apache2/access_log | grep 85.190.0.3
```

 *Quote:*   

> 85.190.0.3 - - [16/Jul/2008:12:00:23 +0200] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 298
> 
> 85.190.0.3 - - [16/Jul/2008:12:00:23 +0200] "POST http://213.92.8.7:31204/ HTTP/1.0" 200 2697
> 
> 85.190.0.3 - - [18/Jul/2008:14:32:01 +0200] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 298
> ...


Tried googling but can't get a clue what that CONNECT/POST means. Is it anything violating security? Kind of a noob on servers; I just have a home page that I'm hosting while learning a few things and experimenting on my site..

Normal accessing of the server leaves me with a log of this kind:

 *Quote:*   

> 192.168.1.1 - - [18/Jul/2008:13:26:44 +0200] "GET /images/background_content.gif HTTP/1.1" 304 -
> 
> 192.168.1.1 - - [18/Jul/2008:13:26:44 +0200] "GET /images/background_bottom.gif HTTP/1.1" 304 -
> 


thanks

----------

## NeddySeagoon

muhsinzubeir,

GET fetches things from a website

POST attempts to put things there. Hopefully it fails

----------

## muhsinzubeir

thanks NeddySeagoon...people try to be smart, eh, so they tried to post/upload stuff on my server  :Smile: 

----------

## muhsinzubeir

I'm still a noob in iptables, but I think I've solved that guy with this:

Problem:

```
85.190.0.3 - - [05/Aug/2008:12:05:53 +0200] "CONNECT 213.92.8.7:31204 HTTP/1.0" 200 6622

85.190.0.3 - - [05/Aug/2008:12:05:53 +0200] "POST http://213.92.8.7:31204/ HTTP/1.0" 200 6622
```

Solution:

```
iptables -A INPUT -s 85.190.0.3 -j DROP
```

Checking with iptables -L:

```
DROP       all  --  proxyscan.freenode.net  anywhere 
```

P:S

I'll learn iptables later on, but I think I can have some peace from that buddy for now.... what do you think? :Wink: 

----------

## eccerr0r

Ack..wait a minute... 85.190.0.3 is proxyscan.freenode.net - the proxy sniffer for the IRC network FreeNode.

Yes, the IRC network freenode (which hosts #gentoo) that you're connecting to is just checking whether or not your machine is compromised.  I think these connects are benign, they're not script kiddies, they just don't want people using someone else's machine to connect to their IRC network.  They do this by sending http commands previously known to be indicative of a compromised/bouncer box, and they do this every time you connect to the IRC network.

It's OK to block them, but it does not make sense to block just them - if you want to block, block for everyone.  Which means no HTTP access for anyone...

----------

## muhsinzubeir

aah...anyway they still leave something in my logfile despite the above iptables rule:

I also tried this:

```
iptables -A INPUT -s 85.190.0.3 -p tcp --destination-port 80 -j DROP
```

 :Embarassed:   :Embarassed:  so I still can't block them...looks like I have to learn iptables anyway  :Embarassed: 

P:S

I think it sucks that they are playing with my server...

Edit

Later on I found out that the order of the rules does influence iptables; this is the reason why the above 2 posts didn't work.

----------

## NeddySeagoon

muhsinzubeir,

freenode are not playing with your server.  Read the conditions of use next time you log into freenode.

They openly declare that they run a proxy scanner. As long as they can't detect that you are running an open proxy, your connection to freenode will be permitted.

Many other organisations (like your ISP) also scan you for various things but are not as open about it as freenode.
