# ssh crackers beating hosts.deny?

## Havin_it

Hi,

Just came home and saw my WAN-facing SSH server being very active. Logging in, I discovered a slew of auth log entries like the following (this is from the rogue host's first appearance):

```
Nov 25 22:34:01 brazil sshd[30028]: Did not receive identification string from 195.3.193.87
Nov 25 22:37:49 brazil sshd[30029]: Address 195.3.193.87 maps to server-karree.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 22:37:49 brazil sshd[30029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.3.193.87  user=root
Nov 25 22:37:51 brazil sshd[30029]: Failed password for root from 195.3.193.87 port 45913 ssh2
Nov 25 22:37:52 brazil sshd[30031]: Address 195.3.193.87 maps to server-karree.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 22:37:52 brazil sshd[30031]: Invalid user db2rsync from 195.3.193.87
Nov 25 22:37:52 brazil sshd[30031]: pam_unix(sshd:auth): check pass; user unknown
Nov 25 22:37:52 brazil sshd[30031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.3.193.87
Nov 25 22:37:54 brazil sshd[30031]: Failed password for invalid user db2rsync from 195.3.193.87 port 46530 ssh2
Nov 25 22:37:54 brazil sshd[30033]: Address 195.3.193.87 maps to server-karree.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
```

...and so forth, for a good 40 minutes before I decided to block it at the firewall.

Problem is: I run denyhosts, and it had done its job and added "sshd: 195.3.193.87" to the end of my hosts.deny file after the third failure.  But still the attempts continued!

Once that IP is in hosts.deny, it should be refused even attempting to login -- shouldn't it?

----------

## steveb

I think hosts.deny only works with PAM-enabled systems or systems using tcpwrappers. A more stable approach than using hosts.deny would be to use something like fail2ban and block the access with netfilter.

// SteveB

----------

## Cyker

Confirmed; you need the tcpd flag and the tcpwrappers stuff to be able to use hosts.deny.

It'd probably be easier to modify your setup to block at the firewall, though.

----------

## ScOut3R

I'd suggest port knocking. It's useful for me to "hide" the ssh daemon.

----------

## SweepingOar

Why not just use pubkey only and turn off all unix password and interactive/pam logins? Where is the auth log on Gentoo anyway? My sshd lines just show up in messages mixed in with everything else. On my BSD box there's a separate log file just for auth (probably called auth.log).

I used this guide to set up pubkey ssh logins on my machine, but this is just one of many guides on doing this:

http://blog.unixlore.net/2006/04/five-minutes-to-more-secure-ssh.html

----------

## ScOut3R

You can fine-tune syslog-ng to use separate log files, or you can use the hardened profile, where it is the default. But be aware that pubkey auth is not the ultimate solution, because the ssh daemon is still visible to the outside; that's why I prefer port knocking.

----------

## bunder

*SweepingOar wrote:*

> Where is the auth log on Gentoo anyway? My sshd lines just show up in messages mixed in with everything else. On my BSD box there's a separate log file just for auth (probably called auth.log).

I use sysklogd and they're in /var/log/auth.log

----------

## Havin_it

As to where the output is taken from: I use syslog-ng, and the output is written both to /var/log/messages and /var/log/auth.log, the latter of which is read by denyhosts.

I know that it works, because I locked myself out a couple of times when I set it up.

Once an IP is added to hosts.deny, it gets "connection refused" (no password prompt, no check for host-key) unless/until I remove that IP again from the file (which I had to do for my own client machine's IP).  Each IP gets 4 strikes for valid usernames, 4 strikes for invalid usernames, 2 for root (yes, root login is permitted, that's why I am using denyhosts!).

In this case, the evil IP was added to hosts.deny after 1 failed password for root and 7 failed passwords for invalid users (according to comparing the timestamps of the relevant lines). After this happened, the pattern of repeated login-attempts continued for nearly an hour.  The output does (AFAIK) indicate that these attempts were still being given a password prompt, when they should have been "connection refused" after the ban took effect. Is this analysis correct?

(BTW, after I closed the WAN ssh port for an hour or so the evil host had given up, and I haven't seen it again since. Other bad guys have not been so persistent, but some still seem to be getting more attempts than my denyhosts.conf should be allowing them.)
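
An added example, not from the thread, that does the timestamp comparison described above in code: it replays auth-log lines through DenyHosts-style strike counting (thresholds as Havin_it stated them: 4 valid, 4 invalid, 2 root) and flags any password failure sshd still processed after the IP should already have been in hosts.deny. The sample log is constructed in the thread's format; the second IP 192.0.2.10 and the later PIDs and times are made up.

```python
import re
from collections import defaultdict

# Strike limits as the poster describes their denyhosts.conf:
# 4 for valid users, 4 for invalid users, 2 for root.
THRESHOLDS = {"valid": 4, "invalid": 4, "root": 2}

# Simplification: only "Failed password" lines count as strikes here (DenyHosts matches more).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<inv>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def audit(log_text, thresholds=THRESHOLDS):
    """Return (banned_at, leaks): banned_at maps ip -> timestamp of the strike
    that should have put it into hosts.deny; leaks lists (ts, ip, user) for
    failures sshd still processed after that, i.e. the deny is not enforced."""
    strikes = defaultdict(lambda: defaultdict(int))
    banned_at, leaks = {}, []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if ip in banned_at:  # a denied host should get "connection refused", not a prompt
            leaks.append((m["ts"], ip, user))
            continue
        kind = "root" if user == "root" else ("invalid" if m["inv"] else "valid")
        strikes[ip][kind] += 1
        if strikes[ip][kind] >= thresholds[kind]:
            banned_at[ip] = m["ts"]
    return banned_at, leaks

# Constructed sample in the thread's log format: the first two lines are from
# the post; later PIDs, times and the second IP (192.0.2.10) are made up.
SAMPLE_LOG = """\
Nov 25 22:37:51 brazil sshd[30029]: Failed password for root from 195.3.193.87 port 45913 ssh2
Nov 25 22:37:54 brazil sshd[30031]: Failed password for invalid user db2rsync from 195.3.193.87 port 46530 ssh2
Nov 25 22:37:58 brazil sshd[30033]: Failed password for root from 195.3.193.87 port 46601 ssh2
Nov 25 22:38:02 brazil sshd[30035]: Failed password for invalid user guest from 195.3.193.87 port 46688 ssh2
Nov 25 22:38:05 brazil sshd[30037]: Failed password for root from 195.3.193.87 port 46702 ssh2
Nov 25 22:40:10 brazil sshd[30040]: Failed password for invalid user guest from 192.0.2.10 port 51000 ssh2
"""

if __name__ == "__main__":
    banned, leaks = audit(SAMPLE_LOG)
    print("should be in hosts.deny:", banned)
    print("still got a password prompt after the ban:", leaks)
```

Any entry in the second list is the same evidence the poster read from the timestamps: sshd is still running authentication for a host that hosts.deny should have refused at connect time.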

----------

## RiverRat

*Havin_it wrote:*

> I know that it works, because I locked myself out a couple of times when I set it up

This doesn't always seem to be the case. See here for references:

https://forums.gentoo.org/viewtopic-p-5099314.html

https://bugs.gentoo.org/show_bug.cgi?id=222777

----------

## RiverRat

The solution is here:  https://forums.gentoo.org/viewtopic-p-4146699.html#4146699

----------

## Havin_it

Thanks RiverRat, I thought I was the only one suffering this until now!

I have one question: the server is behind a router/modem so its private IP is 192.168.x.x, is this all I need to put for ListenAddress? The WAN address is dynamic - does this mean I will be unable to connect from outside?

----------

## M

You should then set port forwarding on your router, and make sshd listen on the local 192.168.x.x address. I was using denyhosts before, but all I do now is set the port on which ssh listens to something bigger than 1024 and use pubkey auth. Quite simple, no more attacks...

----------

## darkphader

*Havin_it wrote:*

> I have one question: the server is behind a router/modem so its private IP is 192.168.x.x, is this all I need to put for ListenAddress? The WAN address is dynamic - does this mean I will be unable to connect from outside?

By default it will listen on all addresses, if you only have the one then there's nothing to do. If you had multiple interfaces or secondary IP addresses and wanted to restrict the listening to particular ones then you would want to use/modify this entry.

As M mentioned, you would need to forward the proper port on your router, but since your address is dynamic you will most likely need to use a DDNS service for access from the outside (or have some way of knowing the outside IP address). Of course you will also want to make sure that your inside IP address remains constant, or your forwarded port won't get to your system. The DHCP service in some home routers cannot reserve IP addresses, and therefore you may not always get the same one if you rely on it.

Some don't like to change the SSH default port, but I'm in agreement with M on this. After moving to a higher port number I've seen absolutely zero bot attacks. I think they figure if you've done that you are already wise and they would be wasting their time to test every port (they are, after all, looking for an easy mark). And use pubkey - no passwords, plus an "AllowUsers username" line (man sshd_config) and "UsePAM no" (or configure PAM properly - I don't have any PAM skills), and any attempt to connect without a proper username will not even get a password prompt (and a connection would require the user's private key). No need for tcpwrappers/hosts.deny/etc.

Chris
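
To check a server against the advice in this post, here is an added example (not from the thread or from OpenSSH) that parses sshd_config with sshd's own reading rules (keywords are case-insensitive, the first value of a keyword wins, lines in a Match block are conditional) and reports settings that leave a password prompt reachable. The sample files, the username havin_it and port 2222 are constructed; absent keywords are judged by stock OpenSSH defaults, which a distribution's shipped file may override.

```python
import re

LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Global settings as {keyword_lower: value}. Mirrors sshd: keywords are
    case-insensitive, the FIRST value wins, a Match block ends the global part."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Findings that leave a password prompt reachable. Absent keywords are
    judged by stock OpenSSH defaults (assumption: distro files may differ)."""
    cfg = parse_sshd_config(text)
    val = lambda key, default: cfg.get(key, default).lower()
    findings = []
    if val("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: use pubkey only")
    if val("challengeresponseauthentication", "yes") == "yes":
        findings.append("ChallengeResponseAuthentication yes: interactive prompt reachable")
    if val("usepam", "no") == "yes":
        findings.append("UsePAM yes: PAM can hand out password prompts itself")
    if val("permitrootlogin", "") == "yes":
        findings.append("PermitRootLogin yes: root is a known-valid username")
    if "allowusers" not in cfg:
        findings.append("no AllowUsers: every username reaches authentication")
    if val("port", "22") == "22":
        findings.append("Port 22: the default port draws every scanner")
    return findings

# Constructed samples: a default-looking file, and the thread's advice applied
# (the late PasswordAuthentication yes must not undo the earlier no).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n"
HARDENED = """\
Port=2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AllowUsers havin_it
PasswordAuthentication yes
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real file; an empty list means the settings this post recommends are in place.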

----------

## Havin_it

I do also have pubkeys set up for connecting from my laptop, but I also need to keep password auth for times when I'm at another computer.  Also, I used to use a random high port, but found that it was blocked by some of the public APs I used. PAM is something I might try looking at, though.

I already have the WAN port forwarded to the server. What I was really asking was do I need to have the (current) WAN IP listed in the config file for sshd to accept connections from the WAN?

```
ListenAddress 192.168.x.x
```

...do I also need...

```
ListenAddress my.routers.internet.address
```

?

----------

## darkphader

*Havin_it wrote:*

> I already have the WAN port forwarded to the server. What I was really asking was do I need to have the (current) WAN IP listed in the config file for sshd to accept connections from the WAN?
>
> ListenAddress 192.168.x.x
>
> ...do I also need...
> ...

No. That won't do you any good as it can't bind to that address - it's not on your system.

Chris

----------

## darkphader

*Havin_it wrote:*

> I do also have pubkeys set up for connecting from my laptop, but I also need to keep password auth for times when I'm at another computer.

Those are the times you need your private key on a flash drive or other portable media.

Chris

----------

## eccerr0r

*darkphader wrote:*

> Some can't like to change the SSH default port

Fixed.

Depending on your remote location you do not always have the liberty of using ssh on any port.  Some firewalls deny outgoing ports on all but well-known ports - if I changed my port on my home machine, I will have effectively locked myself out from my remote site.  I also cannot use port knocking, at least on arbitrary ports, for the same reason.

----------

