
About security

Discussion in 'Plesk for Linux - 8.x and Older' started by MaRiOs, Sep 19, 2005.

  1. MaRiOs

    MaRiOs Guest

    0
     
    This is not really about Plesk but...
    I think you may be interested.

    I am fed up with watching lines like this one:

    Sep 19 07:30:18 linux7 sshd(pam_unix)[13414]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=gsinternational.com
    Sep 19 07:30:21 linux7 sshd(pam_unix)[13420]: check pass; user unknown

    in my logs.

    Is there any way to lock someone out at the firewall by using the hostname?
    Because if I ping gsinternational.com I get an IP and I block it with the firewall module, but I think they use fake hostnames, so can I block the hostname?
     
  2. mian

    mian Guest

    0
     
    They can't really use fake hostnames, but if you want to keep trying to block them you will be pretty busy, as you get them from all different people every day. I just woke up and my morning log has these, and this is a daily occurrence everyone has to deal with.

    Failed logins from these:
    ftp/password from 124-110-60-69.serverpronto.com (69.60.110.124): 3 Time(s)
    lp/password from 124-110-60-69.serverpronto.com (69.60.110.124): 3 Time(s)
    root/password from 124-110-60-69.serverpronto.com (69.60.110.124): 36 Time(s)
    root/password from petrointrade-2.ip.PeterStar.net (82.140.81.26): 9 Time(s)

    The safest thing to do, if you don't offer SSH to your users, is to firewall it from everyone but yourself so you can get in. You should have PermitRootLogin no in the SSH server config anyway, so all the root attempts are useless, as even if they somehow get the password it won't let them in. And make sure you can't get into the other common accounts they try (lp, mail, ftp, postmaster, named, operator, halt, shutdown, sync, uucp, gopher, daemon, games, adm, news are a few off hand). You could disable password logins entirely so only public/private key authentication is allowed too. Obviously firewalling everyone is the best method if you don't offer SSH.
     
  3. MaRiOs

    MaRiOs Guest

    0
     
    I have followed your last step; I did a script for automatic key creation, so I will disable password login, but I just want to know if I can block these people.

    They are not attacking only on SSH but on FTP etc. too.
     
  4. mian

    mian Guest

    0
     
  5. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Marios, I believe the short answer to your question is that there is no way to block based on just the hostname; firewalls deal with IP addresses.

    For an automated setup, check into installing both APF and BFD; with some minor configuration they can and will block repeated failed attempts automatically.

    DO NOT do your initial tests on a live production server. Until you are familiar enough with these, you should be doing it on a TEST SERVER. If this is not possible, then I advise much CAUTION since initially they may block too much until you get them configured properly.

    They work well with Plesk servers; I believe there is at least one post in the forums which details how to get it set up.

    You can do the search on freshmeat.net and elsewhere, but who knows if any given package may be Plesk friendly or not. At least APF and BFD can be used on Plesk servers and work well together as an automated solution.
     
  6. MaRiOs

    MaRiOs Guest

    0
     
    thank you people i will do a research.
     
  7. rvdmeer

    rvdmeer Guest

    0
     
    I like simple solutions.
    My sshd daemon is constantly hammered by script kiddies using random dictionary attacks.
    One simple way to prevent most of it is changing the port sshd listens on, or using an unusual port mapping.
    I don't really like that, however. Don't ask me why; it probably has something to do with my bad memory. I keep forgetting those ports.

    Two other simple mechanisms which you could implement are:

    1) restricting allowed user accounts. Especially if you don't have a very common username like Jack or John:

    AllowUsers secretuser othersecretuser@192.168.3.*

    By adding the IP address you only allow login from that particular IP address for that particular user.

    2) restrict the number of tries for password guessing

    MaxStartups 10:30:60


    From the manpages:

    Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

    Read more at this blog entry at ap-lawrence:
    http://aplawrence.com/Blog/B1117.html
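The two posts above recommend a handful of sshd_config directives (PermitRootLogin no, key-only authentication, AllowUsers, MaxStartups). The script below is an added example written for this page, not code from the thread, from Plesk or from OpenSSH: it reads an sshd_config the way sshd does (first active occurrence of a keyword wins, commented lines are ignored) and reports which of those recommendations are missing. The two configs it audits are constructed samples standing in for /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example for this thread (not Plesk's or OpenSSH's code): audit an
# sshd_config for the directives recommended above (PermitRootLogin no,
# key-only authentication, AllowUsers, MaxStartups). The two configs below
# are constructed samples standing in for /etc/ssh/sshd_config.

WEAK_CONFIG='# constructed sample: defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxStartups 10:30:60'

HARDENED_CONFIG='# constructed sample: thread recommendations applied
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers secretuser othersecretuser@192.168.3.*
MaxStartups 10:30:60'

# write_config NAME -> writes the named sample (weak|hardened) to a temp file
# and prints its path
write_config() {
    f=$(mktemp) || return 1
    if [ "$1" = weak ]; then printf '%s\n' "$WEAK_CONFIG" > "$f"
    else printf '%s\n' "$HARDENED_CONFIG" > "$f"; fi
    echo "$f"
}

# sshd_get FILE KEYWORD -> value of the first active occurrence (sshd honours
# the first one it meets, keywords are case-insensitive); prints nothing when
# the keyword is absent or only present as a comment.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit FILE -> one line per finding on stdout; empty output means the
# file carries every recommendation from this thread.
sshd_audit() {
    file=$1
    v=$(sshd_get "$file" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin is '${v:-unset}'; want: no"
    v=$(sshd_get "$file" PasswordAuthentication)
    [ "$v" = no ] || echo "PasswordAuthentication is '${v:-unset (default yes)}'; want: no (key-only login)"
    [ -n "$(sshd_get "$file" AllowUsers)" ] || echo "AllowUsers unset; every local account (lp, mail, ftp, ...) may attempt to log in"
    [ -n "$(sshd_get "$file" MaxStartups)" ] || echo "MaxStartups unset; sshd default applies (10 per the man page quoted above)"
}

# finding_count FILE -> number of findings, printed as a plain number
finding_count() {
    sshd_audit "$1" | grep -c . || true
}

cfg=$(write_config weak)
echo "== weak sample: $(finding_count "$cfg") finding(s)"
sshd_audit "$cfg"
cfg=$(write_config hardened)
echo "== hardened sample: $(finding_count "$cfg") finding(s)"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; the weak sample yields four findings, the hardened one none. It only checks for the presence of the directives; whether the AllowUsers list and the key setup are right for your users is still a manual check, and sshd must be restarted for any change to take effect.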
     
  8. pdreissen

    pdreissen Guest

    0
     
    I agree with this. We are running APF and BFD, which works great and is blocking about 4 IP addresses every day. You will get an e-mail about every block, in case it is a false positive. However, we never had a false positive until today!

    Check out this thread for a great tutorial on how to secure your Plesk server and install APF and BFD.

    http://forum.plesk.com/showthread.php?s=&threadid=19876&highlight=howto+setup+new+plesk
     
  9. MaRiOs

    MaRiOs Guest

    0
     
    These are very interesting ideas I have to consider, especially the last one.
    thank you!
     
  10. pdreissen

    pdreissen Guest

    0
     
    APF also has a development mode, if you need to install it in a production environment. If you make a mistake, you wait for 5 minutes and everything returns to normal.

    Check it out, great stuff!
     
  11. MaRiOs

    MaRiOs Guest

    0
     
    @rvdmeer

    I added these 2 lines :

    MaxStartups 10:30:60
    LoginGraceTime 120

    in my /etc/ssh/ssh_config

    but I still see people hammering the server like this:

    Sep 28 04:35:33 linux7 sshd(pam_unix)[21059]:
    Sep 28 04:35:36 linux7 sshd(pam_unix)[21061]:
    Sep 28 04:35:36 linux7 sshd(pam_unix)[21061]:
    Sep 28 04:35:37 linux7 sshd(pam_unix)[21063]:
    Sep 28 04:35:37 linux7 sshd(pam_unix)[21063]:
    Sep 28 04:35:40 linux7 sshd(pam_unix)[21065]:

    more than 30 times in a row.

    The options I added should prevent that from happening... shouldn't they?
     
  12. MaRiOs

    MaRiOs Guest

    0
     
    Any ideas ?

    I don't understand; I put the options you said in the conf file of sshd and restarted the server,
    and still I see people hammering my server like this:

    Oct 13 19:35:19 linux7 sshd(pam_unix)[11393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: check pass; user unknown
    Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: check pass; user unknown
    Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:24 linux7 sshd(pam_unix)[11402]: check pass; user unknown
    Oct 13 19:35:24 linux7 sshd(pam_unix)[11402]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:24 linux7 sshd(pam_unix)[11404]: check pass; user unknown
    Oct 13 19:35:24 linux7 sshd(pam_unix)[11404]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:26 linux7 sshd(pam_unix)[11406]: check pass; user unknown
    Oct 13 19:35:26 linux7 sshd(pam_unix)[11406]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:27 linux7 sshd(pam_unix)[11408]: check pass; user unknown
    Oct 13 19:35:27 linux7 sshd(pam_unix)[11408]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:29 linux7 sshd(pam_unix)[11411]: check pass; user unknown
    Oct 13 19:35:29 linux7 sshd(pam_unix)[11411]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:29 linux7 sshd(pam_unix)[11413]: check pass; user unknown
    Oct 13 19:35:29 linux7 sshd(pam_unix)[11413]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:31 linux7 sshd(pam_unix)[11415]: check pass; user unknown
    Oct 13 19:35:31 linux7 sshd(pam_unix)[11415]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:32 linux7 sshd(pam_unix)[11417]: check pass; user unknown
    Oct 13 19:35:32 linux7 sshd(pam_unix)[11417]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:34 linux7 sshd(pam_unix)[11419]: check pass; user unknown
    Oct 13 19:35:34 linux7 sshd(pam_unix)[11419]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:34 linux7 sshd(pam_unix)[11421]: check pass; user unknown
    Oct 13 19:35:34 linux7 sshd(pam_unix)[11421]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=vps.starwinddesign.com
    Oct 13 19:35:36 linux7 sshd(pam_unix)[11423]: check pass; user unknown
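Two things explain why the log above looks unchanged. MaxStartups and LoginGraceTime are sshd_config directives, read by the server; /etc/ssh/ssh_config is the client's configuration and sshd never reads it. And even in the right file, MaxStartups caps the number of unauthenticated connections open at the same time, not the number of attempts from one source: the scanner in these lines opens one connection every second or two and each is closed as soon as the password fails, so it rarely has more than one or two open at once and never approaches a limit of 10. Blocking a source by its behaviour needs something that counts failures per host from the log, which is what BFD does for APF as suggested earlier in the thread. The script below is an added example of that counting step, written for this page and not taken from the thread, BFD or Plesk: it extracts the rhost= field from pam_unix "authentication failure" lines in the format quoted above, tallies failures per host, and lists hosts over a threshold. The log excerpt is constructed, with placeholder hostnames under .invalid and an address from the documentation range 192.0.2.0/24.

```shell
#!/bin/sh
# Added example for this thread (not Plesk's, BFD's or OpenSSH's code): count
# pam_unix "authentication failure" lines per remote host, in the format
# quoted in this thread, and list the hosts over a threshold. The log excerpt
# is constructed; hostnames are placeholders under .invalid.

SAMPLE_LOG='Oct 13 19:35:19 linux7 sshd(pam_unix)[11393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner-a.example.invalid
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: check pass; user unknown
Oct 13 19:35:21 linux7 sshd(pam_unix)[11395]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner-a.example.invalid
Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: check pass; user unknown
Oct 13 19:35:22 linux7 sshd(pam_unix)[11397]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner-a.example.invalid
Oct 13 19:36:02 linux7 sshd(pam_unix)[11450]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
Oct 13 19:36:40 linux7 sshd(pam_unix)[11462]: session opened for user secretuser by (uid=0)
Oct 13 19:37:05 linux7 sshd(pam_unix)[11470]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost='

# failures_per_host < LOG -> "count host" per line, highest count first.
# Only sshd pam_unix failure lines count; "check pass" and session lines,
# and failures whose rhost= field is empty, are ignored.
failures_per_host() {
    awk '/sshd\(pam_unix\)\[[0-9]+\]: authentication failure;/ {
            for (i = 1; i <= NF; i++)
                if (sub(/^rhost=/, "", $i) && length($i) > 0) print $i
        }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# hosts_over THRESHOLD < LOG -> hosts with more than THRESHOLD failures,
# one per line; this is the list a blocklist tool would act on.
hosts_over() {
    failures_per_host | awk -v t="$1" '$1 > t { print $2 }'
}

# failure_count HOST < LOG -> number of failures recorded for HOST (0 if none)
failure_count() {
    failures_per_host | awk -v h="$1" 'BEGIN { n = 0 } $2 == h { n = $1 } END { print n }'
}

printf '%s\n' "$SAMPLE_LOG" | failures_per_host
echo "hosts with more than 2 failures:"
printf '%s\n' "$SAMPLE_LOG" | hosts_over 2
```

On a real system feed it the auth log, e.g. `hosts_over 5 < /var/log/secure`, after checking that your syslog writes the same "sshd(pam_unix)" line format; rhost may be a hostname or a bare address depending on the resolver setup, so the firewall rule has to be written against whatever the log actually records, as jamesyeeoc notes above that firewalls only deal with IP addresses.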
     
  13. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Please read the full post referenced by rvdmeer.

    An additional piece of info about the 10:30:60 is:
    So you may want to play with the numbers. When reading ap-lawrence's blog post, keep in mind that his paths may be slightly different than yours.
     
  14. MaRiOs

    MaRiOs Guest

    0
     
    So if I change it to MaxStartups 10:50:15,
    does that mean that after 10 failed tries the server will deny 50% of the next tries? And when they get to 15 it will deny access completely, right?
     
  15. jamesyeeoc

    jamesyeeoc Guest

    0
     
    If there are currently 10 unauthenticated connections, then additional connection attempts will be refused with a probability of 50%, and after there are 15 unauthenticated connections then all additional connection attempts (from anyone) will be refused.

    So when there are 10 unauthorized connections, then the probability factor comes into play. At this point any additional connection attempts will fail half the time due to the 50.

    Of the other half attempts, once there are 15 unauthorized connections, then ALL further connection attempts made by ANYONE will be refused.

    That's how I understand the blog post info.
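The reading above is right, and sshd fills in the part between the two numbers with a linear ramp: with 10 unauthenticated connections open the next one is refused with probability 50%, with 11 open 60%, with 12 open 70%, and so on until 15 open, where every further connection is refused. The counter is the number of unauthenticated connections open at the same time on the whole server, not the number of failed attempts, and the limit applies to every source alike, so a burst of parallel connections from anywhere also puts the administrator's own login into the refused range; MaxStartups is a resource limit, and per-source blocking (BFD with APF, or firewalling SSH to known addresses, both suggested earlier) is what actually shuts a scanner out. The function below is an added example written for this page, not OpenSSH's code, that reproduces this computation for any start:rate:full value (a bare number N is treated as N:100:N, as sshd does).

```shell
#!/bin/sh
# Added example (not OpenSSH's code): the refusal probability that a
# MaxStartups "start:rate:full" setting gives a new unauthenticated
# connection when N such connections are already open. sshd applies this
# linear ramp: 0% below start, rate% at start, rising to 100% at full.

# maxstartups_fields SPEC -> "start rate full" (a bare number N means N:100:N)
maxstartups_fields() {
    case "$1" in
        *:*:*) rest=${1#*:}; echo "${1%%:*} ${rest%%:*} ${rest#*:}" ;;
        *)     echo "$1 100 $1" ;;
    esac
}

# maxstartups_drop_pct SPEC N -> percent chance that the next connection is
# refused while N unauthenticated connections are open (integer arithmetic,
# rounding down as sshd does)
maxstartups_drop_pct() {
    set -- $(maxstartups_fields "$1") "$2"
    start=$1 rate=$2 full=$3 n=$4
    if [ "$n" -lt "$start" ]; then echo 0; return; fi
    if [ "$n" -ge "$full" ]; then echo 100; return; fi
    echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
}

# maxstartups_table SPEC -> "open refused%" for every count from 0 to full
maxstartups_table() {
    set -- $(maxstartups_fields "$1")
    full=$3; i=0
    while [ "$i" -le "$full" ]; do
        echo "$i $(maxstartups_drop_pct "$1:$2:$3" "$i")"
        i=$((i + 1))
    done
}

echo "MaxStartups 10:50:15 (the value asked about above):"
maxstartups_table 10:50:15
```

`maxstartups_table 10:30:60` shows the value rvdmeer suggested: the ramp starts later and is much flatter, so the administrator's own login is rarely affected while a genuine flood is still capped at 60 open connections.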
     
  16. MaRiOs

    MaRiOs Guest

    0
     
    Damn, the last part isn't clever at all...
     