
Hacker/illegal abuse on server - can I stop it?

kuhle

Guest
In the last 2 weeks or so, I have had daily reports which are causing great concern. It is spammers/hackers trying to log into the server.

Can anyone tell me how I can stop them, or deny them access when it detects that they are running many of these? The sort of extracts I get are as follows - they are SO LONG that I have only included a few entries and these are all from one day's log:
================================
sshd:
Authentication Failures:
root (203.123.176.242): 22 Time(s)
adm (210.114.223.66): 16 Time(s)
ftp (210.114.223.66): 14 Time(s)
james (210.114.223.66): 14 Time(s)
mail (210.114.223.66): 14 Time(s)
mysql (210.114.223.66): 14 Time(s)
apache (210.114.223.66): 12 Time(s)
postfix (210.114.223.66): 12 Time(s)
postgres (210.114.223.66): 12 Time(s)
postgres (203.123.176.242): 8 Time(s)
mailman (203.123.176.242): 4 Time(s)
mailnull (203.123.176.242): 2 Time(s)
mysql (203.123.176.242): 2 Time(s)
pcap (203.123.176.242): 2 Time(s)
root (prx.funetia.pl): 2 Time(s)
smmsp (203.123.176.242): 2 Time(s)
tomcat4 (203.123.176.242): 2 Time(s)
uucp (203.123.176.242): 2 Time(s)
Invalid Users:
Unknown Account: 2725 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.114.223.66 : 1584 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.123.176.242 : 780 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=125.215.206.110 : 355 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=duy194.internetdsl.tpnet.pl : 4 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.235.231.103 : 2 Time(s)
======================================

Failed logins from these:
Clara/password from ::ffff:125.215.206.110: 2 Time(s)
Claudia/password from ::ffff:125.215.206.110: 2 Time(s)
Jana/password from ::ffff:125.215.206.110: 1 Time(s)
achim/password from ::ffff:125.215.206.110: 1 Time(s)
adam/password from ::ffff:210.114.223.66: 14 Time(s)
adelbert/password from ::ffff:125.215.206.110: 1 Time(s)
adele/password from ::ffff:125.215.206.110: 2 Time(s)
adm/password from ::ffff:210.114.223.66: 16 Time(s)
admin/password from ::ffff:203.123.176.242: 16 Time(s)
admin/password from ::ffff:210.114.223.66: 6 Time(s)
admin2/password from ::ffff:203.123.176.242: 2 Time(s)
administrator/password from ::ffff:203.123.176.242: 2 Time(s)
adrian/password from ::ffff:125.215.206.110: 1 Time(s)


============================

Illegal users from these:
Clara/none from ::ffff:125.215.206.110: 2 Time(s)
Clara/password from ::ffff:125.215.206.110: 2 Time(s)
Claudia/none from ::ffff:125.215.206.110: 2 Time(s)
Claudia/password from ::ffff:125.215.206.110: 2 Time(s)
Jana/none from ::ffff:125.215.206.110: 1 Time(s)
Jana/password from ::ffff:125.215.206.110: 1 Time(s)
achim/none from ::ffff:125.215.206.110: 1 Time(s)
achim/password from ::ffff:125.215.206.110: 1 Time(s)
adam/none from ::ffff:210.114.223.66: 14 Time(s)
adam/password from ::ffff:210.114.223.66: 14 Time(s)
adelbert/none from ::ffff:125.215.206.110: 1 Time(s)
adelbert/password from ::ffff:125.215.206.110: 1 Time(s)
adele/none from ::ffff:125.215.206.110: 2 Time(s)
adele/password from ::ffff:125.215.206.110: 2 Time(s)
admin/none from ::ffff:203.123.176.242: 16 Time(s)
admin/none from ::ffff:210.114.223.66: 6 Time(s)
admin/password from ::ffff:203.123.176.242: 16 Time(s)
admin/password from ::ffff:210.114.223.66: 6 Time(s)
admin2/none from ::ffff:203.123.176.242: 2 Time(s)
admin2/password from ::ffff:203.123.176.242: 2 Time(s)
administrator/none from ::ffff:203.123.176.242: 2 Time(s)
administrator/password from ::ffff:203.123.176.242: 2 Time(s)
 
Well,

the easiest thing to do:
Change the SSH-Port :)

Away from 22 to something much higher (40122 or so)...

Then those attempts will decrease _enormously_ :)
 
Or close the default SSH port 22 for everyone and open it only to your IP in the firewall. See my signature for a HOW TO.
 
Thank you both very much for those suggestions.

If I change SSH port, will this affect customers who need to get into their web management? Please can you tell me how to check/change the SSH port?

I could restrict access to my IP only, but that would not help when I am elsewhere which I often am.

I was hoping also to be able to block IP ranges on the firewall, but in my Plesk 8.1, it looks as if the IP ranges that you put in are those which will be ACCEPTED, and clearly I want to blacklist IP ranges. Can you tell me how to do that?
 
First of all, it is important which firewall you use.
The Plesk one, or another like Kiss or APF?
The Plesk one has a GUI interface, easier to set up, but not so advanced.
APF is much more advanced.

Regarding the SSH port: if you don't have a static IP, then change your port.
Clients will log in to PLESK, not with SSH, so only you should use it.
 
I am using the Plesk firewall - the GUI makes it easier for me, accepting that it is not as advanced as others.

I personally have a static IP, but if I need to do things remotely, that is why I want to just change the SSH port. Can you tell me how to do that?

THANK YOU for your help.
 
My 2 cents here: I'm not a fan of changing the port. At best this just stops worms that don't port scan a host before trying to brute force the service. This is the real threat; moving the port does nothing to defend against it, and at worst adds admin overhead.

1) DON'T USE PASSWORDS. Passwords are a bad security model: people forget them, use easily guessed ones, and regularly lose them. SSH has had a 2 factor authentication system for 12 years now, take advantage of it. Furthermore, if you're managing 10's or 100's of systems with passwords you've either got to remember them, save them, or duplicate them across those systems, again increasing your exposure when a password is compromised. Disable password authentication completely, and these brute force attacks are completely benign. Use keys and you've got 1 set of keys for every system. Edit /etc/ssh/sshd_config and set the following:
PasswordAuthentication no

Create your ssh keys, upload them to the box, test them, and then restart sshd.


2) Assuming you've done item 1, and you don't care to see the access attempts in your logs any more, you can restrict access with firewall rules, or, my personal preference, use an IDS like logwatch or DenyHosts to automatically shun someone when they attempt to brute force the system. There is value in detecting this type of event, as it allows you to detect known attackers and block their access to other services. I've seen brute forcers try on the SMTP port at the same time they're going after ssh.
 
thank you both, and thanks for your useful post, atomicturtle.

Were all the attacks listed in the original post SSH ones?

I will do some research on IDS.

THANK YOU all, once again for your help.
 
Another option not mentioned here is fail2ban (requires iptables to work). Keeps the brute force people at bay. Keep in mind that if you install APF for your firewall that when you restart APF it will wipe the f2b bans.
 
I have been looking at various IDS. It would seem sensible to stick with Logwatch as that is already on my server, and is what reports the multitude of attempted hacks.

Is there a way that Logwatch can be used to blacklist these IP addresses? It would seem that it is possible from what atomicturtle said, but I cannot fathom out how.

Grateful for any advice.
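Added example, not from any post in this thread: the aggregation that DenyHosts or fail2ban perform before shunning a source, written as POSIX shell over a few constructed sshd log lines (the raw form of the "Failed logins from these" summary logwatch produced above). It counts "Failed password" events per source, strips the ::ffff: IPv4-mapped prefix seen in the logwatch output, lists sources at or over a threshold, and prints (does not run) the iptables rules that would block them. The log file, the threshold and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts sshd password failures per
# source host and turns repeat offenders into firewall rules for review.

# Constructed sample of /var/log/secure style lines (documentation addresses).
# One failed attempt yields one "Failed password" line; the pam_unix line for
# the same attempt is ignored so nothing is double counted.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 04:12:01 host sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Mar  3 04:12:03 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 04:12:05 host sshd[1203]: Failed password for invalid user admin from ::ffff:198.51.100.7 port 51023 ssh2
Mar  3 04:12:06 host sshd[1205]: Failed password for invalid user adm from 198.51.100.7 port 51024 ssh2
Mar  3 04:12:08 host sshd[1207]: Failed password for invalid user james from 203.0.113.9 port 40011 ssh2
Mar  3 04:12:09 host sshd[1209]: Accepted publickey for kuhle from 192.0.2.4 port 53000 ssh2
EOF

# failed_logins_by_host LOGFILE
# Prints "count host" lines, most frequent source first.
failed_logins_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            sub(/^::ffff:/, "", src)   # IPv4-mapped form, as in the logwatch report
            count[src]++
         }
         END { for (h in count) print count[h], h }' "$1" | sort -rn
}

# brute_force_sources LOGFILE THRESHOLD
# Prints one host per line whose failure count is >= THRESHOLD.
brute_force_sources() {
    failed_logins_by_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# block_rules LOGFILE THRESHOLD
# Prints the iptables commands that would drop further traffic from those
# hosts. They are printed rather than executed so they can be reviewed first.
block_rules() {
    brute_force_sources "$1" "$2" | while read -r h; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$h"
    done
}

failed_logins_by_host "$SAMPLE_LOG"
block_rules "$SAMPLE_LOG" 3
```

The threshold is the knob that matters: too low and a customer who mistypes a password twice is locked out, too high and a slow scanner never trips it. A tool like fail2ban adds a time window and an automatic unban, which this script leaves out.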
 
how to change SSH port?

I am using Plesk 8.1 for Unix, and getting tons of failed attempts to connect to SSH in my daily logwatch.

I'd very much appreciate if you could explain how you can change the SSH port.

Thank you!
 
That's easy :D

/etc/ssh/sshd.conf
-> change the port to something else but 22 (40022 for example)

then run a "service sshd restart"

That's it :D
 
Hi Ivalics,

Since yesterday I have been using the Plesk Firewall module, but today I installed your APF firewall. Now I need to know whether I have to uninstall the Plesk module to work with APF or not.

Again, I would like you to check my conf.apf file,
thank you



# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="37,53,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53,873"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
 
I close port 22 for all and open in /etc/apf/allow.... for IP.
APF will overwrite PLESK firewall.
 
Ciao Valics,

do you remove port 22 in

IG_TCP_CPORTS (inbound) as well in
EG_TCP_CPORTS (outbound) ??

So if APF wins over the Plesk firewall, I don't need to uninstall it? Good news, I remember I read in this forum in the past that I had to uninstall it to work with APF

thanx
 
Yes, we remove port 22 because we allow it per IP ...

As far as I know there is no need to uninstall.
 
To prevent the open SSH port from being picked up by every automated port scan, you can change the default port of the SSH service.

Changing the SSH service configuration file
To do this, overwrite the port number in the configuration file. The configuration file is usually /etc/ssh/sshd_config (careful! Not ... ssh_config, but sshd_config). If the file is not there, try "find -name sshd_config".

The standard SSH port 22 is also the built-in default for the service, which is why the "Port 22" directive is commented out by default: "#Port 22". Since sshd can't jump that high, the fence (#) has to be removed. Then you can enter your own (unused!) port number, e.g. "Port 12345".

With "netstat -nlt" you can first make sure that the chosen port number really is unused:
the output should not contain the following line:

tcp 0 0 127.0.0.1:12345 0.0.0.0:*

Restarting the SSH service
To activate the change to sshd_config, sshd has to be restarted: "/etc/init.d/sshd reload" (careful! Not "ssh reload", but "sshd reload").

Running "netstat -nlt" again should confirm success.

Have fun!
Don't forget to specify the changed port in your terminal program the next time you log in!
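Added example, not from the thread: the sshd_config edits atomicturtle and the post above describe (move the port, turn password logins off so only keys work), applied with sed to a constructed copy of sshd_config so the script runs without touching /etc/ssh. It handles the commented-out default ("#Port 22") the post warns about, appends a directive that is missing entirely, and ends with the check-then-restart step that keeps you from locking yourself out. The sample file, port 40022 and the `service sshd restart` command (used earlier in the thread) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies the SSH hardening discussed
# above to a COPY of sshd_config; on a real host the file is
# /etc/ssh/sshd_config (sshd_config, not ssh_config). Port 40022 is assumed.

# Constructed sample sshd_config: shipped defaults are commented out, and
# PubkeyAuthentication is deliberately absent to exercise the append path.
SSHD_CONFIG=$(mktemp)
cat >"$SSHD_CONFIG" <<'EOF'
#Port 22
#PasswordAuthentication yes
X11Forwarding no
EOF

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY value" line even when it is commented out
# ("#Port 22" becomes "Port 40022"); appends "KEY value" if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" \
            >"$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >>"$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE
# Non-default port, no password logins (a brute forcer then has nothing to
# guess), public-key logins explicitly enabled.
harden_sshd_config() {
    set_sshd_option "$1" Port 40022
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# verify_and_restart FILE
# On the real host: syntax-check the file first, and only then restart sshd.
# Not called here because the sample file is not the live configuration.
verify_and_restart() {
    sshd -t -f "$1" && service sshd restart
}

harden_sshd_config "$SSHD_CONFIG"
cat "$SSHD_CONFIG"
```

Before running the restart step on a live server, keep the current SSH session open, confirm the new port is free with "netstat -nlt" as the post above describes, open the port in the firewall, and test the key-based login from a second terminal; only then close the old session.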
 
For those of you who do not speak German, here is what he said

In order to prevent that with each automatic haven CAN the open SSH haven is recognized, one can change the standard haven of the SSH of service. SSH service configuration file change in addition must one in the configuration file the haven number overwrite.

The configuration file lies usually in the listing /etc/ssh/sshd_config (note! Not: ... use ssh_config, but sshd_config). If the file is not there: times with "find name sshd_config" try. The SSH Standardport 22 is at the same time the default value for the service, therefore the instruction "haven 22" is out-commentated standard in accordance with: "# haven 22". Since sshd so highly cannot jump, the fence (#) must be removed.

Then one can do a its own (unused!) Haven number indicate, e.g.. "haven 12345". With "netstat" can one nlt insure itself before that the selected haven number is actually unused: the output should not contain the following line:

tcp 0 0 127.0.0.1:12345 0.0.0.0: * SSH service start again around the change at that sshd_config to activate, must again be started sshd: "/etc/init.d/sshd reload" (note! Not: "ssh reload", but "sshd reload").

A renewed "netstat nlt" should success confirm. Much fun! When next logging in do not forget to indicate the change of haven in the terminal program!

Note: I don't speak German either, I just used this translator :p
http://babelfish.altavista.com/tr
 