10.17.05
sshd lockdown
Finally decided that I should lock down the hosts.allow and hosts.deny files on my Debian server to limit the script attacks I've been seeing in my log files. For example, here's an excerpt from my /var/log/auth.log file, pulled out with a nice simple grep 'Illegal' > dump.txt
Oct 17 20:05:50 ### sshd[9802]: Illegal user 1 from ::ffff:218.80.206.142
Oct 17 20:05:52 ### sshd[9804]: Illegal user 2 from ::ffff:218.80.206.142
Oct 17 20:05:56 ### sshd[9806]: Illegal user 3 from ::ffff:218.80.206.142
Oct 17 20:05:58 ### sshd[9808]: Illegal user a from ::ffff:218.80.206.142
Oct 17 20:06:01 ### sshd[9810]: Illegal user aa from ::ffff:218.80.206.142
Oct 17 20:06:07 ### sshd[9812]: Illegal user aaa from ::ffff:218.80.206.142
Oct 17 20:25:28 ### sshd[9853]: Illegal user annette from ::ffff:218.80.206.142
Oct 17 20:25:31 ### sshd[9856]: Illegal user anngret from ::ffff:218.80.206.142
Oct 17 20:25:34 ### sshd[9858]: Illegal user anni from ::ffff:218.80.206.142
Oct 17 20:25:38 ### sshd[9860]: Illegal user annica from ::ffff:218.80.206.142
Oct 17 20:25:40 ### sshd[9862]: Illegal user annick from ::ffff:218.80.206.142
Oct 17 20:25:42 ### sshd[9864]: Illegal user annie from ::ffff:218.80.206.142
Oct 17 20:25:45 ### sshd[9866]: Illegal user annigret from ::ffff:218.80.206.142
Oct 17 20:25:53 ### sshd[9869]: Illegal user annika from ::ffff:218.80.206.142
Oct 17 20:25:56 ### sshd[9871]: Illegal user annik from ::ffff:218.80.206.142
Oct 17 20:26:00 ### sshd[9873]: Illegal user annike from ::ffff:218.80.206.142
Oct 17 20:26:04 ### sshd[9875]: Illegal user annikki from ::ffff:218.80.206.142
Oct 17 20:26:06 ### sshd[9878]: Illegal user annina from ::ffff:218.80.206.142
Oct 17 20:26:09 ### sshd[9880]: Illegal user annita from ::ffff:218.80.206.142
Oct 17 20:26:12 ### sshd[9882]: Illegal user annk!athrin from ::ffff:218.80.206.142
etc…
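The grep above shows the raw lines; what you actually want from them is "which sources, how many tries, which names". Here is a small added example (not from the original post) that parses auth.log lines in exactly the shape shown above, strips the ::ffff: IPv4-mapped prefix that sshd logs for IPv4 clients on a dual-stack socket, and groups the attempts per source address. The sample lines are constructed for the example; the redacted hostname "###" and the threshold of 3 attempts are assumptions, not anything the post states.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the auth.log excerpt above.
# The hostname field is redacted as "###" just as in the post.
SAMPLE_LOG = """\
Oct 17 20:05:50 ### sshd[9802]: Illegal user 1 from ::ffff:218.80.206.142
Oct 17 20:05:52 ### sshd[9804]: Illegal user 2 from ::ffff:218.80.206.142
Oct 17 20:05:56 ### sshd[9806]: Illegal user a from ::ffff:218.80.206.142
Oct 17 20:25:28 ### sshd[9853]: Illegal user annette from ::ffff:218.80.206.142
Oct 17 20:30:00 ### sshd[9900]: Illegal user test from ::ffff:10.0.0.7
Oct 17 20:31:00 ### sshd[9902]: Accepted publickey for bob from 192.168.1.20 port 50122 ssh2
"""

# syslog timestamp, host, "sshd[pid]: Illegal user <name> from <addr>"
ILLEGAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<addr>\S+)$"
)


def normalize_addr(addr):
    """Turn an IPv4-mapped IPv6 address (::ffff:a.b.c.d) into plain a.b.c.d."""
    prefix = "::ffff:"
    if addr.lower().startswith(prefix):
        return addr[len(prefix):]
    return addr


def summarize(log_text):
    """Group 'Illegal user' attempts by source address.

    Returns {addr: {"count": n, "users": [...], "first": ts, "last": ts}}.
    Lines that are not 'Illegal user' events (e.g. accepted logins) are ignored.
    """
    by_addr = defaultdict(lambda: {"count": 0, "users": [], "first": None, "last": None})
    for line in log_text.splitlines():
        m = ILLEGAL_RE.match(line)
        if not m:
            continue
        addr = normalize_addr(m.group("addr"))
        entry = by_addr[addr]
        entry["count"] += 1
        entry["users"].append(m.group("user"))
        entry["first"] = entry["first"] or m.group("ts")
        entry["last"] = m.group("ts")
    return dict(by_addr)


def flag_sources(summary, threshold=3):
    """Addresses with at least `threshold` illegal-user attempts, busiest first."""
    hits = [(a, e["count"]) for a, e in summary.items() if e["count"] >= threshold]
    return [a for a, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for addr, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{addr:15} {e['count']:3} tries  {e['first']} .. {e['last']}  "
              f"users: {', '.join(e['users'])}")
    print("over threshold:", flag_sources(report))
```

Run it against the real file with `summarize(open('/var/log/auth.log').read())`; the per-source counts are the part worth feeding into whatever you choose to react with, and the normalised address is what you would compare against hosts.allow patterns.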
Not happy Jan.
(Actually, I'm using the Debian package of logcheck, which sends me nice reports about what's going on. You have to set up a few rules to quiet it down when you first install it, but it's nice to see what has and hasn't happened - very nice. Anybody use anything else?)
Now, I had debated using some of the nice responses people have come up with to counter the increase in this sort of attack. For example, sshdfilter by Greg (?) updates iptables when it notices an attack in the log. There are other approaches that use Perl or Bash scripts and modify the hosts.allow and hosts.deny files - also nice.
But then I realised I was heading for overkill - keep it simple, methinks.
If I really think about who and what is using my server via sshd, surely it's better in my case to just deny everyone from accessing my server via sshd unless I specifically allow it. On the few occasions when I'm away, I can easily log in to an accepted machine and ssh across - it's a nice, simple and strong solution for now. Later… we'll see if I need something else.
I had to look up the man pages (with "pinfo" actually, which I quite like) for "hosts_access" and "hosts_options". I decided to use the extended "option" syntax so that I could keep all my new additions in the one "hosts.allow" file instead of splitting them across the two. It does mean I've actually got both the allow and the deny rules in the "allow" file, but I think that's better. So, I added some entries like
#allow my local connections inside my firewalled lan
sshd: 192.168.: allow
#other entries i know i need ie work etc.
sshd: my.work.domain.: allow
...
#now deny everyone else who tries! :*p
sshd: ALL: deny
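The thing that makes the one-file approach work is that tcp_wrappers stops at the first matching rule, so the "sshd: ALL: deny" line only does its job because it comes last. As an added example (not from the post and not libwrap itself), here is a small model of the hosts_access(5) matching rules that covers the patterns used above: ALL, a trailing-dot pattern like 192.168. that matches the leading numeric fields of an address, a leading-dot pattern like .example.org that matches the tail of a hostname, and exact host or address names. The hosts.allow text, the example.org hostnames and the addresses are constructed; the evaluator also mirrors the documented default that access is granted when no rule in either file matches.

```python
import re

# Constructed hosts.allow in the same style as the entries above, using the
# extended option syntax so allow and deny both live in this one file.
HOSTS_ALLOW = """\
# allow my local connections inside my firewalled lan
sshd: 192.168.: allow
# other entries I know I need, e.g. work (leading dot = hostname suffix)
sshd: .example.org: allow
# now deny everyone else who tries
sshd: ALL: deny
"""

# Same rules with the deny-all moved to the top: a common mistake.
HOSTS_ALLOW_WRONG_ORDER = """\
sshd: ALL: deny
sshd: 192.168.: allow
sshd: .example.org: allow
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list : allow|deny' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule in this model: {raw!r}")
        daemons = re.split(r"[\s,]+", parts[0])   # lists may use blanks and/or commas
        clients = re.split(r"[\s,]+", parts[1])
        rules.append((daemons, clients, parts[2].lower()))
    return rules


def client_matches(pattern, addr, host):
    """Subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):               # .domain matches host names ending in it
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                 # 1.2. matches addresses starting with it
        return addr.startswith(pattern)
    return pattern == addr or (host is not None and pattern.lower() == host.lower())


def decide(rules, daemon, addr, host=None):
    """First matching rule wins; no match anywhere means access is granted."""
    for daemons, clients, action in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(p, addr, host) for p in clients):
            return action
    return "allow"


if __name__ == "__main__":
    good = parse_rules(HOSTS_ALLOW)
    bad = parse_rules(HOSTS_ALLOW_WRONG_ORDER)
    for addr, host in [("192.168.1.10", None), ("203.0.113.5", "desk.example.org"),
                       ("218.80.206.142", None)]:
        print(f"{addr:16} correct order: {decide(good, 'sshd', addr, host):5} "
              f"deny-first: {decide(bad, 'sshd', addr, host)}")
```

Two things the model makes visible: reordering the file so the catch-all deny comes first silently locks out the LAN as well, and a daemon with no rule at all (say "smtp" in this file) is still allowed, so the deny line only protects the daemons you name in it.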
I'll see how it goes for the next few days… and it's nice to know there are other solutions out there if I need something with more smarts.