sshd, security, and break-in attempts

Well, I finally got my games server up an running on it's own static IP address, outside the firewall and utterly clamped down. It only has two ports open, 5121 (for the Neverwinter Nights game server) and 22 for ssh.

The problem I'm experiencing is probably very common. sshd is configured to reject all connection attempts unless they're using my RSA2 key; all passwords are rejected, and root login is turned off.

In /var/log/secure, however, I get lots of this kind of rubbish:

Code:

---

Mar 21 20:01:11 nwn sshd[31846]: Illegal user ldap from ::ffff:61.141.52.33
Mar 21 20:01:12 nwn sshd[31846]: Illegal user netdump from ::ffff:61.141.52.33
Mar 21 20:30:08 nwn sshd[31846]: Illegal user test from ::ffff:82.79.186.248
Mar 21 20:30:08 nwn sshd[31846]: Illegal user test from ::ffff:82.79.186.248

---

and so on.

What (other than posting their IP addresses to a public forum such as this one) can be done?

Is it possible to intercept such attack lines with a script, route the IP through 'whois' and send an automated report to their 'abuse@...' address for their ISP?

Is it possible to clamp down on these by limiting connections in IPtables to known IP addresses (I only ever connect from my primary static IP address anyway...)? This is an FC4 box, and I used the firewall tool (system-config-security) to turn off all access except ssh and the above mentioned port.

Is it possible (and this is my fave) to intercept multiple connection attempts, and immediately fire-back a stream of packets that melts their hard disk, fries their processor and video card, and sets fire to their monitor?

A few pointers here would be much appreciated.

if you set your INPUT policy to DROP and just add a -j ACCEPT rule for each ip you want to be allowed access to your ports you shouldn't see any of that rubbish anymore.

iptables -P INPUT DROP
iptables -A INPUT -s <allowed_ip> -p tcp --dport <allowed_port> -j ACCEPT

Thanks for the quick reply, marlowe.

Surely that change will prevent access to my public game server on port 5121 unless I know the IP of the people that are connecting? I think the solution is a little more complex than that.

Also, as I only have ssh access to the box (without digging it out of its hole in the basement) I'd rather not set the INPUT policy to DROP without first defining all the necessary rules. Any more pointers on how to do this?

You could be a bit more creative and use something like Port Knocking to secure your SSH connection.

basically with port knocking the SSH port is CLOSED. the only way to access it is to 'knock' (make connection attempts) specific ports in a specific order, at which point the SSH port will open up and allow you to connect to it..

If you don't know the 'secret handshake' you can't even find the door so to speak.

http://www.portknocking.org/

But why would you want to use the default port (22) for ssh? That's very unsecure.

Quote:

---

Originally Posted by antidrugue

But why would you want to use the default port (22) for ssh? That's very unsecure.

---

Dohhh! Yes, of course it is. That's probably the simplest solution to any of this. I'll just dump it on a different port - it's not actually insecure where it is, nobody can break in as such; I just want to stop these script kiddie tits from trying.

Thanks to all for your help.

Well, sorry then. I realize that is not the whole solution.

I just think of security as layers, and not using default port is generally a good idea.

I have 3 machines running sshd, none of them on default port, never had a breaking attemp.

hmm...i thought only you were supposed to use it. i wouldn't have recommended that policy thing otherwise.
how about just dropping all connections to ssh and allowing just one ip?
iptables -A INPUT -s <your_ip> -p tcp --dport <ssh> -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport <ssh> -j DROP

You may want to try this as well...

http://denyhosts.sourceforge.net/

From their site:

DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks. If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
DenyHosts attempts to address the above...