  1. #11

    I can't thank you enough for the excellent information you guys have provided here. I just set up my first home server with CentOS 4 and
    my server is already hammered with a bunch of lame guys trying to hack into my system.

    One thing though, is I'm using SSH's sshd2 instead of OpenSSH Daemon.
    Is it possible to implement the dynamic firewalling with sshd2 as well?

    It seems like the line which contains hacker's IP is different from "invalid user blah blah" line, and I wasn't sure if there was a way to get around it.

    Any help is appreciated, otherwise I'll simply use OpenSSH and implement the code discussed here.

  2. #12
    I think I can do something like the following:

    In sshd2, the line looks like the one below.

    May 1 02:32:47 hostname sshd[2342]: connection from ""

    While this line doesn't tell which user this guy is going after, I can measure the frequency at which I see the line above. If I see it 5 times in a minute, it probably is a hacker since a legit user shouldn't try to connect that often.
    So, something like this should do:

    ignore /myip/
    watchfor /connection from/
    threshold 5:60
    exec "/sbin/iptables -A swatch_rejects -s $8 -j DROP",subject="swatch match: firewall rule added"

    I'd be more than willing to listen to any suggestions regarding this code/setup.

  3. #13
    Posted by Krendoshazin (Linux User, joined Feb 2005, London, England)
    I'd have it write the fact that it added a rule into a log file along with the IP. If you have it email you and someone decides to throw the dictionary at you, then your inbox is going to get pretty full.

    Edit: I realise the script is meant to stop someone trying an account more than a certain number of times, but during a mass proxy attack this wouldn't have the desired effect, and that's when you'll get your email account flooded.

  5. #14
    comment out /etc/securetty

    a normal securetty file looks like this
    ~> cat /etc/securetty
    # This file contains the device names of tty lines (one per line,
    # without leading /dev/) on which root is allowed to login.
    # for devfs:
    By having these uncommented, you give hackers 6 open logins where they can go straight to root.

    a good book to read is "hacking linux exposed".

    naturally a secure securetty file would have all or all but one commented out. by commenting it means to place a # at the start of the line.

    how much you want to comment out is up to you.

    some good firewalls are guarddog, firestarter, arno's firewall (a script) and ipkungfu.

    If you take the time to learn, you can do IP masking and a whole lot of other things. Google around and you'll see what I mean.

  6. #15
    Has anyone succeeded in using the threshold option?
    With threshold 5:60, my swatch crashes at the very first
    match for some reason.

  7. #16

    Thank you for the post. I'm not too worried about getting my email
    account flooded...and I do not believe it will be flooded, anyway.

    What I was trying to accomplish with the script was...when someone is trying too many connections to my sshd, I drop the IP. Once it's dropped, it will no longer show up in the log. So basically I get one email per one banned IP.

    I'm no expert with proxy attacks, but attacks coming from proxies are blocked just like normal attacks.

    I have disabled remote root login. Wouldn't this accomplish even stronger security, no?

  8. #17
    Posted by Krendoshazin
    Proxy attacks will get banned just like any other IP, but that wasn't the issue I was worried about. If it was some kid just trying his luck with a few proxies then yes, the script would be sufficient, but if someone meant business and aimed a botnet at you, then that's where the real trouble starts.

    Yes, disabling remote login of root will make it more secure, as it removes the chance of access being gained to it by a remote brute-force attack, but if you have a sufficiently strong password in the first place then the risk of having the account brute forced is practically zero. Also, I'd remove all remote login access to all accounts unless absolutely essential, and then only to accounts that have sufficiently strong passwords.

    I speak from experience: someone tried to brute force me through SSH for 4 days and never gained access because I have good, uncommon, strong passwords. See here for the topic about it.

  9. #18
    Posted by Krendoshazin
    Oh, and by the way, the outcome of all that was I traced the IP back to an Asian web server that was being used as the proxy to attack me. I contacted the company and had the account shut down.

  10. #19
    The whole point of running firewalls and swatch and so forth is to run servers. Yes, if you disable all kinds of remote connections then nobody in the world can hack your machine; at the same time, it is no longer called a server.

    I only have port 22 open so I can control the machine remotely via SSH (got firewalled out of my system by accident right now, but that's a different story).
    And I'm just trying to strengthen the defense by implementing swatch as well as no root remote login and so forth.

    As you pointed out, the botnet attack is a threat. Even then, implementing swatch would reduce the chance of a successful hack a great deal.

    One headache right now is that the threshold option on swatch doesn't seem to be working. I was reading through the official page's forum and it seems like the threshold function is not implemented as advertised in the manual.

  11. #20
    Posted by Krendoshazin
    I wasn't suggesting to do what I did to deal with it, I was just showing that I've been in the same situation. As for the threshold situation, depending on how simple you want to keep it, you could use a database to keep track of how many failed attempts per IP and then use a variable integer, with the value grabbed from a config file, to set the number of failed attempts before a ban is placed. That's just a suggestion to keep things tidy.
