Improving security on OpenSSH

After leaving my Linux server online for just one day, I detected intrusion attempts while checking the logs (/var/log/auth.log). Here is what an intrusion attempt looks like:

...
Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118
Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118
Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118
Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118
Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118
Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118
Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118
Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118
Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:22:15 localhost sshd[4588]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118
Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:40 localhost sshd[4602]: User root not allowed because not listed in AllowUsers
...

I've already taken some precautions against this, but today I went through the sshd_config manual page again to see if I could do more.
It would be really nice if sshd were able to automatically blacklist an IP address that fails a given number of attempts.
I find it really strange that it does not have this feature.

Anyway, in my previous post Security Paranoia I already mentioned an option called MaxStartups. The man page says:

MaxStartups
Specifies the maximum number of concurrent unauthenticated connections
to the sshd daemon.
Additional connections will be dropped until authentication succeeds or 
the LoginGraceTime expires for a connection.  The default is 10.

Alternatively, random early drop can be enabled by specifying the three 
colon separated values ``start:rate:full'' (e.g., "10:30:60").  
sshd will refuse connection attempts with a probability
of ``rate/100'' (30%) if there are currently ``start'' (10) 
unauthenticated connections.  The probability increases linearly and 
all connection attempts are refused if the number of unauthenticated
connections reaches ``full'' (60).

Very explicit.
So I settled on this setting:

MaxStartups 1:100:1

I forgot to mention that, after modifying /etc/ssh/sshd_config, you have to restart the SSH daemon with: /etc/init.d/ssh restart

Only one connection at a time. Once there is one (the first) unauthenticated connection, any further attempt has a 100% probability of being dropped, and the maximum number of unauthenticated connections allowed is 1. In other words: one try at a time, and no more. So multithreaded bots should have a harder time next time.

If someone knows how to tell sshd (or the firewall) to ban an IP address after, let's say, 3 failed attempts, I would really appreciate it.
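As an added example (not part of the original post), here is a small Python script that does the per-address counting the question above asks for, over lines in the auth.log format shown earlier: it totals failed attempts per source address and reports those reaching a threshold. The sample log is constructed for this example, with addresses from the 192.0.2.0/24 documentation range; note that the "not listed in AllowUsers" lines in this log format carry no source address, so they cannot be attributed to a host and are skipped.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines in the format shown above.
# Source addresses use the 192.0.2.0/24 documentation range, not real hosts.
SAMPLE_AUTH_LOG = """\
Aug 31 23:21:25 localhost sshd[4558]: User root not allowed because not listed in AllowUsers
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:192.0.2.10
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:192.0.2.10
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:192.0.2.10
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:192.0.2.10
Aug 31 23:21:44 localhost sshd[4568]: Illegal user oracle from ::ffff:192.0.2.22
Aug 31 23:21:47 localhost sshd[4570]: Failed password for bob from 192.0.2.22 port 51234 ssh2
Aug 31 23:21:50 localhost sshd[4572]: Accepted publickey for alice from 192.0.2.50 port 50022 ssh2
"""

# Failure messages sshd writes: "Illegal user" is the 2005-era wording,
# "Invalid user" and "Failed password" are the later ones. The optional
# "::ffff:" prefix handles IPv4-mapped IPv6 addresses as in the log above.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user|Invalid user|Failed password for(?: invalid user)?) "
    r"\S+ from (?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+)"
)


def failures_by_source(log_text):
    """Count failed login attempts per source address.

    Lines without a source address (e.g. the AllowUsers rejections in this
    log format) do not match and are left out of the count.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def sources_over_threshold(log_text, threshold=3):
    """Return (address, failures) pairs at or above the threshold, busiest first."""
    counts = failures_by_source(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in sources_over_threshold(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed attempts")
```

The output of sources_over_threshold is the list a firewall or TCP wrapper blacklist would be fed; successful logins ("Accepted ...") are deliberately not counted.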


2 Responses to “Improving security on OpenSSH”

  1. andb

    http://denyhosts.sourceforge.net/ will blacklist IPs with too many failed connection attempts

    or use 'hashlimit' in 'iptables':
    iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

  2. Linux PAM Automatic Blacklisting - NewInstance

