[SGVLUG] ssh breakins
Jeff Carlson
jeff at ultimateevil.org
Tue Aug 8 20:42:07 PDT 2006
Don Saxton wrote:
> I thought when I switched to rsa these break in attempts would be
> discouraged. What more can I do?
>
> It has nothing of value to anyone other than the users. Messing it up
> would mess up one non-profit.
>
> --------------------- SSHD Begin ------------------------
>
> Failed logins from:
> 66.253.169.114 (mr-min-169-114.dmisinetworks.net): 14 times
>
> Illegal users from:
> 66.253.169.114 (mr-min-169-114.dmisinetworks.net): 24 times
First, thanks for reporting this IP as a source of break-in attempts. I
have blocked it.
Here's how I protect sshd.
I have a pretty standard sshd configuration. It runs on port 22 and
allows passwords. The root user is NOT allowed to log in, though.
PermitRootLogin no
I do not block access to port 22 with IPtables. However, I do block it
with tcp_wrappers. Additionally, I use a program called DenyHosts which
adds attackers to tcp_wrappers automatically. Usually, the most they
get to try to attack is about six times before their IP is blocked.
Here's my configuration.
First, /etc/hosts.deny just blocks everything:
ALL: ALL
Next, /etc/hosts.allow accepts my local LAN and certain services are
allowed connections from everywhere. However, because of the order in
which tcp_wrappers accepts connections, I add include files for blocking
other sources:
ALL: 192.168.1.0/255.255.255.0
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.sshd
sshd: ALL : DENY
So, anything that appears in /etc/hosts.deny.sshd is not allowed to
connect to sshd. I got a list of IP ranges that are assigned to
providers in the US from blackholes.us. So I only accept sshd
connections from the US. Anything else gets denied.
The format of an include file to the tcp_wrappers configuration is one
IP or host name per line, no other comments or service names. However,
DenyHosts defaults to appending lots of details to /etc/hosts.deny, with
service name "sshd" and a comment about the date and time it was added.
So I had to modify its config file not to add all that. Here are the
relevant changes I made to /etc/denyhosts.conf:
HOSTS_DENY = /etc/hosts.deny.sshd
PURGE_DENY =
Note that this means once the IP is blocked it doesn't get removed; it's
permanent.
BLOCK_SERVICE =
This prevents it from appending "sshd: " to every line it inserts.
#DAEMON_PURGE = 1h
Commented out because I don't want purging.
I have found once attackers start getting those rather immediate FIN
packets, they stop trying. Only one attacker ever tried to connect a
second time after getting blocked. I used to get anywhere from 30 to
700 break-in attempts from single hosts, but since I set up DenyHosts,
that number has been reduced significantly. And then they aren't
allowed to come back, ever. So far I think I've only ever seen one IP
try to come back a day or a week later.
I also used to manually enter the attackers into /etc/hosts.deny.sshd,
and I even shared the list between home and work, but since implementing
DenyHosts, it hasn't been necessary. However, I still do think about
publishing the list of blocked IPs on my web server. I haven't done it yet.
http://denyhosts.sourceforge.net/
I haven't looked at it in quite a while. Apparently it now supports
synchronization among multiple hosts/contributors. So now I have
something new to work on tonight.
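An added example, not from this post or from the DenyHosts project, that mimics in Python the two mechanisms described above: counting failed and illegal sshd logins per source address from syslog lines and emitting the bare one-address-per-line entries for /etc/hosts.deny.sshd (no "sshd:" prefix, no comments, never purged), and walking the posted hosts.allow rules in order to decide whether a given source may reach sshd. The sample log lines, the 198.51.100.7 address, the threshold of six, and all function names are assumptions; the allow include is assumed to hold ranges in tcp_wrappers net/mask notation.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Syslog lines that DenyHosts-style counting cares about: "Failed password"
# and "Invalid user" from sshd. Assumption: classic OpenSSH wording.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

DENY_THRESHOLD = 6  # the "about six times" before an IP is blocked (assumed value)
LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # from the hosts.allow line

# Constructed sample syslog excerpt (not real log data). 66.253.169.114 is the
# address from the report; 198.51.100.7 is a documentation-range placeholder.
SAMPLE_LOG = [
    "Aug  8 20:15:01 srv sshd[4101]: Invalid user oracle from 66.253.169.114",
    "Aug  8 20:15:01 srv sshd[4101]: Failed password for invalid user oracle from 66.253.169.114 port 51234 ssh2",
    "Aug  8 20:15:03 srv sshd[4103]: Invalid user admin from 66.253.169.114",
    "Aug  8 20:15:03 srv sshd[4103]: Failed password for invalid user admin from 66.253.169.114 port 51240 ssh2",
    "Aug  8 20:15:06 srv sshd[4105]: Failed password for root from 66.253.169.114 port 51251 ssh2",
    "Aug  8 20:15:08 srv sshd[4107]: Failed password for root from 66.253.169.114 port 51260 ssh2",
    "Aug  8 20:15:10 srv sshd[4109]: Failed password for root from 66.253.169.114 port 51266 ssh2",
    "Aug  8 20:16:00 srv sshd[4120]: Accepted publickey for jeff from 192.168.1.20 port 40000 ssh2",
    "Aug  8 20:17:30 srv sshd[4130]: Failed password for jeff from 198.51.100.7 port 33001 ssh2",
    "Aug  8 20:17:34 srv sshd[4130]: Failed password for jeff from 198.51.100.7 port 33001 ssh2",
    "Aug  8 20:17:40 srv sshd[4130]: Connection closed by 198.51.100.7",
]


def count_failures(lines: Iterable[str]) -> Counter:
    """Count failed and illegal-user sshd login attempts per source IP."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def load_include_file(text: str) -> List[str]:
    """Parse a tcp_wrappers include file: one address or host per line, nothing else."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def new_deny_entries(counts: Counter, already_denied: Iterable[str],
                     threshold: int = DENY_THRESHOLD) -> List[str]:
    """Addresses at or over the threshold that are not yet in /etc/hosts.deny.sshd.
    Nothing is ever removed (PURGE_DENY is empty), so the file only grows."""
    denied = set(already_denied)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in denied)


def render_include_file(existing: Iterable[str], new: Iterable[str]) -> str:
    """Write the bare include-file format: no 'sshd:' prefix, no comments."""
    return "".join(f"{entry}\n" for entry in list(existing) + list(new))


def sshd_access(ip: str, deny_include: Iterable[str], allow_include: Iterable[str]) -> bool:
    """Walk the posted hosts.allow rules for sshd top to bottom; first match wins.
    Returns True when the connection is accepted."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:                              # ALL: 192.168.1.0/255.255.255.0
        return True
    if ip in set(deny_include):                  # sshd: /etc/hosts.deny.sshd : DENY
        return False
    for net in allow_include:                    # sshd: /etc/hosts.allow.sshd (net/mask lines)
        if addr in ipaddress.ip_network(net):
            return True
    return False                                 # sshd: ALL : DENY, then hosts.deny ALL: ALL


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    existing = load_include_file("")             # start from an empty deny include
    added = new_deny_entries(counts, existing)
    print(render_include_file(existing, added), end="")
    for src in ("192.168.1.20", "66.253.169.114", "66.253.1.1", "198.51.100.7"):
        verdict = "allowed" if sshd_access(src, added, ["66.253.0.0/255.255.0.0"]) else "denied"
        print(src, verdict)
```

Run as a script, it blocks only the address with seven failures; the two-failure source stays under the threshold and is still refused, because it is outside both the LAN and the allowed ranges and so falls through to the final DENY. The deny include is checked before the allow include, which is the ordering point made above: an address that sits inside an allowed US range is still refused once it has been written to /etc/hosts.deny.sshd.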