How do you protect your system?

[yosepht]

I think I have a good UID and Password set up for my system but look all
the failed attempts that some body has made to access my system. One
of these days it is going to succeed. Is there a way to prevent these types
of multiple attempts, like 5 attempts and your IP address is locked out or something.

Dec 20 11:06:56 ubuntu sshd[26386]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:06:56 ubuntu sshd[26386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:06:58 ubuntu sshd[26386]: Failed password for invalid user spam from 74.126.176.133 port 49583 ssh2
Dec 20 11:06:59 ubuntu sshd[26388]: Invalid user virus from 74.126.176.133
Dec 20 11:06:59 ubuntu sshd[26388]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:06:59 ubuntu sshd[26388]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:01 ubuntu sshd[26388]: Failed password for invalid user virus from 74.126.176.133 port 50165 ssh2
Dec 20 11:07:02 ubuntu sshd[26392]: Invalid user cyrus from 74.126.176.133
Dec 20 11:07:02 ubuntu sshd[26392]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:02 ubuntu sshd[26392]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:04 ubuntu sshd[26392]: Failed password for invalid user cyrus from 74.126.176.133 port 50753 ssh2
Dec 20 11:07:05 ubuntu sshd[26394]: Invalid user oracle from 74.126.176.133
Dec 20 11:07:05 ubuntu sshd[26394]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:05 ubuntu sshd[26394]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:08 ubuntu sshd[26394]: Failed password for invalid user oracle from 74.126.176.133 port 50900 ssh2
Dec 20 11:07:09 ubuntu sshd[26396]: Invalid user michael from 74.126.176.133
Dec 20 11:07:09 ubuntu sshd[26396]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:09 ubuntu sshd[26396]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:11 ubuntu sshd[26396]: Failed password for invalid user michael from 74.126.176.133 port 51482 ssh2
Dec 20 11:07:12 ubuntu sshd[26398]: Invalid user ftp from 74.126.176.133
Dec 20 11:07:12 ubuntu sshd[26398]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:12 ubuntu sshd[26398]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:14 ubuntu sshd[26398]: Failed password for invalid user ftp from 74.126.176.133 port 52063 ssh2
Dec 20 11:07:15 ubuntu sshd[26400]: Invalid user test from 74.126.176.133
Dec 20 11:07:15 ubuntu sshd[26400]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:15 ubuntu sshd[26400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:16 ubuntu sshd[26400]: Failed password for invalid user test from 74.126.176.133 port 52221 ssh2
Dec 20 11:07:17 ubuntu sshd[26402]: Invalid user webmaster from 74.126.176.133
Dec 20 11:07:17 ubuntu sshd[26402]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:17 ubuntu sshd[26402]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:19 ubuntu sshd[26402]: Failed password for invalid user webmaster from 74.126.176.133 port 52780 ssh2
Dec 20 11:07:20 ubuntu sshd[26404]: Invalid user postmaster from 74.126.176.133
Dec 20 11:07:20 ubuntu sshd[26404]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:20 ubuntu sshd[26404]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:22 ubuntu sshd[26404]: Failed password for invalid user postmaster from 74.126.176.133 port 52935 ssh2
Dec 20 11:07:23 ubuntu sshd[26406]: Invalid user postfix from 74.126.176.133
Dec 20 11:07:23 ubuntu sshd[26406]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:23 ubuntu sshd[26406]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:25 ubuntu sshd[26406]: Failed password for invalid user postfix from 74.126.176.133 port 53516 ssh2
Dec 20 11:07:26 ubuntu sshd[26408]: Invalid user postgres from 74.126.176.133
Dec 20 11:07:26 ubuntu sshd[26408]: pam_unix(sshd:auth): check pass; user unknown
Dec 20 11:07:26 ubuntu sshd[26408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.126.176.133
Dec 20 11:07:28 ubuntu sshd[26408]: Failed password for invalid user postgres from 74.126.176.133 port 53678 ssh2
Dec 20 11:07:29 ubuntu sshd[26410]: Invalid user paul from 74.126.176.133

[glum]

I use a couple of things. I have my iptables to block connections to no more than two connections per minute to slow down brute force attacks and to allow local account

Code: Select all

*filter
:INPUT ACCEPT [19422:4819133]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10064:2038008]
# Only the following sources are allowed to connect to the server
#-s 213.146.159.254            # Work's External IP
#-s 5.0.0.0/255.0.0.0          # Himachi
#-s 192.168.1.0/255.255.255.0  # internal network
#

# Accept local connect traffic through 127.0.0.1
-A INPUT -i lo -j ACCEPT

# Allow established and related connections through
-A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#  Brute force prevention - prevents more than two SSH connections per minute to slow down SSH scans
-A INPUT -p tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name SSHIN -j REJECT
-A INPUT -p tcp --dport 22 -m recent --set --name SSHIN -j ACCEPT

#  Allow ftp access from local hosts only
#-A INPUT  -s 192.168.1.0/255.255.255.0  -p tcp -m multiport --dports 20,21 -j ACCEPT
#-A OUTPUT -s 192.168.1.0/255.255.255.0  -p tcp -m multiport --dports 20,21 -j ACCEPT

# Allow NFS access for the allowed hosts
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 111,53706 -j ACCEPT

# Allow samba access for the allowed hosts
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 139,145 -j ACCEPT

#  Allow ssh from allowed hosts only
-A INPUT -s 192.168.1.0/255.255.255.0  -p tcp --dport 22 -j ACCEPT

#  Allow itunes (bonjour) for local traffic only
-A INPUT  -s 192.168.1.0/255.255.255.0  -p tcp --dport 3689 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0  -p tcp --dport 3689 -j ACCEPT

#  Allow twonky for local traffic only
-A INPUT  -s 192.168.1.0/255.255.255.0  -p tcp -m multiport --dports 9000,5053 -j ACCEPT
-A INPUT  -s 192.168.1.0/255.255.255.0  -p udp -m multiport --dports 1030,1900,9080 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0  -p tcp -m multiport --dports 9000,5053 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0  -p udp -m multiport --dports 1030,1900,9080 -j ACCEPT

# Allow VNC from selected hosts
-A INPUT  -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dports 5900,5901 -j ACCEPT

# Allow DNS lookups out
-A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow web browsing from this server
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Allow MLdonkey connections from a GUI from allowed hosts only
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 4001 -j ACCEPT
# for now dont allow the http connection on 4080

# open the bitTorent incoming port
-A INPUT -p tcp -m multiport --dports 6881,6882 -j ACCEPT

# Allow inbound/outbound SMTP
-A INPUT  -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT

# Allow inbound/outbound POP3
-A INPUT  -s 192.168.1.0/255.255.255.0  -p tcp --dport 110 -j ACCEPT
-A OUTPUT                               -p tcp --dport 110 -j ACCEPT

# Allow outbound NTP
-A OUTPUT -p tcp --dport 123 -j ACCEPT

#if we get here reject the packet
#-A INPUT -j REJECT

COMMIT

I also use a service called denyhosts. Its a daemon running on the box that contacts a central server to get a list of know bots or hacker IPs. Additionally any dos attacks on my machine are uploaded to the server to share hack attempts on my server - currently have 2566 disallowed IPs in my list at the mo - http://denyhosts.sourceforge.net/

[cordel]

[Since ssh is not specific to ZM I moved the post here.]

One easy way to avoid this type of issue is to change from the default port for sshd to something else like 1022 for example. This will thwart bots and is simple to do.

For added security you can add one of the following:

fail2ban
pam_abl
or the mentioned "denyhost" by the poster above are all good and will help against attacks.

[whatboy]

Fail2ban set it to fail after 3 attempts and ban'em for a whole day... and disable root access...

Password make combination letters and numbers...

[nerbonne]

CSF will make denyhosts look silly. You need CSF (ConfigServer Firewall). It amazingly powerful and it's free. It does alot more than firewall though, it can alert you and/or kill processes when server loads go to high. It will ban hacking attempts (sometimes temp ban based on criteria).

http://www.configserver.com/cp/csf.html

[devlista]

http://www.fail2ban.org

http://www.fail2ban.org/wiki/index.php/HOWTOs

[Flasheart]

Even simpler method - change the port ssh listens to.

99% of these bruteforce attacks will simply disappear since they're scripted or viral.