Aug 16 2008
Debian SSH Security
Within two days of having my out-of-the-box Debian install exposed to the internet I realised something had to be done about my SSH security.
I was getting a large number of attempts to access my server, all of them logged to /var/log/auth.log.
The attempts ranged from guessing the system's user names:
Aug 12 19:01:04 sailes sshd[11017]: Invalid user alex from 221.11.123.149
Aug 12 19:01:04 sailes sshd[11017]: (pam_unix) check pass; user unknown
Aug 12 19:01:04 sailes sshd[11017]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:05 sailes sshd[11017]: Failed password for invalid user alex from 221.11.123.149 port 41122 ssh2
Aug 12 19:01:08 sailes sshd[11021]: Invalid user brett from 221.11.123.149
Aug 12 19:01:09 sailes sshd[11021]: (pam_unix) check pass; user unknown
Aug 12 19:01:09 sailes sshd[11021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:11 sailes sshd[11021]: Failed password for invalid user brett from 221.11.123.149 port 41238 ssh2
Aug 12 19:01:13 sailes sshd[11025]: Invalid user mike from 221.11.123.149
Aug 12 19:01:14 sailes sshd[11025]: (pam_unix) check pass; user unknown
Aug 12 19:01:14 sailes sshd[11025]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:16 sailes sshd[11025]: Failed password for invalid user mike from 221.11.123.149 port 41366 ssh2
Aug 12 19:01:19 sailes sshd[11029]: Invalid user alan from 221.11.123.149
Aug 12 19:01:19 sailes sshd[11029]: (pam_unix) check pass; user unknown
Aug 12 19:01:19 sailes sshd[11029]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
to attempting to brute-force the root password:
Aug 16 21:05:12 sailes sshd[24111]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.75.189.67 user=root
Aug 16 21:05:14 sailes sshd[24111]: Failed password for root from 65.75.189.67 port 36171 ssh2
Aug 16 21:05:15 sailes sshd[24115]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.75.189.67 user=root
Aug 16 21:05:18 sailes sshd[24115]: Failed password for root from 65.75.189.67 port 36489 ssh2
There were also all sorts of other odd error messages, which no doubt came from attempts to exploit various potential security flaws.
This was obviously not a good situation; luckily many people offered advice. Ideally what I should have done was to only allow management access from my own static IP address, but this doesn't suit me: I like to be able to do anything from anywhere.
Another suggestion was to change the port SSH listens on. This is a very good suggestion, and one I would pass on to others: it seems like 99% of the attackers don't bother to check for SSH listening on a non-standard port (it hides the service from untargeted scanners, though not from anyone who bothers to port-scan the host). I didn't want to do this because it would mean remembering yet another custom port, and also because of strict firewall policies I had to contend with.
Finally I decided on installing a piece of software called DenyHosts (the Debian package is denyhosts):
# apt-get install denyhosts
This Python application runs throughout the day (as a daemon, or from cron) monitoring /var/log/auth.log. When a host racks up enough failed logins it adds that address to /etc/hosts.deny, and sshd, which consults the TCP Wrappers files hosts.allow and hosts.deny on every new connection, refuses further connections from it. Note that this only works because Debian's sshd is built with libwrap; an sshd without TCP Wrappers support ignores hosts.deny entirely, so check that before relying on it.
My hosts.deny file is now growing almost daily with banned IP addresses:
sailes:/# cat /etc/hosts.deny
sshd: 221.11.123.149
sshd: 89.96.182.197
sshd: 211.239.157.222
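To make the detection concrete, here is the same idea reduced to a short Python script. This is an added example written for this page, not DenyHosts' own code: the thresholds are illustrative assumptions (DenyHosts has its own configurable ones), and the sample input is the auth.log lines quoted above plus two constructed lines for a legitimate user "sam" from 192.0.2.10 so that the higher threshold for real accounts shows up.

```python
"""Minimal DenyHosts-style detection: count failed SSH logins per source
address in auth.log lines and emit hosts.deny entries for offenders.

Added example, not DenyHosts' own code.
"""
import re
from collections import defaultdict

# sshd writes exactly one "Failed password" line per failed attempt (seen
# above for both the invalid-user scan and the root brute force). The
# "Invalid user" and pam_unix lines describe the same attempt, so counting
# only this line avoids double-counting.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Illustrative thresholds (an assumption of this example): guessing a
# non-existent user or root is suspicious almost immediately, while a real
# user is allowed a few typos before being banned.
THRESHOLDS = {"invalid": 1, "root": 2, "valid": 5}

# A hosts.deny entry of the form written above: "sshd: <ip>"
DENY_LINE = re.compile(r"^sshd:\s*(\d+\.\d+\.\d+\.\d+)\s*$")


def classify(line):
    """Return ("invalid" | "root" | "valid", ip) for a failed-login line, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    unknown_account, user, ip = m.groups()
    if unknown_account:
        return ("invalid", ip)
    return ("root" if user == "root" else "valid", ip)


def count_failures(lines):
    """Tally failed attempts per source address, split by category."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            category, ip = hit
            counts[ip][category] += 1
    return counts


def offenders(lines, thresholds=THRESHOLDS):
    """Addresses whose failure count in any category reaches its threshold."""
    return sorted(
        ip
        for ip, per_cat in count_failures(lines).items()
        if any(n >= thresholds[cat] for cat, n in per_cat.items())
    )


def update_hosts_deny(existing, new_ips):
    """Return hosts.deny text with an 'sshd: <ip>' line for each new offender.

    Existing lines are kept untouched and an address already listed is not
    added twice, which is what keeps the growing file above tidy.
    """
    already = {m.group(1) for m in map(DENY_LINE.match, existing.splitlines()) if m}
    out = existing if (not existing or existing.endswith("\n")) else existing + "\n"
    for ip in new_ips:
        if ip not in already:
            out += f"sshd: {ip}\n"
            already.add(ip)
    return out


# Constructed sample: the auth.log lines quoted above, plus two made-up lines
# for a legitimate user (sam from 192.0.2.10) who mistypes a password once.
SAMPLE_LOG = """\
Aug 12 19:01:04 sailes sshd[11017]: Invalid user alex from 221.11.123.149
Aug 12 19:01:04 sailes sshd[11017]: (pam_unix) check pass; user unknown
Aug 12 19:01:05 sailes sshd[11017]: Failed password for invalid user alex from 221.11.123.149 port 41122 ssh2
Aug 12 19:01:11 sailes sshd[11021]: Failed password for invalid user brett from 221.11.123.149 port 41238 ssh2
Aug 12 19:01:16 sailes sshd[11025]: Failed password for invalid user mike from 221.11.123.149 port 41366 ssh2
Aug 16 21:05:14 sailes sshd[24111]: Failed password for root from 65.75.189.67 port 36171 ssh2
Aug 16 21:05:18 sailes sshd[24115]: Failed password for root from 65.75.189.67 port 36489 ssh2
Aug 16 21:10:01 sailes sshd[24200]: Failed password for sam from 192.0.2.10 port 50000 ssh2
Aug 16 21:10:05 sailes sshd[24204]: Accepted password for sam from 192.0.2.10 port 50001 ssh2
""".splitlines()

# Constructed current contents of /etc/hosts.deny (one address already banned).
EXISTING_HOSTS_DENY = "sshd: 221.11.123.149\n"

if __name__ == "__main__":
    banned = offenders(SAMPLE_LOG)
    print("offenders:", banned)
    print(update_hosts_deny(EXISTING_HOSTS_DENY, banned), end="")
```

On the sample above the script bans 221.11.123.149 and 65.75.189.67 and leaves sam alone; 221.11.123.149 is already in the file, so only one new line is appended. Unlike the real DenyHosts it does not follow a rotating log, expire old bans or share them with other hosts, and, as with DenyHosts, the resulting hosts.deny only has an effect on an sshd built with libwrap.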
Although this is not the most secure option, I feel it best suits my needs.