Enterprise-Java.co.uk http://www.enterprise-java.co.uk From Debian to Java and everything inbetween Sat, 23 Aug 2008 21:20:21 +0000 http://wordpress.org/?v=2.6 en Monitoring and measuring bandwidth http://www.enterprise-java.co.uk/debian/managing-and-measuring-bandwidth/ http://www.enterprise-java.co.uk/debian/managing-and-measuring-bandwidth/#comments Sat, 16 Aug 2008 21:19:10 +0000 mark http://www.enterprise-java.co.uk/?p=26 True “unlimited” bandwidth is pretty much dead these days, and so it should be in my opinion. I would much rather have high speed and a fixed amount bandwidth than be forced to a limited amount of bandwidth by having a slow access speed.

Whether you have a shared hosting, a vps or a dedicated server you are most likely to have a fixed amount of bandwidth whether you know it or not.

I’ve decided to monitor and measure my bandwidth usage from the start. I think its generally good practice and I certainly don’t want to get stung by excess charges if I use more than my host allows. Also a sudden increase could be a sign of a security breach.

I installed a couple of applications, the first was a real time bandwidth monitoring tool.

# apt-get install bwm
sailes:/# bwm
Bandwidth Monitor 1.1.0
Iface        RX(KB/sec)   TX(KB/sec)   Total(KB/sec)

lo            0.000        0.000           0.000
eth0            5.497       21.489          26.9860

Total            5.497       21.489         26.9860

Hit CTRL-C to end this madness.

The second records and summaries my bandwidth usage by hour and day.

# apt-get install vnstat

Check your interfaces with ifconfig

# vnstat -u -i eth0

sailes:/# vnstat
Database updated: Sat Aug 16 22:20:01 2008
       eth0

           received:         895.92 MB (45.9%)
        transmitted:           1053 MB (54.1%)
              total:           1949 MB

                        rx     |     tx     |  total
        -----------------------+------------+-----------
        yesterday     12.75 MB |   83.79 MB |   96.54 MB
            today        25 MB |  104.73 MB |  129.74 MB
        -----------------------+------------+-----------
        estimated        26 MB |     111 MB |     137 MB
]]> http://www.enterprise-java.co.uk/debian/managing-and-measuring-bandwidth/feed/ Debian SSH Security http://www.enterprise-java.co.uk/debian/debian-ssh-security/ http://www.enterprise-java.co.uk/debian/debian-ssh-security/#comments Sat, 16 Aug 2008 20:26:43 +0000 mark http://www.enterprise-java.co.uk/?p=16 Within two days of having my out of the box Debian install exposed to the internet I realised something had to be done about my SSH security.

I was getting a large amount of attempts to access my server. This was logged to /var/log/auth.log.

Attempts ranging from guessing the system’s users:

Aug 12 19:01:04 sailes sshd[11017]: Invalid user alex from 221.11.123.149
Aug 12 19:01:04 sailes sshd[11017]: (pam_unix) check pass; user unknown
Aug 12 19:01:04 sailes sshd[11017]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:05 sailes sshd[11017]: Failed password for invalid user alex from 221.11.123.149 port 41122 ssh2
Aug 12 19:01:08 sailes sshd[11021]: Invalid user brett from 221.11.123.149
Aug 12 19:01:09 sailes sshd[11021]: (pam_unix) check pass; user unknown
Aug 12 19:01:09 sailes sshd[11021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:11 sailes sshd[11021]: Failed password for invalid user brett from 221.11.123.149 port 41238 ssh2
Aug 12 19:01:13 sailes sshd[11025]: Invalid user mike from 221.11.123.149
Aug 12 19:01:14 sailes sshd[11025]: (pam_unix) check pass; user unknown
Aug 12 19:01:14 sailes sshd[11025]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149
Aug 12 19:01:16 sailes sshd[11025]: Failed password for invalid user mike from 221.11.123.149 port 41366 ssh2
Aug 12 19:01:19 sailes sshd[11029]: Invalid user alan from 221.11.123.149
Aug 12 19:01:19 sailes sshd[11029]: (pam_unix) check pass; user unknown
Aug 12 19:01:19 sailes sshd[11029]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.11.123.149

To attempting to brute force the root password:
Aug 16 21:05:12 sailes sshd[24111]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.75.189.67 user=root
Aug 16 21:05:14 sailes sshd[24111]: Failed password for root from 65.75.189.67 port 36171 ssh2
Aug 16 21:05:15 sailes sshd[24115]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.75.189.67 user=root
Aug 16 21:05:18 sailes sshd[24115]: Failed password for root from 65.75.189.67 port 36489 ssh2

Also alsorts of crazy other error messages which no doubt came from attempting to exploit various potential security flaws.

This was obviously not a good situation, luckily many people offered advice. Ideally what I should have done was to only allow management access to my own static ip address. But this doesn’t suit me, I like to be able to do anything from anywhere.

Another suggestion was to change the port ssh listens on. This is a very good suggestion, and one I would pass onto others. It seems like 99% of the attackers don’t bother to check for ssh listening on a non-standard port. I didn’t want to do this because that would mean I would have to remember yet another custom port, but also due to strict firewall policies I had to contend with.

Finally I decided on installing a piece of software called DenyHost

# apt-get install denyhost

This python application runs frequently throught the day monitoring my auth.log, when it sees suspicious behaviour it bans the ip address from the service.

Now my hosts.deny file is now increasing almost daily with naughty ip addresses.

sailes:/# cat /etc/hosts.deny
sshd: 221.11.123.149
sshd: 89.96.182.197
sshd: 211.239.157.222

Although this is not the most secure option, I feel it best suits my needs.

]]> http://www.enterprise-java.co.uk/debian/debian-ssh-security/feed/