SECURITY: Preventing Hacking Attempts
Novell Cool Solutions: Trench
By Chander Ganesan
Posted: 3 Nov 2005
PROBLEM: Messages such as the ones below constantly appear in system logs on my systems that are connected to the Internet. How can I prevent these hacking attempts?
Sep 19 04:25:20 fs1 sshd[24929]: Illegal user halt from ::ffff:207.192.9.249
Sep 19 04:25:28 fs1 sshd[24937]: Illegal user operator from ::ffff:207.192.9.249
Sep 19 04:25:31 fs1 sshd[24941]: Illegal user gopher from ::ffff:207.192.9.249
Sep 19 04:25:37 fs1 sshd[24947]: Illegal user rpm from ::ffff:207.192.9.249
Sep 19 04:25:43 fs1 sshd[24949]: Illegal user vcsa from ::ffff:207.192.9.249
Sep 19 04:25:44 fs1 sshd[24951]: Illegal user nscd from ::ffff:207.192.9.249
Sep 19 04:25:50 fs1 sshd[24955]: Illegal user rpc from ::ffff:207.192.9.249
Sep 19 04:25:52 fs1 sshd[24957]: Illegal user rpcuser from ::ffff:207.192.9.249
Sep 19 04:25:57 fs1 sshd[24959]: Illegal user nfsnobody from ::ffff:207.192.9.249
SOLUTION: These messages are generated by automated tools that hackers run. They are designed to exploit systems where users have common usernames and weak passwords. Hackers write these tools to "scan" the Internet for systems whose SSH ports are exposed, and then work through a database of usernames and passwords, trying each one in turn to get into an account.
Dealing with these users is problematic for a few reasons:
- Sometimes they come from networks where your users might also be originating - meaning if you block the networks, you block the users.
- These requests happen regularly, but rarely from the same IP address. Blocking them should be effective, but shouldn't overload your system's routing table or other "blacklisting" mechanism.
- They happen at times when you wouldn't expect them, such as at night, or when you are on vacation. No administrator can *constantly* watch logs, and dealing with these by hand would be impractical.
- A user "fat fingering" his/her userid and password shouldn't cause him/her to be blacklisted.
A few solutions are available to deal with these problems; below is a script that exemplifies one of them.
In this script we scan the log for "Illegal" users entered via SSH. We then look at the result and count the consecutive occurrences of illegal logins from the same address. If there are 5 in a row (or more), we block the offending address by overwriting the "/etc/hosts.deny" file.
Rather than grow the list forever, we overwrite the whole file every time. Since these requests seem to come from different addresses each time, there is little value in keeping a growing list (and over time it would become unwieldy anyway). As a result, when the system logs rotate, the file is started fresh.
The example script (when placed into a cron job) can run at regular intervals (I run it every minute) to block out offending requests: hackers get 1 minute to hack in, and then they are denied access. Note that this relies on sshd honoring TCP wrappers (/etc/hosts.deny), which the OpenSSH builds of that time did; an OpenSSH built without libwrap ignores the file, and the same logic would have to feed a firewall rule instead.
This solution also cuts down on excessive network traffic, since blocked connections are dropped before authentication.
EXAMPLE: See script below:
#!/bin/bash
LAST_IP=0.0.0.0
COUNT=1
# Set MAXCOUNT to the maximum consecutive failures allowed before blacklisting
MAXCOUNT=5
#
# The echo below puts the leading lines in /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file.
#
echo '
# /etc/hosts.deny
# See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL' > /etc/hosts.deny
#
# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address, and count the consecutive failures from that IP.
# If the IP fails MAXCOUNT times (or more) in a row - deny further access.
#
# The sed expression prints only the IPv4 address of each matching line:
# it accepts "Illegal user" or "Invalid user" (either capitalisation),
# drops the optional ::ffff: prefix, and discards anything after the
# address (e.g. "port 4541 ssh2"). Non-matching lines print nothing.
# The trailing 0.0.0.0 sentinel forces the last run of addresses to be checked.
#
for IP in $(/bin/grep sshd /var/log/messages \
            | /bin/sed -n -E 's/^.*[Ii](llegal|nvalid) user .* from (::ffff:)?([0-9.]+).*$/\3/p') 0.0.0.0; do
    if [ "${LAST_IP}" = "${IP}" ]; then
        COUNT=$((COUNT + 1))
    else
        if [ "${COUNT}" -ge "${MAXCOUNT}" ]; then
            echo "ALL: ${LAST_IP}/32" >> /etc/hosts.deny
        fi
        LAST_IP=${IP}
        COUNT=1
    fi
done
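As an added example (not part of the original article or its script), the same scan written in Python: it extracts the source address from each of the log formats quoted on this page (the ::ffff: prefix, the "Failed password for illegal user ... port N ssh2" form and bare IPv4 lines), applies the script's "N failures in a row" rule, and contrasts it with a total-count rule that also catches an address whose attempts are interleaved with others. The log lines are constructed sample data; the thresholds and function names are this example's own.

```python
import re

# Constructed sample log (not from a real system) mixing the formats quoted on
# this page: "Illegal user" with the ::ffff: IPv4-mapped prefix, SLES8/Fedora
# "Failed password for illegal user ... port N ssh2", SUSE 10 "Invalid user",
# and a FreeBSD line with a bare IPv4 address.
SAMPLE_LOG = """\
Sep 19 04:25:20 fs1 sshd[24929]: Illegal user halt from ::ffff:207.192.9.249
Sep 19 04:25:28 fs1 sshd[24937]: Illegal user operator from ::ffff:207.192.9.249
Sep 19 04:25:31 fs1 sshd[24941]: Illegal user gopher from ::ffff:207.192.9.249
Nov  3 20:39:58 myhost sshd[8972]: Failed password for illegal user admin from ::ffff:210.118.26.50 port 4541 ssh2
Nov  9 10:05:38 pavillion sshd[15574]: Invalid user homer from 66.70.159.21
Nov  3 20:40:02 myhost sshd[8975]: Failed password for illegal user test from ::ffff:210.118.26.50 port 4542 ssh2
Aug 18 11:00:02 hostname sshd[63854]: Illegal user michell from 192.168.128.82
Nov  3 20:40:05 myhost sshd[8979]: Failed password for illegal user guest from ::ffff:210.118.26.50 port 4543 ssh2
"""

# One pattern for every variant: optional "Failed password for", either
# capitalisation of illegal/invalid, optional ::ffff: prefix; the trailing
# "port N ssh2" stays outside the capture group.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for )?(?:[Ii]llegal|[Ii]nvalid) user "
    r"\S+ from (?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\b")

def failed_login_ips(log_text):
    """Source IPs of failed sshd logins, in log order (what the script's sed yields)."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [m.group(1) for m in matches if m]

def consecutive_offenders(ips, maxcount=5):
    """The cron script's rule: block only after maxcount failures in a row.
    Any other IP in between resets the run, so interleaved sources slip under it."""
    blocked, last, count = [], None, 0
    for ip in ips + [None]:  # None plays the script's trailing 0.0.0.0 sentinel
        if ip == last:
            count += 1
            continue
        if last is not None and count >= maxcount and last not in blocked:
            blocked.append(last)
        last, count = ip, 1
    return blocked

def total_offenders(ips, maxcount=5):
    """Stricter variant: count every failure per IP over the whole log."""
    counts = {}
    for ip in ips:
        counts[ip] = counts.get(ip, 0) + 1
    return [ip for ip, n in counts.items() if n >= maxcount]
```

With the sample above and a threshold of 3, the consecutive rule blocks only 207.192.9.249, while the total-count rule also blocks 210.118.26.50, whose three attempts are spread between other addresses.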
Reader Comments
- Another item that can help would be to change how long the system waits to return the prompt after a bad login attempt. YaST -> Security Settings -> Custom -> [click next a few times here] -> Delay after incorrect login attempt.
- Very useful. Amish
- The SLES8 log is a different format, e.g.
  Nov 3 20:39:58 myhostname sshd[8972]: Failed password for illegal user admin from ::ffff:210.118.26.50 port 4541 ssh2
  So the IP variable returns "210.118.26.50 port 4201 ssh2", causing the LASTIP = IP test to fail. Also note that the grep for "Illegal users" should be made case insensitive. What are the correct sed parameters to work with SLES8 format logs?
- I haven't seen what your log file looks like (SLES8). However, you might try just sticking a "cut -f 1 -d ' '" at the end of the sed line. That should cut out everything after the IP address (for SLES8).
- Nice! I had to make an adjustment for FreeBSD as the log file is named auth.log and the format is:
  Aug 18 11:00:02 hostname sshd[63854]: Illegal user michell from 192.168.128.82
- Since changing my SSH port I do not receive any brute force attempts.
- I see attempts in my log file but the script isn't applying the offending IP address to hosts.deny. Using SUSE 10 OSS, I changed "Illegal user" to "Invalid user" as it lists it in my log file, but I'm not sure what to change in the sed line to make it work with SUSE 10. Example:
  Nov 9 10:05:38 pavillion sshd[15574]: Invalid user homer from 66.70.159.21
- I altered this script slightly because I found that on my Fedora Core 3 box, there was additional information after the IP I needed to remove. I changed it to look for "Failed password", but in doing so had to add an additional sed statement. On my Fedora box, "Failed password" is logged even for invalid users; also, in case some joker found a good shell account and was attempting a dictionary hack, this script would prevent that action too.
  `/bin/grep sshd /var/log/secure|/bin/grep "Failed password"|/bin/sed 's/^.*from :*[a-z]*://'|/bin/sed 's/ .*//'`
  This is a log line:
  Failed password for invalid user bridg from ::ffff:64.251.25.85 port 41989 ssh2
  If you grep "Failed password" with the original script, it returns "64.251.25.85 port 41989 ssh2". I'm terrible at REs, so I piped to a second sed command. Maybe someone could post a better sed RE.
- Here's how I modified the script for SuSE10 log format. Just replace the grep line with:
  for IP in `/bin/grep sshd /var/log/messages|/bin/grep "Invalid user"|/bin/sed 's/^.*from//'` 0.0.0.0; do
  I'm not sure about the /bin/sed arguments, but it works as expected so far. Now, how about populating the hosts.deny file with sensitive IP ranges, such as those reported in the SafePeer list? How would you merge a remote txt list with the list created by this script?
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
