SECURITY: Preventing Hacking Attempts

Novell Cool Solutions: Trench
By Chander Ganesan


Posted: 3 Nov 2005

PROBLEM: Messages such as the ones below constantly appear in system logs on my systems that are connected to the Internet. How can I prevent these hacking attempts?

Sep 19 04:25:20 fs1 sshd[24929]: Illegal user halt from ::ffff:
Sep 19 04:25:28 fs1 sshd[24937]: Illegal user operator from ::ffff:
Sep 19 04:25:31 fs1 sshd[24941]: Illegal user gopher from ::ffff:
Sep 19 04:25:37 fs1 sshd[24947]: Illegal user rpm from ::ffff:
Sep 19 04:25:43 fs1 sshd[24949]: Illegal user vcsa from ::ffff:
Sep 19 04:25:44 fs1 sshd[24951]: Illegal user nscd from ::ffff:
Sep 19 04:25:50 fs1 sshd[24955]: Illegal user rpc from ::ffff:
Sep 19 04:25:52 fs1 sshd[24957]: Illegal user rpcuser from ::ffff:
Sep 19 04:25:57 fs1 sshd[24959]: Illegal user nfsnobody from ::ffff:

SOLUTION: These messages are generated by automated tools that hackers run. They are designed to exploit systems where accounts have common usernames and weak passwords. Hackers write these tools to "scan" the Internet for systems whose SSH ports are exposed, and then try a database of usernames and passwords against the accounts they find.

Dealing with these users is problematic for a few reasons:

  1. Sometimes they come from networks where your own users might also be originating - meaning if you block the networks, you block your users.
  2. These requests happen regularly, but rarely from the same IP address. Blocking them should be effective, but shouldn't overload your system's routing table or other "blacklisting" mechanism.
  3. They happen at times when you wouldn't expect them - such as at night, or when you are on vacation. No administrator can *constantly* watch logs, and dealing with these by hand would be problematic.
  4. A user "fat fingering" his/her userid and password shouldn't cause him/her to be blacklisted.

A few solutions are available to deal with these problems; below is a script that exemplifies one of them.

In this script we scan for "Illegal" users entered via SSH. We then look at the result and count the consecutive occurrences of illegal logins from the same address. If there are 5 in a row (or more) we block the offending address by overwriting the "/etc/hosts.deny" file.

Rather than grow the list forever, we overwrite the whole file - every time. Since these requests seem to come from different addresses each time, there is little value in keeping a growing list (and over time it would become unwieldy anyway). In this case, when system logs rotate, the file is started fresh.

The example script (when placed into a cron job) can run at regular intervals (I run it every minute) to block out offending requests - hackers get 1 minute to hack in - and then they are denied access.

This solution also cuts down on excessive network traffic.

EXAMPLE: See script below:


#!/bin/bash
# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5
LAST_IP=""
COUNT=0

# The echo below puts the leading lines in /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file.

echo '
# /etc/hosts.deny
# See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL' > /etc/hosts.deny

# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address (stripping the ::ffff: IPv4-mapped prefix when
# present) and count consecutive failures from that IP.
# If the IP fails MAXCOUNT times in a row - deny further access

for IP in `/bin/grep sshd /var/log/messages|/bin/grep "Illegal user"|/bin/sed 's/^.*from :*[a-z]*://; s/^.*from //'`; do
  if [ "${LAST_IP}" = "${IP}" ]; then
     let COUNT=${COUNT}+1
     # Write the deny entry once, when the threshold is first reached
     if [ ${COUNT} -eq ${MAXCOUNT} ]; then
        echo "ALL: ${LAST_IP}/32" >> /etc/hosts.deny
     fi
  else
     # A different address: start counting again for this one
     LAST_IP=${IP}
     COUNT=1
  fi
done
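The following is an added example, not the article's own script: it isolates the log-parsing and counting step so it can be run against sample data without touching /etc/hosts.deny. It counts failures per source address across the whole log rather than only consecutive runs (a source that interleaves with other traffic is therefore still caught), and it matches the "Invalid user" wording newer OpenSSH releases log in place of "Illegal user". The log lines and addresses below are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Constructed sample log lines
# stand in for /var/log/messages; the addresses are documentation ranges.
SAMPLE_LOG='Sep 19 04:25:20 fs1 sshd[24929]: Illegal user halt from ::ffff:192.0.2.10
Sep 19 04:25:28 fs1 sshd[24937]: Illegal user operator from ::ffff:192.0.2.10
Sep 19 04:25:31 fs1 sshd[24941]: Illegal user gopher from ::ffff:192.0.2.10
Sep 19 04:25:33 fs1 sshd[24943]: Illegal user bob from 198.51.100.7
Sep 19 04:25:37 fs1 sshd[24947]: Illegal user rpm from ::ffff:192.0.2.10
Sep 19 04:25:43 fs1 sshd[24949]: Illegal user vcsa from ::ffff:192.0.2.10
Sep 19 04:25:44 fs1 sshd[24951]: Illegal user nscd from ::ffff:192.0.2.10
Sep 19 04:25:50 fs1 sshd[24955]: Invalid user rpc from 203.0.113.5 port 40122
Sep 19 04:25:52 fs1 sshd[24957]: Invalid user rpcuser from 203.0.113.5 port 40130
Sep 19 04:25:57 fs1 sshd[24959]: Invalid user nfsnobody from 203.0.113.5 port 40141
Sep 19 04:26:01 fs1 sshd[24961]: Invalid user admin from 203.0.113.5 port 40150
Sep 19 04:26:05 fs1 sshd[24963]: Invalid user test from 203.0.113.5 port 40162'

# deny_entries MAXCOUNT
# Reads syslog lines on stdin and prints one "ALL: <address>" line, in the
# hosts.deny format the article uses, for each source that reaches MAXCOUNT
# failed logins. Each address is printed once, at the moment it hits the
# threshold. A single typo (198.51.100.7 above) never reaches it.
deny_entries() {
    grep 'sshd\[' | grep -E 'I(llegal|nvalid) user' |
    # keep everything after "from ", then drop the IPv4-mapped prefix
    sed -e 's/^.*from //' -e 's/^::ffff://' |
    # $1 is the address even when a trailing "port N" is present
    awk -v max="$1" '{ n[$1]++ } n[$1] == max { print "ALL: " $1 }'
}

# Usage against the constructed sample (real use: < /var/log/messages)
printf '%s\n' "$SAMPLE_LOG" | deny_entries 5
```

Redirecting the function's output with `>> /etc/hosts.deny` after writing the header lines reproduces the article's file layout.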


© Micro Focus