12

My webserver is constantly attacked by various IP addresses. They try five passwords and then change the IP address.

I have done various lockdowns like using ssh-keys and not permitting passwords, and not allowing remote root login.

Is there something I can do to get rid of these attack attempts? Failing that, are there specific defenses I should put up?

Improve this question
7
  • 1
    Flagging for a migrate to security.se where it is a bit more on-topic Commented Sep 27, 2011 at 7:36
  • 1
    @Rory There's a difference between "a bit more on-topic someone else" and "off-topic here" -- it seems pretty clearly on-topic here Commented Sep 27, 2011 at 8:14
  • No worries @Michael. Had a ping from Gilles to come and look at it as it was possibly offtopic here. Commented Sep 27, 2011 at 9:09
  • @Rory Ok, I'll ask him about it; he's usually pretty good at convincing me something I think is {off,on}topic is actually {on,off}topic Commented Sep 27, 2011 at 13:44
  • 1
    My question seems to have been changed beyond recognition. In my original question I was really trying to find out if it was common for every site to experience brute force attacks - i.e. is it a fact of life. This was answered by Matteo with "It is indeed a fact of life.". The second part of the question was asking what i could do to actively stop these attacks apart from putting up defences. This would have been a relevant secondary question if only certain sites suffered from brute force attacks. It was answered by Bruce with his tarpit idea. I didn't really ask for defensive tips. Commented Sep 27, 2011 at 17:09

8 Answers 8

Reset to default
15

I followed these instructions to add a 7-second delay to each wrong-password SSH login attempt. I made my sshd into a "tarpit" for the brute-force scanners.

I should also add that I have my modified, tarpit sshd log the failed passwords. This may not be entirely ethical, as it gives the root user a look at what regular users mis-type as their own passwords, but since I'm the only "real" user, I figure that's OK.

I don't have it run on a non-standard port, as the "tarpit" aspect would not waste anyone's time.

Improve this answer
2
  • Also, use a non-standard port and use keys instead of passwords. Then they have almost no hope (providing they don't get ahold of the keys, which should all be passworded anyway). Commented Sep 26, 2011 at 17:49
  • This is a nice answer because it has a bit of an 'offensive' approach rather than being purely 'defensive' which I think adds to moral. Commented Sep 27, 2011 at 4:24
14

It is indeed a fact of life. You can install tools to filter out hosts that are attacking you after a couple of failed attempts.

DenyHosts analyzes your log files and automatically adds attackers to your /etc/hosts.deny file.

Check the documentation on how to configure it for your needs.

Update: some important points suggested in the comments

  • be sure to properly configure tools as DenyHosts since you could lock yourself out (e.g., you can configure a machine or network that is never filtered)

  • DenyHosts does not increase your system security: it only filters attacks at the IP level (it might reduce the load on small machines and reduce the size of the log files but nothing more)

Improve this answer
5
  • 1
    Aaah. I was beginning to think that I was special. Thanks for putting me straight. Commented Sep 26, 2011 at 9:37
  • Extending on Matteo, your question is almost answered exactly refs Q1.3 denyhosts.sourceforge.net/faq.html#1_0 Commented Sep 26, 2011 at 16:37
  • @whoami Thanks for the link, a nice summary. Although one thing that always goes though my mind when I see the use a different port tip is 'how do you know that the alternative port that you choose is not used by something else already?' Commented Sep 26, 2011 at 17:20
  • 1
    Be careful with DenyHosts and similar tools, since they introduce additional complexity, i.e. they may create security issues on there own, cf. the 2nd comment on unix.stackexchange.com/questions/2942/… Commented Sep 26, 2011 at 18:26
  • 1
    Also be careful with DenyHosts because you might lock yourself out of your machine. A simple apt-get install denyhosts got me locked out of my machine. Commented Sep 26, 2011 at 20:58
9

If only a small number of people need to SSH to the system then consider moving SSH to a non-standard port (e.g. 6422, 8080, etc.) That alone will reduce the number of login attempts greatly (and possibly protect you from some unpatched SSH exploit based worm, for example).

Improve this answer
1
  • 4
    +1 Rather useful as it limits the annoyance, but do not mistake this for a security measure - this is a closer equivalent of a screen door against mosquitoes than of a security lock. Commented Sep 27, 2011 at 9:36
6

Concur with @Matteo's answer; what you're seeing is essentially thousands of zombie'd systems executing a distributed brute-force attack on your server because there is a website running on it, which means there may be users that might have a login account that might possibly be guessed with minimal effort on the part of the script kiddie - he's got a program that orders the thousands of zombies to make the bruteforce attempts on a few hundred website hosts at a time and just compile a list of the successful returns.

Similarly, you may sometimes see lots of permuations of "http://your.web.host/phpmyadmin/" in your /var/log/apache2/access.log files; these are automated scans for the most common ways of setting up PHPMyAdmin, and will attempt a number of known exploits if one is found (this, incidentally, is why I've started telling customers to please use the PMA site I personally set up and keep up to date rather than installing their own version and forgetting to keep it updated, but now we're off on a tangent).

Aside from sending out the original command, it doesn't even cost him time or bandwidth; it's fire and forget.

Another very useful bit of software for situations like this is fail2ban, which uses iptables to block connection attempts after multiple clearly false logon or other exploit attempts.

Improve this answer
4

Try to configure Fail2ban. It provides a very flexible way to search for failed attempts, and it has templates for SSH, HTTP and common services.

Fail2ban will update iptables according to your actions.. I love it.

Improve this answer
3

You can use IPTABLES to stop traffic without running a daemon like Fail2Ban or DenyHosts.

# Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest to prevent SSH attacks) -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Improve this answer
2

If you can manage it, I find the best way to deal with stuff like this is to use a VPN. That way, the only thing they can target is the VPN. There shouldn't be any services open to the world at large, except those which are necessary for "everyone" to access, such as your web server. Everything else should be blocked by the firewall. Now the only thing you really have to worry about securing is your VPN. If you can, get a static IP for the computers you manage your servers from, and lock your VPN down to that specific IP address. This is really the only way to stop people from trying to brute-force the passwords.

Improve this answer
0

Sshguard works great. I'm using it together with iptables.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.