Monday, June 20, 2011

Basic Linux Security - SSH

It's been some time since my Linode VPS has been up. Haven't been paying any attention to it since I've been busy coding a web application. Thought I'd do some housekeeping, starting with the log files, and guess what? There's quite a number of individuals who are keen on getting into the server. Keep trying, as I need lots of practice to keep you out. I get a couple of these unique visitors daily. Here's one, from /var/log/auth.log:

Jun 19 10:13:03 debian sshd[327]: Invalid user mirain from 210.83.226.181
Jun 19 10:13:03 debian sshd[327]: pam_unix(sshd:auth): check pass; user unknown
Jun 19 10:13:03 debian sshd[327]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181
Jun 19 10:13:05 debian sshd[327]: Failed password for invalid user mirain from 210.83.226.181 port 58621 ssh2
Jun 19 10:13:06 debian sshd[329]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:06 debian sshd[329]: Invalid user opt2 from 210.83.226.181
Jun 19 10:13:06 debian sshd[329]: pam_unix(sshd:auth): check pass; user unknown
Jun 19 10:13:06 debian sshd[329]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181
Jun 19 10:13:08 debian sshd[329]: Failed password for invalid user opt2 from 210.83.226.181 port 58909 ssh2
Jun 19 10:13:10 debian sshd[331]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:10 debian sshd[331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181  user=root
Jun 19 10:13:12 debian sshd[331]: Failed password for root from 210.83.226.181 port 59144 ssh2
Jun 19 10:13:13 debian sshd[333]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:13 debian sshd[333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181  user=root
Jun 19 10:13:16 debian sshd[333]: Failed password for root from 210.83.226.181 port 59447 ssh2
Jun 19 10:13:17 debian sshd[335]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:13:17 debian sshd[335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.83.226.181  user=root
Jun 19 10:13:19 debian sshd[335]: Failed password for root from 210.83.226.181 port 59763 ssh2
Jun 19 10:13:21 debian sshd[337]: reverse mapping checking getaddrinfo for reverse.gdsz.cncnet.net [210.83.226.181] failed

A quick Google search gives some simple tips for my ssh setup. I'll just list them here for future reference.

  • Disable root login: in /etc/ssh/sshd_config, set PermitRootLogin no
  • Change the port sshd is listening on, e.g. Port 2229
  • Install fail2ban. Package description: bans IPs that cause multiple authentication errors
  • Change the shell for the nobody account to /bin/false or /bin/nologin
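
As an added example (not part of the original post), here is a small Python script that does roughly what fail2ban's sshd jail does: it parses the "Failed password" lines in the auth.log format shown above, groups them by source address, and flags any address that fails maxretry times within a findtime window. The sample lines are constructed to match that format, with addresses taken from documentation ranges rather than the real host in the log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password for ..." lines seen in the post's auth.log
# excerpt, for both unknown ("invalid user X") and existing accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines in the same format as the post's excerpt; the IPs
# are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Jun 19 10:13:05 debian sshd[327]: Failed password for invalid user mirain from 203.0.113.7 port 58621 ssh2
Jun 19 10:13:06 debian sshd[329]: Invalid user opt2 from 203.0.113.7
Jun 19 10:13:08 debian sshd[329]: Failed password for invalid user opt2 from 203.0.113.7 port 58909 ssh2
Jun 19 10:13:12 debian sshd[331]: Failed password for root from 203.0.113.7 port 59144 ssh2
Jun 19 10:13:16 debian sshd[333]: Failed password for root from 203.0.113.7 port 59447 ssh2
Jun 19 08:02:11 debian sshd[301]: Failed password for alice from 198.51.100.20 port 50122 ssh2
Jun 19 17:45:30 debian sshd[402]: Failed password for alice from 198.51.100.20 port 50877 ssh2
Jun 19 17:46:01 debian sshd[404]: Accepted publickey for alice from 198.51.100.20 port 50880 ssh2
""".splitlines()

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def failed_logins(lines, year=2011):
    """Group failed password attempts by source IP: {ip: [(time, user), ...]}."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            by_ip[m["ip"]].append((parse_ts(m["ts"], year), m["user"]))
    return by_ip

def brute_force_sources(lines, maxretry=3, findtime=600, year=2011):
    """fail2ban-style rule: flag an IP that fails `maxretry` times within any
    `findtime`-second window. Returns {ip: sorted usernames it tried}."""
    flagged = {}
    for ip, events in failed_logins(lines, year).items():
        events.sort()
        for i in range(len(events) - maxretry + 1):
            span = (events[i + maxretry - 1][0] - events[i][0]).total_seconds()
            if span <= findtime:  # a burst, not an occasional typo
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged
```

Running brute_force_sources(SAMPLE_LOG) flags only 203.0.113.7 (four failures in eleven seconds, three different usernames); alice's two typos hours apart stay below the threshold, which is the behaviour you want before handing the rule to fail2ban.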

There are still others, but these will do for now. Have to get back to coding.