Force attacks against SSH

jeanmarc
Posts: 2028
Joined: Thu Aug 29, 2013 7:16 am

Force attacks against SSH

Post by jeanmarc » Thu Nov 14, 2019 8:23 am

Hi,
Lately I've been amazed at how many attacks I encounter against my SSH port. I've been looking at various solutions to calm those annoying intruders :evil:

I came up with a few good things that you might also do to further protect your logger:
- SSH keys
- Sshguard or Fail2ban
- Port knocking

First, I'll explain how I set up a simple yet powerful protection with SSH keys. The aim is to allow only recognized computers to access your logger.

You'll need to create an SSH key pair on your client: one will be public, the other private, which must be stored securely. The private key has a passphrase.

On a Linux system, it's simple to do so with ssh-keygen -b 4096
On a Windows system, read that guide about PuTTYgen.

Then, you must copy your public key to your logger. On Linux you can do so with ssh-copy-id username@remote-logger.org.
On Windows, you should log in and edit ~/.ssh/authorized_keys with vi. Paste the public key into the authorized_keys file.

Once you've done that, you can systemctl restart sshd and test whether all is OK with the new SSH authentication:
From Linux: just log in as usual
From Windows: in PuTTY, put your key under Connection > SSH > Auth. In WinSCP, Advanced > SSH > Authentication.

Edit /etc/ssh/sshd_config, set PasswordAuthentication no, and then again systemctl restart sshd.

:!: Beware, if you mess up you won't be able to remotely access your logger; only local access will be possible.
This would make your logger bulletproof against brute-force attacks :thumbup:

I'll explain Sshguard next.
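A check worth running before the restart in the last step, as an added example that is not part of the original post: sshd_config(5) takes the first uncommented value of each keyword, and everything after a Match line belongs to that Match block, so a PasswordAuthentication no appended to the end of a distro config can be silently ignored while an earlier PasswordAuthentication yes keeps winning. The Python below re-implements just those two parsing rules over two constructed config snippets (the snippets, and the set of keywords it flags, are my assumptions; the real pre-flight remains sshd -t plus a second SSH session kept open while you reconnect with the new settings).

```python
import re

# Constructed sshd_config snippets for the demonstration (not from a real host).
# The "bad" one shows the trap: the FIRST obtained value of a keyword wins, and
# everything after a Match line belongs to that Match block, so the
# "PasswordAuthentication no" appended at the end changes nothing.
BAD_CONFIG = """
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
Match User backup
    PasswordAuthentication no
# appended later, but ineffective: an earlier value already won, and this
# line sits inside the Match block anyway
PasswordAuthentication no
"""

GOOD_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/lib/ssh/sftp-server
"""


def sshd_effective(config_text, keyword):
    """Return the global value sshd would use for keyword, or None if unset.

    Mirrors the two rules from sshd_config(5) that matter here: the first
    uncommented value wins, and the global section ends at the first Match.
    Keyword matching is case-insensitive; "Keyword value" and "Keyword=value"
    are both accepted.
    """
    wanted = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        name, value = parts[0].lower(), parts[1].strip()
        if name == "match":
            break                      # global section ends here
        if name == wanted:
            return value               # first value wins, stop looking
    return None


def key_only_problems(config_text):
    """List what would still let a password in (or lock you out) after the
    change described above. An empty list means the config is safe to reload."""
    problems = []
    if sshd_effective(config_text, "PasswordAuthentication") != "no":
        problems.append("PasswordAuthentication is not 'no' in the global section "
                        "(remember: the first uncommented value wins)")
    if sshd_effective(config_text, "PubkeyAuthentication") == "no":
        problems.append("PubkeyAuthentication no would lock out key logins too")
    # With UsePAM, keyboard-interactive auth can still prompt for a password.
    for kw in ("ChallengeResponseAuthentication", "KbdInteractiveAuthentication"):
        if sshd_effective(config_text, kw) == "yes":
            problems.append(f"{kw} yes still allows password prompts via keyboard-interactive")
    return problems


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, "PasswordAuthentication =",
              sshd_effective(cfg, "PasswordAuthentication"))
        for p in key_only_problems(cfg):
            print("  !", p)
```

On a real box, feed it the contents of /etc/ssh/sshd_config (and, on distros that use it, anything pulled in by Include, which this simplified reader does not follow); a non-empty list means do not restart sshd yet.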

jeanmarc

Re: Force attacks against SSH

Post by jeanmarc » Thu Nov 14, 2019 10:06 am

Now for SSHGuard, it's another protection that blocks repeat offenders for a limited amount of time. The default time an offender is banned starts at 120 seconds and increases with each bad request. It can also be configured to ban permanently.

Install sshguard (on Arch: pacman -S sshguard)
Then use iptables: check the status with systemctl status iptables; if it is not running, systemctl enable iptables and systemctl start iptables.
Create a chain: iptables -N sshguard. This rule must be added before any other.
Block whatever SSHGuard says is bad: iptables -A INPUT -j sshguard
Save the rules: iptables-save > /etc/iptables/iptables.rules

Restart with systemctl restart iptables, and start SSHGuard: systemctl enable sshguard, systemctl start sshguard.
You can see offenders with systemctl status sshguard, and permanently banned ones are in /var/db/sshguard/blacklist.db
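The "before any other rule" point is the one that decides whether this setup works at all: iptables walks INPUT top to bottom, so an ACCEPT for port 22 that sits above the jump means the sshguard chain never sees that traffic and a banned address still reaches sshd. The following is an added example (my own code, not from the post or from sshguard) that reads an iptables-save dump and reports any ACCEPT evaluated before the jump. The two dumps are constructed, and the check assumes iptables-save's usual layout with -j TARGET last on each rule.

```python
# Constructed iptables-save dumps for the demonstration (not from a real host).
# In the bad one an ACCEPT for port 22 is evaluated before the jump to the
# sshguard chain, so a banned address still reaches sshd.
BAD_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard
-A INPUT -i lo -j ACCEPT
COMMIT
"""

GOOD_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

JUMP_RULE = "-A INPUT -j sshguard"


def filter_input_rules(dump_text):
    """Return (sshguard chain declared?, INPUT rules of the *filter table in order)."""
    chain_defined = False
    rules = []
    in_filter = False
    for raw in dump_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):             # table header: *nat, *filter, ...
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":sshguard "):  # chain declaration written for iptables -N
            chain_defined = True
        elif line.startswith("-A INPUT "):
            rules.append(line)
    return chain_defined, rules


def audit_sshguard(dump_text):
    """Problems with the sshguard hook-up; an empty list means every INPUT
    packet is checked against the sshguard chain before any ACCEPT."""
    chain_defined, rules = filter_input_rules(dump_text)
    problems = []
    if not chain_defined:
        problems.append("no sshguard chain in *filter (was iptables -N sshguard saved?)")
    if JUMP_RULE not in rules:
        problems.append(f"no '{JUMP_RULE}' rule in INPUT")
        return problems
    for rule in rules[: rules.index(JUMP_RULE)]:
        # assumption: iptables-save writes the target as '-j TARGET' at the end
        if rule.endswith("-j ACCEPT"):
            problems.append(f"evaluated before sshguard: {rule}")
    return problems


if __name__ == "__main__":
    for label, dump in (("bad", BAD_DUMP), ("good", GOOD_DUMP)):
        print(label, audit_sshguard(dump) or "ok")
```

On the logger itself, run it over the output of iptables-save (or over /etc/iptables/iptables.rules, which is what systemctl restart iptables will load); if it flags something, fix the order with iptables -I INPUT 1 -j sshguard and save again.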

jeanmarc

Re: Force attacks against SSH

Post by jeanmarc » Fri Dec 27, 2019 1:47 pm

:arrow: Edited :)
Time for Fail2ban. This one is more convenient than sshguard as you can create many rules for your needs.
If you use it, you'd better disable sshguard (systemctl stop sshguard && systemctl disable sshguard)

The first rule would obviously be to protect ssh. Create it as /etc/fail2ban/jail.d/custom.conf

[DEFAULT]
ignoreip  = 127.0.0.1/8
port = 0:65535
#findtime  = 1d
findtime = 3600
#bantime   = 2w
bantime = 60
maxretry = 3
banaction = iptables-allports

[sshd]

enabled   = true
filter    = sshd
backend   = systemd
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

then systemctl enable fail2ban && systemctl start fail2ban.
You can see the jails with fail2ban-client status and more details about the ssh jail with fail2ban-client status sshd.

Now, you can also activate other jail rules by enabling them; see examples in /etc/fail2ban/filter.d/

I wanted to protect HTTP authentication, so I've created a new rule for those spammers. Since the nginx access log is filling up way too much with mN/123s requests, I only redirect errors to an error.html file and log only 4xx errors.
In /etc/nginx/nginx.conf

..
	error_page 400 404 401 403 /error.html;
..
			# log unauthorized
			location = /error.html {
 				internal;
				access_log /var/log/nginx/4xxerror.log;
			}
..

nginx -t && systemctl restart nginx

Now for the rule, in /etc/fail2ban/jail.d/custom.conf add

..
[nginx-unauthorized]

enabled = true
filter = nginx-unauthorized
logpath = /var/log/nginx/4xxerror.log
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

As the filter, /etc/fail2ban/filter.d/nginx-unauthorized.conf

[Definition]
#failregex = ^<HOST> -.*
failregex = ^<HOST>.*"(GET|POST).*" (401|404|444|403|400) .*$
ignoreregex =

:idea: I had an issue using the latest Arch with iptables returning "iptables v1.8.3 (legacy): unknown option". I found the answer in /etc/fail2ban/action.d/iptables-common.conf: you need to set blocktype = DROP instead of REJECT.
You may do the same for blocktype in the ipv6 section.

systemctl restart fail2ban; you can see the status with fail2ban-client status nginx-unauthorized and the log with tail -f /var/log/fail2ban.log.
I still need to play with it but so far it's a real must-have tool :)

jeanmarc

Re: Force attacks against SSH

Post by jeanmarc » Mon Dec 30, 2019 1:37 pm

Still playing with fail2ban, here are some more thoughts..
I noticed sshd intruders weren't banned; I believe it was because MaxAuthTries was set to 1 in /etc/ssh/sshd_config. I now allow up to 3. (systemctl restart sshd)

I ended up with this as /etc/fail2ban/jail.d/custom.conf

[DEFAULT]
ignoreip  = 127.0.0.1/8 192.168.1.0/24 192.168.0.0/24
port = 0:65535
findtime  = 1d
#bantime   = 2w
bantime = 3600
maxretry = 5
banaction = iptables-allports

[sshd]

enabled   = true
filter    = sshd
backend   = systemd
maxretry = 2
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[nginx-unauthorized]

enabled = true
filter = nginx-unauthorized
logpath = /var/log/nginx/4xxerror.log
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

I also changed ../filter.d/nginx-unauthorized.conf to

[Definition]
failregex = ^<HOST>.*$
ignoreregex =

and I also followed the "Service hardening" part of the Arch wiki.

systemctl restart fail2ban, tail -f /var/log/fail2ban/fail2ban.log, iptables -L... waiting for invaders :shh:
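To see what the two custom.conf versions in this thread (first findtime 3600 / maxretry 3 with the status-code filter, then findtime 1d / maxretry 5 with the LAN in ignoreip and the catch-all ^<HOST>.*$ filter) actually do to lines of 4xxerror.log, here is an added example, my own code and not fail2ban's, that replays constructed nginx log lines through a simplified model of a jail: the <HOST> stand-in, the timestamp parsing and the fact that bantime and the ban itself are not modelled are assumptions, and the log lines and addresses are made up (TEST-NET ranges).

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/nginx/4xxerror.log (nginx "combined" format,
# TEST-NET addresses, not real traffic). Lines are in time order as written.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2019:13:40:01 +0100] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.67.0"
203.0.113.7 - - [27/Dec/2019:13:40:02 +0100] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.67.0"
203.0.113.7 - - [27/Dec/2019:13:40:03 +0100] "POST /admin/ HTTP/1.1" 401 188 "-" "curl/7.67.0"
192.168.1.20 - - [27/Dec/2019:13:41:10 +0100] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Dec/2019:13:42:00 +0100] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.22.0"
192.168.1.20 - - [27/Dec/2019:13:45:00 +0100] "GET /old.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.168.1.20 - - [27/Dec/2019:13:46:00 +0100] "GET /old2.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Dec/2019:15:10:00 +0100] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.22.0"
198.51.100.9 - - [27/Dec/2019:16:30:00 +0100] "GET /.env HTTP/1.1" 403 153 "-" "python-requests/2.22.0"
"""

# The two failregex variants from the thread.
STATUS_REGEX = r'^<HOST>.*"(GET|POST).*" (401|404|444|403|400) .*$'
ANY_LINE_REGEX = r"^<HOST>.*$"

# Stand-in for fail2ban's <HOST> expansion (assumption: close enough for
# dotted-quad and hostname fields; the real one also handles IPv4-mapped IPv6).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def line_time(line):
    return datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def is_ignored(host, ignoreip):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address: never ignored here
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(log_text, failregex, findtime, maxretry, ignoreip=()):
    """Replay a log through a jail's rules and return the hosts that would be
    banned, in ban order. A host is banned once it has maxretry matching lines
    inside a sliding window of findtime seconds (fail2ban semantics, simplified:
    the ban itself and bantime expiry are not modelled)."""
    failregex = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = {}                 # host -> timestamps of matches still inside the window
    banned = []
    for line in log_text.splitlines():
        m = failregex.match(line)
        if not m:
            continue
        host = m.group("host")
        if is_ignored(host, ignoreip):
            continue
        now = line_time(line)
        hits = [t for t in recent.get(host, []) if now - t <= window] + [now]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    # First custom.conf in the thread: findtime 3600, maxretry 3, only localhost ignored.
    print("status regex, 1h window, maxretry 3:",
          simulate_jail(SAMPLE_LOG, STATUS_REGEX, 3600, 3, ["127.0.0.1/8"]))
    # Revised custom.conf: LAN ignored, findtime 1d, maxretry 5, catch-all filter.
    lan = ["127.0.0.1/8", "192.168.1.0/24", "192.168.0.0/24"]
    print("any-line regex, 1d window, maxretry 5:",
          simulate_jail(SAMPLE_LOG, ANY_LINE_REGEX, 86400, 5, lan))
    print("any-line regex, 1d window, maxretry 3:",
          simulate_jail(SAMPLE_LOG, ANY_LINE_REGEX, 86400, 3, lan))
```

Two things the replay makes visible: with findtime 3600 the slow scanner at 198.51.100.9 (three hits spread over three hours) is never banned, and with the first version's ignoreip the LAN host 192.168.1.20 gets banned for three ordinary 404s. With the revised settings the LAN is exempt, the day-long window does catch the slow scanner, but maxretry 5 lets three probes pass. Against the real log and filter, fail2ban-regex /var/log/nginx/4xxerror.log /etc/fail2ban/filter.d/nginx-unauthorized.conf is the tool for the matching half of this check.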
