Ubuntu: Brute Force Attacks
kevin.vanzonneveld.net — How to Block Brute Force Attacks with only 2 iptables rules. Without it your server is a sitting duck waiting for a bot to guess the right combination and hit the jackpot.
- 1026 diggs
- crashsystems, on 10/10/2007, -1/+35: An even easier way to block brute force attacks:
sudo apt-get install denyhosts
Denyhosts is simpler to set up, and gives you more options through the config file (though the defaults work quite well).
- jessejoedotcom, on 10/10/2007, -0/+3: Agreed, Denyhosts is perfect for this.
http://denyhosts.sourceforge.net/
"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
DenyHosts attempts to address the above... and more."
- jessekeys, on 10/10/2007, -0/+2: http://digg.com/linux_unix/HOWTO_Five_steps_to_a_more_secure_SSH?t=3647652#c3647652
- bigtomrodney, on 10/10/2007, -2/+4: The first thing to do is to switch SSH to another port. Running on port 22 isn't a great idea because all of the bots are checking port 22. If you run on another random port then it has to be a direct and intentional attack as the attacker will have to portscan you first. So 99% of attacks are gone. I used to get 60-70 attempts a day on my SSH. I haven't had a single attempt in the 18 months since I switched to another port.
- bigtomrodney, on 10/10/2007, -0/+1: Also, sshd is not installed by default in Feisty. So this only applies to users who use ssh and not all Ubuntu users.
- tommyboy180, on 10/10/2007, -0/+1: How to install Denyhosts - http://www.mot.is-a-geek.com/web/walkthrough/denyhosts.html
- kevmaster, on 10/10/2007, -0/+14: fail2ban is nice too, each method has its advantages in different situations but as stated in the article:
The advantage of this method is that there is no log parsing involved which makes the banning instant.
It's also faster because it all works on kernel level.
- dlichteman, on 10/10/2007, -0/+1: I have installed fail2ban on my server, it is EXTREMELY easy to set up and works perfectly with Ubuntu 6.10. One thing that I like with fail2ban vs this method is that it bans the IP addresses based on a certain amount of failed logins versus just plain logins. Sometimes I open multiple windows and if someone else is doing so we might accidentally ban ourselves.
- maz2331, on 10/10/2007, -0/+1: I use fail2ban on any server I setup that faces the Internet, and configure it in a draconian manner. After 5 failed logins, that host gets blackholed permanently from all connections on all services, not just SSH. After all, why accept mail or web hack requests from someone who tries to hack my box via SSH?
- Salgat, on 10/10/2007, -2/+10: I remember when I was testing a VNC server. After setting it up, I received several very random requests from people to view on desktop, although I never told anyone about it. Needless to say, I uninstalled it, although this story is pretty irrelevant.
- Fartag, on 10/10/2007, -0/+2: For vncserver make sure that sucker is an updated version! There was a ridiculous exploit (specify an invalid password method and it doesn't know how to do that so it just let people in!) for it about a year ago, if I'm remembering right. Also, if you run it in Linux it's probably nice to go ahead and just run it with the flags:
-localhost
and
-nolisten tcp
so it doesn't listen on any remotely accessible sockets anyway. That way you can ssh into the machine and run vncviewer there so it's tunneled safely through ssh (where ssh login has protections against brute force or other remote attacks). Seems pretty safe that way!
- squeaker, on 10/10/2007, -0/+1: That's definitely the only reasonable way to run VNC...
A colocated server in my company's data center got pwn3d because the admin didn't think he needed to keep his server up to date.
- rappermas, on 10/10/2007, -1/+1: Can we have one that shows how this is done in IP Filter, IP Firewall, or Packet Filter?
- dicerandom, on 10/10/2007, -0/+1: First hit googling for pf connection rate limiting: http://www.bgnett.no/~peter/pf/en/bruteforce.html
- t0ny, on 10/10/2007, -1/+10: I don't care if they are trying to brute force my server.
90% of the time you are trying to get in with default users and passwords.
My solution to this is to block root, and I set up a group of allowed ssh users. So it's very rare they even try my account.
- vfrex, on 10/10/2007, -1/+3: Yeah. Even then, enforcing password strength will do the trick.
- maino82, on 10/10/2007, -0/+1: security through obscurity only works for so long. i learned that the hard way. ever since i've been fanatical about using denyhosts along with requiring ssh key pairs with a strong passphrase. don't learn the hard way like i did!
- qwuinc, on 10/10/2007, -0/+0: I'm not sure if disabling root login can be considered security through obscurity, I'd call it common sense myself :)
- HearWa, on 10/10/2007, -1/+1: Yes, because "they" are humans who chose your machine specifically...
"...an attacker only needs 525 Zombies to scan the entire IP4 of today's public Internet in just one day."
http://www.securityfocus.com/infocus/1876
These attacks are more often than not completely random in nature. If you don't believe me, read any Linux box's auth.log that has ssh enabled.
- cnowacek, on 10/10/2007, -2/+13: The jackpot... a web server with no usable information. My life is boring and so is my data.
- dicerandom, on 10/10/2007, -0/+16: They don't want your data, they want a zombie to push out theirs.
- timestar, on 10/10/2007, -0/+7: Crackers and script kiddies don't care about your data - the less you have the more space there is for their scripts and warez.
- chandler, on 10/10/2007, -4/+7: Just use a 15 character password... it's uncrackable.
Then cat /var/log/messages | grep sshd | awk '{print $5}' and release all known IPs to the other bots that browse your server for said information. Bots attacking bots. :)
- sexybobo, on 10/10/2007, -1/+9: nothing is uncrackable.
- chandler, on 10/10/2007, -2/+3: Given today's hardware it'll take approximately 30 years to be cracked--therefore deemed uncrackable. But yes, without the time frame it may be cracked.
- chandler, on 10/10/2007, -1/+3: This is for the math lovers -- 26 lower case chars, 26 upper case chars, 10 digits, 10 symbols = 72 chars. 15^72 = 7244150201408990671659859968 (7,244,150,201,408,990,671,659,859,968) / 500,000 guesses per second (2.3 quad core, 8 GB RAM) = 24147167338029968905532.86656 seconds, 402452788967166148425.547776 minutes, 6707546482786102473.7591296 hours, 279481103449420936.4066304 days or 765701653286084 years. This is not assuming Moore's Law, in which this will be exponentially decreasing, and cannot be done on Windows Calculator.
- plncrzy, on 10/10/2007, -1/+0: I'm not even going to point out all the things that are wrong about your assessment.
- Salgat, on 10/10/2007, -0/+3: I believe it's 72^15 instead of 15^72, since you have 72 characters, and you multiply it by itself for the 15 slots, or 72*72*72...etc aka 72^15. Even then though, it's very unlikely anyone would ever break a 15 char pass.
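Added worked example, not from the thread: the search-space and cracking-time arithmetic the two comments above argue over, carried through with the thread's own figures (a 72-symbol alphabet, 15 characters, 500,000 guesses per second) plus an 8-character password from the same alphabet for comparison; the guess rate is the commenter's estimate, not a measured benchmark.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size, length):
    """Distinct passwords of exactly `length` symbols drawn from an alphabet of
    `alphabet_size` symbols: one independent choice per slot, so the count is
    alphabet_size ** length (not length ** alphabet_size)."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for the attacker: every candidate tried once at a constant rate."""
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def strength_bits(alphabet_size, length):
    """Entropy in bits of a password chosen uniformly at random from the space."""
    return length * math.log2(alphabet_size)


# Figures quoted in the thread: 26 + 26 + 10 + 10 symbols, 15 characters,
# and 500,000 guesses per second (the commenter's estimate, not a benchmark).
THREAD_ALPHABET = 26 + 26 + 10 + 10
THREAD_LENGTH = 15
THREAD_RATE = 500_000


def thread_figures():
    """Recompute the thread's numbers, and show how length dominates alphabet size."""
    return {
        "space": search_space(THREAD_ALPHABET, THREAD_LENGTH),
        "swapped_exponent": search_space(THREAD_LENGTH, THREAD_ALPHABET),  # 15**72, a different number
        "years_15_chars": years_to_exhaust(THREAD_ALPHABET, THREAD_LENGTH, THREAD_RATE),
        "years_8_chars": years_to_exhaust(THREAD_ALPHABET, 8, THREAD_RATE),
        "bits_15_chars": strength_bits(THREAD_ALPHABET, THREAD_LENGTH),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name}: {value:,}" if isinstance(value, int) else f"{name}: {value:.4g}")
```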
- Urusai, on 10/10/2007, -0/+4: "my voice is my passport, verify me"
- SEJeff, on 10/10/2007, -0/+4: "Then cat /var/log/messages | grep sshd | awk '{print $5}'"
Even better you might try to rip out the 100% useless use of cat and then use // in awk to do pattern matching:
awk '/sshd/{print $5}' /var/log/messages
Your command and ^ do the exact same thing and this one avoids 2 expensive fork() execs to echo and grep in a pipe.
grep sshd /var/log/messages | awk '{print $5}' also works
- blizzok, on 10/10/2007, -1/+17: i just don't use plain text authentication. public keys ftw.
- Niten, on 10/10/2007, -0/+7: Seconded. All it takes to make password crackers completely irrelevant is:
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
- maddud, on 10/10/2007, -3/+7: ... only Ubuntu?
- sexybobo, on 10/10/2007, -0/+3: really this has very little to do with ubuntu. People will usually only try to brute force your root account which by default isn't enabled and this is over ssh which is not installed by default. so this might be handy if you installed ssh but they can try to brute force my box all they want if they have to brute force the user name and password.
- maddud, on 10/10/2007, -0/+0: I am a Slackware administrator. I just don't understand why people try to tell us that all the "tricks" are only for ubuntu. I'm afraid that lots of people can be caught.
- tehmoth, on 10/10/2007, -0/+5: no, the ubuntu is only there so it reaches the frontpage.
- JeanNarH, on 10/10/2007, -3/+2: Shorewall / rules
ACCEPT net $FW tcp ssh - - 2/min:4
Anyone?
JeanNarH
- GothAlice, on 10/10/2007, -0/+0: That's basically how I've got our VoIP server set up FTW:
SSH/ACCEPT net $FW - - - - 2/minute:5
Web/ACCEPT net:10.0.0.0/8 $FW
Syslog/ACCEPT net:10.0.0.0/8 $FW
TFTP/ACCEPT net:10.0.0.0/8 $FW
Asterisk/ACCEPT net $FW
Ping/ALLOW net:10.0.0.0/8 $FW
Ping/REJECT net $FW
ACCEPT $FW net icmp
Add to that the fact that all SSH logins require a valid public/private keypair and that password-based attempts receive an instant IP ban.
- castegere, on 10/10/2007, -1/+3: Another thing, if you don't have a static IP address, no firewall rules will help you against brute force attacks. SSH 2 and some ingenuity is all you need + a healthy dose of paranoia. (The truly paranoid may wish to place motion sensors in the air ducts... )
- maz2331, on 10/10/2007, -0/+0: Nah, the truly paranoid run 2120 VAC high voltage lines through the air ducts....
- mauvehead, on 10/10/2007, -1/+2: I go another route and simply filter port 22 by IP. I also have a VPN connection I can use. But, I do use fail2ban for vsftpd, postfix and sshd. fail2ban is far better than denyhosts when it comes to supported protocols, from what I recall.
- coredump0x01, on 10/10/2007, -0/+3: Try sshblack http://www.pettingers.org/code/sshblack.html if you're looking for good SSH brute force protection. Hasn't let me down yet. Requires Perl.
- RCourtney, on 10/10/2007, -0/+1: We've used sshblack for years on all of our highly visible linux boxes. I'm sure other similar scripts probably work just as well, but sshblack was one of the first to address this issue and we've never had to look into anything else for blocking brute force ssh attacks and keeping the logs free from the clutter.
- quantumduck, on 10/10/2007, -3/+4: Or you could just set ssh to listen on another port. I did that and stopped getting bogus login attempts pretty much immediately.
- SEJeff, on 10/10/2007, -0/+3: Here is pretty much how I find out where your sshd server is running:
nmap -sV yourclasscsubnet.0/24
Obscurity through obscurity will prevent lame bots and script kiddies from finding your sshd, but it won't protect you from someone who has the first bit of knowledge about how things work.
- ekravchenko, on 10/10/2007, -0/+6: Why does the title say Ubuntu: ...??? It affects every linux distro which has ssh enabled... Now to something that I think you'll really enjoy http://www.youtube.com/watch?v=1dmVU08zVpA
- rogerbly, on 10/10/2007, -0/+0: right, seems like Ubuntu == Linux and Linux == Ubuntu these days
- krewemaynard, on 10/10/2007, -0/+1: I set up OSSEC HIDS a while back, and it's been great. It blocks SSH attacks and monitors your system for suspicious logins and changes.
http://www.ossec.net/
- Krechet, on 10/10/2007, -0/+4: I've been running this for some time on a couple of my servers (just home machines but often under fire from bots). For those of you savvy enough and vengeful enough to try to annoy these people: google iptables tarpit. This not only blocks the ip, but wastes the bot's time and resources for hours at no cost to you. What I actually did in my set up is I run a fake ssh server on port 22 (I'm behind a NAT router) and the aforementioned TARPIT rule. On something like 2200 or 2022 I usually run real ssh. Bots don't even bother looking that high if they see 22 open and then they get stuck for hours bringing "productivity" down. It's like youtube or myspace for bots...
- Krechet, on 10/10/2007, -0/+1: If you are feeling real "malicious" google "annoying spammers" and "honeypot" and "scamming nigerian scammers 419".
- rclay, on 10/10/2007, -1/+3: Obviously this is applicable to all Linux. I've tried it on Red Hat and CentOS.
- junml707, on 10/10/2007, -0/+5: Stupid question...
I've never used Linux before (I've only ever used Windows) (unless you count a little DOS action back in the day) and I'm thinking about trying Ubuntu for the first time. Do I need to worry about this configuration on my personal PC (that I use for general web surfing over cable internet), or is this article just for people running a server?
- bobcrotch, on 10/10/2007, -0/+2: haha even the Ubuntu zealots are trying to be elitists and digging you down.
Your best security policies are going to be not running sshd, a web server, mail server, or any other public facing services you don't plan on using. That coupled with a secure password is pretty decent.
Unfortunately in this case Linux provides a great deal of control over your system and in some cases that can be pretty dangerous. Setting up an open relay mistakenly would be a great example.
- felyduw, on 10/10/2007, -1/+1: Server.
- Acglaphotis, on 10/10/2007, -2/+3: Ubuntu doesn't come with ssh by default.
- gometro33, on 10/10/2007, -2/+1: sudo apt-get install openssh-server
- MatthewBlack, on 10/10/2007, -0/+1: Yes, sort of. On most distros all the server applications (eg sshd) come on the install disk, or are at least very easy to install automatically over the internet using a package manager. So if you don't know what you are doing, you might decide to install the wrong thing and open yourself up.
- trogdoor, on 10/10/2007, -0/+2: No you do not, as Acglaphotis said and for some reason was dugg down, Ubuntu does not listen on any ports other than for ICMP ( ping ) and does not even have an ssh server installed by default, if you decide to install ssh and forward it to your computer from your router then you should follow this, if not it will do absolutely nothing.
- qwuinc, on 10/10/2007, -0/+0: @trogdoor
Sorry for being a nitpick, but ICMP packets don't actually have source/destination ports (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Header) unlike TCP/UDP. ;-)
Also, you can check what ports your box is listening on by running "netstat -nlpt" as root.
- OrangeTide, on 10/10/2007, -1/+1: I like the solution, except it doesn't have any exception IPs to prevent DoS attacks.
- uberdesigner, on 10/10/2007, -11/+2: Linux is even junkier than Windows. That's what happens when amateurs build an operating system.
- Shdwdrgn, on 10/10/2007, -1/+3: Yeah because Windows has a much more elegant solution for this problem when you run an SSH server. Oh wait, no it doesn't. Come to think of it, Windows doesn't have ANY solution for this problem.
- FKnight, on 10/10/2007, -1/+1: Hey, dumbass. It's called account lockout policies with lockout expiration timers. Person's password fails 5 times, the account is locked out for two hours (all configurable thresholds and timeouts). Try reading up on how Windows works before you make up some ***** ignorant crap about it.
- thesarlacc, on 10/10/2007, -0/+0: And here I was thinking Windows never worked.
- nukem996, on 10/10/2007, -0/+3: FKnight: How do you do things quickly and remotely by command line in Windows such as set up a web server, move files and manage users? Oh wait, you can't, so I think it's you who needs to STFU.
- NinjitsuStylee, on 10/10/2007, -1/+2: "Amateurs" eh? Provide evidence to your claim or abandon digg trolling forever. You'll never survive here.
- HeyArnold, on 10/10/2007, -2/+1: ok, where's the greasemonkey script that replaces "ubuntu" with LINUX?
I swear, it's like there aren't 99e100 distros out.
- lonniebiz, on 10/10/2007, -1/+2: Just be glad that people are excited about Linux; let them call it Ubuntu if that's what they've started with. I find your complaint more annoying than their oversight.
- NinjitsuStylee, on 10/10/2007, -0/+2: I'm gonna have to agree with lonniebiz on this one.
Be proud that even though there are 99e100 distros out there, at least one of them is finally getting the spotlight in the desktop OS world. (And FYI I'm well aware that there have been dozens of successful Linux distros out there, I'm just saying that Ubuntu is going more mainstream slowly and steadily, and we in the Linux world should appreciate that).
- senfo, on 10/10/2007, -1/+1: Ok, so a hacker would just have to slow down the rate at which a username/password combination is tried and this "fix" is rendered useless. You're better off enforcing keys and/or strong passwords, and permitting only certain users/groups.
- Twelve-60, on 10/10/2007, -0/+3: Yeah, I'm sure they would get far with 8 per minute you idiot.
- portviper, on 10/10/2007, -4/+0: lmao @ uberdesigner.... Nix is a "thinking man's" OS which no doubt leaves you out anyway. The Amateurs say pfffffffffft!
- mwyres, on 10/10/2007, -1/+2: hmmm - how's about moving SSH away from port 22??? I run mine on a completely different port, and I don't get any brute force attempts...at all...
- javaroast, on 10/10/2007, -1/+3: Buried for lame use of Ubuntu in the title
- DiggFight, on 10/10/2007, -1/+1: The article doesn't really have anything to do with Ubuntu. Dugg because it's a good article and the author got on the front page by outsmarting retarded Ubuntu fanboys.
- dasunst3r, on 10/10/2007, -0/+2: Agreed -- Even though I use Ubuntu, I am burying anything with "Ubuntu" in the title. This does not apply exclusively to Ubuntu -- it applies for all Linux.
- Ausome1, on 10/10/2007, -0/+1: Here's a little iptable rule set to use http://2020code.com/story.php?title=Block-SSH-Brute-Force-Attempts- It basically forces a two second pause between ssh connections and after five connections from the same IP in the span of a minute it automatically blacklists them. The block doesn't expire until a full hour elapses with no connection attempts.
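Added example, not the rule set from the linked page: a small Python model of the ban logic the comment above describes (five new connections from one source inside a minute put it on a blacklist, and every further attempt restarts a one-hour timer), with the exception list for administrator addresses that OrangeTide's comment asks for, so rate limiting cannot be turned into a lockout of your own access. The sample traffic is constructed and uses RFC 5737 documentation addresses; the two-second pacing rule is not modelled.

```python
from collections import defaultdict


class SshRateLimiter:
    """Simplified model of the iptables 'recent'-style rule set described in the
    thread, not the kernel module itself: a source that opens `hitcount` new SSH
    connections within `window` seconds is blacklisted, every further attempt
    refreshes its entry, and the entry only expires after `ban_seconds` with no
    attempts at all. Whitelisted sources are never limited."""

    def __init__(self, hitcount=5, window=60, ban_seconds=3600, whitelist=()):
        self.hitcount = hitcount
        self.window = window
        self.ban_seconds = ban_seconds
        self.whitelist = set(whitelist)
        self.stamps = defaultdict(list)  # source -> timestamps of accepted attempts
        self.banned = {}                 # source -> time of its latest attempt while banned

    def check(self, src, now):
        """Verdict ('ACCEPT' or 'DROP') for a NEW connection to port 22 from src at time now."""
        if src in self.whitelist:
            return "ACCEPT"              # exception list: admins cannot lock themselves out
        last = self.banned.get(src)
        if last is not None:
            if now - last < self.ban_seconds:
                self.banned[src] = now   # like --update: each attempt restarts the hour
                return "DROP"
            del self.banned[src]         # an hour of silence: the entry has expired
            self.stamps[src].clear()
        recent = [t for t in self.stamps[src] if now - t <= self.window]
        if len(recent) >= self.hitcount:
            self.banned[src] = now       # hitcount already reached inside the window
            return "DROP"
        self.stamps[src] = recent + [now]
        return "ACCEPT"


def simulate(events, whitelist=()):
    """Feed (seconds, source) events through the limiter in time order and
    return each source's verdicts as a list."""
    limiter = SshRateLimiter(whitelist=whitelist)
    verdicts = defaultdict(list)
    for t, src in sorted(events):
        verdicts[src].append(limiter.check(src, t))
    return dict(verdicts)


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),
    (15, "203.0.113.7"), (20, "203.0.113.7"),  # five attempts inside a minute: all pass
    (25, "203.0.113.7"),                        # sixth attempt: blacklisted from here on
    (625, "203.0.113.7"),                       # keeps trying ten minutes later: refreshes the ban
    (4224, "203.0.113.7"),                      # 3599 s after the last attempt: still banned
    (7825, "203.0.113.7"),                      # 3601 s of silence: the ban has expired
    (30, "198.51.100.4"), (31, "198.51.100.4"), (40, "198.51.100.4"),  # ordinary user, three logins
    (50, "192.0.2.10"), (50, "192.0.2.10"), (50, "192.0.2.10"),
    (50, "192.0.2.10"), (50, "192.0.2.10"), (50, "192.0.2.10"),        # whitelisted admin host
]

if __name__ == "__main__":
    for src, result in simulate(SAMPLE_EVENTS, whitelist={"192.0.2.10"}).items():
        print(src, " ".join(result))
```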
- evilgold, on 10/10/2007, -0/+1: so iptables is exclusive to ubuntu now? I just don't get why people find it necessary to replace the word linux with ubuntu... I think we should implement a filter on digg to automatically change the word ubuntu to linux...hell make it completely right and say gnu/linux. I think i have yet to see one tutorial with ubuntu in the title that actually only applied to ubuntu.
- nukem996, on 10/10/2007, -0/+2: Now you know how Richard Stallman feels.
- sybesis, on 10/10/2007, -2/+1: Holy *****...i just looked at my logs and damn....lol my server is constantly receiving connection tries in ssh....
Lol this is useful
- FKnight, on 10/10/2007, -4/+1: All I do is setup a policy in Active Directory to lock an account after 5 failed attempts and auto unlock it a few hours later. It takes about 7 clicks, after which every machine on my WAN that allows logins (about another 5 clicks to configure which ones do) can deal with attempts of brute force. Then I go home and have sex while you geeks are screwing with firewalls and packet filters to block an application level attack. *****' newbz. Windows rules.
- daftman, on 10/10/2007, -2/+1: > "Then I go home and have sex'
Go home? Idiot, Linux people can do all this ***** remotely from your home under 2 minutes while screwing your wife/gf. You on the other hand are still stuck in traffic. ***** noob.
- FKnight, on 10/10/2007, -2/+1: Hey, dumbass, out here in the real world, people have meetings to go to. I guess you wouldn't know that, though, because you're the free software dork in the back who gets pissed off and fumes when an end-user doesn't know the difference between a CPU and a system bus.
- daftman, on 10/10/2007, -1/+1: Hey dumbass, if you have meetings to go to, then why the ***** are you the one who is doing Active Directory *****? That job is left for an administrator unless you're one of those one man companies who also cleans the toilet as well. So obviously, you're talking about a ***** administrator in which case a Linux admin can do his job much more efficiently than a windows admin. Now shut the ***** up and go die quietly while I screw your wife/gf.
- Zotter, on 10/10/2007, -0/+0: Not bad at all! Another layer to add in! But - obviously, it's an iptables method - not just an Ubuntu method
If you'd like to be preemptive and lock out known attackers even before they start on your box - try Denyhosts and use the shared database options.
http://denyhosts.sourceforge.net
Think along the lines of a DNSRBL for ssh brute forcers. But one where the attackers pretty much have to prove themselves as attackers to get listed.
- Neorio, on 10/10/2007, -0/+1: OpenBSD's pf filter goes the extra mile by allowing you to blacklist IPs who brute force you. You can find pf in FreeBSD as well.
- rmillan, on 10/10/2007, -0/+0: My root password is 30 characters long, combining high and low caps with numbers, and without using any word from the dictionary.
This means that it will take roughly 17324272922341479351919144385642496 times longer than the average 8-char password to guess. I don't think I have enough money to even afford the bandwidth a bot would spend to "guess the jackpot".
- beermad, on 10/10/2007, -1/+1: A simpler way to stop brute-force password cracks through SSH:
Make sure /etc/ssh/sshd_config has a line saying:
"PasswordAuthentication no"
And now SSH will only allow connections to visitors with private keys matching those in your ~/.ssh/authorized_keys file. Even if you give them your password they still can't get in.
- DesuKN, on 10/10/2007, -2/+1: Protip: change the ssh port.
- Krechet, on 10/10/2007, -0/+1: To be fair! The RECENT target is not enabled in some kernels by default. So no, this does NOT apply to all Linux distributions, although it applies to many. YMMV.
- iapx, on 10/10/2007, -0/+0: As I understand these rules, they all end up enabling an attacker to mount DoS attacks on a server, preventing the administrator from logging in using SSH! NICE!
That's often the case with "smart" rules: they can do more damage than anything else, and raise the threat level in the hands of good hackers!
The best security is to rely on popular models, with STRONG passwords or real secure keys...
- snowb1tch, on 10/22/2007, -0/+0: I've just had an attack of brute force, stupidly was talking to someone on msn and they started repeating convos I'd had months back on my msn history, every convo I'd had, kindly they told me it was done by brute force. What I wanted to ask is are they still in my pc? am I permanently hacked now? or does it only last as long as I was on msn with them? thanks for any answers, I'm not clued up on hackers, they were also kind enough to inform me my firewall was rubbish and I should get a better one. I do love kind hackers! NOT! can anyone help with info? I got out of them it was a programme that scans then uses brute force to gain entry through a port, is this correct?
- ianwate, on 03/07/2008, -0/+0: Bruteforce is useless if you have a strong character combination of passwords. :D
http://ithaven.blogspot.com