Tag Archive for ‘Linux’ at T. Longren

Tag Archive for 'Linux'

More SSH Brute Force Protection

Published

on August 23, 2006

in Internet, Linux, Noteworthy, Personal and Security

. 1 Comment Tags: breakinguard, code, coding, denyhosts, hacking, help, how-to, howto, Linux, Open Source, programming, Security, ssh.fail2ban.

Stopping SSH Brute Force Attacks resulted in some really great comments and suggestions from readers.

So, this is a follow up to the last SSH brute force post. I didn’t realize there was such a wide selection of applications for dealing with this, but there is! The two best looking options in my opinion are Fail2ban and DenyHosts.

I’ve actually started using DenyHosts on two machines now, and it’s working very well. I chose to go with DenyHosts for a very simple reason. Community stats. I love stats.

Anyway, if you’re looking for something to protect against ssh brute force attacks, go with Fail2ban or DenyHosts, they’re still being actively developed. I can’t say the same for Breakinguard, as it appears to have been abandoned about 1 year ago. And like I said, DenyHosts does it’s job extremely well, I couldn’t ask for anything more.

If you’re looking for another solution, try using cryptographic keys instead of passwords. A tutorial on configuring SSH to look for keys instead of passwords can be found here. This was suggested by commenter pwyll.

Oh, and this is the 700th post. yay!

Popularity: 7% [?]

Stopping SSH Brute Force Attacks

Published

Tyler

on August 21, 2006

in Internet, Linux, Noteworthy, Personal and Security

. 9 Comments Tags: breakinguard, code, coding, hacking, help, how-to, howto, Linux, Open Source, programming, Security, ssh.

A few weeks ago at work, I noticed a bunch of failed login attempts to one of our Linux servers. After doing some investigation, I found that no intrusion had actually been made, which is excellent. Lines similar to this were filling my /var/log/messages log file:

Aug 20 23:31:26 elixer sshd[22526]: Failed password for invalid user alias from 66.166.22.186 port 26217 ssh2

Notice they’re trying to login with the username “alias”, which doesn’t exist on that system. In fact, all the usernames attempted don’t exist, which makes me feel a little safer. Still, I don’t like seeing my boxes actively attacked. So, to stay on top of these breakin attempts, I installed Breakinguard.

Breakinguard basically watches your log file for any failed login attempts. You can set a pre-defined number of attempts that can be executed before breakinguard will block the IP.

The Package itself does a ‘tail -f’ of your syslog, and when it identifies a matching line within your logs, it logs this ‘attempt’. If more than the pre-defined number of attempts from the same IP address are received it triggers the iptables (or any other block method defined) block and also emails you notification.

I’ve never been able to get the configure script to work for me, simply because the perl module installation always fails. So, to get around that I simply installed these perl modules manually and commented out these lines in the configure script:

$PERL -MCPAN -e "install File::Tail"
$PERL -MCPAN -e "install IO::Socket"

Those two lines execute perl and try to install the File::Tail module and the IO::Socket module. After manually installing the perl modules below and commenting out the lines above in the configure script, the configure script should run and do it’s thing without error.

File::Tail
IO::Socket

After the configuration script has run, you should have a couple new files, /etc/breakinguard.conf and /etc/rc.d/breakinguard. Now, the /etc/breakinguard.conf file stores the breakinguard configuration. This is where you tell breakinguard which log file to monitor and how many incorrect login attempts are defined as a breakin.

I’m not going to bother going through all the options in breakinguard.conf, simply because they’re all explained pretty well within the conf file.

The other “new file”, /etc/rc.d/breakinguard is the script used to launch breakinguard. Run “/etc/rc.d/breakinguard start” to start breakinguard.

Once breakinguard is running, it will monitor whichever log file you specified in /etc/breakinguard.conf (/var/log/messages in my case). When it sees a failed login attempt, it will be noted. Now, when an IP fails a certain number of logins, iptables will be called to block all traffic from the IP.

Below is an example email that’s generated by Breakinguard when it blocks an IP:

BreakinGuard has blocked an IP based on suspicious activity
Please review this server.

Detail:
Hostname: elixer.hostname
IP Blocked: 202.82.16.180
Last log entry that caused the block:
Aug 22 06:17:05 elixer sshd[25591]: Failed password for invalid user alias from 202.82.16.180 port 45340 ssh2

Popularity: 7% [?]

Slackware 11 Feeling Official

Published

Tyler

on August 18, 2006

in Internet, Linux and Personal

. 1 Comment Tags: Linux, Open Source, operating-system, slackware, slackware-11, tech, technology.

Slackware 11.0.0 is really feeling “official” now for me. Yesterday, Patrick made an update to the -current ChangeLog stating he had bumped the /etc/slackware-version number up to 11.0.0. I had been waiting for him to bump that version number up. Now that he’s done so, I know Slackware 11.0 will be out soon. I am excited.

Popularity: 3% [?]

Slackware Blog Changes

Published

Tyler

on August 16, 2006

in Internet, Linux and Personal

. 1 Comment Tags: blog, bloggging, Linux, Open Source, slackware, slackware-blog.

On Monday, I made a post on the Slackware Blog, asking for volunteers to help me with posting. I got two emails and two comments to the post offering assistance, much better turnout than I expected.

Anyway, I’ve added three new bloggers so far: James Bowling, lssantaanna, and some guy whose name I don’t exactly know yet.

James has already started posting, which is totally awesome. I was trying to find some time to post about the recent changelog updates but James beat me to it. I think the four of us should be able to generate some pretty good content, but we’ll just have to wait and see.

Traffic to the Slackware Blog has been growing steadily. Especially since the release of Slackware 11.0 Release Candidate 1. The site gets pretty good placement on Google for a number of slackware related terms.

Popularity: 3% [?]

Ubuntu Billboard

Published

Tyler

on August 3, 2006

in Linux, Open Source and Personal

. 0 Comments Tags: billboard, highway, Linux, opensource, photo, pictures, slackware, travel, ubuntu, ubuntu-billboard.

Look at the beautiful Ubuntu Billboard WildBill got a photo of as he was driving by.

Pretty neat huh? I’m not a huge Ubuntu fan, but I do appreciate it. If I wasn’t such an avid Slackware user, Ubuntu would be my distro of choice. In fact, I just used the Ubuntu LiveCd yesterday at work to get some needed files off a dying hard drive. Pretty neat, I expect Microsoft billboards, but not Ubuntu. Wonder what it’d take to get a Slackware billboard put up somewhere?

Oh, and as you’d expect, the Ubuntu Blog author is pretty excited about the billboard too.

Popularity: 4% [?]

Slackware 11 Beta

Published

Tyler

on July 31, 2006

in Linux, Open Source and Personal

. 0 Comments Tags: Linux, Open Source, opensource, operating-systems, slackware, slackware-11, tech, technology.

Isn’t it about time for Beta 1 of Slackware 11 to be released? I’d surely think so, especially with all the updates being made to the slackware-current changelog lately. I was thinking that Patrick would take a chance and make 2.6 the default kernel in Slackware 11, I don’t think that’ll happen now. 2.4.32 or 2.4.33 will most likely be the default kernel found in Slackware 11. I say this due to the changes that have been made to the kernel 2.4.32 packages in -current.

I’ll continue waiting patiently for Slackware 11 Beta 1…

Popularity: 4% [?]