
Hardening Linux by Disabling SSH Password Authentication (allow only RSA) January 4, 2013

Posted by Tournas Dimitrios in Linux.

If an attacker wants to break into your server, he or she first needs to guess a valid username and password combination. We all know that a good password can limit the exposure to a brute-force attack. The word “limit” is used intentionally: technically speaking, a 100% secure machine cannot be achieved with password-based authentication. A determined attacker will use any available means to reach his or her goal. For instance, a well-known technique (the dictionary attack) tries an exhaustive list of values which are most likely to succeed, typically derived from a list of words (a dictionary, a bible, etc.). Many people (yes, sysadmins included) have a tendency to choose passwords shorter than 8 characters, such as single words found in dictionaries or simple, easily predicted variations on words, like appending a run of incremental digits (john1234). Common dictionary attacks are aimed at the root password, and there is a reason for that: almost all systems have a default root account. Exceptions to this rule are Ubuntu and Amazon’s cloud-based Linux instances, which have the root account disabled for login. The following snapshots were taken from a Linux box hosted on an Amazon cloud instance. For obvious reasons these logs were truncated, but they are adequate to show two attacks (the first on the root account, while the second is trying to guess a username).

First demonstration:

[root@aws-server]# cat /var/log/secure | grep -i root
Dec  3 20:53:27 ip-10-212-142-181 sshd[1845]: Failed password for invalid user root from 119.188.7.142 port 57398 ssh2
Dec  3 20:53:29 ip-10-212-142-181 sshd[1847]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:29 ip-10-212-142-181 sshd[1848]: input_userauth_request: invalid user root
Dec  3 20:53:29 ip-10-212-142-181 sshd[1847]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root
Dec  3 20:53:32 ip-10-212-142-181 sshd[1847]: Failed password for invalid user root from 119.188.7.142 port 57744 ssh2
Dec  3 20:53:34 ip-10-212-142-181 sshd[1849]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:34 ip-10-212-142-181 sshd[1850]: input_userauth_request: invalid user root
Dec  3 20:53:34 ip-10-212-142-181 sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root
Dec  3 20:53:36 ip-10-212-142-181 sshd[1849]: Failed password for invalid user root from 119.188.7.142 port 58100 ssh2
Dec  3 20:53:38 ip-10-212-142-181 sshd[1851]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:38 ip-10-212-142-181 sshd[1852]: input_userauth_request: invalid user root
Dec  3 20:53:38 ip-10-212-142-181 sshd[1851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root
Dec  3 20:53:40 ip-10-212-142-181 sshd[1851]: Failed password for invalid user root from 119.188.7.142 port 58456 ssh2
Dec  3 20:53:42 ip-10-212-142-181 sshd[1853]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:42 ip-10-212-142-181 sshd[1854]: input_userauth_request: invalid user root
Dec  3 20:53:42 ip-10-212-142-181 sshd[1853]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root
Dec  3 20:53:44 ip-10-212-142-181 sshd[1853]: Failed password for invalid user root from 119.188.7.142 port 58774 ssh2
Dec  3 20:53:46 ip-10-212-142-181 sshd[1855]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:46 ip-10-212-142-181 sshd[1856]: input_userauth_request: invalid user root
Dec  3 20:53:46 ip-10-212-142-181 sshd[1855]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root
Dec  3 20:53:49 ip-10-212-142-181 sshd[1855]: Failed password for invalid user root from 119.188.7.142 port 59123 ssh2
Dec  3 20:53:51 ip-10-212-142-181 sshd[1857]: User root from 119.188.7.142 not allowed because not listed in AllowUsers
Dec  3 20:53:51 ip-10-212-142-181 sshd[1858]: input_userauth_request: invalid user root
Dec  3 20:53:51 ip-10-212-142-181 sshd[1857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.142  user=root

Second demonstration:

[root@aws-server]# cat /var/log/secure | grep -i failed
Dec 13 09:28:49 ip-10-38-142-131 sshd[1722]: Failed password for invalid user gerard from 112.78.5.50 port 52540 ssh2
Dec 13 09:28:54 ip-10-38-142-131 sshd[1724]: Failed password for invalid user jean from 112.78.5.50 port 53006 ssh2
Dec 13 09:28:59 ip-10-38-142-131 sshd[1726]: Failed password for invalid user reno from 112.78.5.50 port 53499 ssh2
Dec 13 09:29:03 ip-10-38-142-131 sshd[1728]: Failed password for invalid user maia from 112.78.5.50 port 54038 ssh2
Dec 13 09:29:07 ip-10-38-142-131 sshd[1730]: Failed password for invalid user nicholas from 112.78.5.50 port 54517 ssh2
Dec 13 09:29:12 ip-10-38-142-131 sshd[1732]: Failed password for invalid user samuel from 112.78.5.50 port 54946 ssh2
Dec 13 09:29:16 ip-10-38-142-131 sshd[1734]: Failed password for invalid user jackson from 112.78.5.50 port 55405 ssh2
Dec 13 09:29:19 ip-10-38-142-131 sshd[1736]: Failed password for invalid user son from 112.78.5.50 port 55831 ssh2
Dec 13 09:29:24 ip-10-38-142-131 sshd[1738]: Failed password for invalid user jack from 112.78.5.50 port 56230 ssh2
Dec 13 09:29:28 ip-10-38-142-131 sshd[1740]: Failed password for invalid user ilizabeth from 112.78.5.50 port 56718 ssh2
Dec 13 09:29:32 ip-10-38-142-131 sshd[1742]: Failed password for invalid user angelica from 112.78.5.50 port 57155 ssh2
Dec 13 09:29:36 ip-10-38-142-131 sshd[1744]: Failed password for invalid user sydney from 112.78.5.50 port 57622 ssh2
Dec 13 09:29:40 ip-10-38-142-131 sshd[1746]: Failed password for invalid user stan from 112.78.5.50 port 58102 ssh2
Dec 13 09:29:45 ip-10-38-142-131 sshd[1748]: Failed password for invalid user maurice from 112.78.5.50 port 58541 ssh2
Dec 13 09:29:49 ip-10-38-142-131 sshd[1750]: Failed password for invalid user steafan from 112.78.5.50 port 59044 ssh2
Dec 13 09:29:52 ip-10-38-142-131 sshd[1752]: Failed password for invalid user leni from 112.78.5.50 port 59428 ssh2
Dec 13 09:29:57 ip-10-38-142-131 sshd[1754]: Failed password for invalid user nastassja from 112.78.5.50 port 59846 ssh2
Dec 13 09:30:01 ip-10-38-142-131 sshd[1756]: Failed password for invalid user lara from 112.78.5.50 port 60367 ssh2
Dec 13 09:30:06 ip-10-38-142-131 sshd[1760]: Failed password for invalid user joseph from 112.78.5.50 port 60770 ssh2
Dec 13 09:30:10 ip-10-38-142-131 sshd[1762]: Failed password for invalid user hans from 112.78.5.50 port 33026 ssh2
Dec 13 09:30:14 ip-10-38-142-131 sshd[1764]: Failed password for invalid user clarin from 112.78.5.50 port 33502 ssh2
Dec 13 09:30:18 ip-10-38-142-131 sshd[1766]: Failed password for invalid user klein from 112.78.5.50 port 33925 ssh2
Dec 13 09:30:22 ip-10-38-142-131 sshd[1768]: Failed password for invalid user madhukar from 112.78.5.50 port 34395 ssh2
Dec 13 09:30:26 ip-10-38-142-131 sshd[1770]: Failed password for invalid user leopold from 112.78.5.50 port 34873 ssh2
Dec 13 09:30:30 ip-10-38-142-131 sshd[1772]: Failed password for invalid user niklas from 112.78.5.50 port 35266 ssh2
Dec 13 09:30:34 ip-10-38-142-131 sshd[1774]: Failed password for invalid user friedrich from 112.78.5.50 port 35677 ssh2
Dec 13 09:30:38 ip-10-38-142-131 sshd[1776]: Failed password for invalid user luhmann from 112.78.5.50 port 36117 ssh2
Dec 13 09:30:42 ip-10-38-142-131 sshd[1778]: Failed password for invalid user koch from 112.78.5.50 port 36521 ssh2
Dec 13 09:30:46 ip-10-38-142-131 sshd[1780]: Failed password for invalid user gmelin from 112.78.5.50 port 36995 ssh2
Dec 13 09:30:51 ip-10-38-142-131 sshd[1782]: Failed password for invalid user fritz from 112.78.5.50 port 37450 ssh2
Dec 13 09:30:55 ip-10-38-142-131 sshd[1784]: Failed password for invalid user otto from 112.78.5.50 port 37896 ssh2
Dec 13 09:31:00 ip-10-38-142-131 sshd[1786]: Failed password for invalid user wilhelm from 112.78.5.50 port 38346 ssh2
Dec 13 09:31:04 ip-10-38-142-131 sshd[1788]: Failed password for invalid user hermann from 112.78.5.50 port 38868 ssh2
Dec 13 09:31:07 ip-10-38-142-131 sshd[1790]: Failed password for invalid user futermann from 112.78.5.50 port 39283 ssh2
Dec 13 09:31:11 ip-10-38-142-131 sshd[1792]: Failed password for invalid user heinrich from 112.78.5.50 port 39673 ssh2
Dec 13 09:31:15 ip-10-38-142-131 sshd[1794]: Failed password for invalid user guther from 112.78.5.50 port 40106 ssh2
Dec 13 09:31:19 ip-10-38-142-131 sshd[1796]: Failed password for invalid user hans from 112.78.5.50 port 40988 ssh2
Dec 13 09:31:23 ip-10-38-142-131 sshd[1798]: Failed password for invalid user max from 112.78.5.50 port 41785 ssh2
Dec 13 09:31:27 ip-10-38-142-131 sshd[1800]: Failed password for invalid user carl from 112.78.5.50 port 42662 ssh2
Dec 13 09:31:31 ip-10-38-142-131 sshd[1802]: Failed password for invalid user bosch from 112.78.5.50 port 43418 ssh2
Dec 13 09:31:35 ip-10-38-142-131 sshd[1804]: Failed password for invalid user johann from 112.78.5.50 port 44277 ssh2
Dec 13 09:31:38 ip-10-38-142-131 sshd[1806]: Failed password for invalid user rudolf from 112.78.5.50 port 45140 ssh2
Dec 13 09:31:42 ip-10-38-142-131 sshd[1808]: Failed password for invalid user kurt from 112.78.5.50 port 45975 ssh2
Dec 13 09:31:46 ip-10-38-142-131 sshd[1810]: Failed password for invalid user georg from 112.78.5.50 port 46687 ssh2
Dec 13 09:31:50 ip-10-38-142-131 sshd[1812]: Failed password for invalid user ziegler from 112.78.5.50 port 47532 ssh2
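The two excerpts above are exactly the kind of data a small log-triage script should digest before a human reads it: who is hammering the host, which usernames are being tried, and which sources have crossed a threshold worth blocking. The script below is an added example, not part of the original post; its log lines are constructed in sshd's format (with RFC 5737 documentation addresses) rather than copied from a real server, and the threshold of 10 is an arbitrary starting value.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd password failures
# from auth-log lines such as the /var/log/secure excerpts above.
# Real usage:  failed_by_ip < /var/log/secure ; flag_sources 20 < /var/log/secure

# Constructed sample lines in sshd's log format; host and addresses are
# documentation values (RFC 5737), not taken from a real server.
SAMPLE_LOG='Dec 13 09:28:49 host sshd[1722]: Failed password for invalid user gerard from 192.0.2.10 port 52540 ssh2
Dec 13 09:28:54 host sshd[1724]: Failed password for invalid user jean from 192.0.2.10 port 53006 ssh2
Dec 13 09:28:59 host sshd[1726]: Failed password for root from 192.0.2.10 port 53499 ssh2
Dec 13 09:29:03 host sshd[1728]: Failed password for alice from 198.51.100.7 port 54038 ssh2
Dec 13 09:29:07 host sshd[1730]: Accepted publickey for alice from 198.51.100.7 port 54517 ssh2
Dec 13 09:29:12 host sshd[1732]: Failed password for invalid user samuel from 192.0.2.10 port 54946 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <source ip>", busiest first.
# Only "Failed password" lines count; accepted logins and pam_unix noise are skipped.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# guessed_users: usernames that do not exist on the host ("invalid user"), sorted.
# A long list of names means a wordlist is being walked; attempts against real
# accounts only would suggest the attacker already knows a username.
guessed_users() {
    awk '/Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
        }' | sort -u
}

# flag_sources THRESHOLD: source addresses with at least THRESHOLD failures
# (default 10), a starting point for a firewall rule or a fail2ban-style block.
flag_sources() {
    failed_by_ip | awk -v t="${1:-10}" '$1 >= t { print $2 }'
}

# Run the three reports over the constructed sample when executed directly.
echo "== failures per source =="
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "== guessed usernames =="
printf '%s\n' "$SAMPLE_LOG" | guessed_users
echo "== sources at or over threshold 3 =="
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
```

Feed it the real file with `failed_by_ip < /var/log/secure` (or `/var/log/auth.log` on Debian-derived systems). Note that the second excerpt above shows roughly one attempt every four seconds from a single address, so a threshold in the tens over a few minutes separates a wordlist run from a user mistyping a password.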

One might ask, what are your top five rules to protect your boxes? Answer: security is a non-stop process, but the following list is certainly a good starting point.

  1. Use encrypted traffic only. Instead of plain-text protocols (RSH, FTP, TELNET), consider using RSYNC (over SSH), SFTP or FTPS (FTP over SSL) and SSH.
  2. Always create long passwords (8+ characters) that contain upper- and lower-case letters, numbers and non-alphanumeric characters.
  3. Regularly read your log files. A better approach is to install both a Network IDS (NIDS) and a Host-Based IDS (HIDS). A NIDS is used to protect against malicious threats such as DoS and port-scan attacks. A popular HIDS is AIDE; it monitors file-system changes such as an intruder replacing core system binaries like ls or ps with malicious ones that hide their Trojan from file or process lists. It produces a report that tells you which files have been modified so you can repair or replace them.
  4. Use public/private SSH keys for the login of remote users instead of passwords. This gives you the benefit of turning off password authentication in SSH, so that your server can’t be brute-forced.
  5. Disable the root account from logging in, either via the console or via remote SSH connections. Instead, restrict users (with sudo) to the absolutely necessary programs that need root privileges. Once logged in as an ordinary user, one should use “su -” to acquire super-user privileges.
    There are two simple ways to avoid the possibility of an attack on the root account; both are set in sshd’s configuration file (/etc/ssh/sshd_config):
    a) PermitRootLogin no: disable root access via SSH to your server.
    b) PermitRootLogin without-password: allow root access via SSH, but only with an RSA key (public-key authentication).
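Rules 4 and 5 come down to a handful of sshd_config keywords, and the most common way they go wrong is not a missing line but an ordering mistake: sshd uses the first value it sees for a keyword, so a default `PasswordAuthentication yes` left near the top quietly wins over the `no` added later. The audit script below is an added example, not the post's own material or part of OpenSSH; it reads a file you name (so it can be tried on a copy first), the three sample configs are constructed, and the "weaker default" fallbacks are a deliberate conservative assumption. One caveat to the post's option (b): since OpenSSH 7.0 the value is spelled `prohibit-password`, with `without-password` kept as an alias, so the audit accepts both.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# password and root-login settings discussed in rules 4 and 5.

# sshd_setting FILE KEYWORD: print the value sshd would use for KEYWORD, lower-cased.
# sshd honours the FIRST occurrence of a keyword (sshd_config(5)), so a duplicate
# near the top silently overrides a hardened line added further down. Commented
# lines are skipped; Match blocks are not evaluated (use `sshd -T` for those).
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/            { next }
        tolower($1) == "match"              { exit }
        tolower($1) == tolower(key)         { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print "WEAK <Keyword>=<value> (accepted: ...)" per finding and
# return non-zero when anything is weak. A keyword that is absent falls back to
# sshd's compiled-in default, taken as the weaker value where it changed over time.
audit_sshd() {
    file=$1
    findings=0
    want() {   # want KEYWORD DEFAULT ACCEPTED...
        key=$1; shift
        val=$(sshd_setting "$file" "$key")
        [ -n "$val" ] || val=$1
        shift
        for ok in "$@"; do
            [ "$val" = "$ok" ] && return 0
        done
        echo "WEAK $key=$val (accepted: $*)"
        findings=$((findings + 1))
    }
    want PasswordAuthentication          yes no
    want ChallengeResponseAuthentication yes no
    want PubkeyAuthentication            yes yes
    want PermitEmptyPasswords            no  no
    # "yes" was the default before OpenSSH 7.0; newer releases default to
    # prohibit-password, of which without-password is the older spelling.
    want PermitRootLogin                 yes no prohibit-password without-password
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from any real host) in a scratch directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/weak" <<'EOF'
# typical fresh install: passwords on, root login left at its default
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

cat > "$demo_dir/hardened" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
EOF

# Looks hardened, but the first PasswordAuthentication line is the one sshd uses.
cat > "$demo_dir/duplicate" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

for f in weak hardened duplicate; do
    echo "== $f =="
    audit_sshd "$demo_dir/$f" && echo "ok: no weak settings"
done
```

Before closing the password path on a live box, generate and install a key pair (`ssh-keygen -t rsa -b 4096` on the client, then `ssh-copy-id user@host`), edit `/etc/ssh/sshd_config`, check the syntax with `sshd -t`, confirm the effective values (Match blocks included) with `sshd -T | grep -i -e passwordauthentication -e permitrootlogin`, and reload sshd while keeping the current session open so a second session can prove key login works before the first one is dropped.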

Comments

1. nildar - January 23, 2013

Today, I went to the beachfront with my kids. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed. There was a hermit crab inside and it pinched her ear. She never wants to go back! LoL I know this is entirely off topic but I had to tell someone!

2. casal - January 23, 2013

your website is like an encyclopaedia for me, thanks.

3. Clara - April 5, 2013

I am truly thankful to the owner of this web page who has shared this impressive paragraph here.