My Server (Deb5 and Plesk10) is involved (causing) in brute force attacks
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
So when I use this, which I used now to isolate the machine:
Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
You will also want to shut down port 22 on the output. Your SSH connection shouldn't use port 22 outbound
iptables -A OUTPUT ! -d <your ip> -j DROP # Blocks all packets NOT going to your IP
I have requested a re-install of the machine, once I get the confirmation from my hoster that it has been finished, I will first isolate the machine again, apply the security tips discussed here and check with you guys if need be (and if you're still willing to lend me a hand
I am sure any of us would be more than happy to help you in getting the machine secured.
In the discussion on the iptables firewall, we failed to mention an important point. By default, iptables rules like those you applied to isolate the machine are not persistent in that the will not restore following a reboot. In order to get the to automatically apply on startup you need to call a script for this purpose. Thankfully, there are two standard scrips that come with iptables that do the job for you: iptables-save and iptables-restore. Once you have your firewall in place and configured how you want it, you can run the command:
Code:
iptables-save > /etc/iptables.rules (or some other name and location of your choice)
This will create a file called iptables.rules that will have the commands necessary to restore your settings. You can then use the command:
Code:
iptables-restore < /etc/iptables.rules
to restore it. Note the > and < and the direction. This is called input re-direction and is one of the most powerful and useful features of the CLI.
Where to place the restore command is a matter of some debate, but any of the good how-to documents on iptables will have recommendations. On my servers, running Ubuntu Server edition, which is similar to Debian, I have the following line in my /etc/network/interfaces for eth0
Code:
pre-up iptables-restore < /etc/iptables.rules
This puts the rules in place just before the ethernet port is activated.
I also would like to comment on your question about reversing the rules to undo them. You actually have the right idea and almost has the right syntax. When you want to delete a rule from iptables you use the same syntax as when you ADD a rule to iptables (e.g. iptables -A INPUT ...) except that instead of -A for add, it is -D for drop with everything else being the same. So a drop rule would be iptables -D INPUT ...
machine has had a low level (0 fill) format and a reinstall.
It has Debian Squeeze and Plesk 10.2 freshly installed.
I have logged in to Plesk and entered the IP-adresses which the machine is supposed to use, 8 in total.
I have logged out of Plesk and isolated the machine again using
Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT ! -d <your ip> -j DROP
I reckon my first action now should be to prepare the machine for only accepting an SSH-connection from me, based on RSA authentication?
Next revoke the standard Root-rights when I log in through SSH, so that when I log in I will have to use sudo + password each time I need root-rights?
After that install one of those file-integrity checks.
And after these first three small steps I need to follow the rest of the tips to make it a secure hosting-server.
Am I thinking along the correct lines now?
Update:
Have set the RSA-key, though am confused now.....
I used this method to set the RSA-key and after that I went into /etc/ssh/sshd_config, toggled the setting for PasswordAuthentication to "no" and after that used /etc/init.d/ssh to restart the service.
Now when I login I get asked for my passphrase for the RSA-key, which is good, but after that I still get asked for a password to login, and that was the one I didn't see coming.
Is this normal behaviour?
Update 2:
I already get an idea what's going on. The command I used, restarted ssh and not sshd. But now I run into the problem that there is no sshd located in /etc/init.d/.
Why does this always happen to me?
Update 3:
Ok, current situation is close to what it's supposed to be I guess: I have made a new useraccount on the server by using
Code:
adduser "username"
.
It's a standard-account, so there should be no elevated rights if I'm correct.
Now, when I just use
Code:
ssh xxx.xxx.xxx.xxx
I get asked for my passphrase-RSA, after that my password and I am connected over SSH.
When I want to go to /root/ for example, access is denied. When I use "su" and fill out the root-password I can get access.
I think this is what I want.
But now there is still the possibility to login using
Code:
ssh root@xxx.xxx.xxx.xxx
, which gives me direct root-access after filling out the passphrase and the password. I think this is the one that needs to get disabled, correct?
No more updates for now, I will await some answers first
Last edited by MartinM; 05-10-2011 at 09:32 AM.
Reason: Updates
Getting prompted for a password after your RSA key password suggests that the RSA key may not have been working. Keep in mind, that you need to put the key in the folder for the user account you will be logging in as and that this should not be the root account. Being able to SSH in without a password is an indication that something has either been messed up in a major way or you have created and installed an SSH key without a password. If you have placed a key in the the .ssh folder under root, I suggest you remove it. The correct procedure would be to log in as a normal user and the su to root using a password. Restarting ssh, not sshd, should have worked. Do not turn off password authentication until you are sure you can login via the keys. If the key login is successful, you won't be asked for a password, except the one for the key.
I have attached what I typically use for an sshd_config which you can use to compare for your settings. Once you have the key based authentication and direct root login disabled (note the PermitRootLogin no line), then you can undo the iptables rules restricting access to your ip range only as you have dynamic IPs.
I'm afraid I've really done it this time.....locked myself out.
I followed the steps as pointed out in the procedure:
- generated the key
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory
So far so good. At that time I got into the situation where while connecting I first got a request for the passphrase which belongs to the RSA-authentication, after that a request for the "normal" SSH-password.
At that time I decided to edit the sshd_config and re-uploaded it.
Restarted ssh, restarted the session and now I connot login anymore
An important extra remark is that I also installed OSSEC HID, install went fine, no remarks, no reports, all options default except for the Whitelist, I added my personal IP from my home-machine manually.
Update: important detail: thanks to the fact that I rebooted the machine in between, the Iptables-rule is removed and I do have Plesk as an point of entry. Don't know how to resolve it yet, but at least there still is an entrance. Hopefully it's a useful one.
Last edited by MartinM; 05-10-2011 at 12:05 PM.
Reason: Update
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys files contains a key for each of the computers I use to connect.
I'm not sure how to correct this one remotely, you may need to get someone local to log in and reset sshd to allow password logins. By the way, you can leave password logins enabled until you're sure that your keys are working correctly.
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys files contains a key for each of the computers I use to connect.
I'm sure you're right, I misread the instructions.
Quote:
On each machine to which where you want to login, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys.
I read that as "you need to put the id_rsa.pub in the authorized_keys directory".
Now, when I look in a id_rsa.pub file, I see the contents starts with "ssh-rsa" and ends with an "account-name". In the instructions it says that if you want to use several keys, you need to "concatenate" them in that authorized_keys file. Could someone please explain what concatenate means in "English for Foreigners and n00bs"
"concatenate" means to join together into one unit. For example, two number strings: "123" and "456". If I were to concatenate them, the result would be "123456." Another way to think about it would be to say append the data to the end.
In a previous post I mentioned input and output redirection on the command line using > and <. When using output redirection > will overwrite the contents, while >> will append or concatenate the output. Before you make changes to your authorized_keys, be sure to make a temporary copy of it in case you make a mistake (been there done that).
I'll make a new authorized_keys file, with the correct id_rsa.pub's in it and ask the hoster to locally log in to the machine tomorrow and place that file in the correct location.
Quote:
Originally Posted by Hangdog42
You probably don't want to use a text editor as some of them introduce line breaks that will screw up the key. The key has to be on a single line.
Can I simply use nano for that in the future?
That should do the trick I guess and I should be able to login using RSA authentication from that moment on, since I believe that my sshd_config is correct the way it is now.
After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?
You probably could, but I use cat and redirects just to be safe.
Quote:
Originally Posted by MartinM
After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?
Well, as long as the hoster doesn't have access to the private key, you probably don't have to worry. Remember the point behind a public/private keypair is that the public key is for distribution and as long as the private key is secure, you're good. There isn't a way to get the private key from possession of the public one.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.