LinuxQuestions.org
Linux - Security
Old 05-08-2011, 01:54 PM   #76
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2

So when I use this, which I used now to isolate the machine:

Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

You will also want to shut down port 22 on the output. Your SSH connection shouldn't use port 22 outbound
iptables -A OUTPUT ! -d <your ip> -j DROP # Blocks all packets NOT going to your IP
Your commands


Code:
#!/bin/bash

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
should reverse that?

Or should I follow the exact same route I took to isolate, but in the opposite direction, like:

Code:
iptables -A OUTPUT ! -d <your ip> -j ACCEPT
iptables -A INPUT -j ACCEPT
For argument's sake let's say that this will be my last action after I have completely set up the server with all security measures in place.
 
Old 05-09-2011, 02:20 AM   #77
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Update:

I have requested a re-install of the machine. Once I get the confirmation from my hoster that it has been finished, I will first isolate the machine again, apply the security tips discussed here and check with you guys if need be (and if you're still willing to lend me a hand).
 
Old 05-09-2011, 04:33 AM   #78
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I am sure any of us would be more than happy to help you in getting the machine secured.

In the discussion on the iptables firewall, we failed to mention an important point. By default, iptables rules like those you applied to isolate the machine are not persistent, in that they will not be restored following a reboot. In order to get them to automatically apply on startup you need to call a script for this purpose. Thankfully, there are two standard scripts that come with iptables that do the job for you: iptables-save and iptables-restore. Once you have your firewall in place and configured how you want it, you can run the command:

Code:
iptables-save > /etc/iptables.rules
(or some other name and location of your choice). This will create a file called iptables.rules that will have the commands necessary to restore your settings. You can then use the command:
Code:
iptables-restore < /etc/iptables.rules
to restore it. Note the > and < and the direction. This is called input re-direction and is one of the most powerful and useful features of the CLI.

Where to place the restore command is a matter of some debate, but any of the good how-to documents on iptables will have recommendations. On my servers, running Ubuntu Server edition, which is similar to Debian, I have the following line in my /etc/network/interfaces for eth0
Code:
pre-up iptables-restore < /etc/iptables.rules
This puts the rules in place just before the ethernet port is activated.

I also would like to comment on your question about reversing the rules to undo them. You actually have the right idea and almost have the right syntax. When you want to delete a rule from iptables you use the same syntax as when you ADD a rule to iptables (e.g. iptables -A INPUT ...) except that instead of -A for add, it is -D for drop with everything else being the same. So a drop rule would be iptables -D INPUT ...
 
2 members found this post helpful.
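An added example (not code from the thread or from any of its participants) that puts the two points of this post into a script: deriving the "-D" undo commands from the "-A" isolation commands, and checking a saved rules file before trusting it to iptables-restore. It runs against constructed files only; ADMIN_IP is a documentation address standing in for <your-ip>, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or its participants. Two helpers for
# the rules-file workflow described above, run against constructed input so
# nothing touches a live firewall:
#   undo_rules        turns the "iptables -A ..." commands used to isolate the
#                     box into the matching "iptables -D ..." commands
#   check_saved_rules verifies that an iptables-save file still has the admin
#                     SSH ACCEPT ahead of the catch-all "-A INPUT -j DROP";
#                     iptables stops at the first matching rule, so a file with
#                     the DROP first would lock you out on the next restore.
# ADMIN_IP is a constructed documentation address standing in for <your-ip>.

ADMIN_IP=203.0.113.5

# Same arguments as the -A rules, -A replaced by -D, emitted in reverse order
# (each deletion then sees the chain as it looked when its rule was added).
# Lines that are not "iptables -A ..." commands are ignored.
undo_rules() {
    # $1: file with one "iptables -A CHAIN ..." command per line
    sed -n 's/^iptables -A /iptables -D /p' "$1" | sed '1!G;h;$!d'
}

# 0 only if the INPUT chain in an iptables-save file has an ACCEPT for
# ADMIN_IP on dport 22 and it appears before "-A INPUT -j DROP".
check_saved_rules() {
    # $1: file in iptables-save format
    awk -v ip="$ADMIN_IP" '
        $1 == "-A" && $2 == "INPUT" && index($0, "-s " ip) &&
            index($0, "--dport 22 -j ACCEPT") && !accept { accept = NR }
        $0 == "-A INPUT -j DROP" && !drop { drop = NR }
        END { exit !(accept && drop && accept < drop) }
    ' "$1"
}

# ---- constructed samples ----
TMP=$(mktemp -d)

ISOLATE_CMDS=$TMP/isolate.sh
cat > "$ISOLATE_CMDS" <<EOF
iptables -A INPUT -p tcp -m tcp -s $ADMIN_IP --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT ! -d $ADMIN_IP -j DROP
EOF

# what "iptables-save > /etc/iptables.rules" writes for those rules
GOOD_RULES=$TMP/iptables.rules
cat > "$GOOD_RULES" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $ADMIN_IP/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT ! -d $ADMIN_IP/32 -j DROP
COMMIT
EOF

# the same rules with the two INPUT lines swapped: the DROP shadows the ACCEPT
BAD_RULES=$TMP/iptables.bad
cat > "$BAD_RULES" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -s $ADMIN_IP/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT ! -d $ADMIN_IP/32 -j DROP
COMMIT
EOF

echo "to undo the isolation rules:"
undo_rules "$ISOLATE_CMDS"
check_saved_rules "$GOOD_RULES" && echo "$GOOD_RULES: admin SSH ACCEPT precedes DROP"
check_saved_rules "$BAD_RULES" || echo "$BAD_RULES: DROP shadows the ACCEPT, do not restore this"
```

On a real host the same check belongs just before the pre-up iptables-restore line described above: if it fails, the file that would be loaded at boot no longer lets the admin address in.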
Old 05-10-2011, 08:06 AM   #79
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok,

machine has had a low level (0 fill) format and a reinstall.

It has Debian Squeeze and Plesk 10.2 freshly installed.

I have logged in to Plesk and entered the IP addresses which the machine is supposed to use, 8 in total.

I have logged out of Plesk and isolated the machine again using

Code:
iptables -A INPUT -p tcp -m tcp -s <your-ip> --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

iptables -A OUTPUT ! -d <your ip> -j DROP
I reckon my first action now should be to prepare the machine for only accepting an SSH-connection from me, based on RSA authentication?
Next revoke the standard Root-rights when I log in through SSH, so that when I log in I will have to use sudo + password each time I need root-rights?
After that install one of those file-integrity checks.

And after these first three small steps I need to follow the rest of the tips to make it a secure hosting-server.

Am I thinking along the correct lines now?

Update:
Have set the RSA-key, though am confused now.....

I used this method to set the RSA-key and after that I went into /etc/ssh/sshd_config, toggled the setting for PasswordAuthentication to "no" and after that used /etc/init.d/ssh to restart the service.
Now when I log in I get asked for my passphrase for the RSA-key, which is good, but after that I still get asked for a password to log in, and that was the one I didn't see coming.
Is this normal behaviour?

Update 2:
I'm already getting an idea what's going on. The command I used restarted ssh and not sshd. But now I run into the problem that there is no sshd located in /etc/init.d/.
Why does this always happen to me?

Update 3:

Ok, current situation is close to what it's supposed to be I guess: I have made a new user account on the server by using
Code:
adduser "username"
It's a standard account, so there should be no elevated rights if I'm correct.
Now, when I just use
Code:
ssh xxx.xxx.xxx.xxx
I get asked for my passphrase-RSA, after that my password and I am connected over SSH.
When I want to go to /root/ for example, access is denied. When I use "su" and fill out the root-password I can get access.

I think this is what I want.

But now there is still the possibility to login using
Code:
ssh root@xxx.xxx.xxx.xxx
which gives me direct root-access after filling out the passphrase and the password. I think this is the one that needs to get disabled, correct?

No more updates for now, I will await some answers first

Last edited by MartinM; 05-10-2011 at 09:32 AM. Reason: Updates
 
Old 05-10-2011, 11:25 AM   #80
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Getting prompted for a password after your RSA key password suggests that the RSA key may not have been working. Keep in mind that you need to put the key in the folder for the user account you will be logging in as and that this should not be the root account. Being able to SSH in without a password is an indication that something has either been messed up in a major way or you have created and installed an SSH key without a password. If you have placed a key in the .ssh folder under root, I suggest you remove it. The correct procedure would be to log in as a normal user and then su to root using a password. Restarting ssh, not sshd, should have worked. Do not turn off password authentication until you are sure you can login via the keys. If the key login is successful, you won't be asked for a password, except the one for the key.

I have attached what I typically use for an sshd_config which you can use to compare for your settings. Once you have the key based authentication and direct root login disabled (note the PermitRootLogin no line), then you can undo the iptables rules restricting access to your ip range only as you have dynamic IPs.
Attached Files
File Type: txt sshd_config.txt (1.9 KB, 9 views)
 
Old 05-10-2011, 11:50 AM   #81
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
I'm afraid I've really done it this time.....locked myself out.

I followed the steps as pointed out in the procedure:
- generated the key
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory

So far so good. At that time I got into the situation where while connecting I first got a request for the passphrase which belongs to the RSA-authentication, after that a request for the "normal" SSH-password.

At that time I decided to edit the sshd_config and re-uploaded it.

Restarted ssh, restarted the session and now I cannot login anymore

Code:
MartCom-iMac:~ my-username$ ssh xx.xx.xxx.xx
Identity added: /Users/my-username/.ssh/id_rsa (/Users/my-username/.ssh/id_rsa)
Permission denied (publickey).
Attached is my sshd-config

An important extra remark is that I also installed OSSEC HID, install went fine, no remarks, no reports, all options default except for the Whitelist, I added my personal IP from my home-machine manually.

Update: important detail: thanks to the fact that I rebooted the machine in between, the iptables rule is removed and I do have Plesk as a point of entry. Don't know how to resolve it yet, but at least there still is an entrance. Hopefully it's a useful one.
Attached Files
File Type: txt sshd_config.txt (2.4 KB, 13 views)

Last edited by MartinM; 05-10-2011 at 12:05 PM. Reason: Update
 
Old 05-10-2011, 12:13 PM   #82
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
- went to /home/my-username/.ssh/authorized_keys
- copied the id_rsa.pub into that directory
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys file contains a key for each of the computers I use to connect.

I'm not sure how to correct this one remotely, you may need to get someone local to log in and reset sshd to allow password logins. By the way, you can leave password logins enabled until you're sure that your keys are working correctly.
 
Old 05-10-2011, 01:10 PM   #83
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Well, one thing's for sure, OSSEC HID is running

Code:
OSSEC HIDS Notification.
2011 May 10 19:50:04

Received From: mmn001->/var/log/auth.log
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

May 10 19:50:03 mmn001 sshd[12157]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:03 mmn001 sshd[12156]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12152]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12150]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!
May 10 19:50:00 mmn001 sshd[12151]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.97.194] failed - POSSIBLE BREAK-IN ATTEMPT!



--END OF NOTIFICATION
And since even I cannot get in on ssh, I guess his efforts will be useless as well :P
 
Old 05-10-2011, 01:23 PM   #84
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by Hangdog42 View Post
Um, I think this is your problem in that authorized_keys needs to be a file containing the contents of any allowed keys, not a directory. On my server, my authorized_keys files contains a key for each of the computers I use to connect.
I'm sure you're right, I misread the instructions.

Quote:
On each machine where you want to log in, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys.
I read that as "you need to put the id_rsa.pub in the authorized_keys directory".

Now, when I look in an id_rsa.pub file, I see the contents start with "ssh-rsa" and end with an "account-name". In the instructions it says that if you want to use several keys, you need to "concatenate" them in that authorized_keys file. Could someone please explain what concatenate means in "English for Foreigners and n00bs"
 
Old 05-10-2011, 02:58 PM   #85
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
"concatenate" means to join together into one unit. For example, two number strings: "123" and "456". If I were to concatenate them, the result would be "123456." Another way to think about it would be to say append the data to the end.

In a previous post I mentioned input and output redirection on the command line using > and <. When using output redirection > will overwrite the contents, while >> will append or concatenate the output. Before you make changes to your authorized_keys, be sure to make a temporary copy of it in case you make a mistake (been there done that).
 
Old 05-10-2011, 03:14 PM   #86
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok, so if id_rsa.pub #1 is

Code:
ssh-rsa
blablablablablablabla
blablabla user1@mmn001.local
and id_rsa.pub #2 is

Code:
ssh-rsa
blibliblibliblibliblibli
bliblibli user2@mmn001.local
my authorized_keys file should simply be

Code:
ssh-rsa
blablablablablablabla
blablabla user1@mmn001.local
ssh-rsa
blibliblibliblibliblibli
bliblibli user2@mmn001.local
Is that correct?

Last edited by MartinM; 05-10-2011 at 03:16 PM.
 
Old 05-10-2011, 03:19 PM   #87
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by Noway2
be sure to make a temporary copy of it in case you make a mistake (been there done that).
+1. That is one of those mistakes that is painful enough that you only make once. Unless you're me.


When I add a key, I always copy authorized_keys to authorized_keys.backup and then use:

Code:
cat authorized_keys.backup id_rsa.pub > authorized_keys

You probably don't want to use a text editor as some of them introduce line breaks that will screw up the key. The key has to be on a single line.

Quote:
Is that correct?
Yeah, just make sure the keys are all on a single line, no breaks.

Last edited by Hangdog42; 05-10-2011 at 03:23 PM.
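An added example (not code from the thread or from any of its participants) covering the SSH side of the last few posts: the sshd_config settings Noway2 points at in #80, the authorized_keys-as-a-directory mistake from #81/#82, the concatenation with a backup from #85 and #87, and the one-key-per-line rule from #86/#87. Everything runs on constructed files in a temporary directory; the function names, file names and the zero-filled sample key are assumptions, and the key-blob check assumes GNU base64/tail/head and authorized_keys lines without an options prefix.

```shell
#!/bin/sh
# Added example, not code from the thread or its participants. Offline checks
# for what went wrong in the posts above: sshd_config settings (sshd keeps the
# FIRST value it sees for a keyword and ignores later duplicates), and an
# authorized_keys that must be a FILE holding one complete
# "<type> <base64> [comment]" key per line, never a directory or a key wrapped
# over several lines. Assumes GNU base64/tail/head; lines with an options
# prefix are not handled. All sample inputs are constructed further down.

# First uncommented value of a keyword (case-insensitive); prints nothing when
# the keyword is absent.
sshd_setting() {
    # $1: config file, $2: keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# 0 only if direct root login is off and public-key auth is on
# (PubkeyAuthentication defaults to yes when the keyword is absent).
check_sshd_config() {
    root=$(sshd_setting "$1" PermitRootLogin)
    pubkey=$(sshd_setting "$1" PubkeyAuthentication)
    [ "$root" = "no" ] || return 1
    [ -z "$pubkey" ] || [ "$pubkey" = "yes" ]
}

# The base64 blob of an OpenSSH public key begins with a length-prefixed copy
# of the key type (that is why every ssh-rsa key starts "AAAAB3NzaC1yc2E"), so
# decoding it and comparing bytes 5.. with the first field catches a key that
# was split across lines or pasted incompletely. Returns the number of bad
# lines; 1 if the path is a directory or unreadable.
check_authorized_keys() {
    f=$1
    [ -d "$f" ] && { echo "$f is a directory, it must be a file" >&2; return 1; }
    [ -r "$f" ] || { echo "$f is not readable" >&2; return 1; }
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        type=$1; blob=$2
        case "$type" in
            ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) echo "not a key type (key split across lines?): $line" >&2; bad=$((bad + 1)); continue ;;
        esac
        embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
        if [ "$embedded" != "$type" ]; then
            echo "blob does not decode to a $type key: $line" >&2; bad=$((bad + 1))
        fi
    done < "$f"
    return "$bad"
}

# Add a key the way Hangdog42 does: keep a backup and rebuild with cat (no
# editor that might wrap the line), but only after the new key validates.
add_key() {
    # $1: authorized_keys file, $2: file holding the one new public key line
    check_authorized_keys "$2" || return 1
    cp "$1" "$1.backup" && cat "$1.backup" "$2" > "$1"
}

# ---- constructed samples ----
TMP=$(mktemp -d)
# base64 of a wire-format ssh-ed25519 key whose 32 key bytes are all zero:
# structurally valid for the check above, not a usable key
ZERO_ED25519="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%43s' '' | tr ' ' A)"

SSHD_SAMPLE=$TMP/sshd_config
cat > "$SSHD_SAMPLE" <<EOF
# constructed sample; the second PermitRootLogin is ignored by sshd
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
EOF

GOOD_KEYS=$TMP/authorized_keys
printf 'ssh-ed25519 %s user1@mmn001.local\n' "$ZERO_ED25519" > "$GOOD_KEYS"
NEW_KEY=$TMP/id_user2.pub
printf 'ssh-ed25519 %s user2@mmn001.local\n' "$ZERO_ED25519" > "$NEW_KEY"
# the mistake from post #86: a key wrapped onto three lines
SPLIT_KEYS=$TMP/authorized_keys_split
printf 'ssh-ed25519\n%s\nuser2@mmn001.local\n' "$ZERO_ED25519" > "$SPLIT_KEYS"
# the mistake from post #81: authorized_keys created as a directory
KEYS_DIR=$TMP/authorized_keys_dir
mkdir "$KEYS_DIR"

check_sshd_config "$SSHD_SAMPLE" && echo "sshd_config: root login off, pubkey on"
check_authorized_keys "$GOOD_KEYS" && echo "authorized_keys: ok"
check_authorized_keys "$SPLIT_KEYS" 2>/dev/null || echo "split key file: $? bad line(s)"
```

Run the authorized_keys check on the file before restarting sshd and before turning PasswordAuthentication off; with a real file, also confirm that ~/.ssh and authorized_keys are owned by the user and not group- or world-writable, since sshd's StrictModes (on by default) refuses keys from such files and the client then sees exactly the "Permission denied (publickey)" from post #81.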
 
Old 05-10-2011, 03:52 PM   #88
MartinM
Member
 
Registered: May 2011
Location: the Netherlands
Distribution: Debian Squeeze
Posts: 39

Original Poster
Rep: Reputation: 2
Ok,

I'll make a new authorized_keys file, with the correct id_rsa.pub's in it and ask the hoster to locally log in to the machine tomorrow and place that file in the correct location.

Quote:
Originally Posted by Hangdog42 View Post
You probably don't want to use a text editor as some of them introduce line breaks that will screw up the key. The key has to be on a single line.
Can I simply use nano for that in the future?


That should do the trick I guess and I should be able to login using RSA authentication from that moment on, since I believe that my sshd_config is correct the way it is now.

After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?

Last edited by MartinM; 05-10-2011 at 03:54 PM.
 
Old 05-10-2011, 04:33 PM   #89
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by MartinM
Can I simply use nano for that in the future?
You probably could, but I use cat and redirects just to be safe.

Quote:
Originally Posted by MartinM
After that I will make new RSA-keys based on a different passphrase, since the hoster will be in possession of the current keys. Or am I being too suspicious now?
Well, as long as the hoster doesn't have access to the private key, you probably don't have to worry. Remember the point behind a public/private keypair is that the public key is for distribution and as long as the private key is secure, you're good. There isn't a way to get the private key from possession of the public one.
 
Old 05-10-2011, 11:23 PM   #90
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Rep: Reputation: 8
If he is going to use keys for logging in, wouldn't AES encryption be best(instead of RSA)?

If decides to use passwords for logging in SSH...wouldn't ECC encryption be best?
 