How to monitor a secure Linux server for hacks?


KViSR
13-01-2010, 11:28
SSHBlack
The sshblack script is a real-time security tool for secure shell (ssh). It monitors *nix log files for suspicious activity and reacts appropriately to aggressive attackers by adding them to a "blacklist" created using various firewalling tools -- such as iptables -- available in most modern versions of Unix and Linux. The blacklist is simply a list of source IP addresses that are prohibited from making ssh connections to the protected host. Once a predetermined amount of time has passed, the offending IP address is removed from the blacklist.

It is written in Perl but requires no special modules or libraries.

What defines an "attack" is determined by a variable in the source code. This is usually a character string like "Failed password" or "Illegal user" but can be anything that the administrator deems undesirable activity. I have heard from many users who are using it for many things other than ssh, including website monitoring, proxy server watchdog, and generalized network monitoring for prohibited activities (e.g. peer-to-peer filesharing).
http://www.pettingers.org/code/sshblack.html

gregoryfenton
13-01-2010, 10:32
I use fail2ban as well as a cron job scanning for certain strings in my apache server log.

The code can be extended to check for other strings easily.

Hope it helps.

cron (once per minute):
Code:
* * * * * /usr/bin/scanlog
/usr/bin/scanlog
Code:
#!/bin/bash
# Collect the source IPs of "GET /w00tw00t" requests (a common vulnerability-scanner
# signature) that Apache rejected with a 400, across the live and rotated access logs.
# With several files zgrep prefixes each match with "filename:", so the second awk
# keeps only the address after the colon.
for n in $(zgrep '"GET /w00tw00t' /var/log/apache2/access.log* | grep ' HTTP/1.1" 400 ' | awk '{ print $1; }' | awk '{ split($0, a, ":"); print a[2]; }' | sort -n | uniq)
do
    /usr/bin/ban "$n"
done
/usr/bin/ban
Code:
#!/bin/bash
# Usage: ban IP  -- permanently drop all traffic from one source address
if [ -z "$1" ]
   then
       echo "$0 IP"
       echo "eg: $0 11.22.33.44"
       exit 1
fi

# in the next line put your own IP so you can't block yourself
if [ "$1" == "77.103.248.9" ]
   then
       exit
fi
if [ "$1" == "127.0.0.1" ]
   then
       exit
fi

# -F: match the address literally (dots are not wildcards); -w: whole word only,
# so 1.2.3.4 is not mistaken for an existing ban on 1.2.3.45 or 11.2.3.4
if ! grep -qwF -- "$1" /etc/rc.local
then
    echo "IP $1 not found, permanently banning IP $1"
    RULE="iptables -A INPUT -s $1 -j DROP"
    # persist the rule across reboots; Debian's rc.local ends with "exit 0" and
    # anything appended after that line never runs, so insert before it if present
    if grep -q '^exit 0' /etc/rc.local
    then
        sed -i "/^exit 0/i $RULE" /etc/rc.local
    else
        echo "$RULE" >> /etc/rc.local
    fi
    /sbin/iptables -A INPUT -s "$1" -j DROP
else
    echo "$1 already exists, skipping"
fi

yatesco
11-01-2010, 16:40
Quote Originally Posted by Myatu
I like to use Fail2ban, which works very well alongside Shorewall (the firewall setup I've described on my blog - yep, still using it)
Hey me too! I found your blog very very helpful.

Thanks, I will try fail2ban - although the name doesn't exactly inspire confidence. I should have learnt after I put all that money in the 'fail to get rich quick' scheme...

Razakel
11-01-2010, 14:43
Oh, if you have cPanel installed, it has an anti-brute-forcing daemon called cphulkd. Check that out if you're running it.

Myatu
11-01-2010, 14:40
Quote Originally Posted by yatesco
How do you server dudes monitor your machine for remote hack attempts?
I like to use Fail2ban, which works very well alongside Shorewall (the firewall setup I've described on my blog - yep, still using it)

I don't want to lock the accounts after N incorrect logins as that would mean my server can be disabled. I

...

Ideally, something that will give me a daily overview (HTML/email as these are headless servers) of activity:

- how many correct logins (and what names/machines)
- how many incorrect logins (and what names/machines)
- what services were accessed (tried to be accessed)
Well, in my setup fail2ban does lock an IP out after the Nth attempt, but this is something you can set to never do if you wish. A lockout lasts for about 30 minutes, which makes it generally tedious for manual attempts (from China mainly it seems). A bot will just keep on hammering...

Fail2ban will send you an e-mail as soon as someone's been locked out (and you can also see it from the command interface, though I haven't used it in so long I forgot how. It's set-and-forget really!). The e-mail contains the IP, the time, what service (i.e. SSH) and the details from the whois so you know who to contact. OVH accepts these log files at abuse@ovh.net, resulting in quick resolution if the bot/hacker comes from within OVH itself.

Nice thing is that it isn't just for SSH. It can do this for anything that logs to a regular file. You just have to tell it what to look for and it'll do the rest. Some default templates, besides SSH, are Apache, Courier, Exim, Postfix, Qmail, vsftp, Webmin, etc.

yatesco
11-01-2010, 11:23
Mine (today, on the one of 12 or so servers I looked at) are from server56.dubhosting.com (94.23.203.221)

Razakel
11-01-2010, 11:10
Quote Originally Posted by gigabit
Just an FYI: brute logins are normal, every server gets them...
Mostly from RPSes and Kimsufis. :P

Just an example:
root ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
root ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
test ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
test ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
admin ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
admin ssh:notty server56.dubhost Mon Jan 11 06:33 - 06:33 (00:00)
lp ssh:notty 94-23-157-158.ov Sun Dec 27 18:25 - 18:25 (00:00)
lp ssh:notty 94-23-157-158.ov Sun Dec 27 18:25 - 18:25 (00:00)
lp ssh:notty 94-23-157-158.ov Sun Dec 27 18:25 - 18:25 (00:00)
proxy ssh:notty 94-23-157-158.ov Sun Dec 27 18:25 - 18:25 (00:00)
proxy ssh:notty 94-23-157-158.ov Sun Dec 27 18:25 - 18:25 (00:00)
root ssh:notty ks27225.kimsufi. Sun Dec 27 09:52 - 09:52 (00:00)
root ssh:notty ks27225.kimsufi. Sun Dec 27 09:52 - 09:52 (00:00)
root ssh:notty ks27225.kimsufi. Sun Dec 27 09:52 - 09:52 (00:00)
root ssh:notty ks27225.kimsufi. Sun Dec 27 09:52 - 09:52 (00:00)
root ssh:notty ks27225.kimsufi. Sun Dec 27 09:52 - 09:52 (00:00)
acegolf ssh:notty rps7139.ovh.net Sat Dec 26 15:00 - 15:00 (00:00)
acegolf ssh:notty rps7139.ovh.net Sat Dec 26 15:00 - 15:00 (00:00)
wszyscy ssh:notty rps7139.ovh.net Sat Dec 26 15:00 - 15:00 (00:00)
wszyscy ssh:notty rps7139.ovh.net Sat Dec 26 14:59 - 14:59 (00:00)
tomek ssh:notty rps7139.ovh.net Sat Dec 26 14:59 - 14:59 (00:00)
Dunno if these have been dealt with yet?

MicroChip123
11-01-2010, 11:09
The best option is to use non-standard port numbers and disable root.

gigabit
11-01-2010, 11:07
Just an FYI: brute logins are normal, every server gets them...

yatesco
11-01-2010, 11:02
Thanks both

Razakel
11-01-2010, 10:45
Typing "last" will give you a list of all successful logins. "lastb" gives you a list of failed ones.
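A daily failed-login overview of the kind the thread starter asks for, built from lastb output as suggested above; this is an added example, not a script from anyone in the thread. It assumes lastb's default column layout (as in the paste further up) and uses a constructed sample in place of a live lastb run.

```shell
#!/bin/bash
# Daily overview of failed logins built from lastb output: attempts per user name,
# per source host, and the hosts past a threshold. Assumes lastb's default layout
# "user tty host day mon date HH:MM - HH:MM (dur)" as in the paste above; ssh
# failures always carry a host in column 3. Example usage at the bottom.

# Constructed sample standing in for "lastb" (not real log data), with the blank
# line and "btmp begins" trailer that lastb appends to its listing.
SAMPLE_BTMP='root     ssh:notty    server56.dubhost Mon Jan 11 06:33 - 06:33  (00:00)
root     ssh:notty    server56.dubhost Mon Jan 11 06:33 - 06:33  (00:00)
test     ssh:notty    server56.dubhost Mon Jan 11 06:33 - 06:33  (00:00)
admin    ssh:notty    server56.dubhost Mon Jan 11 06:33 - 06:33  (00:00)
lp       ssh:notty    94-23-157-158.ov Sun Dec 27 18:25 - 18:25  (00:00)
proxy    ssh:notty    94-23-157-158.ov Sun Dec 27 18:25 - 18:25  (00:00)
root     ssh:notty    ks27225.kimsufi. Sun Dec 27 09:52 - 09:52  (00:00)
root     ssh:notty    ks27225.kimsufi. Sun Dec 27 09:52 - 09:52  (00:00)

btmp begins Sat Dec 26 14:59:01 2009'

# Count field $1 (1 = user name, 3 = source host) over lastb lines on stdin and
# print "count value", most frequent first. Blank lines and the trailer are skipped.
count_by_field() {
    awk -v f="$1" 'NF >= 4 && $1 != "btmp" { n[$f]++ } END { for (k in n) print n[k], k }' \
        | sort -k1,1nr -k2
}

# Source hosts with at least $1 failed attempts, same "count host" format.
hosts_over_threshold() {
    count_by_field 3 | awk -v t="$1" '$1 >= t'
}

# The report itself: lastb lines on stdin, threshold as $1 (default 5).
daily_failed_login_report() {
    local threshold="${1:-5}" input
    input="$(cat)"   # read stdin once, reuse it for each section
    printf 'Failed logins: %s\n\n' \
        "$(printf '%s\n' "$input" | count_by_field 1 | awk '{ s += $1 } END { print s + 0 }')"
    printf 'By user name:\n';    printf '%s\n' "$input" | count_by_field 1 | sed 's/^/  /'
    printf '\nBy source host:\n'; printf '%s\n' "$input" | count_by_field 3 | sed 's/^/  /'
    printf '\nHosts with %s or more attempts (candidates for a fail2ban/iptables ban):\n' "$threshold"
    printf '%s\n' "$input" | hosts_over_threshold "$threshold" | sed 's/^/  /'
}

# On a live server: lastb | daily_failed_login_report 5 | mail -s "Failed logins" root
printf '%s\n' "$SAMPLE_BTMP" | daily_failed_login_report 3
```

Pair it with a daily cron entry and "last" for the successful-login half of the overview; the user and host columns are the same.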

jonlewi5
11-01-2010, 10:35
I used to use a combination of webmin and this http://sourceforge.net/projects/sentrytools/

You could likely set it all up without webmin though.

But I may be way off your needs.

yatesco
11-01-2010, 10:09
Hi,

How do you server dudes monitor your machine for remote hack attempts?

I noticed that one of my machines had sustained a number of incorrect logins for random user names (and well known ones) from a server I have nothing to do with.

Is there a nice bit of software that will email me of such an attempt? My servers are relatively low impact - less than 100 valid interactions a day really.

I don't want to lock the accounts after N incorrect logins as that would mean my server can be disabled. I don't want to restrict by MAC as that is a PITA.

Ideally, something that will give me a daily overview (HTML/email as these are headless servers) of activity:

- how many correct logins (and what names/machines)
- how many incorrect logins (and what names/machines)
- what services were accessed (tried to be accessed)

If there was a monitoring aspect that would email on failed attempts, that would be ace?

Something in debian's lenny repository would be top!

Many thanks,

Col