3rd September 2008 at 6:02 pm

Battening Down the Hatches.

It’s time to take my internet security more seriously. I’ve been very casual about it up to now, but looking at my Mac’s security logs, I seem to be under constant attack and I need to make sure my security is as tight as possible.

My existing security relied on my hardware firewall and strong passwords. Most ports were closed, with the exception of:

80 – For my Web server

22 – Secure Shell – so I can access my server remotely.

Incoming access to all other computers and devices on my network is blocked, except where allowed by rules set up by UPnP. (Worth remembering: UPnP lets any device on the LAN open an inbound port on the router without any authentication, so those rules deserve a regular review.)

So, looking at my security log, some nasty people are constantly trying to break into my server via Secure Shell (SSH) using two techniques:

1. Using common account names, like root and admin, with a dictionary attack that tries different combinations of words and numbers to guess a weak password (like “password123” or “4thjuly”)

2. Using common real names with no password or very weak passwords

Each attack from a unique computer was typically lasting a day. Here’s a very small example:

Aug 31 17:34:28 wsprosys04 com.apple.SecurityServer[22]: checkpw() returned -2; failed to authenticate user root (uid 0).

Aug 31 17:34:28: — last message repeated 1 time —

Aug 31 17:34:28 wsprosys04 com.apple.SecurityServer[22]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.

Aug 31 17:34:28 wsprosys04 sshd[73785]: Failed password for root from 200.210.22.30 port 3244 ssh2

Aug 31 17:34:33 wsprosys04 com.apple.SecurityServer[22]: checkpw() returned -2; failed to authenticate user root (uid 0).

Aug 31 17:34:33: — last message repeated 1 time —

Aug 31 17:34:33 wsprosys04 com.apple.SecurityServer[22]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.

Aug 31 17:34:33 wsprosys04 sshd[73788]: Failed password for root from 200.210.22.30 port 3396 ssh2

Aug 31 17:34:37 wsprosys04 sshd[73791]: Invalid user admin from 200.210.22.30

Aug 31 17:34:37 wsprosys04 com.apple.SecurityServer[22]: getpwnam() failed for user admin, creating invalid credential

Aug 31 17:34:37: — last message repeated 1 time —

Aug 31 17:34:37 wsprosys04 com.apple.SecurityServer[22]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.

Aug 31 17:34:37 wsprosys04 sshd[73791]: Failed password for invalid user admin from 200.210.22.30 port 3545 ssh2

Aug 31 17:34:41 wsprosys04 com.apple.SecurityServer[22]: checkpw() returned -2; failed to authenticate user root (uid 0).

Aug 31 17:34:41: — last message repeated 1 time —


These attempts are failing for two reasons:

Attempts to use the user id “root” fail because they aren’t guessing the password correctly.

Attempts to use the user id “admin” fail because there is no such user on this machine (sshd still runs the password exchange for an unknown name, which is why a “Failed password for invalid user” line follows the “Invalid user” line).

As you can see from the time stamps, these attempts are occurring at a rate of one every 4-5 seconds!

The simplest solution would be to close port 22 on the hardware firewall and stop any SSH logins reaching the computer in the first place. But I want to have remote access, so this is not a solution.

Another option is to run SSH on a non-standard port instead of 22. This is not really an answer and is widely frowned upon as one: these attackers are more than capable of port scanning to find the service on a non-standard port, so it would only thwart the most casual of them.

So the situation is that hackers are attempting to gain access to my computer but my existing measures are thwarting them. However that’s no reason to rest on my laurels.

As a result I have put some new measures in place.

1. By default, NO user ids have permission to log on remotely.

2. I have created a new user id with a non-obvious name, and an even stronger password than I have used in the past. Only this user id is permitted to log on remotely.

3. I have activated the software firewall (IPFW).

4. I have added a script that monitors the security log and spots repeated attacks from the same IP address. It then adds a rule to the software firewall to block that IP address.

It’s been running 3 days so far and in that time it has blocked attacks from over 300 unique IP addresses.

The security logs now look a little different:

Sep 3 16:30:07 wsprosys04 sshd[10409]: error: PAM: Authentication failure for illegal user vpn from 122.255.3.35

Sep 3 16:30:07 wsprosys04 sshd[10409]: Failed keyboard-interactive/pam for invalid user vpn from 122.255.3.35 port 53244 ssh2

Sep 3 16:30:07 wsprosys04 sshdfilt[112]: Chanced valid user name from 122.255.3.35, 3 guesses out of 3

Sep 3 16:30:07 wsprosys04 sshdfilt[112]: Illegal user name, blocking 122.255.3.35 after 3 chances

Sep 3 16:33:52 wsprosys04 sshd[10419]: Did not receive identification string from 202.7.89.240

Sep 3 16:33:52 wsprosys04 sshdfilt[140]: No ssh id string from client, blocking 202.7.89.240 after 0 chances
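The monitor described in step 4 above, and the chance-based blocking visible in the sshdfilt lines just shown, as an added example. This is my own illustration, not the author’s sshdfilt script and not code from the original post: it reads sshd’s per-attempt failure lines, keeps a count per source address and failure type, and builds an ipfw deny rule once a source has used up its chances. The chance values for invalid user names (3) and for clients that send no SSH identification string (0) follow the sshdfilt output above; the 5 chances for an existing account, the rule number 200, the whitelist parameter and the sample log (the post’s own lines plus a few constructed ones in the same format) are assumptions made for the example. It targets ipfw as found on OS X 10.5; newer systems would need the equivalent pf rule.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# Per-attempt verdict lines written by sshd on OS X 10.5 (plain password and
# PAM keyboard-interactive); "invalid user" marks a name that does not exist here.
AUTH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed (?:password|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# A client that connected and never sent an SSH version banner: a scanner.
NO_ID = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")

# Failures of each kind a source is allowed before it is blocked.  The values
# for invalid names (3) and a missing banner (0) mirror the sshdfilt lines in
# the post; 5 for an existing account is an assumed value.
CHANCES = {"bad_password": 5, "invalid_user": 3, "no_id_string": 0}

# ipfw evaluates rules in number order and several rules may share a number,
# so the deny rules must carry a number lower than any inbound allow rule.
# 200 is an assumption for this example.
DENY_RULE = "200"

# Constructed sample: the post's own lines plus extra ones in the same format.
SAMPLE_LOG = """\
Aug 31 17:34:28 wsprosys04 sshd[73785]: Failed password for root from 200.210.22.30 port 3244 ssh2
Aug 31 17:34:33 wsprosys04 sshd[73788]: Failed password for root from 200.210.22.30 port 3396 ssh2
Aug 31 17:34:37 wsprosys04 sshd[73791]: Failed password for invalid user admin from 200.210.22.30 port 3545 ssh2
Sep  3 16:29:58 wsprosys04 sshd[10401]: Failed keyboard-interactive/pam for invalid user test from 122.255.3.35 port 53201 ssh2
Sep  3 16:30:03 wsprosys04 sshd[10405]: Failed keyboard-interactive/pam for invalid user guest from 122.255.3.35 port 53222 ssh2
Sep  3 16:30:07 wsprosys04 sshd[10409]: Failed keyboard-interactive/pam for invalid user vpn from 122.255.3.35 port 53244 ssh2
Sep  3 16:33:52 wsprosys04 sshd[10419]: Did not receive identification string from 202.7.89.240
Sep  3 16:33:53 wsprosys04 sshd[10420]: Failed password for invalid user vpn from 122.255.3.35 port 53250 ssh2
"""


def classify(line):
    """Return (category, ip) for a line the monitor cares about, else None."""
    m = NO_ID.search(line)
    if m:
        return "no_id_string", m.group("ip")
    m = AUTH_FAIL.search(line)
    if m:
        return ("invalid_user" if m.group("invalid") else "bad_password"), m.group("ip")
    return None


class SshdMonitor:
    def __init__(self, whitelist=(), dry_run=True):
        # Addresses that must never be blocked (e.g. your own management host).
        self.whitelist = {ipaddress.ip_address(a) for a in whitelist}
        self.dry_run = dry_run
        self.failures = defaultdict(int)   # (ip, category) -> failure count
        self.blocked = []                  # ips in the order they were blocked
        self.commands = []                 # ipfw argv lists built so far

    def feed(self, line):
        """Process one log line; return the ip if this line triggered a block."""
        hit = classify(line)
        if hit is None:
            return None
        category, ip_text = hit
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            return None   # hostname (UseDNS) or junk: never build a rule from it
        if ip in self.blocked or ipaddress.ip_address(ip) in self.whitelist:
            return None
        self.failures[(ip, category)] += 1
        if self.failures[(ip, category)] < CHANCES[category]:
            return None
        self.block(ip)
        return ip

    def block(self, ip):
        # argv list, no shell: nothing from the log can be interpreted as syntax.
        argv = ["ipfw", "add", DENY_RULE, "deny", "ip", "from", ip, "to", "any"]
        self.commands.append(argv)
        self.blocked.append(ip)
        if not self.dry_run:
            subprocess.run(argv, check=True)   # needs root


def scan(log_text, whitelist=(), dry_run=True):
    """Feed every line of log_text to a fresh monitor and return the monitor."""
    mon = SshdMonitor(whitelist, dry_run)
    for line in log_text.splitlines():
        mon.feed(line)
    return mon


if __name__ == "__main__":
    for argv in scan(SAMPLE_LOG).commands:
        print(" ".join(argv))
```

On the sample log this blocks 122.255.3.35 on its third invalid name and 202.7.89.240 on the first missing banner, while 200.210.22.30 (two root guesses, one invalid name) stays under its thresholds. Run it as root with `dry_run=False`, fed from `tail -f` of the security log, to actually install rules. The script reacts to guessing but cannot prevent it; the matching `sshd_config` settings for steps 1 and 2 are `PermitRootLogin no` and `AllowUsers <that one name>`, and if logins are by key, `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` (the PAM keyboard-interactive path in the logs above) removes the password-guessing vector altogether.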

So, it hasn’t stopped the attacks (nothing will), but they are a lot less frequent.

Of course that’s not the end of it. A far more likely method of successfully compromising my server is to take advantage of security flaws in the applications running on it. The best I can do here is to closely follow the alerts when they are issued and keep my patches up to date!

  • Just surfing across a bit of an old post here, but I heartily recommend DenyHosts if you or other readers are looking for additional aid in thwarting these SSH dictionary attacks (which are a constant for anyone with an always-on connection these days…):

    http://denyhosts.sourceforge.net/

    I’ve used DenyHosts on Linux systems in the past and had little trouble getting it running on OS X Leopard by following the documentation and setting up a launchd task. It currently has a blacklist of 200+ IPs, and those auto-expire occasionally 🙂
