ssh log

Asked by STN

I'm sure someone must have found a way to get over the problem I am facing. The only thing I want to do is to get the detailed log from the Ubuntu SSH server. After running the command "sudo sshd /var/log/auth.log" I can get a semi-detailed log like this:
----------------------------------------------------------------------------------------------------------------------------
Mar 11 19:18:07 localhost sshd[10749]: Connection from 61.129.113.52 port 38531
Mar 11 19:18:08 localhost sshd[10749]: Invalid user test from 61.129.113.52
Mar 11 19:18:08 localhost sshd[10749]: error: Could not get shadow information for NOUSER
Mar 11 19:18:08 localhost sshd[10749]: Failed password for invalid user test from 61.129.113.52 port 38531 ssh2
Mar 11 19:18:09 localhost sshd[10751]: Connection from 61.129.113.52 port 38582
Mar 11 19:18:11 localhost sshd[10751]: Invalid user guest from 61.129.113.52
Mar 11 19:18:11 localhost sshd[10751]: error: Could not get shadow information for NOUSER
Mar 11 19:18:11 localhost sshd[10751]: Failed password for invalid user guest from 61.129.113.52 port 38582 ssh2
Mar 11 19:18:11 localhost sshd[10753]: Connection from 61.129.113.52 port 38635
Mar 11 19:18:13 localhost sshd[10753]: Invalid user admin from 61.129.113.52
------------------------------------------------------------------------------------------------------------------------------
I'm sure most people running an SSH server are familiar with this kind of log. The problem is, when you want to send a complaint to the service provider about some of those unauthorized access attempts, all the ISPs want to obtain a detailed log that includes:

1. the specific host(s) from which the user connected
2. the time in GMT at which the incident occurred
3. a short description of what was done

The command "sudo sshd /var/log/auth.log" provides pretty much everything most ISPs are looking for in a log file except the "host IP address" the user was trying to connect to (or connected to).

So, my question is, is there a way to get a log that contains that specific information and looks like this:

"Mar 27 22:11:08 destination IP 123.123.123.123 PID[1010] Connection from 61.129.113.52 port 38635"

If there is no way of getting a log with that info, I'd like to know if there are any other options.

Thanks.

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Frode M. Døving (frode) said :
#1

I do this with iptables:

## SSH Scanners
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --rttl \
        --name SSH -j LOG --log-prefix "SSH_brute_force "

iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

and get log entries like this:

Apr 1 10:47:34 edge kernel: [4823.100000] SSH_brute_force IN=eth0 OUT= MAC=00:00:00:00:00:00:00.... SRC=219.xx.xx.xx DST=81.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=57515 DF PROTO=TCP SPT=57013 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
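The kernel LOG line above already carries both ends of the connection: SRC= is the probing host and DST= is the address on your server it hit, which is exactly the field sshd's own log lacks. As an added example (not code from this thread), the following Python script parses such lines out of /var/log/messages into the three items the ISPs ask for: the attacking host, the time in GMT, and a short description. It assumes the log prefix is SSH_brute_force, and because syslog timestamps carry neither a year nor a timezone, the caller supplies both; the sample lines are constructed with TEST-NET addresses and include a plain sshd line to show that non-matching lines are skipped.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample /var/log/messages lines in the shape produced by the
# "-j LOG --log-prefix" rule. Addresses are from the TEST-NET documentation
# ranges; the trailing sshd line only shows that non-kernel lines are ignored.
SAMPLE_MESSAGES = """\
Apr  1 10:47:34 edge kernel: [4823.100000] SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=57515 DF PROTO=TCP SPT=57013 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 10:47:36 edge kernel: [4825.100000] SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=57516 DF PROTO=TCP SPT=57021 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 10:48:02 edge sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 57030 ssh2
"""

# Syslog timestamp, reporting host, the kernel's optional "[uptime]" marker,
# the log prefix, then the KEY=VALUE fields (flags like DF/SYN have no "=").
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>\S+) (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, year, local_tz, prefix="SSH_brute_force"):
    """Return the fields an abuse report needs, or None if this is not a
    kernel LOG line carrying `prefix`. `year` and `local_tz` are assumptions
    supplied by the caller because syslog timestamps contain neither."""
    m = HEADER_RE.match(line)
    if not m or m.group("prefix") != prefix:
        return None
    fields = m.group("fields")
    kv = dict(KV_RE.findall(fields))
    flags = [tok for tok in fields.split() if "=" not in tok]
    local = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S",
    ).replace(tzinfo=local_tz)
    return {
        "time_utc": local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "src": kv.get("SRC"), "spt": kv.get("SPT"),
        "dst": kv.get("DST"), "dpt": kv.get("DPT"),
        "proto": kv.get("PROTO"), "flags": " ".join(flags),
        "reporter_host": m.group("host"),
    }


def build_report(text, year, local_tz):
    """Parse every matching line and render one report line per hit:
    when (GMT), from where, to which of our hosts, and what happened."""
    records = [r for r in (parse_log_line(l, year, local_tz) for l in text.splitlines()) if r]
    lines = [
        f"{r['time_utc']}: {r['proto']} {r['src']}:{r['spt']} -> {r['dst']}:{r['dpt']} "
        f"({r['flags']}) - new SSH connection rate-limited after 5 new connections "
        f"in 60 s, logged on {r['reporter_host']}"
        for r in records
    ]
    return records, lines


def sample_report(year=2008, utc_offset_hours=2):
    """Run the parser over the constructed sample, assuming the server clock
    was at UTC+2 when the lines were written."""
    return build_report(SAMPLE_MESSAGES, year, timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    _, report = sample_report()
    print("\n".join(report))
```

Feed it `grep SSH_brute_force /var/log/messages` output and set the offset to whatever your server's clock uses; if the machine already runs on UTC, pass an offset of 0 and the timestamps are the GMT times the ISP asked for.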

Alan Pope 🍺🐧🐱 🦄 (popey) said :
#2

In my opinion you are wasting your time. If you just move ssh to another port (like 2222) you will reduce this kind of probing down to pretty much nothing.

It's only security through obscurity, but it is effective for reducing these attacks.

STN (sithu) said :
#3

I don't think diverting ssh to listen on port 2222 will solve the problem. However, I thank you all for your replies.

Has anyone tried AIDE (Advanced Intrusion Detection Environment), suggested in this wiki http://wiki.linuxhelp.net/index.php/Debian_Log_Server ?

The only thing I feel kinda uncomfortable about is that you have to open another port on your server just to get the log. I guess iptables might do just fine for me. But if anyone has any suggestion on AIDE, I am all ears.

Alan Pope 🍺🐧🐱 🦄 (popey) said :
#4

Moving SSH to some other port like 2222 reduces the number of attacks from many hundreds per day to zero. I would say that's pretty effective.

I have multiple SSH servers and they all run on non-22 ports, I monitor the logs daily, and in the few years they have been like that I have never had a single SSH probe.

I am not suggesting it is the only or best option, but to suggest that moving SSH to another port won't stop these logs appearing as a result of attacks is just wrong.

Other things that can be done include port-knocking and using tools such as fail2ban to block users who attempt to logon repeatedly.

STN (sithu) said :
#5

Thanks Alan for your fast response. I have already put some measures in place to prevent repeated unauthorized login attempts. The reason why I want to have a detailed log is to be able to provide all the necessary info when/if I want to report one of those failed attempts to the user's ISP. I rarely do that. But it won't harm anybody to have the detailed log handy just in case you need it, right? That's all the idea behind the detailed log.

I'm gonna try AIDE and test it anyway just to see how well it can do its job.

Thank you guys. You guys are awesome!

Frode M. Døving (frode) said :
#6

Looks like I didn't mention it, but the latter of my iptables rules does block IPs trying to connect more than 5 times in 60 seconds. You can of course tweak that to your liking.
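The rules above count new connections per source address in a sliding 60-second window. As an added example (not from this thread), the Python below approximates that `--seconds 60 --hitcount 5` logic over constructed sshd "Connection from" lines in the same format as the auth.log excerpt in the question, so you can see which attempts the LOG and DROP rules would fire on and which later attempt falls outside the window. It is a model of the counting, not the kernel's xt_recent code: it counts the current attempt toward the hit count (the `--set` rule records the packet before the `--update` rule tests it), ignores `--rttl` since sshd lines carry no TTL, and assumes the log year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines shaped like the auth.log excerpt in the question:
# six new connections from one source inside a minute, one from another
# source, and one more from the first source after the window has expired.
SAMPLE_AUTH_LOG = """\
Mar 11 19:18:07 localhost sshd[10749]: Connection from 203.0.113.5 port 38531
Mar 11 19:18:08 localhost sshd[10749]: Failed password for invalid user test from 203.0.113.5 port 38531 ssh2
Mar 11 19:18:09 localhost sshd[10751]: Connection from 203.0.113.5 port 38582
Mar 11 19:18:11 localhost sshd[10753]: Connection from 203.0.113.5 port 38635
Mar 11 19:18:14 localhost sshd[10755]: Connection from 203.0.113.5 port 38690
Mar 11 19:18:20 localhost sshd[10757]: Connection from 198.51.100.9 port 50001
Mar 11 19:18:30 localhost sshd[10759]: Connection from 203.0.113.5 port 38744
Mar 11 19:18:45 localhost sshd[10761]: Connection from 203.0.113.5 port 38790
Mar 11 19:20:00 localhost sshd[10763]: Connection from 203.0.113.5 port 38900
"""

# Only the "Connection from" lines correspond to the NEW TCP connections the
# iptables rules see; "Failed password" lines belong to an already counted one.
CONN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_connections(text, year):
    """Return (timestamp, source, source_port) for each new connection.
    `year` is assumed by the caller because syslog timestamps omit it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            conns.append((ts, m.group("src"), int(m.group("port"))))
    return conns


def detect_bursts(conns, seconds=60, hitcount=5):
    """Sliding-window model of "-m recent --update --seconds S --hitcount N":
    for each source keep the times of its recent new connections, drop those
    older than the window, and flag the attempt once N or more remain
    (including the current one). Returns (ts, src, port, hits_in_window)."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)
    flagged = []
    for ts, src, port in conns:  # lines are processed in log order
        stamps = recent[src]
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        stamps.append(ts)
        if len(stamps) >= hitcount:
            flagged.append((ts, src, port, len(stamps)))
    return flagged


if __name__ == "__main__":
    for ts, src, port, n in detect_bursts(parse_connections(SAMPLE_AUTH_LOG, 2008)):
        print(f"{ts:%b %d %H:%M:%S} {src}:{port} would be logged and dropped ({n} in window)")
```

The first four attempts from 203.0.113.5 pass through untouched; the fifth and sixth within the minute are the ones the LOG and DROP rules would catch, and the attempt at 19:20:00 starts a fresh count because everything earlier has aged out of the window. That also explains why testing with three wrong passwords on one connection produces no kernel log line: the rules count new TCP connections, not password failures.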

STN (sithu) said :
#7

Alright Frode.

You've convinced me that iptables will give me exactly what I want. Can you elaborate more on iptables or direct me to the right place? I haven't a clue how to set up iptables, let alone how to pull the log.

I did this on my SSH server: sudo iptables -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl -j LOG --log-prefix "SSH "

Basically, I just copied pretty much everything from your iptables rules and "sudo"-ed them in the console.

I don't know if it's gonna work or not.

Frode M. Døving (frode) said :
#8

http://iptables-tutorial.frozentux.net/iptables-tutorial.html - nice iptables howto / tutorial if you want to learn iptables.

Examples with notes and some information on what happens:
http://hostingfu.com/article/ssh-dictionary-attack-prevention-with-iptables
http://mwolf.net/archive/iptables-against-ssh/
http://www.debian-administration.org/articles/187

I think that'll get you started.

Enjoy the power of iptables.

- Frode

STN (sithu) said :
#9

I read the tutorial last week and I have been googling since then. I still haven't found any info on how to edit iptables (maybe I didn't realize that it's there?).

Most of them give me the iptables rules and how to change them according to my needs by explaining the iptables manual, such as what -m means and what it will do, etc. But they don't tell me how to get inside iptables or how I would edit it. So far, one of those sites mentioned how to check whether iptables is already on my Linux box, and I get this result "iptables v1.3.5" after I run this command "iptables -V". I believe it is telling me that the iptables I have on my Linux box is version 1.3.5.

I have a fairly good idea about the rules that I should add to iptables. The question is HOW? A lot of those rules seem to be in a certain configuration file where you can edit everything in one place, just as you would edit ssh by editing /etc/ssh/sshd_config. At least that's my assumption about editing iptables instead of sudoing every rule in the console.

Can you tell me which file(s) I should be editing? Is it this file, /etc/iptables? I have tried a couple of those files just to see if I can edit them. So far all I get is this after editing /etc/iptables.

sudo -e /etc/iptables (in console)

Then I added some rules.

iptables -ls
iptables v1.3.5: Unknown arg `iptables'
Try `iptables -h' or 'iptables --help' for more information.

I did this after adding some rules in iptables.

sudo /etc/init.d/iptables restart
sudo: /etc/init.d/iptables: command not found

sudo /etc/init.d/iptables start
sudo: /etc/init.d/iptables: command not found

sudo iptables start
Bad argument `start'
Try `iptables -h' or 'iptables --help' for more information.

I don't even know if iptables is already running or not.
Any more suggestion?

Frode M. Døving (frode) said :
#10

Hi.
First of all, I'm sorry about the delay in answering your post.

iptables is a command to manipulate the rules of the built-in Linux kernel firewall.

You can write your own file/script with your own rules.
I use /etc/rc.fw
for you it could look like this:

#!/bin/sh
## SSH Scanners
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
         -m recent --update --seconds 60 --hitcount 5 --rttl \
         --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
         -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

# end of file.

Now, you need to trigger this script whenever you enable your network connection.
I do it in /etc/network/interfaces with a pre-up command. Make sure to make the script executable with 'sudo chmod +x /etc/rc.fw'
Example /etc/network/interfaces setup:

auto eth0
iface eth0 inet static
    pre-up /etc/rc.fw
    address 192.168.22.10
    netmask 255.255.255.0
    gateway 192.168.22.1

Hope this helps you.

STN (sithu) said :
#11

Thanks Frode!

I have one last question. When you want to get the log, how would you get it? Just the plain old "grep", typing the iptables rule name like this: grep SSH_BRUTE_FORCE, just like in your example?

Frode M. Døving (frode) said :
#12

I use:
'grep -i ssh_brute_force /var/log/messages'

- Frode

STN (sithu) said :
#13

I got this error after I did "/etc/init.d/networking restart" to restart my network interface:

/etc/rc.fw: 4: --name: not found
/etc/rc.fw: 10: -j: not found

and I couldn't get a proper IP. So the server basically is not accessible anymore. So I switched back to DHCP and got the IP again. Then I rebooted the server. Then I checked whether the iptables rules I set up are there or not with "iptables --list", and all the rules are there and accounted for.

So it sounds like iptables started without "pre-up"?

However, I found out just a few minutes ago that iptables is not producing logs anymore, because I saw a few failed access attempts to SSH by doing this: 'grep sshd /var/log/auth.log'. If I'm not mistaken, if I see some failed login attempts in "ssh /var/log/auth.log", iptables should produce the log for those attempts. But I don't see any log after 19 April, although (of course) there are quite a few failed attempts after April 19.

I even tried to log in to my SSH server with the wrong password three times just to see if iptables produces any log for those attempts, and there was none. But I can see those failed attempts in '/var/log/auth.log'.

My iptables script is almost identical to yours (because I copied your script :D) and I edited '/etc/network/interfaces' to trigger the iptables script (which gave me the error). I made sure that I changed the mode of /etc/rc.fw to be executable with "chmod +x /etc/rc.fw".

So what do you think is the problem?

Thanks a lot for your help Frode.

STN

Frode M. Døving (frode) said :
#14

Hi.

I think the problem is that you're missing the '\' at the end of some lines.
Can that be true, if you compare your script to the one in the previous comment?

However, if that's not the case, please try this instead:
#!/bin/sh
## SSH Scanners
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
# end of file.

That is 3 long lines, all starting with 'iptables'.

- Frode
