Blog de programación, errores, soluciones

Brute Force Attacks on linux

If you have a server online that could be a VPS(virtual private server) or dedicated server you probably are asking ¿how probable is to be my server being attacked?

Brute force attack are more common than you could think, an example is this web, in a week receives attacks from 135 different ips from different places in the globe.

¿How could I know if I’m being attacked?

Well generally all the time you are being attacked, the fact is that the majority of attackers are not person, they are crowlers or robots that try to gain access to your server by brute force.

Think about it, doesn’t matter if your web is big, small, is a business or what ever you are making. You will be attacked all the time.

You may know if you are being attacked checking the logs i your server, you can do this with a simple comand in console:

sudo tail -f /var/log/messages

In log folder you have more logs diferent than only message that you could check with sudo tail

Let’s take a look of what is happening right now:

Mar  4 17:09:30 xserver sshd[5367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:32 xserver sshd[5367]: Failed password for root from 221.181.185.19 port 51842 ssh2
Mar  4 17:09:37 xserver sshd[5367]: message repeated 2 times: [ Failed password for root from 221.181.185.19 port 51842 ssh2]
Mar  4 17:09:37 xserver sshd[5367]: Received disconnect from 221.181.185.19 port 51842:11:  [preauth]
Mar  4 17:09:37 xserver sshd[5367]: Disconnected from authenticating user root 221.181.185.19 port 51842 [preauth]
Mar  4 17:09:37 xserver sshd[5367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:39 xserver sshd[5369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:41 xserver sshd[5369]: Failed password for root from 221.181.185.19 port 16148 ssh2
Mar  4 17:09:45 xserver sshd[5369]: message repeated 2 times: [ Failed password for root from 221.181.185.19 port 16148 ssh2]
Mar  4 17:09:45 xserver sshd[5369]: Received disconnect from 221.181.185.19 port 16148:11:  [preauth]
Mar  4 17:09:45 xserver sshd[5369]: Disconnected from authenticating user root 221.181.185.19 port 16148 [preauth]
Mar  4 17:09:45 xserver sshd[5369]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:47 xserver sshd[5371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:49 xserver sshd[5371]: Failed password for root from 221.181.185.19 port 18175 ssh2
Mar  4 17:09:54 xserver sshd[5371]: message repeated 2 times: [ Failed password for root from 221.181.185.19 port 18175 ssh2]
Mar  4 17:09:54 xserver sshd[5371]: Received disconnect from 221.181.185.19 port 18175:11:  [preauth]
Mar  4 17:09:54 xserver sshd[5371]: Disconnected from authenticating user root 221.181.185.19 port 18175 [preauth]
Mar  4 17:09:54 xserver sshd[5371]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:56 xserver sshd[5373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:09:59 xserver sshd[5373]: Failed password for root from 221.181.185.19 port 24404 ssh2
Mar  4 17:10:03 xserver sshd[5373]: message repeated 2 times: [ Failed password for root from 221.181.185.19 port 24404 ssh2]
Mar  4 17:10:03 xserver sshd[5373]: Received disconnect from 221.181.185.19 port 24404:11:  [preauth]
Mar  4 17:10:03 xserver sshd[5373]: Disconnected from authenticating user root 221.181.185.19 port 24404 [preauth]
Mar  4 17:10:03 xserver sshd[5373]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:10:05 xserver sshd[5375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root
Mar  4 17:10:06 xserver sshd[5375]: Failed password for root from 221.181.185.19 port 27519 ssh2
Mar  4 17:10:11 xserver sshd[5375]: message repeated 2 times: [ Failed password for root from 221.181.185.19 port 27519 ssh2]
Mar  4 17:10:11 xserver sshd[5375]: Received disconnect from 221.181.185.19 port 27519:11:  [preauth]
Mar  4 17:10:11 xserver sshd[5375]: Disconnected from authenticating user root 221.181.185.19 port 27519 [preauth]
Mar  4 17:10:11 xserver sshd[5375]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19  user=root

As you can see we have attacks here, that’s are really quick to the server trying to enter the server with the username root(default name), proving passwords.

¿What could I do to not being hacked?

If you are using root as your user, if it’s allowed to you change it.

Second, use a long key at least 15 character alphanumeric with symbols.

Third block know IPs that are attacking you, you can do this with the following code in console:

 iptables -A INPUT -s {ip to be blocked} -j DROP

Do not block a port block the entire ip.

Example, the following IP is attacking us, lets see if it’s a known IP as abuser

221.181.185.19

Check the IP in https://www.abuseipdb.com/

Well is a Chinese attacker, and was reported as an attacker 42,640 times so we can block it.

To block this ip we will run:

iptables -A INPUT -s 221.181.185.19 -j DROP

Now our attacker could do nothing, all packages from that IP will be dropped.

Another good command is the following and permit us to know what IPs are blocked.

 iptables -L INPUT -v -n

¿Is there a way to automatize this or block IPs automatically?

There are ways to block automatically with some programs, we will se fail2ban that helps to block IPs that are trying to enter on the server.

Here is the fail2ban definition:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2ban

To use fail2ban we will need python installed

One time you have python we could install fail2ban:

sudo apt-get install fail2ban

Once installed we could create a file called jail.local( recommended)

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The fail2ban program read .config file first then .local and overwrite the commands, the .config is a good file for reference.

In .local file change ignoreip line, descomment it.

ignoreip = 127.0.0.1/8

Remember that 127.0.0.1 and :: are localhost ips and you wont this ips blocked. You can add others ips to ignore serparated by spaces this is a good option if you are owner of a static ip, or your workplace has static ip.

After save changes you can run in console:

service fail2ban restart

This will run fail2ban with the new changes.

Another options configurable in .local file are: bantime, maxretry and findtime.

Podemos chequear cuantas ips ha bloqueado con:

fail2ban-client status
Somethig wrong? If you found an error or mistake on the content you can contact me on twitter | @luisg2249_luis.
Last 4 post in same category