Iptables and Blocking SSH/FTP Access

Having problems with my server getting hacked and want to block all SSH and FTP access except by me (kind of).

I’ve had my ftp passwords acquired via a security hole in Filezilla/Adobe reader and now my root password (not sure how that happened: https://www.virtualmin.com/node/13963).

I connect to the Internet via BSKYB which allocates a new IP each time, so can’t block all access except to one IP (used this method before when I had a static IP).

The IPs I connect from always start with 90 or 94 listed at http://www.ip-db.com/as5607

90.192.0.0/11
94.0.0.0/12

What I would like to do is block all access to SSH and FTP except from the 2 IP ranges above so only BSKYB customers can access SSH/FTP. Not 100% blocked, but better than what I have now.

I’ve got the Virtualmin GPL Linux Firewall module running and block IPs one by one. Could I use the module to block access as described above?

If I had the above in place both recent attacks would have failed or at least they wouldn’t have been able to access the server even with the passwords.

If this is possible detailed instructions would be appreciated :)

David

I might suggest starting via a simpler route, which would be to prevent users from remotely logging in as root.

Instead, you can login as another user, and then su or sudo to root.

Before making that change, make sure su works :)

Once you do that, to configure SSH to not allow root access, you can edit /etc/ssh/sshd_config, and tweak “PermitRootLogin”.

Setting it to “no” will disallow all remote root logins.

Setting it to “without-password” means that root can login, but only via an SSH key.

As far as FTP goes – root can’t login remotely over FTP by default.

If you still want to explore using a firewall, you can set up firewall rules in the Virtualmin GUI by going into Webmin -> Networking -> Linux firewall.

-Eric

I’ll look into the above.

I’m going to try the instructions here http://wiki.centos.org/HowTos/Network/SecuringSSH#head-9c01429983dccbf74ade8674815980dc6434d3ba

  1. Use Public/Private Keys for Authentication

I’d still want to be able to limit FTP access to only BSKYB IPs as then if someone does get my FTP passwords again, they can’t use them unless they are a BSKYB ISP user.

Is it possible to do what I’ve suggested above?

I’ve been using the Linux Firewall module for a while to block IPs one by one that try to access the server by SSH or FTP that’s not me (I’m the only person that uses the server).

I’ve just added

-A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
-A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

Two sets, one as above for those checking port 22 and a second set for the port I’m using for SSH.

Got the rules from http://wiki.centos.org/HowTos/Network/SecuringSSH#head-9c01429983dccbf74ade8674815980dc6434d3ba

  1. Filter SSH at the Firewall

That will block any IP that tries to login to SSH 4 times in a minute to port 22 and the port I now use for SSH. Would this work for FTP access and if so are these the rules?

-A INPUT -p tcp --dport 21 -m recent --set --name ftp --rsource
-A INPUT -p tcp --dport 21 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ftp --rsource -j ACCEPT

I’ve changed ssh to ftp and the port to 21. Don’t want to try it without knowing it will work since the FTP server is called ProFTPD so might be I have to use ProFTPD instead of ftp?

I’ve noticed when someone is checking for usernames on the server they’ll check the domain names on the server minus the tld. Didn’t know this when I started using dedicated servers and have some usernames that do match the domain names (I now add random characters to the usernames of new servers). Under Virtualmin is there a way to change a username without deleting the server and starting again?

There really should be easier ways to secure a server by now, along the lines of by default security is maximised. I suppose if it was easier it would be easier to hack as well!

David
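The following is an added example, not code from the thread or from Virtualmin, that puts the two requests above together: the original post's wish to allow SSH/FTP only from the 90.192.0.0/11 and 94.0.0.0/12 ranges, and the later question about reusing the "recent" rate-limit rules for port 21. The `--name` argument of the recent match is only a label for the tracking list, so `ftp` (or any other word) is fine regardless of the FTP daemon; ProFTPD is irrelevant to the firewall. The script emits an iptables-restore fragment (print it, review it, then feed it to `iptables-restore`) and includes a small CIDR check so you can confirm your current source IP is inside the allowed ranges before applying anything. Port 2222 is an assumed placeholder for the poster's unnamed alternate SSH port.

```shell
#!/bin/sh
# Added example: allow SSH and FTP only from the BSKYB ranges quoted in the
# thread, keep the "recent" rate limit, and explicitly DROP everything else
# to those ports (the posted rules only ACCEPT; blocking needs a later DROP).

ALLOWED_NETS="90.192.0.0/11 94.0.0.0/12"
SSH_PORTS="22 2222"   # 2222 is an assumed stand-in for the poster's custom port
FTP_PORT=21

# ip_to_int: dotted quad -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR, 1 otherwise
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# allowed_source IP: exit 0 if IP is inside any of ALLOWED_NETS
allowed_source() {
    for n in $ALLOWED_NETS; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# emit_rules: print an iptables-restore fragment for the filter table.
# For each port: track + accept from allowed nets (max 4 new connections
# per 60 s per source), then drop anything else aimed at that port.
emit_rules() {
    echo '*filter'
    for p in $SSH_PORTS $FTP_PORT; do
        name="port$p"   # one recent list per port; the label is arbitrary
        for n in $ALLOWED_NETS; do
            echo "-A INPUT -p tcp -s $n --dport $p -m recent --set --name $name --rsource"
            echo "-A INPUT -p tcp -s $n --dport $p -m recent ! --rcheck --seconds 60 --hitcount 4 --name $name --rsource -j ACCEPT"
        done
        # not in the allowed ranges, or over the hit limit: drop
        echo "-A INPUT -p tcp --dport $p -j DROP"
    done
    echo 'COMMIT'
}

emit_rules
```

Run it with your current address first (`allowed_source 90.200.1.1 && echo ok`) so you do not lock yourself out, and keep an existing session open while loading the rules. These rules cover only the FTP control connection on port 21; passive-mode data connections use a separate port range (ProFTPD's `PassivePorts` directive), so restrict that range with the same source filter if passive FTP must keep working.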