While checking out /var/log/secure, I noticed that a particular IP address has been repeatedly trying to gain access to my system. The log is full of messages of the type:
Jan 25 23:53:50 admin sshd: refused connect from BAD.IP.ADD.RESS (BAD.IP.ADD.RESS)
In an attempt to make my server more secure, I did the following:
iptables -A INPUT -s BAD.IP.ADD.RESS -j DROP
/sbin/service iptables save
When I did a iptables -L, the system reported:
DROP all – BAD.IP.ADD.RESS anywhere
so all looks good, however, the log continues to show refused connections from this IP.
Did I take the right actions to block this IP address?
- If yes, then why am I continuing to see the log entries?
- If no, then what should I do?
This sound like someone is trying brute force against your server. I dont think blocking just one IP or even few does any good as person from the other side can easy change IP or in most cases use botnet with hundreds or even thousands of IP’s. I can tell you what i did with my server (clean/fresh Centos 7 with Webmin/Virtualmin) - first i removed SSH login with password and instead use keys.
- To do that you need to download PuTTY Key Generator (PuTTYgen.exe) from PuTTY website and start it.
- Once you start KeyGen be sure you have selected under "Type of key to generate": SSH-2 RSA
- Click on "Generate" and move your mouse over KeyGen window to generate random sequence for the key
- Once generated select entire key and c/p in notepad++ and save as TXT (e.g. myVPSprivatekey.txt) somewhere (you will need this again). I always use notepad++ so i'm sure my text editor will not break the line(s) or insert something i dont want but probably win notepad can do the same.
- Once done think for something nice and hard to guess for "Key passphrase". This is same as with password so you should go for 12 characters or even more. I personally use 20 for all my important stuff with AZ - az - 09 character combination.
- Fill that passphrase to "Key / Confirm passphrase"
- Once done click on "Save private key" and save it in place where will not get lost (you can do same with TXT file)
- Now start PuTTY, under "Saved Sessions" click on "Default Settings" and then "Load"
- From left menu find Connection -> SSH -> Auth and once there click on "Browse..."
- Now find your file with private key, e.g. myVPSprivatekey.ppk (not TXT file), and then "Open"
- On left menu back to Sessions, select "Default Settings" and then click on "Save" (dont forget to fill up your IP and port on same page). If you want you can save as new session, its up to you.
- Now log on your server in classic way with root and password
mkdir ~/.ssh; touch ~/.ssh/authorized_keys; chmod 700 ~/.ssh
- If you dont have nano it takes 2 sec to install or use any other text editor
- Once you open "authorized_keys" c/p the key from the TXT file, save and exit.
- Check if you did everything ok (please do that!!!)
- Once done open "/etc/ssh/sshd_config" with text editor and search for "PasswordAuthentication yes" and change that to "PasswordAuthentication no"
- Check if you have "ChallengeResponseAuthentication no" if it say "yes" change it to "no"
- Both lines must be uncommented
- Check if you have
# The default requires explicit activation of protocol 1
In case you dont have it or it say something else change to what you see here.
- Restart your server, log back and now it will ask you your name and passphrase, e.g. root and 12345 where 12345 is your passphrase and not your root password.
Another thing you can do is change default SSH port.
- Log into your Webmin
- Go to Webmin -> Servers -> SSH server -> Networking
- Change "Listen on port" to something else, e.g. port: 4851, click on "Save"
- On "SSH server" page click "Apply Changes"
- Dont forget to update your iptables with new SSH port
From now on you will use key to authenticate SSH on non-default port. Nothing is 100% safe but at least you made a lot harder for people to brute force your server.
To be sure you will not delete your two files with keys open your email (pref. new email on gmail) and send it to yourself. Use same email for similar things and just that, do not use it publicly or give to anyone.
You can use fail2ban but honestly i gave up as i encounter so many problems with Centos 7 that made me crazy (it was ok on Centos 6.6).
I dont think for myself as some sort of sysadmin guru so if you want wait and see what others have to say.
In addition to the above ideas, it’s good practice to install an “intrusion detection system” (IDS) on your server to automate protection against annoying attacks.
The IDS will detect common attacks and take appropriate measures to reduce the impact you face. In addition, if the attack is serious enough and potentially affecting other customers I’d report the matter to your provider to see if they can take measures higher in the network infrastructure.
A few IDS’ that come to mind are:
Ask me about my new support plans which include a FREE copy of Virtualmin Pro!!!