Category Archives: Security

DDOS protection

Did you ever wonder what Cloudflare [1] is? It is basically a protection against Distributed Denial of Service attacks [2], in which your server is flooded with a massive amount of incoming traffic in an attempt to overload it.

But there is an easy and low-cost way to protect your server – at least if you are running it on Linux. Simply check out DDoS Deflate on GitHub [3]. Once installed, the script checks your incoming traffic at regular intervals. As soon as a single IP address generates a critical number of incoming connection attempts, that IP address is blocked.

Just keep in mind that you might want to whitelist certain IP addresses or domains – check the manual for how to do that.

Update 2017/12/12:

After installing DDoS Deflate [3] on jvr.at, the impact can be seen in the website statistics: no more peaks pointing at a DoS attack since the beginning of December.


[1] Cloudflare.com

[2] Wikipedia, Denial of Service Attack

[3] Github, DDoS Deflate


Block SSH Brute Force Attacks

I already advised in one of my previous posts [1] to disable root login on your Linux host. Nevertheless, sooner or later somebody will try to attack you with an SSH brute force attack. For those who are not familiar with brute force attacks: these are attacks in which all possible passwords are tried [2]. Starting from single-character passwords and going up to an unbounded length, you can imagine how many possibilities there are to try – hence "brute force". You can also imagine that this consumes network bandwidth on one side and processor load on the other.

So, as suggested in [1], set the root password according to modern standards and definitely turn off SSH root login. Nevertheless, at a certain point somebody will try to perform an SSH brute force attack.

A clear indication of an SSH brute force attack is finding something like this in your /var/log/auth.log:

Feb 17 05:57:26 lvps5-35-244-75 CRON[30441]: pam_unix(cron:session): session closed for user root
Feb 17 05:58:12 lvps5-35-244-75 sshd[17899]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:14 lvps5-35-244-75 sshd[17899]: Failed password for root from 115.239.228.15 port 39623 ssh2
Feb 17 05:58:19 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:21 lvps5-35-244-75 sshd[17899]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:33 lvps5-35-244-75 sshd[17901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:35 lvps5-35-244-75 sshd[17901]: Failed password for root from 115.239.228.15 port 40071 ssh2
Feb 17 05:58:41 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:43 lvps5-35-244-75 sshd[17901]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:45 lvps5-35-244-75 sshd[17906]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:58:47 lvps5-35-244-75 sshd[17906]: Failed password for root from 115.239.228.15 port 52315 ssh2
Feb 17 05:58:56 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:58:58 lvps5-35-244-75 sshd[17906]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:01 lvps5-35-244-75 CRON[17913]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 17 05:59:01 lvps5-35-244-75 CRON[17913]: pam_unix(cron:session): session closed for user root
Feb 17 05:59:02 lvps5-35-244-75 sshd[17911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:04 lvps5-35-244-75 sshd[17911]: Failed password for root from 115.239.228.15 port 42931 ssh2
Feb 17 05:59:09 lvps5-35-244-75 last message repeated 2 times
Feb 17 05:59:11 lvps5-35-244-75 sshd[17911]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:21 lvps5-35-244-75 sshd[17916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.15 user=root
Feb 17 05:59:23 lvps5-35-244-75 sshd[17916]: Failed password for root from 115.239.228.15 port 42738 ssh2 

So, what to do? Panic? No!

The solution is simple: use iptables to slow down the flow of requests. The idea is to drop any new SSH connection from a single source that has already made 4 connection attempts within one minute. This can be done with the following commands:

# -I inserts at the top of the INPUT chain, so after both commands the --update/DROP
# rule is evaluated first; a new connection only reaches the --set rule if it was not dropped
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

If you watch your /var/log/auth.log, you will notice that the number of connection attempts decreases. So, time to relax and have a cup of tea.

Please note that these rules are only active until your next reboot. I actually prefer to test the rules first before applying them permanently. If you are sure and want to make them permanent, please follow the official Ubuntu Howto [3].
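To see the "4 hits within 60 seconds per source" logic of the rule above applied to log data, here is an added shell function (my own example, not code from this post and not part of DDoS Deflate, which applies the same per-source threshold idea to connection counts). It parses "Failed password" lines from a constructed auth.log excerpt modelled on the one above, assumes all lines are from the same day, and reports every source that reached the threshold inside a sliding window:

```shell
#!/bin/sh
# Constructed sample auth.log excerpt: one brute-forcing source (as in the post)
# plus one host with two failures half an hour apart, which should not be reported.
SAMPLE_AUTH_LOG='Feb 17 05:58:14 host sshd[17899]: Failed password for root from 115.239.228.15 port 39623 ssh2
Feb 17 05:58:35 host sshd[17901]: Failed password for root from 115.239.228.15 port 40071 ssh2
Feb 17 05:58:47 host sshd[17906]: Failed password for root from 115.239.228.15 port 52315 ssh2
Feb 17 05:59:04 host sshd[17911]: Failed password for root from 115.239.228.15 port 42931 ssh2
Feb 17 05:59:23 host sshd[17916]: Failed password for root from 115.239.228.15 port 42738 ssh2
Feb 17 06:10:02 host sshd[17950]: Failed password for alice from 192.0.2.7 port 51000 ssh2
Feb 17 06:40:10 host sshd[17981]: Failed password for alice from 192.0.2.7 port 51002 ssh2'

# brute_force_sources LOGTEXT [HITCOUNT] [SECONDS]
# Prints "IP count" for every source IP with at least HITCOUNT failed SSH
# passwords inside some SECONDS-wide window (defaults 4 and 60, mirroring the
# --hitcount/--seconds values of the iptables recent rule). Timestamps are
# converted to seconds since midnight, so the excerpt must come from one day.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v hits="${2:-4}" -v win="${3:-60}" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        # the source address is the word after "from" (works for "invalid user X from" too)
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++
        stamp[ip, n[ip]] = ts
    }
    END {
        for (ip in n) {
            best = 0
            # sliding window: starting at each failure, count failures within win seconds
            for (i = 1; i <= n[ip]; i++) {
                c = 0
                for (j = i; j <= n[ip] && stamp[ip, j] - stamp[ip, i] <= win; j++) c++
                if (c > best) best = c
            }
            if (best >= hits) print ip, best
        }
    }'
}

brute_force_sources "$SAMPLE_AUTH_LOG"   # prints: 115.239.228.15 4
```

On a live host, feed it the real file with brute_force_sources "$(cat /var/log/auth.log)" to check which sources the iptables rule would have caught.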

Have a safe day!


[1] jvr.at, Basic Security for Linux hosts

[2] Wikipedia, Brute Force Attack

[3] Ubuntu.com, iptables Howto