Cutting down sshd logs


If you're like me and log into work from home, you should probably be using the AllowUsers option in your sshd_config at work.  This option lets you specify which users may log in, and from which IP addresses.  So, for example, I might have an entry like this:

myUserid@192.168.1.*

which means that the userid myUserid can log in from any IP address on the 192.168.1.x network.  That's not a real IP you're likely to have on the Internet, but it's useful for this example.  It also means that myUserid is not allowed in from any other IP address, so script kiddies running dictionary attacks against your open ssh port won't get in.

Unfortunately, it also means that you get a log entry for every attempt from those same kiddies, for each userid they try.  In some respects it's nice to know who is banging against your systems trying to gain access.  But you are really only interested in who actually gets in.  The others are just an annoyance (though they could possibly DDoS you, but that's another problem that AllowUsers won't address).

Still, if you have your LogWatch logs mailed to you every night (Fedora does this automatically if you have sendmail set up correctly – see my article on ssmtp at Linux.com) and scan them for intrusions, it would be nice not to have to wade through all the failed ssh attempts.  Fortunately, you can easily do this by blocking every incoming IP that isn't in the AllowUsers list.  You simply add entries to the hosts.allow and hosts.deny files.  These files are used by the tcp_wrappers system to deny or allow access to network services.  That means sshd never sees the login scanning attempts, because tcp_wrappers refuses the connection before it ever reaches sshd.

The allow file is checked first for a matching entry, and then the deny file.  If neither file matches, access is granted for the connection.  In our case, the default is to deny everybody.  We do that in the /etc/hosts.deny file like so:

ALL: ALL

This means no one coming in from the network can access anything on this machine.  However, we grant the connections we do want, including ssh, with entries in /etc/hosts.allow that look like this:

ALL: 127.0.0.1

ALL: 192.168.1.

The first entry allows connections from the local machine.  The second entry allows them from the local network (behind our router).  The third allows access to ssh via key files (DSA or other) from specific hosts.  So not only do you have to connect to ssh from specific hosts, you have to do it without providing a password.  Otherwise you'll never even get to the ssh daemon.  Pretty nifty.

The end result is that the LogWatch output is reduced to who got in and which IPs were refused a connection, along with how many times each was refused.  You still get to see who's banging against your system, but you don't have to see all the stupid userids they tried to get in with.  And even better, they never even got a chance to try those userids.
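To show how the two files and AllowUsers combine for a given connection, here is an added example (not from the original post) that models the tcp_wrappers allow-first, deny-second, default-allow order using the hosts.allow and hosts.deny entries and the AllowUsers pattern from the post; the client addresses and the `ssh_login_outcome` helper are constructed for illustration.

```python
# Added example: a small model of tcp_wrappers (hosts.allow / hosts.deny) plus
# sshd's AllowUsers, using the entries from the post. Client addresses below
# are constructed; the matching rules cover only what the post's entries use.
import fnmatch

HOSTS_ALLOW = ["ALL: 127.0.0.1", "ALL: 192.168.1."]   # /etc/hosts.allow
HOSTS_DENY = ["ALL: ALL"]                             # /etc/hosts.deny
ALLOW_USERS = ["myUserid@192.168.1.*"]                # sshd_config AllowUsers


def _client_matches(pattern, client_ip):
    """Match one tcp_wrappers client pattern against a dotted-quad address."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):              # "192.168.1." means address prefix
        return client_ip.startswith(pattern)
    return client_ip == pattern            # exact address


def _line_matches(line, daemon, client_ip):
    """A line matches when both its daemon list and its client list match."""
    daemons, clients = line.split(":", 1)
    daemon_ok = any(d.strip().upper() in ("ALL", daemon.upper())
                    for d in daemons.split(","))
    client_ok = any(_client_matches(c, client_ip) for c in clients.split(","))
    return daemon_ok and client_ok


def tcp_wrappers_allows(daemon, client_ip):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if any(_line_matches(l, daemon, client_ip) for l in HOSTS_ALLOW):
        return True
    if any(_line_matches(l, daemon, client_ip) for l in HOSTS_DENY):
        return False
    return True


def ssh_login_outcome(user, client_ip):
    """Where a login attempt ends up: refused before sshd sees it, rejected by
    AllowUsers (sshd logs the userid), or passed on to authentication."""
    if not tcp_wrappers_allows("sshd", client_ip):
        return "refused by tcp_wrappers (sshd never sees it)"
    if not any(fnmatch.fnmatch(f"{user}@{client_ip}", p) for p in ALLOW_USERS):
        return "rejected by AllowUsers (sshd logs the userid)"
    return "reaches authentication"
```

This only applies when sshd is linked against libwrap; OpenSSH dropped built-in tcp_wrappers support in 6.7, so on newer systems the same effect usually needs a firewall rule instead.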
