2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
During a recent cloud launch, a CVM bound to a public floating IP was repeatedly subjected to SSH brute-force attacks from the Internet, and its users had set weak passwords. The resulting security problems prompted some thoughts on how to defend against SSH brute-force cracking.
SSH brute force cracking
Hydra and Medusa are widely used online brute-force password tools that support almost every network protocol. Whether a password falls depends on whether the dictionary is good enough; in security testing, hydra and medusa are standard tools, and combining them with a password list built from leaked credentials (a "social work library") sometimes produces unexpected results. The figure shows the two tools enumerating SSH passwords with a password dictionary.
Iptables restricts SSH access frequency
Brute forcing is trial and error, so by its nature two things raise the cracking time to an intolerable level: increasing the number of guesses required and reducing the rate at which guesses can be made.
Increasing the number of guesses means nothing more than longer passwords, more complex passwords, and passwords that are changed regularly. Reducing the guess rate is a defence worth trying as well.
SSH access-frequency limiting is implemented with the state module and the recent module of iptables. The less commonly used recent extension is explained here in more detail.
Recent module
recent is an extension that dynamically builds lists of IP addresses which later rules can match in several ways. The options used in this article are --name (the list to operate on), --set (add the source address to the list, or refresh its entry), --rcheck (check whether the source address is in the list without updating it), --seconds (only match if the address was seen within the last N seconds) and --hitcount (only match if at least N packets from the address were recorded in that window).
Content of iptables rules
To control the SSH access frequency, two iptables rules are needed. Both are inserted with -I, so the second command ends up first in the INPUT chain: every new SSH connection is first recorded in the list (--set) and then checked, and the third new connection from the same source within 60 seconds is dropped.
# if the SSH access comes from a source IP that is in the recent list and has been seen 3 or more times within 60 seconds, drop it
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH_RECENT --rcheck --seconds 60 --hitcount 3 -j DROP
# every new SSH connection adds (or refreshes) the source IP in the recent list
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH_RECENT --set
Effect
The effect is shown in the following figure. High-frequency password attempts are cut off and cannot resume until the one-minute window has expired; because every new attempt refreshes the entry, a source that keeps hammering the port stays blocked.
The /proc/net/xt_recent directory contains a file named SSH_RECENT, listing each source IP recorded by the rules above together with the timestamps of its most recent packets. By default up to 20 packet timestamps are kept per address (ip_pkt_list_tot) and up to 100 addresses per list (ip_list_tot); both are parameters of the xt_recent module (ipt_recent on older kernels) and can be raised, for example to ip_pkt_list_tot=50 and ip_list_tot=1024. They are read only when the module is loaded, so set them in a file under /etc/modprobe.d/ (options xt_recent ip_list_tot=1024 ip_pkt_list_tot=50) or unload and reload the module; running modprobe with parameters against a module that is already loaded changes nothing.
Iptables opens the SSH port remotely
Any serious attack starts with network reconnaissance. If the attacker does not find an SSH service on the target during the scanning phase, the plan to attack SSH is frustrated. The common trick is to move SSH from the default port 22 to another port to confuse port scanners, but the service behind any open port can still be identified with tools such as nmap, as shown in the following figure. Here a different trick is used: an ICMP echo request of a specific length acts as the key that opens the SSH service on the host, and the SSH port stays hidden otherwise.
Content of iptables rules
The ICMP packet of the specified length is used as the key that opens the SSH service for the sender. The iptables rules are shown below. They are appended with -A, so they must come before any rule that already accepts port 22, and it is the final DROP that hides the port from everyone who has not knocked.
# a 78-byte ICMP echo request (20 bytes of IP header + 8 bytes of ICMP header + 50 bytes of data, i.e. ping -s 50) adds the source IP to the SSH whitelist
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --name SSH_ALLOW --set -j ACCEPT
# a new SSH connection is accepted only if the source IP was whitelisted within the last 15 seconds
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH_ALLOW --rcheck --seconds 15 -j ACCEPT
# packets of SSH connections that are already established are accepted
iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
# everything else sent to the SSH port is dropped
iptables -A INPUT -p tcp --dport 22 -j DROP
Effect
The result is shown in the following figure. The SSH service is not reachable until the ICMP packet of the specified length is sent (step 1); after a ping with that packet length (step 2), SSH connects normally (step 3). In this way the ICMP packet of the specified length is the key that opens the SSH service. The mechanism is the same recent-list matching as the frequency limit in the previous section. Keep in mind that the knock travels in clear text: anyone who can observe the path can see and replay it, so this hides the port from scanners but does not replace authentication.
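The two iptables sections above (the rate limit with the SSH_RECENT list and the ICMP knock with the SSH_ALLOW list) can be applied, inspected and undone from one script. The following is an added example, not code from the original page: it assumes a CentOS 7-style host with iptables 1.4.11 or later (for the -C rule check) and the xt_recent module, keeps the article's list names, windows, hit count and 78-byte knock, and uses -m conntrack --ctstate where the article uses -m state.

```shell
#!/bin/sh
# ssh_guard.sh: the two iptables defences from this article, applied idempotently
# and inspected from one script. Added example, not code from the original page.
# Assumptions: CentOS 7-style host, iptables >= 1.4.11 (for -C), xt_recent loaded;
# list names, windows, hit count and 78-byte knock length are the article's values.
# Usage (as root): ./ssh_guard.sh ratelimit | knock-server | status | unban ADDR
#       (any user): ./ssh_guard.sh knock HOST

SSH_PORT=${SSH_PORT:-22}
RL_LIST=SSH_RECENT; RL_SECONDS=60; RL_HITS=3         # rate limit: 3 new connections per 60 s
KN_LIST=SSH_ALLOW;  KN_SECONDS=15; KN_TOTAL_LEN=78   # knock: 78-byte echo request opens port for 15 s

# ping -s payload size that yields a KN_TOTAL_LEN-byte IPv4 packet (20 IP + 8 ICMP header)
knock_payload() { echo $((KN_TOTAL_LEN - 28)); }

need_root() { [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }; }

# add_once -A|-I RULE...: add RULE to INPUT unless an identical rule is already there,
# so the script can be re-run without duplicating rules or disturbing their order
add_once() {
  how=$1; shift
  iptables -C INPUT "$@" 2>/dev/null || iptables "$how" INPUT "$@"
}

ratelimit() {
  # both inserted at the top; the --set rule is inserted last so it runs first
  add_once -I -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --name "$RL_LIST" --rcheck --seconds "$RL_SECONDS" --hitcount "$RL_HITS" -j DROP
  add_once -I -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --name "$RL_LIST" --set
}

knock_server() {
  # appended in order: knock -> whitelist, whitelisted NEW -> accept, established -> accept, rest -> drop.
  # An earlier rule that already accepts port 22 would bypass the final DROP; check with `status`.
  add_once -A -p icmp --icmp-type 8 -m length --length "$KN_TOTAL_LEN" \
    -m recent --name "$KN_LIST" --set -j ACCEPT
  add_once -A -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
    -m recent --name "$KN_LIST" --rcheck --seconds "$KN_SECONDS" -j ACCEPT
  add_once -A -p tcp --dport "$SSH_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT
  add_once -A -p tcp --dport "$SSH_PORT" -j DROP
}

# knock HOST: one echo request of the right size; the reply may be filtered, so the exit code is ignored
knock() { ping -c 1 -W 1 -s "$(knock_payload)" "$1" >/dev/null 2>&1 || true; }

# status: the relevant rules plus the kernel's view of both lists
# (one line per address: src, ttl, last_seen and the packet timestamps, all in jiffies)
status() {
  iptables -S INPUT | grep -E "$RL_LIST|$KN_LIST|dport $SSH_PORT" || true
  for l in "$RL_LIST" "$KN_LIST"; do
    [ -r "/proc/net/xt_recent/$l" ] && { echo "== $l"; cat "/proc/net/xt_recent/$l"; }
  done
}

# unban ADDR: drop ADDR from the rate-limit list (writing -ADDR to the proc file removes that entry)
unban() { echo "-$1" > "/proc/net/xt_recent/$RL_LIST"; }

usage() { echo "usage: $0 ratelimit|knock-server|status|unban ADDR|knock HOST"; }

main() {
  case "${1:-}" in
    ratelimit)    need_root && ratelimit ;;
    knock-server) need_root && knock_server ;;
    status)       need_root && status ;;
    unban)        need_root && unban "$2" ;;
    knock)        knock "$2" ;;
    "")           usage ;;
    *)            usage; exit 2 ;;
  esac
}
main "$@"
```

Rules are added only when not already present (iptables -C), so the script is safe to re-run. Because the knock rules are appended, an existing rule that accepts port 22 higher in INPUT would bypass the final DROP, which is why status prints the chain. unban writes -ADDR to the SSH_RECENT proc file, the quickest way to let a legitimate administrator back in without waiting out the 60-second window.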
Fail2ban prevents SSH brute-force cracking
Installation:
On CentOS it is installed with yum install fail2ban -y (the package comes from the EPEL repository, which has to be enabled first). After installation the program's files are found under /etc/fail2ban. All filters supported by fail2ban are stored in the filter.d directory and all actions in the action.d directory; combining filters and actions in the jail configuration gives a wide range of custom defences, not limited to SSH protection.
Configuration and operation:
In fail2ban every .conf file can be overridden by a .local file of the same name: the program reads the .conf file first, then the .local file, and settings in .local take priority. To defend against SSH brute force, create jail.local with the following content and start the service with fail2ban-client start. Note that maxretry = 1 bans a source after a single failed login, so put your own management addresses in ignoreip before enabling it.
[DEFAULT]
# whitelist, never banned
ignoreip = 127.0.0.1/8
# how long a ban lasts, in seconds
bantime = 600
# window in which failures are counted, in seconds
findtime = 600
# number of failures allowed within the window
maxretry = 3
[ssh-iptables]
# enable the jail
enabled = true
# filter from filter.d that matches sshd failure lines
filter = sshd
# actions from action.d: block the source with an iptables rule, then mail a whois report (the second line must stay indented)
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=yang.hongyu@99cloud.net, sender=test@email.com]
# sshd log path on CentOS
logpath = /var/log/secure
# failures allowed for this jail (overrides the DEFAULT value)
maxretry = 1
Running effect:
Failed SSH logins against the target host are recorded in /var/log/secure. By analysing that file, fail2ban recognises that SSH is being brute-forced and triggers the defence action. fail2ban-client status shows the current state of fail2ban (fail2ban-client status ssh-iptables shows this jail); after the attack, the identified attacker IP appears in the Banned IP list. The actual blocking is done by fail2ban adding iptables rules for the attacker IP.
DenyHosts prevents SSH brute-force cracking
DenyHosts works on basically the same principle as Fail2ban: it analyses the SSH log files and identifies source IPs that repeatedly fail to log in. Unlike Fail2ban, which blocks the attacker's IP with iptables rules, DenyHosts blocks its SSH access by recording the IP in the hosts.deny file. That file is enforced by TCP Wrappers, so it only has an effect when sshd is linked against libwrap: upstream OpenSSH removed tcp_wrappers support in version 6.7, and while CentOS 6 and 7 still carry it, CentOS 8 and later do not. Check that the sshd binary is linked against libwrap (ldd on the binary shows it) before relying on this method.
DenyHosts installation (version 2.6 is Python 2 code, so run it with a Python 2 interpreter):
wget "downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz"
tar -xzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
DenyHosts configuration and operation:
cd /usr/share/denyhosts/
# make a copy of the configuration file
cp denyhosts.cfg-dist denyhosts.cfg
# make a copy of the control script
cp daemon-control-dist daemon-control
chmod 700 daemon-control
# edit the configuration file denyhosts.cfg
# sshd log path
SECURE_LOG = /var/log/secure
# file in which rejected hosts are recorded
HOSTS_DENY = /etc/hosts.deny
# how long a host stays rejected, here 10 minutes
PURGE_DENY = 10m
# login failures allowed for user names that do not exist
DENY_THRESHOLD_INVALID = 5
# login failures allowed for existing user names
DENY_THRESHOLD_VALID = 10
# login failures allowed for root
DENY_THRESHOLD_ROOT = 1
# start the daemon
./daemon-control start
DenyHosts effect:
The DenyHosts log shows that repeated SSH password failures against the target host triggered its defence: the attacker's IP is added to the hosts.deny file, and SSH access from that IP is refused.
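What fail2ban (with filter = sshd) and DenyHosts (with its three thresholds) do under the hood is the same log analysis: count failed logins per source inside a sliding time window and act once a threshold is reached. The following shell/awk script is an added example that belongs to neither project nor the original page. It runs that logic over constructed /var/log/secure lines (not a real capture; host name, PIDs and addresses are made up), using the article's DenyHosts thresholds (invalid user 5, valid user 10, root 1) and fail2ban's findtime of 600 seconds, and prints the block that each tool would apply to a detected source.

```shell
#!/bin/sh
# ssh_bf_detect.sh: the log-analysis core shared by fail2ban and DenyHosts, in awk, run
# over constructed sshd log lines. Added example, not code from either project or the page.
# Assumptions: syslog-format lines as written to /var/log/secure on CentOS; timestamps have
# no year, so the window is computed within one (non-leap) year.

# detect_bans FINDTIME TH_INVALID TH_VALID TH_ROOT  < sshd-log
# Prints "IP CLASS COUNT" once per source whose failures within FINDTIME seconds reach the
# threshold of its user class (fail2ban's behaviour = all three thresholds set to maxretry).
detect_bans() {
  awk -v findtime="$1" -v th_invalid="$2" -v th_valid="$3" -v th_root="$4" '
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
    split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    for (i = 1; i <= 12; i++) yday[mon[i]] = cum[i]   # days before each month
  }
  # seconds since the start of the year, from "Mon D HH:MM:SS"
  function stamp(m, d, hms,    t) {
    split(hms, t, ":")
    return (yday[m] + d - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }
  / sshd\[[0-9]+\]: Failed password for / {
    now = stamp($1, $2, $3)
    ip = ""
    for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
    if (ip == "") next
    cls = "valid"                                   # existing user name
    if ($0 ~ / for invalid user /) cls = "invalid"  # user name does not exist
    else if ($0 ~ / for root from /) cls = "root"
    key = ip SUBSEP cls
    if (!(key in tail)) { head[key] = 1; tail[key] = 0 }
    # sliding window: append this failure, then drop the ones older than findtime
    tail[key]++
    ts[key, tail[key]] = now
    while (ts[key, head[key]] < now - findtime) head[key]++
    n = tail[key] - head[key] + 1
    th = th_valid + 0
    if (cls == "invalid") th = th_invalid + 0
    if (cls == "root") th = th_root + 0
    if (n >= th && !(key in banned)) { banned[key] = 1; print ip, cls, n }
  }'
}

# block_commands IP: what each tool does with a detected source
block_commands() {
  # fail2ban iptables action, simplified to one rule (the real action uses a per-jail chain)
  echo "iptables -I INPUT -s $1 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable"
  # DenyHosts appends a TCP Wrappers entry, effective only with an sshd linked against libwrap
  echo "echo 'sshd: $1' >> /etc/hosts.deny"
}

# constructed sample of /var/log/secure: 203.0.113.5 has one old failure outside the window
# and five inside it, 192.0.2.9 is a real user with three typos, 198.51.100.7 tries root once
sample_log() {
cat <<'EOF'
Jun  2 09:00:11 cvm01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun  2 10:15:01 cvm01 sshd[2310]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jun  2 10:15:02 cvm01 sshd[2311]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jun  2 10:15:03 cvm01 sshd[2312]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jun  2 10:15:04 cvm01 sshd[2313]: Failed password for invalid user guest from 203.0.113.5 port 40005 ssh2
Jun  2 10:15:05 cvm01 sshd[2314]: Accepted publickey for deploy from 192.0.2.20 port 50000 ssh2
Jun  2 10:15:06 cvm01 sshd[2315]: Failed password for alice from 192.0.2.9 port 51000 ssh2
Jun  2 10:15:07 cvm01 sshd[2316]: Failed password for alice from 192.0.2.9 port 51001 ssh2
Jun  2 10:15:08 cvm01 sshd[2317]: Failed password for root from 198.51.100.7 port 60000 ssh2
Jun  2 10:15:09 cvm01 sshd[2318]: Failed password for invalid user ubuntu from 203.0.113.5 port 40006 ssh2
Jun  2 10:15:10 cvm01 sshd[2319]: Failed password for alice from 192.0.2.9 port 51002 ssh2
EOF
}

# demo: 600 s window, DenyHosts thresholds invalid=5 valid=10 root=1
sample_log | detect_bans 600 5 10 1 | while read -r ip cls n; do
  echo "# $ip: $n failure(s) as $cls user within 600 s"
  block_commands "$ip"
done
```

On the sample, 203.0.113.5 is reported only at its fifth failure inside the window (the 09:00 attempt has aged out), 198.51.100.7 is reported on its first root attempt, and alice's three typos from 192.0.2.9 stay under the valid-user threshold. Both real tools add the ban-expiry side (bantime, PURGE_DENY) on top of this detection step.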
Network security: there are no fresh tricks
Some people will say that logging in with a key solves the SSH brute-force problem perfectly. Here is a piece of history. Something interesting happened in the 2006 Debian Linux release, when an automated software-analysis tool found a line of code that a developer had commented out. That line was there to make sure that the amount of random data used to create SSH keys was large enough. With it commented out, the entropy of the key space dropped to 2^15, meaning that whatever the algorithm and key length, only 32767 distinct keys could be generated, fewer than the combinations of a plain six-digit password. The error was not discovered until two years later, and there is no doubt that a considerable number of servers were using these flawed weak keys. (quoted from: Violent Python: A Cookbook for Hackers)
There is nothing new in network security. The four hardening methods listed above cannot resist weak passwords set by operations staff or an attacker's library of leaked credentials. Operations staff can only keep the network secure by raising their own security awareness and using security tools sensibly.
One last word: there are thousands of roads, and safety is the first rule; operate carelessly, and the ops staff shed two lines of tears.