Article author: Ryan Twomey
Original link: http://security.linux.com/article.pl?sid=05/09/15/1655234
As many systems administrators will tell you, attacks from automated login scripts specifically targeting common account names with weak passwords have become a substantial threat to system security, especially via SSH (a popular program that allows remote users to log in to a Linux computer and execute commands locally). Here are some common-sense rules to follow that can greatly improve security, as well as several scripts to cut down on the computing resources wasted by these attacks.
Brute-force attackers use so-called dictionary attacks, attempting many different login/password combinations in an attempt to hit on one that matches. In most cases, these scripts use a pre-programmed "dictionary" of often-used account names (such as www, admin, test, or guest). These scripts then attempt common passwords (often just the name of the account or an empty string). When one attempt fails, the script continues on, attempting other entries in its dictionary, until it has exhausted every pair (which can total hundreds of login attempts).
One of the most popular scripts attackers have employed has been the "haita" script, often paired with a fast port scanner. The port scanner first scans blocks of IP addresses, checking for an open SSH port (22). When the scanner finds a potential target, it stores the address in a database for later. Usually within a few hours of the initial scan, the brute-force script will begin attempting dictionary attacks on each of the IP addresses within this database. Once it finds a successful login/password combination, the script alerts a human operator and hands off login access to the machine. This attacker can then log into the breached system and employ it for his own nefarious purposes.
What happens once a computer system has been compromised? According to many systems administrators, attackers first use the compromised box to begin additional attacks on other computer systems, attempting to gain access to even more machines. Many of these systems are employed as "zombies," used to deliver hundreds of thousands of spam emails to unsuspecting inboxes. Or, if the compromised system is particularly juicy, the attacker may install a keystroke logger to capture passwords for bank accounts and other information. The attacker may also attempt to gather company information, perhaps for blackmail purposes.
How to protect yourself
With so many attacks occurring on a daily basis -- even to everyday home users -- how can you protect yourself?
Always choose good passwords. A good password is one that is not easy to guess, has both numbers and letters in it, and is usually more than six characters long. Also, use different passwords for different accounts; that way, if one password is ever compromised, you can decrease the fallout.
Disable SSH access unless you really need it. If you must have it, try to set up restricted access lists, denying every IP address that's not on your list. This isn't always feasible, which is why the scripts listed in this article are so useful.
Disable root logins via SSH. There are few reasons why this should be turned on in the first place, so make sure it's off. In addition, you can specify which users are allowed to log into the system via SSH with the AllowUsers option (followed by a list of user name patterns, separated by spaces).
Regularly update your system's software. If it's ever compromised, you'll be able to reduce the effectiveness of rootkits and other privilege-escalation software by eliminating known security vulnerabilities.
Creating a strong password
Many people have created rules for strong passwords, and different organizations have different policies regarding strong passwords. Following these seven common-sense rules can go a long way toward preventing even determined attackers from guessing their way into your account:
Do not use dictionary words.
Do not use names.
Do not use dates.
Do not use the same password elsewhere.
Do mix upper-lower case.
Do use at least six characters.
Do change your password now and then.
These rules, along with other helpful information regarding Linux passwords, can be found in the Linux.com article "CLI Magic: passwd and passwords".
In addition to the basic practices above, several programs exist to help reduce the number of attacks against your computer systems. These scripts are designed to look for brute-force attackers and automatically ban them after a certain number of attempts in a specified window of time.
Daemon Shield
Daemon Shield is a small Python script that is started at boot time and continuously monitors a syslog file (usually /var/log/messages) for login attempts (including SSH, FTP, and other services). The configuration file specifies the amount of time to wait between processing the syslog file for changes (a greater interval can improve performance), the number of acceptable attempts within a specified period of time, and what to do if an address is found that violates this policy.
In general, the script has some good features (such as the ability to block an address for a specified period of time). It uses iptables to handle the blocklist (which, when combined with an iptables firewall-type rule set, gives administrators good control over the network security of their computer system). However, Daemon Shield suffers greatly when parsing long syslog files; it may not block an address until many attempts into the attack (or until after the attack is complete). Having a good log-rolling policy for your syslog file is crucial to getting the best performance out of Daemon Shield.
Once the software is installed, you'll need to configure it for your installation. First, make sure you have an /etc/sysconfig/iptables file (some distributions, notably Mandriva, do not create this file by default). Iptables can generate this file automatically. Under Red Hat, you can try:
service iptables save
Under Mandrake and several other distributions, use the iptables-save program if it's available in your PATH:
iptables-save
Once you've created the /etc/sysconfig/iptables file, configure it to begin using the Daemon Shield rules. According to the Daemon Shield install file:
Add the following line to the list of iptables chains:
:Kiddies - [0:0]
Then add the following lines to the end of the file:
-A Kiddies -j LOG --log-level info --log-prefix "Dropped IP: " -m limit --limit
-A Kiddies -j DROP
These options instruct iptables to consult the auto-generated Daemon Shield block list before allowing each TCP connection (remember that Daemon Shield can monitor login attempts for services other than just SSH).
Now that iptables is configured to use the Daemon Shield service, the next step is to begin editing the Daemon Shield configuration file, /usr/local/etc/daemonshield.conf, to suit your installation. I found working with the configuration file to be confusing. For instance, the syntax of the ignorestring option, which allows you to set Daemon Shield to automatically ignore any logins made from the specified set of IP addresses or ranges, is certainly a little confusing. Here's the entry I used to automatically ignore (and thereby always allow) addresses originating from 10.*.*.* and 192.168.*.* networks:
ignorestring=10\.\d{1,3}\.\d{1,3}\.\d{1,3} 192\.168\.\d{1,3}\.\d{1,3}
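As an added example (not Daemon Shield's own code), here is a minimal Python version of the detection loop described above: it parses constructed sshd failure lines, applies the same space-separated regex syntax as the ignorestring entry, flags an address once it reaches a threshold of failures inside a sliding time window, and pairs each flagged address with the block command and expiry time it would get. The `iptables -I INPUT -s <ip> -j Kiddies` form is an assumption about how a block would feed the Kiddies chain from the install file, not something taken from the project.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line: "<Mon DD HH:MM:SS> <host> sshd[pid]: Failed password for ... from <ip> port ..."
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .+ "
                     r"from (\d+\.\d+\.\d+\.\d+) port")
# Same syntax as the ignorestring entry: space-separated regexes, each fully matched against the IP.
IGNORE_RE = [re.compile(p) for p in r"10\.\d{1,3}\.\d{1,3}\.\d{1,3} 192\.168\.\d{1,3}\.\d{1,3}".split()]

# Constructed sample syslog lines (not real traffic): a fast dictionary run, a run from an ignored private address, and a slow trickle.
SAMPLE_LOG = """\
Sep 15 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Sep 15 10:00:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4022 ssh2
Sep 15 10:00:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 4023 ssh2
Sep 15 10:00:10 host sshd[2109]: Failed password for invalid user www from 10.0.0.5 port 5000 ssh2
Sep 15 10:00:11 host sshd[2110]: Failed password for invalid user www from 10.0.0.5 port 5001 ssh2
Sep 15 10:00:12 host sshd[2111]: Failed password for invalid user www from 10.0.0.5 port 5002 ssh2
Sep 15 10:30:00 host sshd[2200]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Sep 15 11:30:00 host sshd[2300]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Sep 15 12:30:00 host sshd[2400]: Failed password for bob from 198.51.100.9 port 6002 ssh2
"""

def find_attackers(log_text, max_attempts=3, window_seconds=60, ignore_patterns=IGNORE_RE):
    """Return {ip: time_of_trigger} for addresses with >= max_attempts failures
    inside a sliding window of window_seconds; ignored addresses are never flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year; fine for deltas
        ip = m.group(2)
        if ip in blocked or any(p.fullmatch(ip) for p in ignore_patterns):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):  # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = ts
    return blocked

def block_commands(blocked, expire_minutes=180):
    """Pair each flagged address with the (assumed) iptables command that would send its traffic
    through the Kiddies chain, returned rather than executed, plus the time the block expires."""
    return [(f"iptables -I INPUT -s {ip} -j Kiddies", ts + timedelta(minutes=expire_minutes))
            for ip, ts in sorted(blocked.items())]
```

With the defaults this flags only 203.0.113.7: the 10.0.0.5 run matches the ignore pattern, and the 198.51.100.9 attempts are an hour apart, so they never accumulate inside the window.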
I then edited the set of commands relating to the time intervals that Daemon Shield uses. First, I adjusted the expireblocktime option, which is the length of time an IP address should be blocked from attempting to log into the system after Daemon Shield has determined it to be a brute-force attacker. I used the value 180 (in minutes, so three hours), which seemed like a reasonable amount of time: not too long that