If you have a server on the internet, the chances are that someone will attempt to gain entry. I have seen cases where the server was live on the internet for as little as 2 minutes before some bot launched an attack. There are various programs out there that will do brute force dictionary hacks on your machines. Hackers know that there are standard user names that always exist on your server, especially if it is using the default configuration. User names include (but are not limited to) root, mail, news, mysql, lp. You can check your /etc/passwd file for the rest. The attack involves trying to login to the user names using a dictionary of commonly used passwords. The best thing you can do is to rename those user names. For example renaming the root user name to rootuser will always mean that the hacker will never gain entry because the user name doesn’t even exist! However some start up scripts rely on the top level user being root instead of checking the top user id is zero. It is definitely more difficult to rename the lp user because its user id is not fixed and so the name is relied upon. In cases like mysql you can rename the user name because it is created my you, so as long as all the permissions are set correctly you should be fine. Another problem with someone attacking your server is that they are stealing your bandwidth to do it! You have to pay for traffic that comes to your site and it all adds up. Fear not, there is a way to stop this, but first you have to know what you are looking for. The system log will give you an idea of how many times hackers have tried to gain access to your system. It is located at
/var/log/messages. When an attack is in progress you will see something along the lines of:
Mar 8 19:23:28 myhostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=evil.hacker.host.name Mar 8 19:23:38 myhostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=evil.hacker.host.namerhost specifies the remote machine that is talking to you. From these log entries we can see that the attacker is using ssh to try and log in. You will see this message even if it is you that has accidentally typed the password in wrong, so be very careful about the action you take. You don’t want to lock yourself out! If it is a real attack then there will be pages and pages of these messages, cycling through the standard user names mentioned above. If you are watching then you can block the remote host from talking to you. You can add rules to your firewall to drop their incoming packets on the floor. This is better than replying with unknown address, because the attacking machine will hang around waiting for it’s pre-set timeout which could be a couple of seconds. For those couple of seconds the attackers aren’t attacking you (or anyone else). After a couple of time outs they generally stop. So to send their machine into a blackhole add a firewall rule to drop their host’s packets on the floor:
iptables -I INPUT -s evil.hacker.host.name -j DROPto see who you have in your blackhole, list the current firewall rules:
iptables -Land to unblock a host, remove it from the drop list:
iptables -D INPUT -s evil.hacker.host.name -j DROPIt is important to only keep the evil.hacker.host.name in your blackhole for about 30 minutes. The attacking program should have given up by then and if the remote host is a firewall or a proxy server you could be blocking access to your server to potentially thousands of innocent people. You may not be able to watch your servers all the time so there are several programs out there to watch your log files and block would-be attackers for you. One of the most popular of these is called Sentry Tools and can be found on SourceForge. The project hasn’t changed for ages, but it is as current now as it was 5 years ago. When I get a chance I’ll write a blog about how to install and configure it.