How to stop people trying to hack your root logon
A sometimes never-ending hassle for a Unix administrator is stopping people from trying to hack your root logon. There are many approaches to this, none of which are particularly difficult to do, so here is a checklist of the methods I have used.
Firstly you need to be aware HOW to find out that someone is trying to hack your root logon (or any other logon, actually). On CentOS 6 (and most other Linux distributions) every failed login attempt is recorded in the /var/log/btmp file, which only root can read. On CentOS 6 sshd also writes a timestamped line for each failed attempt to /var/log/secure.
Slightly strange however is that you cannot simply do a ‘more’ or ‘cat’ of this file, because it is a binary file in utmp format. The quick and dirty way to see its contents is this –
strings /var/log/btmp
The annoying thing with ‘strings’ is that you do not see the date and timestamps. They are in the file though: the proper tool is ‘lastb’, which reads /var/log/btmp and prints the username tried, the source host and the time of every attempt (‘lastb -i’ shows ip addresses instead of hostnames). Either way you can see which usernames were attempted. Now bear in mind the ip addresses or hostnames it shows COULD BE YOURS (a colleague mistyping a password looks exactly like an attacker), so don’t just go ahead and block them all on your office firewall (or your server iptables) without being sure that you are not about to block yourself or your staff.
So anyway here is my quick checklist of things you can do once you have identified ip addresses or hostnames that are undesirables.
1) BLOCK THEM IN IPTABLES
The sledgehammer approach is to add a rule similar to this to your /etc/sysconfig/iptables file, above the rules that ACCEPT traffic (iptables stops at the first matching rule, so a DROP placed after the ACCEPT for port 22 does nothing) –
-A INPUT -s 1.2.3.4 -j DROP
and then restart iptables with ‘service iptables restart’ for it to take effect.
The potential issue with this is that you could be being attacked from multiple hosts on one network. That can be catered for with a network mask on the same line, e.g. 1.2.3.0/24 to drop a standard class C network (note that 1.2.3.4/32 is just the single host again). But you could also be facing an undesirable hacker datacentre with many ip addresses in unrelated ranges, which no single rule covers.
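The detection step and the blocking step above, joined up as one added example (this is not code from the original post). It assumes the ‘lastb’ column layout of CentOS 6 (user, tty, host, date), a threshold of three failures before a source is blocked, and a whitelist of your own addresses; the lastb lines it runs on are constructed sample output, not a real log. It prints the rules rather than applying them, so you can read them before they go anywhere near /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the original post): turn failed-login records into
# iptables DROP rules, skipping addresses you own. Assumes the 'lastb' output
# layout of CentOS 6: user, tty, host, date. Run 'lastb -i' so the host column
# holds ip addresses; hostnames are ignored by the parser below.
# The lines below are CONSTRUCTED sample output, not a real log.
SAMPLE_LASTB='root     ssh:notty    203.0.113.7      Mon Jan  9 03:12 - 03:12  (00:00)
root     ssh:notty    203.0.113.7      Mon Jan  9 03:12 - 03:12  (00:00)
admin    ssh:notty    203.0.113.7      Mon Jan  9 03:13 - 03:13  (00:00)
root     ssh:notty    198.51.100.22    Mon Jan  9 04:40 - 04:40  (00:00)
bob      ssh:notty    192.0.2.10       Mon Jan  9 08:01 - 08:01  (00:00)
bob      ssh:notty    192.0.2.10       Mon Jan  9 08:01 - 08:01  (00:00)
bob      ssh:notty    192.0.2.10       Mon Jan  9 08:02 - 08:02  (00:00)
root     ssh:notty    198.51.100.22    Mon Jan  9 04:41 - 04:41  (00:00)
oracle   ssh:notty    198.51.100.22    Mon Jan  9 04:42 - 04:42  (00:00)

btmp begins Mon Jan  9 03:12:00 2012'

# Addresses that must never be blocked (your office, your staff). Assumed values.
WHITELIST="192.0.2.10 192.0.2.11"

# count_failures: read lastb text on stdin, print "count ip" per source,
# most failures first. Only dotted IPv4 hosts are counted.
count_failures() {
    awk 'NF >= 3 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# is_whitelisted IP: succeed if IP is one of ours.
is_whitelisted() {
    for w in $WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# make_rules THRESHOLD: read lastb text on stdin and print one iptables rule
# per source with at least THRESHOLD failures, skipping whitelisted sources.
make_rules() {
    threshold=$1
    count_failures | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        if is_whitelisted "$ip"; then
            echo "# not blocking $ip ($count failures): whitelisted" >&2
            continue
        fi
        echo "-A INPUT -s $ip/32 -j DROP"
    done
}

# Real use (as root): lastb -i | make_rules 3
# Paste the printed lines into /etc/sysconfig/iptables ABOVE the rule that
# accepts ssh, then 'service iptables restart'. Here we run on the sample.
printf '%s\n' "$SAMPLE_LASTB" | make_rules 3
```

With the sample data 203.0.113.7 and 198.51.100.22 each get a rule; 192.0.2.10 has three failures too (bob mistyping his password) but is skipped because it is on the whitelist, which is exactly the lock-yourself-out case the warning above is about.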
2) CHANGE YOUR SSH PORT
A cleverer method, which disrupts at least the less sophisticated (automated) hack attempts, is to move your server from the standard ssh port 22 to something different. It hides nothing from a port scan, but it takes you off the list for the bots that only ever try port 22. One thing to note here is to be careful when doing this, as a mistake in changing SSH could lock you out of your own server.
So the file you need to edit is /etc/ssh/sshd_config
Quite near the top you will see a line like this –
#Port 22
And yes it is normally commented out as shown above, which just shows you the default. Remove the comment and change the port to something else (use a number above 1024 to stay away from the reserved system ports, and make sure nothing else is already listening on it). Use something like 22222, 22111 or 11122, or anything else that you can remember.
Once you have edited and saved that file, do two things BEFORE restarting sshd: open the new port in your iptables rules (otherwise the restart will cut you off), and on CentOS 6 with SELinux enforcing add the new port to the ssh_port_t type with semanage, or sshd will refuse to bind to it. Then check the file parses with ‘sshd -t’ and restart sshd like this –
service sshd restart
Now when you log in to your server remember to use your new port in your terminal client (the -p option of ssh). Keep your current session open until you have confirmed that a fresh login on the new port works.
3) DISABLE DIRECT ROOT ACCESS
In my view this is by far the most subtle method: your attackers won’t even know you have done it, and will continue to try and try and try, getting ‘invalid password’, ‘invalid password’, ‘invalid password’, while you laugh to yourself knowing they stand no chance of getting root that way. (They can of course still try other usernames, so the password on your own account still needs to be a good one.)
Once again this method involves editing /etc/ssh/sshd_config
if you scroll down you will find something like this –
#PermitRootLogin yes
And yes it’s once again commented, which is just showing you the default value. Uncomment it, and change it to no like this –
PermitRootLogin no
and save the file.
IMPORTANT – What you now need to do, before you restart sshd, is to make sure you have a separate logon for yourself to be able to log in to your server with !!! To create a user do this –
useradd -d /home/user1 user1
and set a good password on it like this –
passwd user1
Then restart sshd like this (and test the new user from a second terminal while your root session is still open) –
service sshd restart
Now you can log in as your new user and then do ‘su -’ to take you to root (this asks for the root password, so root still needs a strong one). Then you can watch your /var/log/btmp file and not worry that anyone can log in as root over ssh any more.
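Steps 2 and 3 applied to a COPY of sshd_config, as an added example that is not from the original post. It assumes the CentOS 6 layout of the file (directives commented out to show their defaults), an arbitrary choice of port 22222, and the CentOS 6 commands (service, semanage, sshd -t) listed in the rollout comments; the config text is a constructed stand-in for the real file. The point it adds to the steps above is that the edit is checked and repeatable: a commented-out default is turned into the live setting, a duplicate directive is not created on a second run, and a file with no such directive at all gets one appended, which matters because sshd honours only the first occurrence of a directive.

```shell
#!/bin/sh
# Added example (not from the original post): make the two sshd_config edits
# from steps 2 and 3 on a copy of the file and verify them before touching
# the live file. CONSTRUCTED sample resembling the CentOS 6 default config.
SAMPLE_SSHD_CONFIG='# This is the sshd server system-wide configuration file.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
Protocol 2
#PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes
UsePAM yes'

# set_directive FILE NAME VALUE: turn the first "NAME value" line (commented
# out or not) into "NAME VALUE", drop any later duplicates of NAME, and append
# the directive if the file has none. Writes through 'cat' so the file keeps
# its permissions and SELinux context.
set_directive() {
    file=$1 name=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$name[[:space:]]" "$file"; then
        awk -v n="$name" -v v="$value" '
            $0 ~ "^[ \t]*#?[ \t]*" n "[ \t]" { if (!done) print n " " v; done = 1; next }
            { print }' "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT: step 2 (new port) and step 3 (no root login).
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
}

# get_directive FILE NAME: print the value sshd would use, i.e. the first
# uncommented occurrence of NAME; prints nothing if the default applies.
get_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# Demo on a temporary copy of the sample config.
work=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$work"
harden_sshd_config "$work" 22222
echo "Port=$(get_directive "$work" Port) PermitRootLogin=$(get_directive "$work" PermitRootLogin)"
rm -f "$work"

# Real rollout on CentOS 6 (as root, keeping your current session open):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 22222
#   iptables -I INPUT -p tcp --dport 22222 -j ACCEPT && service iptables save
#   semanage port -a -t ssh_port_t -p tcp 22222   # SELinux; needs policycoreutils-python
#   useradd user1 && passwd user1                 # step 3's separate logon
#   sshd -t && service sshd restart
# then from a SECOND terminal: ssh -p 22222 user1@yourserver, and 'su -'.
```

The rollout order is the part people get wrong: the iptables and semanage lines come before the restart, and the old session is only closed once the new login has worked.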
SUMMARY –
So there are my most-used methods to add that little bit of extra security to your server. If you are interested in more hints and tips then check out my other Linux or Bash tutorials HERE, or subscribe to my email list in the sidebar to get new tips in your inbox as I write them!