Prevent Brute-Force SSH Attacks Using iptables

Prevent (or at least slow down) a brute-force SSH attack.
By default, iptables on a CentOS 6 SSH server allows all inbound SSH traffic on port 22. See /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Modify /etc/sysconfig/iptables to the following in order to allow a particular IP to initiate 5 new SSH connections within a window of 60s. If additional new SSH connections are opened for that IP, then all packets from that IP will be dropped, and the incident will be logged to /var/log/messages. After 60s that IP will be able to open 5 new SSH connections, and so on. Please note that when I say that a new SSH connection is made that I do not mean to imply the SSH authentication was successful. Just that the two hosts initiated a new TCP/IP connection over port 22.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "BRUTE_FORCE_SSH"
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# service iptables stop && service iptables start

My System Configuration

  • CentOS 6.5 x86 64-bit

References

Installing DenyHosts on CentOS 6

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. Upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. DenyHosts uses TCP Wrappers and not iptables.

Install DenyHosts

First, add the EPEL repository. Then simply install the package from the EPEL repository:

# yum install denyhosts

Configure DenyHosts

Before starting DenyHosts, configure a white list of IPs that DenyHosts should never block. Again, DenyHosts uses TCP Wrappers. Hence, edit /etc/hosts.allow and add IPs, entire subnets, etc. For example,

sshd: 12.34.56.78
sshd: 192.168.0.0/255.255.255.0

Start DenyHosts

# service denyhosts start

Configure the system to start DenyHosts at boot:

# chkconfig denyhosts on

Basic things to be aware of:

  • IPs to white list should be added to /etc/hosts.allow.
  • IPs that DenyHosts blocks will be added to /etc/hosts.deny.
  • The DenyHosts configuration file is /etc/denyhosts.conf.
  • DenyHosts logs everything that it does to /var/log/denyhosts.
  • DenyHosts watches /var/log/secure for SSH login attempts.
  • If a host is ever added to the block list by mistake, just remove it from /etc/hosts.deny. You can also manually add hosts you want to block.

Go through the DenyHosts configuration file (/etc/denyhosts.conf) and tune it to your liking. Be sure to restart DenyHosts (service denyhosts restart) if you change anything.

My System Configuration

  • CentOS 6.5 x86 64-bit
  • DenyHosts 2.6

References

Use Yum to List All of the Packages in a Single Repository

First, list all of your available repositories, and get the repository IDs

# yum repolist
repo id         repo name                                              status
base            CentOS-6 - Base                                            6,367
epel           Extra Packages for Enterprise Linux 6 - x86_64         10,142+82
extras          CentOS-6 - Extras                                             14
updates         CentOS-6 - Updates                                           287
repolist: 16,810

To see which packages are just in the “base” repository:

# yum --disablerepo="*" --enablerepo="base" list available
Available Packages
389-ds-base.x86_64                        1.2.11.15-29.el6                  base
389-ds-base-devel.i686                    1.2.11.15-29.el6                  base
389-ds-base-devel.x86_64                  1.2.11.15-29.el6                  base
389-ds-base-libs.i686                     1.2.11.15-29.el6                  base
389-ds-base-libs.x86_64                   1.2.11.15-29.el6                  base
ConsoleKit-devel.i686                     0.4.1-3.el6                       base
ConsoleKit-devel.x86_64                   0.4.1-3.el6                       base
ConsoleKit-docs.x86_64                    0.4.1-3.el6                       base
ConsoleKit-libs.i686                      0.4.1-3.el6                       base
ConsoleKit-x11.x86_64                     0.4.1-3.el6                       base
DeviceKit-power.i686                      014-3.el6                         base
DeviceKit-power.x86_64                    014-3.el6                         base
DeviceKit-power-devel.i686                014-3.el6                         base
DeviceKit-power-devel.x86_64              014-3.el6                         base
DeviceKit-power-devel-docs.noarch         014-3.el6                         base
ElectricFence.i686                        2.2.2-28.el6                      base
ElectricFence.x86_64                      2.2.2-28.el6                      base
GConf2.i686                               2.28.0-6.el6                      base
GConf2.x86_64                             2.28.0-6.el6                      base
GConf2-devel.i686                         2.28.0-6.el6                      base
GConf2-devel.x86_64                       2.28.0-6.el6                      base
GConf2-gtk.x86_64                         2.28.0-6.el6                      base
ImageMagick.i686                          6.5.4.7-6.el6_2                   base
ImageMagick.x86_64                        6.5.4.7-6.el6_2                   base
ImageMagick-c++.i686                      6.5.4.7-6.el6_2                   base
ImageMagick-c++.x86_64                    6.5.4.7-6.el6_2                   base
ImageMagick-c++-devel.i686                6.5.4.7-6.el6_2                   base
ImageMagick-c++-devel.x86_64              6.5.4.7-6.el6_2                   base
...

My System Configuration

  • CentOS 6.5 x86 64-bit

References

Migrate iTunes from Windows XP to Windows 7

Prepare the source Windows XP system:

  • In iTunes, Sync your iPod / iPhone / iPad as you normally would.
  • Go to File > Library > Organize Library > Check to organize library and to consolidate files.
  • Deauthorize your computer from iTunes by going to Store > Deauthorize This Computer
  • Quit iTunes

Prepare the destination Windows 7 system:

  • Install iTunes
  • In Explorer, go to Tools > Folder Options > View > Show hidden files, folders, and drives > press OK
  • Quit iTunes in case you opened it

Transfer files from the source Windows XP system to the destination Windows 7 system:

  • Copy “C:\Documents and Settings\username\My Documents\My Music\iTunes” to “C:\Users\username\Music\iTunes
  • Copy “C:\Documents and Settings\username\Application Data\Apple Computer\iTunes” to “C:\Users\username\AppData\Roaming\Apple Computer\iTunes
  • Copy “C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\iTunes” to “C:\Users\username\AppData\Local\Apple Computer\iTunes

Note: This does not transfer over device backups.
On the destination Windows 7 system:

  • Open iTunes and verify all of your data is there
  • Authorize your computer to iTunes by going to Store > Authorize This Computer
  • Sync your iPod / iPhone / iPad as you normally would.

My System Configuration

  • Windows XP SP3
  • Windows 7 Professional SP1
  • iTunes 11.1.3.8

References

Installing Windows 7 from Scratch Using the Upgrade CD

You should be able to install Windows 7 on a bare PC using the upgrade CD without any issue. That is, without having to first install an older version of Windows, and then upgrade. This arguably provides a cleaner install. However, a problem arises when you try to activate your Windows installation:

  1. Open Windows Activation by clicking the Start button, right-clicking Computer, clicking Properties, and then clicking Activate Windows now.‌
  2. If Windows detects an Internet connection, click Activate Windows online now. Administrator permission required. If you’re prompted for an administrator password, type the password.
  3. Type your Windows 7 product key when prompted, click Next, and then follow the instructions.

You should receive the activation error code 0xC004F061: “The Software Licensing Service determined that this specified product key can only be used for upgrade, not for clean installations.”

To resolve this, you must edit the Windows registry. Open up the start menu and type “regedit” into the search field, followed by enter. Navigate to: HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Setup/OOBE/ (or click Edit then Find and type “MediaBootInstall” into the search field, and press enter). Once found, double-click MediaBootInstall and change the “1” to a “0“. Click Ok and exit the Registry Editor.
Now you must “Re-Arm” the Windows activation sequence. First, you must open a command prompt as an administrator. To do this, open up the start menu and type “cmd” but instead of just pressing enter, you need to press “Ctrl” + “Shift” + “Enter” in order for it to run as an administrator. Alternatively, click the start menu, right-click on the command prompt application, and selecting Run as administrator.
From the command prompt, type “slmgr /rearm” and press enter. Then type “exit” and press enter. Then reboot.
Then activate Windows by performing the steps shown above again. This time it should work.

My System Configuration

  • Windows 7 Professional x86 64-bit

References