RedHat Security Tightening; Tale of One System

Posted on 2013/02/19 by pauljohn

The default RedHat install is possibly more secure than some Linux distributions, but it is also not as tight as we might need.

On one KU RedHat system that I did not fine tune--so the default setup was in place--we saw an effort to attack yesterday. Somebody was running scripts to randomly guess names, passwords, and services.

No security breach occurred, but the massive number of attempts got the domain login server pissed off and now it seems as if nobody can authenticate against the home domain from the one particular machine that was targeted. Well, I'm not sure that's the reason why all our users are unrecognized by the login server now, but the correlation is pretty clear. We were able to log in yesterday, all of these ssh attacks occurred, and now we are blocked from authentication.

While I wait to hear how to fix that, let me illustrate the problem and how I'm fixing it.

The /var/log/secure was full of these, 1000s of them:


Feb 19 10:31:49 CRMDA-009 sshd[17959]: Invalid user jaqueline from 200.222.91.18
Feb 19 10:31:49 CRMDA-009 sshd[17960]: input_userauth_request: invalid user jaqueline
Feb 19 10:31:49 CRMDA-009 sshd[17959]: pam_unix(sshd:auth): check pass; user unknown
Feb 19 10:31:49 CRMDA-009 sshd[17959]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.222.91.18
Feb 19 10:31:49 CRMDA-009 sshd[17959]: pam_krb5[17959]: error resolving user name 'jaqueline' to uid/gid pair
Feb 19 10:31:49 CRMDA-009 sshd[17959]: pam_krb5[17959]: error getting information about 'jaqueline'
Feb 19 10:31:51 CRMDA-009 sshd[17959]: Failed password for invalid user jaqueline from 200.222.91.18 port 38534 ssh2
Feb 19 10:31:52 CRMDA-009 sshd[17960]: Received disconnect from 200.222.91.18: 11: Bye Bye
Feb 19 10:31:54 CRMDA-009 sshd[17961]: Address 200.222.91.18 maps to mailserver.abolicao.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 10:31:54 CRMDA-009 sshd[17961]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.222.91.18  user=root
Feb 19 10:31:54 CRMDA-009 sshd[17961]: pam_krb5[17961]: authentication fails for 'root' (root@HOME.KU.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Feb 19 10:31:56 CRMDA-009 sshd[17961]: Failed password for root from 200.222.91.18 port 38798 ssh2
Feb 19 10:31:56 CRMDA-009 sshd[17962]: Received disconnect from 200.222.91.18: 11: Bye Bye
Feb 19 10:31:58 CRMDA-009 sshd[17963]: Address 200.222.91.18 maps to mailserver.abolicao.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 10:31:58 CRMDA-009 sshd[17963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.222.91.18  user=root
Feb 19 10:31:58 CRMDA-009 sshd[17963]: pam_krb5[17963]: authentication fails for 'root' (root@HOME.KU.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Feb 19 10:32:00 CRMDA-009 sshd[17963]: Failed password for root from 200.222.91.18 port 39078 ssh2
Feb 19 10:32:00 CRMDA-009 sshd[17964]: Received disconnect from 200.222.91.18: 11: Bye Bye
Feb 19 10:32:02 CRMDA-009 sshd[17965]: Address 200.222.91.18 maps to mailserver.abolicao.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 10:32:02 CRMDA-009 sshd[17965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.222.91.18  user=root
Feb 19 10:32:02 CRMDA-009 sshd[17965]: pam_krb5[17965]: authentication fails for 'root' (root@HOME.KU.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Feb 19 10:32:04 CRMDA-009 sshd[17965]: Failed password for root from 200.222.91.18 port 39309 ssh2
Feb 19 10:32:04 CRMDA-009 sshd[17966]: Received disconnect from 200.222.91.18: 11: Bye Bye
Feb 19 10:32:06 CRMDA-009 sshd[17967]: Address 200.222.91.18 maps to mailserver.abolicao.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 19 10:32:06 CRMDA-009 sshd[17967]: Invalid user src from 200.222.91.18
Feb 19 10:32:06 CRMDA-009 sshd[17968]: input_userauth_request: invalid user src
Feb 19 10:32:06 CRMDA-009 sshd[17967]: pam_unix(sshd:auth): check pass; user unknown
Feb 19 10:32:06 CRMDA-009 sshd[17967]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.222.91.18
Feb 19 10:32:06 CRMDA-009 sshd[17967]: pam_krb5[17967]: error resolving user name 'src' to uid/gid pair
Feb 19 10:32:06 CRMDA-009 sshd[17967]: pam_krb5[17967]: error getting information about 'src'
Feb 19 10:32:08 CRMDA-009 sshd[17967]: Failed password for invalid user src from 200.222.91.18 port 39541 ssh2
Feb 19 10:32:09 CRMDA-009 sshd[17968]: Received disconnect from 200.222.91.18: 11: Bye Bye
Feb 19 10:32:10 CRMDA-009 sshd[17969]: Address 200.222.91.18 maps to mailserver.abolicao.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

After that problem started, then users could not log in anymore, the domain rejects the requests thusly (from /var/log/secure):

Feb 19 11:40:06 CRMDA-009 pam: gdm-password[18264]: pam_unix(gdm-password:auth): check pass; user unknown
Feb 19 11:40:06 CRMDA-009 pam: gdm-password[18264]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Feb 19 11:40:06 CRMDA-009 pam: gdm-password[18264]: pam_krb5[18264]: error resolving user name 'pauljohn' to uid/gid pair
Feb 19 11:40:06 CRMDA-009 pam: gdm-password[18264]: pam_krb5[18264]: error getting information about 'pauljohn'
Feb 19 11:40:06 CRMDA-009 pam: gdm-password[18264]: gkr-pam: error looking up user information for: pauljohn

How I'm fixing this on RedHat.

1. Install the RPM denyhosts, edit the config to make at least one change. in /etc/denyhosts.cfg, change the file where it lists banned systems. The reason for this is that we don't want the denyhosts program to obliterate our existing hosts.deny file, we want it to create its own enemy list and then we take not of it in hosts.allow.

# Most operating systems:
HOSTS_DENY = /etc/denyhosts.blocked

2. Edit /etc/hosts.deny, insert 1 line

ALL:ALL

That means we are blocking access to all services on all ports from all places, by default.

3. Edit /etc/hosts.allow, insert lines to make it so that we ONLY offer ssh service on this system, and we ONLY offer it to a trusted domain. We want to allow in users who have IP numbers such as 10.222.xxx.xxx, for example. In this example code,

portmap: 10.222.
ALL: 127.0.0.1
sshd : /etc/denyhosts.blocked : deny

sshd: 10.222.
sshdfwd-X11: 10.222.

If users from more IP ranges have to be let in, OK. Add them.

Even users who are within the valid range can be blocked by denyhosts.

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.
This entry was posted in Linux. Bookmark the permalink.