Help enforcing /etc/hosts.deny

Postby superbee » May 12th, '22, 02:17

Hello, I am setting up a web server that is accessed remotely. I have allowed the firewall to permit SSH and set MSEC to 'Secure' via MCC GUI. I have also written a hosts.deny with just
Code:
    ALL: ALL
and hosts.allow so that I can only SSH in from specified IP addresses.

I thought this would be enough to enforce /etc/hosts.deny so that all remote login attempts from foreign IPs would be blocked. However, when I check the login attempts with
Code:
    grep "Failed password" /var/log/auth.log
I see that they are still happening several times per minute, including root login attempts. Shouldn't these be blocked by MSEC? For example, under the 'Secure' setting of MSEC one of the default options is ALLOW_REMOTE_ROOT_LOGIN set to 'no'. I can't figure out why this isn't being enforced.

Code:
    May 11 16:57:22 myserver sshd[369786]: Failed password for invalid user vbox from 165.227.142.62 port 58324 ssh2
    May 11 16:57:45 myserver sshd[371196]: Failed password for invalid user cc from 104.248.140.201 port 60568 ssh2
    May 11 16:57:50 myserver sshd[372568]: Failed password for root from 178.62.63.165 port 48988 ssh2
    May 11 16:57:53 myserver sshd[372603]: Failed password for root from 157.230.1.224 port 59400 ssh2
    May 11 16:58:05 myserver sshd[372610]: Failed password for invalid user dns from 165.227.142.62 port 39930 ssh2
    May 11 16:58:06 myserver sshd[372608]: Failed password for root from 49.234.24.246 port 54290 ssh2
Last edited by isadora on May 12th, '22, 10:19, edited 1 time in total.
Reason: Topic moved into appropriate sub-forum
superbee
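To turn the raw grep above into something you can act on, here is an added example (my own script, not part of the original post or of msec) that summarises "Failed password" entries per source address, counts the attempts aimed at root, and lists sources over a threshold. It assumes the OpenSSH log format shown in the post; the log lines it embeds are constructed samples using documentation address ranges, not the poster's real entries.

```shell
#!/bin/sh
# Added example: summarise sshd "Failed password" entries from an auth log.
# Assumes the OpenSSH log line format shown in the thread.

# Write constructed sample log lines (not real traffic) to the path in $1.
write_sample_log() {
    cat >"$1" <<'EOF'
May 11 16:57:22 myserver sshd[369786]: Failed password for invalid user vbox from 198.51.100.7 port 58324 ssh2
May 11 16:57:45 myserver sshd[371196]: Failed password for invalid user cc from 203.0.113.9 port 60568 ssh2
May 11 16:57:50 myserver sshd[372568]: Failed password for root from 198.51.100.7 port 48988 ssh2
May 11 16:57:53 myserver sshd[372603]: Accepted publickey for admin from 192.0.2.5 port 59400 ssh2
May 11 16:58:06 myserver sshd[372608]: Failed password for root from 203.0.113.9 port 54290 ssh2
May 11 16:58:10 myserver sshd[372611]: Failed password for root from 198.51.100.7 port 54291 ssh2
EOF
}

# Print "count address" for every source with failed password attempts,
# most active first. Usage: failed_by_source /var/log/auth.log
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port [0-9]*.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of failed attempts that targeted the root account specifically
# (the case ALLOW_REMOTE_ROOT_LOGIN is meant to address).
root_failures() {
    grep -c 'Failed password for root from' "$1"
}

# Addresses with more than $2 failures in log $1: candidates for review
# before adding them to a block list (shorewall blrules, fail2ban, ...).
sources_over() {
    failed_by_source "$1" | awk -v t="$2" '$1 > t {print $2}'
}

SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "Failed password attempts by source:"
failed_by_source "$SAMPLE_LOG"
echo "Attempts against root: $(root_failures "$SAMPLE_LOG")"
echo "Sources with more than 2 failures: $(sources_over "$SAMPLE_LOG" 2)"
rm -f "$SAMPLE_LOG"
```

Point the functions at /var/log/auth.log (or at the output of journalctl -u sshd saved to a file) instead of the sample; the per-source counts are what you would review before deciding on a block list or fail2ban thresholds.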

Re: Help enforcing /etc/hosts.deny

Postby doktor5000 » May 12th, '22, 16:54

FWIW, just to clear up a few things. msec isn't really something like an active daemon. You use it to configure security-related settings, and it does regular reports about those settings, that's about it. Maybe have a look at https://wiki.mageia.org/en/Msec

IIRC hosts.deny belongs to tcp wrappers, which is an ancient thing. Also see the information at the top of hosts.deny for some context information. Our sshd isn't linked against libwrap anymore.
Maybe have a look at https://0pointer.net/blog/ip-accounting ... stemd.html or at https://unix.stackexchange.com/question ... ip-address for an example.

Apart from that, as your sshd is accessible from outside, you should definitely change it to a nonstandard port and not leave it at 22.
Also think about something like fail2ban or denyhosts for the sshd.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000

Re: Help enforcing /etc/hosts.deny

Postby jiml8 » May 12th, '22, 23:36

I don't think hosts.allow and hosts.deny do anything anymore. They were associated with tcp_wrappers and I don't think that is used on Mageia any more.

I use blockhosts to secure my ssh connection, and it uses hosts.allow to store information... and used to run whenever a relevant entry appeared in the log. It stopped working in Mageia 7, and I posted about it here viewtopic.php?f=8&t=13241&p=77582&hilit=tcp_wrappers+blockhosts#p77582 . I turned blockhosts into a cron that runs every 2 minutes and still use it.

I guess tcp_wrappers is deprecated.
jiml8

Re: Help enforcing /etc/hosts.deny

Postby superbee » May 13th, '22, 00:48

Thanks. So my understanding is that MSEC just applies secure configuration settings, permissions, ownership, etc. for various services (sshd, etc.).

I think I managed to figure out how to accomplish my goal directly with shorewall. The MCC firewall GUI (drakfirewall) is a basic frontend for shorewall that just creates a file /etc/shorewall/rules.drakx. This file tells shorewall which ports and protocols to allow through the firewall from the internet. Unfortunately, the GUI doesn't seem to give the option to blacklist or whitelist specific IPs. For this I needed to also configure Shorewall directly.

One can do this by editing /etc/shorewall/rules or /etc/shorewall/blrules to explicitly blacklist or whitelist certain IPs. In my case, if I want to SSH only from a specific IP and blacklist everything else, I can do the following in /etc/shorewall/blrules:

Code:
    WHITELIST       net:123.456.789.012 fw      tcp     22
    DROP            net                     all

where 123.456.789.012 is my whitelisted IP address. This seems to stop the random login attempts I was getting. With this set up, I'm not sure it is necessary to use fail2ban or change the default port since only a small number of IPs are allowed and everything else explicitly dropped.
superbee
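A quick sanity check for a blrules fragment like the one above, as an added example that is neither part of the post nor shorewall's own tooling: it pulls the zone:address sources out of WHITELIST/DROP/REJECT lines and reports any whose address is not a valid IPv4 literal (an optional /prefix is stripped before checking). The sample file it writes is constructed; it deliberately carries the post's placeholder 123.456.789.012, which reads fine to a human but is not a parsable address, so a real file needs an actual address before `shorewall check` is run. The helper names (write_sample_blrules, is_ipv4, bad_sources) are my own.

```shell
#!/bin/sh
# Added example: check the source-address columns of a shorewall blrules
# file before running "shorewall check". Not part of shorewall itself.

# Write a constructed blrules sample to the path in $1. The first WHITELIST
# line mirrors the placeholder used in the thread; 456 and 789 exceed 255.
write_sample_blrules() {
    cat >"$1" <<'EOF'
#ACTION         SOURCE                  DEST    PROTO   DPORT
WHITELIST       net:123.456.789.012     fw      tcp     22
WHITELIST       net:203.0.113.10/32     fw      tcp     22
DROP            net                     all
EOF
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Print every "zone:address" source whose address part is not valid IPv4.
# A trailing /prefix is ignored; IPv6 and named hosts are simply reported.
# Usage: bad_sources /etc/shorewall/blrules
bad_sources() {
    grep -v '^#' "$1" \
      | awk '($1 == "WHITELIST" || $1 == "DROP" || $1 == "REJECT") && index($2, ":") {print $2}' \
      | while IFS= read -r src; do
            addr=${src#*:}      # drop the "net:" zone prefix
            addr=${addr%/*}     # drop an optional /prefix length
            is_ipv4 "$addr" || echo "$src"
        done
}

F=$(mktemp)
write_sample_blrules "$F"
echo "Sources with invalid IPv4 literals:"
bad_sources "$F"
rm -f "$F"
```

Entries in blrules are matched in order, so the WHITELIST line must stay above the DROP line exactly as the post has it; a whitelist placed after the catch-all drop never matches. Run `shorewall check` after any edit, since it validates the whole configuration rather than just the address syntax this script looks at.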

Re: Help enforcing /etc/hosts.deny

Postby jiml8 » May 13th, '22, 19:05

If whitelisting an IP works for you, then that really is all you need.

Note, though, that this scheme lacks any flexibility and should that other IP address change (which happens occasionally with residential dynamic addresses) you will no longer be able to connect from the location you want whitelisted.
jiml8