Raspberry pi security - autorooters


6 posts
by drdevil44 » Fri May 03, 2013 9:09 am
Dear all

Looks like the pi has been added to the autorooters used by script kiddies - found this in my log today - clearly scanning for the pi user:

May 3 06:20:03 piserver sshd[5708]: Invalid user pi from 186.103.144.18
May 3 06:20:03 piserver sshd[5708]: input_userauth_request: invalid user pi [preauth]
May 3 06:20:03 piserver sshd[5708]: pam_unix(sshd:auth): check pass; user unknown
May 3 06:20:03 piserver sshd[5708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.103.144.18
May 3 06:20:05 piserver sshd[5708]: Failed password for invalid user pi from 186.103.144.18 port 35844 ssh2
May 3 06:20:05 piserver sshd[5708]: Received disconnect from 186.103.144.18: 11: Bye Bye [preauth]
May 3 06:20:07 piserver sshd[5712]: reverse mapping checking getaddrinfo for 186-103-144-18.static.tie.cl [186.103.144.18] failed - POSSIBLE BREAK-IN ATTEMPT!

Best
Gareth
Posts: 39
Joined: Sun Mar 04, 2012 8:56 pm
by pluggy » Fri May 03, 2013 7:43 pm
It's probably a safe bet they'll find a few. It won't get them into mine though.
Don't judge Linux by the Pi.......
Posts: 2313
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
by xenoist » Fri May 10, 2013 11:23 am
Install denyhosts and fail2ban if you have built-in iptables modules in the kernel.
denyhosts just looks for failed logins and adds the hosts to hosts.deny.
Don't forget to set white lists: your incoming IP, if it's fixed, to hosts.allow.

I accept only ssh-key login, and no password login, on my servers too.
To use this, the ssh user must have an ssh key from the client to connect with on the remote machine:
http://www.linuxproblem.org/art_9.html

The .ssh dir for the user must have 700 permissions:
chmod 700 ~/.ssh
In "/etc/ssh/sshd_config" set "PasswordAuthentication no"; now only key login is accepted.
But test it before you kick yourself off.
I also changed the fail2ban settings for sshd to keep off ssh-key-only logins with failures:

/etc/fail2ban/filter.d/sshd.conf
# The "Received disconnect" lines in the log above end in " [preauth]", so allow for it.
failregex = ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye(?: \[preauth\])?\s*$
https://it-shamans.eu GPG: 1024D/F96BC5FD xenoist at web.de
Posts: 13
Joined: Fri Apr 26, 2013 8:33 am
Location: Germany
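To see what failregex lines of this kind actually do, here is an added example (my own code, not from the thread and not fail2ban's implementation): the two patterns from the post, plus a "Failed password" pattern of the sort fail2ban's stock sshd filter also carries, are run over constructed log lines shaped like the excerpt at the top of the thread. The prefix regex standing in for fail2ban's %(__prefix_line)s and the IPv4-only stand-in for <HOST> are simplifications chosen for this example, the addresses are documentation-range placeholders, and the second pattern is given an optional " [preauth]" suffix because the line in the original log ends that way.

```python
import re
from collections import Counter

# Constructed sample auth.log lines modelled on the excerpt in the thread.
# Hosts and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
May  3 06:20:03 piserver sshd[5708]: Invalid user pi from 198.51.100.23
May  3 06:20:05 piserver sshd[5708]: Failed password for invalid user pi from 198.51.100.23 port 35844 ssh2
May  3 06:20:05 piserver sshd[5708]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
May  3 06:21:10 piserver sshd[5730]: User guest from 198.51.100.23 not allowed because none of user's groups are listed in AllowGroups
May  3 06:22:44 piserver sshd[5741]: Accepted publickey for bob from 192.0.2.10 port 50122 ssh2
May  3 06:23:01 piserver sshd[5741]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""

# Simplified stand-in for fail2ban's %(__prefix_line)s:
# syslog timestamp, host name, then "sshd[pid]: ".
PREFIX_LINE = r"^\S+ +\d+ +\d+:\d+:\d+ \S+ sshd\[\d+\]: "

# Stand-in for fail2ban's <HOST> tag: an IPv4 address captured as group "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two patterns from the post (with an optional " [preauth]" suffix on the
# disconnect line), plus a failed-password pattern written for this example.
FAILREGEX = [
    r"User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
    r"Received disconnect from <HOST>: 11: Bye Bye(?: \[preauth\])?\s*$",
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2\s*$",
]


def compile_filters(patterns):
    """Expand <HOST> and prepend the prefix, the way fail2ban assembles a filter."""
    return [re.compile(PREFIX_LINE + p.replace("<HOST>", HOST)) for p in patterns]


def count_failures(log_text, patterns=FAILREGEX):
    """Count matching lines per source address; one hit per line at most."""
    filters = compile_filters(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in filters:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Addresses that reached the failure threshold (fail2ban's maxretry)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for host, n in failures.items():
        print(f"{host}: {n} failure(s)")
    print("ban:", hosts_to_ban(failures))
```

Only the scanning address accumulates hits; the legitimate key login and its ordinary disconnect from 192.0.2.10 match none of the patterns, which is the property worth checking before adding a regex to a live jail.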
by gstreeter » Fri May 10, 2013 5:01 pm
Modify your SSH server port in sshd_config to something other than the default 22 as they don't usually probe for alternative ports. Note it has to be above 1024. Since doing this I've not had a single attempt at SSH break ins. As already noted earlier, using public key-only authentication denies external password based access and renders such attempts futile.
Posts: 97
Joined: Sun Sep 02, 2012 11:11 am
Location: UK
by jojopi » Fri May 10, 2013 9:31 pm
xenoist wrote: Install denyhosts and fail2ban if you have built-in iptables modules in the kernel.
If you have not changed the default pi password then these theatrical scripts will not help you, because the attacker will be in on the first attempt. If you have changed the password then they are not necessary.

They should never be your first advice, especially when you have better suggestions with real security advantages later in your post.
The .ssh dir for the user must have 700 permission.
chmod 700 ~/.ssh
That is a myth. 0755 is absolutely fine.
Posts: 1966
Joined: Tue Oct 11, 2011 8:38 pm
by sprinkmeier » Sat May 11, 2013 1:30 pm
jojopi wrote:
xenoist wrote:
The .ssh dir for the user must have 700 permission.
chmod 700 ~/.ssh
That is a myth. 0755 is absolutely fine.
Security is about 'defence in depth', aka 'belts and suspenders'.

755 might be OK, but 700 is better and shouldn't cause any problems, so use it.

An example:
The known_hosts file used to list plaintext hostnames for other hosts.
An attacker who gained a toe-hold on your system could use it to map out which other systems you visited, aiding their attack plan.
The more accessible this file, the greater the risk.

Also...if you change the SSH port on a server you can use ~/.ssh/config to automatically override the default port when connecting to that box:
host paranoid
        hostname paranoid.example.com
        user bob
        port 54321


Now you can
ssh paranoid
instead of
ssh -l bob -p 54321 paranoid.example.com

Automagically works for scp, sftp, git/rsync over ssh, etc.

Note that you're now leaving clues around for an attacker, à la the old known_hosts file, so remember to "chmod 700 ~/.ssh ; chmod 600 ~/.ssh/*"
Posts: 269
Joined: Mon Feb 04, 2013 10:48 am
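A small audit of the permissions recommended above, added here as example code (not from the thread): it builds a constructed .ssh directory using the looser 0755 directory and 0644 file modes debated in the posts, reports anything group- or other-accessible, applies the "chmod 700 ~/.ssh ; chmod 600 ~/.ssh/*" from the last post, and re-checks. The directory layout, file contents and function names are all assumptions made for this example; the config file content mirrors the ~/.ssh/config shown above and the known_hosts key is a placeholder.

```python
import os
import stat
import tempfile


def audit_ssh_dir(ssh_dir):
    """Return a list of findings for an ~/.ssh-style directory.

    An empty list means the directory is 0700 and no regular file in it is
    readable or writable by group or others.
    """
    findings = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode != 0o700:
        findings.append(f"{ssh_dir}: mode {dir_mode:04o}, expected 0700")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other bit set
            findings.append(f"{path}: mode {mode:04o} is group/other accessible, expected 0600")
    return findings


def harden_ssh_dir(ssh_dir):
    """Apply the post's recipe: chmod 700 on the dir, chmod 600 on its files."""
    os.chmod(ssh_dir, 0o700)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            os.chmod(path, 0o600)


def demo():
    """Build a constructed, deliberately loose .ssh directory in a temp dir,
    audit it, harden it and audit again. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o755)  # the "0755 is fine" case from the thread
        # Constructed contents: the config alias from the post and a placeholder host key.
        with open(os.path.join(ssh_dir, "config"), "w") as f:
            f.write("host paranoid\n    hostname paranoid.example.com\n    user bob\n    port 54321\n")
        with open(os.path.join(ssh_dir, "known_hosts"), "w") as f:
            f.write("paranoid.example.com ssh-ed25519 AAAA...placeholder-key\n")
        os.chmod(os.path.join(ssh_dir, "config"), 0o644)
        os.chmod(os.path.join(ssh_dir, "known_hosts"), 0o644)
        before = audit_ssh_dir(ssh_dir)
        harden_ssh_dir(ssh_dir)
        after = audit_ssh_dir(ssh_dir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Run against a real account with `audit_ssh_dir(os.path.expanduser("~/.ssh"))`; the point of the 0644 config file in the demo is that a world-readable ~/.ssh/config hands every other local user the host aliases, user names and non-default ports that changing the port was meant to hide.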