Knock knock....who's there?

Knock knock....who's there? The world knocking at your door....all the time!!

As a house has doors, a computer has ports that can be opened and closed. Which ports are open to the world from your house? And how often do you check? Any new port opened recently? How long until hackers find your open doors and start attacks?

I wanted to do a little project where I sat up a little computer (raspberry pi) in my home network with just one open port (port 22) and check how long it took until hackers found it and started to attack it.
During the test period my ISP changed my IP twice.

A lot of people around the world scan the internet for ip's which leads to open services like e.g. ssh. One day in June 2015 I wanted to check out the auth log examining it for intrusion attempts on port 22 (ssh) to see if my harvesting was successful. I was quite shocked by how many failed root login attempts there were from others than myself and decided to do something about it.

This is a small example of what the log looked like:

Aug 16 06:57:33 raspberrypi sshd[7959]: Failed password for root from 43.229.53.xx port 58575 ssh2
Aug 16 06:57:35 raspberrypi sshd[7959]: Failed password for root from 43.229.53.xx port 58575 ssh2
Aug 16 06:57:37 raspberrypi sshd[7959]: Failed password for root from 43.229.53.xx port 58575 ssh2

Above you can see how a person from ip 43.229.53.xx started to scan for my root (admin) password and failed three times in a few seconds.

Imagine a bouncer that will let you in if you have the correct secret password, and then a guy comes 1000 times a day trying different but wrong passwords. Wouldn't it be great to toss him away after e.g. 3 wrong password attempts? Fail2ban will do this for you. There are a lot of good blogs on how to set this up, and it's quite easy too. I used this one. Fail2ban have a lot of filters checking for unexpected behaviour, but I'll only cover the ssh (port 22) part.

Fail2ban can easily be configured to trigger on this hammering behaviour and ban the offending IP address long enough to make it difficult to try to guess passwords - for example 10 minutes:

2015-08-16 11:55:28,296 fail2ban.actions: WARNING [ssh] Ban 43.229.53.xx
2015-08-16 12:05:28,323 fail2ban.actions: WARNING [ssh] Unban 43.229.53.xx

As shown above, fail2ban bans the IP in ten minutes, and then unbans it. With this time delay it will be next to impossible to brute force the, in this case, root password.

The logs for fail2ban is usually located in /var/log/fail2ban.log if you're running Debian and it'd quite fun to read to see all the banned IP's over time.

After running fail2ban from June 2015 until the end of August 2015 on my raspberry pi I checked out the fail2ban logs to examine the results.

From 09.08.2015 to 21.08.2015 I got 569 unique ip's from 28 different countries knocking on my door. Wouldn't it be great to examine which countries these IP's from? Lets try GeoIP.

GeoIP

Easy to install in Debian:

sudo apt-get install geoip-bin geoip-database

Tho check if it works try to give the program the IP of Google's dns using command:

pi@raspberrypi ~ $ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States

It worked!

According to geoiplookup, these are the results of my findings:

#    | Country
---- | --------
248  | Japan
143  | China
 19  | Ukraine
 18  | United States 
 17  | Netherlands
 16  | Korea, Republic of
 15  | Germany
 10  | France
  7  | Italy
  6  | Russian Federation
  5  | Croatia
  5  | Thailand
  4  | Brazil
  4  | India
  4  | Moldova, Republic of
  4  | Turkey
  3  | Bangladesh
  3  | Morocco
  3  | Taiwan
  3  | Vietnam
  2  | Bulgaria
  2  | Bolivia
  2  | Canada
  2  | Colombia
  2  | Ecuador
  2  | United Kingdom
  2  | Indonesia
  2  | Lao People's Democratic Republic
  2  | Sri Lanka
  2  | Poland
  2  | Portugal
  1  | Argentina
  1  | Australia
  1  | Estonia
  1  | Mexico
  1  | Norway
  1  | Romania
  1  | Syrian Arab Republic

Security tips

It can be smart to not allow to log in as root from outside your local network. You can configure this in /etc/ssh/sshd_config and set

PermitRootLogin no 

To disable root login, and then enable it for internal use only:

##Permit local root login 
Match Address 192.168.1.*,127.0.0.1
PermitRootLogin yes

It can be smart to configure ssh to use a port greater than 1024, however the port of your choosing then is not a privileged port which can be bad for security read this.
It can be smart to use ssh keys
It's time to get intimate with your ports and your logs, and have fun trying!

A simple but fun experiment making you more secure.