I'm trying to defend my server (Ubuntu Lucid 10.04) from some brute force ssh attacks by configuring the iptables.
I want to log the matches to DROP rules, but it wasn't working, so I tried the very basic:
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level info --log-prefix "TEST: "
But it doesn't log anything! I tried changing the log-level: debug or 7 and adding
kern.=debug -/var/log/firewall
to /etc/syslog.conf
but nothing gets written to/var/log/messages
or /var/log/firewall
The rule does get some matches:
$ iptables -L -v
pkts bytes target prot opt in out source destination
44 5543 LOG tcp -- any any anywhere anywhere tcp dpt:ssh LOG level debug prefix `TEST: '
iptables logging not working has a solution to update rsyslog to a newer version. However according to this source "this solution is messing with the default logging system"
Does anybody know a better solution?
If not, I could try updating rsyslog (compile from source), but how can I revert to the default rsyslog if it messes things up?
EDIT: rsyslog drops it's privileges, so it can't read /proc/kmesg. This should be solved in newer kernels but unfortunately, I'm stuck on 2.6.18.
"the fact it doesn't read kmsg on older kernels is DELIBERATE
and will not be fixed."
I tried to let rsyslog keep it's root privileges, by altering /etc/rsyslogd.conf
$PrivDropToUser root
$PrivDropToGroup root
But that doesn't work either, which confuses me. Why can't this root process read a file root owns?
Best Answer
You could install fail2ban and configure the ssh jail to automatically ban the IP addresses that are attacking your server based on the messages that sshd puts in the logs. This is a fairly standard way of doing what you want.
If you haven't already done so you should disable root logins via ssh as well as enabling and using key based authentication.