How to fool and ban attackers using a fake sshd at port 22 (English)

(The copy at freiwuppertal.de/plone/sonstiges/fool might be easier to read because of the simple design of the main page)


Imagine the following realistic scenario: You are the administrator of a Linux server and you are intelligent enough not to run your real OpenSSHd at port 22. However, you wonder what to do with that free port. You have already thought about using it for an SSH honeypot like Kojoney or Kippo, but you are not the kind of person who would actually let an attacker in to see what he does. You just want to ban anyone who tries to access port 22, including any port scanner.

Guess what, that’s actually really easy!


Warning: It is possible that you lock yourself out of your system because you ban your own IP. If this happens, you need physical console access or another way to run a script that unbans you again!


Another Warning: The automatic ban will also apply to any other running sshd, including your real one. If you want to change this behavior, change the „SyslogFacility“ in your real sshd’s config to „DAEMON“ instead of „AUTH“ or decrease the LogLevel so that it does not show failed logins anymore.


Remember that you have to restart any running sshd after you changed the configuration or even the banner!


The first thing you need is an sshd at port 22. This sshd should not have any valid user/password configuration, to make sure that no cracker is ever able to get in. The best tool for this task is (yes!) OpenSSHd. You can simply run a second sshd by specifying a different configuration file.

To get a working config file, copy the original one…

cp /etc/ssh/sshd_config ~/trap-sshd.conf

…and edit it, using any command line editor of your choice. I prefer nano:

nano ~/trap-sshd.conf

The following options are important, change them if needed:

Port 22
SyslogFacility AUTH
LogLevel VERBOSE
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
Banner /home/yourhome/trap-sshd-banner
UsePAM yes
AllowUsers nobody

After you have saved your configuration (in nano: Ctrl+X, y and Return), you might want to create a notice that is shown before the user is finally banned. You can use something like this:

You have been banned because you tried to get SSH access.
1. forget it.
2. to get unbanned, contact myemail@example.org
Have a nice day.

Or like this:

Q: What do you have when you have a cracker buried up to his neck in sand?
A: Not enough sand.

Another idea is to use any funny output of /usr/games/fortune if you have it installed. Save the message of your choice in the text file /home/yourhome/trap-sshd-banner and it should work.


Now we have a working fake sshd that will run at port 22. You can start it whenever you want, using the start command below. Create a script to run it manually or create an @reboot cronjob to run it when the server starts.

This is the command to run your fake sshd:

sudo /usr/sbin/sshd -f /home/yourhome/trap-sshd.conf


We’re not done yet.

To ban everyone who tries to access the sshd, we will use Fail2Ban. If you installed it using apt-get, you should be able to find the configuration files at /etc/fail2ban – cd to this directory and continue:

Edit the „jail.local“ file, NOT the .conf file. If you edit the .conf file, your changes will be overwritten during the next upgrade.

Every jail that is enabled in that file, i.e. every section that contains a line like this:

[ssh]
enabled = true

has to be switched to „false“. We do not want to use any of the default configurations.

Once you have done that, delete the [ssh] and the [ssh-ddos] sections and replace them with the following:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-trap
bantime = 86400
maxretry = 1

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
banaction = iptables-trap
bantime = 86400
maxretry = 1

Once you have done that, save the file and close the editor. If you know how Fail2Ban works, you might wonder what „iptables-trap“ is. It is an action that does not exist yet, so we will create it:

cd action.d ; ls

We will simply copy the original „iptables“ action and modify it to fit our needs:

sudo cp ./iptables.conf ./iptables-trap.conf

Open iptables-trap.conf with your text editor. Look for the two lines containing the following string:

--dport <port>

and delete that string, ONLY THAT PART, not the whole lines. They should look like this now:

iptables -I <chain> -p <protocol> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>

Save the file and close the editor. Now you need to create a script that you can run when you have banned yourself. Create the file „/help-fail2ban.sh“ using your text editor (you need to use sudo) and fill it with the following code:

#!/bin/bash
# Emergency unban: rotate the logs so Fail2Ban no longer sees the old failed
# attempts, flush the ban rules, then restart Fail2Ban with a clean state.
echo rotating logfiles,
logrotate -f /etc/logrotate.conf
echo clearing and restoring iptables,
bash /restore-iptables.sh   # run via bash so the file does not need the execute bit
echo and restarting fail2ban.
/etc/init.d/fail2ban restart
echo done.

Save it, close it.

Now you should create/edit the file „/restore-iptables.sh“. Fill it with something like this:

#!/bin/bash
iptables -F

Add your „permanent“ iptables rules below the „iptables -F“, if you have some. All others will be deleted when you run the script.

Remember to run the following command from the console if you lock yourself out:

sudo bash /help-fail2ban.sh

Everything should work now. Any failed ssh connection attempt leads to a 24-hour ban of the IP and any portscan that hits port 22 will be useless.

To see what Fail2Ban does, you can always check the /var/log/fail2ban.log – you might want to add some permanent bans for some very annoying IPs.


EDIT: To allow port scans and only ban people who really try „ssh example.com“, simply set „enabled = false“ in the [ssh-ddos] section of jail.local.

To allow SSH attempts (just logging them) but to ban someone who runs „nmap -sS -A example.com“, do the same with the [ssh] section, but keep [ssh-ddos] enabled.
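To see which of the two jails fires on which kind of traffic, here is an added Python example (not from the original post) that replays constructed auth.log lines through reduced stand-ins for the sshd and sshd-ddos filters, with the maxretry = 1 and bantime = 86400 settings from the jail.local section above; it also shows the effect of disabling one jail as described in the EDIT. The filter patterns are an assumption reduced to the messages this scenario produces, and the year is assumed because auth.log timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Reduced stand-ins for fail2ban's sshd and sshd-ddos filters (assumption: the real
# filter.d files carry more patterns; these cover what a trap sshd with
# AllowUsers nobody and no password authentication writes to auth.log).
FILTERS = {
    "ssh": [
        re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)"),
        re.compile(r"sshd\[\d+\]: User \S+ from (?P<ip>\S+) not allowed because not listed in AllowUsers"),
        re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    ],
    "ssh-ddos": [
        re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)"),
    ],
}
BANTIME = timedelta(seconds=86400)  # bantime = 86400 from jail.local above
MAXRETRY = 1                        # maxretry = 1: the first hit is enough

# Constructed auth.log excerpt: a port scanner that connects and says nothing, a
# key-based login attempt against the trap sshd, and a legitimate login elsewhere.
SAMPLE_AUTH_LOG = """\
Jan 15 10:00:01 srv sshd[4101]: Did not receive identification string from 203.0.113.5
Jan 15 10:00:08 srv sshd[4102]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 15 10:00:09 srv sshd[4102]: Failed publickey for invalid user root from 198.51.100.7 port 51234 ssh2
Jan 15 10:00:30 srv sshd[4110]: Accepted publickey for alice from 192.0.2.22 port 40000 ssh2
""".splitlines()

def parse_ts(line, year=2024):
    """auth.log lines carry no year, so one is assumed for the expiry arithmetic."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def run_jails(lines, enabled=("ssh", "ssh-ddos")):
    """Replay log lines through the enabled jails; return {ip: (jail, ban_expiry)}."""
    failures = {}  # (jail, ip) -> matching lines seen so far
    bans = {}
    for line in lines:
        for jail in enabled:
            for rx in FILTERS[jail]:
                m = rx.search(line)
                if m is None:
                    continue
                key = (jail, m.group("ip"))
                failures[key] = failures.get(key, 0) + 1
                if failures[key] >= MAXRETRY and key[1] not in bans:
                    bans[key[1]] = (jail, parse_ts(line) + BANTIME)
                break  # one filter hit per jail and line is enough
    return bans
```

Calling run_jails(SAMPLE_AUTH_LOG) bans both the scanner (via [ssh-ddos]) and the login attempt (via [ssh]) for 24 hours, while run_jails(SAMPLE_AUTH_LOG, enabled=("ssh-ddos",)) bans only the scanner and leaves the login attempt logged but unbanned.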