ComputerSecurityStudent (CSS) [Login] [Join Now]


|UNIX >> Fedora >> Current Page |Views: 14055

(Fedora: Lesson 17)

{ Installing and Testing denyhosts and brutessh.py }

Section 0. Background Information
  1. What is denyhosts
    • DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
    • http://denyhosts.sourceforge.net/
     
  2. What is brutessh.py
    • Brutessh is a program that uses the paramiko ssh library, to launch bruteforce passwords attacks to the sshd service. The tools is multithreading and uses a dictionary for the passwords.

  3. Prerequisite
  4. Lab Notes
    • In this lab we will how to do the following:
      1. We will install denyhosts on Fedora.
      2. We will install brutessh.py on BackTrack.
      3. We will use brutessh on BackTrack to attack Fedora.

  5. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Fedora
  1. Start Fedora
    • Instructions
      1. For Windows 7
        • Start --> All Programs --> VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  3. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  4. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 2: Login to your Fedora14 server
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

 

Section 4: Installing denyhosts
  1. Search for DenyHosts
    • Instructions
      1. yum list denyhosts

     

  2. Install DenyHosts
    • Instructions
      1. yum install denyhosts
      2. Is this ok [y/N]: y

     

  3. Verify Installation Results
    • Notes:
      1. Once a command line is returned you will hopefully see a "Complete!" like below.

     

Section 5: Starting DenyHosts
  1. Starting DenyHosts
    • Instructions
      1. ps -eaf | grep -v grep | grep denyhosts | wc -l
        • A "0" is returned, because denyhosts is NOT currently running.
      2. cd /etc/init.d/
      3. ./denyhosts strat
      4. ps -eaf | grep -v grep | grep denyhosts | wc -l
        • A "1" is returned, because denyhosts IS currently running.
      5. ps -eaf | grep -v grep | grep denyhosts
        • This actually lists the denyhosts process.

 

Section 6: Startup Script for denyhosts
  1. Create Start Up Scripts
    • Instructions
      1. chkconfig --list | grep denyhosts
        • Notice that all run level start up scripts are OFF.
      2. chkconfig denyhosts --level 2345 on
        • We are turning on start up scripts for run levels 2, 3, 4, and 5.
      3. chkconfig --list | grep denyhosts
        • Notice that run level start up scripts are ON for 2, 3, 4, and 5.

     

  2. Startup Script for denyhosts
    • Instructions
      1. ls -l /etc/init.d/denyhosts
        • As part of the denyhosts installation, the denyhosts startup script is placed in /etc/init.d/denyhosts.
      2. find /etc/rc*.d/* -print | xargs ls -l | grep denyhosts
        • Identifies start up and kill scripts for denyhosts.
      3. runlevel
        • Identifies the current run level.
          • 0 Halt
          • 1 Single-User Mode
          • 2 User Definable (unused)
          • 3 Multi-User Mode
          • 4 Not Used
          • 5 Full Multi-User Mode (X-based logins)
          • 6 Reboot

     

  3. Stopping and Starting denyhosts with /etc/init.d/denyhosts
    • Instructions
      1. cd /etc/init.d
      2. ./denyhosts stop
      3. ps -eaf | grep -v grep | grep denyhosts | wc -l
        • Notice, that a "0" is returned, because denyhosts is NOT running.
      4. ./denyhosts start
      5. ps -eaf | grep -v grep | grep denyhosts | wc -l
        • Notice, that a "1" is returned, because denyhosts IS running.

     

  4. Stopping and Starting DENYHOSTS with the "service" command
    • Instructions
      1. service denyhosts status
        • This will show a PID if denyhosts is running.
      2. ps -eaf | grep -v grep | grep denyhosts
        • This will show the denyhosts process.
      3. service denyhosts stop
        • This command will stop the denyhosts daemon.
      4. ps -eaf | grep -v grep | grep denyhosts | wc -l
        • Notice, that a "0" is returned, because denyhosts is NOT running.
      5. service denyhosts start
        • This will start the denyhosts daemon/service.
      6. ps -eaf | grep -v grep | grep denyhosts
        • This will show the denyhosts process.

     

Section 7: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 8: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 9: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 10: Test SSH Between BackTrack and Fedora
  1. Test SSH from Backtrack to Fedora
    • Notes:
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. ssh student@192.168.1.106 "uptime"
        • If you do not have a student account on Fedora, replace it with the system account you create in Lab 1.
        • Replace 192.168.1.106 with Fedora's IP address you obtained in (Section 3, Step 3).
      2. connecting (yes/no)? yes
      3. Provide Password

     

  2. Check Fedora's secure log
    • Notes:
      • Issue the below commands from the Fedora Terminal.
    • Instructions:
      1. grep "Accepted password" /var/log/auth.log | grep "192.168.1.105"
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).

 

Section 11: Install and run BruteSSH.py against Fedora
  1. Search for BruteSSH.py
    • Notes:
      • Issue the below commands from the BackTrack Terminal.
      • IF BRUTESSH IS ALREADY INSTALLED, THEN CONTINUE TO SECTION 12.
    • Instructions:
      1. cd /pentest/passwords/
        • In BackTrack, the password cracking programs are typically located in this directory.
      2. ls -l
      3. ls -l | grep -i brute
        • Here we are checking to see if BruteSSH is already installed.
        • Our search for brute does not return results.

     

  2. Start Firefox
    • Instructions:
      1. Applications --> Internet --> Firefox Web Browser

     

  3. Download brutessh
    • Instructions:
      1. Place the below URL in the address box and Press Enter
        • http://www.computersecuritystudent.com/UNIX/UBUNTU/lesson13/brutessh-0.5.tar.bz2
      2. Click the Save File radio button
      3. Click OK

     

  4. Save to /pentest/passwords
    • Instructions:
      1. Click on Browse for other folders
      2. Click on File System
      3. Navigate to /pentest/passwords
      4. Click Save

     

  5. Unzip brutessh-0.5.tar.bz2
    • Instructions:
      1. cd /pentest/passwords/
      2. ls -l brutessh-0.5.tar.bz2
      3. bunzip2 brutessh-0.5.tar.bz2
      4. ls -l brutessh-0.5.tar
      5. tar xovf brutessh-0.5.tar

     

  6. BruteSSH House Cleaning
    • Instructions:
      1. cd /pentest/passwords/
      2. rm brutessh-0.5.tar
        • We no longer need the tar file.
      3. cd brutessh/
      4. ls -la
      5. cat /pentest/passwords/john/password.lst | grep -v "^#" | head -50 > password.txt
        • I grabbed the first 50 passwords from John the Ripper to create enough future brute force ssh traffic for denyhosts to block.

     

  7. Using BruteSSH
    • Instructions:
      1. python brutessh.py -help
        • The -help flag produced the usage options.

     

  8. Using BruteSSH Against DenyHosts
    • Instructions:
      1. python brutessh.py -h 192.168.1.106 -u root -d password.txt
        • 192.168.1.106 is the IP address of the victim Fedora machine in my case.  Refer to (Section 3, Step 3) to obtain Fedora IP Address.

 

Section 12: Testing Blocked SSH Traffic from BackTrack to Fedora
  1. Testing Blocked SSH Connection
    • Instructions:
      1. ssh student@192.168.1.106
        • If you do not have a student account on Fedora, replace it with the system account you created in Lab 1.
        • Replace 192.168.1.106 with Fedora's IP address you obtained in (Section 3, Step 3).
        • Note: DenyHosts on the Fedora server is now blocking the ssh protocol from connecting to port 22.
      2. telnet 192.168.1.106 22
        • Here I am testing to see if IP Addressed is really blocked or if just SSH traffic is blocked.
        • Note: Although BackTrack SSH traffic is now blocked, it is still possible to connect use TCP over port 22.

 

Section 13: Proof of Lab
  1. Analyzing Fedora Deny Host Logs
    • Notes:
      • Make sure you are on the Fedora Server.
      • You will be analyzing Fedora log files.
    • Instructions:
      1. grep sshd /etc/hosts.deny
        • The hosts.deny file contains all the ports that have been blocked by the denyhosts daemon.
      2. grep -i "Failed password" /var/log/secure | grep "192.168.1.105"
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

     

Section 14: Unblock BackTrack
  1. Stop rsyslog and denyhosts
    • Notes:
      • Make sure you are on the Fedora Server.
    • Instructions:
      1. fuser /var/log/auth.log
        • The command fuser identifies process IDs (PID)s that have open sockets to a file.
        • Notice that PIDs 2692 and 2715 currently have open sockets to the secure file.
      2. ps -eaf | grep -v grep | egrep '(2692|2715)'
        • Replace 2692 and 2715 with the PIDs that fuser lists in your session.
      3. service rsyslog stop
      4. service denyhosts stop

     

  2. Scrub the hosts.deny file
    • Instructions:
      1. cd /etc
      2. grep -v "192.168.1.105" hosts.deny > hosts.deny.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.105" hosts.deny.new | wc -l
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv hosts.deny hosts.deny.old
      5. mv hosts.deny.new hosts.deny

     

  3. Scrub the auth.log file
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.105" auth.log > auth.log.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.105" auth.log.new | wc -l
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv auth.log auth.log.old
      5. mv auth.log.new auth.log

     

  4. Scrub the denyhosts file
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.105" denyhosts > denyhosts.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. mv denyhosts denyhosts.old
      4. mv denyhosts.new denyhosts

     

  5. Start syslog and denyhosts
    • Instructions:
      1. service rsyslog start
      2. service denyhosts start

     

  6. Test SSH Connection from BackTrack to Fedora
    • Notes:
      • Make sure you are on the BackTrack Server.
    • Instructions:
      1. ssh student@192.168.1.106 "hostname"
        • If you do not have a student account on Fedora, replace it with the system account you created in Lab 1.
        • Replace 192.168.1.106 with Fedora's IP address you obtained in (Section 3, Step 3).
      2. Provide Password.

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth