ComputerSecurityStudent (CSS)





(CentOS 6.6: Lesson 8)

{ Testing denyhosts and brutessh.py }


Section 0. Background Information
  1. What is denyhosts
    • DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
    • http://denyhosts.sourceforge.net/
     
  2. What is brutessh.py
    • Brutessh is a program that uses the paramiko ssh library to launch brute force password attacks against the sshd service. The tool is multithreaded and uses a dictionary for the passwords.
     
  3. Prerequisite  
  4. Lab Notes
    • In this lab we will do the following:
      1. We will use brutessh on Kali to attack the ssh daemon on CentOS.
      2. We will install denyhosts on CentOS.
      3. CentOS will block Kali.
      4. We will unblock Kali.

  5. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1. Configure CentOS-6.6 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMware --> VMware Player
     
  2. Edit CentOS-6.6 Virtual Machine Settings
    • Instructions:
      1. Highlight CentOS-6.6
      2. Click Edit virtual machine settings

     

  3. Auto Detect Hard Drive
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Click the Use physical drive: radio button
      3. Make sure Auto detect is selected

     

  4. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2. Play Virtual Machine
  1. Start the CentOS-6.6 VM
    • Instructions:
      1. Click on the CentOS-6.6 VM
      2. Click on Play virtual machine

 

Section 3. Login to CentOS
  1. Login to CentOS
    • Note(FYI):
      1. Until you click the user, in this case Security Student, the Password field will not be displayed.
    • Instructions:
      1. Click on Security Student
        • This will display the password text box.
      2. Supply its password
      3. Click the Log In Button
     
  2. Open a Terminal
    • Instructions:
      1. Applications --> System Tools --> Terminal

     

  3. Switch User to root
    • Instruction:
      1. su - root
      2. Supply the Root Password
    • Notes (FYI):
      1. su - root, this command allows the user student to switch user to user root, provided the root password can be supplied.

     

  4. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.116 for Network Interface eth1.
        • Please record your IP address
      • The Local Loopback Address is 127.0.0.1 for Network Interface lo.
        • The loopback device is a special, virtual network interface that your computer uses to communicate with itself.  When the network or wifi is disconnected the loopback exists so applications running on your computer can always connect to servers on the same machine.

 

Section 4. Set Easy Password
  1. Set Easy Password
    • Instruction:
      1. passwd student
      2. New password: abc123
      3. Retype new password: abc123
    • Note(FYI):
      1. Obviously, abc123 is a bad password.  Even the CentOS operating system warns against it.  Later in this lesson, brutessh.py will be used to brute force the ssh account and will succeed.

     

Section 5. Start Kali
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        • Start --> All Programs --> VMware Player
      2. For Windows XP
        • Start --> Programs --> VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on the Kali VM
      2. Click on Edit virtual machine settings

     

  3. Auto Detect Hard Drive
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Click the Use physical drive: radio button
      3. Make sure Auto detect is selected

     

  4. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

     

  5. Start the Kali VM
    • Instructions:
      1. Click on the Kali VM
      2. Click on Play virtual machine

 

Section 6. Login to Kali
  1. Supply Username
    • Instructions:
      1. Click Other
      2. Username: root
      3. Click the Login Button

     

  2. Supply Password
    • Instructions:
      1. Password: Provide the root password
      2. Click the Login Button

     

Section 7. Obtain IP Address
  1. Open a Terminal
    • Instructions:
      1. Applications --> Accessories --> Terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.115 for Network Interface eth0.
        • Please record your IP address
      • The Local Loopback Address is 127.0.0.1 for Network Interface lo.
        • The loopback device is a special, virtual network interface that your computer uses to communicate with itself.  When the network or wifi is disconnected the loopback exists so applications running on your computer can always connect to servers on the same machine.

     

Section 8. Test SSH Connectivity Between Kali and CentOS
  1. Test SSH from Kali to CentOS (On Kali)
    • Instructions:
      1. ssh student@192.168.1.116 "uptime"
        • If you do not have a student account on CentOS, replace it with the system account you created in Lab 1.
      2. Are you sure you want to continue connecting (yes/no)? yes
      3. Provide Password
    • Note(FYI):
      1. Replace 192.168.1.116 with CentOS's IP Address obtained from (Section 3, Step 4).

 

Section 9. Inspect CentOS Security Log
  1. View CentOS secure log (On CentOS)
    • Note(FYI):
      • Replace 192.168.1.115 with Kali's IP Address obtained from (Section 7, Step 2).
      • You will notice that password was accepted.
    • Instructions:
      1. grep -i "accepted password" /var/log/secure | grep "192.168.1.115"

 

Section 10. Using BruteSSH
  1. Using BruteSSH (On Kali)
    • Instructions:
      1. cd /pentest/brutessh/
      2. python brutessh.py -help
        • The -help flag produced the usage options.

     

  2. Using BruteSSH Against DenyHosts
    • Note(FYI):
      • Replace 192.168.1.116 with CentOS's IP Address obtained from (Section 3, Step 4).
      • In the case below, we are attacking the student account, because we set it to an easy-to-guess password (abc123).  In practice, attackers most often target the root account.
    • Instructions:
      1. python brutessh.py -h 192.168.1.116 -t 0 -u student -d password.txt
    • Note(FYI):
      1. Notice my Times: End(.15) and Init(.06), which means it took .09 seconds to discover the easy password.

 

Section 11. Investigate Authentication Failures
  1. Check CentOS secure log (On CentOS)
    • Note(FYI):
      • Replace 192.168.1.115 with Kali's IP Address obtained from (Section 7, Step 2).
    • Instructions:
      1. grep -i "failed password" /var/log/secure | grep "192.168.1.115"
    • Note(FYI):
      1. Notice all the failed login attempts for the student account, which occurred in less than a second.
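The "Failed password" lines you just grepped are exactly what DenyHosts consumes.  As an added example (not part of this lab and not the DenyHosts project's own code), the following Python script parses constructed /var/log/secure lines, counts failed logins per source address, and renders the hosts that cross a threshold as the "sshd: <ip>" lines DenyHosts writes to /etc/hosts.deny; the threshold used here is an assumption, the real values come from denyhosts.cfg.

```python
import re
from collections import Counter

# Constructed sample lines in CentOS 6 /var/log/secure format (not a real capture).
SAMPLE_SECURE_LOG = """\
Mar  1 10:00:01 centos sshd[2101]: Accepted password for student from 192.168.1.115 port 40110 ssh2
Mar  1 10:05:12 centos sshd[2150]: Failed password for student from 192.168.1.115 port 40201 ssh2
Mar  1 10:05:12 centos sshd[2151]: Failed password for student from 192.168.1.115 port 40202 ssh2
Mar  1 10:05:12 centos sshd[2152]: Failed password for student from 192.168.1.115 port 40203 ssh2
Mar  1 10:05:12 centos sshd[2153]: Failed password for invalid user admin from 192.168.1.115 port 40204 ssh2
Mar  1 10:05:13 centos sshd[2154]: Accepted password for student from 192.168.1.115 port 40205 ssh2
Mar  1 10:07:44 centos sshd[2201]: Failed password for root from 10.0.0.9 port 51000 ssh2
"""

# sshd logs "invalid user" for names that do not exist on the box; capture that flag too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return ({ip: failed-login count}, {ip: set of user names tried})."""
    per_ip = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        per_ip[m.group("ip")] += 1
        users.setdefault(m.group("ip"), set()).add(m.group("user"))
    return per_ip, users


def hosts_deny_entries(per_ip, threshold=5):
    """Hosts at or above the threshold as TCP-wrapper lines for /etc/hosts.deny.
    threshold is an assumed value; DenyHosts reads its own from denyhosts.cfg."""
    return ["sshd: %s" % ip for ip, n in sorted(per_ip.items()) if n >= threshold]


if __name__ == "__main__":
    failures, tried = count_failures(SAMPLE_SECURE_LOG)
    for ip, n in failures.items():
        print("%s: %d failures, users tried: %s" % (ip, n, sorted(tried[ip])))
    print("\n".join(hosts_deny_entries(failures, threshold=3)))
```

Note that a log-based blocker only acts once the count crosses the threshold; in Section 10 the weak password fell in under a tenth of a second, so the block arrives after the fact and the strong password set in the next step is the real fix.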

     

  2. Change student password
    • Instructions:
      1. passwd student
      2. New password: <Supply a Strong Password>
      3. Retype new password: <Supply a Strong Password>

 

Section 12. Install DenyHosts
  1. Download DenyHosts (On CentOS)
    • Instructions:
      1. cd /var/tmp
      2. wget http://www.computersecuritystudent.com/UNIX/CENTOS/6/lesson8/DenyHosts-2.6.tar.gz
      3. tar zxovf DenyHosts-2.6.tar.gz

     

  2. Install DenyHosts
    • Instructions:
      1. cd DenyHosts-2.6
      2. python setup.py install

     

  3. Configure DenyHosts
    • Instructions:
      1. cd /usr/share/denyhosts
      2. cp denyhosts.cfg-dist denyhosts.cfg
      3. cp daemon-control-dist daemon-control
      4. chown root daemon-control
      5. chmod 700 daemon-control
    • Note(FYI):
      1. By default the directory /usr/share/denyhosts will be created and a sample configuration file will be copied into it.
      2. denyhosts.cfg-dist is the sample configuration file.
      3. daemon-control-dist is the sample daemon configuration file.

     

Section 13. Configure Startup Scripts
  1. Create DenyHosts Start Up Scripts (On CentOS)
    • Instructions:
      1. cd /etc/init.d
      2. ln -s /usr/share/denyhosts/daemon-control denyhosts
      3. chkconfig --add denyhosts
      4. chkconfig --list | grep denyhosts
      5. find /etc/rc.d/rc* -print| grep -i denyhosts | xargs ls -l
    • Note(FYI):
      1. The /etc/init.d directory contains a number of start and stop scripts for various services on your system.
      2. Add the denyhosts startup script to /etc/init.d
      3. Add startup script to runlevel 2, 3, 4, and 5.
      4. Verify the start up scripts for runlevel 2, 3, 4, and 5 are turned on.
      5. List the denyhosts start up scripts for runlevel 2, 3, 4, and 5

     

  2. Let's start up the denyhosts daemon.
    • Instruction:
      1. service denyhosts start
      2. service denyhosts status
      3. ps -eaf | grep denyhosts | grep -v grep
    • Note(FYI):
      1. Start up the denyhosts service.
      2. Check the status of the denyhosts service, which shows the PID.
      3. ps -eaf | grep denyhosts | grep -v grep
        • You can use the (ps) command to view the actual denyhosts process.  Notice how my process IDs of 15104 match.  Do yours match?

 

Section 16. Testing Brutessh.py against Denyhosts
  1. Attempt Brutessh.py against Denyhosts  (On Kali)
    • Note(FYI):
      • Replace 192.168.1.116 with CentOS's IP Address obtained from (Section 3, Step 4).
    • Instruction:
      1. python brutessh.py -h 192.168.1.116 -t 0 -u student -d password.txt
      2. ssh student@192.168.1.116
      3. echo "^]" | telnet 192.168.1.116 22
    • Note(FYI):
      1. Attempt a brute force ssh attack against the CentOS machine.
      2. Notice the ssh connection is closed by the CentOS machine.
      3. Notice you can still open a TCP connection to port 22, but that is about it: DenyHosts blocks through /etc/hosts.deny (TCP wrappers) rather than a firewall rule, so sshd accepts the connection and then refuses the session.

 

Section 17. How to Unblock a host from Denyhosts
  1. Check CentOS secure log (On CentOS)
    • Instructions:
      1. fuser /var/log/secure
        • The command fuser identifies the Process IDs (PIDs) of processes that currently have a file open.
        • In my case, PIDs 1659 (rsyslogd) and 6697 (denyhosts) currently have the secure file open.
      2. ps -eaf | grep -v grep | grep 1659
        • This is the PID for rsyslog
      3. ps -eaf | grep -v grep | grep 6697
        • This is the PID for denyhosts
      4. service rsyslog stop
      5. service denyhosts stop
      6. fuser /var/log/secure
        • Notice no Process IDs are returned because rsyslogd and denyhosts were stopped.
    • Note(FYI):
      1. fuser is a utility that identifies processes using files or sockets.
      2. Rsyslogd is a system utility that provides support for message logging.

     

  2. Scrub the hosts.deny file
    • Note(FYI):
      • Replace 192.168.1.115 with your Kali IP Address obtained from (Section 7, Step 2).
    • Instructions:
      1. cd /etc
      2. grep -v "192.168.1.115" hosts.deny > hosts.deny.new
      3. grep "192.168.1.115" hosts.deny.new | wc -l
      4. mv hosts.deny hosts.deny.old
      5. mv hosts.deny.new hosts.deny

     

  3. Scrub the secure file
    • Note(FYI):
      • Replace 192.168.1.115 with your Kali IP Address obtained from (Section 7, Step 2).
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.115" secure > secure.new
      3. grep "192.168.1.115" secure.new | wc -l
      4. mv secure secure.old
      5. mv secure.new secure

     

  4. Scrub the denyhosts file
    • Note(FYI):
      • Replace 192.168.1.115 with your Kali IP Address obtained from (Section 7, Step 2).
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.115" denyhosts > denyhosts.new
      3. grep "192.168.1.115" denyhosts.new | wc -l
      4. mv denyhosts denyhosts.old
      5. mv denyhosts.new denyhosts

     

  5. Verify Services are running
    • Instructions:
      1. service rsyslog start
      2. ps -eaf | grep -v grep | grep rsyslog
      3. service denyhosts start
      4. ps -eaf | grep -v grep | grep denyhosts

 

Section 18. Test if host is unblocked
  1. Check CentOS secure log (On Kali)
    • Note(FYI):
      • Replace 192.168.1.116 with CentOS's IP Address obtained from (Section 3, Step 4).
    • Instructions:
      1. ssh student@192.168.1.116 "hostname"
    • Note(FYI):
      • If you successfully unblock the Kali Host, you should now see the CentOS hostname.

 

Section 19. Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd /usr/share/denyhosts/data
      2. ls -l hosts-restricted
      3. cat hosts-restricted
      4. md5sum hosts-restricted
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle
     

 


