Logwatch, Exim4 & SSH Attack Dictionary Prevention on Debian Lenny VPS

Thanks to the excellent tutorials over at Slicehost, I got an idea of some of the things you need to do to secure a brand new virtual private server (VPS) straight away. To me, the main security takeaways are:

1. create a separate user account and give it sudo access, so you stop working as root

2. disable root login over SSH

3. use strong passwords, e.g. a mix of upper- and lower-case letters, digits and punctuation

4. set up an iptables firewall

I had no idea how well these steps were actually working at keeping unauthorised access out, though, and I don’t really have the time to read the system logs every day. Wouldn’t it be great if there were a way to just receive a daily email summarising the significant security-related activity on the server?

Well, there is! You just need to set up Logwatch by following the steps in this tutorial.

You won’t get any emails sent to you, however, if your VPS hasn’t already been configured to send email. This excellent tutorial explains how to set up Exim4 to send emails from your VPS.

One thing I noticed about this method is that you may still not receive the emails: some providers discard or junk mail from servers that have no proper reverse DNS record. So if you find yourself not getting emails from Logwatch, set up reverse DNS for your VPS (which you can usually do in your VPS control panel, or ask your provider to help you). The PTR record should point back to the hostname Exim announces in its HELO, since some receivers check that name and address agree in both directions. Alternatively, you can set your VPS to send email via the Gmail SMTP server: Exim then relays every message through Gmail as a smarthost, using authenticated submission on port 587, so the mail leaves from Google’s servers rather than from an unknown VPS address and is far more likely to reach your inbox. Bear in mind that Gmail rewrites the From address to the account you authenticate as, and that an account with 2-step verification needs an app password for SMTP rather than its normal password.

The first few times I received my Logwatch reports via email, I have to admit to being shocked at just how many SSH login attempts my VPS receives on a daily basis! Several thousand a day (why do so many people have so much free time?). I found out that you can tweak your iptables rules to throttle this. The rules in my example below count new SSH connections per source address rather than individual password guesses: an IP address that opens a fourth connection to port 22 within 10 minutes has that connection dropped, and because dropped attempts still refresh the counter, a source that keeps retrying stays blocked for as long as it keeps up the pace. Note that sshd allows several password guesses per connection (MaxAuthTries defaults to 6), so three connections is still up to 18 guesses every 10 minutes. The rules are written in the format iptables-restore reads, so they belong in the rules file you created while setting up the firewall, above any rule that accepts port 22 outright; if you always connect from a fixed address, add an ACCEPT for it above the jump to SSH_CHECK so you cannot lock yourself out.

# Separate chain for new SSH connections
-N SSH_CHECK
# Send every new TCP connection to port 22 through it (keep this above any plain ACCEPT for port 22)
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address in the "SSH" recent list on every new connection
-A SSH_CHECK -m recent --set --name SSH
# Drop the 4th (or later) new connection from that address within 600 s; --update also refreshes the entry, so retries keep the block alive
-A SSH_CHECK -m recent --update --seconds 600 --hitcount 4 --name SSH -j DROP
# Otherwise let it through
-A SSH_CHECK -j ACCEPT
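
To make that behaviour concrete, here is an added example (not code from the original post, and not iptables itself) that simulates what the recent module does for the two rules above over a constructed sequence of new SSH connections. The RecentTable class, the ssh_check and summarize functions and the sample addresses are this example’s own; the kernel keeps up to 20 timestamps per address by default, which is where MAX_STAMPS comes from.

```python
"""Simulate the SSH throttle the iptables rules above implement.

Added example, not code from the original post or from iptables itself: it
models the xt_recent match for the rule pair
    -m recent --set --name SSH
    -m recent --update --seconds 600 --hitcount 4 --name SSH -j DROP
so you can see which new connections are dropped, and for how long.
"""
from collections import defaultdict, deque

MAX_STAMPS = 20  # kernel default ip_pkt_list_tot: timestamps kept per address


class RecentTable:
    """One --name list of the recent module: a ring of timestamps per source IP."""

    def __init__(self, max_stamps=MAX_STAMPS):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, ip, now):
        """--set: create the entry if needed and record this packet's time."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the entry exists and at
        least N recorded stamps are no older than S seconds.  Unlike --rcheck,
        a match also records the current time, so retries extend the block."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def ssh_check(events, seconds=600, hitcount=4):
    """Pass new-connection events (seconds, source_ip) through the SSH_CHECK
    chain and return a (time, ip, verdict) tuple for each."""
    table = RecentTable()
    verdicts = []
    for now, ip in events:
        table.set(ip, now)                                   # -m recent --set
        if table.update(ip, now, seconds, hitcount):         # --update ... -j DROP
            verdicts.append((now, ip, "DROP"))
        else:
            verdicts.append((now, ip, "ACCEPT"))             # -j ACCEPT
    return verdicts


def summarize(verdicts):
    """Count ACCEPT and DROP verdicts per source IP."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, ip, verdict in verdicts:
        counts[ip][verdict] += 1
    return dict(counts)


# Constructed sample traffic (documentation addresses, not real hosts):
#  - 198.51.100.9 runs a dictionary attack, opening a new connection every 60 s
#  - 192.0.2.10 is the admin, connecting twice
#  - 203.0.113.4 spaces its connections so no four ever fall in one 600 s window
SAMPLE_EVENTS = sorted(
    [(60 * i, "198.51.100.9") for i in range(12)]
    + [(5, "192.0.2.10"), (400, "192.0.2.10")]
    + [(0, "203.0.113.4"), (100, "203.0.113.4"), (200, "203.0.113.4"), (700, "203.0.113.4")]
)

if __name__ == "__main__":
    for now, ip, verdict in ssh_check(SAMPLE_EVENTS):
        print(f"t={now:4d}s  {ip:<13} {verdict}")
    print(summarize(ssh_check(SAMPLE_EVENTS)))
```

Running it prints one verdict per connection: the attacker gets its first three connections accepted and every later one dropped for as long as it keeps connecting once a minute, the admin and the slow client are never touched, and a source that stops for the full 10 minutes is admitted again. That last point is the one to keep in mind when reading Logwatch afterwards: the rule caps the rate of connections, it does not shorten a patient attacker’s dictionary.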

Note that this isn’t the most comprehensive guide to security on a VPS, but it’s a start!