New Users Read Bad Blogs and Later Cannot SSH. Many self-styled sysadmins and "Senior Software Engineers" deliver server security mantras to new users through their blogs. Needless to say, most of them are neither knowledgeable sysadmins nor real Senior Software Engineers. We are definitely not pointing at Major Hayden: we agree with him that security should always be applied in layers, and although he did accept the arguments for changing the default SSH port, he is an established coder and Senior Software Engineer who talks about enterprise-grade setups, not a single server running a plain website.
Editing the default security settings of GNU/Linux is dangerous for a new user. The flaw is in the sequence of the workflow: the firewall was locked down before the new SSH port was allowed through it. Here is how to bypass a blocked SSH port and wrong iptables rules. Swear not to do it again. These methods are the ones used for penetration testing and for hacking a server, so we will not mention all the ways, only one practical one; otherwise you will attempt to run exploits on other people's servers. Try the web host's console first, but it may not work: keyboard mapping problems can make it reject your password.
Bypass Blocked SSH Port and Wrong iptables Rules : Where This Method Will Work
You must have PHP installed and a web server such as Nginx or Apache running. The ideal situation is a WordPress website at the front end, like the one in our complete guide to installing WordPress with an Nginx and PHP5-FPM backend.
The web server's port must be open and the login of the front-end web software must be working.
You must know your IP address, root username and password.
Yes, it is possible to gain root access with fewer of these, but the above is the normal condition when you have edited the
/etc/ssh/sshd_config file to change the default SSH port and applied the wrong iptables policy. It is not normal to forget the root username and password and, at the same time, get locked out of SSH.
Bypass Blocked SSH Port and Wrong iptables Rules : Situation
As an example: I read somewhere to allow port 80 and port 443 and drop/block all other ports, for the first time in my life. Then I edited the
/etc/ssh/sshd_config file to change the default SSH port. I restarted the SSH daemon and got kicked out of the server. Thereafter I am reading this guide.
I will never read the bad blogs again.
I have understood that I am a fool.
I will never again try methods written in the bad blogs.
I have understood that I know nothing about server security.
I have understood that the console is not like SSH.
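The following is an added example (shell, not from the original post) of the rule order behind this situation: the sequence that locks you out, beside a sequence that keeps the current session alive while sshd moves to a new port and keeps loopback open, which the PHP-to-localhost recovery described later in this post depends on. The new port 2222 is an assumption, and by default the iptables commands are only printed; set IPTABLES=iptables to apply them as root.

```shell
#!/bin/sh
# Added example (not from the original post). By default every iptables
# command is only printed; run with IPTABLES=iptables as root to apply it.
IPTABLES="${IPTABLES:-echo iptables}"

# The lock-out sequence from the post: policy DROP first, then only 80/443.
# Nothing accepts loopback, the live session, or the port sshd is about to
# move to, so restarting sshd after editing sshd_config ends the session.
lockout_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
}

# Safe sequence. $1 is the port sshd will move to (assumed: 2222).
# Every ACCEPT goes in while the policy is still ACCEPT; DROP comes last.
safe_rules() {
    newport="$1"
    $IPTABLES -A INPUT -i lo -j ACCEPT                                      # loopback: 127.0.0.1 stays reachable
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # the session you are typing in survives
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT                          # old port stays open until the move is verified
    $IPTABLES -A INPUT -p tcp --dport "$newport" -j ACCEPT                  # new port opened BEFORE sshd_config changes
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPTABLES -P INPUT DROP                                                 # policy last
    # Then: set "Port $newport" in /etc/ssh/sshd_config, restart sshd, log in
    # from a SECOND terminal with ssh -p "$newport", and only afterwards
    # delete the "--dport 22" rule.
}

# Reads a rule list (one command per line) from stdin and succeeds only if
# loopback is accepted before the DROP policy is set. The recovery trick
# (PHP on the web server talking to sshd on 127.0.0.1) needs exactly this.
loopback_before_drop() {
    awk '/-i lo -j ACCEPT/ && !seen_drop { ok = 1 }
         /-P INPUT DROP/ { seen_drop = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Stand-alone run: print the safe sequence.
safe_rules 2222
```

Run it as is to read the commands, then pipe a captured rule list into loopback_before_drop to see which of the two sequences leaves a way in through 127.0.0.1.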
Does Your Web Host Not Flush the Firewall?
If you ask, web hosts usually flush the firewall policies on request, even on unmanaged plans, as a mercy for virtual and cloud servers; it is kept as a last option. For unmanaged dedicated servers and colocation servers it can be a very pathetic situation. Such setups use a web hosting control panel like cPanel or Plesk even for one domain, and the internal network and the ports within the server are left widely open.
If the above works, there is no need to try the next steps.
Bypass Blocked SSH Port and Wrong iptables Rules : Run PHP Exploits
There are many PHP-based web shells, but they cannot help you here. PHP runs as
www-data, so apart from the few commands that do not need
root, nothing can be done. On a standard setup you cannot use PHP's shell-execution functions to delete the
/etc/ssh/sshd_config file: the file and /etc/ssh are owned by root and not writable by www-data. GNU/Linux file ownership makes it quite immune to such exploits.
The only way is to write a PHP script that, when you open it in your browser via your IP address, makes the web server connect to
127.0.0.1 on your changed custom port with your root username and root password. Note that sshd does not speak FTP: what works on the SSH port is SFTP (PHP's ssh2 extension), not ftp_connect(). That connection never leaves the machine, so iptables will not reject it, provided your rules accept traffic on the loopback interface (the usual -i lo -j ACCEPT rule); a blanket DROP policy without that rule drops 127.0.0.1 as well, and then this method fails too. Over that connection you can delete the
/etc/ssh/sshd_config file, upload a fresh
/etc/ssh/sshd_config file with the SSH port set to one you kept open (port 80 or port 443) and reboot the server. Two caveats: sshd cannot bind to port 80 or 443 while the web server already holds them on the same address, so the web server has to give the port up first; and since that same connection authenticates you to sshd as root, the simpler fix is to run the iptables command that re-opens your real SSH port over it and leave sshd_config alone.
Many WordPress plugins exist that give FTP-like file management within WordPress, such as WordPress File Manager. Such a plugin is good for uploading or deleting your custom PHP script. Do not expect to delete the
/etc/ssh/sshd_config file via such a plugin on a standard setup. If you cannot upload a custom PHP script to the site's public directory, you installed WordPress with wrong permissions and file ownership.
The question now is WHERE the custom PHP script is that deletes the /etc/ssh/sshd_config file and uploads a fresh
First, the credentials for that connection are now the same as for SSH :
username : root / whatever you use to SSH
password : your password
port : the one you set in /etc/ssh/sshd_config, default is 22
Actually, you need to code it yourself. We will not give a ready-to-use script for security reasons. You can read the official PHP website or search the Internet for scripts. This is an example PHP script (the same code is on GitHub as a Gist) :
<?php
// Plain FTP login to localhost; ftp_connect() speaks FTP only, so port 21, not the SSH port
$conn = ftp_connect("127.0.0.1", 21) or die("connect failed\n");
ftp_login($conn, "username_here", "password_here") or die("login failed\n");
$files = ftp_nlist($conn, ".") ?: die("listing failed\n"); // list the login directory
$filetoget = array_pop($files);                            // pick the last entry
ftp_get($conn, $filetoget, $filetoget, FTP_BINARY);        // download it under the same name
ftp_close($conn);
The above script only tests a plain FTP login: ftp_connect() defaults to port 21 and accepts another port as its second argument, but it speaks FTP and nothing else, so pointing it at the port you set for SSH does not work; sshd answers with an SSH banner, not an FTP greeting. Talking to sshd from PHP means SFTP over SSH, i.e. the ssh2 extension (ssh2_connect(), ssh2_auth_password(), ssh2_sftp(), ssh2_exec()) rather than the ftp_* functions. Sorry, we cannot help with a custom PHP script for this situation. Yes, it is also possible to gain access via a reverse PHP shell. An ordinary hacker cannot use these methods to gain access, since they require your valid root credentials.
Bypass Blocked SSH Port and Wrong iptables Rules : Success!
You possibly wanted to make your server secure. But those are measures for advanced users, and odd ways of doing it.
Changing the SSH port from 22 to anything else brings hundreds of problems. Do not do it as a new user. You can "hide" your ports in other ways (not discussed here).
Secondly, ports 80 and 443 remain open, so a hacker can run an exploit in a smarter way than you did. That is why we use Nginx in front as a reverse proxy, or a load balancer: when the main server's IP is not the one we SSH to, server management becomes easier, and the server in front filters out most of the attacks. Since that front server runs only Nginx and no PHP, and its logs are monitored regularly as mentioned before, attacking it is rather difficult. Obviously, you can also configure your server to use a private key for SSH, which is better protection than port knocking. Always keep a way for yourself to get access.
Do You Need the Atom Bomb?
What those fake sysadmins and fake Senior Software Engineers do not mention is to check your own SSH log with basic commands. This command filters the authentication log file (we used
/var/log/auth.log, its location on any deb-based GNU/Linux) for failed sshd authentications and counts them :
grep -i 'sshd.*fail' /var/log/auth.log | wc -l
This command lists the login attempts for user names that do not exist (for any deb GNU/Linux) :
grep 'sshd.*Invalid user' /var/log/auth.log
This command lists the successful logins, i.e. the PAM session lines for sshd (for any deb GNU/Linux) :
grep 'sshd.*session opened' /var/log/auth.log
This command lists the failed password-login attempts (for any deb GNU/Linux) :
grep 'sshd.*Failed password' /var/log/auth.log
This command lists the remote hosts (rhost=) that PAM recorded for sshd, across the current and the rotated log files, i.e. the history of hosts whose SSH authentication failed (for any deb GNU/Linux). On hosts that log only to the systemd journal, read journalctl -u ssh instead :
zgrep sshd /var/log/auth.log* | grep rhost | sed -re 's/.*rhost=([^ ]+).*/\1/' | sort -u
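The following is an added example (shell, not from the original post): the checks above as functions run over a constructed auth.log, so their output can be verified offline, with two things the raw greps miss handled: a bare grep for "fail" also counts sudo and cron failures, and "rhost=" appears only in the PAM lines, so sshd's own "Failed password ... from X" lines need a second pattern. The sample log lines, host names and IPs (RFC 5737 documentation ranges) are constructed; set LOG=/var/log/auth.log to run the functions on a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of
# /var/log/auth.log (Debian/Ubuntu format); hosts, users and IPs are made up.
SAMPLE="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar  1 10:00:01 web sshd[1001]: Invalid user admin from 198.51.100.7
Mar  1 10:00:01 web sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  1 10:00:03 web sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  1 10:00:09 web sshd[1002]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar  1 10:00:12 web sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Mar  1 10:01:00 web sshd[1003]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:c0nstructed
Mar  1 10:01:00 web sshd[1003]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  1 10:02:00 web sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1000 euid=0 tty=/dev/pts/0 ruser=deploy rhost=  user=deploy
Mar  1 10:03:00 web CRON[1100]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
# Real use: LOG=/var/log/auth.log. The real log is never written to; only the sample is.
LOG="${LOG:-$SAMPLE}"

# Failed authentications restricted to sshd: a bare "grep -i fail" would also
# count the sudo failure above.
ssh_fail_count() { grep -ic 'sshd.*fail' "$LOG"; }

# Attempts against accounts that do not exist: "user source-host" per line.
ssh_invalid_users() {
    grep 'sshd.*Invalid user' "$LOG" | sed -E 's/.*Invalid user ([^ ]+) from ([^ ]+).*/\1 \2/'
}

# Successful logins (sshd PAM session lines only, so the cron session is excluded).
ssh_successful() { grep 'sshd.*session opened' "$LOG" | sed -E 's/.*for user ([^ ]+).*/\1/'; }

# Source hosts of failures. The "rhost=" pattern only sees PAM lines;
# "Failed password ... from X" is sshd's own line and needs a second pattern.
ssh_bad_hosts() {
    grep sshd "$LOG" \
        | sed -nE 's/.*(rhost=|Failed password for .* from )([0-9A-Fa-f:.]+).*/\2/p' \
        | sort -u
}

# Firewall rules for the offenders, printed rather than applied
# (review them, then run them as root).
block_rules() {
    ssh_bad_hosts | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

ssh_fail_count; ssh_invalid_users; ssh_successful; ssh_bad_hosts; block_rules
```

For rotated logs, run the same patterns with zgrep over /var/log/auth.log* as in the command above; the block_rules output is what "block them specifically" means in practice, one DROP rule per offending source address.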
The last command is very important. See the screenshot :
Report the bad IPs and block them specifically.