i got hacked. what were they up to?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
443 posts
  • Page 18 of 18
Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Tue Feb 14, 2006 4:36 pm

RBH wrote: I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.
It depends, my box *IS* the router, therefore having a NetGear router in front of it is mundane and rickety.

Besides, I trust the security of a Gentoo box that I manage tenfold over a home-grade NetGear router.

Yes, it's added security in the physical sense. But it's one more thing to break, one more thing to manage, and one more thing to go wrong. If your Gentoo box takes care of it, along with the added bonus of being able to log it, why put in a router at all?
"It's ok, they might have guns but we have flowers." - Perpetual Victim
assaf
Apprentice
Posts: 152
Joined: Mon Feb 14, 2005 5:19 pm
Location: http://localhost

Post by assaf » Tue Feb 14, 2006 5:19 pm

RBH wrote: I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.
If your router does not allow ssh then what's the point? You may as well not run sshd at all, or if you want to access it only from the LAN you could add a simple iptables rule.
linuxgeekery
n00b
Posts: 27
Joined: Tue Jun 07, 2005 3:40 am

Script update

Post by linuxgeekery » Sat Feb 25, 2006 3:53 am

Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination
MrUlterior
Guru
Posts: 511
Joined: Tue Mar 22, 2005 4:25 pm
Location: Switzerland

Re: Script update

Post by MrUlterior » Mon Feb 27, 2006 10:07 am

linuxgeekery wrote: Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
Which makes the assumption that I can't make sufficient connections to your machine in under a minute to bring it down ... worse still it means I could use YOU to make a DoS attack, all I have to do is poison your ARP cache to make you think that my IP is in fact the desired target, and suddenly you're sending the contents of /dev/random to a complete innocent. The puzzled expression on your face when your ISP annuls your contract & requests your presence in court will be priceless.

Getting the picture? Counter-measures you don't understand are more dangerous to you than the undesirables you're trying to dissuade from bothering you.

Misanthropy 2.0 - enough hate to go around
MrUlterior
Guru
Posts: 511
Joined: Tue Mar 22, 2005 4:25 pm
Location: Switzerland

Re: Script update

Post by MrUlterior » Mon Feb 27, 2006 10:11 am

linuxgeekery wrote: Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.

Misanthropy 2.0 - enough hate to go around
erikstotle
n00b
Posts: 5
Joined: Tue Mar 07, 2006 2:03 am
Location: Holland, MI

Post by erikstotle » Tue Mar 07, 2006 2:28 am

I have a hardware router and I still get those ssh attacks. They get incessantly annoying. I suggest that you install iptables and then use dynfw (it's not in portage, you can get it from http://www.gentoo.org/doc/en/articles/f ... .1.tar.bz2). Once you have that installed, you can block IPs and limit the number of new connections per minute/hour/day on a port on the fly. For example, since I only use ssh for remote administration, I limit the number of new connections per minute on port 22 to 1. This does get annoying if you login incorrectly because you have to wait a minute before trying again, but it does make the ssh cracking scripts give up quite quickly. And even if it doesn't give up, only about 1/60th of its login attempts get through.
For further reading go to this rather humorous article:
http://www.gentoo.org/doc/en/articles/d ... ewalls.xml
Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Tue Mar 07, 2006 3:29 pm

~~snip~~
erikstotle wrote: For further reading go to this rather humorous article:
http://www.gentoo.org/doc/en/articles/d ... ewalls.xml
I really like the ipdrop script, I'm going to start a thread in the programming forum to see if I can get it to run a bit better.
"It's ok, they might have guns but we have flowers." - Perpetual Victim
minskpower
Tux's lil' helper
Posts: 94
Joined: Thu Jun 16, 2005 1:09 pm
Location: /dev/null

Post by minskpower » Tue Mar 14, 2006 2:19 am

To everybody complaining about ssh flooding - why don't you change the port to something else, you won't be bothered by those worms, they don't generally scan the upper ports, even if they do I doubt they can recognise it's running ssh (at this time). This solution applies if you are not limited by a third party firewall.
Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Tue Mar 14, 2006 4:27 pm

The IPdrop script stops the attacks in their tracks. I only wish there was a script that ran in the background to detect such attacks and add the IP to the droplist automatically.
"It's ok, they might have guns but we have flowers." - Perpetual Victim
dpetka2001
l33t
Posts: 804
Joined: Fri Mar 04, 2005 1:11 pm

Post by dpetka2001 » Sat Mar 18, 2006 8:01 pm

Hello, just got back home and observed something strange on my computer...some files and directories were deleted and I found them in the Trash Can...the thing is that they were in different spots on my Desktop and it is very unlikely that someone might have accidentally deleted them without having selected all of them on his own...I think I might have been hacked but am not really sure about it...how could I verify if I was hacked or not?? Could you please show me the way to do this because I don't really know how to do it?? Thanks in advance...
Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Sat Mar 18, 2006 9:29 pm

Heh.... typically when you're hacked, they don't move your icons or move stuff to your trash bin.

Try going to a more secure password and locking your bedroom door.
"It's ok, they might have guns but we have flowers." - Perpetual Victim
dpetka2001
l33t
Posts: 804
Joined: Fri Mar 04, 2005 1:11 pm

Post by dpetka2001 » Sun Mar 19, 2006 12:05 pm

Well, I don't think that anyone from my family would do such a thing...they don't know much about computers...anyway...is there something that I could check in order to find out if there was any attempt??
jamapii
l33t
Posts: 637
Joined: Thu Sep 16, 2004 6:22 pm

Post by jamapii » Sun Mar 19, 2006 3:26 pm

Sorry, I was waiting for this to unload my thoughts...
erikstotle wrote: They get incessantly annoying.
Filter them in syslog ;)

Seriously, I repeat I think this issue is overrated. Trying 1 to 3 possible passwords on 100 accounts is no threat to security unless you have users with passwords such as "12345", "hello" or username_spelled_backwards.

It would be a threat if there was a security hole in ssh. There will be a threat when there is a known security hole in ssh. To reduce the likelihood of a successful attack, I would recommend a nonstandard port, possibly disabling password logins, possibly portknocking. About any ratelimiting solutions with iptables, be careful, you might lock yourself out. The IP droplist might be good, too, for any attack, but also makes a DOS attack possible (with IP spoofing).

And start worrying about real security problems. Especially if you think WEP provides any security (it doesn't).
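What Bigun asks for a few posts up, a background check that spots an SSH password-guessing run and feeds a droplist, together with jamapii's caveat about locking yourself out, as an added example that is not code from this thread or from any of its posters: it parses constructed sshd log lines, flags a source only when its failures cluster inside a sliding window, skips an assumed admin network (192.0.2.0/24 is a placeholder), and renders the iptables rules rather than running them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# The failure line OpenSSH writes through syslog (the timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; host name and addresses are made up (TEST-NET ranges).
SAMPLE_LOG = """\
Mar 14 02:10:01 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 14 02:10:02 gw sshd[4102]: Failed password for invalid user test from 198.51.100.7 port 51023 ssh2
Mar 14 02:10:03 gw sshd[4103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 14 02:10:05 gw sshd[4104]: Accepted publickey for bigun from 192.0.2.10 port 40000 ssh2
Mar 14 02:10:07 gw sshd[4105]: Failed password for bigun from 192.0.2.10 port 40001 ssh2
Mar 14 02:10:08 gw sshd[4106]: Failed password for bigun from 192.0.2.10 port 40002 ssh2
Mar 14 02:10:09 gw sshd[4107]: Failed password for bigun from 192.0.2.10 port 40003 ssh2
Mar 14 02:15:00 gw sshd[4108]: Failed password for invalid user oracle from 203.0.113.9 port 33000 ssh2
Mar 14 02:25:00 gw sshd[4109]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Mar 14 02:35:00 gw sshd[4110]: Failed password for invalid user oracle from 203.0.113.9 port 33002 ssh2
"""

def find_bruteforcers(log, threshold=3, window_s=60, whitelist=("192.0.2.0/24",), year=2006):
    """IPs with at least `threshold` failed logins inside some `window_s` span.
    `whitelist` is your own admin network (an assumed value): never flagged, so a
    mistyped password of your own cannot lock you out."""
    safe = [ip_network(n) for n in whitelist]
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = set()
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in safe):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def drop_rules(ips):
    # One DROP rule per offender; review the list before feeding it to iptables.
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```

Run periodically over the tail of the auth log, the slow guesser (203.0.113.9, one try every ten minutes) is only caught once the window is widened, which is the trade-off behind any threshold you pick.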
jamapii
l33t
Posts: 637
Joined: Thu Sep 16, 2004 6:22 pm

Post by jamapii » Sun Mar 19, 2006 3:31 pm

dpetka2001 wrote: Hello, just got back home and observed something strange on my computer...some files and directories were deleted and I found them in the Trash Can...the thing is that they were in different spots on my Desktop
looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock

There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.
linuxgeekery
n00b
Posts: 27
Joined: Tue Jun 07, 2005 3:40 am

Re: Script update

Post by linuxgeekery » Sun Mar 19, 2006 6:57 pm

MrUlterior wrote:
linuxgeekery wrote: Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.

This proves once again that I am very incompetent with creating honeypots and things of that sort. :wink: Thanks for the information. I read up on connection tarpitting. Seems interesting...
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination
dpetka2001
l33t
Posts: 804
Joined: Fri Mar 04, 2005 1:11 pm

Post by dpetka2001 » Sun Mar 19, 2006 9:15 pm

jamapii wrote:looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock

There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.
Well, a friend of mine checked my system with Nessus and told me that it found only 2 services running...a pop server (freepops) and a web server (amuleweb)...I don't have any services running except for the above mentioned...I don't think I have a weak password as it is 9 characters long including numbers...there's no vnc running...I run KDE and am not aware of any such feature nor do I know if it's activated by default...how can I activate xlock if there is such a thing in KDE?? Thanks...
mpicklesimer
n00b
Posts: 59
Joined: Wed Mar 22, 2006 2:33 am
Location: Boston, MA

Stupid question

Post by mpicklesimer » Wed Mar 22, 2006 5:50 pm

I have an OpenBSD box running 'pf' for the firewall on my home network. I'm wondering if it would be worth the time to block all traffic coming from those ips? What would you suggest (if different) if I were talking about a business site? Not that much of this matters, cuz I'm using strong keys instead of passwords, but I'm just curious.
Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Thu Mar 23, 2006 5:50 pm

I'm putting a honeypot on my server with the username/password test.

It basically logs the date and time the script is executed, then cats /dev/random to them until the bot forces the machine's RAM to spill over to SWAP and eventually DoS. Aside from wasting bandwidth that I have plenty to spare of, it should also help alert the server-admin to trouble.

And to cover my buttocks, there is a message in my sshd.motd that says unauthorized access is prohibited.
"It's ok, they might have guns but we have flowers." - Perpetual Victim
© 2001–2026 Gentoo Authors
Gentoo is a trademark of the Gentoo Foundation, Inc. and of Förderverein Gentoo e.V.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-4.0 license.