Gentoo Forums
Am I being hacked?
reup (Guru; Joined: 13 May 2005; Posts: 419; Location: Nederland)
Posted: Sat Sep 08, 2012 4:54 pm    Post subject: Am I being hacked?

Hello all,

I am not too good with security and was wondering if this means that the hacker succeeded in logging in or not:

Code:
Sep  8 18:00:38 myhost sshd[25129]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-1981;Name: root [preauth]
Sep  8 18:00:38 myhost sshd[25129]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2023;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep  8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2056;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2056;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep  8 18:00:40 myhost sshd[25143]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2056;Name: root [preauth]
Sep  8 18:00:40 myhost sshd[25143]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]


I do not know this hostname:
Code:
nslookup 178.141.52.64
Server:      4.2.2.4
Address:   4.2.2.4#53

Non-authoritative answer:
64.52.141.178.in-addr.arpa   name = dynamic-178-141-52-64.kirov.comstar-r.ru.


Normally, my host has only ssh, http and ftp enabled using iptables, and I use denyhosts to protect against ssh attacks.

If someone could help me interpret this, it would be great.

thx

reup
_________________
reup

"Don't wiggle the tail of the frog in the oil of the frying peanuts"
roravun (Tux's lil' helper; Joined: 05 Sep 2012; Posts: 82)
Posted: Sat Sep 08, 2012 8:17 pm

No, it does not. If someone broke in, you would see something like
Quote:
pam_unix(sshd:session): session opened

Try 'last' to see a list of past logins.
These messages are just a sign of SSH bots brute-forcing your host. This happens to almost every machine connected to the internet (at least that is my experience). I strongly recommend you install sshguard, which can blacklist IPs when it detects a brute-force attempt.
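The distinction roravun draws (a "[preauth]" disconnect versus an "Accepted ..." or "session opened" line) is easy to turn into a small classifier. The script below is an added example, not code from the thread or from any of the tools mentioned: it groups sshd events by peer IP and only calls a peer "LOGGED IN" when an Accepted or pam_unix session-opened line exists for it. The sample log is constructed: the first five lines are the poster's own audit-style records, the remaining lines (a failed password guess from 203.0.113.7 and a real public-key login from 192.0.2.10, both documentation addresses) were made up so that every branch runs.

```python
import re
from collections import defaultdict

# Constructed sample log. The first five lines are the poster's own audit-style
# sshd records ("SSH: Server;Ltype: ..."); the rest are constructed OpenSSH lines
# for a failed password guess and a genuine public-key login, so every branch of
# the classifier is exercised. 203.0.113.7 and 192.0.2.10 are documentation
# addresses, not real hosts.
SAMPLE_LOG = """\
Sep  8 18:00:38 myhost sshd[25129]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-1981;Name: root [preauth]
Sep  8 18:00:38 myhost sshd[25129]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep  8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:05:02 myhost sshd[25200]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Sep  8 18:05:04 myhost sshd[25200]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Sep  8 18:10:11 myhost sshd[25310]: Accepted publickey for reup from 192.0.2.10 port 50000 ssh2
Sep  8 18:10:11 myhost sshd[25310]: pam_unix(sshd:session): session opened for user reup by (uid=0)
"""

RE_SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")
# Audit-style line: which username the client asked for, before any auth ran
RE_AUTHNAME = re.compile(r"Ltype: Authname;Remote: ([\d.]+)-\d+;Name: (\S+)")
RE_DISCONNECT = re.compile(r"Received disconnect from ([\d.]+):")
RE_FAILED = re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from ([\d.]+) port")
RE_ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from ([\d.]+) port")
RE_SESSION = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")


def _new_record():
    return {"usernames": set(), "preauth_disconnects": 0,
            "failed": 0, "accepted": 0, "sessions": 0}


def summarize(log_text):
    """Group sshd events by peer IP. Only 'accepted'/'sessions' mean a login."""
    per_ip = defaultdict(_new_record)
    pid_to_ip = {}  # session-open lines carry no IP, so remember each sshd child's peer
    for line in log_text.splitlines():
        m = RE_SSHD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        a = RE_AUTHNAME.search(msg)
        if a:
            ip, user = a.groups()
            pid_to_ip[pid] = ip
            per_ip[ip]["usernames"].add(user)
            continue
        d = RE_DISCONNECT.search(msg)
        if d and "[preauth]" in msg:
            # Client gave up (or was cut off) before authentication completed
            ip = d.group(1)
            pid_to_ip[pid] = ip
            per_ip[ip]["preauth_disconnects"] += 1
            continue
        f = RE_FAILED.search(msg)
        if f:
            user, ip = f.groups()
            pid_to_ip[pid] = ip
            per_ip[ip]["usernames"].add(user)
            per_ip[ip]["failed"] += 1
            continue
        ok = RE_ACCEPTED.search(msg)
        if ok:
            user, ip = ok.groups()
            pid_to_ip[pid] = ip
            per_ip[ip]["usernames"].add(user)
            per_ip[ip]["accepted"] += 1
            continue
        s = RE_SESSION.search(msg)
        if s:
            per_ip[pid_to_ip.get(pid, "unknown")]["sessions"] += 1
    return dict(per_ip)


def verdict(record):
    """A peer that never produced an Accepted/session-opened line never got in."""
    if record["accepted"] or record["sessions"]:
        return "LOGGED IN"
    return "probe only, never authenticated"


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict(rec):34} users={sorted(rec['usernames'])} "
              f"preauth={rec['preauth_disconnects']} failed={rec['failed']}")
```

Run it against /var/log/messages (or wherever syslog puts auth facility lines on your box) after the script's own sample, and cross-check any "LOGGED IN" peer against `last` and `lastb`. Newer OpenSSH releases phrase the pre-auth drop as "Disconnected from ... [preauth]" rather than "Received disconnect", so extend RE_DISCONNECT if your host logs that form. Keep in mind that on a host that really was compromised the attacker can edit these logs and wtmp, so a clean log is evidence, not proof.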
reup (Guru; Joined: 13 May 2005; Posts: 419; Location: Nederland)
Posted: Sat Sep 08, 2012 8:23 pm

Thanks Roravun for your reply.

I use denyhosts; it also blacklists IPs after 3 failed attempts.

I will try sshguard

thanks again, I will sleep better tonight
_________________
reup

"Don't wiggle the tail of the frog in the oil of the frying peanuts"
kimmie (Guru; Joined: 08 Sep 2004; Posts: 531; Location: Australia)
Posted: Sun Sep 09, 2012 12:46 pm

reup,

Change the port you run ssh on; that will stop 99.99% of hack attempts. It's in /etc/ssh/sshd_config... change "Port 22" to "Port <random>", where <random> is a port you pick randomly between 10000 and 65000, say. Then you can use "ssh -p <random>" from your clients.

Soon you will decide it's totally crap typing that at your clients instead of just "ssh", so you put it in ~/.ssh/config like this:

Code:

Host <all aliases you reach your host by>
# eg. Host homer homer.dyndns.org homer.lan
Port <random>


If you do that, and use public key identification instead of passwords, you can just forget about running denyhosts or whatever.
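Kimmie's two changes (a non-default Port plus public-key-only login) live in sshd_config, and it is easy to get the file subtly wrong: sshd takes the first occurrence of most keywords, Port may be listed more than once and every listed port is opened, and anything after the first "Match" line applies only to the matching connections. The audit below is an added example, not code from the thread or from OpenSSH; it reads a config under those rules and reports the settings that keep the bots' guessing useful. Both sample configs are constructed, and 47219 is an arbitrary high port picked for the example.

```python
import re

# Constructed sshd_config samples (not the poster's file): the common weak layout
# and a hardened one. The Match block in the weak file is there to show that a
# conditional "PasswordAuthentication no" does not fix the global setting.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# Applies only to user 'deploy'; the global value above still stands
Match User deploy
    PasswordAuthentication no
"""

# 47219 is an arbitrary high port chosen for this example
HARDENED_SSHD_CONFIG = """\
Port 47219
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Built-in defaults from sshd_config(5) for the keywords audited here
# (PermitRootLogin defaulted to 'yes' before OpenSSH 7.0, the era of this thread).
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; split once, on '=' or whitespace
_SPLIT = re.compile(r"\s*=\s*|\s+")


def global_settings(config_text):
    """Apply sshd_config parsing rules: full-line '#' comments, case-insensitive
    keywords, FIRST occurrence wins (except Port, which accumulates), and stop at
    the first 'Match' because everything after it is conditional."""
    settings = {"port": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "port":
            settings["port"].append(value)
        elif key not in settings:
            settings[key] = value.lower()
    if not settings["port"]:
        settings["port"] = ["22"]  # sshd's default when no Port line is present
    return settings


def audit(config_text):
    """Return human-readable findings; an empty list means the file passes."""
    s = global_settings(config_text)

    def get(key):
        return s.get(key, DEFAULTS[key])

    findings = []
    if "22" in s["port"]:
        findings.append("Port 22 is listened on: expect constant scanner noise")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': every bot tries 'root' first")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled: passwords can be brute-forced")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is enabled: PAM can still prompt for a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

To check the file sshd will actually use rather than the one you think it uses, run `sshd -T` (dumps the effective configuration) and `sshd -t` (syntax check) before restarting. When moving the port on a box firewalled with iptables as the poster's is, open the new port in the iptables rules and keep your current session open until a second login on the new port succeeds, otherwise the restart locks you out.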
reup (Guru; Joined: 13 May 2005; Posts: 419; Location: Nederland)
Posted: Sun Sep 09, 2012 12:51 pm

Thanks kimmie,

good advice.

I am already using public key identification, so it will be an easy move.
_________________
reup

"Don't wiggle the tail of the frog in the oil of the frying peanuts"