Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Oh oh - seems my Gentoo's been ransomwared!! Oh No!
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Fri Mar 17, 2017 11:27 pm    Post subject: Oh oh - seems my Gentoo's been ransomwared!! Oh No! Reply with quote

Now this is really troubling. Seems that my Gentoo system has been ransomwared.

So, yeah, I'm looking for some pointer as to how to detect where it's sitting, and eradicate it.

Came home from work yesterday, logged into my Gentoo machine and was greeted with this message:
Code:

Using username "root".
****************************************!WARNING!**************************************
*************************************YOU ARE INFECTED**********************************
***********************WITH THE MOST CRYPTOGRAPHIC ADVANCED RANSOMWARE*****************
=======================================================================================
All your data of all your users, all your databases and all your Websites are encrypted
=======================================================================================
Send your UID to e-mail: johnmorcbw@seznam.cz
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
***************************************************************************************
***************************************************************************************

YOUR UUID IS : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

****************************************!WARNING!**************************************

Come to find out that my home dir files were all encrypted with an '.enc' on the end of the file name. Yeah, they are binary (well no big deal there either, I have them under revision control).

Seems to have crawled through the file system, left most of the files alone (thank goodness), except the web site (no big deal, it was not being used), but still.

I noticed that there was a hugely high CPU python2 task running, so I killed that, and renamed

/usr/bin/python2.7 => python2.7.disabled (symlink to python-exec2c)
/usr/bin/python-exec2c => python-exec2c.disabled
/usr/lib/python-exec/python-exec2 => /usr/lib/python-exec/python-exec2.disabled

I also set the permissions for these files to 000 to prevent this thing from being able to run again, at least for now (this will stop it form running, won't it?)

But I want this out of my system (can you blame me?), but I have to admit that I've never faced this with a Gentoo system before, and I'm hoping that there's a good reference (or a set of good hints) that can help me eradicate this.

Please help.
Back to top
View user's profile Send private message
Schnulli
Guru
Guru


Joined: 25 Jun 2010
Posts: 316
Location: Bremen DE

PostPosted: Fri Mar 17, 2017 11:45 pm    Post subject: Reply with quote

Well, nearly same trouble here.....
YOU ARE HACKED !
Kick adobe-flash and take care what Websites you visit ^^
rkhunter and sharp firewall rules are usefull as well.
The firewall rules aoso should disable some outgoing ports whom arent used usually......
i disallowed all and only http, imap, ssh and ftp outgoing is allowed here, they hate it ^^
if destination port = 80 and so on allow and so on
I am trying to figure it since weeks out....
I gave up and installed on another drive a fresh Gentoo....
safed me alot greay hairs

Listen, you are not the only one who got hacked ^^
You can do also this.. safe your whole drive and send it to a Cybercrime Dapartment.... they will love to read out who and from where it was.....
Its well know that Gentoo is beeing attacked since a while also.... so take care and shutdown or lock your comp, shutdown net, when not at it

Regards


Last edited by Schnulli on Fri Mar 17, 2017 11:47 pm; edited 1 time in total
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6930
Location: almost Mile High in the USA

PostPosted: Fri Mar 17, 2017 11:46 pm    Post subject: Reply with quote

It would be interesting on how they got in, but you do have a mess on your hands.

I'm not sure if python is your culprit program, it may just be the python interpreter which normally shows up whenever a python script is running - though it's still good to suspect that they are or have been trojaned. At this point you should assume everything is compromised and start a fresh build, copying the important stuff over. Especially when root has been compromised, this is the only way to safely eradicate this.

Note that you probably cannot run emerge, equery, etc. if you disabled python as they too require python. Equery is a good script to use as you can use it to check the integrity of files (provided the hacker did not muck with the checksums) -

# equery check packagename

and start from those files that fail checksum. Again, since they got root, these checksums may no longer be trustable.

Though adobe-flash is definitely an intrusion risk, unless they only took over your user account, it would be extremely unlikely they could take over root. My guess is it's one of those semi-recent bugs like shellshock or perhaps just those pesky bruteforce attacks that got your machines.

If you're not too embarrassed about it, curious how often/when was the last time the box was (completely) updated, along with which kernel you're using (like if you were vulnerable to dirtyc0w)? This would perhaps give some clues on what packages were used to exploit your box.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?


Last edited by eccerr0r on Fri Mar 17, 2017 11:55 pm; edited 1 time in total
Back to top
View user's profile Send private message
Schnulli
Guru
Guru


Joined: 25 Jun 2010
Posts: 316
Location: Bremen DE

PostPosted: Fri Mar 17, 2017 11:51 pm    Post subject: Reply with quote

hi eccerr0r

they use python and crash it locally later.... they also load code from external....
remember the DNS Problem when infected years ago.. seems to me the same weird idea is behind maybe same guys
whole portage is trash than.... and they try to redirect to "somewhere"

nothing new that they attac Gentoo too lately.....
Be warned with Adobe-Flash the the first Door they use..... Wrong permissions and the "got ya"

seemed to me that also some layman repos got infected as well....
Who?? no idea still.....
I´ll setup a transparent bridge in a few an log the whole traffic to figure out
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6930
Location: almost Mile High in the USA

PostPosted: Fri Mar 17, 2017 11:59 pm    Post subject: Reply with quote

Well we don't know if this is Gentoo specific or any Linux could have been vulnerable.

I'm not surprised they had a "intrusion intrusion detector" and crash your box when you find out that you've been exploited and try to fix your machine. Best thing to do when dealing with this kind of stuff is disconnect the network, cold reboot off a livecd and and go from there.

I'll knock on wood that I haven't seen any adobe-flash exploits on my box yet...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 12:30 am    Post subject: Reply with quote

Yeah, I'm guilty of running FireFox as root. Shame on me - I should have known better.

Well, pretty much flushed everything in the home directory, .mozilla, etc. figuring that it's not that important, and is already encrypted, so . . what am I going to do with it anyway?

Been thinking should be a list of file mtimes and see what's changed on the system as of a few days ago. See if that leads me to anything suspicious, although, that can easily programmatically be set backwards to any time desired. Still, you never know.

The Good News:
All the real important data is safe, as I'm using zfs, and have a grand-father-father-son snapshot script in cron (hourly, daily, weekly, monthly), and only very few files seem to have been encrypted, based on the ".enc" in the filename. If I find others, I have a year's worth of snapshots to restore from. Makes me think I need to learn how to configure a gentoo that uses zfs for the root file system as well. Been meaning to, just haven't had the time, because Gentoo just runs so reliably.

I have it's sister server (same patch config and software load), which appears to be non-infected, so I can clone that system disk and recover pretty quick, with some conf files I have in version control. Couple of hours I figure.

Interesting to note that another system, also a sister, seems to have caught the same, and I can't recall ever having run anything but VirtualBox VMs on that one, it's turned off right now until I figure out a recovery plan, so at least 2 systems to recover, and have one clean one to do so from.

The infected systems are internal systems, only access to the Internet is through a firewall, and yes, minimal ports open on the Linux firewall machine, and also an ssh port knocking log scan that injects an iptables drop for offending IPs (think a primitive fail2ban shell script).

So maybe not all that bad. Not sure as to the next step forward, but I appreciate the contribution and ideas.

Yeah, I know that the python interpreter is probably just running some code downloaded off of the Internet, and probably isn't a replaced binary, but that code that download the encrypter, that has to live someplace, if it's going to survive between reboots. Tracking that one down. Hmm.

Really sad to learn that there are Gentoo specific attackers. What'd Gentoo ever do to them? Guess there's no figuring some people out.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6930
Location: almost Mile High in the USA

PostPosted: Sat Mar 18, 2017 1:04 am    Post subject: Reply with quote

Yeah shame shame, dont firefox as root.

However if it really is adobe-flash as the vector, this would not be Gentoo specific and would equally infect Ubuntu, Fedora, etc. -- but I don't know, is it really adobe-flash? Then again I don't know how pervasive firefoxing as root is...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?


Last edited by eccerr0r on Sat Mar 18, 2017 1:08 am; edited 1 time in total
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 1:05 am    Post subject: Reply with quote

Well, the message is coming from the /etc/motd file. That's simple stuff.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 6930
Location: almost Mile High in the USA

PostPosted: Sat Mar 18, 2017 1:15 am    Post subject: Reply with quote

Now what else did they edit to keep them in the machine?

Did they ssh in?

I wonder if they were using a python script to encrypt your files instead of some compiled binary, that could slow down the encryption to reduce the amount of damage done... ha.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 1:21 am    Post subject: Reply with quote

eccerr0r wrote:
Now what else did they edit to keep them in the machine?

Did they ssh in?

I wonder if they were using a python script to encrypt your files instead of some compiled binary, that could slow down the encryption to reduce the amount of damage done... ha.


No, not ssh, I don't think so. But yeah, what'd they leave behind? That's the question.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41710
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 10:14 am    Post subject: Reply with quote

eohrnberger,

/etc/motd can only be edited by root. That means that they got root.
You can't clean that up, its a reinstall.

Either they gained access to root directly or broke in as another user and ran a privilege escalation exploit to gain root.
It doesn't matter much. Its a reinstall either way.

If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.

A few of these ransomware attacks have known decryption methods. If you are lucky, you might get the data back.
You can't salvage the install though.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 803

PostPosted: Sat Mar 18, 2017 10:48 am    Post subject: Reply with quote

The attack isn't Gentoo specific. The exploit works against many distros.

I'm curious about the vector too, how they malicious code made its way onto your system. One of the remarks here has me working to regulate outgoing IP traffic - heretofore, I'd been concerned about incoming, but not outgoing. But I can see where closing off outgoing ports might stifle an attack.

On that front, I'm stuck at ftp, which includes outgoing NEW packets aimed at random, unprivileged ports.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41710
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 12:04 pm    Post subject: Reply with quote

cboldt,

It helps to stop evil intruders phoning home if they do get in.
My firewall drops unwanted incoming packets and denies unwanted outgoing packets.
You need the logs to know what to allow out :)

I use shorewall and shorewall6 with similar rule sets.

For ftp, which is horribly insecure, you need to use passive mode.
sftp is preferred.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 12:18 pm    Post subject: Reply with quote

NeddySeagoon wrote:
eohrnberger,

/etc/motd can only be edited by root. That means that they got root.
You can't clean that up, its a reinstall.

Either they gained access to root directly or broke in as another user and ran a privilege escalation exploit to gain root.
It doesn't matter much. Its a reinstall either way.

If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.

A few of these ransomware attacks have known decryption methods. If you are lucky, you might get the data back.
You can't salvage the install though.


I very much appreciate your post, NeddySeagoon. Many thanks.

While I've been running my various Linux flavors at home over the years, this is the first encounter with something like this on Linux.
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 308

PostPosted: Sat Mar 18, 2017 12:28 pm    Post subject: Reply with quote

It is worth trying to work out how you were compromised, a fresh install with identical configuration and use will probably have similar results in future ... surfing the net as root is not wise ... but you already know that :roll:
Knowing what binaries/logs were attacked would also be useful.

Was ssh open to the net with password access or key based?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41710
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 12:35 pm    Post subject: Reply with quote

eohrnberger,

Is your normal user in the disk group?
That's a very bad thing. It gives the user raw access to the block devices, so they can do what they want, avoiding filesystem restrictions.
Code:
ls /dev/sda -l
brw-rw---- 1 root disk 8, 0 May 12  2013 /dev/sda


That would effectively give them root access without ever being root.
It gives easy access to root, since they can modify /etc/passwd and /etc/shadow with a tool like hexedit, while the run as a normal user.

Being somewhat paranoid, I mount user writeable space with the noexec option, so a break in as a non root user can't execute random binaries.
/tmp and /home need to be their own partitions. That does not stop scripts being run, so
Code:
python27 encrypt_home
would still have worked.

All the .bash_history files on your system will make interesting reading.
Its especially informative if they appear to be truncated.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 1:01 pm    Post subject: Reply with quote

jonathan183 wrote:
It is worth trying to work out how you were compromised, a fresh install with identical configuration and use will probably have similar results in future ... surfing the net as root is not wise ... but you already know that :roll:
Knowing what binaries/logs were attacked would also be useful.

Was ssh open to the net with password access or key based?

No, this machine is behind the firewall, and does not have an ssh route from the outside to it. You'd have to use ssh and jump through the firewall to get to it. I don't think that this is what happened. On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).
NeddySeagoon wrote:
eohrnberger,

Is your normal user in the disk group?
That's a very bad thing. It gives the user raw access to the block devices, so they can do what they want, avoiding filesystem restrictions.
Code:
ls /dev/sda -l
brw-rw---- 1 root disk 8, 0 May 12  2013 /dev/sda

This is as mine reads:
Code:
ls -l /dev/sda
brw-rw---- 1 root disk 8, 0 Mar 16 21:41 /dev/sda

What's recommended for this device node?
Quote:
That would effectively give them root access without ever being root.
It gives easy access to root, since they can modify /etc/passwd and /etc/shadow with a tool like hexedit, while the run as a normal user.

Being somewhat paranoid, I mount user writeable space with the noexec option, so a break in as a non root user can't execute random binaries.
/tmp and /home need to be their own partitions. That does not stop scripts being run, so
Code:
python27 encrypt_home
would still have worked.

The partician layout is really simple. A small /boot as sda1, swap as sda2, and root as sda3, the rest of sda, including /home, /var, etc... The important data in the zfs pools are mounted off of /, as this machine's primary role is to be something like a NAS.

Quote:
All the .bash_history files on your system will make interesting reading.
Its especially informative if they appear to be truncated.

Those were encrypted, including .bash_history, and since have been deleted, being useless, from my view.

I want to figure out what code is being run to encrypt, so I created shell script replacements for
Code:
/usr/lib/python-exec/python-exec2:
#!/bin/bash
echo "`date` $0 $*" >> /root/python-exec2.execution.log

and
Code:

/usr/bin/python2.7:
#!/bin/bash
echo "`date` $0 $*" >> /root/python2.7.execution.log


Really simple and primitive, but might capture something. Going to sit and watch for the next 24 hours, and see what happens. If I'm lucky, I can catch from where the encryption code is being run. Since python is never executed any python code on this system is rendered null, for now, but can easily be reverted by moving back the original binaries and symlinks to what they were.


Last edited by eohrnberger on Sat Mar 18, 2017 1:17 pm; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41710
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 1:17 pm    Post subject: Reply with quote

eohrnberger,

The block device node is correct. What does groups say for your normal user?
Code:
$ groups
tty wheel uucp audio cdrom video games kvm cdrw users vboxusers scanner wireshark plugdev roy

Its important that disk is not there.

Is /root/.bash_history still there or it it encrypted too?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 1:22 pm    Post subject: Reply with quote

NeddySeagoon wrote:
eohrnberger,

The block device node is correct. What does groups say for your normal user?
Code:
$ groups
tty wheel uucp audio cdrom video games kvm cdrw users vboxusers scanner wireshark plugdev roy

Its important that disk is not there.

Is /root/.bash_history still there or it it encrypted too?


Users are only in the group that is the same as their username. A user 'ted' would only belong to the group 'ted'. root, of course, contains the disk group.

The Windows clients access the zfs storage via samba, and that has it's own smbusers. Other Linux machines access the zfs storage via nfs.

/root/.bash_history was encrypted, and was deleted. Maybe that was a hasty decision on my part.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41710
Location: 56N 3W

PostPosted: Sat Mar 18, 2017 1:32 pm    Post subject: Reply with quote

eohrnberger,

eohrnberger wrote:
/root/.bash_history was encrypted ..
.
Yes, change nothing if you want to do forensics.

As users don't have raw block device access, the attacker must have got root to encrypt /root/.bash_history.
That's another file that is only accessible to root, through the filesystem anyway.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 803

PostPosted: Sat Mar 18, 2017 2:02 pm    Post subject: Reply with quote

NeddySeagoon wrote:

It helps to stop evil intruders phoning home if they do get in.
My firewall drops unwanted incoming packets and denies unwanted outgoing packets.
You need the logs to know what to allow out :)

I use shorewall and shorewall6 with similar rule sets.

For ftp, which is horribly insecure, you need to use passive mode.
sftp is preferred.


Yes on the "stifle the call home" notion. And "you need the logs to know what to allow in" too, at least I did, because I forgot about half of the services!

My firewall is built with a combination of router, and a homebrew script that has been in use nd grown over the course of a decade of so.

No ftp service running on any machine - sftp is available locally as one means to use the local cloud, which aims to give the family a place to offload phone/camera and music.

So, the "ftp problem" for me is just outgoing ftp, which starts with a packet to the server's port 21 (DPT=21), followed by a NEW packet to an unprivileged port. I get this hourly on one machine that visits a noaa website to get solar activity data, and on a different machine that fetches packages for the system, that is, the "fetch" part of "emerge -u @world" uses ftp in addition to http.

wget is using passive ftp for this.

Code:
 Active FTP :
     command : client >1023 -> server 21
     data    : client >1023 <- server 20

 Passive FTP :
     command : client >1023 -> server 21
     data    : client >1024 -> server >1023


I'm still pondering how to handle this. For now the connections are just logged, so at least I have a chance to detect something abonrmal. Yesterday, when I first "closed" OUTPUT (actually, changed to allow certain packets and log the rest), I noticed those packets headed out to high port numbers, had a "WTF?" moment, then figured out the source.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1707

PostPosted: Sat Mar 18, 2017 2:07 pm    Post subject: Reply with quote

Quote:
It helps to stop evil intruders phoning home if they do get in.
Easier said than done.
Source ports are usually randomized and they provide no information regarding the service in use. Destination ports are controlled by the attacker, so they can have the exploit pretend to be a legitimate user of some common service like www, and you're not going to block THAT.
DPI can be fooled too, even accidentally. Especially in case of ransomware which only needs to send a few bytes, so the connection is already over by the time you discover you should have shut it down.
You could try blocking by destination IP, but this would require prompting for user input every time something tries to reach an unknown machine. A lot of work to train it to your needs.
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 803

PostPosted: Sat Mar 18, 2017 2:13 pm    Post subject: Reply with quote

Quote:
On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).


The firewall doesn't know if there was even a password attempt. I run a honeypot here, and the number of hits vs. port 22 is amazing, hundreds of different IP's per day. I let a given IP "hit it" half a dozen times before banning. Port 23 is even busier. On the machine that does have sshd open to the outside (different port), there are occasional intrusion attempts that include password. A user gets multiple password attempts on a single connection. The only way to know a password attempt was made is to watch the sshd activity log (auth.log).

Nobody gets into sshd here with a password. That method is closed off. Funny assortment of usernames. I'd guess on the order of 1 intrusion attempt per day, there.
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2685
Location: Illinois, USA

PostPosted: Sat Mar 18, 2017 2:24 pm    Post subject: Reply with quote

eohrnberger wrote:
The Windows clients access the zfs storage via samba, and that has it's own smbusers. Other Linux machines access the zfs storage via nfs.
Can samba access any root owned files? I try to keep samba restricted to one directory, but others make the whole machine accessible. Maybe the malware got in via Windows and samba?

If your users only belong to their own group they can't do much. Maybe that's why you were web surfing as root? I have fired the browser up as root, but only to access my modem, not the internet.

My apologies for intruding. I am in no way an expert. Listen to Neddy, he is.
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 169

PostPosted: Sat Mar 18, 2017 2:28 pm    Post subject: Reply with quote

cboldt wrote:
Quote:
On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).


The firewall doesn't know if there was even a password attempt. I run a honeypot here, and the number of hits vs. port 22 is amazing, hundreds of different IP's per day. I let a given IP "hit it" half a dozen times before banning. Port 23 is even busier. On the machine that does have sshd open to the outside (different port), there are occasional intrusion attempts that include password. A user gets multiple password attempts on a single connection. The only way to know a password attempt was made is to watch the sshd activity log (auth.log).

Nobody gets into sshd here with a password. That method is closed off. Funny assortment of usernames. I'd guess on the order of 1 intrusion attempt per day, there.


The firewall doesn't allow 23 to the Internet. That's silently dropped. While the firewall doesn't log everything, it is configured to log the banned traffic. sshd is configured to logs to the secure log (at least on this configuration), and the secure log is scanned, offensive IPs gathered, and iptables rules injected.

Yeah, I'm seeing tons of traffic knocking on the ssh port. Not exactly sure when I setup the banning script, must have been years ago, but seems that such port knocking has increased as of late.


Last edited by eohrnberger on Sat Mar 18, 2017 3:04 pm; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2, 3, 4, 5  Next
Page 1 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum