Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ssh distributed dictionary attack... how many requests/sec?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Sat Jan 18, 2020 12:56 am    Post subject: Reply with quote

Jan 18 02:50:45 ruja postfix/smtpd[4845]: NOQUEUE: reject: RCPT from unknown[88.133.135.163] 450 4.7.1 Client host rejected: cannot find your reverse hostname, [88.133.135.163]; from=<geceho@dale.ro> to=<geceho@dale.ro> proto=ESMTP helo=<[88.133.135.163]>


the relevant part is the ip rcpt from unknown. it's never the same ip. I have logs. over 65535 TOOOOOday.

dale.ro. that seems obvious at this point. bit these sorts of requests.

turn this off.

i can't turn off the domain itself.

this. exactly this. i have been bombarded with these all day. which is weird coz most days ... nothing happens. and then some days ... everything happens.


personally I'm less moved by that day or the other. but why. why does this happen?

You can hide everything. can you hide legacy tcp 25 port?
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Sat Jan 18, 2020 1:36 am    Post subject: Reply with quote

probably someone found you to have an open relay at some point and trying to prank someone. I wouldn't call this hacking your machine to gain privileges, this is simply exploiting your machine...and failing!
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Sat Jan 18, 2020 1:39 am    Post subject: Reply with quote

no.

it's not like a clown thing. u're the worst. haha.


i'm doing everything right.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Sat Jan 18, 2020 2:02 am    Post subject: Reply with quote

not saying you're doing anything wrong, but everyone gets this time to time, though it's been a long time since i got that. Most machines don't open relay anymore, but they're hoping they hit one that's open. But in any case, chances of privilege escalation of doing the same thing over and over again is none (unless they figured some race condition...)

That seems like something easy to fail2ban anyway.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 601
Location: EU

PostPosted: Sat Jan 18, 2020 7:14 am    Post subject: Reply with quote

axl wrote:
Jan 18 02:50:45 ruja postfix/smtpd[4845]: NOQUEUE: reject: RCPT from unknown[88.133.135.163] 450 4.7.1 Client host rejected: cannot find your reverse hostname, [88.133.135.163]; from=<geceho@dale.ro> to=<geceho@dale.ro> proto=ESMTP helo=<[88.133.135.163]>


https://www.abuseat.org/lookup.cgi
The IP address is listed as being part of a large botnet, maybe a compromised router
https://en.wikipedia.org/wiki/Botnet


A couple of years ago my internet connection became very slow all at once, I checked and there was an ongoig massive attack on the smtp server that lasted probably 30 minutes or more .... it was a researcher working for one of those blocking lists that was checking if my ip was an open relay .
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Sat Jan 18, 2020 3:11 pm    Post subject: Reply with quote

That's messed up, people doing "research" should ask for permission to do so...unless the intent was malicious, then it really is...

Anyway, my logfile on my burdened machine as of now:
Code:
-rw-r----- 1 root wheel 162055925 Jan 18 08:08 messages

Code:
-rw-r----- 1 root wheel 164487361 Jan 19 11:16 messages

(That's with kernel logging of blocked ssh attempts, ... file size expected to continue growing with people still trying despite not getting any packets back.)
Down to about a meg a day-ish, a bit better.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Sun Jan 19, 2020 11:23 pm    Post subject: Reply with quote

https://www.pastiebin.com/5e24b79b87fc5

Code:
[root@sanziana:~]# wc -l /etc/firewall/block_ip/list
3024 /etc/firewall/block_ip/list



most days, everybody leaves me alone. or if there are attacks, it's easy to point out where is the attack originating from, and most times you just cut the access to their dns... and the attack stops :)

but not this. i don't know how others might react to this. I really don't like to be fished like this.

What bothers me is who the hell has manage to compromise this many ip's and with what? why?

I really don't like how I handle these things. iptables -j DROP. just doesn't seem like a good policy.

The sheer number of them scares me. The fact that they are persistent, is even scarier.

And I'll be looking into a honeypot soon. A server that accepts all traffic. All requests. All users and passwords. All mails and all queries. Because I'm dying of curiosity to know who would invest so much resources and why. Doesn't seem fair to just DROP everything. Much rather redirect to a good old honeypot.

I've done this before, a few years back, I had someone very persistent who kept trying passwords on smtp. and I hacked sasl to just output the passwords and users it was trying. I didn't diverge with another server, just sent the info to syslog.

But I feel this deserves a whole new machine. one without rbl and checking if a host a fqdn. which is how I got the list in the first place. I use postfix. And postfix has a looser_relay. hmm. I think you can wildcard postfix to * relay to account x. hmmm. I'm dying to know who has so many resources and what they are using it for.

Thing is, I already blocked most of the bad internet. If you look at most of these ip's, you would notice 95% of them are in EU or the US. I already blocked out everyone else. these are our own countries ip's... which for me is 3 times scary.

PS Sorry for moving the subject to smtp, but I can't even imagine having the courage to expose ssh to internet directly. I prefer exposing a vpn first. and sure, that might be pointless, or even wrong in the long run, but you can't hide smtp. smtp is smtp. either you expose it and have mail, or you don't. there is no work around for that.

PS2. I really would like to do something about this. I wrestled with the idea of posting the list of ip's. a list of shame.

If MY ip would be in the list, and someone would post my ip on the internet I would be pissed. None the less, if they attack 82.78.3.64/27(me), I will publish the list.

But I would really like to do more. Especially since some of these... you can't explain it. And you wonder... what is this computer running? and it's in the EU. Or the US. And I feel an obligation to notify these people. I feel like the time has passed when we can just turn a blind eye to ip's in EU or US going against other computers in the EU and US. when that happens... tell someone. I simply just can't DROP anymore. I don't want to turn a blind eue to this.

Am open to suggestions.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Mon Jan 20, 2020 12:36 am    Post subject: Reply with quote

As for shame lists, I was thinking about some new publish list of these sshd spammers:

Have a website that you can upload your list... but you can't download the list people upload.

The website isn't a simple collation of the lists it receives - the collator will do some massaging like aging the list as needed so people don't stay there if the attacks stop. Perhaps any one host needs to be on more than one person's upload list before it gets published. That number may be something else or perhaps a number of things together (time, number of attempts, etc.)

The collation should help against false positives for someone mistaking fubarring their password. But not sure how well this would work.

I'd be tempted to code something up but I don't know of an easy way to collect data and verify authenticity. Perhaps this needs to be community based of a more tight-knit group of concerned people instead of public access.

Alas DROP is probably the best solution for me and those who are bandwidth limited. I wish I had unlimited large bandwidth that I could redirect to a honey pot, or just have a honey pot, would be interesting to frustrate the hackers.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 601
Location: EU

PostPosted: Mon Jan 20, 2020 9:59 am    Post subject: Reply with quote

Do you really believe that you have the real ip address of a bad guy in your drop list? Are youy so naive to believe that hackers are so naive to use their real IP address while attacking you? It would be too easy just whois and send an email to their isp ..... your list of shame is probably a list of victims, all the ip you see are just compromised hosts belonging to innocent people. Shaming them publically might be a real crime since none of the ip addresses belongs to a bad guy, all you can do is find out the abuse email address of the ISP where the ip is located and send a complaint to them. They have not commited any crime since they did not actually hack your host so the police is useless.

When I worked for an ISP a few years ago I cleaned several infected servers, of course hackers don't want to be catched and, apart from some stupid script kiddies, never use their IP directly. The first reaction of a lot of customers was we have the ip send the police and have them arrested and explaining them thet it wasn't so easy was just adding another problem to the problem.

Bad guys are a lot mor phobic than you because they risk consequences IRL and don't want to be catched, clearly, being hackers they know that if they use their real IP address even by mistake they will be arrested so they hide behind layers and layers of encrypted connection, a round or 2 of tor, irc chat, C&C malware .... they even use emails to control their malware. Only after an infected host was in their total control for a long time it will be moved up in the control chain, otherwise it will just be used to attack their targets or find other computers/servers to zombifie.

For smtp there another solution, force the use of tls and enforce certificates validation, at that point hackers will also need a valid server SSL certificate and, unless some geniuses @Microsoft decide to trust fake ECDSA certificates, SMTP will be safer. There are a series of problems for that, for example emergency email should be accepted even if tls validation fails, maybe some new future standard will fix that.
For the moment you could create an enforcing MTA-STS TXT record, a TLSRPT TXT, a CAA record for your domain or dnssec, a HTTPS server for MTA-STS policy and allow only tls connections from valid certificates to your server. I say you could because after all that work a lot of good emails would be bounced back; mails coming from big sites like google, yahoo, hotmail etc. comes in but a lot of small ISP don't have a proper TLS setup, and, for example, a lot of mailing lists are sent directly with programs that doesn't implement properly all the TLS stuff etc.

The best working solution for the moment is to allow non tls connections and use ACL rules to drop unencrypted or self signed messages you don't really need (whitelist postmaster@yourdomain abuse@yourdomain stupid ML mailer that doesnt do TLS etc...):
with exim:
Quote:
Exim’s ACLs can detect whether the current SMTP session is encrypted or not, and if so, what cipher suite is in use, whether the client supplied a certificate, and whether or not that certificate was verified. This makes it possible for an Exim server to deny or accept certain commands based on the encryption state.

See here for some examples:
https://serverfault.com/questions/780125/how-to-force-starttls-in-exim
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
forrestfunk81
Guru
Guru


Joined: 07 Feb 2006
Posts: 504
Location: münchen.de

PostPosted: Tue Jan 21, 2020 12:49 pm    Post subject: Reply with quote

For completeness sake I want to mention fail2ban. But of course this also results in itpables rules only.

I've an internet exposed virtual server running since some years and despite following best practices (non standard ports, key only, fail2ban ... ) I never felt safe. If I got hacked, I probably never would have noticed, because I don't have time to analyze tons of logs every day.

So I started having a look at metrics with Grafana, Influx and Telegraf. You can get some security relevant informations out of the box (i.e. netstat and iptables) or write short scripts pushing own metrics to the database. For example sent metrics for each ssh login via /etc/ssh/sshrc or /etc/profile.d/ script. With proper designed Grafana boards you can check your systems state within minutes instead of hours.
_________________
# cd /pub/
# more beer
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Tue Jan 21, 2020 5:57 pm    Post subject: Reply with quote

IMHO I'm not that worried about being hacked, I'm assuming that if my machine was successfully attacked, most likely others would be too as I'd be using the same software and assumedly same bad passwords as other people. I suspect people hack my machine only because they want another machine for their botnet, otherwise unless it's an easy hack, there's no sense to hack my machine.

However these attack packets are a good portion of my network bandwidth and I want to reduce that as much as possible.

I had a virtually baremetal exposed server running. Standard ports, several standard services (http, smtp, dns), and ssh password authentication. Seems this attracts a lot of attention. I hadn't been blocking a lot of attempts and thus people have been "appreciating" this and thus find it interesting.

Now blocking these packets seems to make it less interesting and hopefully fewer useless-to-me packets get transmitted/received over my IP link.
Code:
-rw-r----- 1 root wheel 166684083 Jan 21 10:56 messages

Oooh! nice! notable reduction in my logfile ds/dt.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
msst
Apprentice
Apprentice


Joined: 07 Jun 2011
Posts: 241

PostPosted: Tue Jan 21, 2020 8:28 pm    Post subject: Reply with quote

I also use fail2ban and it does reduce the load of these scans quite a bit.

You can set this up to report ssh scans to a blocklist and it is also possible to DL the blocklist and apply it to iptables. Which is slow but means their bot IPs loose their value fast.
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Tue Jan 21, 2020 8:35 pm    Post subject: Reply with quote

erm67 wrote:
Do you really believe that you have the real ip address of a bad guy in your drop list? Are youy so naive to believe that hackers are so naive to use their real IP address while attacking you? It would be too easy just whois and send an email to their isp ..... your list of shame is probably a list of victims, all the ip you see are just compromised hosts belonging to innocent people. Shaming them publically might be a real crime since none of the ip addresses belongs to a bad guy, all you can do is find out the abuse email address of the ISP where the ip is located and send a complaint to them. They have not commited any crime since they did not actually hack your host so the police is useless.

When I worked for an ISP a few years ago I cleaned several infected servers, of course hackers don't want to be catched and, apart from some stupid script kiddies, never use their IP directly. The first reaction of a lot of customers was we have the ip send the police and have them arrested and explaining them thet it wasn't so easy was just adding another problem to the problem.

Bad guys are a lot mor phobic than you because they risk consequences IRL and don't want to be catched, clearly, being hackers they know that if they use their real IP address even by mistake they will be arrested so they hide behind layers and layers of encrypted connection, a round or 2 of tor, irc chat, C&C malware .... they even use emails to control their malware. Only after an infected host was in their total control for a long time it will be moved up in the control chain, otherwise it will just be used to attack their targets or find other computers/servers to zombifie.

For smtp there another solution, force the use of tls and enforce certificates validation, at that point hackers will also need a valid server SSL certificate and, unless some geniuses @Microsoft decide to trust fake ECDSA certificates, SMTP will be safer. There are a series of problems for that, for example emergency email should be accepted even if tls validation fails, maybe some new future standard will fix that.
For the moment you could create an enforcing MTA-STS TXT record, a TLSRPT TXT, a CAA record for your domain or dnssec, a HTTPS server for MTA-STS policy and allow only tls connections from valid certificates to your server. I say you could because after all that work a lot of good emails would be bounced back; mails coming from big sites like google, yahoo, hotmail etc. comes in but a lot of small ISP don't have a proper TLS setup, and, for example, a lot of mailing lists are sent directly with programs that doesn't implement properly all the TLS stuff etc.

The best working solution for the moment is to allow non tls connections and use ACL rules to drop unencrypted or self signed messages you don't really need (whitelist postmaster@yourdomain abuse@yourdomain stupid ML mailer that doesnt do TLS etc...):
with exim:
Quote:
Exim’s ACLs can detect whether the current SMTP session is encrypted or not, and if so, what cipher suite is in use, whether the client supplied a certificate, and whether or not that certificate was verified. This makes it possible for an Exim server to deny or accept certain commands based on the encryption state.

See here for some examples:
https://serverfault.com/questions/780125/how-to-force-starttls-in-exim


I know I can't see the real hacker's IP. I might accidentally catch the IP of his DNS if he's stupid and / or careless, but his real IP I am aware I wont see. I say I may be able to see his DNS ip because I host my own zone, and I watch the logs. Usually, prior to a web access, or a mail access, it's usually a DNS query first.

On the other hand, I didn't publish their entrusted data to me. I published my firewall. And I can back that up with logs. I realize it's a not so fun situation for either party. There's two reasons I published, 1, to see how many are actually in UE & US, and 2. to see how persistent they are.

I can't enforce SSL on smtp as it will break compatibility with servers I do trust, which are not under my control but which don't have SSL. I thought about that. Which I think they should... I think with letsencrypt certbot everyone should do that... yet they don't.

And It's true, most bad traffic is non-encrypted. Like brute-force attacks, spam, that sort of thing. But it's not all of it. I wouldn't rely on that alone. I can tell you that from the other side, scripting a socket with ssl is just like scripting one without. They are not using it because they don't need it yet, as most places are to lazy to implement them. But from an attacker perspective ... the ssl is not going to hold you back one bit.

as for the last thing, curious enough, I don't think my postfix can do that. once a server wide policy has been established (like don't accept from hosts which are not fqdn, dont accept from hosts listed)... you can't make another policy just for another user. I tried that, as it seems you should be able to receive to
postmaster@ or abuse@ even if the host is not fqdn or is listed. Yet in postfix you can't do that. I looked it up but didn't find a way to do it. Not that I care about that, less spam for me.
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Tue Jan 21, 2020 8:52 pm    Post subject: Reply with quote

forrestfunk81 wrote:
For completeness sake I want to mention fail2ban. But of course this also results in itpables rules only.

I've an internet exposed virtual server running since some years and despite following best practices (non standard ports, key only, fail2ban ... ) I never felt safe. If I got hacked, I probably never would have noticed, because I don't have time to analyze tons of logs every day.

So I started having a look at metrics with Grafana, Influx and Telegraf. You can get some security relevant informations out of the box (i.e. netstat and iptables) or write short scripts pushing own metrics to the database. For example sent metrics for each ssh login via /etc/ssh/sshrc or /etc/profile.d/ script. With proper designed Grafana boards you can check your systems state within minutes instead of hours.


I concatenate logs from multiple hosts. I was always afraid to use fail2ban because it seemed to be too cluncky and big. seemed always simpler to me to whip some script in perl or python or php or bash or whatever, to just either cron, or run in screen, or integrate into the init system to do exactly what fail2ban does but only the parts that I needed. without any of the uncertainty.

It's not that I have something against fail2ban. It's prolly great. But for me, between running like 1000 lines of code, when you only need like 3... just seems undesirable. I can make my own 3 without all the others.

Same thing is true about that other part. Grafana, Influx and Telegraph. Cool. So many dependencies. Too many.

I replaced everything. I used to use net-snmp, with cacti + rrdtool. Which I'm assuming does kinda the thing you wanna do. Graphs about general usage.

I replaced all that with my own stuff. Its' written in C. It gets the data directly from /proc. Could be made to run at any interval. I use it to run it every second. And it uses less resources than top. All the data goes through network as encrypted udp packets. There's a udp server where the mysql server is (written in php), where these packets are decrypted and pushed into mysql. well... mariadb. and finally apache, again, with a custom graph library, again, written in php, which mimics rrdtool. From start to bottom, every single byte of the code is written by me, and only used by me. And it has 2-3 dependencies. C, php and mariadb.

I'm kinda proud of it. I recently discovered builder, gnome builder, and made a conscious effort to try to put this stuff in such an order that maybe other people could look at it and perhaps even use it. It was made over 20 years. It's terribly incoherent, but it was made in such a way that speed and parallelism were the only two considerations. And it's quite good. I don't know how grafana influx and telegraph are doing, but my thing blows net-snmp/cacti/rrd out of the water in ALL categories. And if you have to use ssh... already lost.
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Tue Jan 21, 2020 9:04 pm    Post subject: Reply with quote

eccerr0r wrote:
IMHO I'm not that worried about being hacked, I'm assuming that if my machine was successfully attacked, most likely others would be too as I'd be using the same software and assumedly same bad passwords as other people. I suspect people hack my machine only because they want another machine for their botnet, otherwise unless it's an easy hack, there's no sense to hack my machine.

However these attack packets are a good portion of my network bandwidth and I want to reduce that as much as possible.

I had a virtually baremetal exposed server running. Standard ports, several standard services (http, smtp, dns), and ssh password authentication. Seems this attracts a lot of attention. I hadn't been blocking a lot of attempts and thus people have been "appreciating" this and thus find it interesting.

Now blocking these packets seems to make it less interesting and hopefully fewer useless-to-me packets get transmitted/received over my IP link.
Code:
-rw-r----- 1 root wheel 166684083 Jan 21 10:56 messages

Oooh! nice! notable reduction in my logfile ds/dt.


I don't know where you are, but you seem to take a very relaxed view. Like, the systems are already very multi-user, and just getting into an user account doesn't mean network wide intrusion. I only seen this type of attitude in academia. Or in universities.

Interesting. Uhm, I've been blessed with places of work where fortunately I get to make the rules. And take all the responsibility. It's both good and bad. My OCD would just explode if at this point in my life I would just have to accept rampant hacking around me. I would go insane. I don't allow even the slightest errors of any kind.

I don't know how much of it is just my OCD, how much of it's the fact that it's no longer fun and games. It's not... kids playing around. Governments... BAD governments & the ones in the west... are playing in this field. The internet is no longer the romantic hacker park I would like to remember from years past. Now it's a battlefield. And we're the collateral. At least, this is the reason I take this stuff very seriously and would like to stand on top of it as much as I can.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Tue Jan 21, 2020 9:22 pm    Post subject: Reply with quote

The only thing I have to say about "being hacked" is that I do care about detection. Once detection occurs then cleanup will need happen.

It seems for the most part people are dealing with CYA over convenience. It indeed is OCD. These attempts are merely that, attempts. As long as the attempts don't succeed, it's no different than block any attempts from occurring - either way they still don't succeed in logging in.

Except that there's a convenience cost. Whether that be you need to have a certain hardware/software device handy to login remotely or not. I have been thinking about requiring myself (yes this is a home machine we're dealing with, not some company machine) to login to VPN to login remote, but I found that there are still too many networks out there that drop VPN packets (port or udp drop or something) after getting OpenVPN set up and working. *sigh* truly annoying.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Tue Jan 21, 2020 9:47 pm    Post subject: Reply with quote

eccerr0r wrote:
The only thing I have to say about "being hacked" is that I do care about detection. Once detection occurs then cleanup will need happen.

It seems for the most part people are dealing with CYA over convenience. It indeed is OCD. These attempts are merely that, attempts. As long as the attempts don't succeed, it's no different than block any attempts from occurring - either way they still don't succeed in logging in.

Except that there's a convenience cost. Whether that be you need to have a certain hardware/software device handy to login remotely or not. I have been thinking about requiring myself (yes this is a home machine we're dealing with, not some company machine) to login to VPN to login remote, but I found that there are still too many networks out there that drop VPN packets (port or udp drop or something) after getting OpenVPN set up and working. *sigh* truly annoying.



2 different things.

1 when your domain and your class of ip addresses are static, and a target on your back.

the other... get better. perhaps openvpn is not for you. maybe udp is not for you. maybe you need to try another port. or a wrapper.

I can't prove it, but I think my ISP is using some sort of udp randomizer of some sort so that when you try to use UDP for like a tunnel or smth... packets always arrive, but in the wrong order. and anyone that did any programming with this, you know, order matters. or timing. I can use udp tunnels, but pretty much everyone else that uses my ISP can't. Well, basically because of an old contract. I am basically on old equipment that can't do that. But new locations, with new equipment... nothing udp works. It comes scrambled.

The solution is simple. Dont use udp.

Could also come with a "know it's a tunnel" coz it's port 1194. change it. could also know it's openvpn coz openvpn always meets and greets the same way. change it. wrap it in a ssh stream.

And finally, the best middle finger against ISPs. They could shape your traffic. https://forums.gentoo.org/viewtopic-t-1103538-highlight-bond+tunnel.html

I could bond my tunnels. I don't know what kinda uncooperative ISP's people might face. Personally I bonded my tunnel for more throughput when using more cores for compression. But could be used for a lot of things.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Wed Jan 22, 2020 1:22 am    Post subject: Reply with quote

Remember that UDP has no guarantee of packets transferred in order (or even arrival). If your program can't handle out of order UDP packets, that's a bug in that program. TCP the packets will be reordered by the kernel and will not pass packets to the client programs until all packets before it have arrived.

UDP is actually the closest ideal datagram packets for VPNs because it's almost bare IP. Just encapsulate the regular IP packet and send it as UDP, let the endpoints deal with problems, and you have no roaming problems. VPN over TCP was made because of the NAT traversal problem, because NAT wants to be lazy and not keep track of UDP packets -- it's an unsolvable problem when memory isn't infinite. ("almost" ideal because people in the past have used VPN encapsulated in raw IP packets to make it even more like IP, and this REALLY makes routers unhappy, and will happily drop your VPN packets.)

My ISP has no problems with UDP surprisingly enough, but when I'm remote, I do notice many services tend to block UDP because of the NAT problem. I've come across several places that indeed allows UDP to arrive intact and that's what I prefer using if possible. But at least on my own side, it's my own gear that has issues with UDP traversal if any at all. If you have any sort of NAT, that would explain a lot of UDP issues.

(BTW I'm aware of the static+domain name problem and is probably another reason why hackers likes my home machine so much.)
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Wed Jan 22, 2020 3:14 am    Post subject: Reply with quote

https://preview.redd.it/duv11av99nm11.png?width=960&crop=smart&auto=webp&s=e936ab3a84fd270493fa2dc504821aad12bb7a39

I really hope the links I'm posting are working. At least for a while.

https://media.giphy.com/media/PAujV4AqViWCA/giphy.gif

Now... i'm gonna go in a corner a laugh my ass off.

It's not that I don't like UDP. I do. But man... it's funny.
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 601
Location: EU

PostPosted: Wed Jan 22, 2020 9:18 am    Post subject: Reply with quote

eccerr0r wrote:
The only thing I have to say about "being hacked" is that I do care about detection. Once detection occurs then cleanup will need happen.


A lot of times that is exactly what they want you to do, because they installed a rootkit that will be activated after reboot .... If they break in there will be multiple backdoor installed, they always stage something that is easy to detect so that even a naive user can detect and clean it. the real backdoor will be really well hidden elsewhere. Maybe it's even in your backups ..... And how do you know that your precious logs have not been tampered with? The first thing they do once they own your box is clean traces behind them. Is that crypto signed stored on a central server or how do you protect it? If see something in the logs it might be because you interrupted them, but more likely it is because they want that you see it and reboot.

axl wrote:


I know I can't see the real hacker's IP. I might accidentally catch the IP of his DNS if he's stupid and / or careless, but his real IP I am aware I wont see. I say I may be able to see his DNS ip because I host my own zone, and I watch the logs. Usually, prior to a web access, or a mail access, it's usually a DNS query first.

c'mon even script kiddies know what dsn resolution is, now you're not really the only with a DNS server :-) even socks5 proxies do dns resolution in the proxy ;-)


https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
https://github.com/cybozu-go/transocks
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
Amity88
Apprentice
Apprentice


Joined: 03 Jul 2010
Posts: 243
Location: Third planet from the Sun

PostPosted: Wed Jan 22, 2020 3:07 pm    Post subject: Reply with quote

erm67 wrote:

When I worked for an ISP a few years ago I cleaned several infected servers, of course hackers don't want to be catched and, apart from some stupid script kiddies, never use their IP directly. The first reaction of a lot of customers was we have the ip send the police and have them arrested and explaining them thet it wasn't so easy was just adding another problem to the problem.

Bad guys are a lot mor phobic than you because they risk consequences IRL and don't want to be catched, clearly, being hackers they know that if they use their real IP address even by mistake they will be arrested so they hide behind layers and layers of encrypted connection, a round or 2 of tor, irc chat, C&C malware .... they even use emails to control their malware. Only after an infected host was in their total control for a long time it will be moved up in the control chain, otherwise it will just be used to attack their targets or find other computers/servers to zombifie.


Since you've done autopsies on several infected machines, any experiences on the matter would be very useful!

How do they usually get in? shouldn't a box that only open SSH with pub key authentication be impervious to these attacks?

How did you figure that they were infected? how'd you detect the rootkits and RATs?
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7414
Location: almost Mile High in the USA

PostPosted: Thu Jan 23, 2020 3:33 am    Post subject: Reply with quote

erm67 wrote:
A lot of times that is exactly what they want you to do, because they installed a rootkit that will be activated after reboot ....

They want me to detect it and reinstall the OS?

No, they do not want me to detect their rootkit, plain and simple. Confuse, yes; but detect no. Reboot is minimal during a reinstall which would clear their rootkit. They may want me to reboot because they installed a new kernel, but if I install a fresh kernel, that would defeat their purpose.

The problem is that detection may not be simple because they go under great lengths to hide intrusion. However having multiple orthogonal detection techniques helps immensely.

But all of this is really going off topic, I still am curious to see if I've somehow gotten more attention to my home machine than perhaps some school server with sshd running. Or have most educational institutions banned all off site connections now because of this? Instead of blaming users for using the same password on multiple sites?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
axl
l33t
l33t


Joined: 11 Oct 2002
Posts: 908
Location: Romania

PostPosted: Thu Jan 23, 2020 3:42 am    Post subject: Reply with quote

I have been hacked once. You didn't ask me directly, but I could share my experience.

Should be noted that: it was a stranger, it was a fluke, it wasn't serious.

It happened in 2010ish I think. A old client which refused updates on the base that it hinders operations. So, over time, someone found a simple openssh remote hack. and that's how they got in in the first place.

Later, while installing a new machine, by ways of chroot as per gentoo handbook, in a remote session, I got careless with my key. I uploaded my key on the remote machine, without knowing it was compromised. The attacker took my key and then got on my network. all my machines. I don't think he was a particular good gentoo guy. He only knew how to compromise openssh. and only a specific version.

later analysis revealed that he would wget his own ssh tar, and just copy the binary over the system binary.

So I think It was openssh 6.6. or around that version. which was vulnerable on its' own, but the guy had a special version of the sourcecode, modified in such a way that it would keep a log of users and passwords hidden as a file in /opt.

took me like forever to find out why that server was infected. and at the end of it... omg... this asshole infected me too. but at the end of it, the big thing he was running was just some irc clients. nothing very nefarious or scary. nothing a good reinstall wont fix.


None the less , with that open bleed ssl bug, and specter and meltdown, you kinda have to ask yourself, would you actually know if you are being hacked? I obsess thinking about that. how would you know. I take crazy measures. like... I have my own piece of code, that counts the memory of every other piece of code happening to run on that vm. And it's a good thing I got a handle on servers and daemons and vm's and stuff.

Coz:

Code:
[axl@magdalina:~]$ ps axw|wc -l
331



I don't even know how to begin to sort these things. usually they are upward of 500. on a desktop is just a chaotic system.


What I'm saying is: it's great when you can compartmentalize. I love my worker VM's. It's kernel... and daemon. No pid runs on that thing that I don't know about. But then on the other end of the spectrum... I have NO idea what my desktop is doing. And very little interest to find out. And I fear terribly that my ssh key will do it again. same key. and the same intersection of ... things.


Anyway, if there is one thing that I would like to say, is that the scariest hack is the one you don't know about. You just go on your daily activities. Everything works. No complaints. And you don't know. that's ... that what is scaring me.

And there are rootkit detectors. you can... yeah... there's a lot of things to talk about there. there's a lot of ways to just confuse and corrupt the kernel. with like bash. and ... we got better at it over the years. Still...


How the hell do you approach the task of having an impregnable system when there is something like intel me?
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 601
Location: EU

PostPosted: Thu Jan 23, 2020 2:57 pm    Post subject: Reply with quote

eccerr0r wrote:


But all of this is really going off topic, I still am curious to see if I've somehow gotten more attention to my home machine than perhaps some school server with sshd running. Or have most educational institutions banned all off site connections now because of this? Instead of blaming users for using the same password on multiple sites?


Nobody allows password authentication, we always receive a key to log in. Maybe they target your server because it allows password authentication :-)

There are also bios rootkits, and most importatly they know you will reinstall the os from a fresh copy but keep whatever application the server is running so they will try to infect it starting from custom init scripts used to launch it, or plant nasty .htaccess/php/(whatever can be executed from outside) files in hidden places but most certainly you will not clean user home dirs, so the .bashrc in your home or in the root home dir are a good target.
Usually the best option is to get a new server (wipe the enrtire disk) and reinstall from scratch keeping only data not just restore full backups. They will also install multiple backdoors, some very easy to find and other well hidden.
You think that reading the log of the failed hacking attempts will help detecting the attacks that succeds instead?
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 601
Location: EU

PostPosted: Thu Jan 23, 2020 4:27 pm    Post subject: Reply with quote

axl wrote:
I the big thing he was running was just some irc clients. nothing very nefarious or scary

Well the irc clients were probably controlling a botnet :-)
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page Previous  1, 2, 3, 4  Next
Page 2 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum