Gentoo Forums
i got hacked. what were they up to?
bakaohki
Tux's lil' helper
Joined: 14 Jul 2005
Posts: 129
Location: Hungary
PostPosted: Sat Sep 10, 2005 8:58 pm

I shouldn't even bother to post, because what I'm saying is so trivial: USE A DEDICATED FIREWALL :evil:. Everyone out there. You can use Gentoo, Debian, whatever; I prefer FloppyFW with a fanless dumb P1 75 MHz (put together from used garbage). And of course use strong passwords and iptables firewalls for the internal machines. Duh. Surfing on the net without a firewall is like walking around in the city without clothes; if you have weak passwords and open ssh ports, then it means you're a hot babe without clothes in the worst area of the city at midnight waving a sign "kidnap me"...

audiodef
Watchman
Joined: 06 Jul 2005
Posts: 5913
PostPosted: Tue Sep 13, 2005 12:27 pm    Post subject: Mystery logout

I think someone may have been trying to use my Gentoo box at my office, after hours. I had it up and running one day, screen locked, and logged out the next day. At best, someone hit the computer's reset button, but where would I look to find out exactly what happened? I know it's probably not a power failure because 1. another computer was still on the way I left it and 2. I don't think the computer is set up to reboot after a power failure.

jamapii
Guru
Joined: 16 Sep 2004
Posts: 536
PostPosted: Sat Sep 17, 2005 6:58 pm

There is /var/log/syslog

If it was xlock, maybe it crashed.

Maybe someone switched it off for some reason, then changed their mind and switched it on again.

...

trip
n00b
Joined: 10 May 2005
Posts: 6
Location: ninth plane of hell
PostPosted: Mon Sep 26, 2005 7:19 am

How do you turn off passwd-less logins? And is making a passwd-less account as easy as not typing any password when creating the account? Sorry for the noob questions, but I want to know exactly what to do in the little time I have. :D
Thanks in advance
_________________
using linux since may 2005
using gentoo since sept. 2005

Testing and
Research
In
Progress

quantus
n00b
Joined: 30 Jul 2002
Posts: 60
PostPosted: Mon Sep 26, 2005 10:43 pm    Post subject: PAM...

trip wrote:
How do you turn off passwd-less logins? And is making a passwd-less account as easy as not typing any password when creating the account? Sorry for the noob questions, but I want to know exactly what to do in the little time I have. :D
Thanks in advance


I'm a little fuzzy on your question... see if this helps you out: Hardening PAM

nhaggin
n00b
Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA
PostPosted: Wed Oct 05, 2005 3:40 pm

Replying a little late to this, but I didn't see it until now....

segedunum wrote:
Quote:
The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.


That's the usual cop-out rubbish I'm afraid.


It might interest you to know that I'm not running a public SSH server, and that I do use OpenVPN to remotely administer my machine.

As to the rest of your reply: I was not attempting to ridicule your advice, nor was I making several of the assumptions you suggested I was; if my choice of language implied that, I apologize. I meant to indicate that, if one hardens one's SSH setup, one can expose it to the Internet, even on port 22, without immediate and grave danger, although there is still some danger present. IOW, it's not completely insane to have publicly-available SSH, although, as you have indicated, certain other systems are more secure.
_________________
Nick

A.M.D.G.

robinmdh
n00b
Joined: 01 Oct 2005
Posts: 6
PostPosted: Wed Oct 05, 2005 7:14 pm

Code:
Oct  2 10:52:23 [sshd] Invalid user anna from 210.6.64.3
Oct  2 10:52:31 [sshd] Invalid user arthur from 210.6.64.3
Oct  2 10:52:38 [sshd] Invalid user aron from 210.6.64.3
Oct  2 10:52:42 [sshd] Invalid user austin from 210.6.64.3
Oct  2 10:52:46 [sshd] Invalid user barbara from 210.6.64.3
Oct  2 10:52:50 [sshd] Invalid user bart from 210.6.64.3
Oct  2 10:52:53 [sshd] Invalid user ben from 210.6.64.3
Oct  2 10:52:57 [sshd] Invalid user beny from 210.6.64.3
Oct  2 10:53:02 [sshd] Invalid user bert from 210.6.64.3
Oct  2 10:53:05 [sshd] Invalid user bill from 210.6.64.3
Oct  2 10:53:13 [sshd] Invalid user bind from 210.6.64.3
Oct  2 10:53:17 [sshd] Invalid user bob from 210.6.64.3
Oct  2 10:53:20 [sshd] Invalid user bobby from 210.6.64.3
Oct  2 10:53:24 [sshd] Invalid user bret from 210.6.64.3
Oct  2 10:53:27 [sshd] Invalid user brian from 210.6.64.3
Oct  2 10:53:31 [sshd] Invalid user bruce from 210.6.64.3
Oct  2 10:53:36 [sshd] Invalid user carl from 210.6.64.3
Oct  2 10:53:39 [sshd] Invalid user carol from 210.6.64.3
Oct  2 10:53:45 [sshd] Invalid user cesar from 210.6.64.3
Oct  2 10:53:48 [sshd] Invalid user clark from 210.6.64.3
Oct  2 10:53:51 [sshd] Invalid user clinton from 210.6.64.3
Oct  2 10:53:55 [sshd] Invalid user corinna from 210.6.64.3
Oct  2 10:53:59 [sshd] Invalid user craig from 210.6.64.3
Oct  2 10:54:02 [sshd] Invalid user daniel from 210.6.64.3
Oct  2 10:54:06 [sshd] Invalid user danny from 210.6.64.3
Oct  2 10:54:11 [sshd] Invalid user dave from 210.6.64.3
Oct  2 10:54:14 [sshd] Invalid user dexter from 210.6.64.3
Oct  2 10:54:18 [sshd] Invalid user dick from 210.6.64.3
Oct  2 10:54:21 [sshd] Invalid user earl from 210.6.64.3
Oct  2 10:54:26 [sshd] Invalid user ed from 210.6.64.3
Oct  2 10:54:30 [sshd] Invalid user eddie from 210.6.64.3
Oct  2 10:54:33 [sshd] Invalid user edgar from 210.6.64.3
Oct  2 10:54:37 [sshd] Invalid user ellen from 210.6.64.3
Oct  2 10:54:40 [sshd] Invalid user emil from 210.6.64.3
Oct  2 10:54:45 [sshd] Invalid user enzo from 210.6.64.3
Oct  2 10:54:48 [sshd] Invalid user felix from 210.6.64.3
Oct  2 10:54:52 [sshd] Invalid user fred from 210.6.64.3
Oct  2 10:54:57 [sshd] Invalid user francis from 210.6.64.3
Oct  2 10:55:02 [sshd] Invalid user harry from 210.6.64.3
Oct  2 10:55:06 [sshd] Invalid user ian from 210.6.64.3
Oct  2 10:55:10 [sshd] Invalid user ismail from 210.6.64.3
Oct  2 10:55:20 [sshd] Invalid user james from 210.6.64.3
Oct  2 10:55:24 [sshd] Invalid user jesse from 210.6.64.3


lol
Don't think I've been hacked, but will step up on security!

pengatom
n00b
Joined: 04 Oct 2004
Posts: 14
Location: Norway
PostPosted: Fri Oct 07, 2005 9:08 pm

I've got 23 000 "Failed password" logins in the last 3 months... Changed the ssh port, hopefully it gets better :)

In my iptables I've written:

Code:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Would the "ssh" port number change to whatever I set in sshd_conf, or does "ssh" mean port 22?

Btw, if I try to set an "easy" password on a user, gentoo tells me this; anyone know what the definition of a "BAD password" is?

Malcolm
n00b
Joined: 11 Jul 2002
Posts: 59
Location: Ontario, Canada
PostPosted: Wed Oct 12, 2005 6:25 pm

I've gotten a lot of these break-in attempts as well, both through SSH and FTP. My suggestion is to set up an auto-blacklisting script like ssh black.

I've had this setup on my system for 3 days now and the blacklist always has 5-10 IPs, rotating of course :)
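The detection side of an auto-blacklister like the one suggested above, written as an added example (not code from the thread or from any of the tools named in it): it parses sshd "Invalid user" lines in the same format as the log robinmdh pasted, flags sources that make a burst of attempts against many different names inside a short window, and renders the DROP rules such a script would install. The log lines and addresses are constructed (RFC 5737 documentation ranges), and the threshold, window and port values are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the sshd lines quoted earlier in the
# thread; the addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Oct  2 10:52:23 [sshd] Invalid user anna from 192.0.2.10
Oct  2 10:52:31 [sshd] Invalid user arthur from 192.0.2.10
Oct  2 10:52:38 [sshd] Invalid user aron from 192.0.2.10
Oct  2 10:52:42 [sshd] Invalid user austin from 192.0.2.10
Oct  2 10:52:46 [sshd] Invalid user barbara from 192.0.2.10
Oct  2 10:52:50 [sshd] Invalid user bart from 192.0.2.10
Oct  2 11:30:00 [sshd] Invalid user test from 198.51.100.7
Oct  2 11:30:05 [sshd] Accepted publickey for alice from 203.0.113.5 port 4022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
                     r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")

def parse_invalid_user_lines(text, year=2005):
    """Return [(timestamp, user, ip)] for the 'Invalid user' lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one has to be assumed
            stamp = " ".join(m["ts"].split())
            events.append((datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
                           m["user"], m["ip"]))
    return events

def find_bursts(events, threshold=5, window_seconds=120):
    """{ip: (total attempts, distinct names)} for sources with >= threshold attempts in one window."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over sorted times
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(attempts), len({u for _, u in attempts}))
                break
    return flagged

def blacklist_rules(flagged, port=22):
    """One iptables DROP rule per flagged source, returned as text for review, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = find_bursts(parse_invalid_user_lines(SAMPLE_LOG))
    for ip, (n, names) in hits.items():
        print(f"{ip}: {n} invalid-user attempts against {names} distinct names")
    print("\n".join(blacklist_rules(hits)))
```

A real deployment would read the live auth log, expire rules after a while and whitelist its own management addresses so a typo in a user name cannot lock the administrator out.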

Errtu
Apprentice
Joined: 12 Nov 2002
Posts: 155
Location: Brazil
PostPosted: Thu Oct 13, 2005 10:06 am

I got tired of maintaining blacklists, scripts and other stuff to keep 'em out, so I just configured sshd to listen on a higher IP. Since I've done that I get no more of these attempts. And my logfile stays a bit cleaner too :)

Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2070
PostPosted: Thu Oct 13, 2005 1:51 pm

I just grepped over my log and have about 2,000+ pages of attempts ranging back to August of this year.

All of them lame dictionary attempts. Does reporting these IPs to their respective ISPs help anything?
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim

christsong84
Veteran
Joined: 06 Apr 2003
Posts: 1003
Location: GMT-8 (Spokane)
PostPosted: Thu Oct 13, 2005 7:10 pm

bigun89 wrote:
I just grepped over my log and have about 2,000+ pages of attempts ranging back to August of this year.

All of them lame dictionary attempts. Does reporting these IPs to their respective ISPs help anything?


Sometimes, but not often. I generally report those IPs to them anyway... might as well, it can't hurt anything. I've gotten three ISPs who've actually done something and asked me to let them know if things happen again. :)
_________________
while(true) {self.input(sugar);} :twisted:

oracleofmist
Apprentice
Joined: 19 Jun 2004
Posts: 235
PostPosted: Sat Oct 15, 2005 12:13 am

On top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols, I've also taken the liberty of changing my ftp and ssh services to high port numbers. Good practice?
_________________
Segmentation Fault

Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2070
PostPosted: Sat Oct 15, 2005 2:55 pm

oracleofmist wrote:
On top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols, I've also taken the liberty of changing my ftp and ssh services to high port numbers. Good practice?


Ehh... that's more security by obscurity... but at the very least it will keep bot attempts out.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim

chrispolderman
n00b
Joined: 12 Oct 2005
Posts: 14
PostPosted: Mon Oct 24, 2005 5:52 am

Is there a solid way to trace back the IP number in question and obtain the abuse email address for the corresponding ISP, or am I just speaking nonsense here?

Would be a nice script: more than 20 password tries logged and a process would automatically file a complaint to the corresponding ISP...

Is this possible (apart from spoofed IPs, of course)..?

Chris

dsb
n00b
Joined: 09 Sep 2004
Posts: 30
Location: MO
PostPosted: Tue Oct 25, 2005 7:33 am

My traceroute shows they are coming from China

shiggity s
n00b
Joined: 26 Oct 2005
Posts: 11
PostPosted: Wed Oct 26, 2005 7:03 am

Those crazy Chinese hackers

Cinder6
l33t
Joined: 05 Aug 2004
Posts: 767
Location: California
PostPosted: Thu Oct 27, 2005 10:58 pm

I've been getting some from South Korea, and a couple that IP locators can't find :(
_________________
Knowledge is power.
Power corrupts.
Study hard.
Be evil.

Ugly Overload

Monkeh
Veteran
Joined: 06 Aug 2005
Posts: 1656
Location: England
PostPosted: Fri Oct 28, 2005 12:37 am

bigun89 wrote:
oracleofmist wrote:
On top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols, I've also taken the liberty of changing my ftp and ssh services to high port numbers. Good practice?


Ehh... that's more security by obscurity... but at the very least it will keep bot attempts out.


There's nothing wrong with security by obscurity, in fact it's a good practice. Just don't rely on it.

heartburn
n00b
Joined: 18 Oct 2002
Posts: 40
PostPosted: Thu Nov 03, 2005 11:17 pm

I'm not sure if it's been mentioned yet on this thread (it's a very long thread). But you can configure sshd to use DSA authentication instead of PasswordAuthentication. Then, a cracker would need an existing user's private key to use ssh.

You can find the instructions here:
http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable

Also, logwatch makes a nice daily report of login attempts:

Code:
--------------------- SSHD Begin ------------------------

 
 Didn't receive an ident from these IPs:
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
 
 Failed logins from these:
    invalid user admin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user administrator (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user carol (password) from ::ffff:xxx.xxx.xxx.xxx: 2 Time(s)
    invalid user jack (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user marvin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    root/password from ::ffff:xxx.xxx.xxx.xxx: 31 Time(s)

 Users logging in through sshd:
    jblow:
       xxx.xxx.net (xxx.xxx.xxx.xxx): 4 times
 
 ---------------------- SSHD End ------------------------- 


I also have a script to page me when someone successfully logs on through ssh. That's not too practical if you have lots of users, but it's good if you aren't expecting any logins. I think I stole this script from somewhere else in this forum (my apologies to its author).

Code:
#!/bin/bash
# Send a brief alert with connection details
#
# Meant to run from a login hook (e.g. sourced from /etc/profile or run from
# sshrc) so that sshd has already set SSH_CONNECTION, SSH_TTY and USER.
# Bash is required for the ${address:0:1} substring expansion below.

when=`/usr/bin/date`
# First field of SSH_CONNECTION is the client address; the last cut strips a
# "::ffff:" prefix from IPv4-mapped IPv6 addresses and leaves plain IPv4 alone.
where=`echo $SSH_CONNECTION|cut -f1 -d' '|cut -f4 -d:`

# No tty means a non-interactive connection (scp, sftp, remote command).
if [ -z "$SSH_TTY" ] ; then
  what="Connect by $USER"
else
  what="Login by $USER on $SSH_TTY"
fi

mailto=""
cc_to=""
bcc_to=""

# /etc/ssh/notify lists one recipient per line, optionally followed by "cc"
# or "bcc"; blank lines and lines starting with # are ignored. The file must
# exist, or the redirection below fails and no alert is sent.
while read address mode
do
  if [ -z "$address" -o "${address:0:1}" = "#" ] ; then continue; fi

  if [ "x$mode" = "xcc" -o "x$mode" = "xCC" ] ; then
    cc_to=${cc_to:+${cc_to},}$address
  elif [ "x$mode" = "xbcc" -o "x$mode" = "xBCC" ] ; then
    bcc_to=${bcc_to:+${bcc_to},}$address
  else
    mailto=${mailto:+${mailto},}$address
  fi
done </etc/ssh/notify

# Fall back to the "operator" mailbox when the file names no primary recipient.
mailto=${mailto:-operator}
cc_to=${cc_to:+"-c $cc_to"}
bcc_to=${bcc_to:+"-b $bcc_to"}
mail ${cc_to} ${bcc_to} -s "SSH Alert" ${mailto} >&2 <<-EOM
  ${what} from ${where} at ${when}
EOM

~~~~~EDIT~~~~~
I just did a search and it seems that I stole the script from timeBandit. He has written an excellent HOW-TO about it here:
https://forums.gentoo.org/viewtopic-t-393795-highlight-send+brief+alert+connection+details.html


Last edited by heartburn on Thu Nov 03, 2005 11:28 pm; edited 1 time in total

abaelinor
n00b
Joined: 27 Aug 2005
Posts: 51
PostPosted: Tue Nov 08, 2005 4:58 am

aa

Last edited by abaelinor on Tue Oct 21, 2008 4:28 am; edited 1 time in total

heartburn
n00b
Joined: 18 Oct 2002
Posts: 40
PostPosted: Tue Nov 08, 2005 5:39 am

Like I said, I stole it from timeBandit. He deserves the credit. But I've been using it for about two weeks and it works great. I love hearing my phone make a satisfying chirp every time I log on. And I like hearing nothing when I'm not logging on even better :)

d11wtq
Apprentice
Joined: 14 Jul 2005
Posts: 192
Location: Manchester, UK
PostPosted: Fri Nov 11, 2005 10:38 am

Hopefully I've not missed something... I just read 16 pages of thread very quickly. What a great thread!

I run a web server. I'm not being paranoid but this has made me think a lot about security considerations. One thing that worries me is that I have set up user accounts for friends & family on my server (shell accounts/ftp/virtualhost apache accounts) so they can host websites too.

Everyone seems to only be mentioning SSH attacks... all of my users (most know virtually nothing about *nix) have shell access by SSH. The worrying thing is that I'm relying upon them to use secure passwords too now. How can I force increased password security? I want them all to login and do a passwd, then I want passwd to make sure their passwords:

a) Contain at least 8 characters
b) Contain at least 2 numbers
c) Contain a mixture of uppercase and lowercase letters

passwd already forces at least *6* chars but the rest is perfectly allowed :(

I'm amazed we're only discussing SSH. Is FTP any security risk? It uses the same passwords as the shell access and all users are chrooted to their home directory. Hell... I've even been told you can compromise a box by telnetting to port 80 (HTTP) and doing some magic :?

I've already installed and changed a few configs during the course of this thread... I may as well do this extra thing with the passwords too. I'll run a "last" command every so often so that users who aren't using SSH have their access removed temporarily too. They'd just get a message upon successful login which says that they need to contact me to have their access re-enabled and then it disconnects again.

Password criteria help anyone?

Errtu
Apprentice
Joined: 12 Nov 2002
Posts: 155
Location: Brazil
PostPosted: Fri Nov 11, 2005 1:19 pm

d11wtq:

Just doing some searching on freshmeat gives these projects:

http://freshmeat.net/projects/pam_pwcheck/
- The pam_pwcheck is a PAM module for password strength checking

http://freshmeat.net/projects/pam_passwdqc/
- pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1).


Maybe one of these could be of help?


Leon

d11wtq
Apprentice
Joined: 14 Jul 2005
Posts: 192
Location: Manchester, UK
PostPosted: Fri Nov 11, 2005 10:21 pm

Thanks. I've emerged pam_passwdqc so that should help. I haven't set it up yet but it looks simple enough :D
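An added example, not code from the thread or from pam_passwdqc, showing what a checker for the three rules d11wtq listed (8+ characters, 2+ digits, mixed case) looks like next to the length-by-character-class rule that passwdqc's min= setting applies; the passwdqc part is modelled on its documented defaults (min=disabled,24,11,8,7) with passphrase handling left out, and the sample passwords are constructed.

```python
def char_classes(password):
    """Count character classes as passwdqc documents it: digits, lower-case,
    upper-case and other, except that an upper-case first character and a
    digit last character do not earn their class."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    classes = set()
    for c in body:
        if c.isdigit():
            classes.add("digit")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return len(classes)

# passwdqc default min=disabled,24,11,8,7: slots are 1 class, 2 classes,
# passphrase (unused here), 3 classes, 4 classes; None means disallowed.
PASSWDQC_MIN = (None, 24, 11, 8, 7)

def violations(password, min_by_classes=PASSWDQC_MIN):
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    problems = []
    # the three rules from the post
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than 2 digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper- and lower-case letters")
    # the class-based length rule: fewer classes means a longer password is required
    n = char_classes(password)
    required = min_by_classes[{1: 0, 2: 1, 3: 3, 4: 4}.get(n, 0)]
    if required is None:
        problems.append(f"{n}-class passwords are disabled")
    elif len(password) < required:
        problems.append(f"{n} character classes need at least {required} characters")
    return problems

if __name__ == "__main__":
    for candidate in ("Summer2005", "tr1pwire", "Vq7!m2Kp9s"):   # constructed samples
        print(candidate, "->", violations(candidate) or "accepted")
```

Note that a password satisfying all three of the post's rules can still fail the class-based rule: "Summer2005" has 10 characters, 4 digits and mixed case, but passwdqc's counting sees only two classes and wants 24 characters.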
All times are GMT
Page 16 of 18