Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
i got hacked. what were they up to?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... 16, 17, 18  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Tue Feb 14, 2006 4:36 pm    Post subject: Reply with quote

RBH wrote:
I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.


It depends, my box *IS* the router, therefore having a NetGear router in front of it is mundane and rickety.

Besides, I trust the security of a Gentoo box that I manage 10 fold over a homegrade NetGear router.

Yes, it's added security in the physical sense. But it's one more thing to break, one more thing to manage, and one more thing to go wrong. If your Gentoo box takes care of it, along with the added bonus of being able to log it, why put in a router at all?
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
assaf
Apprentice
Apprentice


Joined: 14 Feb 2005
Posts: 152
Location: http://localhost

PostPosted: Tue Feb 14, 2006 5:19 pm    Post subject: Reply with quote

RBH wrote:
I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.


If your router does not allow ssh then what's the point? You may as well not run sshd at all, or if you want to access it only from the LAN you could add a simple iptables rule.
Back to top
View user's profile Send private message
linuxgeekery
n00b
n00b


Joined: 07 Jun 2005
Posts: 27

PostPosted: Sat Feb 25, 2006 3:53 am    Post subject: Script update Reply with quote

Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
_________________
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination
Back to top
View user's profile Send private message
MrUlterior
Guru
Guru


Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Mon Feb 27, 2006 10:07 am    Post subject: Re: Script update Reply with quote

linuxgeekery wrote:
Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.


Which makes the assumption that I can't make sufficient connections to your machine in under a minute to bring it down ... worse still it means I could use YOU to make a DoS attack, all I have to do is poison your ARP cache to make you think that my IP is infact the desired target, and suddenly you're sending the contents of /dev/random to a complete inoccent. The puzzled expression on your face when your ISP annuls your contract & requests your presence in court will be priceless.

Getting the picture? Counter-measures you don't understand are more dangerous to you than the undesirables you're trying to dissuade from bothering you.
_________________

Misanthropy 2.0 - enough hate to go around
Back to top
View user's profile Send private message
MrUlterior
Guru
Guru


Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Mon Feb 27, 2006 10:11 am    Post subject: Re: Script update Reply with quote

linuxgeekery wrote:
Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.


Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.
_________________

Misanthropy 2.0 - enough hate to go around
Back to top
View user's profile Send private message
erikstotle
n00b
n00b


Joined: 07 Mar 2006
Posts: 5
Location: Holland, MI

PostPosted: Tue Mar 07, 2006 2:28 am    Post subject: Reply with quote

I have a hardware router and I still get those ssh attacks. They get incessently annoying. I suggesst that you install iptables and then use dynfw (it's not in portage, you can get it from http://www.gentoo.org/doc/en/articles/files/dynfw-1.0.1.tar.bz2). Once you have that installed, you can block ips and limit the number of new connections per minute/hour/day on a port on the fly. For example, since I only use ssh for remote administration, I limit the number of new connections per minute on port 22 to 1. This does get annoying if you login incorrectly because you have to wait a minute before trying again, but it does make the ssh cracking scripts give up quite quickly. And even if it doesn't give up, only about 1/60th of it's login attempts get through.
For further reading go to this rather humerous article:
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Tue Mar 07, 2006 3:29 pm    Post subject: Reply with quote

~~snip~~
erikstotle wrote:
For further reading go to this rather humerous article:
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml


I really like the ipdrop script, I'm going to start a thread in the programming forum to see if I can get it to run a bit better.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
minskpower
Tux's lil' helper
Tux's lil' helper


Joined: 16 Jun 2005
Posts: 94
Location: /dev/null

PostPosted: Tue Mar 14, 2006 2:19 am    Post subject: Reply with quote

To everybody complaining about ssh flooding - why don't you change the port to something else, you won't be bothered by those worms, they don't generally scan the upper ports, even if they do I doubt they can recognise it's running ssh (at this time). This solution applies if you are not limited by a third party firewall.
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Tue Mar 14, 2006 4:27 pm    Post subject: Reply with quote

The IPdrop script stops the attacks in their tracks. I only wish there was a script that ran in the background to detect such attacks and add the IP to the droplist automatically.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
dpetka2001
l33t
l33t


Joined: 04 Mar 2005
Posts: 804

PostPosted: Sat Mar 18, 2006 8:01 pm    Post subject: Reply with quote

hello just got back home and observed a strange in my computer...some files and directories were deleted and i found them in the Trash Can...the thing is that they were in different spots in my Desktop and is very unlikely that someone might accedentaly deleted them without having selected all of them on his own...i think i might have been hacked but am not really sure about it...how could i verify if i was hacked or not?? could you please show me the way to do this because i don't really know how to do it?? thanks in advance...
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Sat Mar 18, 2006 9:29 pm    Post subject: Reply with quote

Heh.... typically when your hacked, they don't move your icons or move stuff to your trash bin.

Try going to a more secure password and locking your bedroom door.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
dpetka2001
l33t
l33t


Joined: 04 Mar 2005
Posts: 804

PostPosted: Sun Mar 19, 2006 12:05 pm    Post subject: Reply with quote

well i don't think that anyone from my family would do such a thing...the don't know much of computers...anyway...is there something that i could check in order to find out if there was any attempt??
Back to top
View user's profile Send private message
jamapii
Guru
Guru


Joined: 16 Sep 2004
Posts: 535

PostPosted: Sun Mar 19, 2006 3:26 pm    Post subject: Reply with quote

Sorry, I was waiting for this to unload my thoughts...
erikstotle wrote:
They get incessently annoying.

Filter them in syslog ;)

Seriously, I repeat I think this issue is overrated. Trying 1 to 3 possible passwords on 100 accounts is no threat to security unless you have users with passwords such as "12345", "hello" or username_spelled_backwards.

It would be a threat if there was a security hole in ssh. There will be a threat when there is a known security hole in ssh. To reduce the likelihood of a successful attack, I would recommend a nonstandard port, possibly disabling password logins, possibly portknocking. About any ratelimiting solutions with iptables, be careful, you might lock yourself out. The IP droplist might be good, too, for any attack, but also makes a DOS attack possible (with IP spoofing).

And start worrying about real security problems. Especially if you think WEP provides any security (it doesn't).
Back to top
View user's profile Send private message
jamapii
Guru
Guru


Joined: 16 Sep 2004
Posts: 535

PostPosted: Sun Mar 19, 2006 3:31 pm    Post subject: Reply with quote

dpetka2001 wrote:
hello just got back home and observed a strange in my computer...some files and directories were deleted and i found them in the Trash Can...the thing is that they were in different spots in my Desktop


looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock

There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.
Back to top
View user's profile Send private message
linuxgeekery
n00b
n00b


Joined: 07 Jun 2005
Posts: 27

PostPosted: Sun Mar 19, 2006 6:57 pm    Post subject: Re: Script update Reply with quote

MrUlterior wrote:
linuxgeekery wrote:
Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.


Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.



This proves once again that I am very incompetent with creating honeypots and things of that sort. :wink: Thanks for the information. I read up on connection tarpitting. Seems interesting...
_________________
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination
Back to top
View user's profile Send private message
dpetka2001
l33t
l33t


Joined: 04 Mar 2005
Posts: 804

PostPosted: Sun Mar 19, 2006 9:15 pm    Post subject: Reply with quote

jamapii wrote:
looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock

There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access.
well a friend of mine checked on my system with Nessus and told me that it found only 2 services running...a pop server (freepops) and a web server (amuleweb)...i don't have any services running except from the above mentioned...i don't think i have a weak password as it is 9 characters long including numbers...there's no vnc running...i run KDE and am not aware of any such feature nor do i know if it's activitated by default...how can i activate xlock if there is such thing in KDE?? thanks...
Back to top
View user's profile Send private message
mpicklesimer
n00b
n00b


Joined: 22 Mar 2006
Posts: 59
Location: Boston, MA

PostPosted: Wed Mar 22, 2006 5:50 pm    Post subject: Stupid question Reply with quote

I have an OpenBSD box running 'pf' for the firewall on my home network. I'm wondering if it would be worth the time to block all traffic coming from those ips? What would you suggest (if different) if I were talking about a business site? Not that much of this matters, cuz I'm using strong keys instead of passwords, but I'm just curious.
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Thu Mar 23, 2006 5:50 pm    Post subject: Reply with quote

I'm putting a honeypot on my server with the username/password test.

It basically logs the date and time the script is executed, then cats /dev/random to them until the bot forces the machine's RAM to spill over to SWAP and eventually DoS. Aside from wasting bandwidth that I have plenty to spare of, it should also help alert the server-admin to trouble.

And to cover my buttocks, there is a message in my sshd.motd that says unauthorized access is prohibited.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2, 3 ... 16, 17, 18
Page 18 of 18

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum