reup Guru
Joined: 13 May 2005 Posts: 419 Location: Nederland
|
Posted: Sat Sep 08, 2012 4:54 pm Post subject: Have I been hacked? |
|
|
hello all,
I am not too good with security and was wondering if this means that the hacker succeeded in logging in or not:
Code: | Sep 8 18:00:38 myhost sshd[25129]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-1981;Name: root [preauth]
Sep 8 18:00:38 myhost sshd[25129]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep 8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep 8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2023;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep 8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep 8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep 8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2056;Protocol: 2.0;Client: libssh2_1.0
Sep 8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2056;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep 8 18:00:40 myhost sshd[25143]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2056;Name: root [preauth]
Sep 8 18:00:40 myhost sshd[25143]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
|
I do not know this hostname:
Code: | nslookup 178.141.52.64
Server: 4.2.2.4
Address: 4.2.2.4#53
Non-authoritative answer:
64.52.141.178.in-addr.arpa name = dynamic-178-141-52-64.kirov.comstar-r.ru.
|
Normally, my host has only ssh, http and ftp enabled using iptables, and I use denyhosts to protect against ssh attacks.
If someone could help me to interpret this, it would be great.
thx
reup _________________ reup
"Don't wiggle the tail of the frog in the oil of the frying peanuts" |
roravun Tux's lil' helper
Joined: 05 Sep 2012 Posts: 82
|
Posted: Sat Sep 08, 2012 8:17 pm Post subject: |
|
|
No, it does not. If someone broke in, you would see something like Quote: | pam_unix(sshd:session): session opened |
Try 'last' to see a list of past logins.
These messages are just a sign of ssh bots brute-forcing your host. This happens to almost every machine connected to the internet (at least that is my experience). I strongly recommend you install sshguard, which can blacklist IPs when it detects a brute-force attempt. |
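The distinction drawn in the reply above, as an added example that is not part of the original thread: it groups sshd log lines by process ID and reports whether each connection ever got past the `[preauth]` stage. The successful-login lines, the user `alice`, the address `192.0.2.10` and the function names are constructed for illustration; the first three sample lines use the format quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample. The first three lines copy the format quoted in the thread;
# the last two are constructed stock OpenSSH/PAM lines for a successful login.
SAMPLE_LOG = """\
Sep 8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep 8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep 8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep 8 19:12:01 myhost sshd[26001]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Sep 8 19:12:01 myhost sshd[26001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
AUTHNAME_RE = re.compile(r"Ltype: Authname;Remote: ([\d.]+)-\d+;Name: (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")
SESSION_RE = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")

def classify(log_text):
    """Group sshd lines by PID; return {pid: state} for each connection."""
    conns = defaultdict(lambda: {"user": None, "ip": None,
                                 "authenticated": False, "preauth_drop": False})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        state, msg = conns[int(m.group(1))], m.group(2)
        if (a := AUTHNAME_RE.search(msg)):
            # Only the user name the client asked for; no credential was accepted.
            state["ip"], state["user"] = a.group(1), a.group(2)
        elif (a := ACCEPTED_RE.search(msg)):
            state["user"], state["ip"] = a.group(2), a.group(3)
            state["authenticated"] = True
        elif SESSION_RE.search(msg):
            state["authenticated"] = True
        elif msg.startswith("Received disconnect") and msg.endswith("[preauth]"):
            state["preauth_drop"] = True
    return dict(conns)

def successful_logins(log_text):
    """Return (user, ip) pairs for connections that authenticated."""
    return [(s["user"], s["ip"]) for s in classify(log_text).values()
            if s["authenticated"]]

if __name__ == "__main__":
    for pid, s in classify(SAMPLE_LOG).items():
        verdict = "LOGIN" if s["authenticated"] else "no login (pre-auth only)"
        print(pid, s["user"], s["ip"], verdict)
```
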
reup Guru
Joined: 13 May 2005 Posts: 419 Location: Nederland
|
Posted: Sat Sep 08, 2012 8:23 pm Post subject: |
|
|
thanks Roravun for your reply
I use denyhosts; it also blacklists IPs with 3 failed attempts
I will try sshguard
thanks again, I will sleep better tonight _________________ reup
"Don't wiggle the tail of the frog in the oil of the frying peanuts" |
kimmie Guru
Joined: 08 Sep 2004 Posts: 531 Location: Australia
|
Posted: Sun Sep 09, 2012 12:46 pm Post subject: |
|
|
reup,
Change the port you run ssh on; that will stop 99.99% of hack attempts. It's in /etc/ssh/sshd_config... change "Port 22" to "Port <random>", where <random> is a port you pick randomly between 10000 and 65000, say. Then you can use "ssh -p <random>" from your clients.
Soon you will decide it's totally crap typing that at your clients instead of just "ssh", so you put it in ~/.ssh/config like this:
Code: |
Host <all aliases you reach your host by>
# eg. Host homer homer.dyndns.org homer.lan
Port <random>
|
If you do that, and use public key identification instead of passwords, you can just forget about running denyhosts or whatever. |
reup Guru
Joined: 13 May 2005 Posts: 419 Location: Nederland
|
Posted: Sun Sep 09, 2012 12:51 pm Post subject: |
|
|
thanks kimmie,
good advice
I am already using public key identification so it will be an easy move _________________ reup
"Don't wiggle the tail of the frog in the oil of the frying peanuts" |