i got hacked. what were they up to?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
443 posts, page 16 of 18
bakaohki
Tux's lil' helper
Posts: 129
Joined: Thu Jul 14, 2005 7:12 pm
Location: Hungary

Post by bakaohki » Sat Sep 10, 2005 8:58 pm

I shouldn't even bother to post, because what I'm saying is so trivial: USE A DEDICATED FIREWALL :evil:. Everyone out there. You can use Gentoo, Debian, whatever; I prefer FloppyFW with a fanless dumb P1 75 MHz (put together from used garbage). And of course use strong passwords and iptables firewalls for the internal machines. Duh. Surfing on the net without a firewall is like walking around in the city without clothes; if you have weak passwords and open ssh ports, then it means you're a hot babe without clothes in the worst area of the city at midnight waving a sign "kidnap me"...

audiodef
Watchman
Posts: 6656
Joined: Wed Jul 06, 2005 1:02 pm
Location: The soundosphere

Mystery logout

Post by audiodef » Tue Sep 13, 2005 12:27 pm

I think someone may have been trying to use my Gentoo box at my office, after hours. I had it up and running one day, screen locked, and logged out the next day. At best, someone hit the computer's reset button, but where would I look to find out exactly what happened? I know it's probably not a power failure because 1. another computer was still on the way I left it and 2. I don't think the computer is set up to reboot after a power failure.

jamapii
l33t
Posts: 637
Joined: Thu Sep 16, 2004 6:22 pm

Post by jamapii » Sat Sep 17, 2005 6:58 pm

There is /var/log/syslog

If it was xlock, maybe it crashed.

Maybe someone switched it off for some reason, then changed their mind and switched it on again.

...

trip
n00b
Posts: 6
Joined: Tue May 10, 2005 4:48 pm
Location: nineth plane of hell

Post by trip » Mon Sep 26, 2005 7:19 am

how do you turn off passwd-less logins? and is making a passwd-less account as easy as not typing any when creating the account? sorry for the noob questions but I want to know exactly what to do in the little time I have. :D
tnx in advance
using linux since may 2005
using gentoo since sept. 2005

Testing and Research In Progress

quantus
n00b
Posts: 60
Joined: Tue Jul 30, 2002 3:30 am

PAM...

Post by quantus » Mon Sep 26, 2005 10:43 pm

trip wrote:how do you turn off passwd-less logins? and is making a passwd-less account as easy as not typing any when creating the account? sorry for the noob questions but I want to know exactly what to do in the little time I have. :D
tnx in advance
I'm a little fuzzy on your question... see if this helps you out: Hardening PAM

nhaggin
n00b
Posts: 74
Joined: Sat Jun 15, 2002 6:44 pm
Location: Illinois, USA

Post by nhaggin » Wed Oct 05, 2005 3:40 pm

Reply a little late to this, but I didn't see it until now....
segedunum wrote:
The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to.
That's the usual cop-out rubbish I'm afraid.
It might interest you to know that I'm not running a public SSH server, and that I do use OpenVPN to remotely administer my machine.

As to the rest of your reply: I was not attempting to ridicule your advice, nor was I making several of the assumptions you suggested I was; if my choice of language implied that, I apologize. I meant to indicate that, if one hardens one's SSH setup, one can expose it to the Internet, even on port 22, without immediate and grave danger, although there is still some danger present. IOW, it's not completely insane to have publicly-available SSH, although, as you have indicated, certain other systems are more secure.
Nick

A.M.D.G.

robinmdh
n00b
Posts: 6
Joined: Sat Oct 01, 2005 12:02 am

Post by robinmdh » Wed Oct 05, 2005 7:14 pm

Code:

Oct  2 10:52:23 [sshd] Invalid user anna from 210.6.64.3
Oct  2 10:52:31 [sshd] Invalid user arthur from 210.6.64.3
Oct  2 10:52:38 [sshd] Invalid user aron from 210.6.64.3
Oct  2 10:52:42 [sshd] Invalid user austin from 210.6.64.3
Oct  2 10:52:46 [sshd] Invalid user barbara from 210.6.64.3
Oct  2 10:52:50 [sshd] Invalid user bart from 210.6.64.3
Oct  2 10:52:53 [sshd] Invalid user ben from 210.6.64.3
Oct  2 10:52:57 [sshd] Invalid user beny from 210.6.64.3
Oct  2 10:53:02 [sshd] Invalid user bert from 210.6.64.3
Oct  2 10:53:05 [sshd] Invalid user bill from 210.6.64.3
Oct  2 10:53:13 [sshd] Invalid user bind from 210.6.64.3
Oct  2 10:53:17 [sshd] Invalid user bob from 210.6.64.3
Oct  2 10:53:20 [sshd] Invalid user bobby from 210.6.64.3
Oct  2 10:53:24 [sshd] Invalid user bret from 210.6.64.3
Oct  2 10:53:27 [sshd] Invalid user brian from 210.6.64.3
Oct  2 10:53:31 [sshd] Invalid user bruce from 210.6.64.3
Oct  2 10:53:36 [sshd] Invalid user carl from 210.6.64.3
Oct  2 10:53:39 [sshd] Invalid user carol from 210.6.64.3
Oct  2 10:53:45 [sshd] Invalid user cesar from 210.6.64.3
Oct  2 10:53:48 [sshd] Invalid user clark from 210.6.64.3
Oct  2 10:53:51 [sshd] Invalid user clinton from 210.6.64.3
Oct  2 10:53:55 [sshd] Invalid user corinna from 210.6.64.3
Oct  2 10:53:59 [sshd] Invalid user craig from 210.6.64.3
Oct  2 10:54:02 [sshd] Invalid user daniel from 210.6.64.3
Oct  2 10:54:06 [sshd] Invalid user danny from 210.6.64.3
Oct  2 10:54:11 [sshd] Invalid user dave from 210.6.64.3
Oct  2 10:54:14 [sshd] Invalid user dexter from 210.6.64.3
Oct  2 10:54:18 [sshd] Invalid user dick from 210.6.64.3
Oct  2 10:54:21 [sshd] Invalid user earl from 210.6.64.3
Oct  2 10:54:26 [sshd] Invalid user ed from 210.6.64.3
Oct  2 10:54:30 [sshd] Invalid user eddie from 210.6.64.3
Oct  2 10:54:33 [sshd] Invalid user edgar from 210.6.64.3
Oct  2 10:54:37 [sshd] Invalid user ellen from 210.6.64.3
Oct  2 10:54:40 [sshd] Invalid user emil from 210.6.64.3
Oct  2 10:54:45 [sshd] Invalid user enzo from 210.6.64.3
Oct  2 10:54:48 [sshd] Invalid user felix from 210.6.64.3
Oct  2 10:54:52 [sshd] Invalid user fred from 210.6.64.3
Oct  2 10:54:57 [sshd] Invalid user francis from 210.6.64.3
Oct  2 10:55:02 [sshd] Invalid user harry from 210.6.64.3
Oct  2 10:55:06 [sshd] Invalid user ian from 210.6.64.3
Oct  2 10:55:10 [sshd] Invalid user ismail from 210.6.64.3
Oct  2 10:55:20 [sshd] Invalid user james from 210.6.64.3
Oct  2 10:55:24 [sshd] Invalid user jesse from 210.6.64.3
lol
don't think i've been hacked but will step up on security!
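
What robinmdh's log shows is the classic username sweep: one source, a new name every few seconds. The Python below is an added example (not code from the thread, from Gentoo or from any of the tools named on this page) that parses lines in exactly that "[sshd] Invalid user X from IP" format and flags any source that tried at least ten distinct usernames within a five-minute window. The sample log is constructed: twelve of the lines from the post above, plus two from a benign address in the documentation range (192.0.2.10) standing in for a legitimate user mistyping a name; the year is an assumption, because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the metalog-style lines in the post:
# "Oct  2 10:52:23 [sshd] Invalid user anna from 210.6.64.3"
LOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\[sshd\] Invalid user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# syslog timestamps carry no year; one is assumed so the window arithmetic works.
ASSUMED_YEAR = 2005

# Constructed sample: twelve lines copied from the post (210.6.64.3) plus two
# from a benign address in the documentation range (192.0.2.10).
SAMPLE_LOG = """\
Oct  2 10:52:23 [sshd] Invalid user anna from 210.6.64.3
Oct  2 10:52:31 [sshd] Invalid user arthur from 210.6.64.3
Oct  2 10:52:38 [sshd] Invalid user aron from 210.6.64.3
Oct  2 10:52:42 [sshd] Invalid user austin from 210.6.64.3
Oct  2 10:52:46 [sshd] Invalid user barbara from 210.6.64.3
Oct  2 10:52:50 [sshd] Invalid user bart from 210.6.64.3
Oct  2 10:52:53 [sshd] Invalid user ben from 210.6.64.3
Oct  2 10:52:57 [sshd] Invalid user beny from 210.6.64.3
Oct  2 10:53:02 [sshd] Invalid user bert from 210.6.64.3
Oct  2 10:53:05 [sshd] Invalid user bill from 210.6.64.3
Oct  2 10:53:13 [sshd] Invalid user bind from 210.6.64.3
Oct  2 10:53:17 [sshd] Invalid user bob from 210.6.64.3
Oct  2 11:10:01 [sshd] Invalid user jbloww from 192.0.2.10
Oct  2 11:10:09 [sshd] Invalid user jbloww from 192.0.2.10
"""


def parse_line(line):
    """Return (timestamp, user, ip) for a matching line, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
    )
    return ts, m["user"], m["ip"]


def find_sweeps(lines, min_users=10, window=timedelta(minutes=5)):
    """Report each source IP that tried at least `min_users` distinct
    usernames inside some `window`-long span.  A single user mistyping
    their name never trips this; a username-list sweep does.
    Returns {ip: {"attempts": n, "users": k, "span_seconds": s}}."""
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[ip].append((ts, user))

    report = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until evs[lo..hi] fits inside it.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if len({u for _, u in evs[lo:hi + 1]}) >= min_users:
                report[ip] = {
                    "attempts": len(evs),
                    "users": len({u for _, u in evs}),
                    "span_seconds": int((evs[-1][0] - evs[0][0]).total_seconds()),
                }
                break
    return report


if __name__ == "__main__":
    for ip, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['users']} usernames in {info['attempts']} attempts "
              f"over {info['span_seconds']}s")
```

Counting distinct usernames rather than raw failures is the point: a real user who fat-fingers a password ten times produces one name, a dictionary bot produces ten. The two thresholds are the knobs an automatic blacklisting script would want to expose.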

pengatom
n00b
Posts: 14
Joined: Mon Oct 04, 2004 11:35 am
Location: Norway

Post by pengatom » Fri Oct 07, 2005 9:08 pm

I've got 23 000 "Failed password" logins in the last 3 months... Changed the ssh port, hopefully it gets better :)

In my iptables I've written:

iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

would the "ssh" port number change to whatever I set in sshd_conf, or does "ssh" mean port 22?

btw, if I try to set an "easy" password on a user, gentoo tells me this; anyone know what the definition of a "BAD password" is?

Malcolm
n00b
Posts: 59
Joined: Thu Jul 11, 2002 3:58 am
Location: Ontario, Canada

Post by Malcolm » Wed Oct 12, 2005 6:25 pm

I've gotten a lot of these break-in attempts as well, both through SSH and FTP. My suggestion is to set up an auto blacklisting script like ssh black.

I've had this setup on my system for 3 days now and the blacklist always has 5-10 IPs, rotating of course :)

Errtu
Apprentice
Posts: 155
Joined: Tue Nov 12, 2002 9:07 am
Location: Brazil

Post by Errtu » Thu Oct 13, 2005 10:06 am

I got tired of maintaining blacklists, scripts and other stuff to keep 'm out, so I just configured sshd to listen on a higher IP. Since I've done that I get no more of these attempts. And my logfile stays a bit cleaner too :)

Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Thu Oct 13, 2005 1:51 pm

I just grepped over my log and have about 2,000+ pages of attempts going back to August of this year.

All of them lame dictionary attempts. Does reporting these IPs to their respective ISPs help anything?
"It's ok, they might have guns but we have flowers." - Perpetual Victim

christsong84
Veteran
Posts: 1003
Joined: Sun Apr 06, 2003 10:04 pm
Location: GMT-8 (Spokane)

Post by christsong84 » Thu Oct 13, 2005 7:10 pm

bigun89 wrote:I just grepped over my log and have about 2,000+ pages of attempts going back to August of this year.

All of them lame dictionary attempts. Does reporting these IPs to their respective ISPs help anything?
sometimes but not often. I generally report those IPs to them anyways... might as well, it can't hurt anything. I've gotten three ISPs who've actually done something and asked me to let them know if things happen again. :)
while(true) {self.input(sugar);} :twisted:

oracleofmist
Apprentice
Posts: 235
Joined: Sat Jun 19, 2004 6:10 pm

Post by oracleofmist » Sat Oct 15, 2005 12:13 am

on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols I've also taken the liberty of changing my ftp, ssh services to high port numbers. good practice?
Segmentation Fault

Bigun
Advocate
Posts: 2198
Joined: Sun Sep 21, 2003 3:45 am

Post by Bigun » Sat Oct 15, 2005 2:55 pm

oracleofmist wrote:on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols I've also taken the liberty of changing my ftp, ssh services to high port numbers. good practice?
Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out.
"It's ok, they might have guns but we have flowers." - Perpetual Victim

chrispolderman
n00b
Posts: 14
Joined: Wed Oct 12, 2005 10:53 am

Post by chrispolderman » Mon Oct 24, 2005 5:52 am

Is there a solid way to trace back the IP number in question and obtain the abuse email address for the corresponding ISP, or am I just speaking nonsense here?

Would be a nice script: more than 20 password tries logged and a process would automatically file a complaint to the corresponding ISP...

Is this possible (apart from spoofed IPs of course)..?

Chris

dsb
n00b
Posts: 30
Joined: Thu Sep 09, 2004 3:58 am
Location: MO

Post by dsb » Tue Oct 25, 2005 7:33 am

My traceroute shows they are coming from China

shiggity s
n00b
Posts: 11
Joined: Wed Oct 26, 2005 7:02 am

Post by shiggity s » Wed Oct 26, 2005 7:03 am

Those crazy Chinese hackers

Cinder6
l33t
Posts: 767
Joined: Thu Aug 05, 2004 4:33 am
Location: California

Post by Cinder6 » Thu Oct 27, 2005 10:58 pm

I've been getting some from South Korea, and a couple that IP locators can't find :(
Knowledge is power.
Power corrupts.
Study hard.
Be evil.

Ugly Overload

Monkeh
Veteran
Posts: 1656
Joined: Sat Aug 06, 2005 11:58 am
Location: England

Post by Monkeh » Fri Oct 28, 2005 12:37 am

bigun89 wrote:
oracleofmist wrote:on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols I've also taken the liberty of changing my ftp, ssh services to high port numbers. good practice?
Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out.
There's nothing wrong with security by obscurity, in fact it's a good practice. Just don't rely on it.

heartburn
n00b
Posts: 40
Joined: Fri Oct 18, 2002 6:24 pm

Post by heartburn » Thu Nov 03, 2005 11:17 pm

I'm not sure if it's been mentioned yet on this thread (it's a very long thread). But you can configure sshd to use DSA authentication instead of PasswordAuthentication. Then, a cracker would need an existing user's private key to use ssh.

You can find the instructions here:
http://www.gentoo.org/doc/en/articles/o ... =printable

Also, logwatch makes a nice daily report of login attempts:

Code:

--------------------- SSHD Begin ------------------------ 

 
 Didn't receive an ident from these IPs:
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
    xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
 
 Failed logins from these:
    invalid user admin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user administrator (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user carol (password) from ::ffff:xxx.xxx.xxx.xxx: 2 Time(s)
    invalid user jack (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    invalid user marvin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
    root/password from ::ffff:xxx.xxx.xxx.xxx: 31 Time(s)

 Users logging in through sshd:
    jblow:
       xxx.xxx.net (xxx.xxx.xxx.xxx): 4 times
 
 ---------------------- SSHD End -------------------------  
I also have a script to page me when someone successfully logs on through ssh. That's not too practical if you have lots of users. But it's good if you aren't expecting any logins. I think I stole this script from somewhere else in this forum (my apologies to its author).

Code:

#!/bin/bash
# Send a brief alert with connection details
# (meant to be run from the login profile; recipients come from
#  /etc/ssh/notify, one "address [cc|bcc]" per line, '#' lines ignored;
#  ${address:0:1} below is a bashism, hence the shebang)

when=`/usr/bin/date`
# first field of SSH_CONNECTION is the client address; the cut on ':'
# strips the "::ffff:" prefix from IPv4-mapped addresses
where=`echo $SSH_CONNECTION|cut -f1 -d' '|cut -f4 -d:`

if [ -z "$SSH_TTY" ] ; then
  what="Connect by $USER"
else
  what="Login by $USER on $SSH_TTY"
fi

mailto=""
cc_to=""
bcc_to=""

while read -r address mode
do
  # skip blank lines and comments
  if [ -z "$address" -o "${address:0:1}" = "#" ] ; then continue; fi

  if [ "x$mode" = "xcc" -o "x$mode" = "xCC" ] ; then
    cc_to=${cc_to:+${cc_to},}$address
  elif [ "x$mode" = "xbcc" -o "x$mode" = "xBCC" ] ; then
    bcc_to=${bcc_to:+${bcc_to},}$address
  else
    mailto=${mailto:+${mailto},}$address
  fi
done </etc/ssh/notify

# fall back to "operator" when the notify file names nobody
mailto=${mailto:-operator}
cc_to=${cc_to:+"-c $cc_to"}
bcc_to=${bcc_to:+"-b $bcc_to"}
mail ${cc_to} ${bcc_to} -s "SSH Alert" ${mailto} >&2 <<-EOM
  ${what} from ${where} at ${when}
EOM
~~~~~EDIT~~~~~
I just did a search and it seems that I stole the script from timeBandit. He has written an excellent HOW-TO about it here:
http://forums.gentoo.org/viewtopic-t-39 ... tails.html
Last edited by heartburn on Thu Nov 03, 2005 11:28 pm, edited 1 time in total.
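
heartburn's advice (key authentication, no PasswordAuthentication) is only as good as the global section of the sshd_config that actually gets loaded, and two parsing details trip people up: only the first occurrence of a keyword counts, and anything after a Match line is conditional rather than global. The Python below is an added example, not code from the thread or from OpenSSH, that applies those rules to two constructed configs, a weak one and a hardened one, and reports the settings that leave password guessing open. The defaults table follows sshd_config(5); PermitRootLogin is assumed at its older default of yes (OpenSSH 7.0 and later default to prohibit-password) so that the audit errs toward reporting.

```python
import re

# Constructed "before" config: the sort of defaults that let the logwatch
# report above show 31 password guesses against root.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed "after" config following the post's advice: keys only, no root
# password logins.  The Match block re-enables passwords for one user only and
# must not count as a global setting.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User jblow
    PasswordAuthentication yes
"""

# Defaults per sshd_config(5) for the keywords checked here.  PermitRootLogin
# is assumed at the "yes" default of this thread's era (7.0+ use
# "prohibit-password"), so an unset value is reported rather than ignored.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Keywords are case-insensitive, the first occurrence wins, and anything
    after the first Match line is conditional rather than global."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit(text):
    """Return [(code, message)] findings about password-based exposure."""
    s = global_settings(text)

    def effective(key):
        return s.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("passwordauthentication") == "yes":
        findings.append(("password-auth",
                         "PasswordAuthentication yes: dictionary attacks can succeed"))
    elif effective("challengeresponseauthentication") == "yes":
        # With UsePAM, keyboard-interactive can still ask for the Unix password
        # even though PasswordAuthentication is off.
        findings.append(("kbd-interactive",
                         "ChallengeResponseAuthentication yes: PAM can still prompt for a password"))
    if effective("pubkeyauthentication") == "no":
        findings.append(("no-pubkey", "PubkeyAuthentication no: nothing left but passwords"))
    if effective("permitrootlogin") == "yes":
        findings.append(("root-login", "PermitRootLogin yes: root reachable by password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [code for code, _ in audit(cfg)] or "clean")
```

The ChallengeResponseAuthentication branch is the caveat worth remembering: turning off PasswordAuthentication alone is not the end of password logins on a PAM-enabled sshd, which is why the hardened config sets both to no.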

abaelinor
n00b
Posts: 51
Joined: Sat Aug 27, 2005 5:49 pm

Post by abaelinor » Tue Nov 08, 2005 4:58 am

aa
Last edited by abaelinor on Tue Oct 21, 2008 4:28 am, edited 1 time in total.

heartburn
n00b
Posts: 40
Joined: Fri Oct 18, 2002 6:24 pm

Post by heartburn » Tue Nov 08, 2005 5:39 am

Like I said, I stole it from timeBandit. He deserves the credit. But I've been using it for about two weeks and it works great. I love hearing my phone make a satisfying chirp every time I log on. And I like hearing nothing when I'm not logging on even better :)

d11wtq
Apprentice
Posts: 192
Joined: Thu Jul 14, 2005 6:35 am
Location: Manchester, UK

Post by d11wtq » Fri Nov 11, 2005 10:38 am

Hopefully I've not missed something... I just read 16 pages of thread very quickly. What a great thread!

I run a web server. I'm not being paranoid but this has made me think a lot about security considerations. One thing that worries me is that I have set up user accounts for friends & family on my server (shell accounts/ftp/virtualhost apache accounts) so they can host websites too.

Everyone seems to only be mentioning SSH attacks... all of my users (most know virtually nothing about *nix) have shell access by SSH. The worrying thing is that I'm relying upon them to use secure passwords too now. How can I force increased password security? I want them all to log in and do a passwd, then I want passwd to make sure their passwords:

a) Contain at least 8 characters
b) Contain at least 2 numbers
c) Contain a mixture of uppercase and lowercase letters

passwd already forces at least *6* chars but the rest is perfectly allowed :(

I'm amazed we're only discussing SSH. Is FTP any security risk? It uses the same passwords as the shell access and all users are chrooted to their home directory. Hell... I've even been told you can compromise a box by telnetting to port 80 (HTTP) and doing some magic :?

I've already installed and changed a few configs during the course of this thread... I may as well do this extra thing with the passwords too. I'll run a "last" command every so often so that users who aren't using SSH have their access removed temporarily too. They'd just get a message upon successful login which says that they need to contact me to have their access re-enabled and then it disconnects again.

Password criteria help anyone?
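
d11wtq's three rules are simple enough to state precisely, and writing them down shows the gap in them. The Python below is an added example, not code from the thread or from any PAM module, that applies the rules (at least 8 characters, at least 2 digits, a mix of upper- and lowercase) and adds the dictionary check the rules alone miss: "Password12" passes all three. The candidate passwords and the small wordlist are constructed, not real credentials; a PAM module does this job at passwd time, which is where such a policy belongs.

```python
import re

# Thresholds taken from d11wtq's three rules; the wordlist is a constructed
# stand-in for the dictionary a real password-quality module would consult.
MIN_LENGTH = 8
MIN_DIGITS = 2
COMMON_WORDS = {"password", "letmein", "qwerty", "gentoo", "welcome"}


def password_problems(password, username=None):
    """Return the list of rules a candidate password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("no mix of upper- and lowercase letters")
    # The three rules alone still accept "Password12": reduce the password to
    # its letters and refuse anything that is just a known word or the
    # username dressed up with digits and case changes.
    core = re.sub(r"[^a-z]", "", password.lower())
    if username and core == username.lower():
        problems.append("based on the username")
    if core in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def check_batch(candidates):
    """Evaluate (username, password) pairs; returns {username: problems}."""
    return {user: password_problems(pw, user) for user, pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    results = check_batch([
        ("jblow", "jblow99"),
        ("carol", "Password12"),
        ("bert", "Tr0ub4dor&Gx"),
    ])
    for user, problems in results.items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Reporting every violated rule rather than a bare "BAD PASSWORD" is what answers pengatom's earlier question from the user's side: they can see which rule they tripped.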

Errtu
Apprentice
Posts: 155
Joined: Tue Nov 12, 2002 9:07 am
Location: Brazil

Post by Errtu » Fri Nov 11, 2005 1:19 pm

d11wtq:

Just doing some searching on freshmeat gives these projects:

http://freshmeat.net/projects/pam_pwcheck/
- The pam_pwcheck is a PAM module for password strength checking

http://freshmeat.net/projects/pam_passwdqc/
- pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1).


Maybe one of these could be of help?


Leon

d11wtq
Apprentice
Posts: 192
Joined: Thu Jul 14, 2005 6:35 am
Location: Manchester, UK

Post by d11wtq » Fri Nov 11, 2005 10:21 pm

Thanks. I've emerged pam_passwdqc so that should help. I haven't set it up yet but it looks simple enough :D