mpalladi n00b
Joined: 16 Apr 2003 Posts: 47
Posted: Mon Sep 06, 2004 4:06 am Post subject:
I've just been 'done over' using a test:test account.
https://forums.gentoo.org/viewtopic.php?t=218822
What I can say is this:
I usually run ssh on a different port, and only had port 22 open and the test account created for a short time, a few hours whilst I was trying to get freenx working.
What I can't understand is even if someone *did* get into my test account, how did they root me? It must have been an exploit of some sort, but I am pretty up to date with emerge syncs and emerge -u system
Mark
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Tue Sep 07, 2004 9:01 pm Post subject:
dat wrote: | rtn wrote: | dat wrote: | BlinkEye wrote: | he wasn't using anything. these are logs from his system because someone tried (and failed) to login.
this line is special though:
Code: | Aug 13 20:09:29 [sshd] reverse mapping checking getaddrinfo for dialup686.gent.skynet.be failed - POSSIBLE BREAKIN ATTEMPT! |
which means, that he uses some security software. |
Yeah, that was the line that caught my eye too. I figured he was using some different system logger than I use and that was adding those entries in there. Anyone know what added security software he might be using? Or more importantly, a good add-on to use? (Hopefully not too OT) |
That's actually from OpenSSH. If you look in the file canohost.c in the
openssh sources:
Code: | if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
    logit("reverse mapping checking getaddrinfo for %.700s "
        "failed - POSSIBLE BREAKIN ATTEMPT!", name);
    return xstrdup(ntop);
} |
--rtn |
Weird.. I use openssh and it doesn't log anything like that on failed login attempts.
UPDATE: nm, it's there.. |
i'm still very much interested in that feature because i use openSSH too! any hint?
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
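What that canohost.c branch actually decides, modelled as an added example (this is not OpenSSH's code): sshd resolves the client's address to a name, then resolves that name forward again, and only trusts the name if it maps back to the connecting address. The DNS lookups are injected functions over constructed records (TEST-NET addresses), so it runs offline; the first warning is the wording quoted above, the second is paraphrased rather than sshd's exact message.

```python
"""Model of the reverse-mapping check in OpenSSH's canohost.c.

Added example, not OpenSSH's code. DNS lookups are injected functions so
the logic runs offline against constructed records.
"""

# Constructed DNS data (TEST-NET addresses, not real hosts).
PTR_RECORDS = {
    "198.51.100.7": "dialup686.gent.skynet.be",  # PTR exists, name has no A record
    "203.0.113.9": "shell.example.net",          # PTR and A agree
    "192.0.2.77": "shell.example.net",           # PTR points at a name that maps elsewhere
}
A_RECORDS = {
    "shell.example.net": ["203.0.113.9"],
}


def ptr_lookup(ip):
    """Stand-in for getnameinfo(): address -> name, or None if no PTR."""
    return PTR_RECORDS.get(ip)


def addr_lookup(name):
    """Stand-in for getaddrinfo(): name -> addresses, or None on failure."""
    return A_RECORDS.get(name)


def check_reverse_mapping(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Return (name_to_use, warning) following sshd's decision order.

    sshd only trusts the reverse name if it resolves forward again to the
    connecting address; otherwise it keeps the numeric address and logs.
    """
    name = ptr(ip)
    if name is None:
        return ip, None                      # no PTR: nothing to check, use the IP
    addrs = addr(name)
    if addrs is None:
        # Forward lookup of the reverse name failed: the branch quoted above.
        return ip, ("reverse mapping checking getaddrinfo for %s "
                    "failed - POSSIBLE BREAKIN ATTEMPT!" % name)
    if ip not in addrs:
        # Name resolves, but not back to the client (paraphrased wording).
        return ip, ("address %s maps to %s, but this does not map back "
                    "to the address - POSSIBLE BREAKIN ATTEMPT!" % (ip, name))
    return name, None                        # forward-confirmed: safe to use the name


if __name__ == "__main__":
    for client in ("203.0.113.9", "192.0.2.5", "198.51.100.7", "192.0.2.77"):
        print(client, "->", check_reverse_mapping(client))
```

The line in the log therefore says nothing about a break-in as such: it records that the client's PTR name could not be resolved forward, which happens with sloppy dial-up reverse DNS just as much as with a deliberately forged PTR record. The useful signal is the address and the authentication outcome logged next to it, not the warning itself.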
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Tue Sep 07, 2004 9:07 pm Post subject:
mpalladi wrote: | I've just been 'done over' using a test:test account.
https://forums.gentoo.org/viewtopic.php?t=218822
What I can say is this:
I usually run ssh on a different port, and only had port 22 open and the test account created for a short time, a few hours whilst I was trying to get freenx working.
What I can't understand is even if someone *did* get into my test account, how did they root me? It must have been an exploit of some sort, but I am pretty up to date with emerge syncs and emerge -u system
Mark |
well, i don't understand that either. but what makes you so sure he got root access? if he really did, we all got a problem
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
indanet n00b
Joined: 05 Sep 2004 Posts: 54
Posted: Tue Sep 07, 2004 10:43 pm Post subject: Re: ssh worms, cont.d
Thanks for this thread, very informative!
nok wrote: | Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.
If you really only want to use ssh from a few known addresses, try limiting access by address. | That's a good point. Is it possible to configure OpenSSHd in a way that allows root login from the local network, but not from outside? I did not find information on the internet on how to do that.
My problem is that my server has no keyboard attached, so it would be very handy if root login were possible from the local network (although I could live without it).
EDIT: Could this goal be accomplished with /etc/login.access? If I only wanted root to be able to login from 192.168.0.2, 192.168.0.4, 192.168.0.5 and e.g. the keyboard, I would write the following line into my login.access file:
Code: | # /etc/login.access
-:root:ALL EXCEPT 192.168.0.2 192.168.0.4 192.168.0.5 LOCAL |
Would this file be valid?
Best regards
indanet
Last edited by indanet on Tue Sep 07, 2004 11:00 pm; edited 1 time in total
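A way to answer "would this file be valid?" without risking a lockout is to evaluate the rule offline. The following is an added example, not the page's code and not pam_access itself: a small evaluator for the login.access / access.conf format (permission:users:origins, first matching line wins, unmatched users are allowed). It is a simplified model: group names are not expanded, and LOCAL matches any origin string without a dot, i.e. a tty name rather than a remote host. Whether sshd consults this file at all depends on it running with PAM and pam_access being in sshd's PAM stack, and sshd's own PermitRootLogin setting is checked independently of it.

```python
"""Evaluator for the /etc/login.access (pam_access access.conf) format.

Added example, not the page's or pam_access's code. Simplified model:
"permission:users:origins" per line, first matching line wins, a user no
line matches is allowed; group names are not expanded, and LOCAL matches
any origin without a dot (a tty name), which is what pam_access did here.
"""

# The line proposed in the post, embedded so the check runs offline.
ACCESS_FILE = """\
# /etc/login.access
-:root:ALL EXCEPT 192.168.0.2 192.168.0.4 192.168.0.5 LOCAL
"""


def parse_access(text):
    """Return [(perm, user_tokens, origin_tokens)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field in line: %r" % raw)
        rules.append((perm, users.split(), origins.split()))
    return rules


def _item_matches(pattern, value, is_origin):
    if pattern == "ALL":
        return True
    if is_origin and pattern == "LOCAL":
        return "." not in value              # console/tty, not a remote host
    if is_origin and pattern.endswith("."):
        return value.startswith(pattern)     # network prefix such as 192.168.0.
    return pattern == value


def _list_matches(tokens, value, is_origin):
    """Match a users or origins field, honouring 'A B EXCEPT C D'."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    return (any(_item_matches(p, value, is_origin) for p in included)
            and not any(_item_matches(p, value, is_origin) for p in excluded))


def is_allowed(rules, user, origin):
    """First rule whose users and origins both match decides; else allow."""
    for perm, users, origins in rules:
        if _list_matches(users, user, False) and _list_matches(origins, origin, True):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_access(ACCESS_FILE)
    for who, where in [("root", "192.168.0.2"), ("root", "192.168.0.3"),
                       ("root", "tty1"), ("root", "dialup686.gent.skynet.be"),
                       ("mark", "203.0.113.9")]:
        print("%-5s from %-26s -> %s" % (who, where, "allow" if is_allowed(rules, who, where) else "deny"))
```

Under this model the proposed line does what the post intends: root from the three listed addresses or from the console is allowed, root from anywhere else is denied, and other users are untouched. The remaining caveat is operational rather than syntactic: the origin string pam_access sees is whatever sshd hands it, an address or a hostname depending on sshd's own DNS settings, so the addresses in the file must match that form.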
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Tue Sep 07, 2004 10:59 pm Post subject:
use a key (RSA for example)
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
Zepp Veteran
Joined: 15 Mar 2004 Posts: 1246 Location: Ontario, Canada
Posted: Tue Sep 07, 2004 11:45 pm Post subject: Re: ssh worms, cont.d
indanet wrote: | Thanks for this thread, very informative!
nok wrote: | Consider forbidding ssh root logins -- a very good idea, since root is one username that no-one needs to guess.
If you really only want to use ssh from a few known addresses, try limiting access by address. | That's a good point. Is it possible to configure OpenSSHd in a way that allows root login from the local network, but not from outside? I did not find information on the internet on how to do that.
My problem is that my server has no keyboard attached, so it would be very handy if root login were possible from the local network (although I could live without it).
EDIT: Could this goal be accomplished with /etc/login.access? If I only wanted root to be able to login from 192.168.0.2, 192.168.0.4, 192.168.0.5 and e.g. the keyboard, I would write the following line into my login.access file:
Code: | # /etc/login.access
-:root:ALL EXCEPT 192.168.0.2 192.168.0.4 192.168.0.5 LOCAL |
Would this file be valid?
Best regards
indanet |
don't allow root login and just have a regular user in the wheel group so you can ssh in as whatever user, then su to get root access on your server.
indanet n00b
Joined: 05 Sep 2004 Posts: 54
Posted: Tue Sep 07, 2004 11:56 pm Post subject: Re: ssh worms, cont.d
Zepp wrote: | indanet wrote: | If I only wanted root to be able to login from 192.168.0.2, 192.168.0.4, 192.168.0.5 and e.g. the keyboard, I would write the following line into my login.access file:
Code: | # /etc/login.access
-:root:ALL EXCEPT 192.168.0.2 192.168.0.4 192.168.0.5 LOCAL |
Would this file be valid? |
don't allow root login and just have a regular user in the wheel group so you can ssh in as whatever user, then su to get root access on your server. |
Thanks for the info. I know that, but would the above login.access file be valid? IMHO this would be a tad bit more comfortable. (I could simply try it out, but I don't want to end up being locked out of my server )
rav Tux's lil' helper
Joined: 24 Nov 2003 Posts: 114
Posted: Wed Sep 08, 2004 12:14 pm Post subject:
I think I'm pretty safe, considering that even if I was running an sshd I wouldn't even be able to get to it myself due to this crappy modem. However I was wondering why root isn't blocked by default in the configs? Also has anyone got a script to automatically blacklist any remote address which tries to login with root, w/o just parsing the logs?
Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]?
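The log-parsing variant of what rav asks for, as an added example (not the page's code): it reads sshd failure lines in the metalog "[sshd]" style the thread shows, collects addresses that tried root or piled up repeated failures, and renders the iptables DROP rules a blacklist script would apply. The log lines are constructed samples; the regular expression accepts both the older "illegal user" and the later "invalid user" wording. Anyone automating this should keep their own addresses on an allow list, otherwise a mistyped password from home blocks the administrator too.

```python
"""Build a block list from sshd authentication failures.

Added example, not the page's code. The log lines below are constructed
samples in metalog's "Mon DD HH:MM:SS [sshd] message" format.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep  8 11:02:13 [sshd] Failed password for root from 203.0.113.45 port 3021 ssh2
Sep  8 11:02:15 [sshd] Failed password for root from 203.0.113.45 port 3024 ssh2
Sep  8 11:02:18 [sshd] Failed password for illegal user test from 203.0.113.45 port 3027 ssh2
Sep  8 11:02:21 [sshd] Failed password for illegal user guest from 203.0.113.45 port 3030 ssh2
Sep  8 11:02:40 [sshd] Failed password for root from 198.51.100.9 port 4410 ssh2
Sep  8 11:03:01 [sshd] Accepted publickey for mark from 192.168.0.2 port 50012 ssh2
Sep  8 11:03:05 [sshd] Failed password for mark from 192.168.0.4 port 50020 ssh2
"""

# One authentication failure: method, optional unknown-user marker, user, source address.
FAILED_RE = re.compile(
    r"\[sshd\] Failed \w+ for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Yield (user, ip) for every sshd authentication failure in the text."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def blocklist(log_text, root_threshold=1, any_threshold=3, allow=()):
    """Addresses to block: root_threshold failed root logins, or any_threshold
    failures across all accounts. Addresses in `allow` are never listed."""
    root_fail = Counter()
    total_fail = Counter()
    for user, ip in failed_logins(log_text):
        total_fail[ip] += 1
        if user == "root":
            root_fail[ip] += 1
    blocked = {ip for ip, n in root_fail.items() if n >= root_threshold}
    blocked |= {ip for ip, n in total_fail.items() if n >= any_threshold}
    return sorted(blocked - set(allow))


def iptables_rules(addresses):
    """Render a DROP rule per address for the ssh port (the script's action)."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in addresses]


if __name__ == "__main__":
    for rule in iptables_rules(blocklist(SAMPLE_LOG, allow=("192.168.0.4",))):
        print(rule)
```

Matching on the username rather than on volume is what makes the root rule cheap: a single root attempt from outside is already a policy violation once root logins are disabled, while ordinary users get a threshold so one fat-fingered password does not cost them access.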
indanet n00b
Joined: 05 Sep 2004 Posts: 54
Posted: Wed Sep 08, 2004 12:33 pm Post subject:
rav wrote: | Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]? | If you want to see the logs for sshd, look into /var/log/sshd.
nyteryda Guru
Joined: 26 Jul 2003 Posts: 337 Location: London
Posted: Wed Sep 08, 2004 3:36 pm Post subject:
evoweiss wrote: |
Unfortunately, I managed to accidentally delete the email. Did anybody else receive something similar and how did they know I use a zywall router/firewall (lucky guess?).
|
Obviously I don't know for sure as your router/firewall is a different make to mine, but on my router it's pretty easy to tell who makes it...
Code: | nmap -sS -O -PI -PT <ROUTER-IP-ADDRESS> |
_________________
Code: | #include "forums.h"
int main() {while (bollox) postcount++;}
|
Last edited by nyteryda on Wed Sep 08, 2004 4:20 pm; edited 1 time in total
nyteryda Guru
Joined: 26 Jul 2003 Posts: 337 Location: London
Posted: Wed Sep 08, 2004 3:58 pm Post subject:
kalisphoenix wrote: |
I'm sure that there's some way to fuck someone up over ssh. I mean, the connection goes both ways, right?
|
Create a user with next to no rights (chroot ssh, just in case), called test with password test, in his home directory, create a windows exe file that deletes his C:\ Drive and call it my-hardcore-pornlinks.exe
_________________
Code: | #include "forums.h"
int main() {while (bollox) postcount++;}
|
Koon Retired Dev
Joined: 10 Dec 2002 Posts: 518
Posted: Wed Sep 08, 2004 4:08 pm Post subject:
mpalladi wrote: | What I can't understand is even if someone *did* get into my test account, how did they root me? It must have been an exploit of some sort, but I am pretty up to date with emerge syncs and emerge -u system |
Privilege escalation can be done through SUID-package bugs and (more often) kernel bugs. emerge -u system won't upgrade your kernels. Advice: follow GLSAs and upgrade kernels too.
--
Koon
Gentoo Linux Security Team
amne Bodhisattva
Joined: 17 Nov 2002 Posts: 6378 Location: Graz / EU
Posted: Wed Sep 08, 2004 6:35 pm Post subject:
rav wrote: | Btw, '/var/log/messages' is for syslog-ng right? what's the equivalent log file for metalog? /var/log/everything/[date]? |
/var/log/everything/current is the one used at the moment, the ones with a date are older versions (usually one for every day).
_________________ Dinosaur week! (Ok, this thread is so last week)
WhimpyPeon Apprentice
Joined: 18 Oct 2003 Posts: 158 Location: Columbus, Nebraska
Posted: Wed Sep 08, 2004 6:36 pm Post subject: Home Network Security
Good thread. I am far from the expert on security, however I finally just broke down and got a firewall/router/switch at the local store. I shelled out about $150 and got an 8 port switch with router and firewall functions. In advance it was a Netgear FVS318 but other vendors have similar things out there.
By the time you take into consideration the time spent tweaking your firewall rules it is worth that much to me. I ssh from work to an obscure port and the firewall redirects it to the standard ssh port on my gentoo box. The firewall ignores (stealth) any requests not from my work IP.
Gentoo can do bout anything, but in the end I thought it was money well spent.
PaV Apprentice
Joined: 28 Jan 2004 Posts: 176 Location: Poland
Posted: Wed Sep 08, 2004 8:37 pm Post subject:
you can always try some iptables script, like ipkungfu (which I'm using). i find iptables much easier to configure that way.
evoweiss Veteran
Joined: 07 Sep 2003 Posts: 1678 Location: Edinburgh, UK
Posted: Wed Sep 08, 2004 11:59 pm Post subject: Re: Home Network Security
WhimpyPeon wrote: | Gentoo can do bout anything, but in the end I thought it was money well spent. |
I thought the same thing when deciding how to secure my system, i.e., buying a router made security one less thing to worry about and provided the extra ports in case I had company, etc.
Also, I had a lot of hits on port 22 today (~120 from the same IP address). Thankfully, I am careful about passwords and accounts and nothing happened. However, I am beginning to think that I'd like to take the extra step and switch ssh over to some obscure port. Would I be right in assuming that I need to modify the sshd_config file by uncommenting the port line and giving it another port?
Also, is there a way I can determine which ports are not in use?
Best,
Alex
electric_hamster n00b
Joined: 06 Jun 2004 Posts: 13
Posted: Thu Sep 09, 2004 12:25 am Post subject:
kalisphoenix wrote: | I'm sure that there's some way to fuck someone up over ssh. I mean, the connection goes both ways, right? |
Doesn't actually fuck them up, but I've used it a few times on people who've annoyed me:
Code: | cat /dev/urandom | write USER |
It certainly results in a "WTF" moment for them
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Thu Sep 09, 2004 12:40 am Post subject: Re: Home Network Security
evoweiss wrote: | WhimpyPeon wrote: | Gentoo can do bout anything, but in the end I thought it was money well spent. |
I thought the same thing when deciding how to secure my system, i.e., buying a router made security one less thing to worry about and provided the extra ports in case I had company, etc.
Also, I had a lot of hits on port 22 today (~120 from the same IP address). Thankfully, I am careful about passwords and accounts and nothing happened. However, I am beginning to think that I'd like to take the extra step and switch ssh over to some obscure port. Would I be right in assuming that I need to modify the sshd_config file by uncommenting the port line and giving it another port?
Also, is there a way I can determine which ports are not in use?
Best,
Alex |
this is done easily with
there are quite a lot more options you might wanna use (type nmap --help), for example to spy out the operating system, or to narrow the search. two things to remember:
1. nmap-ing some host is called portknocking, which some or even most users consider an attack. it's comparable to checking someone's house to see if a door is open - although you're not entering it (yet). but you see, in fact it's really impolite and would cause a sensation in real life
2. if you or someone else uses some sort of firewall (for example iptables) you may simply drop or prohibit "pings" => it takes VERY long to scan a host (i recently had iptables which took 70 minutes to scan my box - i'm not at all an expert in that field and don't use these rules anymore - it's just for the record). so, for your box, ssh into it and do a
for your question about changing the port sshd runs on: yes, you may simply change
to whatever you want to (i suggest a really high number, i.e. <= 2^16)
[EDIT]nmap is a tool you'll have to emerge: net-analyzer/nmap[/EDIT]
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Thu Sep 09, 2004 12:41 am Post subject:
electric_hamster wrote: | kalisphoenix wrote: | I'm sure that there's some way to fuck someone up over ssh. I mean, the connection goes both ways, right? |
Doesn't actually fuck them up, but I've used it a few times on people who've annoyed me:
Code: | cat /dev/urandom | write USER |
It certainly results in a "WTF" moment for them |
that's a good idea. but i don't like the idea having someone logged in i don't want to at all
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
ReneeTeunissen n00b
Joined: 29 Aug 2004 Posts: 27 Location: Zevenaar, The Netherlands
Posted: Thu Sep 09, 2004 11:04 am Post subject:
evoweiss wrote: | Over the past few weeks I've noticed a similar pattern of hack attempts against my box (ssh'ing in and attempting to log in with things like "test", "NOUSER", and "root"). |
Well, first thing I do is to ADD a second account "root" (eg toor or something like that) and remove the shell from the real root, eg a small script as login shell which will email you, or /bin/false.
evoweiss wrote: | Another thing I did was invest in a hardware firewall (Zywall 1 model) which will send me an email whenever there are any events whether legitimate (me ssh'ing into my system from work) or illegitimate (attacks on my system, other attempt to gain access via ssh). I highly recommend the same to others. |
guess what the firewall is running. There are no such things as hardware firewalls. You bought a small single-board PC-like device with some network inputs and outputs - with linux, bsd or any embedded OS on it - which just does IP filtering as ipfilter/netfilter does.
Because these things run - mostly - on non-intel CPUs it is probably more secure against trojans and other precompiled hacker-stuff, but that's about all.
Running an old box with linux and two network cards in it and just doing IP filtering and forwarding gives you about the same security level, probably even better. Except if you start running applications on it which can be exploited. If you add tools like snort you can detect and reject ssh-sessions on non-standard ports. Anyway, having a nice black box of a firewall does not make you safer than a well configured linux box.
_________________ Renee Teunissen - Embedded Software Developer - Linux - VxWorks - WinCE - OpenVMS - http://ReneeTeunissen.nl and http://www.pts.nl
WhimpyPeon Apprentice
Joined: 18 Oct 2003 Posts: 158 Location: Columbus, Nebraska
Posted: Thu Sep 09, 2004 11:45 am Post subject:
evoweiss
You can change the port sshd listens on in /etc/ssh/sshd_conf.
I use ports used by other services not used by me (i.e. kazaa, morpheus...).
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Thu Sep 09, 2004 10:55 pm Post subject:
A couple of things.
/etc/hosts.allow is only appropriate if you are using tcp-wrappers, so emerge that.
There has been a brute force ssh password checker released to the wild which does exactly what is being seen here, that is checking root, test and guest accounts and using a dictionary attack. So make sure that you have strong passwords and frequently change them. Disable root login and use a non-default account.
I used to bind my ssh port to a non-default port, but personally I don't think it makes that much of a difference, you can usually tell if a port is expecting an ssh connection.
coutts99 Apprentice
Joined: 19 Sep 2002 Posts: 171 Location: Sunderland, UK
Posted: Fri Sep 10, 2004 12:56 pm Post subject: Re: Home Network Security
Quote: | 1. nmap-ing some host is called portknocking, which some or even most users consider an attack. it's comparable to checking someone's house to see if a door is open - although you're not entering it (yet). but you see, in fact it's really impolite and would cause a sensation in real life |
No it isn't, this is portknocking:
Port knocking is a method of establishing a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port.
BlinkEye Veteran
Joined: 21 Oct 2003 Posts: 1046 Location: Gentoo Forums
Posted: Fri Sep 10, 2004 1:02 pm Post subject:
i knew someone's gonna say that. i know what portknocking is, i tried to make an allegory, but i shouldn't have used a word already existing. i compared it with "the real life" as nmap-ing really is a port-knocking, i.e. a method to find open/closed doors.
for further info about portknocking (the method mentioned by coutts99), see this thread (which i'm following myself): https://forums.gentoo.org/viewtopic.php?p=1462199#1462199
_________________ Easily backup up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
darkcoder Apprentice
Joined: 09 May 2003 Posts: 253 Location: Lynchburg, VA
Posted: Sat Sep 11, 2004 6:29 am Post subject:
bcore wrote: | /var/log/messages with some serious grep action. |
I got a system with metalog which does not create /var/log/messages. I only got /var/log/everything. That's the place I need to look at in my case?
_________________ Not bleeding edge.... No pain no game