madmango Guru
Joined: 15 Jul 2003 Posts: 507 Location: PA, USA
Posted: Wed Nov 10, 2004 12:09 am Post subject:
Please. I wasn't getting any of these attacks until I was an idiot and pinged one of the addresses. Now I'm getting brute-forced all the time. Nobody's gotten in though.
Has somebody looked into WHEN these attacks are occurring? I get scanned around 7:10 PM (GMT-5).
Logs:
Code: | Nov 9 19:00:06 10.152.3.1 sshd[13095]: Did not receive identification string from 220.95.232.52
Nov 9 19:03:04 10.152.3.1 syslog-ng[6432]: STATS: dropped 90
Nov 9 19:06:14 10.152.3.1 sshd[13100]: Illegal user patrick from 220.95.232.52
Nov 9 19:06:16 10.152.3.1 sshd[13102]: Illegal user patrick from 220.95.232.52
Nov 9 19:06:28 10.152.3.1 sshd[13114]: Illegal user rolo from 220.95.232.52
Nov 9 19:06:31 10.152.3.1 sshd[13116]: Illegal user iceuser from 220.95.232.52
Nov 9 19:06:33 10.152.3.1 sshd[13118]: Illegal user horde from 220.95.232.52
Nov 9 19:06:37 10.152.3.1 sshd[13122]: Illegal user www from 220.95.232.52
Nov 9 19:06:39 10.152.3.1 sshd[13124]: Illegal user wwwrun from 220.95.232.52
Nov 9 19:06:41 10.152.3.1 sshd[13126]: Illegal user matt from 220.95.232.52
Nov 9 19:06:43 10.152.3.1 sshd[13128]: Illegal user test from 220.95.232.52
Nov 9 19:06:45 10.152.3.1 sshd[13130]: Illegal user test from 220.95.232.52
Nov 9 19:06:47 10.152.3.1 sshd[13132]: Illegal user test from 220.95.232.52
Nov 9 19:06:49 10.152.3.1 sshd[13134]: Illegal user test from 220.95.232.52
Nov 9 19:06:51 10.152.3.1 sshd[13136]: Illegal user www-data from 220.95.232.52
Nov 9 19:07:01 10.152.3.1 sshd[13146]: Illegal user irc from 220.95.232.52
Nov 9 19:07:03 10.152.3.1 sshd[13148]: Illegal user irc from 220.95.232.52
Nov 9 19:07:13 10.152.3.1 sshd[13158]: Illegal user jane from 220.95.232.52
Nov 9 19:07:15 10.152.3.1 sshd[13160]: Illegal user pamela from 220.95.232.52
Nov 9 19:07:27 10.152.3.1 sshd[13172]: Illegal user cosmin from 220.95.232.52
Nov 9 19:08:44 10.152.3.1 sshd[13248]: Illegal user cip52 from 220.95.232.52
Nov 9 19:08:46 10.152.3.1 sshd[13250]: Illegal user cip51 from 220.95.232.52
Nov 9 19:08:50 10.152.3.1 sshd[13254]: Illegal user noc from 220.95.232.52
Nov 9 19:09:00 10.152.3.1 sshd[13264]: Illegal user webmaster from 220.95.232.52
Nov 9 19:09:02 10.152.3.1 sshd[13266]: Illegal user data from 220.95.232.52
Nov 9 19:09:04 10.152.3.1 sshd[13268]: Illegal user user from 220.95.232.52
Nov 9 19:09:06 10.152.3.1 sshd[13270]: Illegal user user from 220.95.232.52
Nov 9 19:09:08 10.152.3.1 sshd[13272]: Illegal user user from 220.95.232.52
Nov 9 19:09:10 10.152.3.1 sshd[13274]: Illegal user web from 220.95.232.52
Nov 9 19:09:12 10.152.3.1 sshd[13276]: Illegal user web from 220.95.232.52
Nov 9 19:09:14 10.152.3.1 sshd[13278]: Illegal user oracle from 220.95.232.52
Nov 9 19:09:16 10.152.3.1 sshd[13280]: Illegal user sybase from 220.95.232.52
Nov 9 19:09:18 10.152.3.1 sshd[13282]: Illegal user master from 220.95.232.52
Nov 9 19:09:20 10.152.3.1 sshd[13284]: Illegal user account from 220.95.232.52
Nov 9 19:09:22 10.152.3.1 sshd[13286]: Illegal user backup from 220.95.232.52
Nov 9 19:09:24 10.152.3.1 sshd[13288]: Illegal user server from 220.95.232.52
Nov 9 19:09:26 10.152.3.1 sshd[13290]: Illegal user adam from 220.95.232.52
Nov 9 19:09:28 10.152.3.1 sshd[13292]: Illegal user alan from 220.95.232.52
Nov 9 19:09:30 10.152.3.1 sshd[13294]: Illegal user frank from 220.95.232.52
Nov 9 19:09:32 10.152.3.1 sshd[13296]: Illegal user george from 220.95.232.52
Nov 9 19:09:34 10.152.3.1 sshd[13298]: Illegal user henry from 220.95.232.52
Nov 9 19:09:36 10.152.3.1 sshd[13300]: Illegal user john from 220.95.232.52
|
The list goes on.
Notice he's first portscanning my port 22 to ask if I've got a server up.

befa Apprentice
Joined: 28 Oct 2004 Posts: 208 Location: rennes
Posted: Wed Nov 10, 2004 1:52 am Post subject:
If you want to be more secure, edit your sshd_config and put that:
Code: | ListenAddress 192.168.0.1 |
I mean the IP address of the interface turned to your network...
omg! my English... forgive me....

unicolet n00b
Joined: 27 Oct 2004 Posts: 7
Posted: Wed Nov 10, 2004 10:50 am Post subject:
revertex wrote: |
-edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.
|
I would suggest disabling ssh protocol version 1 too. It is insecure and flawed.
revertex wrote: |
-install something like chkrootkit, integrit, snort, configure once and run forever, no excuses.
|
Reinstall chkrootkit after you think you have been rooted. Do not use a single rootkit checker. Try http://www.rootkit.nl/projects/rootkit_hunter.html too.
AIDE is an excellent open source tool (works like Tripwire) for detecting less evident intrusions than yours. Configuration is easy, and it will check the integrity of your filesystem. Keep the database, config and binary on read-only media (like a floppy or a CD-ROM).
Logwatch is a tool that will allow you to monitor your log files and deliver daily/hourly/5-minute reports into your mail. Once upon a time there was the great logcheck. If you find a copy of that, use logcheck; it is MUCH better, even though it can be quite verbose.
run
as root and disable all unnecessary services (usually all those you don't know what they are for)
And yes, install a firewall (even MS got this by now... )

vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
Posted: Thu Nov 11, 2004 4:49 pm Post subject: Re: automated log scanners
dsegel wrote: | braverock wrote: |
I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command.
- Brian |
You'd better also hope that the script allows at least 2 failed attempts or you'll find yourself locked out the first time you type your username or password wrong by accident. |
Perhaps this is a start:
Code: | #!/bin/sh
grep "Failed password for illegal user" /var/log/current/info.auth \
| sed -e 's/.*user [^\ ]\+ from //' -e 's/ port.*//' \
| sort \
| uniq \
| grep -v '^127\.0\.0' |
I visited a Linux security workshop once, and I was told there are standard (spam) blacklists available on the Internet somewhere. That sysadmin blocked new IP addresses for 3 days, and if they appeared more often on these spammer lists, he eventually blocked them forever.
The reason for the 3-day block: e-mail servers try to deliver e-mail for 5 days, so blocking an IP for 3 days makes sure the e-mail server would eventually deliver the message if the IP got on the list by accident.
DaveHope wrote: | Been looking into this, and it appears that there's an IRC channel full of these drones. (Machines which have been hacked, and are running a client which leaves them in an IRC channel). Not 100% yet, but am looking into it. I'm also tempted to setup a small honeypot and let them play for as long as need be. |
Hmz.. reminds me of this: http://www.grc.com/dos/grcdos.htm

oog n00b
Joined: 18 Oct 2003 Posts: 22
Posted: Fri Nov 12, 2004 5:11 pm Post subject:
I read through this whole thread and while I think I'm doing the right things to secure my ssh connections (I use a key, disabled root logins, enabled only my own account, turned off all other forms of authentication), I still haven't found a way to force a person to wait for a period of time before they can try another ssh connection. I saw a number of people suggest that in this thread. Does someone know how to do this?

GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
Posted: Fri Nov 12, 2004 5:46 pm Post subject:
oog wrote: | I read through this whole thread and while I think I'm doing the right things to secure my ssh connections (I use a key, disabled root logins, enabled only my own account, turned off all other forms of authentication), I still haven't found a way to force a person to wait for a period of time before they can try another ssh connection. I saw a number of people suggest that in this thread. Does someone know how to do this? |
I have searched very briefly for an acceptable way of doing this; it would be very useful to have it as an option in sshd itself.

revertex l33t
Joined: 23 Apr 2003 Posts: 806
Posted: Fri Nov 12, 2004 8:07 pm Post subject:
I changed the default ssh port (22) to a higher port (2222).
Now the only connection attempts that I see in my logs are mine.
All these attempts seem to be produced by Linux boxes compromised by a foolish script that only looks for servers with port 22 open.
Some dumbass sysadmins must be impaled; how does someone with Linux knowledge let their boxes be infected by that stupid worm/script?
I guess they are MCSEs forced to deploy Linux, then they make it as insecure as possible to blame Linux as an unsafe system.

ARC2300 Apprentice
Joined: 30 Mar 2003 Posts: 267
Posted: Mon Nov 15, 2004 3:42 am Post subject:
Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline. I've had my server up for 120 days, no problem. This started, and my box crashes almost every 5 days until I changed ports. And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
I must say, though, that this is REALLY pissing me off. I've emailed countless abuse@ISP addresses now, and finally gave up. I should write a script, though, that does it for me.
And I looked at one of the addresses in that attempt log in a web browser... it's an HTTP Debian server with default install.

jkroon Tux's lil' helper
Joined: 15 Oct 2003 Posts: 110 Location: South Africa
Posted: Mon Nov 15, 2004 8:31 pm Post subject:
Aha, weird thread.
Anyway, when these were at their peak I picked up as many as 7 or 8 attempts per day over a period of about 3 months, and I'm still getting a few every now and again. Mostly from Taiwan and the surrounding area...
Port knocking was mentioned a few times, so http://www.kroon.co.za/portknock.php - let me know what you think. I put this together a while back on request from a system administrator. AFAIK there are no problems with it, and I used it for a while until I decided that ssh really is secure enough.
And about the iptables firewall, the following small set of rules should do:
Code: | #! /bin/bash
# EXT is the Internet-facing interface, INT the LAN side
EXT=eth0
INT=eth1
# flush the filter and nat tables so re-running the script does not duplicate rules
iptables -F
iptables -t nat -F
# default policies: drop everything inbound and forwarded, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# services offered to the LAN (multiport takes a comma-separated --dports list)
iptables -A INPUT -i $INT -p tcp -m multiport --dports 22,25,80,139,445 --syn -j ACCEPT
# only ssh is reachable from the outside
iptables -A INPUT -i $EXT -p tcp --destination-port 22 --syn -j ACCEPT
iptables -A INPUT -i $INT -p udp -m multiport --dports 53,137,138 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -p tcp -m multiport --dports 22,80,110,143,443,6667 --syn -j ACCEPT
# masquerade LAN traffic on the way out (needs net.ipv4.ip_forward=1)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE |
You can of course restrict OUTPUT too. Also, remember to adjust those port numbers to your needs. Be warned, nmblookup '*' breaks with this ruleset.
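oog asked earlier how to make a source wait between attempts, and the ruleset above lets every SYN to port 22 in on $EXT through. The following is an added example from the editor, not jkroon's script or any other poster's code: it replaces that single ACCEPT line with the iptables "recent" match, so a source that opens more than a handful of new SSH connections per minute is dropped until it stays quiet. It assumes a 2.6 kernel with the recent match (ipt_recent) available; the interface and port are arguments, the hit count and window have defaults, and setting IPT=echo turns it into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limiting of new SSH
# connections with the iptables "recent" match. Assumes a 2.6 kernel with the
# recent match (ipt_recent) available. Set IPT=echo for a dry run that only
# prints the commands instead of loading them.
IPT=${IPT:-iptables}

# ssh_ratelimit_rules IFACE PORT [HITS] [SECONDS]
#   Allows at most HITS-1 new connections from one source per SECONDS on PORT.
#   The HITSth attempt inside the window is dropped, and because --update
#   refreshes the timestamp on every hit, a source that keeps hammering stays
#   blocked until it has been quiet for SECONDS. Accept trusted hosts (jkroon's
#   $INT rule) before these rules so they are never counted.
ssh_ratelimit_rules() {
    iface=$1; port=$2; hits=${3:-4}; secs=${4:-60}
    # 1. remember every new connection attempt (SYN) from this source
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" --syn \
         -m recent --name sshlimit --set
    # 2. drop it if the source already has HITS entries within SECS seconds
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" --syn \
         -m recent --name sshlimit --update --seconds "$secs" --hitcount "$hits" -j DROP
    # 3. otherwise let the SYN through, as jkroon's single ACCEPT rule did
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" --syn -j ACCEPT
}

# Usage:  sh ssh-ratelimit.sh eth0 22           (as root, after the base rules)
#         IPT=echo sh ssh-ratelimit.sh eth0 22  (dry run, prints the commands)
if [ $# -ge 2 ]; then
    ssh_ratelimit_rules "$@"
fi
```

With the defaults a fourth SYN from the same address within 60 seconds is dropped; legitimate users who mistype a password once or twice never hit the limit because a failed password does not open a new TCP connection, which is what the recent match counts.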

rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Tue Nov 16, 2004 11:04 am Post subject:
revertex wrote: | Some dumbass sysadmins must be impaled; how does someone with Linux knowledge let their boxes be infected by that stupid worm/script?
I guess they are MCSEs forced to deploy Linux, then they make it as insecure as possible to blame Linux as an unsafe system. |
It's obviously a fallacy to assume any of these:
- Linux users are excellent sysadmins (just look at these forums :) )
- Windows users hate Linux (again, see how many people here use both)
- The fact that a Linux vulnerability can be exploited is somehow down to Microsoft-lovers with a grudge (this is amazingly irrational)

jkroon Tux's lil' helper
Joined: 15 Oct 2003 Posts: 110 Location: South Africa
Posted: Tue Nov 16, 2004 11:53 am Post subject:
Well put.
No, I'm afraid as the masses convert (if they ever do) we will see many, many, many more of these types of problems.
I've also had a few "Administrator" attempts, probably aimed at OpenSSH running on Windows ...
Also, I've actually heard of quite a number of successful break-ins based on these test-type users...

vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
Posted: Tue Nov 16, 2004 6:58 pm Post subject:
rex123 wrote: | It's obviously a fallacy to assume any of these:
- Linux users are excellent sysadmins (just look at these forums )
- Windows users hate Linux (again, see how many people here use both)
- The fact that a Linux vulnerability can be exploited is somehow down to Microsoft-lovers with a grudge (this is amazingly irrational) |
No, I believe there are a lot of dumb Linux users out there.. perhaps not at these forums, but I wouldn't be surprised to notice how many kids/students playing with Linux run a nice desktop without knowing what ssh exactly is... or run ssh without changing the sshd_config file.
I think the following comment proves this theory:
jkroon wrote: | Also, I've actually heard of quite a number of successful breakins based on these test type users... |

ai Apprentice
Joined: 21 Mar 2004 Posts: 227 Location: Poland, Krk
Posted: Tue Nov 16, 2004 8:27 pm Post subject:
ARC2300 wrote: | Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline. I've had my server up for 120 days, no problem. This started, and my box crashes almost every 5 days until I changed ports. And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
I must say, though, that this is REALLY pissing me off. I've emailed countless abuse@ISP addresses now, and finally gave up. I should write a script, though, that does it for me.
And I looked at one of the addresses in that attempt log in a web browser... it's an HTTP Debian server with default install. |
A script that adds the IP of a supposed abuser (let's say after 3 failed attempts) to hosts.deny would be great ;] something like portsentry which additionally monitors sshd logs.

flickerfly l33t
Joined: 08 Nov 2002 Posts: 677 Location: Lanham, MD
Posted: Wed Nov 17, 2004 6:16 pm Post subject:
Is anyone using tenshi to do reports on the logs for you? I'm curious what your config would look like. I've been meaning to get into that prog and this seems like a good test subject.
I don't care that they fail to log in, and I shan't try to block them, but I can learn from their efforts.

ARC2300 Apprentice
Joined: 30 Mar 2003 Posts: 267
Posted: Thu Nov 18, 2004 2:02 am Post subject:
ai wrote: | ARC2300 wrote: | Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline. I've had my server up for 120 days, no problem. This started, and my box crashes almost every 5 days until I changed ports. And no, there aren't any strange directories or users, and netstat shows only my local IPs causing traffic.
http://home.insightbb.com/~arcruea/attempts.log << Lots of attempts on my IP from 5 log files.
I must say, though, that this is REALLY pissing me off. I've emailed countless abuse@ISP addresses now, and finally gave up. I should write a script, though, that does it for me.
And I looked at one of the addresses in that attempt log in a web browser... it's an HTTP Debian server with default install. |
A script that adds the IP of a supposed abuser (let's say after 3 failed attempts) to hosts.deny would be great ;] something like portsentry which additionally monitors sshd logs. |
Yes, that would be great, but I have a few legit users that have failed to log in within 3 tries either due to forgetting their password or because they don't know about the 10 second limit I've imposed for logging into the machine.
I just decided to bump the port way, way up. Hopefully that'll fix problems.
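vdboor's pipeline earlier in the thread lists every address that failed as an illegal user, dsegel's caveat was that an automatic blocker has to tolerate a couple of mistakes, ai proposes adding offenders to hosts.deny after 3 failures, and ARC2300 points out that legitimate users do fail three times. The following added example, written by the editor and not taken from any poster, pulls those together: it counts failed password attempts per source address over a constructed sample log in the format of madmango's post, skips trusted networks so a colleague who fumbles a password is never listed, and only emits sources at or above a threshold, formatted as hosts.deny lines. It assumes OpenSSH 3.x-era log messages, and hosts.deny only has an effect if sshd was built with tcp_wrappers (libwrap) support; the script itself only prints and never blocks anything.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: count failed sshd
# password attempts per source address, ignore trusted networks, and list only
# sources at or above a threshold. It prints; it never blocks anything itself.

# Constructed sample log in the format of madmango's post: 220.95.232.52 is
# the scanner from that post, 192.168.0.7 stands for a LAN user who mistyped
# her password three times, 203.0.113.9 (an RFC 5737 documentation address)
# failed once. 10.152.3.1 is the logging host, as in the post.
SAMPLE_LOG='Nov  9 19:06:14 10.152.3.1 sshd[13100]: Illegal user patrick from 220.95.232.52
Nov  9 19:06:15 10.152.3.1 sshd[13100]: Failed password for illegal user patrick from 220.95.232.52 port 4412 ssh2
Nov  9 19:06:17 10.152.3.1 sshd[13102]: Failed password for illegal user test from 220.95.232.52 port 4413 ssh2
Nov  9 19:06:19 10.152.3.1 sshd[13104]: Failed password for illegal user test from 220.95.232.52 port 4414 ssh2
Nov  9 19:06:21 10.152.3.1 sshd[13106]: Failed password for illegal user oracle from 220.95.232.52 port 4415 ssh2
Nov  9 19:08:02 10.152.3.1 sshd[13140]: Failed password for alice from 192.168.0.7 port 51201 ssh2
Nov  9 19:08:03 10.152.3.1 sshd[13140]: Failed password for alice from 192.168.0.7 port 51201 ssh2
Nov  9 19:08:04 10.152.3.1 sshd[13140]: Failed password for alice from 192.168.0.7 port 51201 ssh2
Nov  9 19:08:10 10.152.3.1 sshd[13142]: Failed password for bob from 203.0.113.9 port 2200 ssh2
Nov  9 19:08:30 10.152.3.1 sshd[13150]: Accepted publickey for alice from 192.168.0.7 port 51210 ssh2'

# Sources that are never listed: loopback and RFC 1918 space by default.
default_trusted='^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# failed_logins_by_source [THRESHOLD] [TRUSTED_REGEX]  < syslog lines
#   Prints "count address" for each source with at least THRESHOLD failed
#   password attempts (illegal and real users alike). Sources matching
#   TRUSTED_REGEX are dropped before counting, which is how the lock-out
#   worry raised by dsegel and ARC2300 is handled: local users are exempt.
failed_logins_by_source() {
    threshold=${1:-3}
    trusted=${2:-$default_trusted}
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -e 's/.* from //' -e 's/ port.*//' \
      | grep -Ev "$trusted" \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# hosts_deny_lines  < "count address" lines
#   Formats each offender as a tcp_wrappers line for /etc/hosts.deny, the
#   mechanism ai suggested (only effective if sshd was built with libwrap).
hosts_deny_lines() {
    awk '{ print "sshd: " $2 }'
}

# Demo on the constructed sample: with a threshold of 3 only the scanner
# appears; the LAN user is excluded by the trusted regex, not by the count.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source 3 | hosts_deny_lines
```

Against a real log, replace the sample with something like `failed_logins_by_source 3 < /var/log/auth.log`; the sed step handles both "Failed password for illegal user X from A" and "Failed password for X from A", unlike the original grep on "illegal user" alone, so a dictionary run against a real account name is counted too.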

jkroon Tux's lil' helper
Joined: 15 Oct 2003 Posts: 110 Location: South Africa
Posted: Thu Nov 18, 2004 5:15 am Post subject:
You really do need a lot of these attempts per second before it should start becoming a serious issue, as in to the degree of slowing down your host. There should be no way for it to crash your machine. It might take it "offline" due to all your bandwidth being absorbed, but there are more effective, stealthier ways to achieve that, such as smurf attacks, or even simple SYN flooding from a spoofed address.
A quick question to ARC2300: you say your box crashed when this started? What exactly crashes, OpenSSH, the kernel, or some other subsystem?

gigel Guru
Joined: 14 Jan 2003 Posts: 370 Location: .se/.ro
Posted: Thu Nov 18, 2004 9:53 am Post subject:
After seeing the texts and where they hosted the files, I suspect (I mean, I'm sure) they are just another bunch of Romanian lamers...
bcore wrote: | but I'm thinking I'm gonna set sshd up to only allow key logins, since I use keychain from work. I've already also got it set up do disallow root logins, so I figure I should be reasonably safe... |
This is a good thing to do in these cases of attacks, but if one is trying to exploit a pre-authentication bug then you're compromised...
I suggest you filter with iptables (or any other method) to allow ssh logins only from trusted IPs

vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
Posted: Thu Nov 18, 2004 11:45 am Post subject:
ARC2300 wrote: | Don't know about anyone else, but I do think that if you get hammered enough on these tries, it can crash your box, or at least drop it offline. I've had my server up for 120 days, no problem. This started, and my box crashes almost every 5 days until I changed ports. |
This gives me the impression one of your services or the kernel already crashed on an exploit attempt. I can hardly believe sshd would crash your machine because it rejects normal login attempts; something else is happening here.
Note that the difference between an application crash and a successful exploit is very subtle. If an application crashes on incorrect input, it is likely there is also a way to send data that doesn't crash the app but nevertheless corrupts memory (and exploits your app in the process).

bware n00b
Joined: 23 Mar 2004 Posts: 22 Location: Amsterdam
Posted: Thu Nov 18, 2004 4:32 pm Post subject:
In general simply run some rootkit checkers to determine whether you've been rooted.
On a side note... most virus scanners (including the Windows variants) are able to detect most rootkits/exploited files.
If you suspect your machine, disconnect it from the net - to keep others from being abused - and check to see if it is so by running rootkit checkers, virus scanners, etc. after booting from unwritable media (livecd).
Programs to check are useradd, ps, ls, grep - most rootkit checkers will do this for you - examine timestamps (a simple ls -la will suffice). If you're a victim, I'd suggest a clean install, but then again it's up to you.

ARC2300 Apprentice
Joined: 30 Mar 2003 Posts: 267
Posted: Fri Nov 19, 2004 6:09 pm Post subject:
Actually, I know it hasn't been rooted, as no strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary.
And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else. That motherboard has been giving me issues for some time, such as not wanting to take on the other 80GB HDD I just put in (that works fine everywhere else), and losing BIOS information occasionally.

vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
Posted: Sat Nov 20, 2004 11:35 am Post subject:
ARC2300 wrote: | Actually, I know it hasn't been rooted, as no strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary. |
Note that your kernel could be trojaned (with a new module loaded) that hides these files from "ls" and "netstat". These binaries can be trojaned too, of course, to hide the rootkit..
Quote: | And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else. That motherboard has been giving me issues for some time |
Sounds more logical in this case indeed...
mod edit: removed doublepost.
amne

hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sat Nov 20, 2004 6:27 pm Post subject:
Quote: | braverock wrote:
I hope that someone will whip up a script to look for the 'illegal user xxx' strings in the log and respond with the appropriate iptables DROP command.
- Brian |
You may want to look into the snortsam plugin for snort. You can append the snortsam plugin to a specific rule, which will add a chain to iptables. You can have it block for x number of minutes, etc. You can also protect yourself from self-DoS by adding your networks and/or DNS servers, etc. to the 'exclude' list.
Snortsam is in portage:
net-analyzer/snortsam-2.24
If you use the bleeding -rules and add SSH Scan rule to your existing snort rule, you can spot these SSH attempts
http://www.bleedingsnort.com/
Here is the SSH Scan signature/rule:
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; classtype:attempted-dos; sid:2001219; rev:6; )
HTH
hanji

hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sat Nov 20, 2004 6:44 pm Post subject:
Quote: | flickerfly wrote:
Is anyone using tenshi to do reports on the logs for you? I'm curios what your config would look like. I've been meaning to get into that prog and this seems like a good test subject. |
You could set up tenshi or swatch to monitor your logs and report on failed connections or successful connections to ssh.. here is my tenshi config piece dealing with sshd
Code: |
group ^sshd(?:\(pam_unix\))?:
critical ^sshd: fatal: Timeout before authentication for (.+)
critical ^sshd: Illegal user
report ^sshd: Connection from (.+)
report ^sshd: Connection closed (.+)
report ^sshd: Closing connection (.+)
report ^sshd: Found matching (.+) key: (.+)
report ^sshd: Accepted publickey (.+)
report ^sshd: Accepted rsa for (.+) from (.+) port (.+)
report ^sshd: Accepted keyboard-interactive/pam for (.+) from (.+) port (.+)
root ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
root ^sshd\(pam_unix\): session opened for user root by \(uid=0\)
report ^sshd\(pam_unix\): session closed for user (.*)
root ^sshd\(pam_unix\): session opened for user (.*)
critical ^sshd\(pam_unix\): authentication failure; logname=
critical ^sshd: Failed password for
report ^passwd\(pam_unix\)\[(.*)\]:
root ^sshd: Accepted password for
group_end |
You can do something very similar with swatch, but tenshi is much more robust. All critical and root items are emailed to me immediately, reports are sent in every 8 hours.
HTH
hanji

ARC2300 Apprentice
Joined: 30 Mar 2003 Posts: 267
Posted: Sat Nov 20, 2004 6:45 pm Post subject:
vdboor wrote: | ARC2300 wrote: | Actually, I know it hasn't been rooted, as no strange directories have shown up, as well as nothing strange in the logs, and netstat -a shows up nothing out of the ordinary. |
Note that your kernel could be trojaned (with a new module loaded) that hides these files from "ls" and "netstat". These binaries can be trojaned too, of course, to hide the rootkit..
Quote: | And it just crashed after I've switched the port to one much higher, so I'm thinking it's something else. That motherboard has been giving me issues for some time |
Sounds more logical in this case indeed...
mod edit: removed doublepost.
amne |
AFAIK, you can't change the date/time a file was written, though. I don't use modules whatsoever for this reason, and my bzImage has the same date and time since last compile.

Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
Posted: Sun Nov 21, 2004 2:19 am Post subject:
Thou shalt not allow tunnelled, clear-text password authentication over SSH. Public key authentication or no access.
Code: | # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no |
For you: carrying around a private key with a good passphrase is a small price to pay.
For the cracker: no amount of guessing is going to yield a useful key in a reasonable amount of time.
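Chris W's setting above, unicolet's list earlier in the thread (no password logins, no root logins, one allowed user or group, no protocol 1) and befa's ListenAddress add up to a short checklist. The following is an added example from the editor, not Chris W's or any other poster's code: a shell function that reads an sshd_config and reports each setting that still sits at the weak OpenSSH default, run against two constructed configs, a stock-looking one and a hardened one. It assumes OpenSSH keyword names and the 3.x-era defaults (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes) when a keyword is absent or commented out, and it follows sshd's rule that the first uncommented occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: audit an sshd_config
# for the settings recommended in the thread (no SSH-1, no root logins, no
# tunnelled passwords, an AllowUsers/AllowGroups list, a specific ListenAddress).
# Assumes OpenSSH keyword names and the 3.x-era defaults used when a keyword is
# absent or commented out; like sshd, the first uncommented occurrence wins.

# sshd_setting FILE KEYWORD DEFAULT -> effective value, lower-cased
sshd_setting() {
    awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$1"
}

# audit_sshd_config FILE -> one line per weak setting, nothing when clean;
#   exit status 1 if anything was flagged, so it can gate a restart or a cron job.
audit_sshd_config() {
    f=$1; bad=0
    case "$(sshd_setting "$f" Protocol 2,1)" in
        *1*) echo "Protocol: SSH-1 still enabled (set 'Protocol 2')"; bad=1 ;;
    esac
    [ "$(sshd_setting "$f" PermitRootLogin yes)" = no ] ||
        { echo "PermitRootLogin: not 'no'"; bad=1; }
    [ "$(sshd_setting "$f" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication: tunnelled clear-text passwords allowed"; bad=1; }
    [ "$(sshd_setting "$f" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication: disabled, so key-only login is impossible"; bad=1; }
    [ -n "$(sshd_setting "$f" AllowUsers '')" ] ||
    [ -n "$(sshd_setting "$f" AllowGroups '')" ] ||
        { echo "AllowUsers/AllowGroups: every account on the box may log in"; bad=1; }
    case "$(sshd_setting "$f" ListenAddress 0.0.0.0)" in
        0.0.0.0|::) echo "ListenAddress: sshd listens on every interface"; bad=1 ;;
    esac
    return $bad
}

# Constructed samples (not real configs): the first looks like a freshly
# installed sshd_config, the second is hardened the way the thread suggests.
write_weak_sample() {
    cat >"$1" <<'EOF'
# constructed sample: everything still at the shipped default
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
EOF
}
write_hard_sample() {
    cat >"$1" <<'EOF'
# constructed sample: hardened
Protocol 2
ListenAddress 192.168.0.1
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice
Subsystem sftp /usr/lib/misc/sftp-server
EOF
}

# Demo: audit both samples; the weak one yields five findings, the hard one none.
for sample in weak hard; do
    tmp=$(mktemp)
    "write_${sample}_sample" "$tmp"
    echo "== $sample sample =="
    if audit_sshd_config "$tmp"; then echo "no weak settings found"; fi
    rm -f "$tmp"
done
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; because sshd takes the first occurrence of a keyword, a hardening line appended below an earlier `PasswordAuthentication yes` is silently ignored, and this checker reports that case the same way sshd will behave.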