eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Thu Jan 23, 2020 11:41 pm
erm67 wrote:
> eccerr0r wrote:
> > But all of this is really going off topic, I still am curious to see if I've somehow gotten more attention to my home machine than perhaps some school server with sshd running. Or have most educational institutions banned all off site connections now because of this? Instead of blaming users for using the same password on multiple sites?
> Nobody allows password authentication, we always receive a key to log in.
More offtopic.
And (~You) != nobody.
Quote:
> There are also bios rootkits,
BIOS rootkits are quite difficult to install when your firmware's !WE is disabled. But once again this is convenience versus security, the convenience of not having to desolder your ROMs for upgrading firmware. I highly doubt most of these script kiddie ssh dictionary attackers can even detect what kind of system they broke into, because reflashing an ARM machine with exploited amd64 firmware doesn't do much good. Even flashing hacked Dell firmware on a Sony likely will not do any good either, and certainly flashing hacked IBM firmware on a VirtualBox would be even more entertaining.
Quote:
> and most importantly they know you will reinstall the os from a fresh copy but keep whatever application the server is running so they will try to infect it starting from custom init scripts used to launch it, or plant nasty .htaccess/php/(whatever can be executed from outside) files in hidden places but most certainly you will not clean user home dirs, so the .bashrc in your home or in the root home dir are a good target.
> Usually the best option is to get a new server (wipe the entire disk) and reinstall from scratch keeping only data, not just restore full backups. They will also install multiple backdoors, some very easy to find and others well hidden.
No matter what you do, unless you airgap, there's always a potential for getting hacked, and worst off is an internal hack. So this is irrelevant to the problem at hand, you need a clean up policy whether or not you disable ssh entirely.
Quote:
> You think that reading the log of the failed hacking attempts will help detecting the attacks that succeed instead?
The failed hack attempts are solely used for detection of how much of my network/drop table memory is being wasted due to attack attempts, not for determining method of entry. Again the whole problem is not security here - brute force guessing a password at a guess per minute will take an unreasonable amount of time, but it's a waste of resources for me to reply. Even if I enabled only PKI I'd still get login attempts, regardless of whether they will ever succeed. I just hope that someday having to write just a single entry of 0.0.0.0/0 into iptables as the only way to stop these attempts -- but this would be quite a problem for legitimate use.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
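The bookkeeping eccerr0r describes (how many guesses each source makes and how fast) can be pulled out of the sshd log mechanically. The following is an added Python example, not code from this thread: it parses sshd lines of the usual syslog "Failed password for ... from ..." form, counts failures per source address, lists the usernames each source tried, and finds the densest burst per source with a sliding window, which is what would show a run like "100 attempts per second for two minutes". The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Feb 28 09:59:58 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Feb 28 09:59:58 gw sshd[2102]: Failed password for root from 198.51.100.7 port 51023 ssh2
Feb 28 09:59:59 gw sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 51024 ssh2
Feb 28 10:00:00 gw sshd[2104]: Failed password for invalid user oracle from 203.0.113.9 port 40110 ssh2
Feb 28 10:00:30 gw sshd[2105]: Accepted publickey for me from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:(constructed)
Feb 28 10:01:10 gw sshd[2106]: Failed password for invalid user pi from 203.0.113.9 port 40111 ssh2
Feb 28 10:02:00 gw sshd[2107]: Connection closed by authenticating user root 198.51.100.7 port 51025 [preauth]
"""

# One line per failed password guess; "invalid user" marks accounts that
# do not exist, which is the bulk of a dictionary attack.
FAILED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failed_logins(text, year=2020):
    """Return (timestamp, user, source) for each 'Failed password' line.
    syslog stamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m.group("stamp"))  # "Feb  8" -> "Feb 8"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src")))
    return events


def attempts_per_source(events):
    """Failed attempts per source address (Counter; most_common() sorts it)."""
    return Counter(src for _ts, _user, src in events)


def peak_burst(events, src, window_seconds=1):
    """Largest number of failures from `src` inside any window of
    `window_seconds` seconds (both ends inclusive).  Sliding window over the
    sorted timestamps, so it is linear in the number of events."""
    times = sorted(ts for ts, _user, s in events if s == src)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def usernames_tried(events, src):
    """Sorted, de-duplicated usernames a source guessed against."""
    return sorted({user for _ts, user, s in events if s == src})


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    for src, n in attempts_per_source(evs).most_common():
        print(f"{src:16} {n:4} failures, peak {peak_burst(evs, src)}/s, "
              f"users {usernames_tried(evs, src)}")
```

Pointing it at a real auth log only requires reading the file instead of the embedded string; for rotated logs that span a year boundary the `year` argument has to follow the rotation.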
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Fri Jan 24, 2020 1:56 am
erm67 wrote:
> axl wrote:
> > I the big thing he was running was just some irc clients. nothing very nefarious or scary
> Well the irc clients were probably controlling a botnet
I actually have another thread where I talk about using irc to coordinate several VMs. Wow. I didn't know they used irc for that. Makes perfect sense, because why would you reinvent a wheel when it was already made. And I'm trying to use the same thing but for non-nefarious purposes. Wow. I mean, I must have known that... just didn't put 2 and 2 together.
Still, I don't think this particular case was this. He talked Romanian; he was most likely a disgruntled employee. I didn't pursue it further. After I figured out what was going on, it was pretty simple to cut it off. I mentioned he saved passwords in /opt. I made that a link to /dev/null. ssh was infected, so equery k openssh played a big role at the time. Well, some sniffing... but mostly after I cut him off, he was off. It ended. It was a fluke. As soon as I made a new key the whole thing stopped.
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Fri Jan 24, 2020 5:26 am
After you cut him off, did he take revenge?
I recall one time after I cut someone off, I got DDoS'ed for my efforts. There was nothing I could do but sit there until he got bored.
I forgot how the guy got in. Or even how long ago this was. But the DDoS was painful.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sat Jan 25, 2020 12:02 am
No. DDoS.
Maybe I don't understand DDoS. But as far as I understand it, there has to be a thing that, when super visited, makes the server just choke. I mean, this would be the most effective way a DDoS would work. Find like a link on some page that takes more than a second to render, and then decide to visit that link from X hosts and let the server choke.
You can't do that on my servers. It's much easier to get the whatever error... what is it? unreachable? not sure... than to choke the server. What I'm saying is that you can't choke apache. It has enough cores and memory to never get choked effectively. Whatever you do. You can run out of workers, but whatever you do to them, the underlying server will keep on going.
This was always true about all services. At best DDoS attacks against stuff I admin will consume all workers. And legitimate clients will not be able to use those services. And this can only be true for apache, and for short periods of time. And even if that is true, there is always enough bandwidth to cover all the workers, and there is still bandwidth for something else.
Plus, I think my ISP is pretty cool. It only happened to me once, in the 90's or early 2000, when I was under a DDoS and I actually had to call them. And it was the early years. At the time I didn't know that a phat page could be used against me, and they did something that literally stopped the attack in its tracks, on their part. As I understand it now, it was a simple ratelimit: if this client already saw this page a second ago, don't allow the connection. And the attack literally was ineffective like instantly, while normal connections kept on going.
But again, my understanding is that DDoS should not work. What should you do for it not to work? I should be clear about that.
When I say "it should not work", I mean it should not kill the whole site. As long as you compartmentalize properly, it should leave you with _some_ ability to still function. Again, perhaps one service will be completely flooded and has to be essentially shut down, but that doesn't mean the internet is down... other services are down, the server is down.
But... maybe I haven't really experienced a real... proper DDoS attack.
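The ISP-side rule axl describes ("if this client already saw this page a second ago, don't allow the connection") is, in its simplest form, a sliding-window counter keyed by client and resource. The following added Python example is not code from this thread or from any ISP; it implements such a limiter with a hard cap on the number of tracked keys, because a table that grows with every new client address is itself something a distributed attacker can inflate. The class name, the limits and the traffic samples are chosen for illustration.

```python
import time
from collections import OrderedDict, deque


class SlidingWindowLimiter:
    """Allow at most `max_hits` requests per (client, resource) key within
    any `window` seconds.  Keys live in an OrderedDict with a hard cap so a
    flood from many distinct addresses cannot grow memory without bound:
    when the table is full, the least recently seen key is evicted."""

    def __init__(self, max_hits, window, max_keys=100_000):
        self.max_hits = max_hits
        self.window = float(window)
        self.max_keys = max_keys
        self._hits = OrderedDict()  # key -> deque of timestamps still inside the window

    def allow(self, client, resource="/", now=None):
        """Return True if the request may proceed, False if it is over the limit."""
        now = time.monotonic() if now is None else now
        key = (client, resource)
        q = self._hits.get(key)
        if q is None:
            if len(self._hits) >= self.max_keys:
                self._hits.popitem(last=False)  # evict the least recently used key
            q = self._hits[key] = deque()
        else:
            self._hits.move_to_end(key)  # mark as recently used
        # Forget hits that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_hits:
            return False  # over the limit: reject and do not record the hit
        q.append(now)
        return True

    def tracked_keys(self):
        return len(self._hits)


def replay(limiter, requests):
    """Feed (time, client, resource) tuples through the limiter and return
    (allowed, rejected) counts, so a traffic pattern can be tested offline."""
    allowed = rejected = 0
    for t, client, resource in requests:
        if limiter.allow(client, resource, now=t):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


# Constructed traffic: one address hammering an expensive page 100 times a
# second for five seconds, while a normal visitor browses at a sane pace.
FLOOD = [(i / 100, "203.0.113.5", "/slow-report") for i in range(500)]
NORMAL = [(0.0, "192.0.2.10", "/"), (2.0, "192.0.2.10", "/about"), (4.5, "192.0.2.10", "/")]

if __name__ == "__main__":
    print("flood  allowed/rejected:", replay(SlidingWindowLimiter(1, 1.0), FLOOD))
    print("normal allowed/rejected:", replay(SlidingWindowLimiter(1, 1.0), NORMAL))
```

Rejected requests are not recorded, so a client that keeps retrying gets exactly one request through per window rather than being locked out indefinitely; whether that or a penalty for retries is the better policy depends on how expensive the rejected path is on the server side.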
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Sat Jan 25, 2020 12:55 am
Remember the guy had a large botnet at his disposal, and my ISP does not filter packets. So they completely filled my network with packets. I believe they were big ICMP packets. My machine did not need to respond to the packets; the packets came down the pipe and there was nothing I could do on my end.
I technically could tell my ISP to filter everything but TCP, and deal with only SYN flooding, which can be equally as damaging, even with SYN cookies: if there are enough to fill the pipe, it matters not if any SYNs are ignored. As said, these SYN packets are 60-70-odd bytes apiece; one is no big deal, but with limited bandwidth and millions of these sent to you, your connection gets overwhelmed, even to a stealthed port.
It goes against my ideals anyway - I really don't want any filtering. I'm glad my ISP allowed me to disable port 25 filtering.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sat Jan 25, 2020 1:25 am
I HOPE that's old times. New equipment prioritizes traffic by default, and you can't flood icmp to kill tcp. C'mon. That's so '80s.
IF there is nobody answering at the other end of the line, you can't actually kill a line with icmp. I don't think you can. If you want to try... I'd have to change my signature.
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Sat Jan 25, 2020 2:53 am
Again, you don't need to respond to get your line filled, prioritized or not! The network equipment still needs to pass all packets, and if you have no control at the highest bandwidth switch point, you get no choice of what you get. The content of the packet doesn't matter; if it goes down your line, stick a fork in it, you're done.
Oops, wanted to make it clear that if you do respond to packets, it's easier to DDoS, hence they tend to choose packets that cause responses, and those are typically the legitimate services of that machine!
Sure I'd try, but you have to give me a 9999 machine botnet first. And no, they must be distributed on their own separate DS3s, not 9999 VMs on 56k.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sat Jan 25, 2020 9:29 pm
To flood icmp would be just silly. But if an OS had to respond to 9999 tcp port requests, regardless of whether there is something bound there or not, that would just put extreme pressure on the infrastructure itself. Having 9999 tcp requests every second... would be problematic.
It's not volume of data. It's volume of requests. I see it now. Anything and everything will just crash. Nothing is equipped to deal with 9999 tcp requests at the same time.
And you can't reliably test it in an internal network. Even though maybe an internal network might have more access and/or speed, it doesn't have one other important factor. Diversity. 9999 hosts would prolly break anything. Just by sheer number of requests. And 9999 is prolly a low, low number of hosts. I imagine botnets being much larger than that. If they are larger than 65535... that's all the ports. If each one does just a tcp request, each second...
That's crazy. I don't know how anything would survive that.
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Sun Jan 26, 2020 1:31 am
It's actually "smart" to flood ICMP if it's not filtered, and especially deadly if the remote tries to respond to all of them.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Jan 26, 2020 1:33 am
eccerr0r wrote:
> It's actually "smart" to flood ICMP if it's not filtered, and especially deadly if the remote tries to respond to all of them.
I think even the shittiest china equipment these days will put icmp in the lowest place in the tcp stack.
I think, but I'm not sure, the kernel itself will just drop icmp in favor of tcp. I didn't see the source code itself where the tcp stack changed, but c'mon... nobody worries about icmp. Or cares about it. And they really shouldn't.
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Fri Jan 31, 2020 10:14 am
After the cessation of responding to all those undesirable packets, I've noticed something about my download speeds... they've returned to speeds I had a few years ago. I had been wondering why my download speeds dropped a little, not a totally significant number, but when frequently hitting the rail at the speed limit of one's connection and that number goes down a little... one notices.
Blasted distributed dictionary attacks. *sigh*
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Fri Feb 28, 2020 10:00 am
LOL, seems someone, for 2 straight minutes, sent 100 ssh attempts per second... Yow.
Fortunately my machine didn't respond to them.
Other than that, the number of ssh attempts has dropped way low and my logfile is no longer growing as fast as before. Hooray! Though February is a short month, it's the first month in a while that my logfile is trending at less than 30MB uncompressed for the month! Last October's log was 25MB *compressed* ...
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Sun Mar 01, 2020 4:19 pm
New analysis:
I set up my computer to log ICMP echo requests despite no longer responding to them.
Crap. I'm getting distributed ICMPed from a botnet too. What gives? I constantly get new hosts sending these.
There are different patterns; traceroute is one pattern and seems to be fairly common. Then there are the run-of-the-mill pings; one host is sending one every 10 minutes - at least they are consistent.
Why, why, why...
figueroa (Advocate; joined 14 Aug 2005; 3007 posts; location: Edge of marsh USA)
Posted: Sun Mar 01, 2020 8:14 pm
eccerr0r wrote:
> New analysis:
> ...
> Crap. I'm getting distributed ICMPed from a botnet too. What gives? I constantly get new hosts sending these.
You are certainly popular. I suppose stealth isn't an option? So much potential bandwidth for the bit bucket.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Ant P. (Watchman; joined 18 Apr 2009; 6920 posts)
Posted: Sun Mar 01, 2020 9:12 pm
If you can, hit them with the tarpit iptables target from net-firewall/xtables-addons. Any TCP-based attacks will waste a ton of resources on their end, but it only costs you as much as a -j DROP.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Mar 01, 2020 9:51 pm
REJECT is also good. Depends on the situation. There are cases where REJECT tells the attacker you don't have that service. Yes, they will not die on a timeout, but on a repeat.
Also, let me point out something very evident. Nobody is scanning for ssh on unknown ports. Just change the default port. It's so easy and simple... You don't need to do anything else. It's not like web and mail that HAVE TO work on 25 and 80. ssh can work on whatever port you want, and for you as admin it's just one more parameter. But for security... it's a whole lot of relaxation.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Mar 01, 2020 9:53 pm
Or iptables block it entirely and put a vpn in front of it. Get inside the network, then have access to ssh. And that vpn doesn't have to work on the default port either. You are allowed to be non-standard to obscure stuff.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Mar 01, 2020 9:55 pm
Also: don't put ssh on 222 or 2222 or 22222. They check for that. Put it on something that is not in services. Put it in the high 60000 ports. Nobody is checking those ports. Like ever. Make sure you don't have other nat rules which might interfere with that. iptables is sometimes a fickle bitch.
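The advice in axl's last three posts (move sshd off 22 and off the obvious 222/2222/22222 alternatives, keep it behind a VPN) together with the key-only login mentioned earlier in the thread can be checked mechanically against an sshd_config. The following added Python example is not code from this thread: it reads sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, `Port` may appear more than once, and everything after the first `Match` line applies only to matching connections) and reports the settings the thread warns about. The weak and hardened sample configs, and the port 61022, are constructed for the example; the listed defaults are those documented in sshd_config(5).

```python
import re

# Constructed example of a weak configuration (not from the thread).
WEAK_CONFIG = """\
# roughly what a stock install looks like once password logins are on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed hardened counterpart; 61022 is an arbitrary high, unregistered port.
HARDENED_CONFIG = """\
Port 61022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Ports the thread says scanners try alongside 22.
OBVIOUS_PORTS = {22, 222, 2222, 22222}

# Values sshd applies when a keyword is absent (sshd_config(5) defaults).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: [values in file order]} for the global section.
    sshd uses the first value of each keyword (Port is the exception: every
    Port line adds a listener), and a Match line ends the global section."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, []).append(value)
    return conf


def effective(conf, key):
    """First configured value, or the documented default."""
    values = conf.get(key)
    return values[0] if values else DEFAULTS.get(key, "")


def listening_ports(conf):
    ports = set()
    for value in conf.get("port", [DEFAULTS["port"]]):
        try:
            ports.add(int(value))
        except ValueError:
            pass  # not a number: leave it to sshd -t to complain about
    return ports


def audit(text):
    """Return a list of (Keyword, finding) pairs; empty if nothing is flagged."""
    conf = parse_sshd_config(text)
    findings = []
    bad_ports = listening_ports(conf) & OBVIOUS_PORTS
    if bad_ports:
        findings.append(("Port", f"listening on {sorted(bad_ports)}, which scanners try by default"))
    if effective(conf, "permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "root may log in with a password"))
    if effective(conf, "passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "password guessing is possible; use keys"))
    if effective(conf, "challengeresponseauthentication") == "yes":
        findings.append(("ChallengeResponseAuthentication",
                         "keyboard-interactive can still prompt for a password via PAM"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "no findings")
```

The `Match` block in the hardened sample deliberately re-enables passwords for one user and is not flagged, because the audit only covers the global section; extending it to per-block checks is straightforward but the global defaults are what the dictionary attackers in this thread are testing.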
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Sun Mar 01, 2020 10:36 pm
I've been dropping all ICMPs, but monitoring them for forensic analysis.
Next, once I collect enough data, I'll need to compare the ssh botnet pool vs the ping botnet pool. I wonder if they're the same botnet or not.
The one that's pinging every 10 minutes is an AWS machine. Ugh.
Hu (Administrator; joined 06 Mar 2007; 22857 posts)
Posted: Sun Mar 01, 2020 11:21 pm
eccerr0r wrote:
> The one that's pinging every 10 minutes is an AWS machine. Ugh.
That might be a good thing. For some of their services, AWS is pretty strict about abuse, so if you can find a contact point to report it to Amazon, they may intervene without you needing to identify the account holder.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Mar 01, 2020 11:33 pm
Hu wrote:
> eccerr0r wrote:
> > The one that's pinging every 10 minutes is an AWS machine. Ugh.
> That might be a good thing. For some of their services, AWS is pretty strict about abuse, so if you can find a contact point to report it to Amazon, they may intervene without you needing to identify the account holder.
I've been thinking about this. How to approach them. First contact. I mentioned before... without actually reporting a problem, you can't expect it to be fixed.
So I tried an approach, then another, then another one yet.
You can look up... I think it was in this thread. Look up abuse, send mail.
I didn't try Amazon. I tried other entities. I figured I would have no chance with Amazon. But I do have a lot of backlogs to send to Amazon if someone is willing to listen. Who did you talk to?
BTW, my success rate with reporting abuse after whatever time has lapsed since then (it feels like years) is 0%. 0% of abuse requests have been answered. Like globally. Ever...
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Sun Mar 01, 2020 11:50 pm
Also, again, I mostly deal with smtp issues.
You can fake-hide ssh on another port. You can't do the same with smtp. SO MANY FREAKING attempts.
I'm ok with a host doing 200 login attempts a second. The system will just block him by login 5.
Were you ever bombarded with phishing attempts? Like, they know the domain. They don't know users. And for days on end... you get like 10 mails a second, to random dictionary users.
I only have one user. Myself. Still, maybe this user, or this user. Maybe user mike. You don't have mike? How about joe? How about ... days after days of just mails for random users. And you can't turn off mail.
On the other hand, based on the little information I gathered from a honeypot I set up, I think it was mostly a prechecker for a spam service. Nothing really scary or nefarious. Just fake coronavirus remedies.
axl (Veteran; joined 11 Oct 2002; 1146 posts; location: Romania)
Posted: Mon Mar 02, 2020 12:09 am
It also helps if you can find ways to redirect all output to one place. And then... just observe that one place.
Most things will log to syslog by themselves. Which is good.
syslog can be redirected to another host.
I have ONE place where all logs get sent. I always have ONE monitor showing them. AT ALL TIMES. I use ccze to make it more readable. Very handy.
People always complain about systemd. I use initramfs images loaded with busybox and "the" daemon that it will run on that VM. It's detailed in another thread.
The point is... you can just run stuff with:
run --stuff | logger -t whatever_program_i_want_to_be_logged_in_logs
Or if it already runs, and has its own logs... like apache... you could do:
tail -f /ramfs/error.log | logger -t error.log &
Bam. No complicated issues.
Pipes, man. I don't care if a system is built with systemd... I can still use it without it.
I love my logs screen. It has only one purpose: show logs in a readable, colored way.
eccerr0r (Watchman; joined 01 Jul 2004; 9846 posts; location: almost Mile High in the USA)
Posted: Mon Mar 02, 2020 8:01 am
I never worried too much about SMTP. I do get a lot of SMTP connects, but as far as I can tell, all of the ones without me as the intended recipient are not relayed (i.e., forwarded), and that's all I care about. I know I'll get spam, but so be it. Not a big deal until they start sending me multi-megabyte mail messages.
It's just the SSH attempts that are annoying, as these are looking for privilege escalation.
The ICMP echoes merely pique interest, as I don't see how this benefits them yet. I'd really like to know why.
I'm just about rounding out a day of ICMP echo request logging. I have THREE AWS machines sending an echo request every 10 minutes from three IP addresses:
ec2-13-58-***-***.us-east-2.compute.amazonaws.com
ec2-18-144-***-***.us-west-1.compute.amazonaws.com
ec2-3-95-***-***.compute-1.amazonaws.com
The *** are masked to protect the innocent, if they really are. All six masked *** are unique numbers; they don't share anything in common.
Anyone care to share their data? I'm thinking I should see if I can collect data from my other IPs.
There are 405 unique hosts in approximately the past day that have sent me ICMP echo requests, and so far, spot checking, the ICMP hosts are different from the SSH hosts, which boggles me further. Any ideas as to their value to a hacker would be entertaining. And why they haven't given up after eating ICMP echo replies...
BTW, I have to split my logs; if I dumped everything to a screen, it'd need to be a fairly large screen or else useful stuff would scroll off before I get a chance to look at it, and I'd have to go back to the file anyway.
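eccerr0r's ICMP log, from the "log but don't respond" setup a few posts up through this post (a day of echo requests, hundreds of unique sources, a few AWS hosts on a 10-minute cycle, traceroute-looking runs, and the open question of whether the ping pool overlaps the SSH pool), is the kind of data the following added Python example works over. It is not code from this thread. It assumes echo requests are logged with the iptables LOG target before being dropped (a rule of the form `-p icmp --icmp-type echo-request -j LOG --log-prefix "ICMP-IN: "` followed by `-j DROP`), parses the resulting kernel lines (`SRC=... TTL=... PROTO=ICMP TYPE=8`), counts unique sources, flags sources whose inter-packet gaps are regular, flags traceroute-like runs, and intersects the result with a set of SSH failed-login sources. The traceroute heuristic relies on TTL arithmetic: a plain ping arrives with a remaining TTL of roughly 64, 128 or 255 minus the hop count, while traceroute probes reach a silent destination with remaining TTL 1, then 2, 3, ... as the tool keeps raising the initial TTL because no reply ever stops it. All log lines, addresses and the SSH source set are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed netfilter LOG lines, abbreviated (MAC= and TOS/PREC fields omitted).
SAMPLE_KERNEL_LOG = """\
Mar  1 12:00:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=84 TTL=236 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 12:00:05 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TTL=52 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Mar  1 12:05:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TTL=1 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Mar  1 12:05:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TTL=1 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=2
Mar  1 12:05:01 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TTL=2 ID=11 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=3
Mar  1 12:10:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=84 TTL=236 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar  1 12:20:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=84 TTL=236 ID=13 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Mar  1 12:30:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=84 TTL=236 ID=14 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
Mar  1 12:31:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TTL=52 ID=15 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=2
Mar  1 12:32:00 gw kernel: ICMP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=576 TTL=52 ID=16 PROTO=ICMP TYPE=3 CODE=4
"""

# Constructed set of sources seen failing SSH logins, e.g. from an auth-log count.
SSH_FAILED_SOURCES = {"203.0.113.5", "198.51.100.7"}

LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r".*?TTL=(?P<ttl>\d+) .*?PROTO=ICMP TYPE=(?P<type>\d+)"
)


def parse_echo_requests(text, year=2020):
    """Return (timestamp, source, remaining_ttl) for each logged echo request (TYPE=8)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("type") != "8":
            continue
        stamp = re.sub(r"\s+", " ", m.group("stamp"))
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("ttl"))))
    return events


def unique_sources(events):
    return {src for _ts, src, _ttl in events}


def periodic_sources(events, min_events=3, tolerance=0.05, min_period=60):
    """Sources whose gaps between packets are all within `tolerance` of the
    median gap, which is at least `min_period` seconds.  Returns {src: period}.
    Short bursts (traceroute, ping -c 3) fall below min_period and are ignored."""
    by_src = defaultdict(list)
    for ts, src, _ttl in events:
        by_src[src].append(ts)
    result = {}
    for src, times in by_src.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period >= min_period and all(abs(g - period) <= tolerance * period for g in gaps):
            result[src] = period
    return result


def traceroute_like(events, low_ttl=8):
    """Sources with two or more probes arriving at a very low remaining TTL,
    one of them 1 or 2: the signature of traceroute hitting a host that
    never answers, so the tool keeps walking the TTL upward."""
    ttls = defaultdict(list)
    for _ts, src, ttl in events:
        ttls[src].append(ttl)
    return {src for src, t in ttls.items()
            if len(t) >= 2 and min(t) <= 2 and max(t) <= low_ttl}


def overlap_with(events, other_sources):
    """Sources present both in the ICMP log and in another pool (e.g. SSH guessers)."""
    return unique_sources(events) & set(other_sources)


if __name__ == "__main__":
    evs = parse_echo_requests(SAMPLE_KERNEL_LOG)
    print("unique sources:", len(unique_sources(evs)))
    print("periodic:", periodic_sources(evs))
    print("traceroute-like:", traceroute_like(evs))
    print("also seen guessing ssh:", overlap_with(evs, SSH_FAILED_SOURCES))
```

The periodic check is what separates a monitoring-style probe (the 10-minute AWS hosts in the post) from opportunistic sweeps; feeding it a whole day of real LOG lines and sorting the result by period is a quick way to see how many of the hundreds of sources are actually on a schedule.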