rinnan Tux's lil' helper
Joined: 24 May 2003 Posts: 138 Location: Honolulu, Hawai`i
Posted: Sat Jan 01, 2005 1:03 am
Valhlalla wrote:
> My system is set up to email me any failed logins, but since I'm paranoid I'm going to check anyway :P

Good thing I don't do that -- I would have gotten 107 e-mails for the last 3 days. Better than spam!
appleboy n00b
Joined: 14 Mar 2004 Posts: 61
Posted: Sat Jan 01, 2005 5:57 am
One thing that I would like to see created is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information. I think if the ISPs started getting tons of email from automated programs telling them their clients are hacked they would start doing some massive overhaul and go after their clients to clean up their computers. Heck, if their systems crashed from getting so much email, I think it would make them open an eye or two :twisted:
kill Apprentice
Joined: 25 Dec 2004 Posts: 179
Posted: Sat Jan 01, 2005 5:45 pm
appleboy wrote:
> One thing that I would like to see created is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information.

You should have read the entire thread.

hanj wrote:
> You should try incident.pl. It uses output from ACID and does a whois to retrieve abuse contacts of the offending IP. The format it needs is mbox file, so if you're running with .maildir like me, you'll need another script that cats all the mails together prior to incident.pl
> http://freshmeat.net/projects/incident.pl/
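The monitor appleboy describes and the incident.pl workflow above both start from the same step: pulling failed logins out of the sshd log and grouping them by source address. This added Python example (not incident.pl, tenshi, or anything posted in the thread) does that step over a constructed log excerpt, separates a user mistyping a password from a dictionary run, and renders the evidence block that a report to the network's abuse contact would carry. The thresholds and the log lines are assumptions, and the whois lookup that incident.pl performs is deliberately left out so the code runs offline.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt in syslog format; the addresses are RFC 5737
# documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
Jan  1 00:12:01 host sshd[4021]: Failed password for invalid user test from 203.0.113.7 port 51022 ssh2
Jan  1 00:12:03 host sshd[4023]: Failed password for invalid user guest from 203.0.113.7 port 51030 ssh2
Jan  1 00:12:05 host sshd[4025]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan  1 00:12:07 host sshd[4027]: Failed password for invalid user admin from 203.0.113.7 port 51055 ssh2
Jan  1 00:12:09 host sshd[4029]: Failed password for invalid user michael from 203.0.113.7 port 51060 ssh2
Jan  1 00:12:10 host sshd[4031]: Illegal user nicole from 203.0.113.7
Jan  1 00:13:44 host sshd[4100]: Failed password for alice from 198.51.100.5 port 40011 ssh2
Jan  1 00:13:50 host sshd[4102]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2
Jan  1 00:14:02 host sshd[4110]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

# "Failed password for [invalid user] USER from IP port N ssh2" is one failed
# attempt.  Older sshd logged unknown names as "Illegal user", newer ones as
# "Invalid user"; that line precedes the matching "Failed password" line for
# the same attempt, so it only contributes the guessed name, not a second count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
UNKNOWN_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return {ip: {"attempts": int, "users": set of names tried}} from sshd log lines."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["attempts"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = UNKNOWN_USER_RE.search(line)
        if m:
            stats[m["ip"]]["users"].add(m["user"])
    return dict(stats)


def brute_force_sources(stats, min_attempts=5, min_users=3):
    """IPs that look like a dictionary attack rather than a typo.

    A legitimate user mistyping a password fails a few times under one name;
    a bot fails many times across many names.  Both thresholds are assumed
    starting points; tune them for your own traffic.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


def abuse_report(ip, stats, log_text):
    """Plain-text report for the network's abuse contact: summary plus raw evidence.

    Finding the contact needs a whois query (what incident.pl does); that is
    left out here so the example runs offline.
    """
    s = stats[ip]
    evidence = [line for line in log_text.splitlines() if f"from {ip}" in line]
    header = (
        f"SSH brute-force attempts from {ip}: {s['attempts']} failed logins, "
        f"{len(s['users'])} distinct usernames ({', '.join(sorted(s['users']))})"
    )
    return header + "\n" + "\n".join(evidence) + "\n"


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    for ip in brute_force_sources(stats):
        print(abuse_report(ip, stats, SAMPLE_LOG))
```

Feed it `/var/log/messages` (or wherever your syslog puts the auth facility) instead of the constructed excerpt; the single failed logins from alice and bob are kept in the statistics but never reported, which is the point of requiring both many attempts and many names before calling something an attack.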
massheep Tux's lil' helper
Joined: 02 Jan 2005 Posts: 81
Posted: Sun Jan 02, 2005 9:04 pm Post subject: change port
I got zero failed logins since I changed my sshd port from 22 to 59999.
To do so you need to edit /etc/ssh/sshd_config and change the line
to (or to whichever port you like).
Don't forget to adjust the firewall if you have one.
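The port change above is a single sshd_config edit, but two sshd rules bite anyone who scripts it: the first value seen for a keyword is the one used, and every keyword after a `Match` line belongs to that Match block, so appending to the end of the file does nothing. This added Python example (not from the post) edits a constructed sshd_config excerpt with those rules in mind and, going beyond massheep's one change, also sets `PermitRootLogin no`, `PasswordAuthentication no` and `PubkeyAuthentication yes`. The port 59999 and the excerpt are assumptions; writing the result back to /etc/ssh/sshd_config and reloading sshd is left to you.

```python
import re

# Active (uncommented) keyword line.  sshd accepts "Key value" and "Key=value"
# and treats keywords case-insensitively.
ACTIVE_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*=?\s*(?P<val>.*?)\s*$")
# Commented-out default such as "#Port 22", which is the nicest place to put the new value.
COMMENTED_RE = re.compile(r"^\s*#\s*(?P<key>[A-Za-z]+)\b")


def set_sshd_option(text, key, value):
    """Return sshd_config text with `key` set to `value` in the global section.

    The first active global occurrence is rewritten; failing that a commented
    default is replaced; failing that a new line goes in before the first Match
    block (or at the end).  Later global duplicates are commented out, since
    sshd would ignore them anyway and the file should show what is in effect.
    """
    lines = text.splitlines()
    want = key.lower()
    first_active = first_commented = None
    insert_at = len(lines)
    for i, line in enumerate(lines):
        m = ACTIVE_RE.match(line)
        if m:
            k = m["key"].lower()
            if k == "match":
                insert_at = i          # everything from here on is block-scoped
                break
            if k == want:
                if first_active is None:
                    first_active = i
                else:
                    lines[i] = "#" + line.lstrip()   # shadowed duplicate
        elif first_commented is None:
            c = COMMENTED_RE.match(line)
            if c and c["key"].lower() == want:
                first_commented = i
    new_line = f"{key} {value}"
    if first_active is not None:
        lines[first_active] = new_line
    elif first_commented is not None:
        lines[first_commented] = new_line
    else:
        lines.insert(insert_at, new_line)
    return "\n".join(lines) + "\n"


def effective_value(text, key):
    """The global value sshd would actually use for `key` (first one wins), or None."""
    for line in text.splitlines():
        m = ACTIVE_RE.match(line)
        if not m:
            continue
        k = m["key"].lower()
        if k == "match":
            break
        if k == key.lower():
            return m["val"]
    return None


def harden(text, port=59999):
    """Move sshd off port 22 and, beyond the post above, require keys and refuse root."""
    for key, value in (
        ("Port", str(port)),
        ("PermitRootLogin", "no"),
        ("PasswordAuthentication", "no"),
        ("PubkeyAuthentication", "yes"),
    ):
        text = set_sshd_option(text, key, value)
    return text


# Constructed excerpt standing in for /etc/ssh/sshd_config: a commented default
# port, a second active Port line, and a Match block that must stay untouched.
SAMPLE_CONFIG = """\
#Port 22
Protocol 2
PermitRootLogin yes
Port 2222
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(harden(SAMPLE_CONFIG), end="")
```

Before restarting sshd, check the result with `sshd -t` and keep the existing session open until a fresh login on the new port works; if the firewall still only passes port 22, that fresh login is the test that catches it.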
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Mon Jan 03, 2005 8:22 pm
appleboy wrote:
> One thing that I would like to see created is a program that monitors logs

Give "tenshi" a try. It's a project being developed by the Gentoo team, originally used on Gentoo core servers.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation
zephirus n00b
Joined: 21 Nov 2003 Posts: 66
Posted: Wed Jan 05, 2005 12:00 pm
Wow... I checked my messages file because of this thread, and now I am glad that I only allow ssh access with strict publickey auth. After all those failed attempts I ran chkrootkit anyway, and it seems I am fine.
Of course, as I am ever curious about Info Security, does anyone have any resources that explain both how to accomplish, and how to protect from, SSH hacks? I would like to better understand both sides of the coin...
rex123 Apprentice
Joined: 21 Apr 2004 Posts: 272
Posted: Wed Jan 05, 2005 12:15 pm
zephirus wrote:
> Of course, as I am ever curious about Info Security, does anyone have any resources that explain both how to accomplish, and how to protect from, SSH hacks? I would like to better understand both sides of the coin...

I can tell you how to accomplish this particular (most prevalent) 'hack':
1) search for machines listening on port 22
2) try to log on as test/test, root/root, john/john, etc (you can make up your own)
3) when you find a machine that allows you in, use it to find more similar machines until you get kicked off
4) install an irc bot on each machine that allows you to control the machine remotely via an undernet irc channel
5) also try to get root access via a few known local exploits, hoping that the administrator hasn't patched something or other. This isn't actually necessary, but it's kind of fun.
6) Once you've got your army of bots up to more than 1000 machines, you are the most 7337 h4X0r ever, and can retire.
To protect yourself from it, don't use your login name, or "password", or "test" etc as your password.
To protect yourself better, move your ssh port, don't run ssh, only allow certificate-based logins, use port knocking, restrict access by IP, or just turn your computer off :)
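Port knocking, listed above among the defenses and asked about in the next post, is a small state machine: the firewall keeps the SSH port closed, a daemon watches for connection attempts to a secret sequence of closed ports from one source, and only once that source completes the sequence within a time window does the port open for that source, for a limited time. This added Python example (my own, not knockd, fwknop or anything posted in the thread) models the daemon with the firewall actions recorded instead of executed so it runs offline; the sequence 7000, 8000, 9000, the timings and the addresses are assumptions.

```python
# Assumed knock sequence and timings; a real deployment picks its own.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0    # seconds allowed between successive knocks
OPEN_SECONDS = 30.0    # how long the SSH port stays reachable after a good sequence


class KnockServer:
    """Per-source progress through a knock sequence.

    Input is the stream of SYNs to closed ports that a daemon would see from a
    firewall log or libpcap; output is the list of actions it would hand to
    iptables (recorded here rather than executed).
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_seconds=OPEN_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_seconds = open_seconds
        self.progress = {}     # src_ip -> (index of next expected port, time of last knock)
        self.open_until = {}   # src_ip -> time at which the door closes again
        self.actions = []      # (action, src_ip, time), e.g. ("ACCEPT", ip, t)

    def knock(self, src_ip, dst_port, now):
        """Feed one SYN on a closed port; return True if it completed the sequence."""
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > self.window:
            idx = 0                        # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1                       # the next port, in order
        elif dst_port == self.sequence[0]:
            idx = 1                        # wrong port, but it is a fresh start
        else:
            idx = 0                        # anything else resets: a linear scan never gets through
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.open_until[src_ip] = now + self.open_seconds
            self.actions.append(("ACCEPT", src_ip, now))
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def expire(self, now):
        """Close doors whose time has passed (a daemon would run this on a timer)."""
        for ip, until in list(self.open_until.items()):
            if now >= until:
                del self.open_until[ip]
                self.actions.append(("DROP", ip, now))

    def ssh_allowed(self, src_ip, now):
        """Would a SYN to the SSH port from src_ip be accepted at time `now`?"""
        self.expire(now)
        return src_ip in self.open_until


def replay(server, events):
    """Feed (src_ip, dst_port, time) events in order; return the sources that got in."""
    return [ip for ip, port, t in events if server.knock(ip, port, t)]


if __name__ == "__main__":
    server = KnockServer()
    # Constructed traffic: one client knocking correctly, one scanner walking ports.
    client = [("198.51.100.5", p, t) for p, t in zip(KNOCK_SEQUENCE, (0.0, 1.0, 2.0))]
    scanner = [("203.0.113.7", p, 3.0 + p / 1000.0) for p in range(6990, 9010)]
    print("opened for:", replay(server, client + scanner))
    print("actions:", server.actions)
```

A linear port scan never gets in because any port outside the sequence resets the count, and a slow replay runs into the window. But anyone who can sniff the client's knocks can replay them, so knocking hides the port rather than authenticating the client; it belongs in front of key-based login, not in place of it.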
zephirus n00b
Joined: 21 Nov 2003 Posts: 66
Posted: Wed Jan 05, 2005 4:16 pm
rex123 wrote:
> use port knocking

Now that I want to learn... That looks very valuable... Any suggestions on reading material, tutorials, and/or how-tos on this??
mtamizi n00b
Joined: 23 Oct 2004 Posts: 18
Posted: Wed Jan 05, 2005 10:11 pm
Quote:
> Now that I want to learn... That looks very valuable... Any suggestions on reading material, tutorials, and/or how-tos on this??

Here are some fairly general tips on security.
Run Nessus on your computer for network security auditing to protect your computer. Also try out `nmap`, the port scanner. Note: Nessus can be pointed at other people's computers to find vulnerabilities on remote hosts.
For reading material:
* Anything by the Honeynet project. http://project.honeynet.org/papers/index.html
* http://www.phrack.org/
* And for some more fun, although fictional, reading you should check out the "Stealing the Network" series. Here is a sample chapter: http://www.insecure.org/stc/
Btw, you should always have at least one layer of NAT (Network Address Translation) on your network. This can be done with any off-the-shelf router or a custom-built PC router.
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Wed Jan 05, 2005 10:16 pm
mtamizi wrote:
> Btw, you should always have at least one layer of NAT (Network Address Translation) on your network.

Why? It's completely useless and only causing trouble, IMHO.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation
mtamizi n00b
Joined: 23 Oct 2004 Posts: 18
Posted: Thu Jan 06, 2005 12:09 am
Quote:
> why? it's completely useless and only causing trouble

Not true -- it's very useful. It prevents others from being able to directly address any computer on the network. You can use port forwarding to gain remote access to services like ssh. The whole point is to create only one point of entrance into the network.
You're right if there is only one computer on the network. I should have stated I'm assuming there are at least two computers on the network.
krolden Apprentice
Joined: 28 May 2004 Posts: 293 Location: Belgium
Posted: Thu Jan 06, 2005 11:47 am
rex123 wrote:
> To protect yourself from it, don't use your login name, or "password", or "test" etc as your password.

Or run a brute force tool against yourself. Kinda like Randal Schwartz did.
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Thu Jan 06, 2005 12:59 pm
mtamizi wrote:
> Quote:
> > why? it's completely useless and only causing trouble
> Not true -- it's very useful. It prevents others from being able to directly address any computer on the network. You can use port forwarding to gain remote access to services like ssh. The whole point is to create only one point of entrance into the network.

Code:
```sh
# default-deny for everything arriving at this host
iptables -P INPUT DROP
# let replies to connections this host (or its NAT'd clients) opened back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
and why bother with NAT, if not needed?

Quote:
> You're right if there is only one computer on the network. I should have stated I'm assuming there are at least two computers on the network.

If you have several computers and several IP addresses available, there's no point in doing NAT.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation
NightMonkey Guru
Joined: 21 Mar 2003 Posts: 357 Location: Philadelphia, PA
Posted: Sat Jan 08, 2005 12:16 am
jkt wrote:
> mtamizi wrote:
> > Quote:
> > > why? it's completely useless and only causing trouble
> > Not true -- it's very useful. It prevents others from being able to directly address any computer on the network. You can use port forwarding to gain remote access to services like ssh. The whole point is to create only one point of entrance into the network.
>
> Code:
> ```sh
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ```
> and why bother with NAT, if not needed?
>
> Quote:
> > You're right if there is only one computer on the network. I should have stated I'm assuming there are at least two computers on the network.
>
> If you have several computers and several IP addresses available, there's no point in doing NAT.

Even if you have one computer, I think it's useful for the "Lazy Admin". Using NAT and Port Forwarding on a dedicated network device (with very stripped down OS and services), you have a "default deny" setup, which even works for those guests running Windows or some other OS. In other words, it takes the OS of your clients out of the equation, and uses the IP network topology (Layer 3), rather than having to explicitly deny packets from the Internet as they arrive at your hosts' interface.
While I'm not saying that the "belt and suspenders" approach of having host-based security is not valuable, this can add a layer of security that can act in addition to host-based security. For instance, we have a local root exploit in our current Linux kernels. By using a Linksys device to perform NAT and port forwarding, I don't need to care so much, since that exploit doesn't exist for the Linksys box. It's true, I need to worry about my hosts running Linux, and eagerly await a patch, but I don't have to worry about my network in general, until I see an exploit of the Linksys box.
Plus, hey, I like the web-based interface for configuring port forwardings *ducks*. ;)
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Sat Jan 08, 2005 1:38 pm
NightMonkey wrote:
> Even if you have one computer, I think it's useful for the "Lazy Admin". Using NAT and Port Forwarding on a dedicated network device (with very stripped down OS and services), you have a "default deny" setup, which even works for those guests running Windows or some other OS. In other words, it takes the OS of your clients out of the equation, and uses the IP network topology (Layer 3), rather than having to explicitly deny packets from the Internet as they arrive at your hosts' interface.

Please, don't talk about Windows, we all know that firewalling them must be done on a separate box.
To the NAT - I can't see any advantages of doing that. If you have only one public IP address, you don't have any other option, of course, but if you have multiple, why not use them?
NAT is sometimes called "firewall for poor people" - yep, that's right. If you cannot set up your router (irrelevant if it runs Linux, *BSD, IOS or it is some hw box) to do proper firewalling, you can use NAT. But why?

Quote:
> While I'm not saying that the "belt and suspenders" approach of having host-based security is not valuable, this can add a layer of security that can act in addition to host-based security.

Quite a common case is that your router is firewalling your private network. No need for NAT.

Quote:
> For instance, we have a local root exploit in our current Linux kernels. By using a Linksys device to perform NAT and port forwarding, I don't need to care so much, since that exploit doesn't exist for the Linksys box. It's true, I need to worry about my hosts running Linux, and eagerly await a patch, I don't have to worry about my network in general, until I see an exploit of the Linksys box.

Are you sure? You'd be quite surprised if you saw how many of these boxes run Linux, in fact...
And you aren't giving shell accounts on your routers/firewalls (and they don't run any services), are you? (The exploit is local, not remote.)

Quote:
> Plus, hey, I like the web-based interface for configuring port forwardings *ducks*. ;)

If you insist on clicking everything, `emerge webmin`.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation
NightMonkey Guru
Joined: 21 Mar 2003 Posts: 357 Location: Philadelphia, PA
Posted: Sat Jan 08, 2005 9:50 pm
Protecting your host against bad packets with iptables.... zero dollars
Seeing that the bad packets never ever get to your host in the first place.... priceless.
And, no, my Linksys box isn't running Linux.
JeffW_ Retired Dev
Joined: 19 Sep 2004 Posts: 80 Location: Fremont CA, USA
Posted: Mon Jan 10, 2005 10:57 am
I just block SSH from all of China and Taiwan (http://www.404ster.com/sshblocks.php)... Brute force attacks have dropped to near nothing. I disallow direct root access via ssh. All users have strong passwords. I don't have any problems.
bone Apprentice
Joined: 07 Jun 2002 Posts: 255 Location: Midwest, USA
Posted: Fri Jan 14, 2005 12:27 am
ill0gical wrote:
> I just block SSH from all of China and Taiwan (http://www.404ster.com/sshblocks.php)... Brute force attacks have dropped to near nothing. I disallow direct root access via ssh. All users have strong passwords. I don't have any problems.

Where on earth did you get that list? Who compiled it? I just want to make sure, before I attempt to use it, that it's going to only do China & Taiwan (not Brazilian hackers and Russian hackers beware).
jt
JeffW_ Retired Dev
Joined: 19 Sep 2004 Posts: 80 Location: Fremont CA, USA
Posted: Fri Jan 14, 2005 1:10 am
I got the majority of the list from http://china.blackholes.us/. I ran it through a Perl script to compact the netblocks. I also added in netblocks which ran SSH brute force attacks against my servers. The list is updated as new attacks occur. I have a Perl script that can update iptables automatically (listens on a single UDP port in the upper range).
_________________
JeffWalter
Avernus- n00b
Joined: 04 Feb 2004 Posts: 15
Posted: Mon Jan 17, 2005 9:47 am
^^ Haha, blocking China.
I actually blocked the whole China IP range (well, as much as I thought I safely could) at work. Stopped a lot of portscans, virus scripts, scripted hack attempts, etc. It cut the daily size of the firewall logs in half.
Only problem is that this also blocked Australia and a few other countries that don't send out a mass of bad traffic.
JeffW_ Retired Dev
Joined: 19 Sep 2004 Posts: 80 Location: Fremont CA, USA
Posted: Mon Jan 17, 2005 8:30 pm
Since when does Australia lease IP space from China? Granted, their IP allocations are done through APNIC, but I'm not blocking APNIC (Japan, Hong Kong, China, Taiwan, Australia, etc...), I'm blocking China and Taiwan.
I have multiple people in Australia who use one of my servers and they've had no problems.
_________________
JeffWalter
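The compaction step JeffW_ mentions, and the risk Avernus- ran into of a block list that sweeps up addresses it was never meant to cover, can both be handled with a few lines of the standard library. This added Python example (not JeffW_'s Perl script, which is not on the page, and not the linked list) merges overlapping and adjacent netblocks with the `ipaddress` module, checks an allow-list before the drops so a known-good address inside a blocked range still gets in, and renders the iptables commands for a dedicated chain as text rather than running them. The netblocks, the allow-list entry and the chain name are constructed for the example.

```python
import ipaddress

# Constructed block list using documentation ranges, not the list linked in the
# thread: overlapping and adjacent entries of the kind you get by concatenating
# a country list with addresses added by hand after an attack.
RAW_BLOCKS = [
    "203.0.113.0/25",
    "203.0.113.128/25",  # adjacent to the previous entry; together they are one /24
    "203.0.113.64/26",   # already inside the first entry
    "198.51.100.0/24",
    "198.51.100.77",     # single attacking host, already covered by the /24
    "192.0.2.0/24",
]
# Constructed exception: one legitimate user who happens to sit in a blocked range.
ALLOW = ["192.0.2.10/32"]


def compact(blocks):
    """Merge overlapping and adjacent IPv4 netblocks into the smallest equivalent list."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    # collapse_addresses refuses to mix address families, so keep any IPv6 list separate.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip, blocks, allow=()):
    """Allow-list wins over the block list, mirroring the rule order rendered below."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(a, strict=False) for a in allow):
        return False
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def iptables_rules(blocks, allow=(), port=22, chain="SSHBLOCK"):
    """Render iptables commands for a dedicated chain: allow rules first, then drops.

    Returned as text rather than executed.  Keeping the list in its own chain
    lets a refresh flush and rebuild it without touching the rest of INPUT.
    """
    cmds = [f"iptables -N {chain} 2>/dev/null; iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -s {a} -j RETURN" for a in allow]
    cmds += [f"iptables -A {chain} -s {b} -j DROP" for b in blocks]
    cmds.append(f"iptables -A {chain} -j RETURN")
    # -C checks whether the jump already exists so a refresh does not add it twice.
    cmds.append(f"iptables -C INPUT -p tcp --dport {port} -j {chain} 2>/dev/null || "
                f"iptables -I INPUT -p tcp --dport {port} -j {chain}")
    return cmds


if __name__ == "__main__":
    blocks = compact(RAW_BLOCKS)
    print("\n".join(iptables_rules(blocks, ALLOW)))
```

Six raw entries collapse to three; the allow rule sits ahead of the drops, which is what keeps the Australian users in the next post reachable if their addresses ever land in the list, and the same `is_blocked` check can be run over a day of successful logins before the rules go live to see who would have been locked out.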
matador Apprentice
Joined: 28 Sep 2004 Posts: 174 Location: Gothenburg, Sweden
Posted: Tue Jan 18, 2005 3:44 pm
I watched my messages log and boy did I get a hiccup there... They haven't compromised my system (since I use 16 char. passwords). I believe they might have been using this brute force utility based on the usernames: http://www.k-otik.com/exploits/08202004.brutessh2.c.php
I have already switched port but I think I will restrict the IPs to Swedish ones.
_________________
#267386
Checked the wiki or the faq?
Answer a post if you've got time
MaxDamage l33t
Joined: 03 Jan 2004 Posts: 650 Location: Oviedo, Spain
thatguyiam n00b
Joined: 17 Nov 2004 Posts: 23
Posted: Sun Jan 23, 2005 12:56 am
appleboy wrote:
> One thing that I would like to see created is a program that monitors logs and whenever failed attempts are made on programs like ssh, telnet, etc. it automatically finds the ISP and sends them an email with the log and some information. I think if the ISPs started getting tons of email from automated programs telling them their clients are hacked they would start doing some massive overhaul and go after their clients to clean up their computers. Heck, if their systems crashed from getting so much email, I think it would make them open an eye or two :twisted:

... Until you mistype your own password and an e-mail is sent to your own ISP. JK
But in seriousness, brute forcing is annoying at best. All this talk of port knocking and such--bah! Change the port SSH runs on and don't have passwords the same as the username! Simple.
I've also noticed that these bots have been trying as many unique usernames as they can, like "micheal" and "nicole" and so forth. Given that their IP is right in the log, it wouldn't be *that* hard to trace back to them, even if they went through a few hacked boxes.
A more interesting thing to do would be to set up a script that tried to log into the box that's probing your server with the same username they're using on yours, then send an e-mail if it's successful.
Or, if you're bored like me, you can play a game called "guess why that box was hacked" in which a quick nmap shows you that 4 trojans are running on it :-D
jkt Retired Dev
Joined: 06 Feb 2004 Posts: 1250 Location: Prague, Czech republic, EU
Posted: Sun Jan 23, 2005 9:42 pm
thatguyiam wrote:
> A more interesting thing to do would be to set up a script that tried to log into the box that's probing your server with the same username they're using on yours, then send an e-mail if it's successful.

Don't do it, you will probably run into trouble as it could be illegal.
_________________
cd /local/pub && more beer > /dev/mouth
Czech documentation