Gowator

Crackers!


I have someone systematically trying to hack my server.

 

e.g.

Jun  5 16:54:14 linuxmigrations sshd[30211]: Failed password for invalid user nz from 85.41.60.62 port 27419 ssh2
Jun  5 16:54:16 linuxmigrations sshd[30233]: Failed password for invalid user nz from 84.42.192.45 port 47820 ssh2
Jun  5 16:54:18 linuxmigrations sshd[30243]: Failed password for invalid user na from 85.41.60.62 port 27585 ssh2
Jun  5 16:54:19 linuxmigrations sshd[30259]: Failed password for invalid user na from 84.42.192.45 port 48098 ssh2
Jun  5 16:54:22 linuxmigrations sshd[30269]: Failed password for invalid user ns from 85.41.60.62 port 27752 ssh2
Jun  5 16:54:22 linuxmigrations sshd[30285]: Failed password for invalid user ns from 84.42.192.45 port 48321 ssh2
Jun  5 16:54:24 linuxmigrations sshd[30304]: Failed password for invalid user nd from 84.42.192.45 port 48551 ssh2
Jun  5 16:54:25 linuxmigrations sshd[30301]: Failed password for invalid user nd from 85.41.60.62 port 27916 ssh2
Jun  5 16:54:27 linuxmigrations sshd[30327]: Failed password for invalid user nf from 84.42.192.45 port 48757 ssh2
Jun  5 16:54:29 linuxmigrations sshd[30337]: Failed password for invalid user nf from 85.41.60.62 port 28078 ssh2
Jun  5 16:54:29 linuxmigrations sshd[30347]: Failed password for invalid user ng from 84.42.192.45 port 48939 ssh2
Jun  5 16:54:33 linuxmigrations sshd[30372]: Failed password for invalid user nh from 84.42.192.45 port 49165 ssh2
Jun  5 16:54:33 linuxmigrations sshd[30369]: Failed password for invalid user ng from 85.41.60.62 port 28240 ssh2
Jun  5 16:54:35 linuxmigrations sshd[30395]: Failed password for invalid user nj from 84.42.192.45 port 49453 ssh2
Jun  5 16:54:37 linuxmigrations sshd[30405]: Failed password for invalid user nh from 85.41.60.62 port 28429 ssh2
Jun  5 16:54:38 linuxmigrations sshd[30421]: Failed password for invalid user nk from 84.42.192.45 port 49685 ssh2
Jun  5 16:54:40 linuxmigrations sshd[30437]: Failed password for invalid user nl from 84.42.192.45 port 49878 ssh2
Jun  5 16:54:41 linuxmigrations sshd[30441]: Failed password for invalid user nj from 85.41.60.62 port 28603 ssh2
Jun  5 16:54:43 linuxmigrations sshd[30463]: Failed password for invalid user np from 84.42.192.45 port 50080 ssh2

 

 

and also on dictionary words

 

Jun  6 12:01:56 linuxmigrations sshd[2683]: Failed password for invalid user test1 from 61.82.16.62 port 39766 ssh2
Jun  6 12:02:01 linuxmigrations sshd[2717]: Failed password for invalid user testing from 61.82.16.62 port 39921 ssh2
Jun  6 12:02:06 linuxmigrations sshd[2751]: Failed password for invalid user testuser from 61.82.16.62 port 40082 ssh2
Jun  6 12:02:12 linuxmigrations sshd[2788]: Failed password for invalid user testuser from 61.82.16.62 port 40221 ssh2
Jun  6 12:02:17 linuxmigrations sshd[2826]: Failed password for invalid user local from 61.82.16.62 port 40382 ssh2
Jun  6 12:02:24 linuxmigrations sshd[2866]: Failed password for invalid user local from 61.82.16.62 port 40550 ssh2
Jun  6 12:02:29 linuxmigrations sshd[2906]: Failed password for invalid user local from 61.82.16.62 port 40733 ssh2
Jun  6 12:02:36 linuxmigrations sshd[2946]: Failed password for invalid user local from 61.82.16.62 port 40887 ssh2
Jun  6 12:02:41 linuxmigrations sshd[2986]: Failed password for invalid user local2 from 61.82.16.62 port 41074 ssh2
Jun  6 12:02:48 linuxmigrations sshd[3026]: Failed password for invalid user toto from 61.82.16.62 port 41237 ssh2
Jun  6 12:02:54 linuxmigrations sshd[3066]: Failed password for invalid user toto from 61.82.16.62 port 41421 ssh2
Jun  6 12:03:00 linuxmigrations sshd[3106]: Failed password for invalid user toto from 61.82.16.62 port 41584 ssh2
Jun  6 12:03:06 linuxmigrations sshd[3146]: Failed password for invalid user toto from 61.82.16.62 port 41762 ssh2
Jun  6 12:03:11 linuxmigrations sshd[3186]: Failed password for invalid user toto2 from 61.82.16.62 port 41951 ssh2
Jun  6 12:03:18 linuxmigrations sshd[3227]: Failed password for invalid user lotto from 61.82.16.62 port 42101 ssh2
Jun  6 12:03:24 linuxmigrations sshd[3267]: Failed password for invalid user doctor from 61.82.16.62 port 42298 ssh2
Jun  6 12:03:30 linuxmigrations sshd[3307]: Failed password for invalid user doctor from 61.82.16.62 port 42459 ssh2
Jun  6 12:03:36 linuxmigrations sshd[3347]: Failed password for invalid user doctor from 61.82.16.62 port 42640 ssh2
Jun  6 12:03:42 linuxmigrations sshd[3387]: Failed password for invalid user doctor from 61.82.16.62 port 42806 ssh2
Jun  6 12:03:48 linuxmigrations sshd[3428]: Failed password for invalid user doctor2 from 61.82.16.62 port 42992 ssh2
Jun  6 12:03:54 linuxmigrations sshd[3468]: Failed password for invalid user admin from 61.82.16.62 port 43154 ssh2
Jun  6 12:04:00 linuxmigrations sshd[3508]: Failed password for invalid user admin from 61.82.16.62 port 43322 ssh2
Jun  6 12:04:06 linuxmigrations sshd[3549]: Failed password for invalid user admin from 61.82.16.62 port 43502 ssh2

 

with random success

 

Jun 6 12:06:07 linuxmigrations sshd[4370]: Failed password for news from 61.82.16.62 port 46985 ssh2
Jun 5 16:52:17 linuxmigrations sshd[29252]: (pam_unix) check pass; user unknown
Jun 5 16:52:17 linuxmigrations sshd[29252]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it
Jun 5 16:52:20 linuxmigrations sshd[29252]: Failed password for invalid user mv from 85.41.60.62 port 22470 ssh2
Jun 5 16:52:22 linuxmigrations sshd[29268]: Invalid user mc from 85.41.60.62
Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) check pass; user unknown
Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it
Jun 5 16:52:23 linuxmigrations sshd[29268]: Failed password for invalid user mc from 85.41.60.62 port 22653 ssh2

 

 

etc....

What should I do?


so long as they haven't got in, you should be fine. so check that they haven't got in. If they have, consider your system compromised, backup relevant files, and do a *complete* reinstall, and audit any code you have running on it of your own writing, e.g. php based website.

 

maybe remind your users to change/lengthen their passwords. > 10 characters should be right most of the time, so long as they aren't guessable. all mine are seemingly random alphanumeric, though there's meaning in the randomness to me. that sorta password works well.

 

I use this firewall rule, it only allows three SSH connections per minute from any IP

iptables -A INPUT -p tcp --syn -i eth0 --dport 22 -m recent --update \
    --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --syn -i eth0 --dport 22 -m recent --set

 

no idea how mandriva's default firewall works, but chucking that in /etc/rc.local and running it ought to work. Not difficult to test anyway, and if it doesn't work, I'm sure there's some silly mandriva method.

 

Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it

check your sshd_config, and ensure that it is set to disallow root login too. uid=0=root.

 

James

Edited by iphitus


Thx, already changed sshd but the 3 logins per IP per min are a good idea. I'm on Debian anyway but should be able to work that one out.

On changing the user ...

just checking

 

1) edit /etc/passwd and change

2) Do I need to do a recursive find/chown? or I guess this actually depends on the filesystem?

 

Sorry casting out questions instead of reading since I obviously want to do this quickly...

I think PAM actually shut it down last night so trying to do my best... as quick as possible.

 

all help greatly appreciated.

Thx, already changed sshd but the 3 logins per IP per min are a good idea. I'm on Debian anyway but should be able to work that one out.

On changing the user ...

just checking

 

1) edit /etc/passwd and change

NO. never edit it directly, use the appropriate tools. I never suggested changing the user, only the passwords. Just stuff you should be doing anyway, frequent password changing... right? :P

2) Do I need to do a recursive find/chown? or I guess this actually depends on the filesystem?

again, you don't need to change your user. even then, if you change a user's username, so long as the numeric ID remains the same, you will not need to do a recursive chown.

 

Sorry casting out questions instead of reading since I obviously want to do this quickly...

I think PAM actually shut it down last night so trying to do my best... as quick as possible.

 

could always just pull the cable and isolate the machine ;) or temporarily reconfigure your router to not forward ports (assuming you have one). PAM isn't a daemon, so I don't know what you mean by 'shut down'.

 

James

 

edit: looks like you fell victim to my terrible post then edit habit, i added a bit more to the above post before.

Edited by iphitus


Damn, I have a user called mc;

 

What is your set up gowator, do you have a router with nat and firewall. Where is this log, I wonder if I am putting myself at risk too...

Damn, I have a user called mc;

 

What is your set up gowator, do you have a router with nat and firewall. Where is this log, I wonder if I am putting myself at risk too...

Yep, best not to advertise your username perhaps ;)

 

 

Problem is this is a webserver open to the world, I occasionally need to login remotely to tweak or add things.

Hence I have a router but this is set in the DMZ.... at least right now.

 

 

NO. never edit it directly, use the appropriate tools.
I was always taught vi was the appropriate tool :D at least when I did my Solaris sysad course.
I never suggested changing the user, only the passwords.

Yes but like ffi I have a weak username...

Just stuff you should be doing anyway, frequent password changing... right? :P

Yep .. I just forgot to have a stronger username ... LOL

 

However I'm thinking to have a ssh user with a long..long secure name and only allow ssh from that user.

Damn, I have a user called mc;

 

What is your set up gowator, do you have a router with nat and firewall. Where is this log, I wonder if I am putting myself at risk too...

Even if you permit 3 logins per minute, this won't stop crackers from continuing an attack.

A better solution is to install a daemon called denyhosts (http://denyhosts.sourceforge.net). Denyhosts blacklists IP addresses when more than X (say 3) failed login attempts were made from that IP address. It simply adds those IP addresses to hosts.deny.

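As an added illustration (not code from this thread and not denyhosts itself), the script below does what the denyhosts post and the earlier "check that they haven't got in" advice describe: it counts sshd "Failed password" lines per source address, emits hosts.deny entries for addresses over a threshold, separates guesses at real account names (like the "news" line quoted above) from "invalid user" noise, and pulls out any "Accepted" logins worth investigating. The sample log, the threshold of 3, and the `sshd: <ip>` hosts.deny format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the sshd lines quoted in this thread.
# The final "Accepted" line is invented to show what a successful login looks like.
SAMPLE_LOG = """\
Jun  6 12:01:56 linuxmigrations sshd[2683]: Failed password for invalid user test1 from 61.82.16.62 port 39766 ssh2
Jun  6 12:02:01 linuxmigrations sshd[2717]: Failed password for invalid user testing from 61.82.16.62 port 39921 ssh2
Jun  6 12:02:06 linuxmigrations sshd[2751]: Failed password for invalid user testuser from 61.82.16.62 port 40082 ssh2
Jun  6 12:06:07 linuxmigrations sshd[4370]: Failed password for news from 61.82.16.62 port 46985 ssh2
Jun  5 16:54:14 linuxmigrations sshd[30211]: Failed password for invalid user nz from 85.41.60.62 port 27419 ssh2
Jun  5 16:54:18 linuxmigrations sshd[30243]: Failed password for invalid user na from 85.41.60.62 port 27585 ssh2
Jun  5 16:54:16 linuxmigrations sshd[30233]: Failed password for invalid user nz from 84.42.192.45 port 47820 ssh2
Jun  6 12:10:00 linuxmigrations sshd[5000]: Accepted password for gowator from 192.0.2.10 port 51000 ssh2
"""

# "invalid user " is optional: when absent, the guess was against a real account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_failures(log_text):
    """Return (failures per source IP, real account names probed per IP)."""
    per_ip = Counter()
    real_users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # pam_unix chatter, "Invalid user" notices and successes are skipped here
        per_ip[m["ip"]] += 1
        if not m["invalid"]:
            real_users[m["ip"]].add(m["user"])
    return per_ip, real_users


def hosts_deny_entries(log_text, threshold=3):
    """hosts.deny lines for every address with more than `threshold` failures."""
    per_ip, _ = parse_failures(log_text)
    return ["sshd: %s" % ip for ip, n in sorted(per_ip.items()) if n > threshold]


def accepted_logins(log_text):
    """(user, ip) for each successful login: the list to check against who you expect."""
    return [(m["user"], m["ip"]) for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE_LOG)))
    print("real accounts probed:", dict(parse_failures(SAMPLE_LOG)[1]))
    print("accepted logins:", accepted_logins(SAMPLE_LOG))
```

Run it against /var/log/auth.log instead of SAMPLE_LOG to get the same three views on the real data; any address in the first list whose account names appear in the second deserves a look at the third.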

Sorry to butt in, erm this user mc is only more or less a guest account but I had just set up my computer yesterday to give full access to my ntfs partitions. Can hackers get in with this user?

 

Where are my system security logs?

 

BTW: I heard this script is quite good, better than denyhosts apparently in combination with APF:

 

http://www.rfxnetworks.com/bfd.php

Edited by ffi

Sorry to butt in, erm this user mc is only more or less a guest account but I had just set up my computer yesterday to give full access to my ntfs partitions. Can hackers get in with this user?

 

Where are my system security logs?

 

You can start with checking /var/log/auth.log

 

 

PS: can someone quickly check the link in my sig and check it's accessible... went from 200 visitors a day to zero since this attack.

Edited by Gowator


Seems to be fast to me :unsure:


I have an 8MB line and it takes over 30 secs before the page loads, in Opera, FF and Konqueror...

 

(might be dns look up or something like that after the site loads, browsing within the site is fast)

Edited by ffi

I have an 8MB line and it takes over 30 secs before the page loads, in Opera, FF and Konqueror...

 

(might be dns look up or something like that after the site loads, browsing within the site is fast)

Probably, I'm at the end of the foodchain on DNS, I get a static from my ISP but it's in a huge group ...

 

If anyone else has seen this (like they are following links from here) I have the auth.log I can post or email.


weak username?

 

it's still damned near impossible to get into a system, even if you have a username. I mean, it doesn't take a mastermind to know my username is 'iphitus'. there's nothing anyone can do with my username, they still need a password, and no dictionary attack is going to hit mine. and add to that there's at least 8x10^24 combinations of numbers and letters and characters of which, one could be my pw. I can't see anyone attempting to guess that today.

 

I wouldn't go to the trouble of changing username, it's not going to do anything to increase security.

 

As for setting your computer up in a DMZ, it'd probably be better to take it off DMZ, and only enable the ports you need, 80 for http, 443 for https, and 22 only if you really need it. How often do you really need to maintain your setup remotely? If you do, maybe try chucking ssh on a different port, it's less likely to get picked up by a random bot scan like you probably did this time.

 

James

Edited by iphitus


This is exactly the same attack method that compromised my machine a few weeks back (again the success was down to weak username and password (both since changed)).

 

Leo
