Gowator Posted June 7, 2006

I have someone systematically trying to hack my server. e.g.

Jun 5 16:54:14 linuxmigrations sshd[30211]: Failed password for invalid user nz from 85.41.60.62 port 27419 ssh2
Jun 5 16:54:16 linuxmigrations sshd[30233]: Failed password for invalid user nz from 84.42.192.45 port 47820 ssh2
Jun 5 16:54:18 linuxmigrations sshd[30243]: Failed password for invalid user na from 85.41.60.62 port 27585 ssh2
Jun 5 16:54:19 linuxmigrations sshd[30259]: Failed password for invalid user na from 84.42.192.45 port 48098 ssh2
Jun 5 16:54:22 linuxmigrations sshd[30269]: Failed password for invalid user ns from 85.41.60.62 port 27752 ssh2
Jun 5 16:54:22 linuxmigrations sshd[30285]: Failed password for invalid user ns from 84.42.192.45 port 48321 ssh2
Jun 5 16:54:24 linuxmigrations sshd[30304]: Failed password for invalid user nd from 84.42.192.45 port 48551 ssh2
Jun 5 16:54:25 linuxmigrations sshd[30301]: Failed password for invalid user nd from 85.41.60.62 port 27916 ssh2
Jun 5 16:54:27 linuxmigrations sshd[30327]: Failed password for invalid user nf from 84.42.192.45 port 48757 ssh2
Jun 5 16:54:29 linuxmigrations sshd[30337]: Failed password for invalid user nf from 85.41.60.62 port 28078 ssh2
Jun 5 16:54:29 linuxmigrations sshd[30347]: Failed password for invalid user ng from 84.42.192.45 port 48939 ssh2
Jun 5 16:54:33 linuxmigrations sshd[30372]: Failed password for invalid user nh from 84.42.192.45 port 49165 ssh2
Jun 5 16:54:33 linuxmigrations sshd[30369]: Failed password for invalid user ng from 85.41.60.62 port 28240 ssh2
Jun 5 16:54:35 linuxmigrations sshd[30395]: Failed password for invalid user nj from 84.42.192.45 port 49453 ssh2
Jun 5 16:54:37 linuxmigrations sshd[30405]: Failed password for invalid user nh from 85.41.60.62 port 28429 ssh2
Jun 5 16:54:38 linuxmigrations sshd[30421]: Failed password for invalid user nk from 84.42.192.45 port 49685 ssh2
Jun 5 16:54:40 linuxmigrations sshd[30437]: Failed password for invalid user nl from 84.42.192.45 port 49878 ssh2
Jun 5 16:54:41 linuxmigrations sshd[30441]: Failed password for invalid user nj from 85.41.60.62 port 28603 ssh2
Jun 5 16:54:43 linuxmigrations sshd[30463]: Failed password for invalid user np from 84.42.192.45 port 50080 ssh2

and also on dictionary words

Jun 6 12:01:56 linuxmigrations sshd[2683]: Failed password for invalid user test1 from 61.82.16.62 port 39766 ssh2
Jun 6 12:02:01 linuxmigrations sshd[2717]: Failed password for invalid user testing from 61.82.16.62 port 39921 ssh2
Jun 6 12:02:06 linuxmigrations sshd[2751]: Failed password for invalid user testuser from 61.82.16.62 port 40082 ssh2
Jun 6 12:02:12 linuxmigrations sshd[2788]: Failed password for invalid user testuser from 61.82.16.62 port 40221 ssh2
Jun 6 12:02:17 linuxmigrations sshd[2826]: Failed password for invalid user local from 61.82.16.62 port 40382 ssh2
Jun 6 12:02:24 linuxmigrations sshd[2866]: Failed password for invalid user local from 61.82.16.62 port 40550 ssh2
Jun 6 12:02:29 linuxmigrations sshd[2906]: Failed password for invalid user local from 61.82.16.62 port 40733 ssh2
Jun 6 12:02:36 linuxmigrations sshd[2946]: Failed password for invalid user local from 61.82.16.62 port 40887 ssh2
Jun 6 12:02:41 linuxmigrations sshd[2986]: Failed password for invalid user local2 from 61.82.16.62 port 41074 ssh2
Jun 6 12:02:48 linuxmigrations sshd[3026]: Failed password for invalid user toto from 61.82.16.62 port 41237 ssh2
Jun 6 12:02:54 linuxmigrations sshd[3066]: Failed password for invalid user toto from 61.82.16.62 port 41421 ssh2
Jun 6 12:03:00 linuxmigrations sshd[3106]: Failed password for invalid user toto from 61.82.16.62 port 41584 ssh2
Jun 6 12:03:06 linuxmigrations sshd[3146]: Failed password for invalid user toto from 61.82.16.62 port 41762 ssh2
Jun 6 12:03:11 linuxmigrations sshd[3186]: Failed password for invalid user toto2 from 61.82.16.62 port 41951 ssh2
Jun 6 12:03:18 linuxmigrations sshd[3227]: Failed password for invalid user lotto from 61.82.16.62 port 42101 ssh2
Jun 6 12:03:24 linuxmigrations sshd[3267]: Failed password for invalid user doctor from 61.82.16.62 port 42298 ssh2
Jun 6 12:03:30 linuxmigrations sshd[3307]: Failed password for invalid user doctor from 61.82.16.62 port 42459 ssh2
Jun 6 12:03:36 linuxmigrations sshd[3347]: Failed password for invalid user doctor from 61.82.16.62 port 42640 ssh2
Jun 6 12:03:42 linuxmigrations sshd[3387]: Failed password for invalid user doctor from 61.82.16.62 port 42806 ssh2
Jun 6 12:03:48 linuxmigrations sshd[3428]: Failed password for invalid user doctor2 from 61.82.16.62 port 42992 ssh2
Jun 6 12:03:54 linuxmigrations sshd[3468]: Failed password for invalid user admin from 61.82.16.62 port 43154 ssh2
Jun 6 12:04:00 linuxmigrations sshd[3508]: Failed password for invalid user admin from 61.82.16.62 port 43322 ssh2
Jun 6 12:04:06 linuxmigrations sshd[3549]: Failed password for invalid user admin from 61.82.16.62 port 43502 ssh2

with random success

Jun 6 12:06:07 linuxmigrations sshd[4370]: Failed password for news from 61.82.16.62 port 46985 ssh2
Jun 5 16:52:17 linuxmigrations sshd[29252]: (pam_unix) check pass; user unknown
Jun 5 16:52:17 linuxmigrations sshd[29252]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it
Jun 5 16:52:20 linuxmigrations sshd[29252]: Failed password for invalid user mv from 85.41.60.62 port 22470 ssh2
Jun 5 16:52:22 linuxmigrations sshd[29268]: Invalid user mc from 85.41.60.62
Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) check pass; user unknown
Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it
Jun 5 16:52:23 linuxmigrations sshd[29268]: Failed password for invalid user mc from 85.41.60.62 port 22653 ssh2

etc....

What should I do?
iphitus Posted June 7, 2006

So long as they haven't got in, you should be fine. So check that they haven't got in. If they have, consider your system compromised, back up relevant files, and do a *complete* reinstall, and audit any code you have running on it of your own writing, e.g. a PHP based website.

Maybe remind your users to change/lengthen their passwords. > 10 characters should be right most of the time, so long as they aren't guessable. All mine are seemingly random alphanumeric, though there's meaning in the randomness to me. That sort of password works well.

I use this firewall rule, it only allows three SSH connections per minute from any IP:

iptables -A INPUT -p tcp --syn -i eth0 --dport 22 -m recent --update \
    --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --syn -i eth0 --dport 22 -m recent --set

No idea how Mandriva's default firewall works, but chucking that in /etc/rc.local and running it ought to work. Not difficult to test anyway, and if it doesn't work, I'm sure there's some silly Mandriva method.

> Jun 5 16:52:22 linuxmigrations sshd[29268]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host62-60.pool8541.interbusiness.it

Check your sshd_config, and ensure that it is set to disallow root login too. uid=0 = root.

James

Edited June 7, 2006 by iphitus
Gowator (Author) Posted June 7, 2006

Thx, already changed sshd but the 3 logins per IP per min are a good idea. I'm on Debian anyway but should be able to work that one out.

On changing the user ... just checking:

1) edit /etc/passwd and change
2) Do I need to do a recursive find/chown? Or I guess this actually depends on the filesystem?

Sorry, casting out questions instead of reading since I obviously want to do this quickly... I think PAM actually shut it down last night so trying to do my best... as quick as possible.

All help greatly appreciated.
iphitus Posted June 7, 2006

> Thx, already changed sshd but the 3 logins per IP per min are a good idea. I'm on Debian anyway but should be able to work that one out. On changing the user ... just checking 1) edit /etc/passwd and change

NO. Never edit it directly, use the appropriate tools. I never suggested changing the user, only the passwords. Just stuff you should be doing anyway, frequent password changing... right? :P

> 2) Do I need to do a recursive find/chown? Or I guess this actually depends on the filesystem?

Again, you don't need to change your user. Even then, if you change a user's username, so long as the numeric ID remains the same, you will not need to do a recursive chown.

> Sorry, casting out questions instead of reading since I obviously want to do this quickly... I think PAM actually shut it down last night so trying to do my best... as quick as possible.

Could always just pull the cable and isolate the machine ;) or temporarily reconfigure your router to not forward ports (assuming you have one). PAM isn't a daemon, so I don't know what you mean by 'shut down'.

James

edit: looks like you fell victim to my terrible post then edit habit, I added a bit more to the above post before.

Edited June 7, 2006 by iphitus
ffi Posted June 7, 2006

Damn, I have a user called mc. What is your set up gowator, do you have a router with NAT and firewall? Where is this log? I wonder if I am putting myself at risk too...
Gowator (Author) Posted June 7, 2006

> Damn, I have a user called mc. What is your set up gowator, do you have a router with NAT and firewall? Where is this log? I wonder if I am putting myself at risk too...

Yep, best not to advertise your username perhaps ;) Problem is this is a webserver open to the world, I occasionally need to login remotely to tweak or add things. Hence I have a router but this is set in the DMZ.... at least right now.

> NO. Never edit it directly, use the appropriate tools.

I was always taught vi was the appropriate tool :D at least when I did my Solaris sysadmin course.

> I never suggested changing the user, only the passwords.

Yes, but like ffi I have a weak username...

> Just stuff you should be doing anyway, frequent password changing... right? :P

Yep .. I just forgot to have a stronger username ... LOL

However I'm thinking to have a ssh user with a long..long secure name and only allow ssh from that user.
coverup Posted June 7, 2006

> Damn, I have a user called mc. What is your set up gowator, do you have a router with NAT and firewall? Where is this log? I wonder if I am putting myself at risk too...

Even if you permit 3 logins per minute, this won't stop crackers from continuing an attack. A better solution is to install a daemon called denyhosts (http://denyhosts.sourceforge.net). Denyhosts blacklists IP addresses when more than X (say 3) failed login attempts were made from that IP address. It simply adds those IP addresses to hosts.deny.
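The blacklisting logic coverup describes, applied to auth.log lines in the format Gowator posted, as an added example that is not code from the thread or from denyhosts itself: it parses sshd "Failed password" lines, counts failures per source address in a sliding window, separately flags failures against accounts that actually exist (the "news" case above), and produces the hosts.deny entries that would result. The host name, PIDs and addresses in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the same syslog/sshd format as the thread's auth.log excerpt.
SAMPLE_LOG = """\
Jun  5 16:54:14 host sshd[30211]: Failed password for invalid user nz from 192.0.2.10 port 27419 ssh2
Jun  5 16:54:16 host sshd[30233]: Failed password for invalid user nz from 198.51.100.7 port 47820 ssh2
Jun  5 16:54:18 host sshd[30243]: Failed password for invalid user na from 192.0.2.10 port 27585 ssh2
Jun  5 16:54:22 host sshd[30269]: Failed password for invalid user ns from 192.0.2.10 port 27752 ssh2
Jun  5 16:54:25 host sshd[30301]: Failed password for news from 192.0.2.10 port 27916 ssh2
Jun  5 16:55:02 host sshd[30400]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
Jun  5 17:10:00 host sshd[30550]: Failed password for invalid user admin from 198.51.100.7 port 48000 ssh2
"""

# "invalid user" is only present when the account does not exist on the box.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def parse_failures(text):
    """Return (timestamp, ip, user, account_exists) for each failed login."""
    events = []
    for m in filter(None, map(FAILED.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m["ip"], m["user"], m["invalid"] is None))
    return events

def offenders(events, threshold=3, window=timedelta(seconds=60)):
    """IPs with >= threshold failures inside any sliding window (denyhosts-style)."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip, _user, _exists in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return sorted(blocked)

def real_account_failures(events):
    """Failures against accounts that exist: the ones worth reading closely."""
    return sorted({(ip, user) for _ts, ip, user, exists in events if exists})

def hosts_deny_lines(ips):
    """hosts.deny entries in the daemon : client form denyhosts appends."""
    return [f"sshd: {ip}" for ip in ips]
```

The second address fails twice but more than a minute apart, so it stays under the threshold; shrink the window or raise the threshold to taste.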
ffi Posted June 7, 2006

Sorry to butt in, erm, this user mc is only more or less a guest account but I had just set up my computer yesterday to give full access to my NTFS partitions. Can hackers get in with this user? Where are my system security logs?

BTW: I heard this script is quite good, better than denyhosts apparently, in combination with APF: http://www.rfxnetworks.com/bfd.php

Edited June 7, 2006 by ffi
Gowator (Author) Posted June 7, 2006

> Sorry to butt in, erm, this user mc is only more or less a guest account but I had just set up my computer yesterday to give full access to my NTFS partitions. Can hackers get in with this user? Where are my system security logs?

You can start with checking /var/log/auth.log

PS: can someone quickly check the link in my sig and check it's accessible... went from 200 visitors a day to zero since this attack.

Edited June 7, 2006 by Gowator
ffi Posted June 7, 2006

The link is slow but there. Damn, mcc add, remove or change users isn't working in cooker :(
ianw1974 Posted June 7, 2006

Seems to be fast to me.
ffi Posted June 7, 2006

I have an 8MB line and it takes over 30 secs before the page loads, in Opera, FF and Konqueror... (might be DNS lookup or something like that; after the site loads, browsing within the site is fast)

Edited June 7, 2006 by ffi
Gowator (Author) Posted June 7, 2006

> I have an 8MB line and it takes over 30 secs before the page loads, in Opera, FF and Konqueror... (might be DNS lookup or something like that; after the site loads, browsing within the site is fast)

Probably, I'm at the end of the food chain on DNS, I get a static from my ISP but it's in a huge group ... If anyone else has seen this (like they are following links from here) I have the auth.log I can post or email.
iphitus Posted June 7, 2006

Weak username? It's still damned near impossible to get into a system, even if you have a username. I mean, it doesn't take a mastermind to know my username is 'iphitus'. There's nothing anyone can do with my username, they still need a password, and no dictionary attack is going to hit mine. And add to that there's at least 8x10^24 combinations of numbers and letters and characters of which one could be my pw. I can't see anyone attempting to guess that today. I wouldn't go to the trouble of changing username, it's not going to do anything to increase security.

As for setting your computer up in a DMZ, it'd probably be better to take it off DMZ, and only enable the ports you need: 80 for http, 443 for https, and 22 only if you really need it. How often do you really need to maintain your setup remotely? If you do, maybe try chucking ssh on a different port, it's less likely to get picked up by a random bot scan like you probably did this time.

James

Edited June 7, 2006 by iphitus
Leo Posted June 7, 2006

This is exactly the same attack method that compromised my machine a few weeks back (again the success was down to weak username and password (both since changed)).

Leo