LinuxQuestions.org

-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   breaking into my machine? (http://www.linuxquestions.org/questions/linux-security-4/breaking-into-my-machine-381167/)

debtman7 11-08-2005 12:59 PM

breaking into my machine?
 
I think this is a lost cause, but I figured it's worth a check to see if anyone has any ideas.

I've locked myself out of my well-secured machine. Actually, I didn't do it: 3 days ago I could log in just fine via ssh, and today I am getting:

ssh_exchange_identification: Connection closed by remote host

when I try. No idea what happened. I had the hosting company reboot it (colocated box) but that didn't do anything. The problem is, this machine is tightened down pretty good since I had it hacked into before. At this point, since ssh is not working, the only access I have to the box is http. The web server has a CMS installed so I can use the website to create any php pages I want. Of course, the php pages run as the webserver user so I can't even look at the system logs to try and see why ssh won't let me in. Nothing else is accessible, and the firewall blocks everything except ssh and http.

So, confirm my suspicion that I'm pretty much screwed... My options if I can't get into it somehow are limited to having the hosting company wipe it out and starting all over again... The machine is running fedora core 3 with no real updates, and the webserver is lighttpd which I know of no exploits for...

TBC Cosmo 11-08-2005 01:54 PM

In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? It's co-lo; does that mean too far for console access?

Tuttle 11-08-2005 02:01 PM

The only way I can think is if you asked them to put a live cd in the drive and add a user for you to ssh in on, maybe you could find the problem remotely....

debtman7 11-08-2005 02:24 PM

Quote:

Originally posted by TBC Cosmo
In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? Its co-lo, does that mean to far for console access?
No console access, at least by me. Nothing was reconfigured, I have no idea why it's not accepting connections. It's locked down as far as firewall only allows ssh and http, tcp wrappers only allow ssh connections from my ip subnet and ssh doesn't allow root logins. And of course the webserver runs as an unprivileged user without access to anything.

unSpawn 11-08-2005 07:37 PM

Quote:

Originally posted by debtman7
ssh_exchange_identification: Connection closed by remote host
Means the connection is cut off before ssh can begin to exchange its identification sequences.
Exactly the reply you get when tcpwrappers blocks access.

Quote:

Originally posted by debtman7
tcp wrappers only allow ssh connections from my ip subnet
Maybe a stupid question, but do you have a dynamic IP?

Quote:

Originally posted by debtman7
Nothing was reconfigured
If you didn't change the tcp wrappers config three days ago, then somebody else did...

In any case, you could ask the colo people to nuke hosts.{allow,deny} and restart sshd.

Quote:

Originally posted by debtman7
I've locked myself out of my well secured machine.
That's why I keep an unlisted sshd waiting through xinetd.
Xinetd can block traffic similarly to libwrap, so you don't need to make it use hosts.{allow,deny} for that.

debtman7 11-09-2005 07:44 AM

Nope, no dynamic IP, and I restricted it by domain rather than IP. The webserver has permission to read hosts.allow and hosts.deny and they are unchanged, so I have no idea why it's rejecting me. The only thing I can think of is a DNS issue...

I'm not sure that they can really do anything for me, since I control the machine completely and it's unmanaged by them, they have a pretty hands off policy. The only thought I've had so far is to edit the webserver config and have it run as root user so I can do what I need in php, but of course the webserver user doesn't have write permission to the config file. I tried to create a new config file and start up a copy of the webserver running as root on a different port, but realized that won't work because the firewall won't allow other ports in.

Well, I think that about does it :) I'll do some php scripts to backup what I need and see if the hosting company can give me a clean install. xinetd is probably a good idea, but I'm not sure what it would fix. Right now I have no idea why things aren't working and it seems I'm not going to have any way to find out, which makes it hard to make sure it doesn't happen again.

unSpawn 11-09-2005 09:07 AM

Before you ask them to nuke your setup maybe could you have them tarball the /etc and /var/log tree.
The logs could shed some light on this.

myguest 11-11-2005 03:28 AM

I've been facing the same problem.

Check your hosts.allow and hosts.deny files again. I was using the following notation to specify my network and getting no syntax error in the log files:

sshd: 192.168.0.0/24 in hosts.allow file
ALL: ALL EXCEPT 192.168.0.0/24 in hosts.deny file

I changed the syntax to:

sshd: 192.168.0. in my allow file
ALL: ALL EXCEPT 192.168.0. in my deny file


and everything is pretty OK.
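To make the two mechanisms discussed in this thread concrete (unSpawn's point that a tcp_wrappers refusal produces exactly the ssh_exchange_identification error, debtman7's suspicion that a domain-based rule stops matching when DNS breaks, and myguest's observation that 192.168.0.0/24 did not match while 192.168.0. did), here is a small model of the hosts_access(5) decision. This is an added example, not code from the thread or from tcp_wrappers itself. It follows the rules documented for upstream tcp_wrappers 7.6: hosts.allow is searched first (a match permits), then hosts.deny (a match refuses), and a client matching neither table is permitted; a pattern containing "/" must be dotted net/dotted mask. Distribution builds that accept additional syntax are not modelled, and every rule set, address and hostname below is constructed for the example.

```python
"""Model of tcp_wrappers hosts_access(5) matching (added example, not tcp_wrappers code).

Follows upstream tcp_wrappers 7.6 as documented in hosts_access(5): hosts.allow is
searched first (match = permit), then hosts.deny (match = refuse); no match = permit.
A '/' pattern must be dotted net/dotted mask in that release; other builds may differ.
All rule sets, addresses and hostnames here are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Client:
    addr: str                       # peer address as the daemon sees it
    hostname: Optional[str] = None  # None: reverse DNS failed, tcp_wrappers' "unknown"


def _tokens(field: str) -> List[str]:
    return field.replace(",", " ").split()


def _match_list(field: str, match_fn: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when something left of EXCEPT matches and nothing
    right of it does; EXCEPT nests to the right."""
    toks = _tokens(field)
    for i, tok in enumerate(toks):
        if tok.upper() == "EXCEPT":
            return (_match_list(" ".join(toks[:i]), match_fn)
                    and not _match_list(" ".join(toks[i + 1:]), match_fn))
    return any(match_fn(t) for t in toks)


def _match_client(pat: str, client: Client, warnings: List[str]) -> bool:
    """One client pattern from the PATTERNS section of hosts_access(5)."""
    p = pat.lower()
    if p == "all":
        return True
    if p == "known":
        return client.hostname is not None
    if p == "unknown":
        return client.hostname is None
    if p == "local":
        return client.hostname is not None and "." not in client.hostname
    if p.startswith("."):             # domain suffix: only works with a resolved hostname
        return client.hostname is not None and client.hostname.lower().endswith(p)
    if p.endswith("."):               # address prefix, e.g. 192.168.0.
        return client.addr.startswith(p)
    if "/" in p:                      # net/mask, both dotted-quad
        net, _, mask = p.partition("/")
        try:
            net_i, mask_i = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask))
        except ipaddress.AddressValueError:   # e.g. "/24": 7.6 logs a warning and never matches
            warnings.append(f"bad net/mask expression: {pat}")
            return False
        return (int(ipaddress.IPv4Address(client.addr)) & mask_i) == net_i
    return p == client.addr or (client.hostname is not None and p == client.hostname.lower())


def _rules(text: str):
    """Yield (daemon_list, client_list) pairs from a hosts.allow/hosts.deny body."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            daemons, _, rest = line.partition(":")
            yield daemons.strip(), rest.partition(":")[0].strip()  # options ignored


def _table_match(text: str, daemon: str, client: Client, warnings: List[str]) -> bool:
    for daemons, clients in _rules(text):
        if (_match_list(daemons, lambda t: t.lower() in ("all", daemon.lower()))
                and _match_list(clients, lambda t: _match_client(t, client, warnings))):
            return True
    return False


def hosts_access(allow: str, deny: str, daemon: str, client: Client,
                 warnings: Optional[List[str]] = None) -> bool:
    """True if tcp_wrappers would let `client` reach `daemon`."""
    warnings = [] if warnings is None else warnings
    if _table_match(allow, daemon, client, warnings):
        return True
    if _table_match(deny, daemon, client, warnings):
        return False
    return True


# Constructed rule sets mirroring the situations in the thread.
ALLOW_DOMAIN = "sshd: .example.com\n"                # restrict by domain, as debtman7 did
DENY_DOMAIN = "ALL: ALL EXCEPT .example.com\n"
ALLOW_CIDR = "sshd: 192.168.0.0/24\n"                # myguest's first notation
DENY_CIDR = "ALL: ALL EXCEPT 192.168.0.0/24\n"
ALLOW_PREFIX = "sshd: 192.168.0.\n"                  # myguest's working notation
DENY_PREFIX = "ALL: ALL EXCEPT 192.168.0.\n"
ALLOW_MASK = "sshd: 192.168.0.0/255.255.255.0\n"     # the documented net/mask form


def demo() -> dict:
    admin = Client("192.168.0.5", "admin.example.com")  # reverse DNS working
    admin_nodns = Client("192.168.0.5", None)           # same peer, reverse DNS broken
    outsider = Client("10.9.8.7", "host.example.net")
    w: List[str] = []
    return {
        "domain_dns_ok": hosts_access(ALLOW_DOMAIN, DENY_DOMAIN, "sshd", admin),
        "domain_dns_broken": hosts_access(ALLOW_DOMAIN, DENY_DOMAIN, "sshd", admin_nodns),
        "domain_outsider": hosts_access(ALLOW_DOMAIN, DENY_DOMAIN, "sshd", outsider),
        "cidr_admin": hosts_access(ALLOW_CIDR, DENY_CIDR, "sshd", admin, w),
        "prefix_admin": hosts_access(ALLOW_PREFIX, DENY_PREFIX, "sshd", admin),
        "prefix_outsider": hosts_access(ALLOW_PREFIX, DENY_PREFIX, "sshd", outsider),
        "mask_admin": hosts_access(ALLOW_MASK, DENY_PREFIX, "sshd", admin),
        "cidr_warnings": w,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "domain_dns_broken" case is the one that matches this thread's symptom: the same peer from the same address is permitted while its reverse lookup resolves and refused the moment it does not, because a leading-dot pattern can only match a hostname and the ALL EXCEPT rule in hosts.deny then catches everything. Address-prefix or dotted net/mask rules do not depend on DNS at all. On a real box the equivalent check is tcpdmatch(8), e.g. tcpdmatch sshd 192.168.0.5 against the installed files, which also reports the warning a malformed net/mask pattern produces.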

