LinuxQuestions.org
Old 11-08-2005, 12:59 PM   #1
debtman7
LQ Newbie
 
Registered: Aug 2005
Posts: 4

breaking into my machine?


I think this is a lost cause, but I figured it's worth a check to see if anyone has any ideas.

I've locked myself out of my well secured machine. Actually, I didn't do it: 3 days ago I could log in just fine via ssh, and today I am getting:

ssh_exchange_identification: Connection closed by remote host

when I try. No idea what happened. I had the hosting company reboot it (colocated box) but that didn't do anything. The problem is, this machine is tightened down pretty good since I had it hacked into before. At this point, since ssh is not working, the only access I have to the box is http. The web server has a CMS installed so I can use the website to create any php pages I want. Of course, the php pages run as the webserver user so I can't even look at the system logs to try and see why ssh won't let me in. Nothing else is accessible, and the firewall blocks everything except ssh and http.

So, confirm my suspicion that I'm pretty much screwed... My options if I can't get into it somehow are limited to having the hosting company wipe it out and starting all over again... The machine is running fedora core 3 with no real updates, and the webserver is lighttpd which I know of no exploits for...
 
Old 11-08-2005, 01:54 PM   #2
TBC Cosmo
Member
 
Registered: Feb 2004
Location: NY
Distribution: Fedora 10, CentOS 5.4, Debian 5 Sparc64
Posts: 355

In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? It's co-lo; does that mean too far for console access?
 
Old 11-08-2005, 02:01 PM   #3
Tuttle
Senior Member
 
Registered: Jul 2003
Location: Wellington, NZ
Distribution: mainly slackware
Posts: 1,289

The only way I can think is if you asked them to put a live cd in the drive and add a user for you to ssh in on, maybe you could find the problem remotely....
 
Old 11-08-2005, 02:24 PM   #4
debtman7
LQ Newbie
 
Registered: Aug 2005
Posts: 4

Original Poster
Quote:
Originally posted by TBC Cosmo
In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? It's co-lo; does that mean too far for console access?
No console access, at least by me. Nothing was reconfigured; I have no idea why it's not accepting connections. It's locked down as far as: the firewall only allows ssh and http, tcp wrappers only allow ssh connections from my ip subnet, and ssh doesn't allow root logins. And of course the webserver runs as an unprivileged user without access to anything.
 
Old 11-08-2005, 07:37 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Quote:
ssh_exchange_identification: Connection closed by remote host
Means the connection is cut off before ssh can begin to exchange its identification sequences.
Exactly the reply when tcpwrappers blocks access.

Quote:
tcp wrappers only allow ssh connections from my ip subnet
Maybe a stupid question, but do you have a dynamic IP?

Quote:
Nothing was reconfigured
If you didn't change tcp wrappers config three days ago then somebody else did...

In any case you could ask the colo ppl to nuke hosts.{allow,deny} and restart sshd.

Quote:
I've locked myself out of my well secured machine.
That's why I keep an unlisted sshd waiting through Xinetd.
Xinetd can block traffic similar to Libwrap, so you don't need to make it use hosts.{allow,deny} for that.
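The arrangement unSpawn describes (a second sshd started by xinetd, with xinetd itself doing the source filtering) looks roughly like this. This is an added example, not configuration from the thread or from the xinetd or OpenSSH projects; the service name, port 2222 and the 192.0.2.0/24 source network are placeholders.

```text
# /etc/xinetd.d/ssh-backup   (added example; port and network are placeholders)
service ssh-backup
{
    type        = UNLISTED          # not in /etc/services, so the port is given here
    port        = 2222
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/sshd
    server_args = -i                # inetd mode: one sshd per accepted connection
    only_from   = 192.0.2.0/24      # xinetd's own check, independent of hosts.{allow,deny}
}
```

xinetd evaluates only_from before it ever launches sshd, so a broken or stale hosts.allow/hosts.deny (or a failed reverse DNS lookup behind a domain-based rule) does not take this door down with it. The same limitation the original poster later hits with a second web server applies here too: the chosen port still has to be permitted by the host firewall, otherwise the backup sshd is exactly as unreachable as the main one.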
 
Old 11-09-2005, 07:44 AM   #6
debtman7
LQ Newbie
 
Registered: Aug 2005
Posts: 4

Original Poster
Nope, no dynamic IP and I restricted it by domain rather than IP. The webserver has permission to read the hosts.allow and hosts.deny and they are unchanged, so I have no idea why it's rejecting me. Only thing I can think of is a DNS issue...

I'm not sure that they can really do anything for me, since I control the machine completely and it's unmanaged by them; they have a pretty hands-off policy. The only thought I've had so far is to edit the webserver config and have it run as root user so I can do what I need in php, but of course the webserver user doesn't have write permission to the config file. I tried to create a new config file and start up a copy of the webserver running as root on a different port, but realized that won't work because the firewall won't allow other ports in.

Well, I think that about does it. I'll do some php scripts to backup what I need and see if the hosting company can give me a clean install. xinetd is probably a good idea, but I'm not sure what it would fix. Right now I have no idea why things aren't working and it seems I'm not going to have any way to find out, which makes it hard to make sure it doesn't happen again.
 
Old 11-09-2005, 09:07 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Before you ask them to nuke your setup, maybe you could have them tarball the /etc and /var/log tree.
The logs could shed some light on this.
 
Old 11-11-2005, 03:28 AM   #8
myguest
LQ Newbie
 
Registered: Jun 2004
Location: Zimbabwe
Distribution: redhat
Posts: 21

I've been facing the same problem.

Check your hosts.allow and hosts.deny files again. I was using the following notation to specify my network and getting no syntax error in the log files:

sshd: 192.168.0.0/24 in hosts.allow file
ALL: ALL EXCEPT 192.168.0.0/24 in hosts.deny file

I changed the syntax to:

sshd: 192.168.0. in my allow file
ALL: ALL EXCEPT 192.168.0. in my deny file


and everything is pretty ok.

Last edited by myguest; 11-11-2005 at 06:51 AM.
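How tcp_wrappers actually evaluates the two files is what decides both the situation in posts #5/#6 (a domain-based allow rule silently failing when reverse DNS fails) and the notation question in post #8. The following Python model is an added example, not code from the thread or from the tcp_wrappers library: it implements the lookup order from hosts_access(5) (hosts.allow first, a match grants; hosts.deny second, a match refuses; otherwise access is granted), the EXCEPT operator the way libwrap's list matcher handles it (the left list must match and the remainder after the first EXCEPT must not), and the IPv4 client pattern forms: ALL/KNOWN/UNKNOWN, a leading-dot domain suffix, a trailing-dot address prefix, a net/mask pair, and the net/prefixlen form that only builds with IPv4 CIDR support accept. Everything else (usernames, IPv6, option fields) is left out, and all sample files, addresses and function names are constructed for the example.

```python
"""Added example (not from the thread or tcp_wrappers): a model of how
hosts.allow / hosts.deny are evaluated for an incoming sshd connection.
IPv4 only; sample files and clients below are constructed."""

import ipaddress


def pattern_matches(pattern, client):
    """Match one client pattern against {"ip": str, "host": str | None}.
    "host" is what reverse DNS returned for the client, or None when the
    lookup failed; that is what makes domain-based rules depend on DNS."""
    ip = ipaddress.IPv4Address(client["ip"])
    host = client.get("host")
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return host is not None
    if pattern == "UNKNOWN":
        return host is None
    if pattern.startswith("."):            # ".example.com": domain suffix, needs DNS
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # "192.168.0.": address prefix, no DNS needed
        return str(ip).startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." in mask:                    # "n.n.n.n/m.m.m.m" net/mask pair, hosts_access(5)
            mask_bits = int(ipaddress.IPv4Address(mask))
            return (int(ip) & mask_bits) == (int(ipaddress.IPv4Address(net)) & mask_bits)
        # "n.n.n.n/prefixlen": only accepted by builds that added IPv4 CIDR support
        return ip in ipaddress.IPv4Network(pattern, strict=False)
    if host is not None and pattern.lower() == host.lower():
        return True
    return pattern == str(ip)


def list_matches(tokens, match_one):
    """Token list with EXCEPT: "a b EXCEPT c" matches when a or b matches
    and the list after the first EXCEPT does not (as in libwrap's list_match)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match_one) and not list_matches(tokens[i + 1:], match_one)
    return any(match_one(tok) for tok in tokens)


def parse_rules(text):
    """File contents -> list of (daemon_tokens, client_tokens); comments and
    option fields after the second colon are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (list_matches(daemons, lambda tok: tok in ("ALL", daemon))
            and list_matches(clients, lambda tok: pattern_matches(tok, client)))


def access_allowed(daemon, client, hosts_allow, hosts_deny):
    """hosts.allow first (match => allow), then hosts.deny (match => refuse), else allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_deny)):
        return False
    return True


# Constructed sample files. ALLOW_BY_DOMAIN is the shape of rule the original
# poster describes ("restricted it by domain rather than IP").
ALLOW_BY_MASK = "sshd: 192.168.0.0/255.255.255.0\n"
ALLOW_BY_PREFIX = "sshd: 192.168.0.\n"
ALLOW_BY_DOMAIN = "sshd: .example.com\n"
DENY_ALL = "ALL: ALL\n"
DENY_ALL_EXCEPT_PREFIX = "ALL: ALL EXCEPT 192.168.0.\n"


def demo():
    inside = {"ip": "192.168.0.10", "host": "admin.example.com"}
    outside = {"ip": "10.0.0.5", "host": None}
    inside_no_dns = {"ip": "192.168.0.10", "host": None}   # reverse lookup failed
    return {
        "mask_inside": access_allowed("sshd", inside, ALLOW_BY_MASK, DENY_ALL),
        "mask_outside": access_allowed("sshd", outside, ALLOW_BY_MASK, DENY_ALL),
        "prefix_inside": access_allowed("sshd", inside, ALLOW_BY_PREFIX, DENY_ALL),
        "deny_except_inside": access_allowed("sshd", inside, "", DENY_ALL_EXCEPT_PREFIX),
        "deny_except_outside": access_allowed("sshd", outside, "", DENY_ALL_EXCEPT_PREFIX),
        "domain_with_dns": access_allowed("sshd", inside, ALLOW_BY_DOMAIN, DENY_ALL),
        "domain_without_dns": access_allowed("sshd", inside_no_dns, ALLOW_BY_DOMAIN, DENY_ALL),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allowed' if allowed else 'refused before key exchange'}")
```

The last two results are the thread's failure mode in miniature: the same client from the same address is let in while its reverse lookup resolves to the allowed domain and refused, before any SSH identification exchange, as soon as the lookup fails, which is why an address-based pattern (trailing dot or net/mask) is the more robust choice for an emergency path. The net/prefixlen branch is kept separate because the classic hosts_access(5) documents only the net/mask form, so whether "192.168.0.0/24" is accepted depends on the tcp_wrappers build in use.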