Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-08-2005, 12:59 PM | #1
LQ Newbie | Registered: Aug 2005 | Posts: 4
breaking into my machine?
I think this is a lost cause, but I figured it's worth a check to see if anyone has any ideas.
I've locked myself out of my well secured machine. Actually, I didn't do it: 3 days ago I could log in just fine via ssh, and today I am getting:
ssh_exchange_identification: Connection closed by remote host
when I try. No idea what happened. I had the hosting company reboot it (colocated box) but that didn't do anything. The problem is, this machine is tightened down pretty good since I had it hacked into before. At this point, since ssh is not working, the only access I have to the box is http. The web server has a CMS installed so I can use the website to create any php pages I want. Of course, the php pages run as the webserver user so I can't even look at the system logs to try and see why ssh won't let me in. Nothing else is accessible, and the firewall blocks everything except ssh and http.
So, confirm my suspicion that I'm pretty much screwed... My options, if I can't get into it somehow, are limited to having the hosting company wipe it out and starting all over again... The machine is running Fedora Core 3 with no real updates, and the webserver is lighttpd, which I know of no exploits for...
11-08-2005, 01:54 PM | #2
Member | Registered: Feb 2004 | Location: NY | Distribution: Fedora 10, CentOS 5.4, Debian 5 Sparc64 | Posts: 352
In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? It's co-lo; does that mean too far for console access?
11-08-2005, 02:01 PM | #3
Senior Member | Registered: Jul 2003 | Location: Wellington, NZ | Distribution: mainly slackware | Posts: 1,288
The only way I can think of is if you asked them to put a live CD in the drive and add a user for you to ssh in on; maybe you could find the problem remotely....
11-08-2005, 02:24 PM | #4
LQ Newbie | Registered: Aug 2005 | Posts: 4 | Original Poster
Quote:
Originally posted by TBC Cosmo
In what ways was it tightened down? What authentication methods were enabled for sshd when the machine was reconfigured? It's co-lo; does that mean too far for console access?
No console access, at least by me. Nothing was reconfigured; I have no idea why it's not accepting connections. It's locked down as far as: the firewall only allows ssh and http, tcp wrappers only allow ssh connections from my IP subnet, and ssh doesn't allow root logins. And of course the webserver runs as an unprivileged user without access to anything.
11-08-2005, 07:37 PM | #5
Moderator | Registered: May 2001 | Posts: 24,811
Quote:
ssh_exchange_identification: Connection closed by remote host
Means the connection is cut off before ssh can begin to exchange its identification sequences.
Exactly the reply when tcpwrappers blocks access.
Quote:
tcp wrappers only allow ssh connections from my ip subnet
Maybe a stupid question, but do you have a dynamic IP?
Quote:
Nothing was reconfigured
If you didn't change tcp wrappers config three days ago then somebody else did...
In any case you could ask the colo ppl to nuke hosts.{allow,deny} and restart sshd.
Quote:
I've locked myself out of my well secured machine.
That's why I keep an unlisted sshd waiting through Xinetd.
Xinetd can block traffic similar to Libwrap, so you don't need to make it use hosts.{allow,deny} for that.
11-09-2005, 07:44 AM | #6
LQ Newbie | Registered: Aug 2005 | Posts: 4 | Original Poster
Nope, no dynamic IP and I restricted it by domain rather than IP. The webserver has permission to read the hosts.allow and hosts.deny and they are unchanged, so I have no idea why it's rejecting me. Only thing I can think of is a DNS issue...
I'm not sure that they can really do anything for me, since I control the machine completely and it's unmanaged by them, they have a pretty hands off policy. The only thought I've had so far is to edit the webserver config and have it run as root user so I can do what I need in php, but of course the webserver user doesn't have write permission to the config file. I tried to create a new config file and start up a copy of the webserver running as root on a different port, but realized that won't work because the firewall won't allow other ports in.
Well, I think that about does it. I'll do some php scripts to back up what I need and see if the hosting company can give me a clean install. xinetd is probably a good idea, but I'm not sure what it would fix. Right now I have no idea why things aren't working, and it seems I'm not going to have any way to find out, which makes it hard to make sure it doesn't happen again.
11-09-2005, 09:07 AM | #7
Moderator | Registered: May 2001 | Posts: 24,811
Before you ask them to nuke your setup, maybe you could have them tarball the /etc and /var/log trees.
The logs could shed some light on this.
11-11-2005, 03:28 AM | #8
LQ Newbie | Registered: Jun 2004 | Location: Zimbabwe | Distribution: redhat | Posts: 21
I've been facing the same problem.
Check again your hosts.allow and deny files. I was using the following notation to specify my network and getting no syntax error in log files:
sshd: 192.168.0.0/24 in hosts.allow file
ALL: ALL EXCEPT 192.168.0.0/24 in hosts.deny file
I changed the syntax to:
sshd: 192.168.0. in my allow file
ALL: ALL EXCEPT 192.168.0. in my deny file
and everything is pretty OK.
Last edited by myguest; 11-11-2005 at 06:51 AM.
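A small evaluator for the hosts.allow/hosts.deny behaviour discussed in posts #5 and #8, written for this thread (it is not code from the thread, nor from tcp_wrappers itself). It assumes classic hosts_access(5) semantics: hosts.allow is consulted first, then hosts.deny, unmatched clients are allowed, a ".domain" pattern cannot match a client whose reverse DNS lookup failed (the DNS case the original poster suspects in post #6), and only the net/dotted-mask form is understood, so the "/24" notation from post #8 matches nothing. The file contents, addresses and hostnames below are constructed.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules for one client.

Added example, not from the thread.  Assumed classic hosts_access(5)
semantics: hosts.allow is consulted first, then hosts.deny, unmatched
clients are allowed; a ".domain" pattern needs a resolved hostname; the
only net form understood is net/dotted-mask, so "/24" matches nothing."""
import ipaddress

def pattern_matches(pattern, ip, host):
    """One client pattern: ALL, .domain suffix, numeric prefix, net/mask, or literal."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".example.com" needs a successful reverse lookup
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):        # "192.168.0." is a plain numeric prefix match
        return ip.startswith(pattern)
    if "/" in pattern:               # "192.168.0.0/255.255.255.0" is a net/mask pair
        net, mask = pattern.split("/", 1)
        if mask.count(".") != 3:     # assumption: a bare "/24" is not a valid mask here
            return False
        as_int = lambda a: int(ipaddress.IPv4Address(a))
        return as_int(ip) & as_int(mask) == as_int(net) & as_int(mask)
    return pattern == ip or pattern == host

def list_matches(client_list, ip, host):
    """'a b EXCEPT c' matches when a or b matches and the EXCEPT list does not."""
    left, _, right = client_list.partition(" EXCEPT ")
    if not any(pattern_matches(p, ip, host) for p in left.replace(",", " ").split()):
        return False
    return not (right and list_matches(right, ip, host))

def rules_match(text, daemon, ip, host):
    """True if any 'daemon_list : client_list' line in text matches the client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (s.strip() for s in line.split(":", 1))
        if daemons == "ALL" or daemon in daemons.replace(",", " ").split():
            if list_matches(clients, ip, host):
                return True
    return False

def access_allowed(allow_text, deny_text, daemon, ip, host=None):
    """host=None models a client whose reverse DNS lookup failed."""
    if rules_match(allow_text, daemon, ip, host):
        return True
    return not rules_match(deny_text, daemon, ip, host)
```

With the "/24" files from post #8 a 192.168.0.x client is refused (the deny line's ALL matches and its EXCEPT clause never does), and a ".domain" allow rule refuses the same client the moment its reverse lookup fails, which is exactly the tcpwrappers-style refusal that shows up as ssh_exchange_identification.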