Old 08-27-2004, 11:24 AM   #1
linuxboy69
Member
 
Registered: Oct 2003
Distribution: Redhat 9
Posts: 138

Rep: Reputation: 15
SSH attack, Have I been hacked? Please help


As you might have heard, lately there has been a lot of ssh scanning going on, and it has happened to my firewalls for the longest time. Until yesterday it had just been the subtle ssh login attempts for user guest, admin etc... but then ......... BOOM!!! I was hit with hundreds of ssh connections to root. I have three firewalls that were attacked yesterday.

I have heard in the past that it is possible to get root access by overloading ssh with connections till the point where it just lets you in. Is this possible?

One thing that worries me is that in my secure logs it shows two of the firewalls being attacked for 1 and 1/2 hours and then the third was attacked for almost 4 hours. Why would one get hit more than the others?

Another thing that worries me is that on the tail end of my logs of one of the firewalls, it looks like this:

Aug 26 16:40:44 localhost sshd[1067]: Failed password for root from 210.205.6.157 port 45135 ssh2
Aug 26 16:40:44 localhost sshd[1067]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 16:40:45 localhost sshd[1068]: Could not reverse map address 210.205.6.157.
Aug 26 16:40:48 localhost sshd[1068]: Failed password for root from 210.205.6.157 port 45329 ssh2
Aug 26 16:40:48 localhost sshd[1068]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 16:40:59 localhost sshd[1069]: Could not reverse map address 210.205.6.157.
Aug 26 16:41:01 localhost sshd[1069]: Failed password for root from 210.205.6.157 port 45519 ssh2
Aug 26 16:41:01 localhost sshd[1069]: Connection closed by 210.205.6.157

The other firewall logs look like this:

Aug 26 18:35:19 h64-42-240-228 sshd[23464]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 18:35:20 h64-42-240-228 sshd[23465]: Could not reverse map address 210.205.6.157.
Aug 26 18:35:22 h64-42-240-228 sshd[23465]: Failed password for root from 210.205.6.157 port 54996 ssh2
Aug 26 18:35:22 h64-42-240-228 sshd[23465]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 18:35:24 h64-42-240-228 sshd[23466]: Could not reverse map address 210.205.6.157.
Aug 26 18:35:26 h64-42-240-228 sshd[23466]: Failed password for root from 210.205.6.157 port 55185 ssh2
Aug 26 18:35:26 h64-42-240-228 sshd[23466]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 18:35:28 h64-42-240-228 sshd[23467]: Could not reverse map address 210.205.6.157.
Aug 26 18:35:30 h64-42-240-228 sshd[23467]: Failed password for root from 210.205.6.157 port 55375 ssh2
Aug 26 18:35:30 h64-42-240-228 sshd[23467]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 18:35:31 h64-42-240-228 sshd[23468]: Could not reverse map address 210.205.6.157.
Aug 26 18:35:34 h64-42-240-228 sshd[23468]: Failed password for root from 210.205.6.157 port 55550 ssh2
Aug 26 18:35:34 h64-42-240-228 sshd[23468]: Received disconnect from 210.205.6.157: 11: Bye Bye

Any suggestions?

Last edited by linuxboy69; 08-27-2004 at 11:25 AM.
 
Old 08-27-2004, 12:50 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Re: SSH attack, Have I been hacked? Please help

I have heard in the past that it is possible to get root access by overloading ssh with connections till the point where it just lets you in. Is this possible?
No. You'd eventually either start dropping incoming packets or max out the number of simultaneous ssh connections, but Linux wouldn't just "throw in the towel" and let you log in without a valid username/password. Now if you did something foolish like still having a root password of "root" or "admin" despite knowing there was an increase in ssh scans/bruteforce attempts, then you could very well be in trouble.

One thing that worries me is that in my secure logs it shows two of the firewalls being attacked for an 1 and 1/2 hours and then the third was attacked for almost 4 hours.
That seems like a long time, but if you have decent passwords, then that is really a trivial amount of time compared to how long it would take to bruteforce a non-dictionary alpha-numeric password. Also, you should never allow root to login directly over ssh. In the sshd config file there is an entry of "AllowRootLogins", which you should set to "No".

Why would one get hit more than the others?
Don't know. Maybe they didn't like that machine?

Aug 26 16:41:01 localhost sshd[1069]: Failed password for root from 210.205.6.157 port 45519 ssh2
Aug 26 16:41:01 localhost sshd[1069]: Connection closed by 210.205.6.157

If you look at the timestamps here, they are referring to the same login attempt (which failed).

Any suggestions?
Check the output of last -i and see if any root logins occurred at that time. If you have at least semi-reasonable passwords, then these login attempts are an annoyance at best. Don't forget to change the AllowRootLogins to No, and I'd personally add an iptables rule to drop everything from the funboi at 210.205.6.157. If it's possible, restricting access to ssh to only a few machines or networks (even just limiting access to an entire ISP's network) can significantly reduce the number of these attempts.
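To turn the advice in this reply into something runnable, here is an added example (not from the thread): it summarises failed logins per source IP from log lines in the format the original poster pasted, renders the iptables DROP rule for repeat offenders, and reports the sshd_config root-login setting. The real sshd_config keyword is PermitRootLogin (the reply calls it "AllowRootLogins"); the 192.0.2.10 "Accepted" line in the sample is constructed so that a successful login is present and must not be counted.

```shell
# Constructed sample in the format of the thread's /var/log/secure excerpts:
# the attacking IPs come from the posts, the 192.0.2.10 login is made up
# so that an "Accepted" line is present and must NOT be counted.
SECURE_LOG='Aug 26 16:40:44 localhost sshd[1067]: Failed password for root from 210.205.6.157 port 45135 ssh2
Aug 26 16:40:44 localhost sshd[1067]: Received disconnect from 210.205.6.157: 11: Bye Bye
Aug 26 16:40:45 localhost sshd[1068]: Could not reverse map address 210.205.6.157.
Aug 26 16:40:48 localhost sshd[1068]: Failed password for root from 210.205.6.157 port 45329 ssh2
Aug 26 16:41:01 localhost sshd[1069]: Failed password for root from 210.205.6.157 port 45519 ssh2
Aug 26 16:41:01 localhost sshd[1069]: Connection closed by 210.205.6.157
Aug 28 19:58:03 localhost sshd[2980]: Failed password for illegal user guest from 211.199.110.131 port 51720 ssh2
Aug 28 20:02:10 localhost sshd[3001]: Accepted password for alice from 192.0.2.10 port 40000 ssh2'

# Per source IP: number of failed logins plus first and last timestamp, which
# answers "how long was each box hammered" straight from the log.
# Output: "<ip> <failures> <first ts> <last ts>", most failures first.
failed_by_ip() {
    printf '%s\n' "$SECURE_LOG" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            ts = $1 " " $2 " " $3
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END { for (ip in n) print ip, n[ip], first[ip], last[ip] }' | sort -k2,2nr
}

# Sources with at least <threshold> failures, each rendered as the iptables
# DROP rule the reply recommends. Printed for review, never executed here.
drop_rules() {
    threshold=${1:-3}
    failed_by_ip | awk -v t="$threshold" \
        '$2 >= t { print "iptables -I INPUT -s " $1 " -p tcp --dport 22 -j DROP" }'
}

# The real sshd_config keyword is PermitRootLogin (the reply calls it
# "AllowRootLogins"); sshd uses the first uncommented occurrence, so report
# that one, or "unset" when the file does not mention it at all.
root_login_status() {
    cfg=${1:-/etc/ssh/sshd_config}
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$cfg"
}
```

Run `failed_by_ip` against a real file by replacing the `printf` with `cat /var/log/secure`; the rest of the pipeline is unchanged.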
 
Old 08-27-2004, 02:20 PM   #3
linuxboy69
Member
 
Registered: Oct 2003
Distribution: Redhat 9
Posts: 138

Original Poster
Rep: Reputation: 15
Now if you did something foolish like still having a root password of "root" or "admin" despite knowing there was an increase in ssh scans/bruteforce attempts, then you could very well be in trouble.

The passwords I use are a mix of characters and numbers, thankfully.

Also, you should never allow root to login directly over ssh. In the sshd config file there is an entry of "AllowRootLogins", which you should set to "No".

Good Advice, I am changing that ASAP.

I'd personally add an iptables rule to drop everything from the funboi at 210.205.6.157.

I have been scanned by so many different IPs. Is it likely that it is the same person spoofing many IPs? Is there an actual way of tracking down where these are coming from if they are spoofed?
 
Old 08-27-2004, 03:18 PM   #4
Finlay
Senior Member
 
Registered: Mar 2003
Location: Seattle
Distribution: Slackware ?-14.1
Posts: 1,029

Rep: Reputation: 47
I got attacked by that same IP yesterday.
I traced it down to someone in Korea.
I emailed the ISP that hosts it and forwarded the IP and ISP to the FBI.
 
Old 08-27-2004, 06:26 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I have been scanned by so many different ips. Is it likely that it is the same person spoofing many ips? Is there an actual way of tracking down where these are coming from if they are spoofed?
These are most likely not spoofed. Spoofing a connection that requires a three-way TCP handshake takes a fairly considerable amount of effort. They might be coming from someone else's machine that was cracked and used as an intermediate to attack other machines, so I'd be careful about "going after" any of those IP addresses. However, reporting them to their ISP (as Finlay did) is a good idea.
 
Old 08-30-2004, 10:17 AM   #6
linuxboy69
Member
 
Registered: Oct 2003
Distribution: Redhat 9
Posts: 138

Original Poster
Rep: Reputation: 15
Still on the same computer, I checked the secure logs today and found this in the logs:

Aug 28 19:51:09 pricilla sshd[22007]: Connection closed by 211.199.110.131

Is it possible to log only the disconnecting part of the connection? Just want to double check and make sure that I am not missing the first part because someone might have deleted entries from the logs.

There was no corresponding opening connection with that IP. I am getting really paranoid now with all the strange things that seem to be happening lately lol. Thank you for helping me and calming my nerves. It is greatly appreciated.

P.S. This IP also scanned another computer of mine. Here is the clip of the log:

Aug 28 19:58:03 localhost sshd[2980]: Could not reverse map address 211.199.110.131.
Aug 28 19:58:03 localhost sshd[2980]: Failed password for illegal user guest from 211.199.110.131 port 51720 ssh2
Aug 28 19:58:03 localhost sshd[2980]: Received disconnect from 211.199.110.131: 11: Bye Bye
Aug 28 19:58:13 localhost sshd[2981]: Did not receive identification string from 211.199.110.131

Last edited by linuxboy69; 08-30-2004 at 10:30 AM.
 
Old 08-30-2004, 10:53 AM   #7
Finlay
Senior Member
 
Registered: Mar 2003
Location: Seattle
Distribution: Slackware ?-14.1
Posts: 1,029

Rep: Reputation: 47
I disabled root from being able to login to ssh and have not received any logs since then; have you done that?
You can change your log level of sshd; type 'man sshd', it explains what file to change.
 
Old 08-30-2004, 11:47 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Still on the same computer, I checked the secure logs today and found this in the logs:
Aug 28 19:51:09 pricilla sshd[22007]: Connection closed by 211.199.110.131

Seems like you're not the only one:
http://www.dshield.org/warning_expla...&Submit=Submit

Just want to double check and make sure that I am not missing the first part because someone might have deleted entries from the logs.
Again, check last -i for any abnormal logins that correspond with that time frame. If you're concerned about log deletion, download and run chkrootkit, which checks for utmp/wtmp alteration. As a side note, I would highly recommend installing some type of file alteration scanner like tripwire, samhain, afick, etc. They can detect modification of critical files that would often occur after an intrusion. They are also rather difficult to defeat for the standard script kiddie, especially if you put copies of the scanner binary, the database, and utils on non-writable media. Plus, the best part is you can run a scan and be relatively sure (along with other checks) that an intrusion hasn't occurred, saving you sleepless nights wondering if Joe Cracker is using your server to distribute illegal goat porn.
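An added example (not part of the thread) for the log-deletion worry discussed above: it groups sshd lines by process id, so a lone "Connection closed by" shows up as a pre-auth disconnect rather than a missing entry, and then cross-checks the root logins that `last -i` reports against sshd's accepted sessions, which is the "do the two records agree" test the reply is pointing at. Both inputs are constructed in the thread's format; 192.0.2.10 and 203.0.113.9 are made-up hosts, and the 203.0.113.9 wtmp entry has deliberately no sshd counterpart.

```shell
# Constructed /var/log/secure excerpt in the thread's format: the lone
# "Connection closed" line from the post, the guest attempt from the same
# IP, and a made-up successful root login from 192.0.2.10 for contrast.
SECURE_LOG='Aug 28 19:51:09 pricilla sshd[22007]: Connection closed by 211.199.110.131
Aug 28 19:58:03 pricilla sshd[2980]: Could not reverse map address 211.199.110.131.
Aug 28 19:58:03 pricilla sshd[2980]: Failed password for illegal user guest from 211.199.110.131 port 51720 ssh2
Aug 28 19:58:03 pricilla sshd[2980]: Received disconnect from 211.199.110.131: 11: Bye Bye
Aug 28 19:58:13 pricilla sshd[2981]: Did not receive identification string from 211.199.110.131
Aug 28 20:05:41 pricilla sshd[3010]: Accepted password for root from 192.0.2.10 port 40211 ssh2'

# Constructed `last -i` (wtmp) output for the same day. The 203.0.113.9 entry
# is deliberately absent from the sshd log above to show what a gap looks like.
LAST_I='root     pts/2        203.0.113.9      Sat Aug 28 19:50 - 19:52  (00:02)
root     pts/1        192.0.2.10       Sat Aug 28 20:05 - 20:30  (00:25)
alice    pts/0        198.51.100.7     Sat Aug 28 09:12 - 09:40  (00:28)
reboot   system boot  0.0.0.0          Fri Aug 27 08:00 - 21:00  (13:00)'

# One line per sshd process: "<pid> <peer> <outcome>". A process whose only
# line is a disconnect is "preauth-close": the peer left before sshd logged
# any authentication, which is how a scanner or banner grab looks.
sessions() {
    printf '%s\n' "$SECURE_LOG" | awk '
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            for (i = 1; i <= NF; i++)
                if ($i == "from" || $i == "by") { p = $(i + 1); sub(/[:.]$/, "", p); peer[pid] = p }
            if (/Accepted /) state[pid] = "accepted"
            else if (/Failed /) state[pid] = "failed"
            else if (!(pid in state)) state[pid] = "preauth-close"
        }
        END { for (pid in state) print pid, peer[pid], state[pid] }' | sort -n
}

# Cross-check wtmp against sshd at host level: every root login that `last -i`
# shows should have an "accepted" sshd session from the same host; one without
# it means sshd's log and wtmp disagree, which is the condition to investigate.
root_logins() {
    ok=$(sessions | awk '$3 == "accepted" { print $2 }' | tr '\n' ' ')
    printf '%s\n' "$LAST_I" | awk -v ok="$ok" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $1 == "root" { print $3, ($3 in seen) ? "matches-sshd" : "NO-SSHD-RECORD" }'
}
```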
 
Old 08-24-2005, 08:46 AM   #9
deez
LQ Newbie
 
Registered: Apr 2004
Location: Orlando, Fl
Distribution: Gentoo
Posts: 4

Rep: Reputation: 0
Might I suggest changing the port ssh uses. There are 65000+ possible ports on the machine. My box used to be hit by a bunch of ssh login attempts when I used port 22, but since I've changed the port to a non-standard number, they've gone down notably.
 
Old 08-25-2005, 05:36 PM   #10
Eaglehawk2
LQ Newbie
 
Registered: Aug 2005
Location: Loveland CO
Distribution: multiple distros
Posts: 1

Rep: Reputation: 0
Another suggestion I would make, being a beginning info security guy, would be to set up Ethereal and see what that brings up. This IDS will be able to help you see what is going on and what is coming in over the wire. This software is really cool because it is free! It does take a bit to read and understand, but if you need help please let me know.
 
Old 09-04-2005, 01:17 AM   #11
latino
Member
 
Registered: Aug 2003
Location: Puerto Rico
Distribution: RHEL 5.5
Posts: 141

Rep: Reputation: 15
Hi:

Besides the recommendation to set up ssh to NOT allow root logins, check APF and BFD; this combination helps a lot. Also install rkhunter.

http://www.rfxnetworks.com/bfd.php

http://www.webhostgear.com/141.html

http://www.rfxnetworks.com/apf.php

Read the conf well. It is easy to install; APF has a setting DS= that allows the server to block IPs if listed at:
http://www.dshield.org/

Later



 
Old 09-07-2005, 07:20 AM   #12
pats
Member
 
Registered: Jul 2005
Distribution: Debian Sarge/Etch, (K)Ubuntu, FC6, AIX5.3, VMWare ESXServer
Posts: 159

Rep: Reputation: 30
Also, setting ftp, ssh and whatever else to block connections after 3 or so unsuccessful login attempts can be useful. This will make a brute force attack impossible unless you have a really, really bad password.
 