How to track who's helping intruder pass through firewall
Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My problem is this:
I am "practicing" in a company for three months - not employed, limited in what I can do. But I need to get things done to have a chance to get a real job...
The company is responsible for other companies' networks; my job is to read logs etc. to make sure everything is fine. Now one internal Linux server behind a firewall is subject to several login attempts (SSH). This is done in the daytime only (one exception), so I suppose the intruder is "helped" by someone on the inside. Question: How can I track the intruder's way in? I have root access to all servers, but no access to the firewall. (Well, I can get in, but I'm not supposed to.) I'm not explicitly forbidden to install a program on the server, but it's the last thing I want to do.
There are 3 different sources logged; all are external IPs.
The usernames used are 'test', 'guest', 'user' and 'admin' - they don't exist.
Also, users shouldn't log in directly to this server; it has no user accounts at all.
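The kind of log triage the poster describes (counting failed SSH logins per external source, listing the usernames tried that do not exist on the box, and checking the time-of-day pattern) can be scripted against sshd's auth log lines. This is an added example, not code from the thread; the log lines, hostname and addresses are constructed, and the 08:00-17:59 office-hours window is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format OpenSSH's sshd writes to
# /var/log/auth.log or /var/log/secure. Addresses come from the RFC 5737
# documentation ranges; nothing here is real data.
SAMPLE_AUTH_LOG = """\
Jun 14 09:12:01 srv1 sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 51012 ssh2
Jun 14 09:12:04 srv1 sshd[2101]: Failed password for invalid user guest from 203.0.113.5 port 51012 ssh2
Jun 14 10:30:17 srv1 sshd[2188]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
Jun 14 10:30:20 srv1 sshd[2188]: Failed password for invalid user user from 198.51.100.23 port 40211 ssh2
Jun 14 11:00:00 srv1 sshd[2200]: Accepted publickey for pingu from 10.0.0.5 port 55000 ssh2
Jun 14 14:05:44 srv1 sshd[2350]: Failed password for invalid user admin from 192.0.2.77 port 33890 ssh2
Jun 14 23:41:09 srv1 sshd[2412]: Failed password for invalid user test from 203.0.113.5 port 51900 ssh2
"""

# "invalid user" is what sshd logs when the account does not exist at all,
# which is exactly the case for test/guest/user/admin on a box with no accounts.
FAILED_RE = re.compile(
    r"^\w{3} +\d{1,2} (?P<hh>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Yield (hour, username, account_does_not_exist, source_ip) per failed login."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield int(m.group("hh")), m.group("user"), m.group("invalid") is not None, m.group("ip")


def summarize(text, work_hours=range(8, 18)):
    """Aggregate failed logins by source, username and hour (assumed office hours 08-17)."""
    events = list(parse_failed_logins(text))
    return {
        "total_failed": len(events),
        "sources": Counter(ip for _, _, _, ip in events),
        "usernames": Counter(user for _, user, _, _ in events),
        "nonexistent_users": sorted({user for _, user, missing, _ in events if missing}),
        "off_hours_attempts": sum(1 for hh, _, _, _ in events if hh not in work_hours),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print(f"{s['total_failed']} failed SSH logins from {len(s['sources'])} sources")
    for ip, n in s["sources"].most_common():
        print(f"  {ip}: {n}")
    print("usernames tried that do not exist:", ", ".join(s["nonexistent_users"]))
    print("attempts outside office hours:", s["off_hours_attempts"])
```

On a real server, feed the script the contents of the auth log instead of the constructed sample; the set of source addresses it reports is what you would compare against the firewall's SSH rules to confirm whether the port is reachable from outside.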
There is some form of malware or scanner that is going around trying to guess very simple user/passwd combos. However, it's starting to become fairly widespread.
Yes, I've noticed I'm not alone...
Well, I'm not really worried, they won't get in - that server is pretty secure.
(And if they do get in I'll be there to stop them. Should raise my chances to get a job.)
But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to internet. It would be good to find out who.
Or have they found a way through the firewall? Would be great if I could report a security-hole in that firewall - it's supposed to be very tight!
Originally posted by pingu:
Yes, I've noticed I'm not alone...
Well, I'm not really worried, they won't get in - that server is pretty secure.
(And if they do get in I'll be there to stop them. Should raise my chances to get a job.)
But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to internet. It would be good to find out who.
Or have they found a way through the firewall? Would be great if I could report a security-hole in that firewall - it's supposed to be very tight!
To fight with a cracker, think like a cracker, be a cracker :-) Your internal server has an external IP, right? Then do the same thing: try to ssh from an external IP to your internal server and then analyze the logs. If it works, look at the firewall rules that let you come in.
Originally posted by pingu:
But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to internet. It would be good to find out who.
Or have they found a way through the firewall? Would be great if I could report a security-hole in that firewall - it's supposed to be very tight!
I thought that since you were looking for a helper on the inside, the sources would be internal. Since they are external sources, you might actually want to check your firewall configuration to verify that SSH to this host is not open. Have you tried starting an SSH session from the outside just to verify? Since there are no user accounts on this system, the only access to this box from the outside should be just the services that are meant to be publicly accessible (i.e. www). If there are no services on this system that are meant to be public, then all external traffic to this system should be blocked.
Now I am soo ashamed...
I was so eager to find a problem that I forgot the first rule:
"Let go of the keyboard - relax - think & analyze"
You see, for the other companies I log in to one server and connect to the others internally. But not this one.
I'm connecting to it directly, from outside, so anybody could.
The problem I tried to solve does not exist...
Well, thanks everybody.
I'm beginning to believe I shouldn't have a job after all....
If possible, you may consider recommending filtering the outside SSH access to known clients only (i.e. your site and any other partner sites). You could point out the failed login attempts to make the justification.