LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 10-22-2005, 01:36 PM   #1
stlyz3
Possible Break In???


I have gotten some strange server log activity over the past couple of days. They say

Oct 22 11:54:04 PC sshd[5556]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 22 11:54:04 PC sshd[5558]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!

Does this mean that I was actually broken into or that someone is trying? If so, what method are they using so that I can possibly stop it?

Any help at all will be greatly appreciated.
 
Old 10-22-2005, 04:19 PM   #2
bulliver
This is most likely a break-in attempt from some script kiddie. If the attacker managed to gain access, it would be in your logs, unless they scrubbed them, but then why leave these lines in there?

My instinct says you are probably fine, but please check your logs for unauthorized access, and even use a rootkit hunter to make sure...

As for method, usually it is just a brute force password attack. Do your logs also contain failed login attempts?

Solutions:
1. don't leave port 22 open to the internet if you don't need access from there
2. Disable password logins and use PubkeyAuthentication instead.
3. Do _not_ allow root logins
4. You can move sshd to a non-standard port. This will take care of a lot of automated script-kiddie attacks

good luck...
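One way to do the log check bulliver asks for, as an added example that is not from the thread: it groups sshd events by source and separates the reverse-DNS warning quoted in the original post from real failed and accepted logins. Apart from the first line, which is the one quoted above, the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout of the thread's sshd messages. The
# first line is the one quoted in the thread; the rest are made up here.
SAMPLE_LOG = """\
Oct 22 11:54:04 PC sshd[5556]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 22 11:54:05 PC sshd[5558]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Oct 22 11:54:09 PC sshd[5560]: Failed password for root from 198.51.100.7 port 40130 ssh2
Oct 22 11:54:12 PC sshd[5562]: Accepted password for root from 198.51.100.7 port 40141 ssh2
Oct 22 12:01:44 PC sshd[5590]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
"""

# "reverse mapping ... failed" only means the client's PTR record did not
# resolve back to its address; sshd logs it before any authentication happens.
REVERSE_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
# Real authentication outcomes carry the method, the user and the source.
AUTH_RE = re.compile(r"(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")

def triage(log_text):
    """Group sshd events by source so failures and successes can be compared."""
    per_source = defaultdict(lambda: {"failed": 0, "accepted": [], "rdns_warn": 0})
    for line in log_text.splitlines():
        m = REVERSE_RE.search(line)
        if m:
            per_source[m.group(1)]["rdns_warn"] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            result, method, user, src = m.groups()
            if result == "Failed":
                per_source[src]["failed"] += 1
            else:
                per_source[src]["accepted"].append((method, user))
    return dict(per_source)

def findings(log_text):
    """Turn the grouped events into the questions bulliver's reply raises."""
    out = []
    for src, ev in sorted(triage(log_text).items()):
        if ev["accepted"] and ev["failed"]:
            out.append(f"INVESTIGATE {src}: login accepted after {ev['failed']} failures")
        for method, user in ev["accepted"]:
            if method == "password" and user == "root":
                out.append(f"INVESTIGATE {src}: password login as root")
        if ev["rdns_warn"] and not ev["failed"] and not ev["accepted"]:
            out.append(f"INFO {src}: reverse-DNS mismatch only, no auth attempt logged")
    return out
```

Feed it `/var/log/auth.log` or `/var/log/secure` (whichever your distribution uses) with `findings(open(path).read())`; a source that only produced the reverse-mapping warning is a DNS mismatch, while an accepted login following failures from the same address is what actually needs looking into.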
 
Old 10-23-2005, 07:30 PM   #3
stlyz3
I have read about changing the SSH port to something else, but no one has mentioned how to do so. Can you please tell me how?
 
Old 10-23-2005, 07:56 PM   #4
Brian1
Edit /etc/ssh/sshd_config and change this:
# Port 22
to whatever
Port 2020

Restart sshd.

This will help some, but the best defense is to make use of public keys only. No passwords or root logins, as mentioned in the above post.

Hope this helps
Brian1
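The sshd_config edits from posts #2 and #4 as an added example (not Brian1's or the thread's code): a small Python script that rewrites the commented-out defaults such as "# Port 22" and shows why simply appending a setting is not enough, because sshd uses the first value it finds for a keyword. The STOCK_CONFIG fragment is constructed.

```python
import re

# Constructed stock-style sshd_config fragment: commented defaults, as the
# thread's "# Port 22" line shows, plus one live setting that is weak.
STOCK_CONFIG = """\
# Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Settings from the thread: non-standard port, no root logins, keys only.
HARDENED = {
    "Port": "2020",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}

def effective_settings(text, keys=tuple(HARDENED)):
    """Return the value sshd would use for each keyword: the first uncommented
    occurrence wins (sshd_config: 'the first obtained value will be used'),
    None if the keyword is never set."""
    found = {k: None for k in keys}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s+(\S+)", line)   # '#' lines never match
        if m and m.group(1) in found and found[m.group(1)] is None:
            found[m.group(1)] = m.group(2)
    return found

def harden(text, settings=HARDENED):
    """Rewrite every existing 'Keyword value' line for each keyword, commented
    out or not, and append the keyword only if it was absent. Rewriting in
    place matters: an earlier 'PermitRootLogin yes' would beat an appended
    'PermitRootLogin no'."""
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*(\w+)\s+(\S+)\s*$", line)
        key = m.group(1) if m else None
        if key in settings:
            out.append(f"{key} {settings[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, val in settings.items():
        if key not in seen:
            out.append(f"{key} {val}")
    return "\n".join(out) + "\n"
```

Check the rewritten file with `sshd -t` before restarting, and keep your current session open until a key-based login on the new port is confirmed to work.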
 
Old 10-23-2005, 08:36 PM   #5
stlyz3
Thanks Brian.

I have root logins turned off; it's my first security defense. With that said, how do I use public keys only? I have never heard of doing so before. Can you please explain how that works?
 
Old 10-23-2005, 09:19 PM   #6
Brian1
Here are a few quick links from http://www.google.com/linux on how to set up public keys. They can be a bit confusing but I don't have the time to really write a clearer use. The first uses RSA keys and the second uses DSA. DSA is stronger than RSA from what I know. Both are quite alike and should get you going. If they work let me know. If I get some spare time I might write something up. I would say there are many posts on the subject here. Use the search feature for setting up ssh with keys.

http://sial.org/howto/openssh/publickey-auth/
http://www.ubuntuforums.org/archive/...p/t-30709.html

Hope this helps.
Brian1
 
Old 10-25-2005, 09:40 PM   #7
M$ISBS
If root logins are not turned on how do you login to do things as root?
 
Old 10-26-2005, 12:10 AM   #8
short101
you log in as a user and then su..
 
Old 10-26-2005, 12:34 AM   #9
M$ISBS
Yea, I thought they meant stopping all root logins. How do you stop other kinds of root logins?
 
Old 10-26-2005, 03:43 PM   #10
sundialsvcs
Quote:
Originally posted by Brian1
Here are a few quick links from http://www.google.com/linux on how to set up public keys. They can be a bit confusing but I don't have the time to really write a clearer use. The first uses RSA keys and the second uses DSA. DSA is stronger than RSA from what I know. Both are quite alike and should get you going. If they work let me know. If I get some spare time I might write something up. I would say there are many posts on the subject here. Use the search feature for setting up ssh with keys.
http://sial.org/howto/openssh/publickey-auth/
http://www.ubuntuforums.org/archive/...p/t-30709.html
Hope this helps.
Brian1
Honestly, I don't think it matters so much which kind of certificates you use, but simply that you do use certificates.

Think of a certificate as a basically-unforgeable identification-badge. Only users who can present a valid credential should be given the slightest bit of attention. They don't get the chance to utter, and thus to brute-force, a password if they cannot get that far.

Note that it doesn't cost any money to set up and use certificates in this way...
All times are GMT -5. The time now is 09:03 PM.