Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I know it was really stupid, but I have a test box I built for RHEL 4 running on CentOS. I am a newbie to Linux and thought it wise to mess about for a while, but I decided on a really insecure password, as after I let my colleague ssh into my box I reset the password on the fly and chose it with not much care. On Tuesday night it was hacked into.
Not sure what was really done to it, but according to the history there were two rpms installed then removed, and other stuff I was not sure of was done, as some files were vi'd and there was an ftp record, but again I'm not sure what was done.
I have since rebuilt my PC using Fedora's latest release and have upgraded my security to try and prevent these measures again, but I do have my old hard drive with all the data intact. If anyone has some ideas on what you need to look for, I can forward any file you want for inspection. I do know though that it took 503 attempts to crack into it.
Note: I believe that mistakes are good if you learn from them.
This is what I've been getting; I suppose it's related to the same problem:
Jul 4 17:40:02 linux sshd[19342]: Failed password for invalid user test from 200.67.79.197 port 48306 ssh2
Jul 4 17:40:54 linux sshd[19366]: Invalid user test from 200.67.79.197
Jul 4 17:40:54 linux sshd[19366]: Failed password for invalid user test from 200.67.79.197 port 49006 ssh2
Jul 4 17:42:20 linux sshd[19404]: Invalid user test from 200.67.79.197
Jul 4 17:42:20 linux sshd[19404]: Failed password for invalid user test from 200.67.79.197 port 50139 ssh2
Jul 4 17:42:26 linux sshd[19406]: Invalid user test from 200.67.79.197
Jul 4 17:42:26 linux sshd[19406]: Failed password for invalid user test from 200.67.79.197 port 50199 ssh2
Jul 4 17:43:06 linux sshd[19422]: Invalid user test from 200.67.79.197
Jul 4 17:43:06 linux sshd[19422]: Failed passw
With the amount of time that passes between tries, it looks more like someone doing it by hand, rather than the scripts that we've been talking about.
Do take the precautions that have been brought up here though.
This is more what they look like:
Jul 2 17:45:54 prometheus sshd[10752]: Illegal user michael from ::ffff:193.65.36.24
Jul 2 17:45:56 prometheus sshd[10754]: Illegal user amanda from ::ffff:193.65.36.24
Jul 2 17:45:57 prometheus sshd[10756]: Illegal user mysql from ::ffff:193.65.36.24
Jul 2 17:45:59 prometheus sshd[10758]: Illegal user rpm from ::ffff:193.65.36.24
Jul 2 17:46:01 prometheus sshd[10760]: Illegal user operator from ::ffff:193.65.36.24
Jul 2 17:46:02 prometheus sshd[10762]: Illegal user sgi from ::ffff:193.65.36.24
Jul 2 17:46:04 prometheus sshd[10764]: Illegal user Aaliyah from ::ffff:193.65.36.24
Jul 2 17:46:06 prometheus sshd[10766]: Illegal user Aaron from ::ffff:193.65.36.24
Jul 2 17:46:07 prometheus sshd[10768]: Illegal user Aba from ::ffff:193.65.36.24
Jul 2 17:46:09 prometheus sshd[10770]: Illegal user Abel from ::ffff:193.65.36.24
Jul 2 17:46:11 prometheus sshd[10772]: Illegal user Jewel from ::ffff:193.65.36.24
Jul 2 17:46:14 prometheus sshd[10776]: Illegal user users from ::ffff:193.65.36.24
Jul 2 17:46:15 prometheus sshd[10778]: Illegal user admins from ::ffff:193.65.36.24
Jul 2 17:46:17 prometheus sshd[10780]: Illegal user admins from ::ffff:193.65.36.24
See how fast they cycle through the names, and then there isn't a passwd spot either.
One thing that I would do is a whois on the IP and then send an email to the ISP.
You can just use:
whois -h completewhois.com ABUSEDATA ipaddress | grep -i Abuse\ E-mail
You'll see the abuse info. I've found that some Asian ISPs don't have an abuse contact, they have a security one. In that case, if the above line doesn't work for you within 15 seconds, then I would do a regular whois on the IP.
Some people here will think sending out an email is stupid, yet with a line count of the illegals from last week totalling over 6000, it's nice to see a reply stating that they have been taken offline.
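The two posts above give a rule of thumb for telling a script from a person: how fast the attempts come and how many names get cycled through. Here is that rule turned into a check over sshd log lines, as an added example that is not any poster's code; the thresholds max_gap=10 and min_users=5 are assumptions, and the sample lines are abridged from the excerpts quoted in the thread.

```python
import re
import statistics
from datetime import datetime
# One sshd record per attempt on an unknown account; covers both the "Invalid user"
# and older "Illegal user" wording in this thread and strips the ::ffff: IPv6 prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid|Illegal) user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)"
)

def parse_attempts(lines):
    """Return (timestamp, user, ip) for every Invalid/Illegal user line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog has no year; strptime fills in 1900, fine for gaps
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out

def classify_sources(lines, max_gap=10, min_users=5):
    """Per source IP: attempts, distinct names, median gap (s) and a verdict.
    'scripted' = >= min_users names and median gap <= max_gap s (assumed thresholds)."""
    by_ip = {}
    for ts, user, ip in parse_attempts(lines):
        by_ip.setdefault(ip, []).append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        users = {u for _, u in events}
        median = statistics.median(gaps) if gaps else None
        scripted = len(users) >= min_users and median is not None and median <= max_gap
        report[ip] = {"attempts": len(events), "distinct_users": len(users),
                      "median_gap": median,
                      "verdict": "scripted" if scripted else "manual-like"}
    return report

# Sample input: abridged from the two log excerpts quoted earlier in this thread.
SAMPLE = """\
Jul 4 17:40:54 linux sshd[19366]: Invalid user test from 200.67.79.197
Jul 4 17:42:20 linux sshd[19404]: Invalid user test from 200.67.79.197
Jul 4 17:42:26 linux sshd[19406]: Invalid user test from 200.67.79.197
Jul 4 17:43:06 linux sshd[19422]: Invalid user test from 200.67.79.197
Jul 2 17:45:54 prometheus sshd[10752]: Illegal user michael from ::ffff:193.65.36.24
Jul 2 17:45:56 prometheus sshd[10754]: Illegal user amanda from ::ffff:193.65.36.24
Jul 2 17:45:57 prometheus sshd[10756]: Illegal user mysql from ::ffff:193.65.36.24
Jul 2 17:45:59 prometheus sshd[10758]: Illegal user rpm from ::ffff:193.65.36.24
Jul 2 17:46:01 prometheus sshd[10760]: Illegal user operator from ::ffff:193.65.36.24
""".splitlines()
```

Run it over your own /var/log/secure (or auth.log) by passing the file's lines to classify_sources; one "scripted" source with a handful of attempts is the pattern the pam_tally / abuse-email advice in this thread is aimed at.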
It's a script for sure; no one will try a dictionary of UIDs by hand. Try pam_tally to limit the login attempts, and if someone can actually tell me how to use it...
I had "Pamela" as an invalid user login attempt, it's so funny.
P.S. Just any tip for pam_tally will do; I tried googling for it - no luck.
Last edited by johnnydangerous; 07-06-2005 at 12:53 AM.