LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-06-2004, 11:35 AM   #16
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57

I think you're looking for something like a honeypot. However, I'd highly recommend running something like that on a dedicated system, as allowing unauthorized users to have access to your system, even if it's a virtual one, is a really bad idea. Even if running a dedicated honeypot, you should be very comfortable with Linux and have a good idea of what you're doing beforehand.
 
Old 09-14-2004, 01:32 AM   #17
shanenin
Member
 
Registered: Aug 2003
Location: Rochester, MN, U.S.A
Distribution: Gentoo
Posts: 987

Rep: Reputation: 30
Quote:
Originally posted by e_larkin
Here is my logwatch output and this is pretty standard every single day!

Failed logins from these:
admin/password from 200.181.46.200: 2 Time(s)
guest/password from 200.181.46.200: 1 Time(s)
guest/password from 200.206.182.38: 1 Time(s)
root/password from 200.181.46.200: 3 Time(s)
test/password from 200.181.46.200: 2 Time(s)
test/password from 200.206.182.38: 1 Time(s)
user/password from 200.181.46.200: 1 Time(s)

**Unmatched Entries**
Illegal user test from 200.181.46.200
User guest not allowed because shell /dev/null is not executable
Illegal user admin from 200.181.46.200
Illegal user admin from 200.181.46.200
Illegal user user from 200.181.46.200
Illegal user test from 200.181.46.200
Illegal user test from 200.206.182.38
User guest not allowed because shell /dev/null is not executable

What I'm wondering is if there is a way to set up a false file system that allows a guest, user, admin, or test login to the system, so that when it (the script or person) does log in it can be monitored and then traced back to an originating IP?

I would love to start messing with the idiot that's actually doing this.

Where are you reading that log info from?
 
Old 09-14-2004, 05:36 AM   #18
Bjorkli
Member
 
Registered: Jul 2003
Location: Norway
Posts: 65

Rep: Reputation: 15
That log is being mailed to the root user automatically once a day in many of the modern Linux distributions, like Red Hat Fedora. To see it, "su - root" (password) then "mail", and you see the log under the heading "SSHD". I have the same problem, and sometimes I use the whois command to find the abuse@ email address, and mail them my log and a complaint. Once I got a reply back saying sorry, and that they would fix the breached machine. To counter this, I have made the user names tougher to guess, and put root in the "sshd deny" file. If you are very paranoid about this, you could put all users that use email (e.g. username@yourdomain.com) in the deny list so that the hacker won't get the user name from email addresses, and limit the sshd users to the actual users that use sshd. Of course, root should always be in the deny list, especially if you have a <yourname><birthyear> type password for root.

NB. It can be wise to automatically forward all mail like this for the root user to another external mail address, like Hotmail, so that hackers can't reach it and delete it if they actually get into your machine.

Last edited by Bjorkli; 09-14-2004 at 06:49 AM.
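Bjorkli's advice (keep root out over ssh, limit ssh to the accounts that actually need it) maps onto the OpenSSH sshd_config keywords PermitRootLogin, DenyUsers and AllowUsers. The following Python script is an added example, not any poster's code and not part of OpenSSH: it audits an sshd_config text for those settings and shows a weak configuration beside a corrected one. It assumes the defaults of that era (root login and password authentication allowed when the keyword is absent) and implements one rule that regularly trips people up: sshd honours the first occurrence of a keyword, so a duplicate further down the file does not override it. Both config samples are constructed.

```python
# Added example: audit an sshd_config for the restrictions discussed in the thread.

# PermitRootLogin values that stop a plain password brute force against root.
ROOT_DENIED = {"no", "prohibit-password", "without-password", "forced-commands-only"}


def parse_sshd_config(text):
    """Return {keyword_lower: [values]} for the global section of an sshd_config.

    sshd uses the FIRST value it reads for each keyword, so later duplicates are
    ignored here as well. Parsing stops at the first Match block because the
    directives inside it apply only conditionally.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break
        conf.setdefault(key, values)  # keep the first occurrence only
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the thread's advice is in place."""
    conf = parse_sshd_config(text)
    findings = []
    # Assumed defaults when the keyword is absent: root login and passwords allowed.
    root_login = conf.get("permitrootlogin", ["yes"])[0].lower()
    if root_login not in ROOT_DENIED:
        findings.append("PermitRootLogin is not 'no': root can be brute-forced directly")
    allow = set(conf.get("allowusers", []))
    deny = set(conf.get("denyusers", []))
    if not allow and not deny:
        findings.append("no AllowUsers/DenyUsers: every local account is reachable over ssh")
    root_listed = "root" in deny or (bool(allow) and "root" not in allow)
    if not root_listed:
        findings.append("root is not excluded by DenyUsers/AllowUsers")
    if conf.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is on: guessing attacks remain possible, prefer keys")
    return findings


# Constructed sample: a default-ish sshd_config of the kind the thread's posters ran.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample after applying the advice in the thread.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
DenyUsers root guest test admin user
AllowUsers bjorn alice
PasswordAuthentication no
# a duplicate further down does NOT undo the setting above: the first value wins
PermitRootLogin yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it as-is to see the four findings on the weak sample and none on the hardened one; feed it your own file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`.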
 
Old 09-14-2004, 09:21 AM   #19
crackito
LQ Newbie
 
Registered: Sep 2004
Location: Portugal
Posts: 1

Rep: Reputation: 0
I use apf fw and bfd... bfd checks for brute force attempts and adds hosts to the deny.hosts of the fw.
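The logwatch output quoted in shanenin's post and the BFD behaviour crackito describes are two halves of the same job: count failed sshd logins per source address and block the addresses that cross a threshold. The Python script below is an added example, not code from any poster and not from the APF/BFD tools: it tallies failed password attempts per source address and username from the syslog lines that produced that logwatch summary, records the "Illegal user" names that do not exist on the box, and renders hosts.deny entries for any address that reaches a threshold. The sample log lines are constructed to reproduce the counts in the quoted output, and the threshold of 5 and the `sshd:` TCP-wrapper form of the deny entries are assumptions.

```python
import re
from collections import Counter, defaultdict

# Regexes modelled on the OpenSSH 3.x syslog lines quoted earlier in the thread.
FAILED_PASSWORD = re.compile(
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ILLEGAL_USER = re.compile(
    r"Illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd_log(text):
    """Tally failed password attempts per source IP and username.

    Returns (attempts, illegal): attempts is {ip: Counter({user: n})},
    illegal is {ip: {usernames that do not exist on the box}}.
    """
    attempts = defaultdict(Counter)
    illegal = defaultdict(set)
    for line in text.splitlines():
        m = FAILED_PASSWORD.search(line)
        if m:
            attempts[m["ip"]][m["user"]] += 1
            continue
        m = ILLEGAL_USER.search(line)
        if m:
            illegal[m["ip"]].add(m["user"])
    return attempts, illegal


def offenders(attempts, threshold):
    """Source IPs whose failed attempts reach the threshold (a BFD-style cutoff)."""
    return sorted(ip for ip, per_user in attempts.items()
                  if sum(per_user.values()) >= threshold)


def hosts_deny_lines(ips):
    """TCP-wrapper entries for /etc/hosts.deny that block only sshd (assumed form)."""
    return [f"sshd: {ip}" for ip in ips]


THRESHOLD = 5  # assumed cutoff for this example

# Constructed sample input: the addresses and per-user counts mirror the
# logwatch output quoted in the thread, plus one legitimate key-based login.
SAMPLE_LOG = """\
Sep 13 03:12:01 box sshd[1201]: Illegal user admin from 200.181.46.200
Sep 13 03:12:01 box sshd[1201]: Failed password for illegal user admin from 200.181.46.200 port 3100 ssh2
Sep 13 03:12:03 box sshd[1202]: Failed password for illegal user admin from 200.181.46.200 port 3101 ssh2
Sep 13 03:12:05 box sshd[1203]: Failed password for root from 200.181.46.200 port 3102 ssh2
Sep 13 03:12:06 box sshd[1204]: Failed password for root from 200.181.46.200 port 3103 ssh2
Sep 13 03:12:07 box sshd[1205]: Failed password for root from 200.181.46.200 port 3104 ssh2
Sep 13 03:12:08 box sshd[1206]: Illegal user test from 200.181.46.200
Sep 13 03:12:08 box sshd[1206]: Failed password for illegal user test from 200.181.46.200 port 3105 ssh2
Sep 13 03:12:09 box sshd[1207]: Failed password for illegal user test from 200.181.46.200 port 3106 ssh2
Sep 13 03:12:10 box sshd[1208]: Failed password for guest from 200.181.46.200 port 3107 ssh2
Sep 13 03:12:11 box sshd[1209]: Failed password for illegal user user from 200.181.46.200 port 3108 ssh2
Sep 13 11:40:02 box sshd[1310]: Failed password for guest from 200.206.182.38 port 2201 ssh2
Sep 13 11:40:03 box sshd[1311]: Illegal user test from 200.206.182.38
Sep 13 11:40:03 box sshd[1311]: Failed password for illegal user test from 200.206.182.38 port 2202 ssh2
Sep 13 11:40:05 box sshd[1312]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""


def summarize(text, threshold=THRESHOLD):
    """Build the same kind of report logwatch prints, plus the deny entries."""
    attempts, illegal = parse_sshd_log(text)
    return {
        "attempts_by_ip": {ip: sum(c.values()) for ip, c in attempts.items()},
        "illegal_users": {ip: sorted(u) for ip, u in illegal.items()},
        "deny": hosts_deny_lines(offenders(attempts, threshold)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["attempts_by_ip"].items()):
        tried = ", ".join(report["illegal_users"].get(ip, [])) or "-"
        print(f"{ip}: {n} failed login(s); nonexistent users tried: {tried}")
    print("\n".join(report["deny"]))
```

Pipe a real `/var/log/secure` or `/var/log/auth.log` into `summarize()` to get the same report; the "Accepted" line is deliberately present to show that successful logins do not count against an address.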
 
Old 09-15-2004, 04:57 AM   #20
Ambrosia
LQ Newbie
 
Registered: Aug 2004
Location: Germany
Distribution: Debian Sid
Posts: 17

Rep: Reputation: 1
I've set up a honeypot after noticing similar activity on SSH, using an old Slackware 8, 2.4.18 and a bogus guest/guest account.

The entire thing seems automated, and as soon as the guest logs in, a local root exploit gets used to gain root access.. automatism stops there though, as the actual new root pass gets entered manually (yay for script kiddies typoing).

After that, behavior differed... one immediately installed an IRC bot which connected to Undernet (EnergyBot), and started to scan from my machine (but strangely, all the machines he scanned were firewalled... hum..).
Sadly I didn't have my keylogger/outputlogger set up properly, so the log wasn't really usable aside from that info.
Others just changed the root pass, and logged out again.

Those scans aren't really frequent here (one every couple of days or so), and seem to have different origins (a few US, one from Romania).

Ah yes, the Romanian guy... changed root pass, logged out, didn't return for a while. I then restored an hour-old copy of the system, and -bang-, minutes later he's exploiting the thing -again- (using a different root pass), and doesn't even at all seem to notice a certain familiarity with a certain box he exploited before.. heh.. kiddies.

On a further note, it's safe to assume that they logged in from their own private boxes.. nmap revealed all ports as firewalled.

Right now I've put the Honeypot on hold...what do you think, is it worth continuing it? Any good ideas on further actions?

Ambrosia

Last edited by Ambrosia; 09-15-2004 at 05:05 AM.
 
Old 09-18-2004, 09:36 PM   #21
floppywhopper
Member
 
Registered: Aug 2004
Location: Albany, Western Australia
Distribution: Mageia 4.1, SME Server 8
Posts: 627
Blog Entries: 2

Rep: Reputation: 55
Hmm
thanks for the warning Capt_Caveman
I use Smoothwall and I noticed
an SSH attempt in my firewall log
Snort didn't pick it up however
I simply set Smoothwall to drop packets from that IP - simple
The idea of letting someone into even a honeypot doesn't really seem like a good idea unless, as you say, you are really clued up on Linux, BSD or whatever

As to the idea of "messing with these guys"
It sort of defeats the purpose of running in stealth; better to report these idiots to the relevant authorities.
I had someone (usr/moron) try my system on, another client of my ISP. I simply reported it to my ISP, sent my firewall and Snort logs, and the problem stopped - simple

floppywhopper
 
Old 09-19-2004, 08:21 PM   #22
micxz
Senior Member
 
Registered: Oct 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Quote:
Originally posted by e_larkin
I would love to start messing with the idiot thats actually doing this.
interesting read:

http://www.jaenicke.org/sk/
 
Old 09-20-2004, 09:08 AM   #23
Ambrosia
LQ Newbie
 
Registered: Aug 2004
Location: Germany
Distribution: Debian Sid
Posts: 17

Rep: Reputation: 1
Interesting. Now, it -could- be the same guy. But alas, no action was taken after he got into my honeypot. Considering that the IPs in the logs of that link don't resolve (and his did when he logged into mine), I assume it's somebody different.

Still.. interesting read. Thanks
 
Old 09-20-2004, 11:11 PM   #24
Xon
Member
 
Registered: Sep 2004
Posts: 49

Rep: Reputation: 15
There was a tool which worked with a timestamp pattern that allowed catching the right usernames in some sshds.
 
Old 09-21-2004, 03:08 AM   #25
Kahless
Member
 
Registered: Jul 2003
Location: Pennsylvainia
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503

Rep: Reputation: 30
This may be a bit malicious, but you could put some nice viruses in your honeypot, ones that look like something the script kiddie would want (porn or a game) and kindly wipe out their partition tables.


I bet it would be a good long while until they scan you again, especially if their mommy grounds them for breaking the computer :P
 
Old 09-22-2004, 05:50 AM   #26
Ambrosia
LQ Newbie
 
Registered: Aug 2004
Location: Germany
Distribution: Debian Sid
Posts: 17

Rep: Reputation: 1
Dialers
 
Old 09-24-2004, 09:19 PM   #27
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Just out of interest, is that a normal amount of hacking attempts?

Our server runs about 20 webservers and 50 email accounts.

When we started the system there were, until we shut it down, 50.000 emails sent over us within a couple of hours on the first day. Since we reside with a big service provider in Germany, maybe they target them pro forma. We had a system in the States before; the amount wasn't nearly as big as that.

Timeframe is from the beginning of September to today. At the mo I have hosts.allow and firewall running, no root login and only certain machines incoming. I'll look into keygen ssh.


# some specific drop IPs just for troublemakers.
203.236.241.189 -j DROP # illegal login attempt ssh
210.105.240.195 -j DROP # illegal login attempt ssh
210.83.195.78 -j DROP # illegal login attempt ssh
217.113.73.102 -j DROP # illegal login attempt ssh
69.28.69.138 -j DROP # illegal login attempt ssh
193.204.49.40 -j DROP # illegal login attempt ssh
203.236.241.189 -j DROP # illegal login attempt ssh
220.168.17.55 -j DROP # illegal login attempt ssh
62.117.78.34 -j DROP # illegal login attempt ssh
213.69.152.70 -j DROP # illegal login attempt ssh
80.55.252.66 -j DROP # illegal access on http script
67.113.225.67 -j DROP # illegal ftp login attempt 7.9.2004
218.84.100.230 -j DROP # illegal ssh login attempt 7.9.2004
12.174.224.3 -j DROP # illegal ssh login attempt 8.9.2004
61.166.6.60 -j DROP # illegal ssh login attempt 9.9.2004
80.207.208.85 -j DROP # illegal ssh login attempt 10.9.2004
69.31.86.200 -j DROP # illegal ssh login attempt 11.9.2004
211.248.173.2 -j DROP # illegal ssh login attempt 11.9.2004
216.9.241.69 -j DROP # illegal ssh login attempt 12.9.2004
81.169.151.2 -j DROP # illegal ssh login attempt 12.9.2004
81.169.151.3 -j DROP # illegal ssh login attempt 13.9.2004
134.34.53.250 -j DROP # illegal ftp login attempt 14.9.2004
218.188.4.24 -j DROP # illegal ssh login attempt 15.9.2004
220.73.215.151 -j DROP # illegal ssh login attempt 15.9.2004
66.28.204.50 -j DROP # illegal ssh login attempt 16.9.2004
81.169.157.38 -j DROP # illegal ssh login attempt 16.9.2004
81.169.151.34 -j DROP # illegal scan attempt 17.9.2004
212.34.65.198 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.197 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.198 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.199 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.200 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.201 -j DROP # illegal ssh login attempt 17.9.2004
84.128.7.59 -j DROP # illegal ssh login attempt 17.9.2004
134.34.53.250 -j DROP # illegal ssh login attempt 17.9.2004
84.128.7.59 -j DROP # illegal ssh login attempt 17.9.2004
219.140.166.19 -j DROP # illegal ssh login attempt 18.9.2004
148.235.242.165 -j DROP # illegal ssh login attempt 19.9.2004
205.209.168.20 -j DROP # illegal ssh login attempt 19.9.2004
202.30.32.19 -j DROP # illegal ssh login attempt 19.9.2004
80.67.224.21 -j DROP # illegal mysql login attempt 3.9.2004
66.199.181.64 -j DROP # illegal ssh login attempt 21.9.2004
80.128.94.56 -j DROP # illegal ssh login attempt 22.9.2004
210.212.204.37 -j DROP # illegal ssh login attempt 22.9.2004
61.184.104.236 -j DROP # illegal ssh login attempt 22.9.2004
218.232.104.41 -j DROP # illegal ssh login attempt 22.9.2004
201.10.45.4 -j DROP # illegal ssh login attempt 23.9.2004
218.188.9.51 -j DROP # illegal ssh login attempt 23.9.2004
148.215.14.181 -j DROP # illegal ssh login attempt 24.9.2004
70.240.3.138 -j DROP # illegal ssh login attempt 24.9.2004

Last edited by DrNeil; 09-24-2004 at 09:21 PM.
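DrNeil's drop list is a hand-maintained file of "address -j DROP # reason date" lines, and as posted it already contains several addresses twice (203.236.241.189, 212.34.65.198, 84.128.7.59 and 134.34.53.250), which means redundant rules in the chain and a list that is hard to review. The Python script below is an added example, not DrNeil's or any firewall tool's code: it parses that line format, validates each address, extracts the service and date from the comment, reports duplicates and per-service totals, and emits one `iptables -A INPUT -s <ip> -j DROP` command per distinct address. The sample list reuses a subset of the posted lines plus one constructed malformed line to show the validation; the chain name and the rule form are assumptions about how the list is loaded.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# One line of the posted list: "<ip> -j DROP # <reason> [d.m.yyyy]"
LINE = re.compile(r"^(?P<ip>\S+)\s+-j\s+DROP\s*#\s*(?P<reason>.*?)\s*$")
DATE = re.compile(r"(\d{1,2}\.\d{1,2}\.\d{4})$")
SERVICES = ("ssh", "ftp", "http", "mysql")


def parse_drop_list(text):
    """Parse the annotated drop list into dicts with ip, service, date and reason.

    Blank lines, comment lines and lines whose address is not a valid IPv4
    address are skipped instead of being silently turned into rules.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ipaddress.AddressValueError:
            continue
        reason = m["reason"]
        d = DATE.search(reason)
        date = datetime.strptime(d.group(1), "%d.%m.%Y").date() if d else None
        service = next((s for s in SERVICES if s in reason.lower()), "other")
        entries.append({"ip": ip, "service": service, "date": date, "reason": reason})
    return entries


def duplicates(entries):
    """Addresses listed more than once; every repeat is a redundant rule."""
    counts = Counter(e["ip"] for e in entries)
    return sorted(ip for ip, n in counts.items() if n > 1)


def service_counts(entries):
    """Number of distinct addresses blocked per service (first reason wins)."""
    seen = {}
    for e in entries:
        seen.setdefault(e["ip"], e["service"])
    return Counter(seen.values())


def iptables_commands(entries, chain="INPUT"):
    """Emit one DROP rule per distinct address, preserving list order."""
    cmds, seen = [], set()
    for e in entries:
        if e["ip"] in seen:
            continue
        seen.add(e["ip"])
        cmds.append(f"iptables -A {chain} -s {e['ip']} -j DROP")
    return cmds


# Sample list: a subset of the lines DrNeil posted, plus one constructed bad line.
SAMPLE_LIST = """\
# some specific drop IPs just for troublemakers.
203.236.241.189 -j DROP # illegal login attempt ssh
210.105.240.195 -j DROP # illegal login attempt ssh
80.55.252.66 -j DROP # illegal access on http script
67.113.225.67 -j DROP # illegal ftp login attempt 7.9.2004
203.236.241.189 -j DROP # illegal login attempt ssh
212.34.65.198 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.199 -j DROP # illegal ssh login attempt 17.9.2004
212.34.65.198 -j DROP # illegal ssh login attempt 17.9.2004
80.67.224.21 -j DROP # illegal mysql login attempt 3.9.2004
300.1.2.3 -j DROP # constructed bad address, must be skipped
"""

if __name__ == "__main__":
    entries = parse_drop_list(SAMPLE_LIST)
    print(f"{len(entries)} valid entries, duplicates: {duplicates(entries)}")
    print("blocked per service:", dict(service_counts(entries)))
    print("\n".join(iptables_commands(entries)))
```

Because the script only prints the commands, the output can be reviewed (or diffed against the running rule set) before anything is applied.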
 
Old 09-25-2004, 05:39 PM   #28
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Does my question go under in the stickies?
 
Old 09-25-2004, 06:10 PM   #29
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
Quote:
Originally posted by DrNeil
Does my question go under in the stickies ?
When you reply to something that is stickied at the top of the forum, then yes it does. Please try to keep the replies to the stickied threads as relevant as possible.

In regard to the number of ssh login attempts you observed, yes, that isn't abnormal. I've seen systems log significantly more than that. Don't know what the first part of your question (about emails) was about, but I don't think it has anything to do with failed ssh logins, so please start a new thread if necessary. Thanks.
 
Old 09-25-2004, 08:46 PM   #30
DrNeil
Member
 
Registered: Aug 2004
Location: Scotland
Distribution: Debian, Suse, Knoppix, Dyna:bolic, Mandrake [couple of years ago], Slackware [1993 or so]
Posts: 150

Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
When you reply to something that is stickied at the top of the forum, then yes it does. Please try to keep the replies to the stickied threads as relevant as possible
Lol, there you try to minimise thread numbers and it's wrong again.
 
  

