LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-30-2004, 04:07 PM   #46
craig34
LQ Newbie
 
Registered: Sep 2004
Distribution: FreeBSD
Posts: 8

Rep: Reputation: 0

Quote:
Originally posted by Capt_Caveman
Honestly, spending your effort hardening your system and maintaining security will be a better payoff than worrying about the best way to implement your blacklist.
I suppose it's to general of a question to ask for how you might achieve this? Maybe a top 5 list so it doesn't take forever?
 
Old 09-30-2004, 09:33 PM   #47
mangolicious
Member
 
Registered: Sep 2004
Location: Nowhere Special (if you don't get it, rent Blazing Saddles)
Distribution: Gentoo Linux
Posts: 63

Rep: Reputation: 15
my two cents

Quote:
Originally posted by flashingcurser
Does it only scan the default port? I always change sshd to listen to a non-standard non-priv port.

hey that's not a bad idea
 
Old 09-30-2004, 09:46 PM   #48
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
Quote:
Originally posted by craig34
I suppose it's to general of a question to ask for how you might achieve this? Maybe a top 5 list so it doesn't take forever?
There are a number of security checklists and HOTWOs in the Security References thread that unSpawn put together. Those will probably be a better starting framework than a top 5
 
Old 09-30-2004, 09:55 PM   #49
mangolicious
Member
 
Registered: Sep 2004
Location: Nowhere Special (if you don't get it, rent Blazing Saddles)
Distribution: Gentoo Linux
Posts: 63

Rep: Reputation: 15
yep. same thing.

Im getting the same thing as all of the rest of you...
only with mine the attacker is only trying to get the root password (with the exception of the odd jane and patrick here and there)
also, im getting this:
Code:
Sep 27 13:11:26 [sshd] error: Could not get shadow information for NOUSER
and this
Code:
Sep 27 13:11:29 [sshd] Failed password for root from 202.235.200.79 port 56337 ssh2
that's just weird. why would you ever be able to get shadow information with sshd?? how is 202.235.200.79 accessing ports that I had blocked out? this simply is not making any sense. some1 please explain. my brain hurts.

PS: 202.235.200.79 reverse DNS's to http://www.kabujouhou.com/
lol!
im being spammed by a chinese website. priceless hey by the way, if anybody can read chinese in this forum could they get back to me on what that site is?

Last edited by mangolicious; 09-30-2004 at 10:02 PM.
 
Old 10-01-2004, 08:39 AM   #50
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
I'm going to repost my earlier question also:
Quote:
I've been blocking these at the firewall. Any thoughts on if its better to block at the firewall vs. using a hosts.allow as mentioned here?
 
Old 10-01-2004, 04:07 PM   #51
mangolicious
Member
 
Registered: Sep 2004
Location: Nowhere Special (if you don't get it, rent Blazing Saddles)
Distribution: Gentoo Linux
Posts: 63

Rep: Reputation: 15
Truckstuff, it seems to be cleaner to use hosts.allow/deny but really, there's not much difference in between the two. whichever one you are most comfortable dealing with.
 
Old 10-04-2004, 06:05 AM   #52
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
To limit/end these Script Kiddie playtimes:

1) Make passwords long & strong, stuff like: &^bV{-)wQ17HG*dzQK?X

2) Limit sshd's accessing domains you know you don't need in hosts.deny (sshd can be compiled w/hosts_access support or put in under xinetd/inet with -i option). For example, I know that no one from China should be logging into my sshd, so:

hosts.deny:

Code:
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
3) Add line

Code:
sshd: UNKNOWN
to hosts.deny. Surprisingly, this stops alot of them but hasn't stopped any of my legit users. You can combine this rule with #2 above.

4) Make use of the AllowUser, DenyUser tags in sshd_config. Make sure you list exactly who should and who should not
login. IMO, never, ever allow root.

sshd_config:

Code:
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry

# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news  uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc

5) Check into key-only ssh login. If someone doesn't have a valid key, it will be very hard to login with any password!

6) Turn up logging and watch logs carefully. Maybe limit access times too (with xinetd's port times). I completely drop traffic from known trouble networks/domains/netblocks, but this may be too extreme for some people. xinetd can do rate limit as well.

7) You can put sshd on another port, but this shouldn't be needed if all your other defense is in place. Stay up on patches and current security. Most intruders I've seen get local, then use kernel exploits like km3.c (ptrace) or do_brk(), mremap to gain root. Of those that did get root, they usually downloaded IRC stuff (bouncers, bots) and linux viruses OSF, and RST varient #2. The attackers were quite amatureuish, and left behind plenty of evidence, including bash history files, logs, and other records. Once a machine is compromised, they use it to do more. The most advanced tool that I've seen
came as a C source file, so the port could be changed. It had an extensive password list with dictionary type words. More words could be added. RST #2 contains its own backdoor. Rootkits T0rn, and SucKit were popular as well. Many of the tools came from the go.ro domain. In many cases, the admins of the attacking machines didn't know they were compromised. Several expressed gratitude when notified of the attempts, but unfortunately the norm seems to be no response (at least in the cases I've reported myself).

As far as using hosts based access for iptables, I'd say go for both: knock out as much trouble spots as you can with each tool, because they work slightly different. For example, I may not need to allow sshd login from a certain domain, but I do want to be able to send and receive mail with it; so I can't drop it completely. With hosts based access you can give rules to just one daemon, or all.

- jayjwa

(Re-editted for reformating on 10/6)

Last edited by jayjwa; 10-06-2004 at 09:38 AM.
 
Old 10-04-2004, 06:44 AM   #53
floppywhopper
Member
 
Registered: Aug 2004
Location: Albany, Western Australia
Distribution: Mageia 2, SME Server 8
Posts: 616
Blog Entries: 2

Rep: Reputation: 54
floppywhopper here again
Smoothwall reports that
not only am I getting this SSH bulls**t
but also attempts against port 901 ( SWAT )
yesterday 6 pages of crap in the firewall logs
today some f***kwit from japan having a go
up to 8 times per minute
and I'm only on dial-up
I feel sorry for guys on ADSL or similar where youre connected 24/7
no wonder the internet is so slow

floppy
 
Old 10-06-2004, 09:20 AM   #54
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
These are getting worse. This recent one, yesterday's, is the most advanced tool I've had used against my system. It happended while I was away; the attacker ran a bruteforce attack for about 12 minutes, using not only the usual "test" "guest" junk, but also some UID's I'm sure somebody is likely to have. I'm really glad that I make use of the AllowUsers and DenyUsers tags in sshd_config! 4.28.181.157 (wbar24.tmp1-4.28.181.157.tmp1.dsl-verizon.net), a linux machine estamated thru passive OS fingering to be a 2.6.8 and up for 1106 hours, was the attacker. The ISP was notified, but all I've got back so far is a form-letter and a case number.

Code:
Oct  4 11:23:50 atr2 sshd[3228]: Generating 768 bit RSA key.
Oct  4 11:23:50 atr2 sshd[3228]: RSA key generation complete.
Oct  4 11:23:51 atr2 sshd[3228]: Connection from 4.28.181.157 port 37387
Oct  4 11:23:51 atr2 sshd[3228]: Did not receive identification string from 4.28.181.157
Oct  4 11:32:39 atr2 sshd[3230]: Generating 768 bit RSA key.
Oct  4 11:32:40 atr2 sshd[3230]: RSA key generation complete.
Oct  4 11:32:41 atr2 sshd[3230]: Connection from 4.28.181.157 port 49500
Oct  4 11:32:45 atr2 sshd[3230]: User nobody not allowed because listed in DenyUsers
Oct  4 11:32:45 atr2 sshd[3230]: Failed password for invalid user nobody from 4.28.181.157 port 49500 ssh2
Oct  4 11:32:47 atr2 sshd[3233]: Generating 768 bit RSA key.
Oct  4 11:32:48 atr2 sshd[3233]: RSA key generation complete.
Oct  4 11:32:49 atr2 sshd[3233]: Connection from 4.28.181.157 port 49608
Oct  4 11:32:52 atr2 sshd[3233]: Invalid user patrick from 4.28.181.157
Oct  4 11:32:52 atr2 sshd[3233]: Failed password for invalid user patrick from 4.28.181.157 port 49608 ssh2
Oct  4 11:32:53 atr2 sshd[3236]: Generating 768 bit RSA key.
Oct  4 11:32:54 atr2 sshd[3236]: RSA key generation complete.
Oct  4 11:32:54 atr2 sshd[3236]: Connection from 4.28.181.157 port 49710
Oct  4 11:32:58 atr2 sshd[3236]: Invalid user patrick from 4.28.181.157
Oct  4 11:32:58 atr2 sshd[3236]: Failed password for invalid user patrick from 4.28.181.157 port 49710 ssh2
Oct  4 11:32:59 atr2 sshd[3239]: Generating 768 bit RSA key.
Oct  4 11:33:00 atr2 sshd[3239]: RSA key generation complete.
Oct  4 11:33:01 atr2 sshd[3239]: Connection from 4.28.181.157 port 49783
Oct  4 11:33:04 atr2 sshd[3239]: User root not allowed because listed in DenyUsers
Oct  4 11:33:04 atr2 sshd[3239]: Failed password for invalid user root from 4.28.181.157 port 49783 ssh2
Oct  4 11:33:06 atr2 sshd[3242]: Generating 768 bit RSA key.
Oct  4 11:33:07 atr2 sshd[3242]: RSA key generation complete.
Oct  4 11:33:08 atr2 sshd[3242]: Connection from 4.28.181.157 port 49894
Oct  4 11:33:11 atr2 sshd[3242]: User root not allowed because listed in DenyUsers
Oct  4 11:33:11 atr2 sshd[3242]: Failed password for invalid user root from 4.28.181.157 port 49894 ssh2
Oct  4 11:33:13 atr2 sshd[3245]: Generating 768 bit RSA key.
Oct  4 11:33:15 atr2 sshd[3245]: RSA key generation complete.
Oct  4 11:33:16 atr2 sshd[3245]: Connection from 4.28.181.157 port 50040
Oct  4 11:33:21 atr2 sshd[3245]: User root not allowed because listed in DenyUsers
Oct  4 11:33:21 atr2 sshd[3245]: Failed password for invalid user root from 4.28.181.157 port 50040 ssh2
Oct  4 11:33:22 atr2 sshd[3248]: Generating 768 bit RSA key.
Oct  4 11:33:23 atr2 sshd[3248]: RSA key generation complete.
Oct  4 11:33:23 atr2 sshd[3248]: Connection from 4.28.181.157 port 50208
Oct  4 11:33:28 atr2 sshd[3248]: User root not allowed because listed in DenyUsers
Oct  4 11:33:28 atr2 sshd[3248]: Failed password for invalid user root from 4.28.181.157 port 50208 ssh2
Oct  4 11:33:30 atr2 sshd[3251]: Generating 768 bit RSA key.
Oct  4 11:33:31 atr2 sshd[3251]: RSA key generation complete.
Oct  4 11:33:31 atr2 sshd[3251]: Connection from 4.28.181.157 port 50314
Oct  4 11:33:34 atr2 sshd[3251]: User root not allowed because listed in DenyUsers
Oct  4 11:33:34 atr2 sshd[3251]: Failed password for invalid user root from 4.28.181.157 port 50314 ssh2
Oct  4 11:33:36 atr2 sshd[3254]: Generating 768 bit RSA key.
Oct  4 11:33:37 atr2 sshd[3254]: RSA key generation complete.
Oct  4 11:33:37 atr2 sshd[3254]: Connection from 4.28.181.157 port 50419
Oct  4 11:33:40 atr2 sshd[3254]: Invalid user rolo from 4.28.181.157
Oct  4 11:33:40 atr2 sshd[3254]: Failed password for invalid user rolo from 4.28.181.157 port 50419 ssh2
Oct  4 11:33:41 atr2 sshd[3257]: Generating 768 bit RSA key.
Oct  4 11:33:42 atr2 sshd[3257]: RSA key generation complete.
Oct  4 11:33:43 atr2 sshd[3257]: Connection from 4.28.181.157 port 50527
Oct  4 11:33:46 atr2 sshd[3257]: Invalid user iceuser from 4.28.181.157
Oct  4 11:33:46 atr2 sshd[3257]: Failed password for invalid user iceuser from 4.28.181.157 port 50527 ssh2
Oct  4 11:33:47 atr2 sshd[3260]: Generating 768 bit RSA key.
Oct  4 11:33:48 atr2 sshd[3260]: RSA key generation complete.
Oct  4 11:33:48 atr2 sshd[3260]: Connection from 4.28.181.157 port 50628
Oct  4 11:33:52 atr2 sshd[3260]: Invalid user horde from 4.28.181.157
Oct  4 11:33:52 atr2 sshd[3260]: Failed password for invalid user horde from 4.28.181.157 port 50628 ssh2
Oct  4 11:33:53 atr2 sshd[3263]: Generating 768 bit RSA key.
Oct  4 11:33:54 atr2 sshd[3263]: RSA key generation complete.
Oct  4 11:33:54 atr2 sshd[3263]: Connection from 4.28.181.157 port 50729
Oct  4 11:33:57 atr2 sshd[3263]: Invalid user cyrus from 4.28.181.157
Oct  4 11:33:57 atr2 sshd[3263]: Failed password for invalid user cyrus from 4.28.181.157 port 50729 ssh2
Oct  4 11:33:58 atr2 sshd[3266]: Generating 768 bit RSA key.
Oct  4 11:33:59 atr2 sshd[3266]: RSA key generation complete.
Oct  4 11:33:59 atr2 sshd[3266]: Connection from 4.28.181.157 port 50788
Oct  4 11:34:02 atr2 sshd[3266]: Invalid user www from 4.28.181.157
Oct  4 11:34:02 atr2 sshd[3266]: Failed password for invalid user www from 4.28.181.157 port 50788 ssh2
Oct  4 11:34:04 atr2 sshd[3269]: Generating 768 bit RSA key.
Oct  4 11:34:04 atr2 sshd[3269]: RSA key generation complete.
Oct  4 11:34:05 atr2 sshd[3269]: Connection from 4.28.181.157 port 50868
Oct  4 11:34:07 atr2 sshd[3269]: Invalid user wwwrun from 4.28.181.157
Oct  4 11:34:07 atr2 sshd[3269]: Failed password for invalid user wwwrun from 4.28.181.157 port 50868 ssh2
Oct  4 11:34:09 atr2 sshd[3272]: Generating 768 bit RSA key.
Oct  4 11:34:10 atr2 sshd[3272]: RSA key generation complete.
Oct  4 11:34:10 atr2 sshd[3272]: Connection from 4.28.181.157 port 50945
Oct  4 11:34:13 atr2 sshd[3272]: Invalid user matt from 4.28.181.157
Oct  4 11:34:13 atr2 sshd[3272]: Failed password for invalid user matt from 4.28.181.157 port 50945 ssh2
Oct  4 11:34:14 atr2 sshd[3275]: Generating 768 bit RSA key.
Oct  4 11:34:15 atr2 sshd[3275]: RSA key generation complete.
Oct  4 11:34:16 atr2 sshd[3275]: Connection from 4.28.181.157 port 51021
Oct  4 11:34:19 atr2 sshd[3275]: Invalid user test from 4.28.181.157
Oct  4 11:34:19 atr2 sshd[3275]: Failed password for invalid user test from 4.28.181.157 port 51021 ssh2
Oct  4 11:34:20 atr2 sshd[3278]: Generating 768 bit RSA key.
Oct  4 11:34:20 atr2 sshd[3278]: RSA key generation complete.
Oct  4 11:34:21 atr2 sshd[3278]: Connection from 4.28.181.157 port 51099
Oct  4 11:34:24 atr2 sshd[3278]: Invalid user test from 4.28.181.157
Oct  4 11:34:24 atr2 sshd[3278]: Failed password for invalid user test from 4.28.181.157 port 51099 ssh2
Oct  4 11:34:26 atr2 sshd[3281]: Generating 768 bit RSA key.
Oct  4 11:34:27 atr2 sshd[3281]: RSA key generation complete.
Oct  4 11:34:28 atr2 sshd[3281]: Connection from 4.28.181.157 port 51186
Oct  4 11:34:30 atr2 sshd[3281]: Invalid user test from 4.28.181.157
Oct  4 11:34:30 atr2 sshd[3281]: Failed password for invalid user test from 4.28.181.157 port 51186 ssh2
Oct  4 11:34:32 atr2 sshd[3284]: Generating 768 bit RSA key.
Oct  4 11:34:32 atr2 sshd[3284]: RSA key generation complete.
Oct  4 11:34:33 atr2 sshd[3284]: Connection from 4.28.181.157 port 51276
Oct  4 11:34:36 atr2 sshd[3284]: Invalid user test from 4.28.181.157
Oct  4 11:34:36 atr2 sshd[3284]: Failed password for invalid user test from 4.28.181.157 port 51276 ssh2
Oct  4 11:34:37 atr2 sshd[3287]: Generating 768 bit RSA key.
Oct  4 11:34:38 atr2 sshd[3287]: RSA key generation complete.
Oct  4 11:34:39 atr2 sshd[3287]: Connection from 4.28.181.157 port 51353
Oct  4 11:34:41 atr2 sshd[3287]: Invalid user www-data from 4.28.181.157
Oct  4 11:34:41 atr2 sshd[3287]: Failed password for invalid user www-data from 4.28.181.157 port 51353 ssh2
Oct  4 11:34:43 atr2 sshd[3290]: Generating 768 bit RSA key.
Oct  4 11:34:44 atr2 sshd[3290]: RSA key generation complete.
Oct  4 11:34:44 atr2 sshd[3290]: Connection from 4.28.181.157 port 51434
Oct  4 11:34:47 atr2 sshd[3290]: User mysql not allowed because listed in DenyUsers
Oct  4 11:34:47 atr2 sshd[3290]: Failed password for invalid user mysql from 4.28.181.157 port 51434 ssh2
Oct  4 11:34:49 atr2 sshd[3293]: Generating 768 bit RSA key.
Oct  4 11:34:50 atr2 sshd[3293]: RSA key generation complete.
Oct  4 11:34:50 atr2 sshd[3293]: Connection from 4.28.181.157 port 51521
Oct  4 11:34:53 atr2 sshd[3293]: User operator not allowed because listed in DenyUsers
Oct  4 11:34:53 atr2 sshd[3293]: Failed password for invalid user operator from 4.28.181.157 port 51521 ssh2
Oct  4 11:34:55 atr2 sshd[3296]: Generating 768 bit RSA key.
Oct  4 11:34:55 atr2 sshd[3296]: RSA key generation complete.
Oct  4 11:34:56 atr2 sshd[3296]: Connection from 4.28.181.157 port 51591
Oct  4 11:34:59 atr2 sshd[3296]: User adm not allowed because listed in DenyUsers
Oct  4 11:34:59 atr2 sshd[3296]: Failed password for invalid user adm from 4.28.181.157 port 51591 ssh2
Oct  4 11:35:00 atr2 sshd[3299]: Generating 768 bit RSA key.
Oct  4 11:35:01 atr2 sshd[3299]: RSA key generation complete.
Oct  4 11:35:01 atr2 sshd[3299]: Connection from 4.28.181.157 port 51676
Oct  4 11:35:04 atr2 sshd[3299]: Invalid user apache from 4.28.181.157
Oct  4 11:35:04 atr2 sshd[3299]: Failed password for invalid user apache from 4.28.181.157 port 51676 ssh2
Oct  4 11:35:06 atr2 sshd[3302]: Generating 768 bit RSA key.
Oct  4 11:35:07 atr2 sshd[3302]: RSA key generation complete.
Oct  4 11:35:09 atr2 sshd[3302]: Connection from 4.28.181.157 port 51744
Oct  4 11:35:11 atr2 sshd[3302]: Invalid user irc from 4.28.181.157
Oct  4 11:35:11 atr2 sshd[3302]: Failed password for invalid user irc from 4.28.181.157 port 51744 ssh2
Oct  4 11:35:13 atr2 sshd[3305]: Generating 768 bit RSA key.
Oct  4 11:35:14 atr2 sshd[3305]: RSA key generation complete.
Oct  4 11:35:15 atr2 sshd[3305]: Connection from 4.28.181.157 port 51846
Oct  4 11:35:18 atr2 sshd[3305]: Invalid user irc from 4.28.181.157
Oct  4 11:35:18 atr2 sshd[3305]: Failed password for invalid user irc from 4.28.181.157 port 51846 ssh2
Oct  4 11:35:20 atr2 sshd[3308]: Generating 768 bit RSA key.
Oct  4 11:35:21 atr2 sshd[3308]: RSA key generation complete.
Oct  4 11:35:22 atr2 sshd[3308]: Connection from 4.28.181.157 port 51946
Oct  4 11:35:25 atr2 sshd[3308]: User adm not allowed because listed in DenyUsers
Oct  4 11:35:25 atr2 sshd[3308]: Failed password for invalid user adm from 4.28.181.157 port 51946 ssh2
Oct  4 11:35:27 atr2 sshd[3311]: Generating 768 bit RSA key.
Oct  4 11:35:27 atr2 sshd[3311]: RSA key generation complete.
Oct  4 11:35:28 atr2 sshd[3311]: Connection from 4.28.181.157 port 52036
Oct  4 11:35:31 atr2 sshd[3311]: User root not allowed because listed in DenyUsers
Oct  4 11:35:31 atr2 sshd[3311]: Failed password for invalid user root from 4.28.181.157 port 52036 ssh2
Oct  4 11:35:33 atr2 sshd[3315]: Generating 768 bit RSA key.
Oct  4 11:35:33 atr2 sshd[3315]: RSA key generation complete.
Oct  4 11:35:34 atr2 sshd[3315]: Connection from 4.28.181.157 port 52118
Oct  4 11:35:41 atr2 sshd[3315]: User root not allowed because listed in DenyUsers
Oct  4 11:35:41 atr2 sshd[3315]: Failed password for invalid user root from 4.28.181.157 port 52118 ssh2


# nmap 3.70 scan initiated Mon Oct  4 12:08:37 2004 as: nmap -sT -T4 -n -oN ssh-attack.log --append_output -P0 4.28.181.157 

Interesting ports on 4.28.181.157:
(The 1655 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
1723/tcp closed pptp
5190/tcp closed aol
8080/tcp open   http-proxy

# Nmap run completed at Mon Oct  4 12:10:05 2004 -- 1 IP address (1 host up) scanned in 88.233 seconds
My point in posting this is that they are using UID's other than "test" and "guest", and it's very likely that someone who reads this will have one of the mentioned user-id's unsecured: apache, mysql, adm, www, wwwrun, root, operator, www-date, and a few others. I have no idea where he got the names "horde" and "patrick" from. I have no users by those names.
I have a bad feeling that this was an unsecured proxy server (allowing CONNECT), so likely nothing will happen to this guy; he's probably trying someone else's account now. But he didn't get in here.

Last edited by jayjwa; 10-06-2004 at 09:42 AM.
 
Old 10-06-2004, 09:30 AM   #55
craig34
LQ Newbie
 
Registered: Sep 2004
Distribution: FreeBSD
Posts: 8

Rep: Reputation: 0
Strangely enough, I've begun to notice a huge slowdown in SSH attempts on my server. Actually had none yesterday... possibly the calm before the storm? Hopefully not since I'm away this weekend.
 
Old 10-06-2004, 09:38 AM   #56
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by craig34
Strangely enough, I've begun to notice a huge slowdown in SSH attempts on my server. Actually had none yesterday... possibly the calm before the storm? Hopefully not since I'm away this weekend.
Ditto here. They all seemed to stop on Sunday for me. I came into work Monday morning and was astonished that there were none of these attempts at all on Sunday. Monday and Tuesday were also slow.
 
Old 10-06-2004, 09:39 AM   #57
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
# nmap 3.70 scan initiated Mon Oct 4 12:08:37 2004 as: nmap -sT -T4 -n -oN ssh-attack.log --append_output -P0 4.28.181.157

Interesting ports on 4.28.181.157:
(The 1655 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1723/tcp closed pptp
5190/tcp closed aol
8080/tcp open http-proxy

# Nmap run completed at Mon Oct 4 12:10:05 2004 -- 1 IP address (1 host up) scanned in 88.233 seconds
I'd be careful using nmap outside of your network. ISPs have been known to ban/blacklist without question for this type of activity.
 
Old 10-08-2004, 11:38 AM   #58
shinobi59
Member
 
Registered: Oct 2004
Posts: 53

Rep: Reputation: 15
quote:Originally posted by TruckStuff
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.

At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


put your private key into the remote system in a file called authorized_keys.

1) Check if you have a .ssh directory
ssh user@remotehost 'ls -l .ssh'

2) If not:
ssh user@remotehost 'mkdir .ssh'

3) Copy your public key
scp $HOME/.ssh/id_rsa.pub user@remotehost:.ssh/authorized_keys

NOTE: if the .ssh directory and the authorized_keys file already exist and the remote system / account are shared or you access user@remotehost from more than one machine then do the following:

scp $HOME/.ssh/id_rsa.pub user@remotehost:.

then

ssh user@remobehost 'cat id_rsa.pub >> .ssh/authoized_keys' to append to rather than overwrite the authorized_keys file.
 
Old 10-08-2004, 07:04 PM   #59
floppywhopper
Member
 
Registered: Aug 2004
Location: Albany, Western Australia
Distribution: Mageia 2, SME Server 8
Posts: 616
Blog Entries: 2

Rep: Reputation: 54
Truck stuff said
.... ISPs have been known to ban/blacklist without question for this type of activity

not necessarily !!
here in Australia its apparently not illegal to do these sorts of scans
only illegal to actually break in to the system
at least that is what my ISP said

however when I showed them 2 days worth of logs
the activity stopped ( they were another customer of my ISP )

It seems strange that you can get arrested here for attempting to break and enter a house
but not attempting to break and enter via the internet
however it may be a breach of the ISP service agreement
in which case you're in luck
if they can be bothered to do anything about it
or even if they are bright enough to understand what was going on

A friend of mine was cracked
cos the ISP was cracked
they used my friend to spam everybody in the universe
and the ISP is like "duh... nope, not our problem"
ISP run by Homer-Simpson-clone rejects

I guess the moral to this story is to run a tightly locked down system

live long and prosper

floppywhopper

Last edited by floppywhopper; 10-08-2004 at 07:05 PM.
 
Old 10-10-2004, 07:17 PM   #60
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Hm. No reply from the network in question on that ssh attempt I posted above. Somehow it doesn't surprise me. I had hoped I'd have gotten at least a "yeah, it was a unsecured proxy, we fixed it/told them to fix it/put it offline", or something. As far as scanning goes, I do it when I get connections to my host that are more than just "noise", as a way to try and gadge what might be occuring. I don't do it repeatedly, or to hosts without them contacting me first. I don't really mind it done to my host either, as long as it's not a precursor to an attack of some sort. I see it as the cyberspace equal of peeking out of the peephole some doors have at the people in the hall way. I tend to think that if an entire 12-minute long bruteforce login attempt went noticed by that ISP, even after several letters where sent to them w/logs pointing it out, then they can't be too concerned with one scan.
 
  


Reply

Tags
hostsdeny, keys, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh...log files that store the login attempts Bgrad Linux - Networking 4 03-29-2010 09:40 AM
Failed SSH login attempts Capt_Caveman Linux - Security 38 01-03-2006 03:22 PM
ssh login attempts from localhost?! sovietpower Linux - Security 2 05-29-2005 01:19 AM
SSH login attempts - how to get rid of the automated malware? alexberk Linux - Security 1 05-24-2005 04:57 AM
How do I block IP's to prevent unauthorized SSH login attempts? leofoxx Linux - Security 6 05-23-2005 09:36 PM


All times are GMT -5. The time now is 08:31 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration