sshd attacks - failed passwords
My name is Jason Lim and I am an Administrator (or, rather, co-Administrator) of a forum that is rather large. Recently, we were disconnected from our webhost because of "unsolicited attacks". It appears that our server has been attacking our webhost (sounds funny, eh?). They allowed us the ability to secure it, but I have no idea how.
Neither I nor one of my peers has direct access to the server, so we cannot run remote commands. However, I would appreciate any help. Here is a log of what our webhost sent me:
Oct 15 07:41:16 localhost sshd[15184]: Failed password for root from ***.***.***.*** port 41501 ssh2
Where ***.***.***.*** is our forum's IP address. The server is a dedicated server, whatever that means. If anyone has any advice, I would be extremely grateful. Also, I am a Linux newbie, so please keep the information as simple as possible. |
Looks like your server has been hacked and your ISP would be right to disconnect it.
Someone needs to be responsible for keeping the server's operating system and forum software up-to-date with security patches and apply good security practice. You should be paying someone to do that. Your host may just be renting you the server and assume you're managing it yourself, in which case it's your responsibility. If you're paying your host to keep it secure and forum software up-to-date then it's their problem. As you don't know the root SSH password you cannot do this maintenance yourself so I'm assuming your webhost has responsibility for this. You would therefore have a right to expect them to deal with this problem. Frankly the best solution is for them to install and secure a new server and then copy over your data. Gary |
I am one of 4 Administrators on this forum, but being disorganised idiots as we are, despite the fact we are supposedly able to execute remote commands, I can't, for some reason. But one of us is the owner of the site, the domain name and the server. The server is a dedicated server run by our webhost aplus.net - and I guess it means the responsibility falls on all 4 of us. :( Alright, we did manage to connect to SSH (but that was my fellow Administrator and he is off now). Is there anything we can do? It's not root access, but I assume it is quite high up. And, just to confirm, what do you think the odds are that we are definitely hacked? I am in contact with our webhost at the moment, and would like to ascertain what our, er, poor chances are. :( |
No offence, but you're probably best off running the forum and leaving someone else to manage the forum software and server security. Some companies provide hosted forums and would assist you in migrating. Your monthly cost would likely be higher because someone has to pay the people to do the maintenance. Gary |
I just wish I knew Linux better... Thank you for your help once again. I'll get my superior to get the job done. |
Hey guys, thanks for the help so far. I'm another admin over at the forums, and I do have SSH access... so I can execute remote commands.
I run Linux as a desktop, and have for a few years now... but still, my server knowledge is somewhat limited. However, I actually have been updating our server via yum. Right now we run FC4 as our server OS, and we are up-to-date -- this means patches and everything. I'm not sure if that changes anything, but I figured I should add that. -roach |
Am I confused on something? I'm no server-whiz, but the above simply looks like someone trying to guess the password to the SSH server (possibly trying to crack it with a program). However, ANYONE can connect to an SSH server remotely with a username and password... just like FTP. Am I right so far? If someone decided to type our host address into their ftp client, and go on a password guessing spree, how exactly is that our problem or responsibility? Anyone can do this... and you can't prevent failed hacking attempts. |
I get those messages in my logs all the time. It's due to hackers trying to log into your ssh server. I've fixed it using the script at blinkeye.ch/mediawiki/index.php/SSH_Blocking (this forum won't allow me to post urls - I'm sure you know what to do!)
I created an init script that starts it when my machine boots up. It blocks attempts to get onto your server for 10 minutes if there have been more than 6 unsuccessful attempts at logging in. You might need to make a few modifications to it. You need iptables installed. |
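Added illustration of the idea behind that kind of blocking script (this is not the blinkeye script and not code from anyone in this thread): parse the sshd "Failed password" lines, count failures per source address inside a sliding 10-minute window, and render the iptables rule for any address that crosses the "more than 6" threshold. The log lines, the year (syslog lines carry none) and the rule shape are constructed assumptions; nothing here executes iptables, it only returns the rule strings so you can review them first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines in syslog format (no year, as on FC4).
SAMPLE_LOG = """\
Oct 15 07:41:10 localhost sshd[15180]: Failed password for root from 198.51.100.23 port 41490 ssh2
Oct 15 07:41:12 localhost sshd[15181]: Failed password for root from 198.51.100.23 port 41492 ssh2
Oct 15 07:41:13 localhost sshd[15182]: Failed password for invalid user admin from 198.51.100.23 port 41495 ssh2
Oct 15 07:41:14 localhost sshd[15183]: Failed password for root from 198.51.100.23 port 41497 ssh2
Oct 15 07:41:15 localhost sshd[15184]: Failed password for root from 198.51.100.23 port 41499 ssh2
Oct 15 07:41:16 localhost sshd[15185]: Failed password for root from 198.51.100.23 port 41501 ssh2
Oct 15 07:41:17 localhost sshd[15186]: Failed password for root from 198.51.100.23 port 41503 ssh2
Oct 15 07:45:00 localhost sshd[15190]: Failed password for jason from 203.0.113.9 port 50001 ssh2
Oct 15 07:46:00 localhost sshd[15191]: Accepted password for jason from 203.0.113.9 port 50002 ssh2
Oct 15 09:00:00 localhost sshd[15200]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, user, ip) for every 'Failed password' line.
    The year is an assumption supplied by the caller: syslog omits it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def offenders(log_text, threshold=6, window_minutes=10):
    """Return {ip: time_of_trigger} for addresses with MORE THAN `threshold`
    failures inside any sliding window of `window_minutes` (the 6-in-10 rule
    described in the post)."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    hits = {}
    window = timedelta(minutes=window_minutes)
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in hits:
            hits[ip] = ts
    return hits


def block_rule(ip):
    """The iptables rule a blocking script would apply for one address
    (constructed shape: drop new SSH connections from that source)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def block_rules(hits):
    """Rules for every offender, sorted so the output is stable; returned as
    strings, never executed here."""
    return [block_rule(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for rule in block_rules(found):
        print(rule)
```

Running it on the constructed log flags only 198.51.100.23 (seven failures in seven seconds); the single failures from the two other addresses, one of which is followed by a successful login, stay below the threshold. A real script would also need an expiry step that removes the rule after the 10 minutes, which is the part the init script in the post handles.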
If I'm reading the OP correctly, the log he posted is from a different server. Those are ssh login attempts originating from his server, not trying to get into his server.
|
If you need ssh, and have the ability to change the ssh configuration (not always possible with some hosting solutions), consider changing ssh to run on a port other than 22, e.g. 3456, and/or restricting the IPs which can connect to the ssh port to a list of IPs you know only you have access to.
|
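Added example, not from this thread or any of its posters, of how one might check an sshd_config for the points the post raises (non-default port, and limiting who may log in at all): parse the file the way sshd reads it (first occurrence of a keyword wins) and list permissive settings. The two config fragments and the user names in AllowUsers are constructed; treating an absent PermitRootLogin or PasswordAuthentication as "yes" is an assumption matching the permissive defaults of older OpenSSH releases.

```python
import re

# Constructed sshd_config fragments (not the thread's server): the permissive
# settings many hosts of that era shipped with, and a tightened version.
WEAK_CONFIG = """\
# default-ish sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 3456
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jason roach
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value}. sshd honours the FIRST occurrence
    of a keyword, so duplicates later in the file are ignored here as well.
    Comments, blank lines and the 'Key=Value' spelling are accepted.
    Match blocks are not modelled (assumption: none are present)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Return a list of findings for the settings the post talks about.
    Missing keywords are treated as the old permissive defaults (assumption)."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: default port, so every automated dictionary run hits it")
    if cfg.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: root is the account guessed most; log in as a user and su/sudo")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: one weak password is enough; prefer keys")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account (ftp, ex-admins) may attempt a login")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

Restricting the source addresses, the other suggestion in the post, is done outside sshd_config (iptables, or hosts.allow for sshd built with TCP wrappers), so it is not part of this check.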
hmm I'm not a linux security guru by any means, but afaik if a server has been compromised it's usually best practice to backup all of your data files and do a reinstall of the os. The reason being that you have no idea what the intruder did when they gained access. Yes you know that they tried to launch an attack on your isp, there's also a good chance he/she's set up a backdoor into your system. Changing passwords and ssh config may not be enough at this point. Best practice would be to back up your data, have aplus.net reinstall the os, install tripwire right away, thoroughly lock down any remote login access, then reload your data from your archives. It sounds like a lot but you could probably knock it all out in one night. Just post a message on your forum saying that "we will temporarily be offline for scheduled maintenance from 10pm - 6am".
|
I just re-read the thread a little more carefully... These ssh login attempts are coming FROM your server...
Looks like someone at least has a shell on your machine. This page has some very good advice. Be aware that the only way to be 100% sure the machine is clean is to re-install the OS, but you can't do this over the net, at least not without the host-co's help. Search your forum software maker's page, security advisory sites and hacking sites like milw0rm to help identify the flaw which led to the compromise. I mention milw0rm specifically because it helped identify an attack on one of my sites in the past, and it's often got info there before it gets published on the software vendor's site or security sites. |
there is a topic made sticky why not read it... http://www.linuxquestions.org/questi...d.php?t=340366 |
Reading that link is going to do absolutely no good because the OP was the SOURCE of the ssh attack, not the victim. The OP needs to take steps to determine how the box was compromised and what was done to it. And since we haven't had any new information for a bit, it is pretty useless to sit and speculate. |
[edit] Here is a snippet from last -a -d:
anon ftpd24200 Wed Oct 11 11:54 - 12:00 (00:05) anonland
"Amantis" was a former Administrator on this forum (and she holds no grudges). The IP address is banned by SORBS, and does not match any of her IP addresses on our forum IP checking facility. We are deleting the account (if not done so already). Are there any commands to block that IP address? Or perhaps any other suggested commands? |
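Added example (not the poster's listing and not code from anyone in the thread) of the check being done by hand above, carried through for the whole `last -a -d` output: parse each session row, compare the source column against the addresses each current admin says they use, and flag every login nobody can account for, including any row for an account that is not on the list at all. The listing, the admin names and the allow-list are constructed; a former admin's account is given an empty set, because no login from it is expected.

```python
import re
from collections import defaultdict

# Constructed `last -a -d` style output (not the thread's real listing).
# With -a the source host/IP is the last column; -d resolves it to a hostname
# where reverse DNS exists, so the column mixes names and addresses.
SAMPLE_LAST = """\
jason    pts/0        Sun Oct 15 08:02   still logged in   203.0.113.9
roach    pts/1        Sat Oct 14 22:10 - 23:45  (01:35)   home.example.net
amantis  pts/2        Wed Oct 11 11:54 - 12:00  (00:05)   198.51.100.23
anon     ftpd24200    Wed Oct 11 11:40 - 11:41  (00:01)   198.51.100.23
jason    pts/0        Tue Oct 10 19:00 - 19:30  (00:30)   203.0.113.9
reboot   system boot  Mon Oct  9 03:00          (6+05:02)  2.6.17
wtmp begins Sun Oct  1 00:00:01 2006
"""

# Constructed allow-list: the sources each current admin says they use.
# The former admin's account is listed with an empty set: no login expected.
KNOWN_SOURCES = {
    "jason": {"203.0.113.9"},
    "roach": {"203.0.113.40", "home.example.net"},
    "amantis": set(),
}

LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<when>.+?\S)\s+(?P<host>\S+)$")


def parse_last(text):
    """Yield (user, tty, when, host) per session row, skipping the reboot
    pseudo-user and the trailing 'wtmp begins' footer."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("wtmp begins", "reboot ")):
            continue
        m = LAST_RE.match(line)
        if m:
            yield m["user"], m["tty"], m["when"], m["host"]


def unexplained_logins(text, known=KNOWN_SOURCES):
    """Rows nobody can account for: the user is absent from `known` (a stray
    account such as an ftp user) or the source is not on that user's list."""
    return [row for row in parse_last(text) if row[3] not in known.get(row[0], set())]


def sources_by_host(rows):
    """Group flagged rows by source, so one address touching several accounts
    stands out as a single incident rather than unrelated noise."""
    grouped = defaultdict(set)
    for user, _tty, _when, host in rows:
        grouped[host].add(user)
    return dict(grouped)


if __name__ == "__main__":
    flagged = unexplained_logins(SAMPLE_LAST)
    for user, tty, when, host in flagged:
        print(f"unexplained: {user} on {tty} at {when} from {host}")
    for host, users in sources_by_host(flagged).items():
        print(f"{host} used accounts: {', '.join(sorted(users))}")
```

On the constructed data the ex-admin's shell session and the anonymous ftp session come from the same address a few minutes apart, which is the kind of correlation that turns "one odd login" into "this source had two ways in". Note that wtmp can be edited by anyone who got root, so a clean `last` is not proof of a clean box, as later replies in this thread also point out.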
However, what if the SSH attempts were coming from webmin? Would that show that they were executed from OUR server? |
We aren't going to reinstall until our webhost replies again later, and definitely not if not required. I do have a good feeling about this, though. If we get any more issues, then I will post here again. |
I would caution against a premature declaration of victory here. If you suspect the Amantis account was compromised, it is possible you'll see evidence in the .bash_history file of what was done. It certainly can't hurt to look and see. Also, assuming you're right about the compromised account, there is the question of how it was compromised. A little shoulder surfing? Insecure password? Cracked software?
I'm also a touch confused about how Webmin plays into this. In most of the threads, it sounds like you are using SSH to access the server. However, if you are running Webmin on that server and accessing through that, you may have more trouble. Webmin is often run with root privileges so if that was the way they got in, they may have had root access. |
I thought aplus.net used a web administration package called Plesk on their dedicated servers...
|
Here is .bash_history: can't see anything bad, though. But my guess was insecure password.
> more .bash_history |
1) Your box was fingered as the culprit in an SSH dictionary attack. 2) The Amantis account has logins that cannot be accounted for by the legitimate owner. That's pretty much all we know as facts, unless you're not telling us everything. And that is not enough to diagnose how the intruder got access. If this is as far as you're willing to go, then you really need to reinstall the OS because you don't know what happened. You need to make sure everything is fully patched and you need to make sure that all passwords and SSH keys (if you use them) are changed. Otherwise you do need to do more digging to find out what actually happened. Your call. |
The problem is, reinstalling something like this is not going to be easy. Employing someone to fix this is beyond our financial means (most of us are still students). We have banned a few IPs, disabled SSH, changed the root passwords, deleted Webmin accounts and changed ports... We can't find anything suspicious, .bash_history looks clean (cr00k3d is a known user)... We will keep digging, but if something happens, I (or we) will be back here. |
Good Day
To check if your box has been compromised install root kit hunter, which can be found at www.rkhunter.nl; also, to prevent this again use "DenyHost", it can be found at http://www.howtoforge.com/preventing...with_denyhosts . Works wonders for me and I can check who has tried a brute force SSH attack |
Before anyone starts suggesting things to "fix" this (which you shouldn't (yet)) I think you should start investigating in a more methodical way. Please read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html and post anything anomalous here. If it's too much to post, tarball up the results, logs, whatever and provide a D/L location.
// I also would like to applaud those who ask questions, shun guessing, doubt the completeness of the "evidence" and the validity of it all. Only the inquisitive approach can yield the "right" results. Keep up the good work. |
root kit hunter, can be found at www.rkhunter.nl
No, we're at rkhunter.sourceforge.net. |