Old 06-24-2008, 07:49 PM   #1
drauk
Member
 
Registered: Sep 2007
Location: /MX/BC/TJ
Distribution: Slackware 13
Posts: 37

Rep: Reputation: 15
someone trying to hack me?


Hi, I was checking the logs today (/var/log/messages) and I found this:
Code:
Jun 22 19:24:16 myhost sshd[13636]: Did not receive identification string from <ip>
Jun 22 19:26:04 myhost sshd[14524]: reverse mapping checking getaddrinfo for <host name> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 23 19:12:49 myhost sshd[14670]: Failed password for root from <ip> port 40232 ssh2
Jun 23 19:13:06 myhost sshd[14793]: Invalid user <user> from <ip>
The logs repeat a lot; the only things that change are <ip> and <user>. Is someone trying to hack me?? If so, am I safe?? Or should I do something else to prevent being hacked? O.o

(I replaced the user name with <user>, the IP address with <ip> and the host name with <host name>)

thanks.

 
Old 06-24-2008, 08:10 PM   #2
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Yes, some loser is trying to break into your system.
If you need ssh for remote access from unknown IP addresses, try moving ssh to a different port.
If ssh will only be used from known addresses, then block all others.
If ssh will only be used from the LAN, then block all other addresses.
You may also set up sshd_config to not allow 'root' to log in.
 
Old 06-24-2008, 08:10 PM   #3
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162
There are several ways to lessen your risk. First would be to not allow directly connecting as root. You can also restrict access to specific users or groups and force the use of keys instead of passwords. Some people recommend running the daemon on another port but that won't stop someone who scans your open ports. The settings to use in /etc/ssh/sshd_config would be:
Code:
AllowUsers user names here
PermitRootLogin no
PasswordAuthentication no
Port portnumber
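A small audit script for the four sshd_config directives listed in this post, added here as an example and not code from the thread. It reads sshd_config text, keeps the first value of each directive as sshd does, ignores anything under a Match block, and reports which recommendations are missing or weak; the WEAK_CONFIG sample is constructed for illustration.

```python
import re

# Values recommended in the post above; AllowUsers only needs to be present.
RECOMMENDED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def parse_sshd_config(text):
    """Return {directive_lowercase: value} using the first occurrence of each
    directive, as sshd does. Everything after a Match line belongs to that
    block and is skipped, since it does not set the global value."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means every recommendation is met."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, so the sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', recommended '{want}'")
    if not s.get("allowusers"):
        findings.append("allowusers: not set, every account may attempt to log in")
    if s.get("port", "22") == "22":
        findings.append("port: 22 (a non-default port only reduces scanner noise)")
    return findings

# Constructed sample: a stock-looking config with the weak settings still in place.
WEAK_CONFIG = """
#Port 22
PermitRootLogin yes
PasswordAuthentication yes   # still using passwords
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
```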
 
Old 06-24-2008, 08:28 PM   #4
jong357
Senior Member
 
Registered: May 2003
Location: Columbus, OH
Distribution: DIYSlackware
Posts: 1,914

Rep: Reputation: 52
Doesn't Slackware come defaulted to running the ssh daemon? You have to untick it during the installation?

Bad, bad idea.... 90% of desktop users don't even use ssh to hit another machine much less want their box open... I've always thought that default needed to go away. A lot of people won't catch it (or know what it is in the first place) right after installation and it just creates a big security hole.

If you don't plan on connecting to your computer via ssh from another computer, then disable it.

chmod 644 /etc/rc.d/rc.sshd

or whatever the script is called.

 
Old 06-24-2008, 09:00 PM   #5
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
This is very probably one of a multitude of botnet attempts to get access. (Yes, that is classified as hacking.) I sometimes get 1000 a day of these. So long as your password is hard to guess, you are pretty safe. You will increase your odds by making it impossible to log in as root directly, and by making sure that you don't have any random users with shell access (the /etc/passwd file will have /sbin/nologin as the last field of each line for daemon users, who are there only so that they can have a userID). There are other, more complex countermeasures you can take, but there is a diminishing return on that investment.
 
Old 06-24-2008, 09:22 PM   #6
drauk
Member
 
Registered: Sep 2007
Location: /MX/BC/TJ
Distribution: Slackware 13
Posts: 37

Original Poster
Rep: Reputation: 15
Thanks for your advice. For now I decided to disable the ssh daemon since I really don't need it.
BTW, I was checking /etc/passwd and there is a user called 'operator' (in the root group). Can I delete this user, or is it necessary?
 
Old 06-24-2008, 11:51 PM   #7
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
I would leave that user defined. It is a standard userID, and I am not sure what would break if it were undefined. On my systems, that userID does have /sbin/nologin as the last parameter on the line in /etc/passwd.
 
Old 06-25-2008, 06:10 AM   #8
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,190

Rep: Reputation: 548
I disable ssh when I install Slackware as I'm not running servers on my 12.1 boxes. You could try scanning your unit for rootkits, that may give another clue as to whether or not your unit has been penetrated.

http://slackbuilds.org/repository/12.1/system/rkhunter/
 
Old 06-25-2008, 10:38 AM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,270
Blog Entries: 3

Rep: Reputation: 1445
Hi,

I would make sure that you have a 'STRONG' password. You could use a 'key', which would be a secure way to log in.
 
Old 06-25-2008, 01:05 PM   #10
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
If you do end up needing to use SSH, I would recommend using "DenyHosts" for added protection. I used to have many attacks a day, but in the end I had a huge /etc/hosts.deny list and that cut my traffic considerably. Not to mention that you also receive the IP addresses to be added from other hack attempts (some 27000+ IP addresses) that are auto-added to /etc/hosts.deny. I used it and loved it.
 
Old 06-25-2008, 01:23 PM   #11
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
I say the best way is to keep the ssh daemon running only when you need it. I don't even install ssh, because I almost never use it.
 
Old 06-25-2008, 02:21 PM   #12
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,263

Rep: Reputation: 648
Quote:
Originally Posted by C-Sniper
If you do end up needing to use SSH, I would recommend using "DenyHosts" for added protection. I used to have many attacks a day, but in the end I had a huge /etc/hosts.deny list and that cut my traffic considerably. Not to mention that you also receive the IP addresses to be added from other hack attempts (some 27000+ IP addresses) that are auto-added to /etc/hosts.deny. I used it and loved it.
If you only need to use ssh from your LAN and not across the internet, you can always use /etc/hosts.allow and /etc/hosts.deny to block everyone except those on your network. My hosts.deny file just blocks ALL : ALL, while my hosts.allow file allows only those on my network (192.168.0.). I also have a router with a firewall. I'm definitely not 100% secure, but although I may see some hacking attempts on my router, I never see them on my PC. It's a simple yet effective solution. In addition, using Alien Bob's adaptation of the Easy Firewall Generator is a good idea as well.

Feel free to point out any flaws in my logic -- it would just mean I would change my security settings (and I'm sure would help everyone in the long run).
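The hosts.allow / hosts.deny setup described in this post, worked through as an added example (not code from the thread or from tcp_wrappers itself). It implements only the subset of hosts_access(5) matching the post relies on: ALL, a daemon name, and a network prefix written with a trailing dot such as 192.168.0., and it applies the documented order (hosts.allow grants first, then hosts.deny refuses, and a client matching neither is let through). The rule texts and addresses are constructed.

```python
def parse_rules(text):
    """Turn 'daemon_list : client_list [: command]' lines into
    (daemons, clients) tuples; the optional command field is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":")
        rules.append((parts[0].split(), parts[1].split()))
    return rules

def pattern_matches(pattern, value):
    """ALL matches anything; a pattern ending in '.' is an address prefix;
    anything else must match exactly (case-insensitive)."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern.lower() == value.lower()

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons)
            and any(pattern_matches(c, client_ip) for c in clients))

def is_allowed(allow_text, deny_text, daemon, client_ip):
    """hosts_access order: first match in hosts.allow grants access, then
    first match in hosts.deny refuses it, otherwise access is granted."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True

# Constructed rule files mirroring the post: deny everyone, allow sshd from the LAN.
HOSTS_ALLOW = "sshd : 192.168.0.\n"
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.0.5", "203.0.113.9"):
        print(ip, "sshd allowed:", is_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

Note the trailing dot: written as 192.168.0 (no dot) the pattern is an exact host match that matches nothing, so the deny-all rule then locks out the LAN as well.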
 
Old 06-25-2008, 03:01 PM   #13
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
Quote:
Originally Posted by T3slider
If you only need to use ssh from your LAN and not across the internet, you can always use /etc/hosts.allow and /etc/hosts.deny to block everyone except those on your network. My hosts.deny file just blocks ALL : ALL, while my hosts.allow file allows only those on my network (192.168.0.). I also have a router with a firewall. I'm definitely not 100% secure, but although I may see some hacking attempts on my router, I never see them on my PC. It's a simple yet effective solution. In addition, using Alien Bob's adaptation of the Easy Firewall Generator is a good idea as well.

Feel free to point out any flaws in my logic -- it would just mean I would change my security settings (and I'm sure would help everyone in the long run).
Well, unfortunately in my situation I did not have the ability to have both machines in one place (server at my dad's, main at my mom's). Also, since the server was also running an FTP server, I couldn't just do an ALL:ALL rule for hosts.deny.

As for flaws in your logic, for your current situation and need there are none, and your solution is probably the most secure way to go about it if the PC is going to be used as a LAN server instead of an internet one.
 
Old 06-25-2008, 03:13 PM   #14
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,263

Rep: Reputation: 648
Quote:
Originally Posted by C-Sniper
Well, unfortunately in my situation I did not have the ability to have both machines in one place (server at my dad's, main at my mom's). Also, since the server was also running an FTP server, I couldn't just do an ALL:ALL rule for hosts.deny.
Fair enough.
 
Old 06-25-2008, 04:04 PM   #15
gmartin
Member
 
Registered: Mar 2003
Location: PA
Distribution: Slackware 13.37 Linux Reg # 341245
Posts: 285

Rep: Reputation: 40
Quote:
Originally Posted by C-Sniper
If you do end up needing to use SSH, I would recommend using "DenyHosts" for added protection. I used to have many attacks a day, but in the end I had a huge /etc/hosts.deny list and that cut my traffic considerably.
Is there a tool to wrap ssh in that will deny an IP after 'x' failed login attempts?
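The counting step behind the kind of tool asked about here (and behind DenyHosts as described earlier in the thread), run over the four sshd message types quoted in the first post, as an added example that is not code from the thread or from any of those tools. It tallies suspicious sshd events per source address and returns the addresses at or above a threshold; blocking them would be a separate step. The log lines are constructed in the shape of the first post's, using documentation addresses.

```python
import re
from collections import Counter

# One pattern per sshd message type quoted in the thread; each captures the source IP.
# The reverse-mapping warning is not an authentication failure on its own, but it is
# counted here as a hostile signal alongside the others.
EVENT_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)"),
    re.compile(r"Invalid user \S+ from (\S+)"),
    re.compile(r"Did not receive identification string from (\S+)"),
    re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed"),
]

def events_by_ip(lines):
    """Return Counter{ip: number of suspicious sshd events} over syslog lines."""
    counts = Counter()
    for line in lines:
        if "sshd[" not in line:
            continue                      # not an sshd message at all
        for pat in EVENT_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break                     # one event per line
    return counts

def offenders(lines, threshold):
    """Source IPs with at least `threshold` events, most active first."""
    return [ip for ip, n in events_by_ip(lines).most_common() if n >= threshold]

# Constructed sample log; 203.0.113.7 behaves like the scanner in the first post,
# 198.51.100.4 is a legitimate user who mistyped once and then logged in with a key.
SAMPLE_LOG = """\
Jun 22 19:24:16 myhost sshd[13636]: Did not receive identification string from 203.0.113.7
Jun 22 19:26:04 myhost sshd[14524]: reverse mapping checking getaddrinfo for bad.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 23 19:12:49 myhost sshd[14670]: Failed password for root from 203.0.113.7 port 40232 ssh2
Jun 23 19:13:06 myhost sshd[14793]: Invalid user admin from 203.0.113.7
Jun 23 19:13:08 myhost sshd[14793]: Failed password for invalid user admin from 203.0.113.7 port 40240 ssh2
Jun 23 20:01:00 myhost sshd[15001]: Failed password for alice from 198.51.100.4 port 50000 ssh2
Jun 23 20:05:00 myhost sshd[15010]: Accepted publickey for alice from 198.51.100.4 port 50010 ssh2
Jun 23 20:06:00 myhost kernel: eth0: link is up
""".splitlines()

if __name__ == "__main__":
    print(events_by_ip(SAMPLE_LOG))
    print("over threshold 3:", offenders(SAMPLE_LOG, 3))
```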
 