LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-22-2005, 12:24 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
Attempted hack


After reading a couple of posts on being hacked I decided to check my logs and found this in
/var/log/messages. I have been trying to set up a good basic firewall with IPTABLES but Mr Caveman is too busy to reply to SOS calls. Can somebody please help me out! I shortened it, but it is long and there are many attempts.

/var/log/messages:


Mar 4 00:12:01 Sludge sshd[3999]: Did not receive identification string from ::ffff:61.71.120.170
Mar 4 00:16:49 Sludge sshd[4018]: Failed password for nobody from ::ffff:61.71.120.170 port 33996 ssh2
Mar 4 00:16:50 Sludge sshd[4018]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:16:54 Sludge sshd[4019]: Illegal user patrick from ::ffff:61.71.120.170
Mar 4 00:16:54 Sludge sshd[4019]: input_userauth_request: illegal user patrick
Mar 4 00:16:54 Sludge sshd[4019]: Failed password for illegal user patrick from ::ffff:61.71.120.170 port 34111 ssh2
Mar 4 00:16:54 Sludge sshd[4019]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:16:58 Sludge sshd[4020]: Illegal user patrick from ::ffff:61.71.120.170
Mar 4 00:16:58 Sludge sshd[4020]: input_userauth_request: illegal user patrick
Mar 4 00:16:58 Sludge sshd[4020]: Failed password for illegal user patrick from ::ffff:61.71.120.170 port 34209 ssh2
Mar 4 00:16:59 Sludge sshd[4020]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:03 Sludge sshd[4021]: Failed password for root from ::ffff:61.71.120.170 port 34331 ssh2
Mar 4 00:17:04 Sludge sshd[4021]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:08 Sludge sshd[4022]: Failed password for root from ::ffff:61.71.120.170 port 34440 ssh2
Mar 4 00:17:09 Sludge sshd[4022]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:13 Sludge sshd[4023]: Failed password for root from ::ffff:61.71.120.170 port 34551 ssh2
Mar 4 00:17:13 Sludge sshd[4023]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:18 Sludge sshd[4024]: Failed password for root from ::ffff:61.71.120.170 port 34653 ssh2
Mar 4 00:17:18 Sludge sshd[4024]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:22 Sludge sshd[4025]: Failed password for root from ::ffff:61.71.120.170 port 34769 ssh2
Mar 4 00:17:23 Sludge sshd[4025]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:27 Sludge sshd[4026]: Illegal user rolo from ::ffff:61.71.120.170
Mar 4 00:17:27 Sludge sshd[4026]: input_userauth_request: illegal user rolo
Mar 4 00:17:27 Sludge sshd[4026]: Failed password for illegal user rolo from ::ffff:61.71.120.170 port 34880 ssh2
Mar 4 00:17:27 Sludge sshd[4026]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:31 Sludge sshd[4027]: Illegal user iceuser from ::ffff:61.71.120.170
Mar 4 00:17:31 Sludge sshd[4027]: input_userauth_request: illegal user iceuser
Mar 4 00:17:31 Sludge sshd[4027]: Failed password for illegal user iceuser from ::ffff:61.71.120.170 port 34980 ssh2
Mar 4 00:17:32 Sludge sshd[4027]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:36 Sludge sshd[4028]: Illegal user horde from ::ffff:61.71.120.170
Mar 4 00:17:36 Sludge sshd[4028]: input_userauth_request: illegal user horde
Mar 4 00:17:36 Sludge sshd[4028]: Failed password for illegal user horde from ::ffff:61.71.120.170 port 35095 ssh2
Mar 4 00:17:37 Sludge sshd[4028]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:41 Sludge sshd[4029]: Illegal user cyrus from ::ffff:61.71.120.170
Mar 4 00:17:41 Sludge sshd[4029]: input_userauth_request: illegal user cyrus
Mar 4 00:17:42 Sludge sshd[4029]: Failed password for illegal user cyrus from ::ffff:61.71.120.170 port 35198 ssh2
Mar 4 00:17:42 Sludge sshd[4029]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:46 Sludge sshd[4030]: Illegal user www from ::ffff:61.71.120.170
Mar 4 00:17:46 Sludge sshd[4030]: input_userauth_request: illegal user www
Mar 4 00:17:48 Sludge sshd[4030]: Failed password for illegal user www from ::ffff:61.71.120.170 port 35332 ssh2
Mar 4 00:17:48 Sludge sshd[4030]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:54 Sludge sshd[4031]: Failed password for wwwrun from ::ffff:61.71.120.170 port 35481 ssh2
Mar 4 00:17:54 Sludge sshd[4031]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:17:59 Sludge sshd[4032]: Illegal user matt from ::ffff:61.71.120.170
Mar 4 00:17:59 Sludge sshd[4032]: input_userauth_request: illegal user matt
Mar 4 00:17:59 Sludge sshd[4032]: Failed password for illegal user matt from ::ffff:61.71.120.170 port 35611 ssh2
Mar 4 00:17:59 Sludge sshd[4032]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:18:04 Sludge sshd[4033]: Illegal user test from ::ffff:61.71.120.170
Mar 4 00:18:04 Sludge sshd[4033]: input_userauth_request: illegal user test
Mar 4 00:18:04 Sludge sshd[4033]: Failed password for illegal user test from ::ffff:61.71.120.170 port 35728 ssh2

Mar 4 00:24:55 Sludge sshd[4120]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:24:59 Sludge sshd[4121]: Failed password for root from ::ffff:61.71.120.170 port 48827 ssh2
Mar 4 00:25:00 Sludge sshd[4121]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:25:04 Sludge sshd[4122]: Failed password for root from ::ffff:61.71.120.170 port 49658 ssh2
Mar 4 00:25:04 Sludge sshd[4122]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:25:08 Sludge sshd[4123]: Failed password for root from ::ffff:61.71.120.170 port 50455 ssh2
Mar 4 00:25:09 Sludge sshd[4123]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:25:12 Sludge sshd[4124]: Failed password for root from ::ffff:61.71.120.170 port 51240 ssh2
Mar 4 00:25:13 Sludge sshd[4124]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:25:16 Sludge sshd[4125]: Illegal user test from ::ffff:61.71.120.170
Mar 4 00:25:16 Sludge sshd[4125]: input_userauth_request: illegal user test
Mar 4 00:25:16 Sludge sshd[4125]: Failed password for illegal user test from ::ffff:61.71.120.170 port 51932 ssh2
Mar 4 00:25:17 Sludge sshd[4125]: Received disconnect from ::ffff:61.71.120.170: 11: Bye Bye
Mar 4 00:46:40 Sludge -- MARK --
Mar 4 00:59:00 Sludge /USR/SBIN/CRON[4163]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 01:26:40 Sludge -- MARK --
Mar 4 01:46:40 Sludge -- MARK --

Mar 4 05:26:40 Sludge -- MARK --
Mar 4 05:46:40 Sludge -- MARK --
Mar 4 05:59:00 Sludge /USR/SBIN/CRON[4595]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 06:26:40 Sludge -- MARK --
Mar 4 06:46:40 Sludge -- MARK --
Mar 4 06:59:00 Sludge /USR/SBIN/CRON[4669]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 07:26:40 Sludge -- MARK --
Mar 4 07:46:40 Sludge -- MARK --
Mar 4 07:59:00 Sludge /USR/SBIN/CRON[4744]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 08:26:40 Sludge -- MARK --
Mar 4 08:46:40 Sludge -- MARK --
Mar 4 08:59:00 Sludge /USR/SBIN/CRON[4819]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 09:26:40 Sludge -- MARK --
Mar 4 09:46:40 Sludge -- MARK --
Mar 4 09:59:00 Sludge /USR/SBIN/CRON[4893]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 10:26:40 Sludge -- MARK --
Mar 4 10:46:40 Sludge -- MARK --
Mar 4 10:59:00 Sludge /USR/SBIN/CRON[4968]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 4 11:26:40 Sludge -- MARK --
Mar 4 11:46:40 Sludge -- MARK --
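The quickest way to make sense of a log like the one above is to count failures per source address and list which usernames each source tried. The script below is an added example, not part of the original post; the sample log it reads is constructed here (a subset of the lines above plus one line from a made-up LAN host, 192.168.1.7, so that the threshold logic has something to ignore). It keys on the stable "Failed password for ... from ..." wording, so it also works with newer OpenSSH versions that log "Invalid user" instead of "Illegal user", and it strips the ::ffff: prefix this sshd puts on IPv4-mapped addresses.

```shell
#!/bin/sh
# Added example: triage sshd authentication failures from a syslog file.
# The sample below is constructed for this example (the 192.168.1.7 line
# and the exact selection of lines are not from the thread's real log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 4 00:12:01 Sludge sshd[3999]: Did not receive identification string from ::ffff:61.71.120.170
Mar 4 00:16:49 Sludge sshd[4018]: Failed password for nobody from ::ffff:61.71.120.170 port 33996 ssh2
Mar 4 00:16:54 Sludge sshd[4019]: Illegal user patrick from ::ffff:61.71.120.170
Mar 4 00:16:54 Sludge sshd[4019]: Failed password for illegal user patrick from ::ffff:61.71.120.170 port 34111 ssh2
Mar 4 00:17:03 Sludge sshd[4021]: Failed password for root from ::ffff:61.71.120.170 port 34331 ssh2
Mar 4 00:17:08 Sludge sshd[4022]: Failed password for root from ::ffff:61.71.120.170 port 34440 ssh2
Mar 4 00:17:27 Sludge sshd[4026]: Failed password for illegal user rolo from ::ffff:61.71.120.170 port 34880 ssh2
Mar 4 00:25:04 Sludge sshd[4122]: Failed password for root from ::ffff:61.71.120.170 port 49658 ssh2
Mar 4 00:30:00 Sludge sshd[4200]: Failed password for bob from ::ffff:192.168.1.7 port 40000 ssh2
Mar 4 00:59:00 Sludge /USR/SBIN/CRON[4163]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
EOF

# failed_by_source LOGFILE -> "count ip" lines, busiest source first
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        # the address always follows the word "from"
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        sub(/^::ffff:/, "", ip)      # IPv4-mapped IPv6 form used by this sshd
        n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# users_tried LOGFILE IP -> unique usernames that IP tried, sorted
users_tried() {
    awk -v want="$2" '/sshd\[[0-9]+\]: Failed password for/ {
        # the username is the field right before "from", whether or not
        # sshd prefixed it with "illegal user" / "invalid user"
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
        sub(/^::ffff:/, "", ip)
        if (ip == want) print user
    }' "$1" | sort -u
}

# flag_bruteforce LOGFILE THRESHOLD -> sources with at least THRESHOLD failures
flag_bruteforce() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "failed password attempts per source:"
failed_by_source "$SAMPLE_LOG"
for ip in $(flag_bruteforce "$SAMPLE_LOG" 5); do
    echo "brute force candidate $ip tried users: $(echo $(users_tried "$SAMPLE_LOG" "$ip"))"
done
```

Run it against the real file with `failed_by_source /var/log/messages`; the list of flagged sources is what you would feed into a block list, and the username list tells you whether the attacker is guessing service accounts (patrick, test, www, cyrus) or targeting root specifically.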
 
Old 04-22-2005, 01:01 PM   #2
nilleso
Member
 
Registered: Nov 2004
Location: ON, CANADA
Distribution: ubuntu, RHAS, and other unmentionables
Posts: 372

Rep: Reputation: 31
A simple fix, and a way to block unwanted intruders at the IP level BEFORE they get a chance to start banging away at password checks, is to edit your /etc/hosts.allow to something like:

sshd:192.168.1. #allows 192.168.1.0-255
sshd:xxx.xxx.xxx.xxx #some other addr
sshd:xxx.xxx.xxx.xxx #another allowed addr
all:all:deny #deny everyone else

That will deny ssh connection attempts from all unwanted IPs (although you will still log that it was blocked, which is good).

You also want to add the following line to /etc/hosts.deny
all:all

This blocks all other service/IP address pairs not listed in hosts.allow.
There are many other ways to harden your box from outside attempts but this is a quick, easy, and functional one to get you started.

cheers
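Before relying on a hosts.allow like the one above it is worth checking what tcpd will actually decide for a given daemon and client. The script below is an added example, not from the post: a small simulator of the hosts_access(5) evaluation order (first match in hosts.allow wins, then first match in hosts.deny, otherwise access is granted), covering only the forms the post uses, namely daemon names, ALL, exact addresses, trailing-dot network prefixes and the allow/deny option. The two files it reads are constructed here; 203.0.113.10 stands in for the post's xxx.xxx.xxx.xxx placeholders.

```shell
#!/bin/sh
# Added example: simulate tcpd's hosts.allow / hosts.deny decision for one
# (daemon, client) pair. Constructed input files, modelled on the post's rules.
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
cat > "$ALLOW_FILE" <<'EOF'
sshd:192.168.1. #allows 192.168.1.0-255
sshd:203.0.113.10 #some other addr (assumed, documentation range)
all:all:deny #deny everyone else
EOF
printf 'all:all\n' > "$DENY_FILE"

# tcpd_decision DAEMON CLIENT_IP HOSTS_ALLOW HOSTS_DENY -> prints allow|deny
tcpd_decision() {
    awk -v daemon="$1" -v client="$2" '
    # does any pattern in a daemon_list or client_list match item?
    function list_match(list, item,    n, parts, i, p) {
        n = split(list, parts, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            if (p == "") continue
            if (tolower(p) == "all") return 1                 # wildcard
            if (p == item) return 1                            # exact name or address
            if (p ~ /\.$/ && index(item, p) == 1) return 1     # "192.168.1." prefix
        }
        return 0
    }
    {
        sub(/#.*/, "")                                         # strip comments
        if ($0 ~ /^[ \t]*$/) next
        n = split($0, f, ":")
        if (n < 2) next
        if (!list_match(f[1], daemon) || !list_match(f[2], client)) next
        # first matching line wins; an explicit allow/deny option overrides
        # the file default (a hosts.allow match grants, a hosts.deny match refuses)
        opt = (n >= 3) ? tolower(f[3]) : ""
        gsub(/[ \t]/, "", opt)
        if (opt == "deny")       verdict = "deny"
        else if (opt == "allow") verdict = "allow"
        else                     verdict = (FILENAME == ARGV[1]) ? "allow" : "deny"
        print verdict; decided = 1; exit
    }
    END { if (!decided) print "allow" }                       # no match anywhere: granted
    ' "$3" "$4"
}

echo "sshd from LAN host:      $(tcpd_decision sshd 192.168.1.5   "$ALLOW_FILE" "$DENY_FILE")"
echo "sshd from the attacker:  $(tcpd_decision sshd 61.71.120.170 "$ALLOW_FILE" "$DENY_FILE")"
echo "ftpd from LAN host:      $(tcpd_decision ftpd 192.168.1.5   "$ALLOW_FILE" "$DENY_FILE")"
```

The third line is the one to notice: because `all:all:deny` sits in hosts.allow and is evaluated before hosts.deny, every service not explicitly listed above it is refused even from the LAN, which is what the post intends but is easy to forget when you later add a daemon. Two caveats the simulator does not cover: real tcpd also matches hostnames, `EXCEPT` lists and `net/mask` forms, and wrappers only protect a daemon that consults them (run `ldd "$(command -v sshd)" | grep libwrap` to confirm; OpenSSH dropped its built-in libwrap support in 6.7, so on current systems the firewall, not hosts.allow, is what keeps port 22 closed).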
 
Old 04-22-2005, 01:56 PM   #3
marvin00001
Member
 
Registered: Apr 2005
Posts: 59

Rep: Reputation: 15
Let's have a look at your iptables rules...

An effective firewall works with explicit rules and doesn't allow anything into the LAN unless otherwise explicitly configured: drop all incoming packets...

Please post your rules
 
Old 04-22-2005, 04:03 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Here they go: iptables -vnL

Chain INPUT (policy ACCEPT 35251 packets, 19M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 609K packets, 506M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 38444 packets, 8537K bytes)
pkts bytes target prot opt in out source destination

Chain ftp_rule (0 references)
pkts bytes target prot opt in out source destination

Sludge:~ # iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 23303 packets, 2272K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 185 packets, 11252 bytes)
pkts bytes target prot opt in out source destination
12650 815K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1237 packets, 75799 bytes)
pkts bytes target prot opt in out source destination

There you have it. I don't think that I am even blocking anything!


Can one of you give me a decent yet secure IPTABLES ruleset that will block everything from outside my LAN (Internet) and allow ftp downloads etc. from inside my LAN? Another question that I have is about TCP wrappers in relation to IPTABLES: are they the same?
 
Old 04-22-2005, 06:58 PM   #5
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slackware 14.2
Posts: 849

Rep: Reputation: 33
Move SSH's port from 22 to something else. That will help to thwart attacks. I had the same problem. I've yet to get an attack like this since I altered the port.
 
Old 04-22-2005, 07:43 PM   #6
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I don't have inetd turned on. I use the SUSE 9.0 distro, by the way. So sight is coming along!
 
All times are GMT -5. The time now is 05:44 AM.