LinuxQuestions.org > Forums > Linux Forums > Linux - Security
11-18-2010, 12:38 AM   #1
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Rep: Reputation: 0
Breakin attempt? Normal?


Hi,

I have been facing the same brute-force attack problem for the last 3 days that ssfrstlstnm faced.
I read the steps provided by Capt_Caveman.

I have a query:
Currently I am accessing my server with the root account.
After setting PermitRootLogin to no, will I be able to log in as root?

If I will not be able to, what do I have to do to get root access?

I am a newbie with this type of issue.
Please help me...
Waiting for your response.
 
11-18-2010, 01:46 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by namrata shah
Hi,

I have been facing the same brute-force attack problem for the last 3 days that ssfrstlstnm faced.
I read the steps provided by Capt_Caveman.

I have a query:
Currently I am accessing my server with the root account.
After setting PermitRootLogin to no, will I be able to log in as root?

If I will not be able to, what do I have to do to get root access?

I am a newbie with this type of issue.
Please help me...
Waiting for your response.
Given the post immediately previous to yours, you should have realised that a better approach to this would have been to start a new thread (providing a link back to the original thread with a comment something like 'I am having a similar problem to the one described here/link'). As soon as I have posted this, I'll report it and the mods can decide whether splitting this section off is a course of action that they would like to take.

That said:
no root logins is not the same as no root access

You would need to ssh in as a normal (non root) user and use su or sudo to get root privileges for tasks that need them. You might want to quickly test that you can make this approach work before you do anything dramatic.

There are two advantages:
  • your non-root user name should not be (up to you to think about this further) on the list of the ~30 most used 'crack attempt login names'
  • someone who does get in as an ordinary user still hasn't got the powers to do the really bad stuff until they manage to crack another password. Provided the ordinary user and root both use strong passwords, this should not happen, particularly if you have a mechanism for checking log files frequently

Also, re the original problem, you may want to read this.

This problem is pretty much the 'trying the door handles' of the world of exploits, and you really need to have a strategy in place to ensure that you are secure.
 
1 member found this post helpful.
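An added example, not part of salasi's post or anything else in this thread, to go with the "checking log files frequently" point above: a small POSIX shell script that pulls the failed sshd password attempts out of an auth.log-style file and tallies them per source address and per account name tried, so the "most used crack attempt login names" and the busiest guesser show up directly. The log lines embedded in it are constructed for the example, not taken from the thread; the hostname "host", the account "alice" and the log paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Tally failed sshd password attempts from an auth.log-style file.
# Usage: sh sshd_failures.sh /var/log/auth.log     (Debian/Ubuntu)
#        sh sshd_failures.sh /var/log/secure       (RHEL/CentOS/Fedora)
# With no argument it runs against the constructed sample below.

# Constructed sample log lines (made up for this example, not from a real host):
# two addresses guessing passwords for common account names, one genuine key
# login, and an "Invalid user" line that carries no password attempt.
SAMPLE_LOG='Nov 18 00:01:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 18 00:01:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov 18 00:01:09 host sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40141 ssh2
Nov 18 00:01:12 host sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 40150 ssh2
Nov 18 00:02:33 host sshd[2140]: Failed password for root from 203.0.113.25 port 51234 ssh2
Nov 18 00:02:36 host sshd[2142]: Failed password for invalid user test from 203.0.113.25 port 51240 ssh2
Nov 18 00:03:01 host sshd[2160]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Nov 18 00:03:40 host sshd[2170]: Invalid user postgres from 203.0.113.25'

# Write the constructed sample to a temp file and print its path.
sample_log_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Failed password attempts per source address, most active first.
# Both "Failed password for root from X" and "Failed password for invalid
# user admin from X" match; the word after "from" is the address.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# Failed password attempts per account name tried; the word before "from".
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i-1)]++; break }
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# Total number of failed password attempts.
count_failed() {
    grep -c 'sshd\[[0-9]*\]: Failed password for ' "$1"
}

# Address with the most failures (first line of failed_by_ip).
top_attacker() {
    failed_by_ip "$1" | awk 'NR == 1 { print $2 }'
}

report() {
    echo "Failed password attempts: $(count_failed "$1")"
    echo "Per source address:";  failed_by_ip "$1"
    echo "Per account name tried:"; failed_by_user "$1"
    echo "Busiest source: $(top_attacker "$1")"
}

if [ $# -eq 0 ]; then
    f=$(sample_log_file); report "$f"; rm -f "$f"
else
    report "$1"
fi
```

Seeing root at the top of the per-account list while every attempt fails is exactly the "trying the door handles" pattern salasi describes; the per-address list is what you would feed into a firewall rule or a tool like fail2ban if you decide to block rather than just watch.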
11-18-2010, 03:27 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Moved: your post is more suitable in its own thread (the original thread was a couple of years old) and has been moved accordingly to help your thread/question get the exposure it deserves.
 
11-18-2010, 06:26 AM   #4
crxssi
Member
 
Registered: Apr 2005
Location: USA
Distribution: Mageia,Fedora,RHEL,CentOS
Posts: 95

Rep: Reputation: 16
I was notified of a change to this thread with this:

"I am facing the same problem of bruteforce attack from last 3 days which was faced by ssfrstlstnm.
I read the steps provided by Capt_Caveman"

And see no such message here...

Last edited by crxssi; 11-18-2010 at 06:36 AM. Reason: confused
 
11-18-2010, 07:07 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by crxssi
I was notified of a change to this thread with this:

"I am facing the same problem of bruteforce attack from last 3 days which was faced by ssfrstlstnm.
I read the steps provided by Capt_Caveman"

And see no such message here...

Check the post immediately above yours. UnSpawn linked to the messages the OP referred to.
 
11-19-2010, 12:21 AM   #6
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Hi salasi & crxssi,

I am sorry for my mistake.
 
11-19-2010, 01:06 AM   #7
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Hi Salasi,

Thanks for replying.
I got your point.

I have done this:
1. Created a new normal user account with a strong username and password.
2. SSHed in as the normal user.
3. Used the su command to get root privileges.
4. Executed some commands at the # command-line prompt, like mkdir, and tried updating files.
Those ran fine.

Now, should I go ahead and set PermitRootLogin to no?
I mean, will it be an optimal solution?

I am referring to the link you gave about "Defending against brute force ssh attacks".

Thanks again.
Namrata Shah
 
11-19-2010, 01:54 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 681
Two things I always do for ssh: use AllowUsers in sshd_config to restrict logins to only the users specified (other system users are also brute-force targets), and use PKI authentication only, which will protect you against username/password brute-force attacks.
Another thing to try is changing the port listened on. This will reduce the number of script-kiddie attacks, making more serious threats stand out.
Also double-check that only ssh version 2 connections are allowed.
 
1 member found this post helpful.
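An added example to go with the settings jschiwal lists (not his code, and not taken from anywhere in the thread): a shell audit of an sshd_config that reports whether PermitRootLogin, PasswordAuthentication, Protocol, AllowUsers and Port are set the way the thread recommends, reading the first occurrence of each keyword the way sshd does. Two constructed configs are embedded, a weak "as shipped" one and a hardened one; the account name adminuser and the alternate port 2222 in them are placeholders, and Match blocks are deliberately not handled.

```shell
#!/bin/sh
# Audit an sshd_config for the settings discussed in this thread.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
# With no argument it audits the two constructed configs below.
# sshd honours the FIRST occurrence of a keyword, so that is what is read;
# settings inside Match blocks are not handled.

# Constructed "as shipped" style config (not from the thread):
WEAK_CONFIG='Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers
X11Forwarding no'

# Constructed hardened config applying the thread's advice; "adminuser" and
# port 2222 are placeholders:
HARDENED_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers adminuser'

write_tmp() {            # write $1 to a temp file, print its path
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}
weak_config_file()     { write_tmp "$WEAK_CONFIG"; }
hardened_config_file() { write_tmp "$HARDENED_CONFIG"; }

# Effective value of keyword $2 in config $1 (case-insensitive, first match
# wins, commented lines never match). Prints nothing if it is not set.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Print one WARN/INFO line per finding.
audit_sshd_config() {
    cfg="$1"

    root=$(sshd_opt "$cfg" PermitRootLogin)
    [ "$root" = "no" ] ||
        echo "WARN PermitRootLogin is '${root:-unset}'; set it to 'no' and log in as a normal user, then su/sudo"

    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] ||
        echo "WARN PasswordAuthentication is '${pw:-unset}' (sshd defaults to yes); with key-only login a password guesser cannot get in"

    proto=$(sshd_opt "$cfg" Protocol)
    case "$proto" in
        2)   ;;
        "")  echo "WARN Protocol not set; set 'Protocol 2' explicitly (OpenSSH 7.4+ dropped SSH-1 and ignores the keyword)" ;;
        *1*) echo "WARN Protocol '$proto' still offers SSH-1; use 'Protocol 2'" ;;
        *)   echo "WARN Protocol is '$proto'; expected '2'" ;;
    esac

    users=$(sshd_opt "$cfg" AllowUsers)
    [ -n "$users" ] ||
        echo "WARN AllowUsers not set; every account on the box is a brute-force target"

    port=$(sshd_opt "$cfg" Port)
    [ "${port:-22}" != "22" ] ||
        echo "INFO Port 22; moving the port cuts scanner noise but is not a security control by itself"
}

# Number of WARN findings for config $1.
warning_count() {
    audit_sshd_config "$1" | awk '/^WARN/ { c++ } END { print c + 0 }'
}

if [ $# -eq 0 ]; then
    w=$(weak_config_file); h=$(hardened_config_file)
    echo "== constructed weak config: $(warning_count "$w") warning(s) =="; audit_sshd_config "$w"
    echo "== constructed hardened config: $(warning_count "$h") warning(s) =="; audit_sshd_config "$h"
    rm -f "$w" "$h"
else
    audit_sshd_config "$1"
fi
```

Run it against /etc/ssh/sshd_config before and after editing, and keep the existing session open while you restart sshd and test a fresh login from a second terminal, so a typo in AllowUsers or a missing key cannot lock you out.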
11-19-2010, 03:39 AM   #9
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by namrata shah
....Now, should I go ahead and set PermitRootLogin to no?
I mean, will it be an optimal solution?
To the first part, yes. You have determined that you can work without root login, so now you need to make sure that the bad guys cannot login as root.

@jschiwal
Quote:
...Another thing to try is changing the port listened for...
The issue of the various countermeasures that one could take is discussed in some detail in the link given in post #2 (samhain). IMHO, that is a clear exposition of the advantages and disadvantages of different approaches, but the urgent thing to do was to get the OP into a better position than pertained at the start of the thread.

What is optimum/best recommended depends to an extent on how good/how industrious you are with security generally; if you are, let's say, laissez-faire with ongoing security stuff, like checking logs, you had better take very strong measures to start with, because you are not going to get full value out of some of the features of your system.

Equally, some people get unreasonably exercised (*) about script-kiddie failed 'try the door handles' stuff turning up in their logs; if you are one of those, just switching the port might not be for you, and you might want to go down either the 'port knocking' or the 'passwordless' route to give you a very, very robust solution.

(*) I wrote 'unreasonably exercised' for a couple of reasons:
stuff like evidence of a blocked script kiddie attempt is just that; someone tried the obvious and they failed. Knowing that someone failed isn't exactly bad news, and you'd rather know than not know.
It might look like better security to be not getting those traces in log files, and some people obsess about that, but real security is something else. Clean logfiles, by and of themselves, aren't security, they are just an obsession with housekeeping.
 
1 member found this post helpful.
11-22-2010, 12:09 AM   #10
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Hi,

1. I ssh in as a non-root user.
2. Then I use the su command to get root access.
3. I am able to edit any files,
4. but I am not able to start/stop any services like sshd or httpd.

Do you know what could be the cause?

Thanks.
 
11-22-2010, 08:09 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by namrata shah
Do you know what could be the cause?
No, but then you haven't told us anything really useful about this new problem.

You haven't told us how you are starting and stopping services (exactly what command), and you probably need to add which distro of Linux (assuming that it is a distro of Linux, rather than, say, a BSD) you are using. What happens? Do you get an error message? What does it say?

Please try the command 'whoami' to check that you are really root. Any error messages showing up in, eg, dmesg or in a log file?
 
1 member found this post helpful.
11-22-2010, 11:27 PM   #12
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Hey,
I don't know what the problem was, but right now it runs fine.
FYI, the o/p of the whoami command was root.

I have set PermitRootLogin to no
and updated sshd_config by specifying the non-root user name for the AllowUsers criterion.
 
11-22-2010, 11:54 PM   #13
namrata shah
LQ Newbie
 
Registered: Nov 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks a lot Salasi.

I am going to configure RSA authentication but have some queries. Could you please help me?
As per the link you gave, RSA authentication has the following steps:

1. Generate an RSA key with ssh-keygen -t rsa. This will create the two files /home/username/.ssh/id_rsa (the private key) and /home/username/.ssh/id_rsa.pub (the public key).
[I got this point.]

[Now, I am accessing my server using PuTTY from a Windows-based machine.]

2. On each machine to which you want to log in, put /home/username/.ssh/id_rsa.pub into /home/username/.ssh/authorized_keys.

[For the above point, I got that I have to put the public key under the specified location on my server.]

3. On each machine from which you want to log in, place the file /home/username/.ssh/id_rsa into the directory /home/username/.ssh/.

[For this point, as I have a Windows-based machine and need to access the server from this machine only, where can I place the private key?]

Maybe this is a silly question but I have no idea.
Help me please.

Thanks.
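An added example, not the OP's or salasi's, for the server side of step 2 in the procedure quoted above: a shell function that installs a public key line into ~/.ssh/authorized_keys with the permissions sshd's default StrictModes insists on, appends it only once, and refuses anything that does not look like a public key line, which catches the common mistake of uploading id_rsa instead of id_rsa.pub. The key line embedded is constructed and is not a real key; the home directory used in the demo is a temporary one, and the account "alice" in the key comment is a placeholder. Step 3 is the client side: the private key stays on the machine you log in from and is never copied to the server (with PuTTY on Windows that means importing id_rsa into PuTTYgen and saving it as a .ppk for PuTTY to use).

```shell
#!/bin/sh
# Server side of key-based login: install a public key into
# ~/.ssh/authorized_keys with the permissions sshd (StrictModes yes, the
# default) requires, without duplicating it, and without accepting a private
# key by mistake. The private key (id_rsa, or a .ppk made from it with
# PuTTYgen) stays on the client and is never copied to the server.
# Usage: sh install_pubkey.sh /home/username "$(cat id_rsa.pub)"
# With no arguments it runs against a temporary directory using the
# constructed key line below.

# Constructed key line for the example; this is NOT a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterialNotARealKey0123456789abcdef== alice@workstation'

# True if $1 looks like an OpenSSH public key line: key type, base64 blob,
# optional comment. A pasted "-----BEGIN ... PRIVATE KEY-----" fails this.
valid_pubkey() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:space:]].*)?$'
}

# Permission string as ls shows it, e.g. drwx------ (portable across stat variants).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Number of key lines installed under home directory $1.
key_count() {
    awk 'END { print NR }' "$1/.ssh/authorized_keys"
}

# install_pubkey HOME_DIR "PUBKEY LINE"
install_pubkey() {
    home="$1"; key="$2"
    if ! valid_pubkey "$key"; then
        echo "refusing: not a public key line (did you paste id_rsa instead of id_rsa.pub?)" >&2
        return 1
    fi
    dir="$home/.ssh"; ak="$dir/authorized_keys"
    # StrictModes makes sshd silently ignore authorized_keys if ~, ~/.ssh or
    # the file itself is writable by group/others, so fix permissions first.
    chmod go-w "$home" || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    if grep -qxF -- "$key" "$ak"; then
        echo "already present in $ak"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "installed into $ak"
    fi
}

if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    install_pubkey "$demo" "$SAMPLE_PUBKEY"
    install_pubkey "$demo" "$SAMPLE_PUBKEY"                 # second call is a no-op
    echo "$(perm_string "$demo/.ssh") $demo/.ssh"
    echo "$(perm_string "$demo/.ssh/authorized_keys") $demo/.ssh/authorized_keys ($(key_count "$demo") key)"
    install_pubkey "$demo" '-----BEGIN RSA PRIVATE KEY-----' || true   # rejected
    rm -rf "$demo"
elif [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
else
    echo "usage: $0 HOME_DIR \"PUBKEY LINE\"" >&2; exit 2
fi
```

Only after a key login from the client works should PasswordAuthentication be switched to no; until then keep the password path open, or a bad permission bit on ~/.ssh will leave you locked out with sshd giving no hint in the client's error message.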
 
  

