LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-14-2006, 03:04 PM   #1
frzburn
Member
 
Registered: Feb 2004
Location: Canada
Distribution: FreeBSD
Posts: 38

Rep: Reputation: 15
Got attacked or I don't know what... What should I do?


I was updating my system with emerge, so I went to read a little bit. When I came back 45 minutes later to check how it was going, my system had rebooted.
I checked the log, and the last inputs before the system reboot were all like this one:
Code:
Mar 14 14:55:41 MetalGear sshd[2911]: Invalid user oracle from 218.38.18.28
And now, maybe it isn't related to these attacks but to the reboot while emerging, but each time I log on, with any user, I get this output:
Code:
configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
configuration error - unknown item 'MOTD_FILE' (notify administrator)
configuration error - unknown item 'FTMP_FILE' (notify administrator)
configuration error - unknown item 'ENV_ROOTPATH' (notify administrator)
configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
configuration error - unknown item 'CHFN_AUTH' (notify administrator)
Here's a part of the log about these attacks (got it with cat /var/log/messages | grep "Invalid user"). It's just a small part of the output as there's just too much.
Code:
Feb 20 09:36:32 MetalGear sshd[24294]: Invalid user linux from 212.249.5.243
Feb 20 09:14:47 MetalGear sshd[21168]: Invalid user adan from 218.28.168.85
Feb 20 09:15:21 MetalGear sshd[21279]: Invalid user adelbert from 218.28.168.85
Feb 20 09:15:26 MetalGear sshd[21304]: Invalid user adham from 218.28.168.85
Feb 20 09:15:32 MetalGear sshd[21309]: Invalid user adlai from 218.28.168.85
Feb 20 09:15:37 MetalGear sshd[21314]: Invalid user adler from 218.28.168.85
Feb 20 09:21:06 MetalGear sshd[22499]: Invalid user a from 212.249.5.243
Feb 20 09:21:12 MetalGear sshd[22505]: Invalid user b from 212.249.5.243
Feb 20 09:37:09 MetalGear sshd[24459]: Invalid user passwd from 212.249.5.243
Feb 20 09:37:11 MetalGear sshd[24464]: Invalid user change from 212.249.5.243
Feb 20 09:37:13 MetalGear sshd[24469]: Invalid user mwyatt from 212.249.5.243
Feb 20 09:37:22 MetalGear sshd[24484]: Invalid user vcsa from 212.249.5.243
Mar 13 13:09:38 MetalGear sshd[9315]: Invalid user test from 66.232.8.37
Mar 13 13:09:39 MetalGear sshd[9320]: Invalid user guest from 66.232.8.37
Mar 13 13:09:41 MetalGear sshd[9325]: Invalid user admin from 66.232.8.37
Mar 13 13:09:46 MetalGear sshd[9330]: Invalid user admin from 66.232.8.37
Mar 13 13:09:47 MetalGear sshd[9335]: Invalid user user from 66.232.8.37
Mar 13 13:09:55 MetalGear sshd[9355]: Invalid user test from 66.232.8.37
Mar 14 13:06:08 MetalGear sshd[21064]: Invalid user staff from 211.239.154.87
Mar 14 13:06:10 MetalGear sshd[21098]: Invalid user sales from 211.239.154.87
Mar 14 13:06:28 MetalGear sshd[21355]: Invalid user webadmin from 211.239.154.87
I've got 1940 of those entries since Feb 20 :S And it's not always the same IP address...

Now, what can I do with this?
 
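The grep above only lists the lines; what a defender usually wants from 1940 of them is a per-source summary (how many attempts, how many usernames tried, over what time span) to decide which addresses to hand to a blocking tool. The following is an added example, not code from the thread: it parses the exact sshd line format shown above, with sample lines copied from the extract plus one constructed non-matching line to show that other sshd messages are ignored.

```python
import re
from datetime import datetime

# Matches the sshd lines in the thread's /var/log/messages extract, e.g.
# "Mar 14 14:55:41 MetalGear sshd[2911]: Invalid user oracle from 218.38.18.28"
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Lines copied from the thread's extract, plus one constructed non-matching line.
SAMPLE_LOG = """\
Feb 20 09:14:47 MetalGear sshd[21168]: Invalid user adan from 218.28.168.85
Feb 20 09:15:21 MetalGear sshd[21279]: Invalid user adelbert from 218.28.168.85
Feb 20 09:15:26 MetalGear sshd[21304]: Invalid user adham from 218.28.168.85
Feb 20 09:21:06 MetalGear sshd[22499]: Invalid user a from 212.249.5.243
Feb 20 09:21:12 MetalGear sshd[22505]: Invalid user b from 212.249.5.243
Feb 20 09:36:32 MetalGear sshd[24294]: Invalid user linux from 212.249.5.243
Mar 13 13:09:41 MetalGear sshd[9325]: Invalid user admin from 66.232.8.37
Mar 13 13:09:46 MetalGear sshd[9330]: Invalid user admin from 66.232.8.37
Mar 14 14:55:41 MetalGear sshd[2911]: Invalid user oracle from 218.38.18.28
Mar 14 14:57:10 MetalGear sshd[2940]: Did not receive identification string from 10.0.0.5
"""

def parse_invalid_users(text):
    """Yield (timestamp, user, ip) for each 'Invalid user' line; skip everything else."""
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")

def summarize_by_ip(text, year=2006):
    """Per source IP: attempt count, distinct usernames, first and last seen.
    syslog stamps carry no year, so one is assumed (the thread is from 2006)."""
    stats = {}
    for ts, user, ip in parse_invalid_users(text):
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "first": when, "last": when})
        s["attempts"] += 1
        s["users"].add(user)
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return stats

def repeat_offenders(stats, min_attempts=3):
    """IPs with at least min_attempts failures, busiest first: the candidates a
    denyhosts/pam_abl-style tool or an iptables DROP rule would act on."""
    return sorted((ip for ip, s in stats.items() if s["attempts"] >= min_attempts),
                  key=lambda ip: (-stats[ip]["attempts"], ip))
```

On the real system, feed it the whole file with summarize_by_ip(open("/var/log/messages").read()); the per-IP "first"/"last" span distinguishes a single dictionary sweep from an address that keeps coming back.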
Old 03-14-2006, 03:19 PM   #2
Flyen
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora 5 and CentOS 4
Posts: 21

Rep: Reputation: 15
re: the /var/log/messages | grep "Invalid user" stuff

Those attacks are fairly common. You could try a program like denyhosts or pam_abl
http://www.hexten.net/pam_abl/

pam_abl is probably the better solution..
 
Old 03-14-2006, 03:33 PM   #3
frzburn
Member
 
Registered: Feb 2004
Location: Canada
Distribution: FreeBSD
Posts: 38

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Flyen
re: the /var/log/messages | grep "Invalid user" stuff

Those attacks are fairly common. You could try a program like denyhosts or pam_abl
http://www.hexten.net/pam_abl/

pam_abl is probably the better solution..
OK, so it's nothing I should really care about?
 
Old 03-14-2006, 03:49 PM   #4
Flyen
LQ Newbie
 
Registered: Apr 2004
Distribution: Fedora 5 and CentOS 4
Posts: 21

Rep: Reputation: 15
Nope. Not unless you use weak passwords or your system had an open vulnerability before you updated.
 
Old 03-14-2006, 05:17 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The FAILLOG_ENAB is a signature for probs in /etc/login.defs. Please make sure it is used (wrt PAM) and the syntax is correct before you decide to disable anything. In addition to what Flyen already said for ssh brute forcing, a lot of people will offer the advice to move ssh to another port, but that does not strengthen your system. You might also want to read the sticky thread "Failed SSH login attempts" in this forum for ways to drop attempts by any repeat offenders.
 
Old 03-14-2006, 10:19 PM   #6
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Rep: Reputation: 15
Just a quick note: you could configure iptables to just drop packets to the SSH port from any IP addresses except addresses you know to be valid.

NOTE: obviously if you are on DHCP then this could be a problem when your IP address changes.
 
Old 03-15-2006, 04:08 PM   #7
frzburn
Member
 
Registered: Feb 2004
Location: Canada
Distribution: FreeBSD
Posts: 38

Original Poster
Rep: Reputation: 15
OK... So I don't use any weak passwords, I've got a firewall (on my router) blocking all ports except those I need (and I do have fixed IPs), and I need to ssh to my computer from various, undetermined locations.
So I guess I'll just leave it as is.

Thanks!
 
Old 03-15-2006, 04:16 PM   #8
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Rep: Reputation: 15
You could also use public key authentication for ssl. Then, in order to connect, you must have the correct key on the machine. This happens even before usernames/passwords are entered, so disallowed users would not even see password prompts and get a chance to try passwords.

See ssh-keygen, sshd manpages

See /etc/ssh/sshd_config


Krasl
 
Old 03-15-2006, 11:15 PM   #9
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

Rep: Reputation: 30
You can also change the port used on the ssh server to be something other than 22. Doing that prevents a lot of these bot programs.
 
All times are GMT -5. The time now is 04:28 PM.