Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OK, so a little history first. Just got this Samsung Galaxy S3 and thought I'd be great to now be able to access my home desktop while on the go.
After going some research (probably should have done more), I found out how I could access my desktop from an external network (AP or 3G) while on the road.
I forwarded port 22 on my router to my desktop PC and was then able to SSH into my desktop from the S3. Mind you, I did not set up SSH to use keys as I was not quite sure how it could be done from the S3 also. So I would log in with my username and supply my password.
I'll admit, I did have intentions of disabling all of this after testing but just completely forgot about it. Been playing with the S3 for all of the last two weeks. So port 22 remained open on the router.
While working at the console just now, I got a weird command line that I did not type. It was a search term I had entered on the S3 while browsing from it. Mind you, I'm now permanently logged in to Google Services.
I immediately closed the port and checked my auth.log file and found these:
Code:
Dec 29 11:04:31 <hostname> sshd[25639]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:31 <hostname> sshd[25639]: Invalid user anonymous from 218.60.8.228
Dec 29 11:04:31 <hostname> sshd[25639]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:31 <hostname> sshd[25639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:04:33 <hostname> sshd[25639]: Failed password for invalid user anonymous from 218.60.8.228 port 36665 ssh2
Dec 29 11:04:41 <hostname> sshd[25642]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:41 <hostname> sshd[25642]: Invalid user passwd from 218.60.8.228
Dec 29 11:04:41 <hostname> sshd[25642]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:41 <hostname> sshd[25642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:04:43 <hostname> sshd[25642]: Failed password for invalid user passwd from 218.60.8.228 port 38522 ssh2
Dec 29 11:04:47 <hostname> sshd[25644]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:47 <hostname> sshd[25644]: Invalid user chuck from 218.60.8.228
Dec 29 11:04:47 <hostname> sshd[25644]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:47 <hostname> sshd[25644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:04:49 <hostname> sshd[25644]: Failed password for invalid user chuck from 218.60.8.228 port 40368 ssh2
Dec 29 11:04:57 <hostname> sshd[25646]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:57 <hostname> sshd[25646]: Invalid user darkman from 218.60.8.228
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:04:58 <hostname> sshd[25646]: Failed password for invalid user darkman from 218.60.8.228 port 41586 ssh2
Dec 29 11:05:07 <hostname> sshd[25648]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:05:07 <hostname> sshd[25648]: Invalid user hostmaster from 218.60.8.228
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:05:09 <hostname> sshd[25648]: Failed password for invalid user hostmaster from 218.60.8.228 port 43211 ssh2
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session closed for user root
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session closed for user smmsp
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session closed for user smmsp
Dec 29 11:04:57 <hostname> sshd[25646]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:04:57 <hostname> sshd[25646]: Invalid user darkman from 218.60.8.228
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:04:57 <hostname> sshd[25646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:04:58 <hostname> sshd[25646]: Failed password for invalid user darkman from 218.60.8.228 port 41586 ssh2
Dec 29 11:05:07 <hostname> sshd[25648]: Address 218.60.8.228 maps to cncln.online.ln.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 29 11:05:07 <hostname> sshd[25648]: Invalid user hostmaster from 218.60.8.228
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): check pass; user unknown
Dec 29 11:05:07 <hostname> sshd[25648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.60.8.228
Dec 29 11:05:09 <hostname> sshd[25648]: Failed password for invalid user hostmaster from 218.60.8.228 port 43211 ssh2
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 11:17:01 <hostname> CRON[25661]: pam_unix(cron:session): session closed for user root
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:20:01 <hostname> CRON[25670]: pam_unix(cron:session): session closed for user smmsp
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 11:40:01 <hostname> CRON[25717]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:00:01 <hostname> CRON[25761]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:17:01 <hostname> CRON[25801]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 12:17:01 <hostname> CRON[25801]: pam_unix(cron:session): session closed for user root
Dec 29 12:20:01 <hostname> CRON[25810]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:20:01 <hostname> CRON[25810]: pam_unix(cron:session): session closed for user smmsp
Dec 29 12:40:01 <hostname> CRON[25858]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 12:40:01 <hostname> CRON[25858]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:00:01 <hostname> CRON[25901]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:00:01 <hostname> CRON[25901]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:17:01 <hostname> CRON[25941]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 13:17:01 <hostname> CRON[25941]: pam_unix(cron:session): session closed for user root
Dec 29 13:20:01 <hostname> CRON[25950]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:20:01 <hostname> CRON[25950]: pam_unix(cron:session): session closed for user smmsp
Dec 29 13:40:01 <hostname> CRON[25996]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 13:40:01 <hostname> CRON[25996]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:00:01 <hostname> CRON[26040]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:00:01 <hostname> CRON[26040]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:17:01 <hostname> CRON[26080]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 14:17:01 <hostname> CRON[26080]: pam_unix(cron:session): session closed for user root
Dec 29 14:20:01 <hostname> CRON[26088]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:20:01 <hostname> CRON[26088]: pam_unix(cron:session): session closed for user smmsp
Dec 29 14:40:01 <hostname> CRON[26164]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 14:40:01 <hostname> CRON[26164]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:00:02 <hostname> CRON[26276]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:00:02 <hostname> CRON[26276]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:17:01 <hostname> CRON[26322]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 29 15:17:01 <hostname> CRON[26322]: pam_unix(cron:session): session closed for user root
Dec 29 15:20:01 <hostname> CRON[26331]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:20:01 <hostname> CRON[26331]: pam_unix(cron:session): session closed for user smmsp
Dec 29 15:40:01 <hostname> CRON[26378]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 15:40:01 <hostname> CRON[26378]: pam_unix(cron:session): session closed for user smmsp
Dec 29 16:00:01 <hostname> CRON[26481]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Dec 29 16:00:02 <hostname> CRON[26481]: pam_unix(cron:session): session closed for user smmsp
There were quite of few of these over the last few days, all from different addresses.
My syslog does not show any thing abnormal.
I'm concerned with the fact that the search term showed up on my console may indicated a possible break-in.
What else can I check to see what files, if any may have been modified?
If I want to continue leaving port 22 open, what security measures should I put in place to prevent this in the future?
I'm not too familiar with all the security measures as I'm not an expert in that field.
The logs show a number of login attempts with common usernames. I see the same on my own systems, and they indicate login attempts by some script or commonly available tool. As long as you have strong passwords, you'll be OK.
I'd recommend key-based SSH authentication and/or firewall rules limiting the number of SYN packets from any one host in a given time period, say, 3 attempts in 5 minutes and you're locked out for half an hour. Does wonders for keeping the logs clean.
My concern is now did the search term I mentioned appear at my command prompt. As I said, this was not entered from my PC, but from the Galaxy S3.
Quote:
Originally Posted by Ser Olmy
... and/or firewall rules limiting the number of SYN packets from any one host in a given time period, say, 3 attempts in 5 minutes and you're locked out for half an hour. Does wonders for keeping the logs clean.
I have no idea how to do this. Any quick guide? I' not sure if my wireless router (D-Link DIR-300) has this facility.
Could the search term be a clipboard issue? If you were logged in from the S3, could you inadvertently have pasted data from the S3 clipboard into the SSH session? I don't see how this could indicate that your PC has been compromised, unless the intruder also had access to your Galaxy S3.
Your router probably doesn't support advanced firewall rules, but a Linux system with iptables does. Here's one of several guides showing how the "recent" match criteria can be used to stop brute force attacks.
I've done some checking and realized that the search term was actually entered from my desktop. Duh...guess I went all screwy when I saw it on the console. Woe to me . . .
I've never quite got the whole iptables thing quite clear and so I think it's set to the default on my Debian Squeeze system. The router is Linux-based, so I guess it uses the iptables internally but the advanced features are certainly not exposed in the UI. I did at one point consider re-flashing with dd-wrt but realized it was not worth the risk of bricking it. I remember starting a thread on that a while back.
Well thanks for link, I'll be looking at the whole iptables thing again.
If you expose an SSH server to the world, it WILL get probed for connections. If you expose an SSH server to the world, you have a responsibility to take steps to properly secure it and this security should be done in layers. The biggest thing, hands down, that you can do to secure your SSH server is use key based authentication and I can guarantee you that there is an SSH application for the Galaxy S3 that will use key based authentication as my several years old older Blackberry does.
There is nothing in the portion of the log indicating that the brute force attempts to gain entry were successful. If you see a line saying Accepted password, then you would be in trouble.
On top of that, you could take various steps like locking down the IP range from which you will accept connections, use fail2ban to limit brute force scans, etc. I would recommend reading the sticky thread on securing an SSH server for lots of additional hints.
Thanks to Unspawn and Noway2, I was able to secure a server I having online against such brute force attacks by using iptables and fail2ban.
iptables basically allows you to make rules for any given port (ssh being port 22 typically) and accept or deny traffic from any IP address or subnet you like. Typically, you start by denying access to critical ports (like 22 for SSH) from *everyone* and then adding exceptions. E.g., you can say "always accept connections on port 22 from IP subnet 76.173.91.0/24" which might be useful for granting SSH access to some subnet from which you are likely to connect. Another example would be "allow port 80 connections from 0.0.0.0/0" which would allow the entire world IPv4 address space connect to an HTTP server. In your case, you might establish some DENY rules on your firewall/router to exclude any well-known sources of mischief. You might also set up an ALLOW rule for the IP space that your phone company allocates to its customers' phones.
fail2ban monitors various logs and creates iptables rules to DENY troublemakers. E.g., it might monitor your SSH log and ban remote address who repeatedly attempt logins and fail.
(..) mapped ip addresses (..) hardware firewall, buy one
Given that you've read this thread thoroughly and noticed it was solved ages ago (see post #5), what aspect of the problem the OP talked about would that solve?
Thanks to all for the recommendations. I will certainly implement the ssh keys and look at how I can set the router to accept connections only from anaaddress range.
Given that you've read this thread thoroughly and noticed it was solved ages ago (see post #5), what aspect of the problem the OP talked about would that solve?
I just wanted to say that this is a way to increase the security level! Not a solution at the OP problem!
Sure MAC / IP mapping has its purpose but it deals with LAN-side ARP tricks or lease kidnapping. Given todays threatscape it IMHO wouldn't even come near the top 20 risks 'net users commonly need to guard against in SOHO environments.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
