LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-26-2006, 02:47 PM   #1
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Rep: Reputation: 15
Is this a DoS attack??


Hey guys,

One of my Linux boxes went offline yesterday, and I had to go reset it. Under /var/log/messages I see this.

Sep 25 12:41:56 Host sshd[14191]: reverse mapping checking getaddrinfo for static-ip-.cable.net.co failed - POSSIBLE BREAKIN ATTEMPT!

Every 7-10 seconds I see one of these.

What can I do to stop this??

Is there any other log that I can look at to tell me what processes went down, or anything else? I do not see that they got in, though.


thanks for the help
 
Old 09-26-2006, 03:42 PM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
auth.log is good too on some distros.

You can check on www.ripe.net who the ISP is of the IP / subdomain attacking you and report it to the admin-c and tech-c (that is what RIPE tells you to do).
 
Old 09-26-2006, 03:46 PM   #3
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
There is no auth.log in that system.

Thanks for the info.
 
Old 09-26-2006, 04:31 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
It's not a symptom of a DoS attack... it's more like a brute-force attack (if you're seeing tons of these)... keep in mind also that when you have tons of users logging into your box via SSH it's not strange for many of them to get failed reverse DNS lookups (reverse DNS lookups can be easily disabled in your sshd_config file IIRC)... about how many (legitimate) users are accessing your box via SSH??

Last edited by win32sux; 09-26-2006 at 04:33 PM.
 
Old 09-26-2006, 05:46 PM   #5
xtremeclones
Member
 
Registered: Jan 2006
Posts: 70

Original Poster
Rep: Reputation: 15
OK, so it's a brute-force attack. Yeah, no one is supposed to SSH into this system other than me and another guy, and this happens maybe twice a day.

What preventive steps can I take so that this does not happen again?

I'm running FC3.
 
Old 09-26-2006, 06:48 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by xtremeclones
OK, so it's a brute-force attack. Yeah, no one is supposed to SSH into this system other than me and another guy, and this happens maybe twice a day.

What preventive steps can I take so that this does not happen again?

I'm running FC3.
For starters, see the sticky at the top of the security forum...

Here's a direct link: http://www.linuxquestions.org/questi...d.php?t=340366

Having your SSH daemon listen on a non-standard port will help keep the brute-force attacks down - maybe enough for your satisfaction, and maybe not... the ideal seems to be to install a solution that scans your log and then runs an iptables command to block the IPs of obviously bogus connection attempts... more info in the sticky...
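The "scan the log, then block the source" idea from the reply above, as an added example that is not from the thread or from any of the tools it names. It reads sshd lines in the shape the original poster quoted (the reverse-mapping message, which by itself only means the client's PTR record does not match and is not evidence of a break-in) together with the standard sshd "Failed password" lines, counts failures per source address, and returns the addresses that cross a threshold or try usernames that do not exist on the box, plus the iptables commands an operator could review before running. The log lines, the threshold of 5, and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages extract: one reverse-mapping failure in
# the thread's format, a burst of password failures from 192.0.2.10 against
# accounts that do not exist, and one real user (alice) mistyping once.
SAMPLE_LOG = """\
Sep 25 12:41:56 Host sshd[14191]: reverse mapping checking getaddrinfo for static-ip-.cable.net.co failed - POSSIBLE BREAKIN ATTEMPT!
Sep 25 12:41:57 Host sshd[14191]: Failed password for invalid user admin from 192.0.2.10 port 4402 ssh2
Sep 25 12:42:05 Host sshd[14193]: Failed password for invalid user test from 192.0.2.10 port 4411 ssh2
Sep 25 12:42:13 Host sshd[14195]: Failed password for root from 192.0.2.10 port 4420 ssh2
Sep 25 12:42:21 Host sshd[14197]: Failed password for invalid user oracle from 192.0.2.10 port 4431 ssh2
Sep 25 12:42:29 Host sshd[14199]: Failed password for invalid user guest from 192.0.2.10 port 4440 ssh2
Sep 25 13:10:02 Host sshd[14250]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Sep 25 13:15:44 Host sshd[14261]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Sep 25 13:15:50 Host sshd[14261]: Accepted password for alice from 198.51.100.7 port 51030 ssh2
"""

# "invalid user" is what sshd logs when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
# The thread's message carries only the hostname, so it is counted per host.
REVMAP_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (?P<host>\S+) failed"
)


def summarize(log_text):
    """Count failed logins per source IP, nonexistent usernames tried per IP,
    and reverse-mapping failures per hostname."""
    failed = Counter()
    invalid_users = {}
    revmap = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            if m.group("invalid"):
                invalid_users.setdefault(m.group("ip"), set()).add(m.group("user"))
            continue
        m = REVMAP_RE.search(line)
        if m:
            revmap[m.group("host")] += 1
    return {"failed": failed, "invalid_users": invalid_users, "revmap": revmap}


def suspicious_sources(summary, threshold=5):
    """IPs with at least `threshold` failures, or any attempt against an
    account that does not exist (a real user mistypes a password, not a
    username like 'oracle' on a two-user box)."""
    hits = []
    for ip, count in summary["failed"].items():
        if count >= threshold or summary["invalid_users"].get(ip):
            hits.append(ip)
    return sorted(hits)


def block_commands(ips, port=22):
    """iptables rules that drop further SSH connections from each IP; the
    port argument should match whatever Port sshd_config uses."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port) for ip in ips]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, n in report["revmap"].items():
        print("reverse-mapping failures from %s: %d (informational only)" % (host, n))
    for ip in suspicious_sources(report):
        print("%s: %d failures, nonexistent users tried: %s"
              % (ip, report["failed"][ip], sorted(report["invalid_users"].get(ip, []))))
    for cmd in block_commands(suspicious_sources(report)):
        print(cmd)
```

The rules are printed rather than executed so that an operator can check the list against known addresses (their own, for instance) before inserting anything; a tool such as the one recommended later in the thread automates exactly this loop.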
 
Old 09-27-2006, 12:16 AM   #7
filex
Member
 
Registered: Sep 2004
Posts: 56

Rep: Reputation: 15
Try DENYHOSTS http://denyhosts.sourceforge.net/
 
Old 09-27-2006, 12:30 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
With only two authorized SSH users, it may be easier to add these two names to the AllowUsers entry of the /etc/ssh/sshd_config configuration file. All other users will be denied access. The brute-force attacks will use system user names, root, common names and dictionary names. Denying root and system users access is the first step to reduce the chance of compromise.

There is a "man 5 sshd_config" manpage which will list all of the options.
 
Old 09-27-2006, 02:40 AM   #9
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
You could also set up RSA keys with a passphrase and force the daemon to only accept keys as an authentication method.
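The two previous replies (AllowUsers plus no root login, and key-only authentication) combined into one sshd_config check, as an added example that is not from the thread. It parses a config the way sshd does (keywords are case-insensitive and the first value given for a keyword wins, so a stray later line does not override an earlier one) and reports the settings that still leave password guessing open. Both config fragments are constructed: the permissive one stands in for a stock 2006-era file, and the hardened one applies the thread's advice with the placeholder usernames alice and bob; the compiled-in defaults table reflects OpenSSH of that era and is an assumption for any other version.

```python
import re

# Constructed "before": the sort of defaults a freshly installed box ships with.
WEAK_CONFIG = """\
# sshd_config (constructed sample, permissive)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed "after": only alice and bob may log in, root never, keys only.
# ChallengeResponseAuthentication must also be off, or PAM's
# keyboard-interactive path still accepts a password.  UseDNS no (OpenSSH 3.9
# and later) removes the reverse-mapping lookups that produced the log noise.
HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers alice bob
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
"""

# Values sshd assumes when the file says nothing (assumed for the OpenSSH
# 3.x/4.x generation the thread is about).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; first occurrence of a keyword wins,
    matching sshd's own rule, and '#' lines and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings):
    """List the weaknesses the thread warns about; empty list means clean."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root is the first name every brute-forcer tries")
    if "allowusers" not in settings:
        findings.append("No AllowUsers line: every local account, system ones included, may attempt login")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is still possible")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM keyboard-interactive can still take a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-only login cannot work")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config: %s" % (label, audit(parse_sshd_config(text)) or ["no findings"]))
```

Order of operations matters when applying the hardened fragment to a live box: put both users' public keys in place and confirm a key login works from a second terminal before setting PasswordAuthentication no, and keep that session open across the sshd restart so a typo in the file cannot lock you out. A reverse-mapping failure from a user whose ISP lacks proper PTR records is harmless once UseDNS is off.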
 
  

