Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I think you're looking for something like a honeypot. However, I'd highly recommend running something like that on a dedicated system, as allowing unauthorized users to have access to your system, even if it's a virtual one, is a really bad idea. Even if running a dedicated honeypot, you should be very comfortable with Linux and have a good idea of what you're doing beforehand.
Originally posted by e_larkin
Here is my logwatch output and this is pretty standard every single day!
Failed logins from these:
admin/password from 200.181.46.200: 2 Time(s)
guest/password from 200.181.46.200: 1 Time(s)
guest/password from 200.206.182.38: 1 Time(s)
root/password from 200.181.46.200: 3 Time(s)
test/password from 200.181.46.200: 2 Time(s)
test/password from 200.206.182.38: 1 Time(s)
user/password from 200.181.46.200: 1 Time(s)
**Unmatched Entries**
Illegal user test from 200.181.46.200
User guest not allowed because shell /dev/null is not executable
Illegal user admin from 200.181.46.200
Illegal user admin from 200.181.46.200
Illegal user user from 200.181.46.200
Illegal user test from 200.181.46.200
Illegal user test from 200.206.182.38
User guest not allowed because shell /dev/null is not executable
What I'm wondering is if there is a way to set up a false file system that allows a guest, user, admin, or test login to the system, so that when it (the script or person) does log in it can be monitored and then traced back to an originating IP?
I would love to start messing with the idiot that's actually doing this.
That log is being mailed to the root user automatically once a day in many of the modern Linux distributions, like Red Hat Fedora. To see it, "su - root" (password) then "mail", and you see the log under the heading "SSHD". I have the same problem, and sometimes I use the whois command to find the abuse@ email address, and mail them my log and a complaint. Once I got a reply back saying sorry, and that they would fix the breached machine. To counter this, I have made the user names tougher to guess, and put root in the "sshd deny" file. If you are very paranoid about this, you could put all users that use email (eg. username@yourdomain.com) in the deny list so that the hacker won't get the user name from email addresses, and limit the sshd users to the actual users that use sshd. Of course, root should always be in the deny list, especially if you have a <yourname><birthyear> type password for root.
NB. It can be wise to automatically forward all mail like this for the root user to another external mail address, like Hotmail, so that hackers can't reach it and delete it if they actually get into your machine.
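To turn a logwatch SSHD section like the one quoted above into a per-source summary and a hosts.deny block list (the "sshd deny" approach the reply describes), here is an added Python example, not code from the thread; the sample report text, the `sshd:` hosts.deny form and the threshold of three failed logins are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the logwatch SSHD section quoted in the thread.
SAMPLE_LOGWATCH = """\
Failed logins from these:
admin/password from 200.181.46.200: 2 Time(s)
guest/password from 200.181.46.200: 1 Time(s)
guest/password from 200.206.182.38: 1 Time(s)
root/password from 200.181.46.200: 3 Time(s)
test/password from 200.181.46.200: 2 Time(s)
test/password from 200.206.182.38: 1 Time(s)
user/password from 200.181.46.200: 1 Time(s)
**Unmatched Entries**
Illegal user test from 200.181.46.200
User guest not allowed because shell /dev/null is not executable
Illegal user admin from 200.181.46.200
Illegal user test from 200.206.182.38
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "user/password from IP: N Time(s)" summary lines from the Failed logins block
FAILED_RE = re.compile(rf"^(?P<user>[^/\s]+)/\S+ from (?P<ip>{IPV4}): (?P<n>\d+) Time\(s\)$")
# "Illegal user X from IP": the account does not exist here, i.e. a dictionary scan
ILLEGAL_RE = re.compile(rf"^Illegal user (?P<user>\S+) from (?P<ip>{IPV4})$")


def parse_logwatch(text):
    """Return {ip: {"failed": Counter(user -> attempts), "illegal": set(users)}}."""
    per_ip = defaultdict(lambda: {"failed": Counter(), "illegal": set()})
    for line in text.splitlines():
        line = line.strip()
        if m := FAILED_RE.match(line):
            per_ip[m["ip"]]["failed"][m["user"]] += int(m["n"])
        elif m := ILLEGAL_RE.match(line):
            per_ip[m["ip"]]["illegal"].add(m["user"])
        # lines without a source address (e.g. the /dev/null shell notice) are skipped
    return dict(per_ip)


def hosts_deny_entries(per_ip, min_failed=3):
    """hosts.deny lines for sources with at least min_failed failed logins (assumed threshold)."""
    noisy = [ip for ip, d in per_ip.items() if sum(d["failed"].values()) >= min_failed]
    return [f"sshd: {ip}" for ip in sorted(noisy)]


if __name__ == "__main__":
    stats = parse_logwatch(SAMPLE_LOGWATCH)
    for ip, d in sorted(stats.items()):
        print(ip, "failed:", sum(d["failed"].values()), "illegal users:", sorted(d["illegal"]))
    print("\n".join(hosts_deny_entries(stats)))
```

Feed it the real report with `parse_logwatch(open("/path/to/report").read())` and review the output before appending anything to hosts.deny, since a mistyped threshold can lock out a legitimate user who fat-fingered a password.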
I've set up a Honeypot after noticing similar activity on SSH, using an old Slackware 8, 2.4.18 and a bogus guest/guest account.
The entire thing seems automated, and as soon as the guest logs in, a local root exploit gets used to gain root access..automatism stops there though, as the actual new root pass gets entered manually (yay for script kiddies typoing).
After that, behavior differed...one immediately installed an IRC bot which connected to Undernet (EnergyBot), and started to scan from my machine (but strangely, all the machines he scanned were firewalled...hum..).
Sadly I didn't have my keylogger/outputlogger set up properly, so the log wasn't really usable aside from that info.
Others just changed the root pass, and logged out again.
Those scans aren't really frequent here (one every couple of days or so), and seem to have different origins (a few US, one from Romania).
Ah yes, the Romanian guy...changed root pass, logged out, didn't return for a while. I then restored an hour-old copy of the system, and -bang-, minutes later he's exploiting the thing -again- (using a different root pass), and doesn't at all seem to notice a certain familiarity with a certain box he exploited before..heh..kiddies.
On a further note, it's safe to assume that they logged in from their own private boxes..nmap revealed all ports as firewalled.
Right now I've put the Honeypot on hold...what do you think, is it worth continuing it? Any good ideas on further actions?
Hmm, thanks for the warning Capt_Caveman.
I use Smoothwall and I noticed an SSH attempt in my firewall log. Snort didn't pick it up, however.
I simply set Smoothwall to drop packets from that IP - simple.
The idea of letting someone into even a honeypot doesn't really seem like a good idea unless, as you say, you are really clued up on Linux, BSD or whatever.
As to the idea of "messing with these guys":
It sort of defeats the purpose of running in stealth; better to report these idiots to the relevant authorities.
I had someone ( usr/moron ) try my system on, another client of my ISP. I simply reported it to my ISP, sent my firewall and Snort logs, and the problem stopped - simple.
Interesting. Now, it -could- be the same guy. But alas, no action was done after he got into my Honeypot. Considering that the IPs in the logs of that link don't resolve (and he did when he logged into mine), I assume it's somebody different.
This may be a bit malicious, but you could put some nice viruses in your honeypot, ones that look like something the script kiddie would want (porn or a game), and kindly wipe out their partition tables.
I bet it would be a good long while until they scan you again, especially if their mommy grounds them for breaking the computer :P
Just out of interest, is that a normal amount of hacking attempts?
Our server runs about 20 webservers and 50 email accounts.
When we started the system there were, until we shut it down, 50.000 emails sent through us within a couple of hours on the first day. Since we reside with a big service provider in Germany, maybe they target them pro forma. We had a system in the States before; the amount wasn't nearly as big as that.
Timeframe is from beginning of September to today. In the mo I have hosts.allow and firewall running, no root login and only certain machines incoming. I'll look into keygen ssh.
# some specific drop IPs just for troublemakers.
Originally posted by DrNeil
Does my question go under the stickies?
When you reply to something that is stickied at the top of the forum, then yes it does. Please try to keep the replies to the stickied threads as relevant as possible.
In regards to the number of ssh login attempts you observed, yes that isn't abnormal. I've seen systems log significantly more than that. Don't know what the first part of your question (about emails) was about, but I don't think it has anything to do with failed ssh logins, so please start a new thread if necessary. Thanks.
Quote:
Originally posted by Capt_Caveman
When you reply to something that is stickied at the top of the forum, then yes it does. Please try to keep the replies to the stickied threads as relevant as possible.
Lol, there you try to minimise thread numbers and it's wrong again.