[SOLVED] Suspect sever break-in with user 'sshd' on Ubuntu 12.04, Ebury?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Suspect sever break-in with user 'sshd' on Ubuntu 12.04, Ebury?
Before wiping the server and starting over, thought I see if there was more I can do to find out about how this happened, get feedback on how to prevent.
116.10.191.234:6761 (ESTABLISHED) observed shortly (within an hour) after installing OpenSSH-Server. Auth.log shows:
db@emailserver:~$ cat /var/log/auth.log | grep -i accepted
May 16 19:38:17 emailserver sshd[9819]: Accepted password for db from 192.168.9.25 port 49756 ssh2
May 16 20:14:30 emailserver sshd[834]: Accepted password for db from 192.168.9.25 port 56239 ssh2
May 16 20:45:18 emailserver sshd[2410]: Accepted password for db from 192.168.9.25 port 50393 ssh2
db@emailserver:~$ cat /var/log/auth.log | grep -i 116.10.191.234
May 16 20:45:35 emailserver sshd[2412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:45:37 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:40 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:42 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:49 emailserver sshd[2412]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:46:04 emailserver sshd[2675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:46:06 emailserver sshd[2675]: Failed password for root from 116.10.191.234 port 15600 ssh2
May 16 20:46:13 emailserver sshd[2675]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
However, per article, file size suggest Ebury is culprit:
db@emailserver:~$ find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
-rw-r--r-- 1 root root 13672 Oct 17 2011 /lib/i386-linux-gnu/libkeyutils.so.1.4
Additional notes: Server created 20APR14, connected to internet 24/7 for this entire time. No auth.log entries for failed connection attempts prior to installing openssh. Strong root password used.
The server is currently disconnected. Before wiping it clean and starting over, thought I would first check if it or I could be helpful to Linux community. Just need direction, any suggestions? Or, suggestions on how to prevent this after I start over? Repeat of 2002 OpenSSH trojan? I am fairly new to Linux, so in all likelyhood I just did some noob mistake.
Indeed user "sshd" itself (as in 'getent passwd sshd') shouldn't be making such connections.
Quote:
Originally Posted by vranger@genzyme.linkpc.n
Code:
db@emailserver:~$ cat /var/log/auth.log | grep -i 116.10.191.234
May 16 20:45:35 emailserver sshd[2412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:45:37 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:40 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:42 emailserver sshd[2412]: Failed password for root from 116.10.191.234 port 6761 ssh2
May 16 20:45:49 emailserver sshd[2412]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:46:04 emailserver sshd[2675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
May 16 20:46:06 emailserver sshd[2675]: Failed password for root from 116.10.191.234 port 15600 ssh2
May 16 20:46:13 emailserver sshd[2675]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.234 user=root
Quote:
Originally Posted by vranger@genzyme.linkpc.n
However, per article, file size suggest Ebury is culprit:
Code:
db@emailserver:~$ find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
-rw-r--r-- 1 root root 13672 Oct 17 2011 /lib/i386-linux-gnu/libkeyutils.so.1.4
You forgot to include output of
Code:
ipcs -m
Next to that: verify your OpenSSH server and client and libkeyutils package.
Also note RKH version 1.4.2 includes 3 ClamAV signatures that may be of help. If you already have 'clamscan' installed (shouldn't install any software on presumed compromised machines) then you can extract the signatures, cd into the rkhunter/files/signatures directory (or supply full path to the "--database=" switch) and run
Additional notes: Server created 20APR14, connected to internet 24/7 for this entire time. No auth.log entries for failed connection attempts prior to installing openssh. Strong root password used.
Next to properly hardening a server please adhere to SSH best practices:
- use sane SSH configuration values (no version 1 protocol, etc, etc),
- do not allow root logins over any network ever,
- only allow unprivileged user logins and using pubkey auth only,
- do deploy measures like fail2ban or equivalent.
Since it appears there were no break-in attempts prior to installing OpenSSH, and then an immediate successful break-in shortly after, I suspect the Openssh install using apt-get to be the culprit. How does one check the source of the files being installed with apt-get are coming from a legitimate source, and even that they are trojan free?
Those might be just short-lived connections where someone was unsuccessfully trying to log in as root. If you have an ssh server listening on port 22 you are going to see a lot of those.
Was the ipcs command run as root user?
Or did you run the command right after restarting the SSH daemon?
Quote:
Originally Posted by vRanger
How does one check the source of the files being installed with apt-get are coming from a legitimate source, and even that they are trojan free?
There's several ways and the default Debian(-like) way of using debsums unfortunately requires you to modify apt-related configuration files before the event. One way is to download a copy of the SSH daemon, client, dependencies and any other packages onto a known clean machine, generate a list of hashes (md5sum or md5deep) and run them with 'md5sum -c' on the "victim" system.
Quote:
Originally Posted by vRanger
Since it appears there were no break-in attempts prior to installing OpenSSH, and then an immediate successful break-in shortly after, I suspect the Openssh install using apt-get to be the culprit.
Did you check all logs? Have you verified the integrity of the whole system? If not then please be more thorough and don't be too quick drawing conclusions.
Since it appears there were no break-in attempts prior to installing OpenSSH, and then an immediate successful break-in shortly after, I suspect the Openssh install using apt-get to be the culprit.
Oops, a red herring just landed in the boat. I simply don't accept this hypothesis.
could have been short lived connections for break-in attempts, and not an actual successful break-in?
I would agree with this seeing how my system shows sshd as the user for unsuccessful logins. Plus with your Auth log, it shows the China ip as trying to log in as root. So ignoring the unsuccessful notice there would mean that if there was access then the root account would be shown with a second ip address as a established connection with ssh. Also Iirc sshd as a user has no valid shell to run like a standalone ssh user (such as /bin/bash for root). You can check this by looking into / etc / passwd at the shell column. That being said definitely run ssh on another port/ harden the ssh config/ install fail2ban or similar.
Agreed, the hypothesis was incorrect.
After you kind and insightful suggestions, I ran experiment, connect with SSH but not log in.
The result was an additional established connection, which went away when closing the not logged in SSH session.
So in fact, no proof of a successful intrusion is presented.
Thank you all for your support!
But you do have evidence in logs of password guessing against your site. Consider disabling password logins and requiring keys to get rid of this.
"Whaddaya mean, consider?!"
When you go to any workplace, you do not see a guard saying, "What's the magic word?" No, you see a badge-reader. Everyone's got their own badge, uniquely issued to them.
Also, in many companies, you have to pass through a front-gate and a fence just to get into the complex at all. In computerland, that gate is called "VPN," and you should be using it to encircle everything. There are no "open ports," unless and until you - again, using your uniquely-issued identification badge, not a password (PSK) – can pass over the one drawbridge that crosses the outer moat. Only then are you privileged to use your SSH credentials to pass further.
It is called, "defense in depth." If users are able even to attempt an ssh-login into your system from afar, then you are already doing something very wrong.
Thanks everyone. Responses ranged from skeptical to ultra paranoid, and I learned a lot! Security is far more complex than I first imagined, and more interesting as well. Finding the right balance between paranoid, which can be difficult to manage, and insufficient, which can be difficult to recover from, is the challenge. For my server, and for its purpose, I am choosing the following:
iptables - firewall
Fail2Ban - set to permanently ban on three log in failure attempts. Did this by changing the default tries of 5 to 3 and ban timeout to 0 (infinite). I use a very strong password, so this is really overkill. Mostly it annoys me that failed log in attempts are clogging up my log files. I use sudo, so root and ssh users have log in disabled. There are hardly any other users that are attempted for break in attempts.
Obscurity - changed the ssh port from default to some other large number under the max of 65,535.
Tripwire - let's me know who gains access and when. If they weren't supposed to, I can revert to backup and change passwords.
md5 checksums - get a clean list of check sums after all software is installed, and before connecting to the internet and save to USB or remote location. This way I can periodically check the installed applications to verify their integrity in case crafty intruder managed to sneak in and root the server. Looks like rkhunter might have some functionality to automate this, so I'll look into that.
ssh - using private key with pass phrase and disabled password log in capability for all users.
I'm also considering one other suggestions posted on another site, use separate server to monitor network traffic. Since Tripwire could be compromised if the server is broken into, this would be another option for a more secure way to monitor connections. It however is crossing the line into ultra paranoid, and still, seems like an interesting thing to explore.
Also, an idea I'm toying with is creating a simple script that would monitor the 'who' output, and trigger a timer that when expired will disable all NICs. The script would have to be disabled shortly after logging in to prevent the server from being cut off from the outside world. Crafty intruder would have to have first hand knowledge of such a script in order to defeat it. Again, major overkill, but simple to implement, and easy to maintain.
Finally, if you made it this far, then you will certainly enjoy the following article, which chronicles the adventures of a security expert who sets up servers with the goal of baiting would be crafty intruders to analyze what they do. In this case it is a person or organization that utilizes servers to effect DOS attacks:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.