Could it be a hacker?
I host my website on a server at my office. I only host traffic to the site, and allow mail to be sent from the site.
Recently, several logwatch messages sent to my root account have shown sections just like this one below: Quote:
If so, what is the best thing for me to do to prevent this? I'm almost certain that nobody has actually logged on illegally. Take into consideration that I am fairly new at this, but I am not by any means a real newbie. |
This is well known: bots and/or script kiddies and their scripts, running from remote servers (that may or may not have been compromised themselves), attempting logins.
First step, disable root login via SSH. Second step, set up iptables to block any IPs or IP ranges from connecting to your machine remotely. Or block all IPs except the known ranges you connect from. And the correct term is cracker, not hacker. ;) |
If you don't know what those IPs are you should block them via iptables. Better yet you should ensure that iptables only allows in http/https traffic - you shouldn't have ssh and other ports open to the world. You should restrict ssh to internal addresses and/or to only those external addresses you wish to allow. (This assumes you don't have another firewall between the server and the net - if you do you should block it there.)
It looks to me like someone at 84.246.244.93 is trying all the well known accounts so I'd certainly suspect a hacker there. That address is in Denmark according to www.dnsstuff.com IP check. |
I only log on from two locations (home and office), and those are both DHCP. As far as setting iptables to only accept logins from those addresses, how do I set a range? I have only used commands to target one IP before.
|
This happens continuously - scans for ssh logins. The steps you need to take:
1- Never allow remote root login. In sshd_config: PermitRootLogin no
2- Only allow specific users to login remotely (as few as possible). In sshd_config: AllowUsers user1 user2 user3
3- Use very strong passwords for the allowed users (mixed case, numbers and special symbols, with a minimum length of 12 characters). Even better, only allow login by ssh passphrase. In sshd_config:
RSAAuthentication yes
RhostsRSAAuthentication yes
DSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Also see: man ssh-keygen
4- Move ssh to a non-standard port. In sshd_config (for example): Port 12345
Remember to also close the old port (22) and open the new port in your firewalls/routers.
That's usually more than enough to protect your systems. There are additional tools that automatically add firewall blocks for bad access attempts, but they are not usually needed if you follow good security practices. The "bad guys" will just run their script, fail, and move on. |
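A small audit script for the checklist in the post above. This is an added example, not something posted in the thread: it reads an sshd_config the way sshd does (first uncommented occurrence of an option wins, keyword matched case-insensitively) and reports which of the recommended settings are missing. It assumes the current OpenSSH option names PermitRootLogin, AllowUsers, PasswordAuthentication, PermitEmptyPasswords and Port; the two sample configs it writes to a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening steps above.
# The sample configs below are constructed; point audit_sshd_config at
# /etc/ssh/sshd_config to check a real server.

# Print the effective value of one option: first non-comment match wins,
# keyword compared case-insensitively, as sshd itself reads the file.
sshd_opt() {
    # $1 = config file, $2 = option name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit 0 if the file satisfies the checklist, 1 otherwise; one line per finding.
# A commented-out or absent option counts as "not set to no", since sshd's
# default for PermitRootLogin/PasswordAuthentication is the permissive one.
audit_sshd_config() {
    cfg=$1; rc=0
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] \
        || { echo "FAIL: no AllowUsers line, every account may log in"; rc=1; }
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitEmptyPasswords)" = "no" ] \
        || { echo "FAIL: PermitEmptyPasswords is not 'no'"; rc=1; }
    port=$(sshd_opt "$cfg" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } \
        || echo "WARN: sshd still listens on port 22 (deterrent only, but cheap)"
    return $rc
}

# Constructed samples: a default-looking config and a hardened one.
tmpd=$(mktemp -d)
BAD_CFG=$tmpd/sshd_config.default
GOOD_CFG=$tmpd/sshd_config.hardened
cat > "$BAD_CFG" <<'EOF'
# constructed sample: looks like a stock distro file
#PermitRootLogin yes
Port 22
PasswordAuthentication yes
EOF
cat > "$GOOD_CFG" <<'EOF'
# constructed sample: the settings recommended in the thread
Port 12345
PermitRootLogin no
AllowUsers alice bob
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF

echo "== $BAD_CFG"
audit_sshd_config "$BAD_CFG" || echo "-> needs work"
echo "== $GOOD_CFG"
audit_sshd_config "$GOOD_CFG" && echo "-> OK"
```

After editing the real file, `sshd -t` validates the syntax before you restart the daemon; keep an existing session open while you test the new settings from a second one so a typo cannot lock you out.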
Quote:
You could set iptables to allow the whole block by using 66.120.90.0/24. That way if your IP changes to 66.120.90.156, it will still allow you to connect via the iptables rule you have in place. If your whole block changes, well, you'll have to sort that out manually at the machine, but in most cases it's not common for your ISP to change a whole range on you, at least it's not common. And if you have some type of router in place that's always on, if you have DSL or Cable, it's very unlikely your IP changes at all. I have cable and have had the same IP for 3 years now on a DHCP connection. ;) |
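To make the /24 notation concrete, here is an added example (not from the thread) that checks whether an address falls inside a CIDR block such as 66.120.90.0/24, and prints the iptables rules that would allow ssh only from a list of such blocks while dropping everyone else. It uses the 66.120.90.0/24 and 192.168.0.0/24 ranges mentioned in the thread plus constructed test addresses; the rules are printed, not applied, so nothing touches a live firewall unless you run the output yourself.

```shell
#!/bin/sh
# Added example: CIDR membership test and iptables rule generation for
# restricting ssh to known source ranges. Ranges from the thread, test
# addresses constructed. Pure POSIX sh arithmetic, no external tools.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains BLOCK IP -> exit 0 if IP lies inside BLOCK.
# BLOCK may be a.b.c.d/n or a bare address (treated as /32).
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    # Network mask: the top `bits` bits set, truncated to 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ssh_allow_rules PORT BLOCK... -> print rules accepting ssh from each BLOCK
# and dropping it from anywhere else. Order matters: ACCEPTs first, DROP last.
ssh_allow_rules() {
    port=$1; shift
    for blk in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $blk -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo: which of these constructed addresses would get through?
for ip in 66.120.90.156 66.120.91.1 192.168.0.42 84.246.244.93; do
    if cidr_contains 66.120.90.0/24 "$ip" || cidr_contains 192.168.0.0/24 "$ip"; then
        echo "$ip: allowed"
    else
        echo "$ip: blocked"
    fi
done
echo "# rules to review before applying:"
ssh_allow_rules 22 66.120.90.0/24 192.168.0.0/24
```

iptables accepts the /24 form directly in `-s`, so one rule per range is all that is needed; a second range (the internal 192.168.0.0/24) is just another ACCEPT line before the final DROP. If your INPUT chain already has a default DROP policy, the last line is redundant but harmless.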
So then if I entered for example:
Quote:
If so, how would I include another range from the internal network, such as 192.168.0.0/24? |
Additionally, how would I disable root login?
|
Quote:
As part of a best practice, the use of non-standard ports is a useful deterrent. It's like putting bars on your windows. Not effective for a determined attacker, but still useful. |
What do you think about PAM authentication? Is this best set to yes or no in sshd_config?
|
Quote:
Bars on a window are the same - their only purpose is to slow down an attacker, not stop them. As such, they act as a deterrent. Why spend the time cutting through the bars, when there are thousands of homes without bars? Now if the bars are on a bank... :) |
Who'd a thunk it? Thieves are doing ROI analyses...
:p |