Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:
Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX
Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manually exploitation later on. However, the possibility of a unknown exploit has not been ruled-out.
All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possiblity of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)
Originally posted by Pastorino It will be even more secure by disabling password authentication completely, and allowing only private key authentication.
Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.
At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.
Capt_Caveman: it's not a scanner for weak usernames/passwds, it's a ssh bruteforcer with those uid's/passwd's hard-coded.
Kiddies using it can't change the code obviously
I use more of the wikipedia definition of bruteforce, where it's something that attempts a large number of password variations against a single host, like iterating through the entire search-space of all possible alpha-numeric combinations. In essence "one or a few hosts, lots of usernames/passwords".
Of course, you can call them whatever you like
Last edited by Capt_Caveman; 08-15-2004 at 02:15 PM.
Dunno if this is the right place to ask this, but how can I configure some effective tcp wrappers using etc/hosts.allow and .deny? I'm getting the same ssh login/password spam on my box, and have been getting it for over a month now. I want to block this before it gets a chance to try combinations on my box, so I figured I'd try and disallow any ssh access except from a few specific places.
Here's the way I understand it, but it doesn't work. Someone please enlighten me:
In /etc/hosts.deny:
ALL: ALL
This will block all traffic coming in to the box, except what's provisioned in hosts.allow.
In /etc/hosts.allow:
ALL: LOCAL, .domain.com, 192.168.1
This will only allow local traffic, request from "domain.com", and any requests from your local subnet.
However, this does not work. If I try to ssh into my box from "domain.com", I get a connection refused. What gives?
Last edited by paperdiesel; 08-18-2004 at 08:27 AM.
The syntax should be ok. Maybe there is some problem with the hostname lookup, try using the IP address block of .domain.com instead. Do you see any relevant messages in the system logs about failed SSH attempts?
Originally posted by TruckStuff Except I beat my head against the wall for 2 weeks a few months ago trying to get private key auth working with SSHD.
At any rate, I've been seeing these attempts in my logs for the last few weeks. Just figured it was some stupid skiddie; guess I was right.
It's actually very easy.
$ ssh-keygen -t rsa
(Just press enter for all answers)
$ #Put your pub key, usually /home/USER/.ssh/id_rsa.pub, onto the server you're logging on to.
Originally posted by Capt_Caveman There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:
Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX
Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manually exploitation later on. However, the possibility of a unknown exploit has not been ruled-out.
All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possiblity of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny)
One way to secure a little bit more a Linux box is by using the chattr command. Usually I keep the passwd. etc., set to +i. this no way no one can add or modify them, no even root.
You can check your file(s) setting with the command "lsattr." e.g lsattr ----i-------- passwd
Been seeing this too, I have taken to explicitly blocking the troublesome IP's at firewall level as I use my box as a router - this way I just do a few quick Grep's through the /var/log/secure and then add a couple of rules.
Keeps them from doing anything as the firewall just drops packets from those hosts.
Here is my logwatch output and this is pretty standard every single day!
Failed logins from these:
admin/password from 200.181.46.200: 2 Time(s)
guest/password from 200.181.46.200: 1 Time(s)
guest/password from 200.206.182.38: 1 Time(s)
root/password from 200.181.46.200: 3 Time(s)
test/password from 200.181.46.200: 2 Time(s)
test/password from 200.206.182.38: 1 Time(s)
user/password from 200.181.46.200: 1 Time(s)
**Unmatched Entries**
Illegal user test from 200.181.46.200
User guest not allowed because shell /dev/null is not executable Illegal user admin from 200.181.46.200 Illegal user admin from 200.181.46.200 Illegal user user from 200.181.46.200 Illegal user test from 200.181.46.200 Illegal user test from 200.206.182.38 User guest not allowed because shell /dev/null is not executable
what Im wondering is if there is a way to setup a false file system allow a guest, user, admin, or test login to the system so that when it (the script or person) does login it can be monitored and then traced back to an originating IP?
I would love to start messing with the idiot thats actually doing this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.