LinuxQuestions.org
Old 06-11-2009, 08:17 PM   #1
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Rep: Reputation: 30
Connection to localhost has been lost, am I Hacked !!! ??


Hello all,
My system (Slackware12.1, KDE3.5.10) has suddenly developed a problem with KSystemGuard ...
Every time I try to open the Process Table to view or stop running processes, I get a recursive window stating:

" ERROR KDE system Guard
!Connection to localhost has been lost."


I am now unable to check processes and/or do anything on my system (this makes me a little nervous as I don't know what is running).

I have rebooted the system, and also completely shut it down ... no difference.

After Googling this error, I have noticed that this seems to be a fairly widespread problem, but I have been unable to find a solution for it.

The only new software I have installed recently is a newer version of Opera Browser (and I removed Seamonkey browser), would this have caused this error?

Another point is that I have some strange connection entries in my system log (this has compounded my fears that I no longer have control of my system).



This is a small extract from the system log, Am I being Hacked ??? :

Quote:
06/11/2009 04:29:50 AM Weasel-Server sshd[11049] Failed password for invalid user nanchan from 121.52.210.198 port 43662 ssh2
06/11/2009 04:29:50 AM Weasel-Server sshd[11049] Invalid user nanchan from 121.52.210.198
06/11/2009 04:29:52 AM Weasel-Server sshd[11059] Failed password for invalid user nao from 121.52.210.198 port 43868 ssh2
06/11/2009 04:29:52 AM Weasel-Server sshd[11059] Invalid user nao from 121.52.210.198
06/11/2009 04:29:55 AM Weasel-Server sshd[11069] Failed password for invalid user naoko from 121.52.210.198 port 44072 ssh2
06/11/2009 04:29:55 AM Weasel-Server sshd[11069] Invalid user naoko from 121.52.210.198
06/11/2009 04:29:57 AM Weasel-Server sshd[11082] Failed password for invalid user naokun from 121.52.210.198 port 44261 ssh2
06/11/2009 04:29:57 AM Weasel-Server sshd[11082] Invalid user naokun from 121.52.210.198
06/11/2009 04:29:59 AM Weasel-Server sshd[11092] Failed password for invalid user naonao from 121.52.210.198 port 44467 ssh2
06/11/2009 04:29:59 AM Weasel-Server sshd[11092] Invalid user naonao from 121.52.210.198
06/11/2009 04:30:01 AM Weasel-Server sshd[11102] Failed password for invalid user naonori from 121.52.210.198 port 44644 ssh2
06/11/2009 04:30:01 AM Weasel-Server sshd[11102] Invalid user naonori from 121.52.210.198
06/11/2009 04:30:03 AM Weasel-Server sshd[11112] Failed password for invalid user naopun from 121.52.210.198 port 44853 ssh2
06/11/2009 04:30:03 AM Weasel-Server sshd[11112] Invalid user naopun from 121.52.210.198
06/11/2009 04:30:06 AM Weasel-Server sshd[11122] Failed password for invalid user naosann from 121.52.210.198 port 45034 ssh2
06/11/2009 04:30:06 AM Weasel-Server sshd[11122] Invalid user naosann from 121.52.210.198
06/11/2009 04:30:08 AM Weasel-Server sshd[11135] Failed password for invalid user naotata from 121.52.210.198 port 45227 ssh2
06/11/2009 04:30:08 AM Weasel-Server sshd[11135] Invalid user naotata from 121.52.210.198
06/11/2009 04:30:10 AM Weasel-Server sshd[11145] Failed password for invalid user nappy from 121.52.210.198 port 45438 ssh2
06/11/2009 04:30:10 AM Weasel-Server sshd[11145] Invalid user nappy from 121.52.210.198
06/11/2009 04:30:12 AM Weasel-Server sshd[11155] Failed password for invalid user nasuka from 121.52.210.198 port 45620 ssh2
06/11/2009 04:30:12 AM Weasel-Server sshd[11155] Invalid user nasuka from 121.52.210.198
06/11/2009 04:30:14 AM Weasel-Server sshd[11165] Failed password for invalid user nato from 121.52.210.198 port 45829 ssh2
06/11/2009 04:30:14 AM Weasel-Server sshd[11165] Invalid user nato from 121.52.210.198
06/11/2009 04:30:17 AM Weasel-Server sshd[11178] Failed password for invalid user natsu from 121.52.210.198 port 46018 ssh2
06/11/2009 04:30:17 AM Weasel-Server sshd[11178] Invalid user natsu from 121.52.210.198
06/11/2009 04:30:19 AM Weasel-Server sshd[11188] Failed password for invalid user natsuki from 121.52.210.198 port 46222 ssh2
06/11/2009 04:30:19 AM Weasel-Server sshd[11188] Invalid user natsuki from 121.52.210.198
06/11/2009 04:30:21 AM Weasel-Server sshd[11198] Failed password for invalid user natsuko from 121.52.210.198 port 46406 ssh2
06/11/2009 04:30:21 AM Weasel-Server sshd[11198] Invalid user natsuko from 121.52.210.198
06/11/2009 04:30:23 AM Weasel-Server sshd[11208] Failed password for invalid user natsumi from 121.52.210.198 port 46606 ssh2
06/11/2009 04:30:23 AM Weasel-Server sshd[11208] Invalid user natsumi from 121.52.210.198
06/11/2009 04:30:26 AM Weasel-Server sshd[11218] Failed password for invalid user natuko from 121.52.210.198 port 46797 ssh2
06/11/2009 04:30:26 AM Weasel-Server sshd[11218] Invalid user natuko from 121.52.210.198
06/11/2009 04:30:28 AM Weasel-Server sshd[11231] Failed password for invalid user natume from 121.52.210.198 port 46987 ssh2
06/11/2009 04:30:28 AM Weasel-Server sshd[11231] Invalid user natume from 121.52.210.198
06/11/2009 04:30:30 AM Weasel-Server sshd[11241] Failed password for invalid user nawate from 121.52.210.198 port 47187 ssh2
06/11/2009 04:30:30 AM Weasel-Server sshd[11241] Invalid user nawate from 121.52.210.198
06/11/2009 04:30:32 AM Weasel-Server sshd[11251] Failed password for invalid user nba from 121.52.210.198 port 47372 ssh2
06/11/2009 04:30:32 AM Weasel-Server sshd[11251] Invalid user nba from 121.52.210.198
06/11/2009 04:30:35 AM Weasel-Server sshd[11261] Failed password for invalid user nbishida from 121.52.210.198 port 47579 ssh2
06/11/2009 04:30:35 AM Weasel-Server sshd[11261] Invalid user nbishida from 121.52.210.198
06/11/2009 04:30:37 AM Weasel-Server sshd[11274] Failed password for invalid user ncfukuda from 121.52.210.198 port 49828 ssh2
06/11/2009 04:30:37 AM Weasel-Server sshd[11274] Invalid user ncfukuda from 121.52.210.198
06/11/2009 04:30:39 AM Weasel-Server sshd[11284] Failed password for invalid user necomasa from 121.52.210.198 port 50034 ssh2
06/11/2009 04:30:39 AM Weasel-Server sshd[11284] Invalid user necomasa from 121.52.210.198
06/11/2009 04:30:41 AM Weasel-Server sshd[11294] Failed password for invalid user nekomimi from 121.52.210.198 port 50240 ssh2
06/11/2009 04:30:41 AM Weasel-Server sshd[11294] Invalid user nekomimi from 121.52.210.198
06/11/2009 04:30:43 AM Weasel-Server sshd[11304] Failed password for invalid user nekonote from 121.52.210.198 port 50433 ssh2
06/11/2009 04:30:43 AM Weasel-Server sshd[11304] Invalid user nekonote from 121.52.210.198
06/11/2009 04:30:46 AM Weasel-Server sshd[11317] Failed password for invalid user neomolak from 121.52.210.198 port 50634 ssh2
06/11/2009 04:30:46 AM Weasel-Server sshd[11317] Invalid user neomolak from 121.52.210.198
06/11/2009 04:30:48 AM Weasel-Server sshd[11327] Failed password for invalid user neoslyly from 121.52.210.198 port 50826 ssh2
06/11/2009 04:30:48 AM Weasel-Server sshd[11327] Invalid user neoslyly from 121.52.210.198
06/11/2009 04:30:50 AM Weasel-Server sshd[11337] Failed password for invalid user nepia41 from 121.52.210.198 port 51037 ssh2
06/11/2009 04:30:50 AM Weasel-Server sshd[11337] Invalid user nepia41 from 121.52.210.198
06/11/2009 04:30:52 AM Weasel-Server sshd[11347] Failed password for invalid user nero from 121.52.210.198 port 51228 ssh2
06/11/2009 04:30:52 AM Weasel-Server sshd[11347] Invalid user nero from 121.52.210.198
06/11/2009 04:30:55 AM Weasel-Server sshd[11357] Failed password for invalid user nes from 121.52.210.198 port 51417 ssh2
06/11/2009 04:30:55 AM Weasel-Server sshd[11357] Invalid user nes from 121.52.210.198
06/11/2009 04:30:57 AM Weasel-Server sshd[11370] Failed password for invalid user netidol from 121.52.210.198 port 51621 ssh2
06/11/2009 04:30:57 AM Weasel-Server sshd[11370] Invalid user netidol from 121.52.210.198
06/11/2009 04:30:59 AM Weasel-Server sshd[11380] Failed password for invalid user netm from 121.52.210.198 port 51809 ssh2
06/11/2009 04:30:59 AM Weasel-Server sshd[11380] Invalid user netm from 121.52.210.198
06/11/2009 04:31:01 AM Weasel-Server sshd[11390] Failed password for invalid user newcrown from 121.52.210.198 port 52012 ssh2
06/11/2009 04:31:01 AM Weasel-Server sshd[11390] Invalid user newcrown from 121.52.210.198
06/11/2009 04:31:04 AM Weasel-Server sshd[11400] Failed password for invalid user neworld from 121.52.210.198 port 52215 ssh2
06/11/2009 04:31:04 AM Weasel-Server sshd[11400] Invalid user neworld from 121.52.210.198
06/11/2009 04:31:06 AM Weasel-Server sshd[11413] Failed password for invalid user newton from 121.52.210.198 port 52411 ssh2
06/11/2009 04:31:06 AM Weasel-Server sshd[11413] Invalid user newton from 121.52.210.198
06/11/2009 04:31:08 AM Weasel-Server sshd[11423] Failed password for invalid user nfukawa from 121.52.210.198 port 52605 ssh2
06/11/2009 04:31:08 AM Weasel-Server sshd[11423] Invalid user nfukawa from 121.52.210.198
06/11/2009 04:31:10 AM Weasel-Server sshd[11433] Failed password for invalid user nhhae from 121.52.210.198 port 52793 ssh2
06/11/2009 04:31:10 AM Weasel-Server sshd[11433] Invalid user nhhae from 121.52.210.198
06/11/2009 04:31:12 AM Weasel-Server sshd[11443] Failed password for invalid user nicolo from 121.52.210.198 port 53004 ssh2
06/11/2009 04:31:12 AM Weasel-Server sshd[11443] Invalid user nicolo from 121.52.210.198
06/11/2009 04:31:15 AM Weasel-Server sshd[11456] Failed password for invalid user nigel from 121.52.210.198 port 53192 ssh2
06/11/2009 04:31:15 AM Weasel-Server sshd[11456] Invalid user nigel from 121.52.210.198
06/11/2009 04:31:18 AM Weasel-Server sshd[11466] Failed password for invalid user nigota from 121.52.210.198 port 53391 ssh2
06/11/2009 04:31:18 AM Weasel-Server sshd[11466] Invalid user nigota from 121.52.210.198
06/11/2009 04:43:50 AM Weasel-Server none -- MARK --
06/11/2009 05:03:50 AM Weasel-Server none -- MARK --
06/11/2009 05:23:50 AM Weasel-Server none -- MARK --
06/11/2009 05:43:50 AM Weasel-Server none -- MARK --
06/11/2009 06:03:50 AM Weasel-Server none -- MARK --
06/11/2009 06:23:50 AM Weasel-Server none -- MARK --
06/11/2009 06:31:19 AM

As soon as I saw this, I freaked and have chmod disabled /etc/rc.d/rc.sshd

Could anyone please offer any suggestions as to what I can do to:
1. Get my Process Table working again.
2. Protect from ssh (attacks?) like this?

Thank you very much, I'll very much look forward to your replies.

Regards
 
Old 06-11-2009, 08:41 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 357
I don't use KDE, so I can't be of much help there.

But those SSH brute force attacks are very very common for any machine running an Internet accessible SSH daemon. As you can see, it is just stepping through username/password combinations, and they are all (predictably) failing. If you are using a strong password, there is almost zero chance an SSH brute force would ever actually succeed against your system. The attacker would first have to figure out your username (which is hard enough, and not possible through SSH brute forcing alone), and then actually brute force the password itself. As long as you aren't using a password that is in the dictionary, and is a combination of letters and numbers (ideally with a few symbols thrown in), it would take a few hundred years to crack the password at the rate he is averaging at there (about 1 per second).

Of course, that doesn't take into account a remote exploit in the SSH daemon, but that is another topic entirely. Always make sure you are running the latest security patches for your Slackware release.
 
Old 06-11-2009, 08:44 PM   #3
vinegaroon
Member
 
Registered: Sep 2008
Posts: 99

Rep: Reputation: 21
Hi there.
Those log entries indicate that someone is trying to access your system (through ssh) with a brute force method.
To disable sshd and prevent it from starting you need to run:

Code:
chmod +x /etc/rc.d/rc.sshd
/etc/rc.d/rc.sshd stop
chmod -x /etc/rc.d/rc.sshd

If you do not use sshd on your system I recommend you do this.

I'm not too sure about your ksysguard problem, however another way you could use to view processes on a linux system is with the 'top' command in a terminal.
 
Old 06-11-2009, 09:20 PM   #4
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian,Ubuntu,Slackware
Posts: 479

Rep: Reputation: 48
If you do need to run ssh, perhaps set it to listen to a different port than the default 22. This would at least prevent your logs from filling up with random scans to that port.

(Do this via the file /etc/ssh/sshd_config)
 
Old 06-11-2009, 09:39 PM   #5
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Hi MS3FGX and vinegaroon thanks for replies,

I have been using a dictionary word with some numbers and punctuation as my root password, but after this I will change my root password to a longer more random combination of letters, numbers and punctuation.


This leads to a few new questions:

1. Is there a log kept anywhere for ssh connections so that I can check to see if this attacker actually got into my system? (perhaps locking me out of the process table so I could not see what he is/was up to?).

2. Do you think that these two problems (ssh attack & lack of process table) are related, or completely independent of each other?

3. Is there any danger of having a fairly simple and easy [user] password, (but at the same time having a strong root password), or should I make my [user] password strong as well?

4. I do use remote ssh to connect into this machine, so what steps can I take to secure ssh from this kind of attack?

5. What is the process for doing security updates in Slackware? Is it just a simple case of installing some packages (if so what ones and where from?), or is it a case of manually editing system files to gain security? (if so what files, and what would be the edited content)?


Thank you very much if you can answer these questions, I appreciate your support.

Kind Regards
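
An added example for question 1 above (not part of the original thread): sshd records successful logins as "Accepted ..." lines in the same log as the failures, so the check is whether any source that was guessing also has an accepted login. The sample lines, addresses and user names are constructed and follow the layout of the log extract quoted in post #1.

```python
import re
from collections import defaultdict

# Match only the sshd message, so the timestamp layout in front of it (the
# log-viewer format quoted in the thread, or plain syslog) does not matter.
# The companion "Invalid user X from Y" lines are skipped on purpose: each
# attempt also logs a "Failed password" line, so counting both would double up.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]:?\s+(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(lines, threshold=3):
    """Per source address: count failures and flag logins accepted after them."""
    hosts = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "accepted": [], "suspect": False})
    for line in lines:
        m = SSHD_AUTH.search(line)
        if not m:
            continue
        h = hosts[m["ip"]]
        if m["result"] == "Failed":
            h["failed"] += 1
            h["users"].add(m["user"])
        else:
            h["accepted"].append((m["user"], m["method"]))
            # A success that follows a run of failures is the case to chase.
            if h["failed"] >= threshold:
                h["suspect"] = True
    for h in hosts.values():
        if h["suspect"]:
            h["verdict"] = "INVESTIGATE: login accepted after repeated failures"
        elif h["failed"] >= threshold:
            h["verdict"] = "guessing attempts, none accepted"
        else:
            h["verdict"] = "no sign of guessing"
    return dict(hosts)

# Constructed sample input (documentation address ranges, made-up users).
SAMPLE = """\
06/11/2009 04:29:50 AM host sshd[11049] Failed password for invalid user alice from 203.0.113.7 port 43662 ssh2
06/11/2009 04:29:50 AM host sshd[11049] Invalid user alice from 203.0.113.7
06/11/2009 04:29:52 AM host sshd[11059] Failed password for invalid user bob from 203.0.113.7 port 43868 ssh2
06/11/2009 04:29:55 AM host sshd[11069] Failed password for invalid user carol from 203.0.113.7 port 44072 ssh2
06/11/2009 05:10:01 AM host sshd[11500] Failed password for root from 198.51.100.9 port 50100 ssh2
06/11/2009 05:10:03 AM host sshd[11502] Failed password for root from 198.51.100.9 port 50102 ssh2
06/11/2009 05:10:05 AM host sshd[11504] Failed password for root from 198.51.100.9 port 50104 ssh2
06/11/2009 05:10:07 AM host sshd[11506] Accepted password for root from 198.51.100.9 port 50106 ssh2
06/11/2009 07:00:00 AM host sshd[11800] Accepted publickey for demo from 192.0.2.10 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, h in triage(SAMPLE).items():
        print(f"{ip:15} failed={h['failed']:<3} accepted={h['accepted']} -> {h['verdict']}")
```

A clean result here only says what the log contains; someone who did gain root could have edited it, so compare against logs kept off the machine where they exist.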
 
Old 06-11-2009, 09:42 PM   #6
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Hi mattydee,

you must have snuck in there while I was typing my last response, heh heh

Thank you, your response has answered one of my questions about securing ssh.

Kind Regards
 
Old 06-11-2009, 09:53 PM   #7
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian,Ubuntu,Slackware
Posts: 479

Rep: Reputation: 48
I would also look into using the AllowGroups parameter in sshd_config to only allow ssh access to users in a specific group.
Most people also recommend disallowing root logon via ssh... again through sshd_config

You could also use pub/priv key authentication and disallow user/password auth altogether.

Last edited by mattydee; 06-11-2009 at 09:55 PM.
 
Old 06-12-2009, 02:15 AM   #8
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 544
Quote:
" ERROR KDE system Guard
!Connection to localhost has been lost."
There are a few older posts here at LQ noting that the lm_sensors package is required to properly run KSysguard. If the lm_sensors package is not installed the previous error message can be expected.
 
Old 06-12-2009, 04:55 AM   #9
Ilgar
Member
 
Registered: Jan 2005
Location: Istanbul, Turkey
Distribution: Slackware64 14.2, Slackwarearm-current
Posts: 997

Rep: Reputation: 123
About the ssh login attempts: It's quite common to have such attacks as the other posters already said. I'm using the following script in my rc.firewall:

Code:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP
What it does is to limit each IP to 3 login attempts in 60 seconds. Packets for the extra attempts are dropped. Bots and scripts usually give up trying when they get no response. Since I began using this script I have a much cleaner system log.

PS: For extra security, in your sshd.conf file disable Protocol 1 and use only Protocol 2. Maybe it's already like that by default, I'm not sure. But don't panic, I don't know of any cases where ssh or even the 1st protocol was broken. If you use ssh, I'd say the risks are not big enough to necessitate turning it off.
 
Old 06-12-2009, 05:42 AM   #10
GazL
Senior Member
 
Registered: May 2008
Posts: 4,793
Blog Entries: 14

Rep: Reputation: Disabled
Quote:
Originally Posted by orbit
3. Is there any danger of having a fairly simple and easy [user] password, (but at the same time having a strong root password), or should I make my [user] password strong as well?
In short, yes.

If an attacker manages to login with a normal user account, it opens up a whole range of attack vectors through unpatched privilege escalation vulnerabilities.

As an example, many of these tend to show up in the kernel as vulnerabilities in ioctl() or other system calls. There's been quite a few security issues fixed within the 2.6.27.y branch which is now up to .25, yet slackware stable is still running with its shipped .7 kernel.

I can appreciate that the slackware guys are a small team with limited time and resources and so I won't criticise them for not following these kernel updates with official packages, but if security is important to you, it's something you need to be aware of and to make sure you pick up the slack (forgive the pun) and ensure you patch it yourself.

The best option is to keep the attacker out in the first place with good strong passwords on all accounts.


As for Q5, you'll find the updates that the team do make through official security notices at slackware.com/security. People use various ways of applying them automatically, but I still do it the old fashioned way; by hand.
 
Old 06-12-2009, 05:54 AM   #11
Eternal_Newbie
Member
 
Registered: Jun 2005
Location: The Pudding Isles
Distribution: Slackware
Posts: 573

Rep: Reputation: 59
For your problem with ksysguard, it appears to have a dependency on mozilla-nss, like many programs. On Slackware mozilla-nss is provided by the Seamonkey package, so you may want to reinstall seamonkey or install a separate mozilla-nss package. I believe Alien Bob has a slackbuild for it
 
Old 06-12-2009, 09:07 AM   #12
vinegaroon
Member
 
Registered: Sep 2008
Posts: 99

Rep: Reputation: 21
Another thing orbit - it's probably not a good idea to allow root to login via ssh.
You can disable root login in /etc/ssh/sshd_config
Look for:
#PermitRootLogin yes
and change it to
PermitRootLogin no
 
Old 06-12-2009, 01:23 PM   #13
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
To prevent most of those attacks, I would recommend running sshd on a port > 1000.

Example, I have both my computers that run sshd running on port 2001 and 2002
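
An added example (not part of the original thread) that gathers the sshd_config suggestions from posts #4, #7, #9, #12 and #13 into one check: it reads a config file's text and reports which of those suggestions are not in effect. Both sample configs are constructed, and the group name `sshusers` is hypothetical.

```python
import re

def parse_sshd_config(text):
    """Collect uncommented 'Keyword value' lines from the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#PermitRootLogin yes' is a comment, not a setting
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this sketch
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, []).append(value)
    return settings

def audit(text):
    """Return findings for the settings recommended in the thread."""
    s = parse_sshd_config(text)

    def first(keyword):
        # sshd uses the first value it obtains for a keyword
        return (s.get(keyword) or [""])[0]

    findings = []
    if first("permitrootlogin").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    if first("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not set to 'no'")
    if "allowgroups" not in s:
        findings.append("AllowGroups is not set: ssh access is not limited to one group")
    if "1" in re.split(r"[,\s]+", first("protocol")):
        findings.append("Protocol 1 is enabled")
    if "22" in s.get("port", ["22"]):  # sshd listens on 22 when no Port is given
        findings.append("listening on port 22: expect scanner noise in the logs")
    return findings

# Constructed samples: a file left mostly untouched, and one with the
# thread's suggestions applied (port 2001 is the value from post #13).
WEAK = """\
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 2001
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Changing the port only reduces log noise; the other four settings are the ones that change what a password-guessing run can reach.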
 
Old 06-15-2009, 07:23 PM   #14
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Wow, what an amazing amount of help!

Thank you all for your invaluable assistance, I really appreciate it!

I will address each of the suggestions here as soon as I get home tonight, so that I can secure the system.

Thank you all very much again

Kind Regards
 
Old 06-15-2009, 09:50 PM   #15
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 551
mozilla-nss

Quote:
Originally Posted by Eternal_Newbie
For your problem with ksysguard, it appears to have a dependency on mozilla-nss, like many programs. On Slackware mozilla-nss is provided by the Seamonkey package, so you may want to reinstall seamonkey or install a separate mozilla-nss package. I believe Alien Bob has a slackbuild for it
To the OP: Indeed, Ksysguard (if that's what you're using) will show 'localhost disconnected' for various reasons, one of which as mentioned earlier was lm_sensors or the libsensors shared library (required for lm_sensors to work).

To EternalNewbie: THANKS for the mention of mozilla-nss! A light came on when I read your post, because a while back, I was doing some 'cleaning' around my system (read: deleting 'unneeded' stuff and upgrading some other stuff) and when I was done, I discovered that Ksysguard no longer worked for me either, and I went about making a little bash script to give me my temp/fan information instead. I have been thinking all along that the fact that I upgraded to the newest versions of libsensors & lm_sensors is the reason that Ksysguard no longer worked (incompatibility??) BUT: Eureka! I also removed either/or/both of Mozilla-nss and/or SeaMonkey (because I don't use it) and so... Well, you see? Maybe if I re-install mozilla-nss, Ksysguard will work again for me

LOL..

Cheers,
Sasha
 
  

