Re: Attempt to breakin

From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 07/09/05 

Date: Sat, 09 Jul 2005 10:03:01 -0000

Morning,

On 2005-07-08, Todd Knarr <tknarr@silverglass.org> wrote:
>
> I've seen a lot of these on my systems. It looks like someone trying
> a really dumb brute-force attack. You can do a few things to protect
> yourself:
>
Although dumb its effective. Working on an ISP helldesk we recently blocked
one of our users for scanning 200,000 hosts in port 22; in all probability he
had a weak username/password combination and someone ran a trojan on his
machine. We use snort to detect these things and pick up the results in the
morning for human decision making.

The amusing part about it is that the user knew they were blocked (we
high-jack the web browser to redirect them to a 'disabled' page explaining
whats happened) and so called asking if we could permit port 22 to be opened
to his machine so that he could remotely clean the machine. We explained we
could not do this as he was obviously infected with something trojan than
makes good use of port 22 and did it to scan/infect 200,000 machines. The
reply was golden, "whats port 22 used for"....WTF, *you* asked *us*...to but?

Needless to say I think we confirmed to ourselves the user believes in secure
passwords such as 'password' for the root account :)

> 1) Make sure your sshd is up to the most recent version with all the
> latest security fixes.
>
good advice, this was another thought of ours, an SSH daemon thats more than
a year or two old has a couple of very easy to remotely "get root" exploits.

> 2) Lock out direct root logins, require people to come in as a normal
> user and then su to root.
>
in /etc/ssh/sshd_config you should have a line that says 'PermitRootLogin
no'. Its well worth also having a 'wheel' account so that only a handful of
people that belong to the 'wheel' group can 'su' to root; on a Debian box I
like to make us of the 'staff'/'users' groups to double up as a 'wheel' flag;
anyone whos primary group is 'staff' can 'su'.

> 3) Lock out password access and require everyone to come in using a
> public key. Nobody can guess passwords if sshd won't accept passwords
> for login.
>
Extremely good advice however not logistically practical for everyone. If
only a few people administer the box then obviously this should be the
rule[1] however if its a box that used by "computer students" who seem to
spend more time playing Counterstrike rather than programming their projects
they seem to not be bearly able to comprend passwords[2] :)

> 4) Identify the IP addresses or netblocks the attacks are coming from and,
> if you don't need access from those same blocks yourself, firewall them
> off or add deny entries in hosts.allow to block access to sshd from
> those addresses/netblocks.
>
Depends strongly on your needs. If you are expected to maintain the box
whilst you are on holiday with a mobile phone in India for example, this is
not practical; if however the box should only be available to the
office/company/country[3] then block it; please make sure the firewall rule
is a REJECT[4] :)

Cheers

Alex

[1] http://cfm.gs.washington.edu/security/ssh/client-pkauth/
[2] well this was the case I found whilst at Imperial College, London :)
[3] http://ip.ludost.net/
[4] http://support.metronet.co.uk/security/dubious-firewall-techniques.xhtml1

Relevant Pages

  • Re: three questions
    ... (root by default) ... The Security check is a separate "letter" to you. ... the login failures sectoin means that you ... mistyped passwords or in some other way attempted to login improperly. ...
    (freebsd-questions)
  • Re: The Leap to Linux
    ... > they are just not secure. ... samba - encrypted passwords = Easier for cracker to gain root access. ... displayed ROOT vulnrabilities. ...
    (alt.os.linux)
  • RE: should i bother??
    ... > (network address translation from a public IP to a private network is always advised here) ... certain outgoing ports on the firewall at work. ... I run root kit hunter as a daily cron job. ... > Strong passwords of random letters, with at least two numbers and two special characters for all accounts, definately root. ...
    (Fedora)
  • Re: Removing hackers file
    ... >>But reinstall and get up to date with the security updates. ... >>Note they have root on your machine, and thus they may well know your ... > I am sending this from Windows, but Windows may be compromised too? ... re-install, change all your passwords, and start from scratch. ...
    (comp.os.linux.security)
  • Re: Attempt to breakin
    ... a really dumb brute-force attack. ... Make sure your sshd is up to the most recent version with all the ... Nobody can guess passwords if sshd won't accept passwords ... off or add deny entries in hosts.allow to block access to sshd from ...
    (comp.os.linux.networking)