Possible breakin attempt

[quacked]

In my secure logs,,, I found this

an 17 04:44:52 localhost sshd[15669]: reverse mapping checking getaddrinfo for 2.199.56.59.broad.qz.fj.dynamic.163data.com.cn [59.56.199.2] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 17 04:44:52 localhost unix_chkpwd[15672]: password check failed for user (root)
Jan 17 04:44:52 localhost sshd[15669]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.56.199.2 user=root
Jan 17 04:44:52 localhost sshd[15669]: pam_winbind(sshd:auth): getting password (0x00000010)
Jan 17 04:44:52 localhost sshd[15669]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 17 04:44:52 localhost sshd[15669]: pam_winbind(sshd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Jan 17 04:44:54 localhost sshd[15669]: Failed password for root from 59.56.199.2 port 44688 ssh2
Jan 17 12:44:54 localhost sshd[15670]: Connection closed by 59.56.199.2


First off I would like to know exactly what Password they were able to retrieve,,,

I have SElinux set to permissive to be able to allow my Lamp server to function
Denyhosts is installed and functioning to block _ All


Any help would be greatly appreciated,,,

[Evil_Bert]

I'd say you're right - looks like someone tried to login via SSH, but failed. Is your SSH setup for external (internet) access deliberately?

Wouldn't worry about the "get password" bit, that's just internal.

[quacked]

I have webmin installed and liked being able to get a shell from a remote machine ,, came in handy ,,, Just trying to decipher the logs.. and make sure no one was able to gain root access to the machine,,,

In trying to learn more, setup and administration of Linux in general,,,with the Server ,,, services it may require a little more vigilance on my part to keep up with it all,,, Hard to do ,, and learn at the same time,.

Thanks for the reply !!! After your telling me the get Password was internal that cleared up My Main question ,,, And brought a piece of enlightment !!

Localhost,,, Of Course !! ,Again Thanks,,,

[Thetargos]

It happened to me too, but no actual login when I carelessly left my machine as the DMZ box in the router for some months (I was originally testing some firewall policies, and then I left it on DMZ... bad for the heart, bad for the heart indeed! I had a daily over 200 ssh session attempts ! good thing I have strong passwords set on all my local users... except one "guest" account without a pssword, for obvious reasons, but ironically no one even guessed it [its actual name is different, though]).

[leigh123linux]

Make it harder for them

Code:

su -
yum install denyhosts
chkconfig --level 345 denyhosts on
service denyhosts restart

Code:

[root@localhost ~]# yum info denyhosts
Installed Packages
Name   : denyhosts
Arch   : noarch
Version: 2.6
Release: 7.fc8
Size   : 261 k
Repo   : installed
Summary: A script to help thwart ssh server attacks
Description:
DenyHosts is a Python script that analyzes the sshd server log
messages to determine which hosts are attempting to hack into your
system. It also determines what user accounts are being targeted. It
keeps track of the frequency of attempts from each host and, upon
discovering a repeated attack host, updates the /etc/hosts.deny file
to prevent future break-in attempts from that host.  Email reports can
be sent to a system admin.

[Thetargos]

Which reminds me, I have to re-configure my 'newly' installed CentOS server to send root's mail to one of my 'actual' emails, to keep track on the server... Now how did I do it the last time? /me checks his notes.

[ibbo]

Nothing wrong with those logs.

If you do not wish to remotely access your machine simply disable ssh.

I use TCPWrappers to ensure only myself from certain locations can access my machine.
hosts.deny
ALL:ALL
hosts.allow
sshd: <work ip>, 192.168.
Then your log will ony contain lines like "refused connect from "::ffff:61.219.147.75 (::ffff:61.219.147.75)"
Of course if you wish to access your machine from several locations you will have to list them all.

Denyhosts is good but if I recall correctly it allows several attempts and then after these attempts have failed it blocks the offending IP.

Ibbo

[Evil_Bert]

There's also fail2ban. Haven't used it myself but it was reviewed in the Nov '07 issue of Linux Magazine. It's similar to denyhosts, but instead of using tcpwrappers (and the hosts.deny file) it dynamically updates firewall rules, so will work for a wider range of applications (even apps that don't invoke tcpwrappers).

Fail2ban Home

[Kasper-pA-]

I use this little script we made here at our office

This program uses IPTables to drop IP's using invalid usernames that try to SSH into scout more than 5 times:

To run this, you need to do the following:
# Edit /etc/syslogd.conf to read
# SSH Messages to special log (FIFO) filter to /var/log/messages
local3.* |/var/log/sshcheck

# Edit /etc/ssh/sshd_config
SyslogFacility LOCAL3

Run this program in the background (it won't end until you send the magic word).

#!/usr/bin/perl

$FIFO = '/var/log/sshcheck';

$check_for="Failed password for illegal user";
$maxfail=5;
@IP_LIST="";

while (1) {
unless (-p $FIFO) {
unlink $FIFO;
system('mknod', $FIFO, 'p')
&& die "can't mknod $FIFO: $!";
}

# next line blocks until there's a reader
open (FIFO, "< $FIFO") || die "can't read $FIFO: $!";
open (FOUT, ">> /var/log/messages") || die "unable to open /var/log/messages: $!";
while(<FIFO>) {
if(m/$check_for/) {
m/$check_for.(\w+) from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/;
if($IP_LIST{$2}) {
if($IP_LIST{$2}>=$maxfail) {
print FOUT "*** Dropping $2 using command \"/sbin/iptables -I INPUT -s $2 -j DROP\" ***\n";
`/sbin/iptables -I INPUT -s $2 -j DROP`;
} else {
$IP_LIST{$2}++;
}
} else {
$IP_LIST{$2}=1;
}
}
if(m/STOP FIFO/) {
exit;
}
print FOUT $_;
}
close FOUT;
sleep 2;
}

[shamblett]

Quote:

Originally Posted by Thetargos

Which reminds me, I have to re-configure my 'newly' installed CentOS server to send root's mail to one of my 'actual' emails, to keep track on the server... Now how did I do it the last time? /me checks his notes.

Edit the /etc/aliases file, at the bottom is a line saying who gets roots mail, uncomment this and update it with your user name, save, then run 'newaliases' to recreate the alias database.

[johnnymack]

Hey quacked,

This attempt on your box was someone from the Far East, trying to login as root; happens all the time; is a known security weakness.

You should DISABLE ANY SSH INTO ROOT. Unfortunately, most Linux distros have lax security and release default settings to ssh server allowing users to ssh into root account. This is VERY UNSECURE practice. What you should want is to allow valid users to login as themselves, then su or sudo to execute protected commands. That way, you have logs to tell you WHO is using the root account.
Otherwise, you have root logins and you don't know really who 'that' root was. Besides, if you lockdown ssh into root, someone is trying to takeover your system needs to overcome 2 hurdles: first the local account password, THEN the necessary root exploit.

To cover this hole up, change the sshd settings to disallow root from any login. Edit the file: /etc/ssh/sshd_config and change the line:

PermitRootLogin yes

...to become:

PermitRootLogin no

Save the file and restart the sshd server with the command:

service sshd restart

And make sure that all your other user accounts have GOOD PASSWORDS, else the ever-present
hackers scanning for an easy entry to a system via ssh will nevertheless get in.

If you want even better security for ssh and other remote services into your box, look at implementing "SPA" or some variant of "portknocking". Those will hide your service from external systems unless and until they perform the magic beforehand.

http://www.linuxjournal.com/article/9565
http://www.cipherdyne.org/fwknop/
http://rahulhackingarticles.wetpaint...nocking?t=anon

HTH,

jm

[VisezTrance]

I get that "POSSIBLE BREAK-IN ATTEMPT!" each time I want to login too. Obviously, I'm not tring to hack my own VPS. So what's happening. Well, for each account(IP in my case), the ISP creates some sort of sudomain; so I guess the server tries to look it up but fails.

Someone mentioned fail2ban a bit earlier. It's what I'm using right now. Works quite nice and it's very easy to configure.

You should probably use ssh keys though.

[quacked]

Thanks to "All " !!! It's given me quite a bit to digest,

All in all I'm seeing other attempts to find vulnerabilities in My OS , and have a lot of reading,configuring ,and work ahead,,'

61.218.31.50 - - [04/Feb/2008:19:38:47 -0800] "GET /PMA/main.php HTTP/1.0" 404 288 "-" "-"
61.218.31.50 - - [04/Feb/2008:19:38:47 -0800] "GET /dbadmin/main.php HTTP/1.0" 404 292 "-" "-"
61.218.31.50 - - [04/Feb/2008:19:38:48 -0800] "GET /PMA2006/main.php HTTP/1.0" 404 292 "-" "-"
61.218.31.50 - - [04/Feb/2008:19:38:48 -0800] "GET /pma2006/main.php HTTP/1.0" 404 292 "-" "-"
61.218.31.50 - - [04/Feb/2008:19:38:49 -0800] "GET /sqlmanager/main.php HTTP/1.0" 404 295 "-" "-"
61.218.31.

among other things !!!


and am just a little concerned that some where along the way I won't be able to keep up with it all,,, Staying ahead of it all is quite the task,,,

[joe.pelayo]

Quote:

Originally Posted by Thetargos

It happened to me too, but no actual login when I carelessly left my machine as the DMZ box in the router for some months (I was originally testing some firewall policies, and then I left it on DMZ... bad for the heart, bad for the heart indeed! I had a daily over 200 ssh session attempts ! good thing I have strong passwords set on all my local users... except one "guest" account without a pssword, for obvious reasons, but ironically no one even guessed it [its actual name is different, though]).

Soy hackers now use Linux!

[EtherealMonkey]

Quote:

Originally Posted by quacked

Thanks to "All " !!! It's given me quite a bit to digest,

All in all I'm seeing other attempts to find vulnerabilities in My OS , and have a lot of reading,configuring ,and work ahead,,'

Yes, you will see these things from time to time.

When you catch them in the act (remember that it is normally a script), pop open a port scanner and load up the offending IP.

Although this is not good "netiquette", I have found that it usually buys a few days of peace.

Once, I set up my XP machine to proxy SSH requests to the FC server when connecting from a known good IP. Then set the XP machine to show a false banner (TOS for a GOV) when trying to connect with SSH from any other address. Now, I just run SSH on a non-standard port.

Certain things will slow them down or cause them to quit for a while.

Accept that it will not go away and be thankful that "forewarned is forearmed."

Oh yeah, I also use DenyHosts. So far, so good