Users' passwords keep changing??



daviddoria
5th January 2008, 09:32 PM
I have a small mail server running (a Fedora 8 machine) that I made a few users on for the sole purpose of having separate mailboxes in /home/USER/.maildir. The users log in to the pop3 server from Outlook Express in Windows XP. However, about every 2 days they call me and complain that their mail login is failing. When I go look, the password that I set no longer works (not only for the pop3 server, but even to log in to the machine!!). Is it possible that they are getting corrupt? I mean there is no way these people know how to change a password on a Linux account. When I reset the password as root everything goes back to normal.

What's up??

Thanks,

David

stevea
5th January 2008, 09:44 PM
Not sure what mail server you are using, nor how you have configured authentication. Some mail servers do not by default use the /etc/passwd file for authentication, but instead use a .db file. Strange behavior nonetheless. Are there "password changed" entries in /var/log/secure?

daviddoria
5th January 2008, 10:20 PM
Wow... so I looked at /var/log/secure.... There are pages and pages of this:

Jan 4 12:25:28 davedesktop sshd[10938]: Failed password for invalid user sean from 125.248.145.178 port 15015 ssh2
Jan 4 12:25:32 davedesktop sshd[10940]: Failed password for invalid user shaun from 125.248.145.178 port 15284 ssh2
Jan 4 12:25:35 davedesktop sshd[10942]: Failed password for invalid user sven from 125.248.145.178 port 16499 ssh2
Jan 4 12:25:39 davedesktop sshd[10945]: Failed password for invalid user steve from 125.248.145.178 port 17774 ssh2
Jan 4 12:25:43 davedesktop sshd[10947]: Failed password for invalid user steven from 125.248.145.178 port 18382 ssh2

As you may have guessed, those are not users on my machine!!!??? Someone is hacking me? Granted, the accounts that had the passwords changed had silly 3-letter passwords that matched the user names (DOH!!). What else can I check to see if anything else has been messed with? I actually had a couple of those users in the sudoers no-password file..... that has since been fixed (another DOH!!)

Is something like this worth reporting? (To my ISP? Or who?)

Any more pointers about what to do/check would be great.

Thanks,

David

stevea
5th January 2008, 10:44 PM
Uh oh - 3-letter passwords are silly if they involve user authentication.
Yes, you should report it. One of the other files in /var/log should have the IP address of the hacker.

"who -a /var/log/wtmp" may show you when any hacker logins occurred.

You might want to look into the hosts.allow / hosts.deny software - this can be used to reject connection attempts based on IP address.
Serious passwords would be another step.

Also, if those mail users do not need to log in to your system (if they just need email service) then change their default shell to "nologin". That is, start System->Administration->Users and Groups, select a user and Properties, select their "login shell" and set it to /sbin/nologin. That way they can still authenticate but they can't get a shell.

stevea
5th January 2008, 10:51 PM
Oops - that is the IP address, and it's some Korean script kiddie.
125.248.145.178

If you do a "whois 125.248.145.178" you'll see an abuse email that might be worth a forward.

daviddoria
5th January 2008, 10:57 PM
OK, the passwords have been made 100x heftier. I don't understand what I am supposed to learn from 'who -a /var/log/wtmp' that I can't get from 'cat /var/log/secure | grep 'password''? Most likely I am missing something :) What does wtmp stand for anyhow? The IP was actually right in the line where it said "password changed" and/or "invalid user", so that's the one I report? Do I just call the ISP and say "I've had a hacker attempt and here's how I know."? They won't even know what I'm talking about if I start talking about /var/log/secure and stuff hahahaha

I will definitely change the users to not get a shell - I just have to look up how to do it from a terminal. I was hesitant to add myself to hosts.allow because then if my IP changes (I have one of those kind of pseudo-static IPs, like I don't pay for it but the ISP just doesn't really ever change it) I won't be able to log in anymore, and there is no one there who I would want messing with my hosts file hahaha

Thanks for the help, I was freaking out a little bit lol - how can I see if they "did" anything else - what could they "do"? I know with Windows people could install some kind of software that would help them with a DoS attack, but where would I check if something like that was done?

Thanks,

David

wintersm
5th January 2008, 11:17 PM
You need to check out a program called fail2ban. It can be configured to watch for failed login attempts, and after a couple of attempts it puts a firewall ban in place for a set period of time; that way the script kiddies give up and move on..

I use it with sshd (even though I don't use passwords) and it works fine - stops those dictionary name attempts after 2 tries.. The other thing, if you can help it, don't have fairly insecure services like pop open to the world..
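The thread's advice boils down to two checks on /var/log/secure: which source addresses are hammering sshd with failed passwords (the pattern fail2ban automates), and which logins actually succeeded so each one can be matched against an expected user. The script below is an added example, not from any poster or from fail2ban; `brute_force_sources`, `accepted_logins` and `SAMPLE_LOG` are names chosen here, and the log lines are constructed in the same format as those David quoted, using documentation IP ranges.

```shell
#!/bin/sh
# Constructed sample in the format of the /var/log/secure lines quoted above
# (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG='Jan 4 12:25:28 davedesktop sshd[10938]: Failed password for invalid user sean from 203.0.113.7 port 15015 ssh2
Jan 4 12:25:32 davedesktop sshd[10940]: Failed password for invalid user shaun from 203.0.113.7 port 15284 ssh2
Jan 4 12:25:35 davedesktop sshd[10942]: Failed password for invalid user sven from 203.0.113.7 port 16499 ssh2
Jan 4 12:26:01 davedesktop sshd[10950]: Accepted password for bob from 203.0.113.7 port 17001 ssh2
Jan 4 12:26:30 davedesktop sshd[10955]: Failed password for david from 192.0.2.10 port 40001 ssh2
Jan 4 12:26:40 davedesktop sshd[10956]: Accepted publickey for david from 192.0.2.10 port 40002 ssh2'

# Read sshd log lines on stdin and print "count ip" for every source address
# with at least $1 failed password attempts (default 3), busiest first.
# This is the same signal fail2ban keys on before inserting a firewall rule.
brute_force_sources() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Read sshd log lines on stdin and print "user method ip" for each successful
# login. A success from an address that also shows up in the brute-force list
# (bob below) is the one to treat as a compromised account.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        method = $0
        sub(/.*Accepted /, "", method); sub(/ for .*/, "", method)
        print user, method, ip
    }'
}

# Stand-alone run over the constructed sample; on a real box replace the
# printf with: grep sshd /var/log/secure | brute_force_sources 5
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
```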