Re: increasing failed sshd logins/clearing breadcrumb trails
Date: Wed, 15 Sep 2004 12:21:29 +0930 From: Tim Aslat [EMAIL PROTECTED] Subject: Re: increasing failed sshd logins/clearing breadcrumb trails To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=US-ASCII Tim Aslat [EMAIL PROTECTED] once said: In the immortal words of Glenn Sieb [EMAIL PROTECTED]... I've been getting this for weeks. They're all under APNIC, and emails to [EMAIL PROTECTED] involved networks has gone unanswered. I've been getting these as well, but from a multitude of address spaces. Not just APNIC. The easiest way to protect this is to check your sshd_config and set: PermitRootLogin no Interestingly, this option did not exist in my config file (I added it), but all other options were commented out. Is this the default? Is it wise to leave it this way? Agreed. However if you 'Absolutely' require something to be done remotely as root, make it a pub/priv key sequence and limit the command using the keys. ie: change sshd_config to PermitRootLogin without-password and set up command=/usr/local/bin/rsync --server --daemon . ssh-dss snip actual key in the authorized_keys file. This limits the abilities of the remoe login to just running the rsync command with the specified switches. Anything else just doesn't work. Which, if you're exposed to the 'Net would be a sane practice--force people to log in as themselves and su (or sudo or sudoscript) to root. Very sane practice Indeed. Admittedly, I am not sure about the rest of your posting. When I run last, (on 4.10-STABLE) it shows logins back to the 1st of September. It is possible that the box was compromised and the utmp/wtmp log removed/edited/etc, and I would start looking immediately for other traces of a possible intrusion. My current wtmp log, which dates from today back to Aug 30, is quite small and shows only two logins... I've logged in twice since reporting this incident to the list. There exists no utmp file in /var/log/. I'm really starting to feel as if the machine were compromised, or at least perused, and my utter lack of security knowledge has become glaringly apparent. What other traces could I look for; what other files might give me a clue? And where would I begin looking for files that might have been planted on the machine (scripts, server threads)? Cheers good luck Thanks, but it doesn't seem any luck I've got at this point would be good Tim ~John ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: increasing failed sshd logins/clearing breadcrumb trails
John DeStefano said the following on 9/16/2004 10:40 AM: The easiest way to protect this is to check your sshd_config and set: PermitRootLogin no Interestingly, this option did not exist in my config file (I added it), but all other options were commented out. Is this the default? Is it wise to leave it this way? Yes--it's in man sshd_config: PermitRootLogin Specifies whether root can login using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``no''. Note that if ChallengeResponseAuthentication is ``yes'', the root user may be allowed in with its password even if PermitRootLogin is set to ``without-password''. If this option is set to ``without-password'' password authenti- cation is disabled for root. If this option is set to ``forced-commands-only'' root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to ``no'' root is not allowed to login. Best, Glenn -- They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin, Historical Review of Pennsylvania, 1759 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
increasing failed sshd logins/clearing breadcrumb trails
I've noticed a few posts over the past week or so regarding users' servers being probed by remote ssh attempts. Coincidentally (or perhaps not so), around that time, I began getting quite a few records of such attempts to my server, at the rate of about 3 tries per IP, and about three IPs per night. Unfortunately, last night (Mon Sep 13), this attack was much more concentrated and persistent: someone from (or spoofing from) one IP (211.250.185.100) hammered my server with login attempts over a 20-minute period. The last report I got was a final, failed root password at 20:22:13 Eastern Time (GMT-5:00). I just read this record and logged into my server, and ran last, which gave me a blank record, saying only: wtmp begins Tue Sep 14 22:01:55 EDT 2004 ...which happened to be the exact time I just logged into my server. I'm wondering if it is a normal clean-up occurrance for the 'last' log to turn over at a certain time/date, or if this ssh-er finally got into my system and cleaned up his/her tracks? I realize the power of one who has root privelages, but what logs would they have wiped out to remain invisible, and what others might I have a possible chance of looking at to determine what happened? ___ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: increasing failed sshd logins/clearing breadcrumb trails
John DeStefano said the following on 9/14/2004 10:15 PM: I've noticed a few posts over the past week or so regarding users' servers being probed by remote ssh attempts. Coincidentally (or perhaps not so), around that time, I began getting quite a few records of such attempts to my server, at the rate of about 3 tries per IP, and about three IPs per night. Unfortunately, last night (Mon Sep 13), this attack was much more concentrated and persistent: someone from (or spoofing from) one IP (211.250.185.100) hammered my server with login attempts over a 20-minute period. The last report I got was a final, failed root password at 20:22:13 Eastern Time (GMT-5:00). I've been getting this for weeks. They're all under APNIC, and emails to [EMAIL PROTECTED] involved networks has gone unanswered. The easiest way to protect this is to check your sshd_config and set: PermitRootLogin no Which, if you're exposed to the 'Net would be a sane practice--force people to log in as themselves and su (or sudo or sudoscript) to root. Admittedly, I am not sure about the rest of your posting. When I run last, (on 4.10-STABLE) it shows logins back to the 1st of September. Best, Glenn ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: increasing failed sshd logins/clearing breadcrumb trails
In the immortal words of Glenn Sieb [EMAIL PROTECTED]... I've been getting this for weeks. They're all under APNIC, and emails to [EMAIL PROTECTED] involved networks has gone unanswered. I've been getting these as well, but from a multitude of address spaces. Not just APNIC. The easiest way to protect this is to check your sshd_config and set: PermitRootLogin no Agreed. However if you 'Absolutely' require something to be done remotely as root, make it a pub/priv key sequence and limit the command using the keys. ie: change sshd_config to PermitRootLogin without-password and set up command=/usr/local/bin/rsync --server --daemon . ssh-dss snip actual key in the authorized_keys file. This limits the abilities of the remoe login to just running the rsync command with the specified switches. Anything else just doesn't work. Which, if you're exposed to the 'Net would be a sane practice--force people to log in as themselves and su (or sudo or sudoscript) to root. Very sane practice Admittedly, I am not sure about the rest of your posting. When I run last, (on 4.10-STABLE) it shows logins back to the 1st of September. It is possible that the box was compromised and the utmp/wtmp log removed/edited/etc, and I would start looking immediately for other traces of a possible intrusion. Cheers good luck Tim -- Tim Aslat [EMAIL PROTECTED] Spyderweb Consulting http://www.spyderweb.com.au Phone: +61 0401088479 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: increasing failed sshd logins/clearing breadcrumb trails
Tim Aslat said the following on 9/14/2004 10:51 PM: In the immortal words of Glenn Sieb [EMAIL PROTECTED]... I've been getting this for weeks. They're all under APNIC, and emails to [EMAIL PROTECTED] involved networks has gone unanswered. I've been getting these as well, but from a multitude of address spaces. Not just APNIC. I should have been clearer--the ones coming in on *my* server have all been from APNIC :-/ Agreed. However if you 'Absolutely' require something to be done remotely as root, make it a pub/priv key sequence and limit the command using the keys. *nod* But I really can't think of any reason to have an exposed machine allow a direct-root login... Probably I just haven't had that particular need or experience yet... But with protected machines? Sure--at my old job (at Lumeta) we had our one trusted machine which was allowed to ssh as root (using keys only) to our internal machines. For purposes of pushes/pulls/upgrades/stuff along those lines. Very sane practice *nod* I'd like to think Tal rubbed off on me a bit :) It is possible that the box was compromised and the utmp/wtmp log removed/edited/etc, and I would start looking immediately for other traces of a possible intrusion. *nod* Hopefully he wasn't hacked--that would be major suckage :-/ Best, Glenn -- They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin, Historical Review of Pennsylvania, 1759 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
