Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
On 02/06/2008, at 9:36 PM, Darryl Barlow wrote:

> The compromise occurred over the Christmas/New Year period when I was
> interstate. The server had ssh access enabled via password entry and fell
> victim to a brute force password attack. Fortunately I had software
> installed which alerted me to the problems.
...
> (But I also noted with interest the recent bug in Debian systems when
> generating keys, which would have made even this method insecure on these
> boxes).

You rarely need to ssh into a box 120 times a minute, so I rate limit my ssh connections to 2 a minute with iptables. This stops (dare I say) all automated brute force attacks; when ssh starts timing out, the bots move on. Won't stop a person, though it will slow them down to a crawl.

There are other things like fail2ban, or using a non-standard port. Perhaps blocking any IP that knocks on the standard port. But these measures will only stop bots. If someone is determined, they will just change hosts/IPs and continue the attack.

Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Re: slug Digest, Vol 29, Issue 5
I had the pleasure some years ago of a cracker gaining access to a Linux box on my work network running SME Server.

I am a lawyer, not a software professional, though computers have been an enjoyable hobby for me since my late teens, and I have administered our work network and a number of others for some years. I have read this thread with some discomfort. Though I would like to think I am reasonably well informed, I am very conscious that there is a great deal I do not know.

The compromise occurred over the Christmas/New Year period when I was interstate. The server had ssh access enabled via password entry and fell victim to a brute force password attack. Fortunately I had software installed which alerted me to the problems. I was particularly fortunate in that I was able to shut down access whilst the cracker was logged in, and the activities were clearly shown in the log files. I took copies of the logs and shut down the machine, then took it off the network and did a more thorough review on my return to Sydney.

Needless to say, even though I was fairly confident that I had traced all of the nefarious activities, I did a complete reinstall of the whole system. I also made some substantial changes to the way the network was set up, including ssh access.

I learnt some valuable lessons. I was doing quite a few things well, and was thus able to detect the compromise quickly. But I was also doing a number of things wrong, including allowing external ssh login by password. (But I also noted with interest the recent bug in Debian systems when generating keys, which would have made even this method insecure on these boxes).

My point is that these things do happen. The server was a private one, and was not hosting any external services other than email and ssh. I still do not know how the attacker located the machine. I presume it was probably through a port scan which may have taken place some time before.

It is a big mistake to believe that these problems are limited to Windows machines. If you are running Linux servers particularly, you need to take this type of problem very seriously.
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Darryl Barlow [EMAIL PROTECTED] writes:

[...]

> The server had ssh access enabled via password entry and fell victim to a
> brute force password attack.

[...]

> I still do not know how the attacker located the machine. I presume it was
> probably through a port scan which may have taken place some time before.

The most likely case is that they found the machine by brute force as well; a fair proportion of hostile modern software simply picks random IP addresses and attacks them in the hope that there is something vulnerable.

This has the benefit, for the attacker, of turning up things that don't get advertised, and of having a very low cost to identify targets -- especially when the economies of scale result in your large network being able to randomly scan more and more of the overall network.

Regards,
Daniel

Sadly, the hackers these days just don't care any more. Nothing personal about it, most of the time.
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Quoting Darryl Barlow [EMAIL PROTECTED]:

> I had the pleasure some years ago of a cracker gaining access to a Linux
> box on my work Network running SME Server.
> I still do not know how the attacker located the machine. I presume it was
> probably through a port scan.

I have seen the same thing with other installs of SME Server. The machines I saw it on were properly firewalled and not even visible. People I know have come to the conclusion that it was software already embedded within the system at distribution. It got activated in idle time. It was doing spam mass mailing.

I wonder if this is what you experienced?

David
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
[EMAIL PROTECTED] writes:

> Quoting Darryl Barlow [EMAIL PROTECTED]:
>
>> I had the pleasure some years ago of a cracker gaining access to a Linux
>> box on my work Network running SME Server.
>> I still do not know how the attacker located the machine. I presume it
>> was probably through a port scan.
>
> I have seen the same thing with other installs of SME Server. The machines
> I saw it on were properly firewalled and not even visible. People I know
> have come to the conclusion that it was software already embedded within
> the system at distribution. It got activated in idle time. It was doing
> spam mass mailing.

Which release of SME Server was this?

Having done some auditing, and worked with customers who ran SME Server systems for some years without incident -- but only on older versions -- I am surprised at this claim.

Do you have any supporting evidence for that? Alternately, did the folks you know write this up anywhere?

Regards,
Daniel
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
Quoting Daniel Pittman [EMAIL PROTECTED]:

> Which release of SME Server was this?
>
> Having done some auditing, and worked with customers who ran SME Server
> systems for some years without incident -- but only on older versions --
> I am surprised at this claim.

It is some years ago now... As I recall the older versions didn't seem to have the problem. I only found the problem with the 'last two' versions... whatever numbers they were... sorry, can't remember.

> Do you have any supporting evidence for that? Alternately, did the folks
> you know write this up anywhere?

We weren't able to track down the exact process that was doing the sending... Every time you touched the mouse, or keyed 'ps ax', the sending seemed to stop. When it was spamming, we got disconnection threats from our ISP...

We noticed that if the machine was totally isolated to the local network it didn't send anything. If it had internet access then it would spam.

I'm very certain that if one were to install it fresh from CD on a fresh machine it would start spamming again. The rogue code (I think) would still be there.

These are just my opinions... I don't have any logs or enough evidence to catch it; quite frankly, it was too clever for me.

David
Re: [SLUG] Re: slug Digest, Vol 29, Issue 5
[EMAIL PROTECTED] writes:

> Quoting Daniel Pittman [EMAIL PROTECTED]:
>
>> Which release of SME Server was this?
>>
>> Having done some auditing, and worked with customers who ran SME Server
>> systems for some years without incident -- but only on older versions --
>> I am surprised at this claim.
>
> It is some years ago now... As I recall the older versions didn't seem to
> have the problem. I only found the problem with the 'last two' versions...
> whatever numbers they were... sorry, can't remember.

No worries.

>> Do you have any supporting evidence for that? Alternately, did the folks
>> you know write this up anywhere?
>
> We weren't able to track down the exact process that was doing the
> sending... Every time you touched the mouse, or keyed 'ps ax', the sending
> seemed to stop. When it was spamming, we got disconnection threats from
> our ISP...
>
> I'm very certain that if one were to install it fresh from CD on a fresh
> machine it would start spamming again. The rogue code (I think) would
> still be there.

Well, I certainly never observed that, and would be surprised if there had been rogue code along those lines in there -- even after the product ended up mostly unmaintained in the hands of the community.

Regards,
Daniel