Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Yup, I think I have an intruder; the IP 202.172.171.217 isn't known to me
at all.
I am the only one who knows the root password, and I have not logged in at
the times that last is showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 characters long, using numbers
and letters.
This is from my old config; is plaintext-password supposed to be blank?

# show system login
user root {
    authentication {
        encrypted-password: $1$nZxxsgXC/
        plaintext-password: 
    }
}
user vyatta {
    authentication {
        encrypted-password: $1$yyyt0/
        plaintext-password: 
    }
}

2008/2/4, Dave Strydom [EMAIL PROTECTED]:

> Log in to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not
> recognize.
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones [EMAIL PROTECTED]
> wrote:
> > I got mail from another Linux user today. He complained about login
> > attempts to his boxes, from my Vyatta router!
> > Am I haxored or what? This is from his log, and the IP 12.34.56.78 is
> > my router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
> > Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
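
Added example (not part of the original thread): the `last` check Dave suggests, plus a check of the router's own sshd log for a password-guessing run that ends in a successful login. All sample data is constructed and uses documentation addresses; the function names and the allowlist are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed
# (documentation address ranges); function names are hypothetical.

# Constructed `last -i` output; 192.0.2.10 stands for the admin workstation.
SAMPLE_LAST='root     pts/0        203.0.113.50     Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        192.0.2.10       Sun Feb  3 09:02 - 09:40  (00:38)
root     tty1         0.0.0.0          Sun Feb  3 08:55 - 09:00  (00:05)
vyatta   pts/1        192.0.2.10       Sat Feb  2 20:15 - 20:20  (00:05)
root     pts/0        203.0.113.50     Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        203.0.113.50     Fri Feb  1 13:49 - 17:18  (03:29)
reboot   system boot  0.0.0.0          Fri Feb  1 08:00 - 08:01  (00:01)'

# Constructed sshd auth log lines as they would appear on the router itself.
SAMPLE_AUTH='Feb  1 13:40:02 router sshd[2101]: Failed password for root from 203.0.113.50 port 40112 ssh2
Feb  1 13:40:05 router sshd[2101]: Failed password for root from 203.0.113.50 port 40112 ssh2
Feb  1 13:40:09 router sshd[2104]: Failed password for root from 203.0.113.50 port 40130 ssh2
Feb  1 13:41:30 router sshd[2110]: Failed password for root from 203.0.113.50 port 40201 ssh2
Feb  1 13:44:51 router sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Feb  1 13:49:12 router sshd[2230]: Accepted password for root from 203.0.113.50 port 40388 ssh2
Feb  3 09:02:00 router sshd[3001]: Accepted password for root from 192.0.2.10 port 50022 ssh2'

# unknown_logins USER "ALLOWED ADDRESSES"   (reads `last -i` text on stdin)
# Prints "<address> <sessions>" for remote logins of USER from addresses
# that are not on the allowlist. Console (non-pts) sessions are ignored.
unknown_logins() {
    awk -v user="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user && $2 ~ /^pts\// &&
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { count[$3]++ }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# bruteforce_then_login MIN_FAILURES   (reads sshd auth log text on stdin)
# Prints "<address> <failures>" for each source that had at least
# MIN_FAILURES failed passwords before its first accepted password login.
bruteforce_then_login() {
    awk -v min="$1" '
        # sshd ends these lines with "from <addr> port <n> ssh2"; read the
        # address by position from the end so a crafted user name cannot shift it.
        function src() {
            return ($(NF-4) == "from" && $(NF-2) == "port") ? $(NF-3) : ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            s = src(); if (s != "") fail[s]++
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            s = src()
            if (s != "" && fail[s] >= min + 0 && !(s in hit)) hit[s] = fail[s]
        }
        END { for (s in hit) print s, hit[s] }
    ' | sort
}

# Run against the constructed samples. On a live box, feed `last -i` and the
# system auth log (its path varies by distribution) into the same functions.
printf '%s\n' "$SAMPLE_LAST" | unknown_logins root "192.0.2.10"
printf '%s\n' "$SAMPLE_AUTH" | bruteforce_then_login 3
```

A source that shows up in both outputs had repeated password failures followed by an accepted root login, which is the pattern a guessed password leaves behind.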


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Hi
I am only using ssh. Is it possible to have rsa-keys for all users,
including vyatta?
Maybe the attackers managed to brute force my password?
This is very annoying since I have to reinstall the machine tomorrow and
don't know what went wrong. Haven't had time to check the logs either.

How does the user configuration look for you other guys and girls?


2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:

> Hi Jostein,
>
> Are you using telnet or ssh to access the box?  Using telnet is not secure
> from a public network as the username/password is in clear text.
>
> stig




Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Aubrey Wells
As far as I could tell, you can't set up key-only auth in the CLI. If
you drop an authorized_keys file into each user's ~/.ssh directory,
and set PasswordAuthentication=no in sshd.conf you will enable
key-only auth.


--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
Support: [EMAIL PROTECTED]
www.sheltonjohns.com




On Feb 4, 2008, at 2:00 PM, Jostein Martinsen-Jones wrote:


> Yes, I did change the root password asap!
>
> I would much like to see a configuration snippet on how to use rsa-keys.
>
> Can I use several rsa-keys so I can log in as different users?


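Added example (not part of the original thread): a check of whether an sshd configuration still lets anyone type a password after the change Aubrey describes. It assumes the server file is OpenSSH's sshd_config; the sample configs are constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Sample configs are constructed and the
# function names are hypothetical. Only the global section is read (parsing
# stops at the first Match block); defaults are OpenSSH compiled-in values.

# Constructed: password auth switched off as advised, PAM left enabled.
PARTIAL_CONFIG='# constructed sample
Port 22
PasswordAuthentication=no
UsePAM yes
PubkeyAuthentication yes'

# Constructed: key-only.
KEYONLY_CONFIG='PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes'

# effective_value KEYWORD DEFAULT   (config text on stdin)
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        { sub(/^[ \t]+/, "") }
        tolower($0) ~ /^match[ \t]/ { exit }     # per-user overrides not handled
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)      # "Key=value" becomes "Key value"
            n = split(line, f, /[ \t]+/)
            # First occurrence wins in sshd_config; keywords ignore case.
            if (n >= 2 && tolower(f[1]) == key) { val = tolower(f[2]); exit }
        }
        END { print val }
    '
}

# password_paths   (config text on stdin)
# Prints the keywords that still allow a typed password; empty means key-only.
password_paths() {
    cfg=$(cat)
    out=""
    [ "$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)" = "no" ] ||
        out="PasswordAuthentication"
    # Keyboard-interactive authentication can prompt for the account password
    # through PAM. Newer OpenSSH calls the keyword KbdInteractiveAuthentication.
    cr=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication unset)
    [ "$cr" != "unset" ] ||
        cr=$(printf '%s\n' "$cfg" | effective_value KbdInteractiveAuthentication yes)
    pam=$(printf '%s\n' "$cfg" | effective_value UsePAM no)
    if [ "$cr" != "no" ] && [ "$pam" = "yes" ]; then
        out="${out:+$out }ChallengeResponseAuthentication"
    fi
    printf '%s\n' "$out"
}

# Run against the constructed samples.
printf 'partial:  %s\n' "$(printf '%s\n' "$PARTIAL_CONFIG" | password_paths)"
printf 'key-only: %s\n' "$(printf '%s\n' "$KEYONLY_CONFIG" | password_paths)"
```

On a live router the real file can be piped in the same way, usually `password_paths < /etc/ssh/sshd_config`; keep an existing session open until a key login has been confirmed to work.
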
Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup you can have a key for each user.  Take a look at:
http://suso.org/docs/shell/ssh.sdf

Nate

On Mon, 2008-02-04 at 20:00 +0100, Jostein Martinsen-Jones wrote:
> Yes, I did change the root password asap!
>
> I would much like to see a configuration snippet on how to use
> rsa-keys.
> Can I use several rsa-keys so I can log in as different users?
 

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Yes, I did change the root password asap!

I would much like to see a configuration snippet on how to use rsa-keys.
Can I use several rsa-keys so I can log in as different users?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:

> Yup sure is.  I have set up my Vyatta router to only allow rsa keys.
> Did you change your root password from 'vyatta'?
>
> Nate


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup sure is.  I have set up my Vyatta router to only allow rsa keys.
Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> Hi
> I am only using ssh. Is it possible to have rsa-keys for all users,
> including vyatta?
> Maybe the attackers managed to brute force my password?
> This is very annoying since I have to reinstall the machine tomorrow
> and don't know what went wrong. Haven't had time to check the logs
> either.
>
> How does the user configuration look for you other guys and girls?
 
 

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
No problemo, will do.

I'm still annoyed that someone managed to get in.
Maybe tripwire would be nice on the box?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:

> Correct, you have to drop down to the Linux CLI, not Vyatta's.
>
> On Mon, 2008-02-04 at 14:08 -0500, Aubrey Wells wrote:
> > As far as I could tell, you can't set up key-only auth in the CLI. If
> > you drop an authorized_keys file into each user's ~/.ssh directory,
> > and set PasswordAuthentication=no in sshd.conf you will enable
> > key-only auth.
 

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Stig Thormodsrud
Hi Jostein,

Are you using telnet or ssh to access the box?  Using telnet is not secure
from a public network as the username/password is in clear text.

stig

 
