Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Jim Stapleton

Once I opened up SSH to the outside world, my machine has been
hammered once or twice a day most days, with username failures. None
of the usernames would fit a username on my system (except root), and
I have ssh set to deny root logins, and only use SSH2. Additionally, I
have the following in my login.access (only active entry; the names
have been changed on this, but the three names would appear as 3 and
four character random alphabetical strings):
-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant/brute-force attempts
at my ssh server. It's interesting, but the major drop in attempts has
me more worried than the attempts (could this drop off be because they
no longer need to hack me? Could they have hacked me and that be the
reason why?)

How worried should I be, and what's the best recourse for this?

Thanks,
-Jim Stapleton
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Gabor Kovesdan

Jim Stapleton schrieb:

Once I opened up SSH to the outside world, my machine has been
hammered once or twice a day most days, with username failures. None
of the usernames would fit a username on my system (except root), and
I have ssh set to deny root logins, and only use SSH2. Additionally, I
have the following in my login.access (only active entry; the names
have been changed on this, but the three names would appear as 3 and
four character random alphabetical strings):
-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant/brute-force attempts
at my ssh server. It's interesting, but the major drop in attempts has
me more worried than the attempts (could this drop off be because they
no longer need to hack me? Could they have hacked me and that be the
reason why?)

How worried should I be, and what's the best recourse for this?

On a system I administer I put SSH on a non-standard port (in this case
1234) and the brute force attempts have gone away since then. I suggest
you try that. Besides, you can change to RSA/DSA auth, which is more
secure.


Regards,
Gabor



Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Jim Stapleton

I have DSA. I will change it to a nonstandard port, but I was
wondering what your opinion is on a good way to check if this is the
result of me being hacked, or just someone losing interest.

On 4/14/07, Gabor Kovesdan [EMAIL PROTECTED] wrote:

Jim Stapleton schrieb:
 Once I opened up SSH to the outside world, my machine has been
 hammered once or twice a day most days, with username failures. None
 of the usernames would fit a username on my system (except root), and
 I have ssh set to deny root logins, and only use SSH2. Additionally, I
 have the following in my login.access (only active entry; the names
 have been changed on this, but the three names would appear as 3 and
 four character random alphabetical strings):
 -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

 As of the 9th, I've only seen one set of blatant/brute-force attempts
 at my ssh server. It's interesting, but the major drop in attempts has
 me more worried than the attempts (could this drop off be because they
 no longer need to hack me? Could they have hacked me and that be the
 reason why?)

 How worried should I be, and what's the best recourse for this?

On a system I administer I put SSH on a non-standard port (in this case
1234) and the brute force attempts have gone away since then. I suggest
you try that. Besides, you can change to RSA/DSA auth, which is more
secure.

Regards,
Gabor





Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Bill Moran
In response to Jim Stapleton [EMAIL PROTECTED]:

 Once I opened up SSH to the outside world, my machine has been
 hammered once or twice a day most days, with username failures. None
 of the usernames would fit a username on my system (except root), and
 I have ssh set to deny root logins, and only use SSH2. Additionally, I
 have the following in my login.access (only active entry; the names
 have been changed on this, but the three names would appear as 3 and
 four character random alphabetical strings):
 -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
 
 As of the 9th, I've only seen one set of blatant/brute-force attempts
 at my ssh server. It's interesting, but the major drop in attempts has
 me more worried than the attempts (could this drop off be because they
 no longer need to hack me? Could they have hacked me and that be the
 reason why?)
 
 How worried should I be, and what's the best recourse for this?

The drop is more likely coincidence than anything else, although you may
have blocked things to the point where they don't get logged anymore.

These breakin attempts are bots.  While I don't know for sure, I seriously
doubt that botnet gathering crooks discuss with each other which machines
they've already broken and thus don't attempt to break them a second
time.  I don't expect the drop off is related.

Personally, I just had 3 such attempts last night, compared to none over
the course of several days.  It's just a matter of how busy the botnet
people are on any given day.

You should install/run samhain or something similar to monitor activity
so you know if something unauthorized has changed.  That's the only real
way to know if you've successfully been broken or not.

-- 
Bill Moran
http://www.potentialtech.com
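The baseline-and-compare check that samhain and similar tools provide, reduced to its core as an added Python example that is not from the thread or from samhain. It hashes a constructed temporary tree rather than real system paths, and the comment about keeping the baseline off the host is the practitioner's caveat, not something the code enforces.

```python
import hashlib
import os
import stat
import tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each regular file under root to its hash, permission bits and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": file_digest(full), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return baseline

def compare(old, new):
    """Report paths that appeared, disappeared or changed since the stored baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def _append(path, text):
    with open(path, "a") as f:
        f.write(text)

def demo():
    """Run the check on a constructed tree (not real system files) and return the report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _append(os.path.join(etc, "rc.conf"), 'sshd_enable="YES"\n')
        _append(os.path.join(etc, "login.access"), "-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local\n")
        before = build_baseline(root)  # in real use, store this read-only or off the host
        # Later run: one config file edited, one unexpected file present.
        _append(os.path.join(etc, "rc.conf"), 'inetd_enable="YES"\n')
        _append(os.path.join(etc, "unexpected.sh"), "#!/bin/sh\n")
        return compare(before, build_baseline(root))
```

A baseline that stays writable on the monitored box can be edited along with the files it describes, which is why the real tools sign it or keep it elsewhere.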


Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Gabor Kovesdan

Jim Stapleton schrieb:

I have DSA. I will change it to a nonstandard port, but I was
wondering what your opinion is on a good way to check if this is the
result of me being hacked, or just someone losing interest.

Well, I think the latter. If you have an up-to-date system with
up-to-date packages, you should not be too worried; I think
brute force is useless if one uses strong passwords. I'd check auth.log
and the output of last(1) to see if they say something, but you can never be
sure. So I'd say just be happy that they stopped trying, but don't give
up the regular maintenance so that your system is as secure as it can
be. :)
Oh, and you can try port-knocking as well to secure the sshd port. If
you don't know what it is, just google for it.


Gabor
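The auth.log review Gabor suggests, as an added Python example that is not from the thread: it counts failures per source and username and flags accepted logins worth a second look. The log lines are constructed, the three usernames come from Jim's login.access entry, and the 192.168.1. prefix standing in for "local" is an assumption.

```python
import re
from collections import Counter

# Constructed FreeBSD-style sshd lines (not from the thread); real ones are in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Apr 14 03:12:01 bsdbox sshd[1201]: Invalid user admin from 198.51.100.23
Apr 14 03:12:03 bsdbox sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 4422 ssh2
Apr 14 03:12:05 bsdbox sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 4425 ssh2
Apr 14 03:12:09 bsdbox sshd[1205]: Failed password for root from 198.51.100.23 port 4431 ssh2
Apr 14 08:00:12 bsdbox sshd[1300]: Accepted publickey for wrbc from 192.168.1.20 port 50012 ssh2
Apr 14 09:41:55 bsdbox sshd[1311]: Accepted password for crr from 203.0.113.7 port 1111 ssh2
Apr 14 09:42:30 bsdbox sshd[1312]: Accepted publickey for aqp from 192.168.1.21 port 50100 ssh2
"""

# The three users permitted from remote origins by the poster's login.access entry.
ALLOWED_REMOTE_USERS = {"wrbc", "crr", "aqp"}
# Assumption: "local" in that entry means this private network.
LOCAL_NET_PREFIX = "192.168.1."

FAILED_RE = re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")

def review_accepted(method, user, ip):
    """Notes a defender wants on a successful login; an empty list means nothing unusual."""
    notes = []
    local = ip.startswith(LOCAL_NET_PREFIX)
    if not local and user not in ALLOWED_REMOTE_USERS:
        notes.append("login.access should have denied this user from a remote origin")
    if not local:
        notes.append("remote login: confirm it was you")
    if method == "password":
        notes.append("password auth used where DSA keys are expected")
    return notes

def analyze(log_text):
    """Count failures per source and username, and list accepted logins worth a second look."""
    failed_by_ip, failed_users, suspicious = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed_by_ip[ip] += 1
            failed_users[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            notes = review_accepted(method, user, ip)
            if notes:
                suspicious.append({"user": user, "ip": ip, "method": method, "notes": notes})
    return {"failed_by_ip": failed_by_ip, "failed_users": failed_users, "suspicious_accepts": suspicious}
```

The failure counts are the noise the thread talks about; the accepted-login list is the part that answers "was it me or someone else", and it is worth cross-checking against last(1).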


Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Martin Hudec

Jim Stapleton wrote:

I have DSA. I will change it to a nonstandard port, but I was
wondering what your opinion is on a good way to check if this is the
result of me being hacked, or just someone losing interest.


If you are hacked, then something might or might not be going on in your
system (check for unusual stuff, like a rise in the number of processes, or
disk usage, or network traffic, and think about it). You know how your
system behaves day to day, don't you?

Nevertheless, generally speaking, 99.99% of these brute-force attempts to get
ssh access are coming from various zombies blindly trying out port 22;
that's why the port change is the usual advice. There are easier ways
to get inside than just brute-forcing via wild guessing of login
credentials. For example, take an unsecured web server with some full-of-bugs
content management system. Exploiting a vulnerability will allow someone
(this time definitely not a zombie) to get into the system and go
forward with any dark actions he/she might have in mind.


nice sunny weekend,
Martin


Re: Given this evidence, should I be worried that I may have been hacked

2007-04-14 Thread Paul Schmehl
--On April 14, 2007 7:25:46 AM -0400 Jim Stapleton 
[EMAIL PROTECTED] wrote:

Once I opened up SSH to the outside world, my machine has been
hammered once or twice a day most days, with username failures. None
of the usernames would fit a username on my system (except root), and
I have ssh set to deny root logins, and only use SSH2. Additionally, I
have the following in my login.access (only active entry; the names
have been changed on this, but the three names would appear as 3 and
four character random alphabetical strings):
-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant/brute-force attempts
at my ssh server. It's interesting, but the major drop in attempts has
me more worried than the attempts (could this drop off be because they
no longer need to hack me? Could they have hacked me and that be the
reason why?)

How worried should I be, and what's the best recourse for this?

I have a *lot* of experience with hacked boxes.  They all share at least 
one of three things in common:

1) Not patched up to date
2) Incorrectly (or not at all) configured
3) Weak or default passwords

Those three things are the cause of almost every breakin I've seen.  The 
first is by far the greatest reason for breakins.  The second and third 
are less frequent but still often the case.  It is not at all uncommon 
to find a box running unpatched and unconfigured services that its owner 
had no idea were running.

If you have any of the above conditions, then you have something to be 
concerned about.  If you don't, then the reduction in attacks is most 
likely pure coincidence.

If you don't want your computer broken into:

1) Keep it patched and up to date at *all* times.  Eternal vigilance is 
the watchword.
2) Disable *and* remove all services you do not intend to run.  Don't 
install a program if you aren't going to be using it.
3) If you want to play around with something, configure it to respond to 
localhost *only* or restrict access to known IP addresses.
4) *Always* change default passwords and *never* use weak passwords.  A 
weak password is defined as a password that does not use special 
characters.  Period.  Alphanumeric passwords can resist brute force 
attacks for approximately one week using modern computers.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/