Linode Community Forums
New entry for deny hosts, action needed?

       Linode Forum Index -> Linux Networking
Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Tue Sep 06, 2011 10:18 am    Post subject: New entry for deny hosts, action needed?

I'm new to network security and administering my own server, so I'm not sure if I need to do anything.

This IP address, 72.10.39.52, was added to DenyHosts, and when I searched my logs for activity involving this IP I got these results:


./auth.log:287:Sep 5 21:45:39 li200-196 sshd[3053]: Did not receive identification string from 72.10.39.52
./auth.log:301:Sep 5 23:56:34 li200-196 sshd[3112]: Invalid user globus from 72.10.39.52
./auth.log:302:Sep 5 23:56:34 li200-196 sshd[3115]: Invalid user condor from 72.10.39.52
./auth.log:303:Sep 5 23:56:35 li200-196 sshd[3117]: Invalid user tomcat from 72.10.39.52
./auth.log:304:Sep 5 23:56:36 li200-196 sshd[3119]: Invalid user global from 72.10.39.52
./auth.log:305:Sep 5 23:56:37 li200-196 sshd[3121]: Invalid user upload from 72.10.39.52
./auth.log:306:Sep 5 23:56:37 li200-196 sshd[3123]: Invalid user jboss from 72.10.39.52
./auth.log:307:Sep 5 23:56:38 li200-196 sshd[3125]: Invalid user postmaster from 72.10.39.52
./auth.log:308:Sep 5 23:56:39 li200-196 sshd[3127]: Invalid user demo from 72.10.39.52
./auth.log:309:Sep 5 23:56:40 li200-196 sshd[3129]: Invalid user apache from 72.10.39.52
./auth.log:310:Sep 5 23:56:40 li200-196 sshd[3131]: Invalid user postgres from 72.10.39.52
./auth.log:312:Sep 5 23:56:42 li200-196 sshd[3135]: Invalid user tester from 72.10.39.52
./auth.log:313:Sep 5 23:56:42 li200-196 sshd[3137]: Invalid user testing from 72.10.39.52
./auth.log:314:Sep 5 23:56:43 li200-196 sshd[3139]: Invalid user test from 72.10.39.52
./auth.log:315:Sep 5 23:56:44 li200-196 sshd[3141]: Invalid user photo from 72.10.39.52
./auth.log:316:Sep 5 23:56:45 li200-196 sshd[3143]: Invalid user oracle from 72.10.39.52
./auth.log:317:Sep 5 23:56:45 li200-196 sshd[3145]: Invalid user feedback from 72.10.39.52
./auth.log:318:Sep 5 23:56:46 li200-196 sshd[3147]: Invalid user sameer from 72.10.39.52
./auth.log:319:Sep 5 23:56:46 li200-196 sshd[3152]: refused connect from 72.10.39.52 (72.10.39.52)
./auth.log:324:Sep 6 00:29:09 li200-196 sshd[3168]: refused connect from 72.10.39.52 (72.10.39.52)


Should I be worried? I think my server is locked down ok, I followed the security tips from these forums. SSH doesn't allow root, or passwords, only accepts keys. I'm blocking most ports except for ssh, http, and I think one or two more.

I'm thinking someone was trying to access their own linode but maybe was typing in the wrong address. But it also looks like the intruder was scanning my box...

Any tips welcome! Thanks :)

edit: also found this in /var/log/auth.log

Sep 5 21:57:15 li200-196 sshd[3057]: Address 173.1.96.226 maps to 173.1.96.226.reverse.gogrid.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
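Added example, not from the post above and not DenyHosts code: a small Python parser for the sshd messages quoted there. It classifies each line, counts events per source address, and flags a source that tried several distinct usernames inside a short window, which is the pattern DenyHosts reacts to. The log text inside it is constructed to mirror the posted lines, with two extra lines (an accepted key login, and a single invalid user from a second address) so the output shows what does not get flagged; the 5-user/5-minute threshold is this example's assumption, not a DenyHosts default.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post; not a real auth.log.
SAMPLE_AUTH_LOG = """\
Sep  5 21:45:39 li200-196 sshd[3053]: Did not receive identification string from 72.10.39.52
Sep  5 21:57:15 li200-196 sshd[3057]: Address 173.1.96.226 maps to 173.1.96.226.reverse.gogrid.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep  5 23:56:34 li200-196 sshd[3112]: Invalid user globus from 72.10.39.52
Sep  5 23:56:34 li200-196 sshd[3115]: Invalid user condor from 72.10.39.52
Sep  5 23:56:35 li200-196 sshd[3117]: Invalid user tomcat from 72.10.39.52
Sep  5 23:56:36 li200-196 sshd[3119]: Invalid user global from 72.10.39.52
Sep  5 23:56:37 li200-196 sshd[3121]: Invalid user upload from 72.10.39.52
Sep  5 23:56:46 li200-196 sshd[3152]: refused connect from 72.10.39.52 (72.10.39.52)
Sep  6 00:29:09 li200-196 sshd[3168]: refused connect from 72.10.39.52 (72.10.39.52)
Sep  6 08:12:01 li200-196 sshd[3301]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Sep  6 08:15:44 li200-196 sshd[3320]: Invalid user admin from 203.0.113.9
"""

# Syslog prefix: month, day (one or two spaces before it), time, host, "sshd[pid]:".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$"
)

# Message patterns. The kind labels are this example's, not sshd's.
MSG_PATTERNS = [
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")),
    # TCP connect that closed without ever sending an SSH banner: a scanner or a port check.
    ("no_ident", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
    # libwrap reporting that the hosts.deny entry (the one DenyHosts wrote) took effect.
    ("refused", re.compile(r"^refused connect from (?P<ip>\S+)")),
    # Only says the PTR record does not resolve back to the address; not evidence of an attack.
    ("rdns_mismatch", re.compile(r"^Address (?P<ip>\S+) maps to \S+, but this does not map back")),
]


def parse_auth_log(text, year=2011):
    """Turn sshd lines into events {ts, kind, ip, user}. Syslog has no year, so it is a parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (cron, sudo, ...)
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        for kind, pat in MSG_PATTERNS:
            mm = pat.match(m["msg"])
            if mm:
                events.append({"ts": ts, "kind": kind, "ip": mm["ip"], "user": mm.groupdict().get("user")})
                break
    return events


def summarize_by_ip(events):
    """Per-source counts of each event kind plus the set of usernames that were tried."""
    summary = defaultdict(lambda: {"counts": defaultdict(int), "users": set()})
    for e in events:
        s = summary[e["ip"]]
        s["counts"][e["kind"]] += 1
        if e["user"] and e["kind"] != "accepted":
            s["users"].add(e["user"])
    return summary


def find_bruteforce(events, min_users=5, window_seconds=300):
    """Sources that tried at least min_users distinct usernames within window_seconds.
    Returns (ip, distinct_users, window_start, window_end) for the first window that qualifies."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("invalid_user", "failed_password"):
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1  # slide the window start forward
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= min_users:
                hits.append((ip, len(users), evs[lo]["ts"], evs[hi]["ts"]))
                break
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, s in summarize_by_ip(evs).items():
        print(ip, dict(s["counts"]), sorted(s["users"]))
    for ip, n, start, end in find_bruteforce(evs):
        print(f"brute force: {ip} tried {n} usernames between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Run against the posted lines, only 72.10.39.52 is reported, for the username sweep; the "Did not receive identification string", "refused connect" and reverse-DNS lines are each explained in the pattern comments and none of them on its own indicates a compromise.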

Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Tue Sep 06, 2011 1:35 pm    Post subject: found some info

This article relates to the logs entries I found: http://xpt.sourceforge.net/techdocs/nix/conn/ssh/ssh06-SshServerSecurity/ar01s04.html

Based on that I think I'm set. I might change the ssh port to a higher one, but unless I see lots of attempts in my auth.log for now I think I'll hold off.

If anyone thinks I should be taking any actions let me know :)

vonskippy (Joined: 27 Dec 2009; Posts: 469; Location: Colorado, USA)
Posted: Tue Sep 06, 2011 2:05 pm

If you're really worried, have IPTABLES drop all traffic from that IP.

Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Tue Sep 06, 2011 2:39 pm    Post subject: thanks

vonskippy wrote: If you're really worried, have IPTABLES drop all traffic from that IP.

Thanks for the tip, vonskippy. If I see any more attempts in the log I'll do just that.

Since I'm using Ubuntu 11.04 I'm using ufw to manage my iptables. For anyone reading this and wanting to know how to block an IP address using ufw, do this as root:

Code: ufw deny from <ip address>

Or if you already have port 80 open, this will override any later rules. In that case edit /etc/ufw/before.rules and add a section "Block IP" after "Drop INVALID packets" :

Code: -A ufw-before-input -s 111.222.3.44 -j DROP

Source: https://help.ubuntu.com/community/UFW
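Added example, not from the post above and not ufw's own code: a toy model of the first-match evaluation that iptables (and therefore ufw) uses, to show why the two approaches in that post behave differently. `ufw deny from <ip>` appends to the ufw-user-input chain, after any `ufw allow` rules already there, while a line in /etc/ufw/before.rules lands in ufw-before-input, which is traversed first. The rules and addresses are constructed, and the model assumes a single flat chain with ufw's default-deny fallthrough.

```python
import ipaddress

# A rule is (action, source network or None for any, destination port or None, protocol or None).


def first_match(rules, src_ip, dport, proto="tcp", default="drop"):
    """iptables semantics: walk the chain in order, the first matching rule decides.
    ufw's default incoming policy is deny (DROP), which is the fallthrough here."""
    ip = ipaddress.ip_address(src_ip)
    for action, src_net, rule_port, rule_proto in rules:
        if src_net is not None and ip not in ipaddress.ip_network(src_net):
            continue
        if rule_port is not None and rule_port != dport:
            continue
        if rule_proto is not None and rule_proto != proto:
            continue
        return action
    return default


def build_chain(before_rules, user_rules):
    """ufw jumps to ufw-before-input (fed by /etc/ufw/before.rules) before ufw-user-input
    (fed by `ufw allow` / `ufw deny`), so before.rules entries are always evaluated first."""
    return list(before_rules) + list(user_rules)


# Constructed: what `ufw allow 22/tcp` and `ufw allow 80/tcp` put into ufw-user-input.
USER_RULES = [("allow", None, 22, "tcp"), ("allow", None, 80, "tcp")]
BAD_IP = "72.10.39.52"
DENY_BAD = ("deny", BAD_IP + "/32", None, None)


def appended_deny():
    """`ufw deny from 72.10.39.52` run after the allows: appended to the END of ufw-user-input,
    so port 80 from that address is still accepted by the earlier allow rule."""
    chain = build_chain([], USER_RULES + [DENY_BAD])
    return first_match(chain, BAD_IP, 80)


def inserted_deny():
    """`ufw insert 1 deny from 72.10.39.52`: placed at the TOP of ufw-user-input."""
    chain = build_chain([], [DENY_BAD] + USER_RULES)
    return first_match(chain, BAD_IP, 80)


def before_rules_deny():
    """The before.rules line from the post (-A ufw-before-input -s <ip> -j DROP):
    evaluated before every user rule. Returns (verdict for the bad IP, verdict for another client)."""
    chain = build_chain([("drop", BAD_IP + "/32", None, None)], USER_RULES)
    return first_match(chain, BAD_IP, 80), first_match(chain, "198.51.100.7", 80)


if __name__ == "__main__":
    print("appended deny, port 80 from bad IP:", appended_deny())
    print("inserted deny, port 80 from bad IP:", inserted_deny())
    print("before.rules drop (bad IP, other client):", before_rules_deny())
```

`ufw insert 1 deny from <ip>` is real ufw syntax and gives the same effect as the before.rules edit without leaving the ufw rule set; `ufw status numbered` shows the order the rules are actually evaluated in.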

FunkyRes (Joined: 02 Oct 2008; Posts: 97)
Posted: Wed Sep 07, 2011 1:50 am

Run sshd on a high port.

That's a brute force attack, the IP the attack came from probably was hacked itself, and if the brute force worked, YOUR ip might be in someone else's logs doing the same thing.

Use a port > 1024 for sshd and you will rarely ever see a brute force attempt again.

sshd configuration may be in a different place in your distro, but edit

/etc/ssh/sshd_config

Make sure Port 22 is commented out, and under it put

Port 1331

(or whatever port you choose)

Also, by default setups for linode allow you to ssh in as root.
Make sure you have a non root user you can log in with, then make sure

PermitRootLogin no

is set in the same file.

Restart the sshd daemon and you will rarely if ever see a brute force attempt against that service again.

You will need to set up your ssh client to connect to a different port.
See your client documentation (or ask someone who uses the same client).
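Added example, not from the post above and not OpenSSH code: a checker for the sshd_config settings discussed in this thread, written around a rule that bites people who append lines to the file: sshd uses the first value it sees for each keyword, so a `PermitRootLogin no` added below an existing `PermitRootLogin yes` changes nothing. Both config texts are constructed. The keywords are OpenSSH's, and the defaults used when a keyword is absent are the ones that applied at the time (PermitRootLogin defaulted to yes; ChallengeResponseAuthentication defaults to yes, and with UsePAM that still lets a password in over keyboard-interactive even when PasswordAuthentication is no). Match blocks are only collected as overrides; their criteria are not evaluated.

```python
# Constructed sample of the "appended a fix" mistake; not a real server's file.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
# appended later: has no effect, the first PermitRootLogin above wins
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

# Constructed: the layout FunkyRes describes (Port 22 commented out, new port under it).
FIXED_SSHD_CONFIG = """\
#Port 22
Port 1331
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
AllowUsers deploy
"""

# (keyword, required value, OpenSSH default when the keyword is absent)
REQUIRED = [
    ("permitrootlogin", "no", "yes"),
    ("passwordauthentication", "no", "yes"),
    ("challengeresponseauthentication", "no", "yes"),
    ("pubkeyauthentication", "yes", "yes"),
]


def parse_sshd_config(text):
    """Return (effective_globals, match_blocks). For each keyword sshd keeps the FIRST
    occurrence and ignores later duplicates; keywords are case-insensitive. Everything
    after a Match line belongs to that block until the next Match line."""
    effective, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "options": {}}
            match_blocks.append(current)
        elif current is not None:
            current["options"].setdefault(key, value)
        else:
            effective.setdefault(key, value)  # first occurrence wins
    return effective, match_blocks


def audit_sshd_config(text):
    """List the settings whose effective value differs from what this thread recommends."""
    effective, match_blocks = parse_sshd_config(text)
    findings = []
    for key, want, default in REQUIRED:
        have = effective.get(key, default)
        if have.lower() != want:
            findings.append(f"{key}: effective value '{have}', want '{want}'")
    for block in match_blocks:
        for key, want, _ in REQUIRED:
            if key in block["options"] and block["options"][key].lower() != want:
                findings.append(f"Match {block['criteria']}: {key} overridden to '{block['options'][key]}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("fixed", FIXED_SSHD_CONFIG)):
        eff, _ = parse_sshd_config(cfg)
        print(name, "listens on port", eff.get("port", "22"))
        for f in audit_sshd_config(cfg):
            print("  ", f)
```

On the live box, `sshd -T` prints the effective values after parsing, which is the quickest way to confirm what the daemon actually loaded before restarting it; and since the first occurrence wins, edit the existing line rather than adding a new one at the bottom.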

FunkyRes (Joined: 02 Oct 2008; Posts: 97)
Posted: Wed Sep 07, 2011 1:53 am    Post subject: Re: found some info

Ericson578 wrote: This article relates to the logs entries I found: http://xpt.sourceforge.net/techdocs/nix/conn/ssh/ssh06-SshServerSecurity/ar01s04.html

Based on that I think I'm set. I might change the ssh port to a higher one, but unless I see lots of attempts in my auth.log for now I think I'll hold off.

If anyone thinks I should be taking any actions let me know :)

Do it. You will see daily attacks against it soon if you do not already.
Didn't take long with my first linode to see daily attacks against the sshd port.

glg (Joined: 09 Jan 2009; Posts: 505)
Posted: Wed Sep 07, 2011 8:28 am    Post subject: Re: found some info

FunkyRes wrote: Do it. You will see daily attacks against it soon if you do not already.
Didn't take long with my first linode to see daily attacks against the sshd port.

So? If you have passwords disabled, who cares if someone is trying to hit your sshd? You can install fail2ban if the logs are getting annoying.

Changing sshd to a high port is obscurity, not security. A port scan will easily find it.

Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Wed Sep 07, 2011 10:33 am    Post subject: Re: found some info

glg wrote: So? If you have passwords disabled, who cares if someone is trying to hit your sshd? you can install fail2ban if the logs are getting annoying.

Changing sshd to a high port is obscurity, not security. A port scan will easily find it.

Thanks glg, that was the direction I was leaning towards.

In my current setup, sshd doesn't accept passwords, only keys, and doesn't allow root access. I was looking around in the sshd config file and found a place to specify which users can log in, but I'm worried that I might accidentally prevent the Linode web-based ssh access, which I want to keep around as a last resort.

Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Wed Sep 07, 2011 10:35 am    Post subject: Zombie boxes

FunkyRes wrote: That's a brute force attack, the IP the attack came from probably was hacked itself, and if the brute force worked, YOUR ip might be in someone else's logs doing the same thing.

I don't think I was hacked, but if my machine was making outgoing ssh attempts how could I tell?

FunkyRes (Joined: 02 Oct 2008; Posts: 97)
Posted: Wed Sep 07, 2011 12:34 pm

I doubt you were hacked, but just pointing out that banning an IP may not be the best course of action. Attacks will still happen and legitimate users of that IP (now or in the future) won't be able to reach you, even when the problem no longer exists.

Ericson578 (Joined: 08 Jul 2011; Posts: 43; Location: United States)
Posted: Wed Sep 07, 2011 12:42 pm    Post subject: do zombie boxes have a tell?

I don't think I was hacked either. But I'm genuinely interested in knowing how to monitor my box to see if it's making strange outgoing requests.

Any ideas? I'm assuming there's a log file somewhere where I can view outgoing connection attempts.

FunkyRes (Joined: 02 Oct 2008; Posts: 97)
Posted: Wed Sep 07, 2011 12:54 pm

When you are hacked, things like log files can't be trusted to be accurate.

I'm not sure what log (if any) an outgoing portscan or ssh attempts would touch.

netstat might help.

hoopycat (Joined: 30 Aug 2008; Posts: 1294; Location: Rochester, New York)
Posted: Wed Sep 07, 2011 4:36 pm

You'll probably receive a ticket from Linode in a frighteningly short amount of time. Mass ssh scans aren't exactly subtle.

For what it's worth, here's my decision tree for denyhosts alerts:

1) Is it from a Linode IP? If no, archive the e-mail.
2) Is it from within the last few hours? If no, archive the e-mail.
3) Forward it to abuse@linode.com with the usual boilerplate (including my IP address and the time zone).
4) Receive confirmation that it is being dealt with.

I used to notify other abuse desks, but I get too darned many to care much more than that. :-) For the 24 hours ending at 8am this morning, my home router dropped 1954 packets from 211 sources; a number of these are probably "bad", but I simply cannot gather together enough free time to do much more than ship the logs off to DShield. Receiving attacks is an indication of a healthy and fully-functional Internet connection.

And yes, ssh lives on port 22. I need less cruft riding around in my dotfiles repository, not more.

FunkyRes (Joined: 02 Oct 2008; Posts: 97)
Posted: Thu Sep 08, 2011 12:02 am

Less cruft is not an excuse for poor administration.

Moving ssh to another port allows you to close port 22.
When the port scan sees it is closed, the brute force is not even tried.
When the brute force is not even tried, your server doesn't use resources responding to the request and no file I/O is used logging the attempts.

Some services you really can't easily run on other ports, but ssh daemon is one you can, and you really should look at the config file anyway because the defaults are rarely a perfect match for what you really want to do.

mnordhoff (Joined: 03 May 2008; Posts: 451)
Posted: Thu Sep 08, 2011 12:47 am    Post subject: Re: found some info

Ericson578 wrote: ... I'm worried that I might accidentally prevent the linode web-based ssh access which I want to keep around as a last resort.
Lish logs into your node over the virtual equivalent of a serial console, not your node's sshd. That's why it works even if you break networking.

By the way, lish is also available via ssh to the host -- to emphasize, you ssh to the *host*, which accesses your node via the serial console. It's much better than the terrible Ajax console. :)
Page 1 of 2