| Linode Forum https://forum.linode.com/ |
|
| New entry for deny hosts, action needed? https://forum.linode.com/viewtopic.php?f=19&t=7697 |
Page 1 of 2 |
| Author: | Ericson578 [ Tue Sep 06, 2011 11:18 am ] |
| Post subject: | New entry for deny hosts, action needed? |
I'm new to network security and administering my own server, so I'm not sure if I need to do anything. This IP address: 72.10.39.52 was added to deny hosts, and when I searched my logs for activity involving this IP I got these results:

./auth.log:287:Sep 5 21:45:39 li200-196 sshd[3053]: Did not receive identification string from 72.10.39.52
./auth.log:301:Sep 5 23:56:34 li200-196 sshd[3112]: Invalid user globus from 72.10.39.52
./auth.log:302:Sep 5 23:56:34 li200-196 sshd[3115]: Invalid user condor from 72.10.39.52
./auth.log:303:Sep 5 23:56:35 li200-196 sshd[3117]: Invalid user tomcat from 72.10.39.52
./auth.log:304:Sep 5 23:56:36 li200-196 sshd[3119]: Invalid user global from 72.10.39.52
./auth.log:305:Sep 5 23:56:37 li200-196 sshd[3121]: Invalid user upload from 72.10.39.52
./auth.log:306:Sep 5 23:56:37 li200-196 sshd[3123]: Invalid user jboss from 72.10.39.52
./auth.log:307:Sep 5 23:56:38 li200-196 sshd[3125]: Invalid user postmaster from 72.10.39.52
./auth.log:308:Sep 5 23:56:39 li200-196 sshd[3127]: Invalid user demo from 72.10.39.52
./auth.log:309:Sep 5 23:56:40 li200-196 sshd[3129]: Invalid user apache from 72.10.39.52
./auth.log:310:Sep 5 23:56:40 li200-196 sshd[3131]: Invalid user postgres from 72.10.39.52
./auth.log:312:Sep 5 23:56:42 li200-196 sshd[3135]: Invalid user tester from 72.10.39.52
./auth.log:313:Sep 5 23:56:42 li200-196 sshd[3137]: Invalid user testing from 72.10.39.52
./auth.log:314:Sep 5 23:56:43 li200-196 sshd[3139]: Invalid user test from 72.10.39.52
./auth.log:315:Sep 5 23:56:44 li200-196 sshd[3141]: Invalid user photo from 72.10.39.52
./auth.log:316:Sep 5 23:56:45 li200-196 sshd[3143]: Invalid user oracle from 72.10.39.52
./auth.log:317:Sep 5 23:56:45 li200-196 sshd[3145]: Invalid user feedback from 72.10.39.52
./auth.log:318:Sep 5 23:56:46 li200-196 sshd[3147]: Invalid user sameer from 72.10.39.52
./auth.log:319:Sep 5 23:56:46 li200-196 sshd[3152]: refused connect from 72.10.39.52 (72.10.39.52)
./auth.log:324:Sep 6 00:29:09 li200-196 sshd[3168]: refused connect from 72.10.39.52 (72.10.39.52)

Should I be worried? I think my server is locked down ok, I followed the security tips from these forums. SSH doesn't allow root, or passwords, only accepts keys. I'm blocking most ports except for ssh, http, and I think one or two more. I'm thinking someone was trying to access their own linode but maybe was typing in the wrong address. But it also looks like the intruder was scanning my box... Any tips welcome! Thanks

edit: also found this in /var/log/auth.log

Sep 5 21:57:15 li200-196 sshd[3057]: Address 173.1.96.226 maps to 173.1.96.226.reverse.gogrid.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! |
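A small parser for grep output like the above, added here as an example (it is not code from the thread): it groups the sshd messages by source address and flags any source that ran through many usernames in a short window, which is the dictionary-attack shape in the log. The sample lines are a subset of the post's own log plus one constructed line from the 203.0.113.0/24 documentation range, and the year is assumed because auth.log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Optional "grep -n" prefix, syslog timestamp, host, sshd[pid], then the message.
LINE_RE = re.compile(r"^(?:[^\s:]+:\d+:)?(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from (\S+)$")
# Pre-auth noise: a probe that sent no identification string, and tcp-wrapper refusals after denyhosts acted.
OTHER_RE = re.compile(r"^(?:Did not receive identification string from|refused connect from) (\S+)")

def parse_auth_log(lines, year=2011):
    """Return {ip: {"users": set of names tried, "invalid_at": [timestamps], "other": count}}."""
    stats = defaultdict(lambda: {"users": set(), "invalid_at": [], "other": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # auth.log timestamps carry no year, so the caller supplies one (assumed 2011 here).
        ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (im := INVALID_RE.match(msg)):
            stats[im.group(2)]["users"].add(im.group(1))
            stats[im.group(2)]["invalid_at"].append(ts)
        elif (om := OTHER_RE.match(msg)):
            stats[om.group(1)]["other"] += 1
    return dict(stats)

def brute_force_sources(stats, min_users=5, max_seconds=300):
    """IPs that tried at least min_users distinct names within max_seconds: a username dictionary run."""
    flagged = []
    for ip, s in stats.items():
        if len(s["users"]) < min_users:
            continue
        span = (max(s["invalid_at"]) - min(s["invalid_at"])).total_seconds()
        if span <= max_seconds:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: the ./auth.log lines are from the post; the 203.0.113.9 line is made up to show a lone typo is not flagged.
SAMPLE = """\
./auth.log:287:Sep 5 21:45:39 li200-196 sshd[3053]: Did not receive identification string from 72.10.39.52
./auth.log:301:Sep 5 23:56:34 li200-196 sshd[3112]: Invalid user globus from 72.10.39.52
./auth.log:302:Sep 5 23:56:34 li200-196 sshd[3115]: Invalid user condor from 72.10.39.52
./auth.log:303:Sep 5 23:56:35 li200-196 sshd[3117]: Invalid user tomcat from 72.10.39.52
./auth.log:305:Sep 5 23:56:37 li200-196 sshd[3121]: Invalid user upload from 72.10.39.52
./auth.log:308:Sep 5 23:56:39 li200-196 sshd[3127]: Invalid user demo from 72.10.39.52
./auth.log:319:Sep 5 23:56:46 li200-196 sshd[3152]: refused connect from 72.10.39.52 (72.10.39.52)
Sep 5 22:10:01 li200-196 sshd[3060]: Invalid user bob from 203.0.113.9
""".splitlines()
```

Running `brute_force_sources(parse_auth_log(SAMPLE))` returns only 72.10.39.52; the five names in twelve seconds are what separates the scan from a neighbour mistyping an address.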
|
| Author: | Ericson578 [ Tue Sep 06, 2011 2:35 pm ] |
| Post subject: | found some info |
This article relates to the log entries I found: http://xpt.sourceforge.net/techdocs/nix ... 01s04.html

Based on that I think I'm set. I might change the ssh port to a higher one, but unless I see lots of attempts in my auth.log for now I think I'll hold off. If anyone thinks I should be taking any actions let me know. |
|
| Author: | vonskippy [ Tue Sep 06, 2011 3:05 pm ] |
| Post subject: | |
If you're really worried, have IPTABLES drop all traffic from that IP. |
|
| Author: | Ericson578 [ Tue Sep 06, 2011 3:39 pm ] |
| Post subject: | thanks |
vonskippy wrote: If you're really worried, have IPTABLES drop all traffic from that IP.

Thanks for the tip vonskippy. If I see any more attempts in the log I'll do just that. Since I'm using Ubuntu 11.04 I'm using ufw to manage my iptables. For anyone reading this and wanting to know how to block an IP address using ufw, do this as root:

Code: ufw deny from <ip address>

Or if you already have port 80 open, this will override any later rules. In that case edit /etc/ufw/before.rules and add a section "Block IP" after "Drop INVALID packets":

Code: -A ufw-before-input -s 111.222.3.44 -j DROP

Source: https://help.ubuntu.com/community/UFW |
|
| Author: | FunkyRes [ Wed Sep 07, 2011 2:50 am ] |
| Post subject: | |
Run sshd on a high port. That's a brute force attack, the IP the attack came from probably was hacked itself, and if the brute force worked, YOUR IP might be in someone else's logs doing the same thing. Use a port > 1024 for sshd and you will rarely ever see a brute force attempt again.

sshd configuration may be in a different place in your distro, but edit /etc/ssh/sshd_config. Make sure "Port 22" is commented out, and under it put "Port 1331" (or whatever port you choose).

Also, by default setups for linode allow you to ssh in as root. Make sure you have a non-root user you can log in with, then make sure "PermitRootLogin no" is set in the same file. Restart the sshd daemon and you will rarely if ever see a brute force attempt against that service again.

You will need to set up your ssh client to connect to a different port. See your client documentation (or ask someone who uses the same client). |
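The advice above depends on how sshd reads its config: every uncommented Port line adds a listener rather than replacing the previous one, and for most other keywords the first value in the file wins, so a later "PermitRootLogin no" does nothing if an earlier line says yes. This checker, added as an example and not code from the thread, applies those rules to a constructed sshd_config and reports what would actually be in effect; the defaults table is an assumption drawn from the OpenSSH manual.

```python
# Keywords the thread discusses, with the OpenSSH defaults used when no line sets them
# (PermitRootLogin defaulted to "yes" in the 2011-era releases; OpenSSH 7.0 and later
# default to "prohibit-password", which still blocks password logins for root).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "allowusers": None}

def effective_settings(config_text):
    """Apply sshd_config's rules: Port lines accumulate (each adds a listener), other
    keywords keep the first value seen, and lines after a Match block apply conditionally."""
    ports, found = [], {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # a commented-out "#Port 22" disappears here
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        elif key in DEFAULTS and key not in found:
            found[key] = value
    settings = {k: found.get(k, d) for k, d in DEFAULTS.items()}
    settings["ports"] = ports or [22]           # no Port line at all means the default, 22
    return settings

def findings(settings):
    """Problems a key-only, no-root setup like the poster's should not show."""
    out = []
    if 22 in settings["ports"]:
        out.append("still listening on port 22: a second Port line adds a listener, it does not replace one")
    if settings["permitrootlogin"] != "no":
        out.append("root login permitted (PermitRootLogin %s)" % settings["permitrootlogin"])
    if settings["passwordauthentication"] != "no":
        out.append("password logins permitted (PasswordAuthentication %s)" % settings["passwordauthentication"])
    return out

# Constructed config: Port 22 left active beside the new port, and a later PermitRootLogin no
# that sshd ignores because the first value wins.
SAMPLE_CONFIG = """\
Port 22
Port 1331
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
"""
```

`findings(effective_settings(SAMPLE_CONFIG))` reports two problems, the stray port 22 listener and root login, while the "PermitRootLogin no" on the fifth line is silently ignored; `sshd -T` on a real host prints the same effective values and is the authoritative check after editing.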
|
| Author: | FunkyRes [ Wed Sep 07, 2011 2:53 am ] |
| Post subject: | Re: found some info |
Ericson578 wrote: This article relates to the log entries I found: http://xpt.sourceforge.net/techdocs/nix ... 01s04.html Based on that I think I'm set. I might change the ssh port to a higher one, but unless I see lots of attempts in my auth.log for now I think I'll hold off. If anyone thinks I should be taking any actions let me know

Do it. You will see daily attacks against it soon if you do not already. Didn't take long with my first linode to see daily attacks against the sshd port. |
|
| Author: | glg [ Wed Sep 07, 2011 9:28 am ] |
| Post subject: | Re: found some info |
FunkyRes wrote: Do it. You will see daily attacks against it soon if you do not already. Didn't take long with my first linode to see daily attacks against the sshd port.

So? If you have passwords disabled, who cares if someone is trying to hit your sshd? You can install fail2ban if the logs are getting annoying. Changing sshd to a high port is obscurity, not security. A port scan will easily find it. |
|
| Author: | Ericson578 [ Wed Sep 07, 2011 11:33 am ] |
| Post subject: | Re: found some info |
glg wrote: So? If you have passwords disabled, who cares if someone is trying to hit your sshd? You can install fail2ban if the logs are getting annoying. Changing sshd to a high port is obscurity, not security. A port scan will easily find it.

Thanks glg, that was the direction I was leaning towards. In my current setup sshd doesn't accept passwords, only keys, and doesn't allow root access. I was looking around in the sshd config file and found a place to specify which users can log in, but I'm worried that I might accidentally prevent the linode web-based ssh access which I want to keep around as a last resort. |
|
| Author: | Ericson578 [ Wed Sep 07, 2011 11:35 am ] |
| Post subject: | Zombie boxes |
FunkyRes wrote: That's a brute force attack, the IP the attack came from probably was hacked itself, and if the brute force worked, YOUR ip might be in someone else's logs doing the same thing.
I don't think I was hacked, but if my machine was making outgoing ssh attempts how could I tell? |
|
| Author: | FunkyRes [ Wed Sep 07, 2011 1:34 pm ] |
| Post subject: | |
I doubt you were hacked, but just pointing out that banning an IP may not be the best course of action. Attacks will still happen and legitimate users of that IP (now or in the future) won't be able to reach you, even when the problem no longer exists. |
|
| Author: | Ericson578 [ Wed Sep 07, 2011 1:42 pm ] |
| Post subject: | do zombie boxes have a tell? |
I don't think I was hacked either. But I'm genuinely interested in knowing how to monitor my box to see if it's making strange outgoing requests. Any ideas? I'm assuming there's a log file somewhere where I can view outgoing connection attempts. |
|
| Author: | FunkyRes [ Wed Sep 07, 2011 1:54 pm ] |
| Post subject: | |
When you are hacked, things like log files can't be trusted to be accurate. I'm not sure what log (if any) an outgoing portscan or ssh attempts would touch. netstat might help. |
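As an added example for the question of spotting outgoing ssh attempts (not code from the thread): netstat reads the same kernel table that /proc/net/tcp exposes, so this script decodes that table directly and lists connections whose remote port is the ssh port, which is the direction a compromised box scanning others would show, while the admin's own inbound session has the ssh port on the local side and is not reported. The snapshot is constructed with documentation-range addresses, and the address decoding assumes a little-endian host.

```python
import os
import socket
import struct

STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x0A: "LISTEN"}

def decode_endpoint(field):
    """'0500000A:0016' -> ('10.0.0.5', 22). /proc/net/tcp writes the IPv4 address as one
    hex word in host byte order; this assumes a little-endian host (x86, like a Linode)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def outbound_ssh(proc_net_tcp, ssh_port=22):
    """Return (local, remote, state) for sockets whose *remote* port is ssh_port.
    SYN_SENT entries are attempts nobody has answered yet. IPv4 only: /proc/net/tcp6
    has the same layout but 32-hex-digit addresses and is not handled here."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, remote = decode_endpoint(fields[1]), decode_endpoint(fields[2])
        state = STATES.get(int(fields[3], 16), fields[3])
        if remote[1] == ssh_port and state in ("ESTABLISHED", "SYN_SENT"):
            hits.append(("%s:%d" % local, "%s:%d" % remote, state))
    return hits

# Constructed snapshot: our sshd listening, the admin's own inbound session from 198.51.100.7,
# two outbound connections to port 22 owned by uid 33, and one ordinary connection to a web server.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001
   1: 0500000A:0016 076433C6:C822 01 00000000:00000000 00:00000000 00000000     0        0 10002
   2: 0500000A:9CBB 147100CB:0016 02 00000000:00000000 00:00000000 00000000    33        0 10003
   3: 0500000A:9CBC 157100CB:0016 01 00000000:00000000 00:00000000 00000000    33        0 10004
   4: 0500000A:9CBD 327100CB:0050 01 00000000:00000000 00:00000000 00000000     0        0 10005
"""

if __name__ == "__main__":
    # Read the live table on a Linux host; fall back to the constructed snapshot elsewhere.
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE
    for local, remote, state in outbound_ssh(text):
        print(local, "->", remote, state)
```

Like netstat, this reads the live kernel table, so a rootkit that hides sockets defeats it; a packet capture or a look at the traffic from a second host is the stronger check when the box itself is in doubt.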
|
| Author: | hoopycat [ Wed Sep 07, 2011 5:36 pm ] |
| Post subject: | |
You'll probably receive a ticket from Linode in a frighteningly short amount of time. Mass ssh scans aren't exactly subtle. For what it's worth, here's my decision tree for denyhosts alerts:

1) Is it from a Linode IP? If no, archive the e-mail.
2) Is it from within the last few hours? If no, archive the e-mail.
3) Forward it to abuse@linode.com with the usual boilerplate (including my IP address and the time zone).
4) Receive confirmation that it is being dealt with.

I used to notify other abuse desks, but I get too darned many to care much more than that. And yes, ssh lives on port 22. I need less cruft riding around in my dotfiles repository, not more. |
|
| Author: | FunkyRes [ Thu Sep 08, 2011 1:02 am ] |
| Post subject: | |
Less cruft is not an excuse for poor administration. Moving ssh to another port allows you to close port 22. When the port scan sees it is closed, the brute force is not even tried. When the brute force is not even tried, your server doesn't use resources responding to the request and no file I/O is used logging the attempts. Some services you really can't easily run on other ports, but ssh daemon is one you can, and you really should look at the config file anyway because the defaults are rarely a perfect match for what you really want to do. |
|
| Author: | mnordhoff [ Thu Sep 08, 2011 1:47 am ] |
| Post subject: | Re: found some info |
Ericson578 wrote: ... I'm worried that I might accidentally prevent the linode web-based ssh access which I want to keep around as a last resort.
Lish logs into your node over the virtual equivalent of a serial console, not your node's sshd. That's why it works even if you break networking. By the way, lish is also available via ssh to the host -- to emphasize, you ssh to the *host*, which accesses your node via the serial console. It's much better than the terrible Ajax console. |
|
| Page 1 of 2 | All times are UTC-04:00 |