  1. #1
    Just Joined!
    Join Date
    Dec 2009
    Posts
    2

    Hacker Attempts


    I've been fighting with a hacker in my Web Server for the past couple of days. I thought I had Public Key auth set up for SSH, but it apparently wasn't configured on that server, so he was spamming ssh logins. He didn't get root, and I'm not sure how they got in at all, but he managed to start sending out attacks from my server. When I found out what was happening, I immediately brought down the external NIC and configured Public Key authentication for SSH, and to not accept passwords at all. It was peaceful for a few days, but then the server went down yesterday. I could ping it, but couldn't ssh in. I restarted the server and pulled up the logs. I found that the first time he had created and then removed users and groups named temp and crond. I believe it was the hacker anyway... after the second time it occurred to me that home directories were created when those users were added, so I just went in and deleted the home folders (I should have looked at the .bash_history at least before doing that, oh well).
    So, somehow he managed to restart my sshd and then could start spamming ssh again; this time the log files were saying "Illegal user ... From". Anyway, I just want this guy to stay out. How can I find out how he is getting in?

    My /var/log/secure file is empty, but my secure.1 file has stuff in it, that's where I saw the user creations and deletions. Why might the secure file be empty? Any help is greatly appreciated. Thanks!
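As an added example (not from the original poster or any reply), here is a small triage script for the situation described above: it pulls failed and "Illegal user" SSH attempts per source address, account and group changes like the temp/crond users, and any accepted logins that did not come from the expected management address out of a /var/log/secure-style file. The log lines and the management address 192.0.2.10 are constructed; point the functions at secure.1 to run it on the real file.

```shell
#!/bin/sh
# Added example: triage a /var/log/secure-style file. Sample lines are constructed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 14 03:12:01 web sshd[2101]: Illegal user oracle from 203.0.113.45
Dec 14 03:12:03 web sshd[2103]: Failed password for invalid user oracle from 203.0.113.45 port 40213 ssh2
Dec 14 03:12:05 web sshd[2105]: Illegal user test from 203.0.113.45
Dec 14 03:13:10 web sshd[2110]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec 14 03:20:44 web useradd[2200]: new group: name=temp, GID=1005
Dec 14 03:20:44 web useradd[2200]: new user: name=temp, UID=1005, GID=1005, home=/home/temp, shell=/bin/bash
Dec 14 03:41:02 web userdel[2310]: delete user 'temp'
Dec 14 03:50:00 web sshd[2400]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF

# Print "count ip" for every source with failed or illegal-user attempts, busiest
# first. Older OpenSSH logs "Illegal user", newer releases log "Invalid user".
failed_by_source() {
    grep -E 'sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password)' "$1" \
      | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Account and group changes: the temp/crond users from the post would show up here.
account_changes() {
    grep -E '(useradd|userdel|groupadd|groupdel)\[' "$1"
}

# Successful SSH logins from anywhere other than the expected management address.
unexpected_accepts() {
    grep 'sshd\[.*Accepted' "$1" | grep -v "from $2 "
}

echo "== failed attempts per source ==";            failed_by_source "$SAMPLE_LOG"
echo "== account changes ==";                       account_changes "$SAMPLE_LOG"
echo "== accepted logins not from 192.0.2.10 ==";   unexpected_accepts "$SAMPLE_LOG" 192.0.2.10 || true
```

An empty secure file next to a populated secure.1 is also what a routine logrotate run looks like, so compare the file's timestamps with the logrotate schedule before assuming it was wiped.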

  2. #2
    Linux Newbie
    Join Date
    Sep 2005
    Location
    CZ
    Posts
    164

    "Why might the secure file be empty?"
    Well, look at the last access time - that would be a hint whether it was cleared or simply nothing had to be logged.

    What do you call "spamming ssh logins"? Is it multiple attempts to log in?

    One way to prevent it is described here: Stopping SSH SPAM with PF! | Christopher J. Umina. A simple solution could be to block the hacker's IP... And wait whether the attacks stop...

    Another way is to disable ssh service, if applicable... Do you really need it running all the time?

  3. #3
    Linux Guru reed9
    Join Date
    Feb 2009
    Location
    Boston, MA
    Posts
    4,651
    Change ssh from the default port as well.

  4. #4
    Just Joined!
    Join Date
    Dec 2009
    Posts
    2
    Ok, so I set SSH to just listen on the internal address, so I can connect only from our network. I've also changed the default SSH port. I'll keep an eye on the logs for the next few days to make sure he's not getting back in.

    I read that page on using PF to keep SSH Spammers out, but I'm unfamiliar with what PF is. I googled it and it sounds like it is only available for OpenBSD. Is there a way to do something like this with IPTables?

    Thanks for your help and suggestions!

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Yes, you can do the same with IPTABLES. There are several ways to do this too.

    The real question is how did he get in? This is what you want to stop. Was it some sort of WEB code exploit? Or did he really just log in through ssh or telnet? Your log files should show you something, I would think.

    First thing you need to do is ensure you have your firewall blocking everything that is not needed for external access to the server and for that matter also the internal connection too. Good rule of thumb is to lock the firewall down totally and then just allow what is needed to access the server. Ensure that your POLICIES are set to DROP on all.

    Without knowing what you need or how you are setup, I don't want to guess at the rules. Here is a TUTORIAL which should help you with your rules. Should you require more help just let us know.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #6
    Just Joined!
    Join Date
    Jul 2004
    Location
    United States / West Coast
    Posts
    66
    Another way to solve this is to run APF with their BFD cron job. This is how I took care of my SSH spam issues. APF is a bit more straight forward than IPTABLES. You can setup inbound and outbound ports. I currently have no ports being allowed outbound and a select few inbound from specific IP. All ICMP traffic is rejected as well. Very easy tool to setup and manage. Projects | R-fx Networks

  7. #7
    Linux Guru Jonathan183
    Join Date
    Oct 2007
    Posts
    3,043
    Quote Originally Posted by alapierre:
    "He didn't get root, and I'm not sure how they got in at all ... I found that the first time he had created and then removed users and groups..."
    That sounds like root to me... You may be able to use this in addition to previous info to make things a bit more tricky for someone to get in in future, but I think the only way to be sure the system is clean is a re-install.

  8. #8
    Banned
    Join Date
    Feb 2010
    Posts
    31

    Very effective

    I find the combination of fail2ban and pam_abl to be very effective against brute force attacks.

    They are both easy to install and are designed to stop ssh brute force.
