  1. #11
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578

    The IP was in the syslog as well. Finding out the geographical location of an IP address is rather easy, actually. All you have to do is use the whois databases. For a domain name, you can use the whois database of the NIC (network information center) responsible for that TLD (top level domain). For an IP address (my curse on the people who say IP number), you will have to use the whois databases of ARIN (for American addresses), RIPE (for European addresses) or APNIC (for Asian addresses).
    In this example, the command "whois -h whois.ripe.net 62.231.98.116" explicitly states that it is an internet cafe in Romania.
    Anyway, might I suggest disabling password authentication entirely and only allow public key authentication?

  2. #12
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    I can't disable it completely because it is a shell server with close to 100 users on it. Wouldn't want to lose any customers from that. You shouldn't have to specify which whois database to use anymore, it should pick it on its own. I know mine does, I am using version 4.6.2. Though I have heard of some people on Debian who still need to specify the database, not sure what version they are on.

  3. #13
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Ah! Then it might be a bad idea... I thought this was a web server or something.
    About whois... 4.6.2? I'm suspecting that you're using some other program than I do, because mine is shipped with RH8 and it's version 1.0.10.

  5. #14
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    Can the hacker have used the ssl-exploit that was discovered not so long ago?? Ssh is using ssl in the "bottom". In that case the intruder can have got hold of your ssh-keys with a timing attack. That could explain why he didn't get prompted for a password??!..maybe...

    Make sure to update your ssl-packages and set

    PermitRootLogin no
    And use only Version 2 keys

    in your /etc/ssh/sshd_config. It's crazy to let root have direct access, it's not so hard to su when you have logged on with your own account, if you can. Read about the ssl-exploit here

    http://archives.neohapsis.com/archiv...3-04/0013.html

    I hope we can figure out what happened....it's good for all of us to know how to prevent this from happening again...

    Regards

    Andutt
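The advice in #11 (public keys only) and #14 (PermitRootLogin no, protocol 2 only) can be checked mechanically. The script below is an added example, not code from anyone in this thread; it audits an sshd_config the way sshd reads it (first uncommented occurrence of a keyword wins) and runs against two constructed sample files. The defaults it assumes for absent keywords (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2,1) are those of OpenSSH releases of that era and are an assumption here.

```shell
#!/bin/sh
# Audit an sshd_config for the settings raised in this thread:
# root login, password vs public-key authentication, protocol version.

# sshd honours the FIRST occurrence of a keyword, so take the first
# uncommented match; the keyword is case-insensitive, the value is not.
sshd_setting() {            # $1 file, $2 keyword, $3 value assumed if absent
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Prints one "WEAK: ..." line per risky setting; prints nothing when clean.
# Assumed defaults for absent keywords: PermitRootLogin yes,
# PasswordAuthentication yes, Protocol 2,1 (old OpenSSH behaviour).
audit_sshd_config() {
    cfg="$1"
    root=$(sshd_setting "$cfg" PermitRootLogin yes)
    pass=$(sshd_setting "$cfg" PasswordAuthentication yes)
    proto=$(sshd_setting "$cfg" Protocol 2,1)
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin $root (set it to no)" ;;
    esac
    [ "$pass" = no ] || echo "WEAK: PasswordAuthentication $pass (use public keys only)"
    case ",$proto," in
        *,1,*) echo "WEAK: Protocol $proto (SSH-1 allowed; set Protocol 2)" ;;
    esac
}

# Constructed sample configs: the weak one resembles the setup under
# discussion, the hardened one applies the thread's advice.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
Protocol 2,1
# PermitRootLogin no      <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARDENED_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

audit_sshd_config "$WEAK_CFG"       # three WEAK lines
audit_sshd_config "$HARDENED_CFG"   # no output
```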

  6. #15
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    It wasn't the ssl exploit because I patched against that already, sometime back in April. Permitting root login isn't a security risk, not like anyone is going to sniff our packets then crack 3des anytime soon. Also if you would look at the logs I posted, you will see that it did prompt him for a password and he entered the incorrect one, then it logged him in.

  7. #16
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    3des? Correct me if I'm wrong, but doesn't SSH use blowfish?

  8. #17
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    3des is the default unless you specify otherwise in sshd_config.

  9. #18
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    You sure? I find it strange that OpenSSH's logo is a blowfish if they don't use it primarily. On the other hand, the logo has just made me assume that they're using it, so I might very well be wrong.

  10. #19
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    Can the user somehow have got hold of your root password from the mysql database and run a dictionary program against it...but then the logs wouldn't have said incorrect password, if it wasn't the first attempt or something?? Did you have a strong root password??

    And I think it's a security risk to have direct root access, then it would have been more difficult for the hacker to have done something, if he had to log on with a normal account first....When you establish the ssh tunnel there's quite much "talk" back and forth between the hosts...maybe it's possible to "see" something there.. a bug maybe? If the tunnel already is established...well then no one outside can see anything.

    OpenSSH is using the following keys

    The rest of the session is encrypted using a symmetric cipher, currently
    128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit
    AES. The client selects the encryption algorithm to use from those offered
    by the server. Additionally, session integrity is provided through
    a cryptographic message authentication code (hmac-sha1 or hmac-md5).

    Regards

    Andutt

  11. #20
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Quote Originally Posted by andutt
    And I think it's a security risk to have direct root access, then it would have been more difficult for the hacker to have done something, if he had to log on with a normal account first....When you establish the ssh tunnel there's quite much "talk" back and forth between the hosts...maybe it's possible to "see" something there.. a bug maybe? If the tunnel already is established...well then no one outside can see anything.
    Well, you are aware that the SSL layer is fully established by the time the protocol enters the authentication phase, right? It would be folly to do otherwise. Sending passwords during the authentication phase is no different from sending them once you're logged in. Having to go through another user is just unnecessary when using SSH.

    Quote Originally Posted by andutt
    OpenSSH is using the following keys

    The rest of the session is encrypted using a symmetric cipher, currently
    128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit
    AES. The client selects the encryption algorithm to use from those offered
    by the server. Additionally, session integrity is provided through
    a cryptographic message authentication code (hmac-sha1 or hmac-md5).
    The question was which one it uses by default. We all know that it's capable of several ciphers.
