- 02-07-2005 #1
Access attempts
Hi, I'm using Slackware 10 and I was wondering if there is a way to disable remote access. I use it as a personal OS and there's really no need for it in my case. The reason I wish to disable it is because of the series of access attempts that have been made on this machine. Luckily all have failed so far; here is a small sample.
Code:
    Jan 31 11:40:43 excaliber sshd[2375]: Failed password for illegal user web from 200.27.232.100 port 53241 ssh2
    Jan 31 11:40:45 excaliber sshd[2377]: Illegal user oracle from 200.27.232.100
    Jan 31 11:40:45 excaliber sshd[2377]: Failed password for illegal user oracle from 200.27.232.100 port 53347 ssh2
    Jan 31 11:40:47 excaliber sshd[2379]: Illegal user sybase from 200.27.232.100
    Jan 31 11:40:47 excaliber sshd[2379]: Failed password for illegal user sybase from 200.27.232.100 port 53608 ssh2
    Jan 31 11:40:49 excaliber sshd[2381]: Illegal user master from 200.27.232.100
    Jan 31 11:40:49 excaliber sshd[2381]: Failed password for illegal user master from 200.27.232.100 port 53745 ssh2
    Jan 31 11:40:51 excaliber sshd[2383]: Illegal user account from 200.27.232.100
    Jan 31 11:40:51 excaliber sshd[2383]: Failed password for illegal user account from 200.27.232.100 port 53910 ssh2
    Jan 31 11:40:53 excaliber sshd[2385]: Illegal user backup from 200.27.232.100
    Jan 31 11:40:53 excaliber sshd[2385]: Failed password for illegal user backup from 200.27.232.100 port 54186 ssh2
    Jan 31 11:40:54 excaliber sshd[2387]: Illegal user server from 200.27.232.100
    Jan 31 11:40:54 excaliber sshd[2387]: Failed password for illegal user server from 200.27.232.100 port 54301 ssh2
    Jan 31 11:40:56 excaliber sshd[2389]: Illegal user adam from 200.27.232.100
    Jan 31 11:40:56 excaliber sshd[2389]: Failed password for illegal user adam from 200.27.232.100 port 54568 ssh2
    Jan 31 11:40:58 excaliber sshd[2391]: Illegal user alan from 200.27.232.100
    Jan 31 11:40:58 excaliber sshd[2391]: Failed password for illegal user alan from 200.27.232.100 port 54707 ssh2
    Jan 31 11:41:00 excaliber sshd[2393]: Illegal user frank from 200.27.232.100
    Jan 31 11:41:02 excaliber sshd[2395]: Illegal user george from 200.27.232.100
    Jan 31 11:41:02 excaliber sshd[2395]: Failed password for illegal user george from 200.27.232.100 port 55131 ssh2
    Jan 31 11:41:04 excaliber sshd[2397]: Illegal user henry from 200.27.232.100
    Jan 31 11:41:04 excaliber sshd[2397]: Failed password for illegal user henry from 200.27.232.100 port 55192 ssh2
    Jan 31 11:41:11 excaliber sshd[2401]: Illegal user john from 200.27.232.100
    Jan 31 11:41:11 excaliber sshd[2401]: Failed password for illegal user john from 200.27.232.100 port 55812 ssh2
    Jan 31 11:41:13 excaliber sshd[2405]: Failed password for root from 200.27.232.100 port 56088 ssh2
    Jan 31 11:41:15 excaliber sshd[2407]: Failed password for root from 200.27.232.100 port 56194 ssh2
    Jan 31 11:41:17 excaliber sshd[2409]: Failed password for root from 200.27.232.100 port 56487 ssh2
    Jan 31 11:41:18 excaliber sshd[2411]: Failed password for root from 200.27.232.100 port 56614 ssh2
    Jan 31 11:41:20 excaliber sshd[2413]: Failed password for root from 200.27.232.100 port 56783 ssh2
    Jan 31 11:41:22 excaliber sshd[2415]: Illegal user test from 200.27.232.100
    Jan 31 11:41:22 excaliber sshd[2415]: Failed password for illegal user test from 200.27.232.100 port 57042 ssh2
Any help on this matter would be greatly appreciated.
- 02-17-2005 #2 Just Joined!
- Join Date: Nov 2004
- Location: Vienna, Austria
- Posts: 10
access attempts
Hi!
I saw - nobody answered so far to your request, and so I wanna tell ya what I would do ...
It's an interesting thing to find out what ports are open, isn't it?
First of all, the portmapper must run
code (as user root):
    cd /etc/rc.d
    chmod 755 ./rc.portmap
    ./rc.portmap start
    nmap localhost
now you will see what ports are open!
e.g. if ssh port is open, just stop rc.sshd-daemon, and then chmod rc.sshd to 644 (so it will not be started during next reboot)! Same you can do with other daemons that are opening doors -
of course you will stop rc.portmap again and change its modes!
Last tip by now ...
edit your startx (best with vi)
    which startx
    vi /usr/X11R6/bin/startx
and there you will find
    serverargs=""
and here you enter
    serverargs="-nolisten tcp"
hope that helps you further!
greetings from vienna
- 02-17-2005 #3 Just Joined!
- Join Date: Jan 2005
- Posts: 68
Hi, this is off-topic, sorry.
But....
You have me a little paranoid here.
Which log did you look at and how to check for such activity??
Thanks much
- 02-18-2005 #4 Just Joined!
- Join Date: Nov 2004
- Location: Vienna, Austria
- Posts: 10
Jammin1984 wrote:
>Hi, this is off-topic, sorry.
hmmm ... well, I would check first my doors ...
>But....
>You have me a little paranoid here.
There is no need for that! You are not working on a MS Windows Box, are you?
>Which log did you look at and how to check for such activity??
The same like you - e.g.
Code:
    dmesg
But you also may check the messages ...
so, read again above what I said before just to check your "doors" - are you behind a firewall (from your ISP, company ...)?
- 02-18-2005 #5 Just Joined!
- Join Date: Jan 2005
- Posts: 68
I'm behind my uni's firewall, which is silly locked down....
Would still be easy enough for someone on my LAN tho.
Thanks
- 02-18-2005 #6
It looks like people are trying to get into your computer over ssh. Notice the sshd[number] after excaliber.
If you want to stop the ssh daemon straight away run
Code:
    rc.sshd stop
but then when you restart your computer it will be running again, so to stop that, look in /etc/init.d/rc3.d
there's probably a file that symlinks to ../sshd (there is on my computer)
to find out what links to ../sshd open a shell in /etc/init.d/rc3.d and type:
Code:
    ls -l *ssh*
to see that it's a symlink it will look like this:
    lrwxrwxrwx 1 root root 7 Jun 28 2004 S12sshd -> ../sshd
it's a file called S12sshd pointing to ../sshd
if you don't want sshd to start at boot, just remove the files that point to ../sshd and it should be ok, then you shouldn't get any more logs for failed auth.
"I am not an alcoholic, alcoholics go to meetings"
Registered Linux user = #372327
- 02-18-2005 #7 Just Joined!
- Join Date: Jan 2005
- Posts: 68
This is kind of over my head but since I am always asking for help, gotta try and return the favour.
Since you're running slackware could you not run pkgtool, go to setup then services and disable it this way??
- 02-18-2005 #8
strange, this issue was solved a long time ago as you can see from the date. not to worry though.
the logs that told me of the activity were in /var/log/ and is called messages. the problem was solved by stopping the ssh service, also stopping some other things not needed like sendmail, installing firestarter firewall in order to stealth all the ports and control the traffic, and also making sure that X doesn't act as a server and listen to the tcp port 6000: you have to type startx -- -nolisten tcp, rather than the usual startx. on a graphical login this isn't an issue
Originally Posted by Jammin1984
i prefer to just disable a service rather than remove it completely, in case it's ever needed for future use i won't have to go to the trouble of reinstalling it. these services can be misused but as long as you keep on top of things there's no problem, as you can see from what i posted they tried their damned hardest, but never gained access
Originally Posted by Jammin1984
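Added example, not part of any post in this thread: one way to answer the "how to check for such activity" question is to summarise failed sshd password logins per source address from a syslog file such as the /var/log/messages named above. The function names, host name, addresses and sample lines are constructed for illustration; the parser assumes the log format shown in the first post and also accepts the "invalid user" wording used by newer OpenSSH releases.

```shell
#!/bin/sh
# Added example: per-source summary of failed sshd password logins.

# Constructed sample in the thread's syslog format (documentation addresses).
sample_log() {
cat <<'EOF'
Feb  1 09:00:01 examplehost sshd[1001]: Illegal user oracle from 192.0.2.10
Feb  1 09:00:01 examplehost sshd[1001]: Failed password for illegal user oracle from 192.0.2.10 port 40001 ssh2
Feb  1 09:00:03 examplehost sshd[1003]: Failed password for illegal user test from 192.0.2.10 port 40002 ssh2
Feb  1 09:00:05 examplehost sshd[1005]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb  1 09:00:07 examplehost sshd[1007]: Failed password for root from 192.0.2.10 port 40004 ssh2
Feb  1 09:05:00 examplehost sshd[1010]: Failed password for illegal user from from 198.51.100.7 port 50001 ssh2
Feb  1 09:06:00 examplehost sshd[1012]: Accepted password for alice from 192.0.2.99 port 50100 ssh2
Feb  1 09:07:00 examplehost kernel: eth0: link up
EOF
}

# Usage: summarize_sshd_failures [logfile ...]   (reads stdin when no file is given)
# Output columns (tab separated, busiest source first):
#   failures  address  users=<distinct names>  root=<tries at root>  first  last
summarize_sshd_failures() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" && $8 == "for" &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        # The user name is chosen by the remote client, so the address is taken
        # from the fixed tail of the line ("from ADDR port N ssh2"), not from
        # the first "from" that appears.
        addr = $(NF-3); first_field = 9; existing = 1
        if (($9 == "illegal" || $9 == "invalid") && $10 == "user") {
            first_field = 11; existing = 0      # account does not exist locally
        }
        user = ""
        for (i = first_field; i <= NF-5; i++) user = user (i > first_field ? " " : "") $i
        stamp = $1 " " $2 " " $3
        fails[addr]++
        if (existing && user == "root") root[addr]++
        if (!((addr, user) in seen)) { seen[addr, user] = 1; users[addr]++ }
        if (!(addr in first)) first[addr] = stamp
        last[addr] = stamp
    }
    END {
        for (a in fails)
            printf "%d\t%s\tusers=%d\troot=%d\t%s\t%s\n", fails[a], a, users[a], root[a], first[a], last[a]
    }' "$@" | sort -k1,1nr
}

sample_log | summarize_sshd_failures
```

On a real machine the call would be `summarize_sshd_failures /var/log/messages`, run as a user allowed to read that file.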
- 02-18-2005 #9
Re: access attempts
thanks that did the trick, i was looking for a way to do that, now i won't have to use the graphical login or keep typing out the entire command every reboot
Originally Posted by pottibaer


