Jeffrey F. Bloss, 11-08-2005
Re: Attempt of being hacked -- protection?

ultimatespamheap wrote:

> Hi all,
>
> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).


<snippage>

Common stuff for people running sshd. Kids trying to brute force your
server. Nothing to panic over if you have *strong* passwords. You should
also limit SSH logins to some non-superuser account, and su or sudo if you
need root access. If you want an acceptable way to generate strong
passwords that you can remember, try this...

http://world.std.com/~reinhold/diceware.html

Read their pages carefully. There's some caveats, and good advice for
hardening your passwords even further.

There's a number of other things you can do too...

Make sure sshd is updated. More to thwart other attacks than anything else.

Move your SSH port to something uncommon (security through obscurity). Not
the best but it helps limit the number of attempts a bit.

Use keys instead of passwords to log in. This probably won't reduce the
number of attempts too much because they're automated. Someone sees the
port open and points a script or such at it. They probably never even see
failed attempts.

Set limits on the number of failed login attempts that can be made before
no more are accepted for some arbitrary amount of time. Something like 3
attempts then a 3 minute wait or whatever makes you comfortable.

Restrict access to a predefined IP range or selected hosts. Only works if
you know who is going to be using SSH... from where. There's also ways to
automatically add IP/hosts to a list of disallowed addresses after too many
failed login attempts. DenyHosts comes to mind...

http://denyhosts.sourceforge.net/

Use a "port knocking" scheme to make it appear as though you're not
running sshd until some other combination of ports is accessed in a
sequence. A sort of "combination lock" if you will. Requires either a
special client, or some hoop jumping to gain any access at all. Good for
keeping the Badguys(tm) out, maybe an unusable pain in the rear for
you (or other users). Some good information is here...

http://www.portknocking.org/


> (2) Can/should I report this abuse to the ISP in question? How?


You can, but your responses and success rate are going to be a bit
"dismal" at best. Most of the time you won't hear anything back from
any abuse reports, and when you do it's either some form letter, or a
"report this to someone who cares" thing. OTOH, if you manage to get a
confirmed kill it's *most* satisfying. ;-)

Do a whois on the IP address and look for "tech" and "abuse" contact
information. Sometimes traceroute and ping can reveal info too. There's a
decent set of online tools all in one place here if you don't like the
command line stuff...

http://www.dnsstuff.com/

You may also have a graphical interface to common tools installed by your
distribution. gnome-nettool would be an example.

> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from
> ::ffff:61.63.154.52


http://www.dnsstuff.com/tools/whois....54.52&email=on

Asia. <sigh> Taiwan to be more precise. Sometimes I honestly believe that
you could lop off *all* of Asia from the net and reduce bad traffic by
80% or so... no joke. For a while anyway, until the kids found other
hosts in other countries that were only slightly less misconfigured or
insecure. :(

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208

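An added example, not part of Jeffrey's post and not DenyHosts' own code: a small Python script that does what the "3 attempts then a 3 minute wait" and DenyHosts paragraphs describe. It parses sshd log lines of the kind quoted above ("Invalid user ... from ::ffff:61.63.154.52"), folds the IPv4-mapped IPv6 form back to plain IPv4 so the same host is not counted twice, and denies any source that fails `threshold` times inside `window_seconds`. The log lines below are constructed for the example (only the first one is from the post), the year 2005 is assumed because syslog timestamps carry none, and the hosts.deny format is the one tcp_wrappers reads.

```python
"""Count failed sshd logins per source address and decide which to block.

Added example in the spirit of DenyHosts: parse the failure lines OpenSSH
writes to syslog, normalise the source address, and deny any host that
fails `threshold` times within `window_seconds`.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Only the first line appears in the original post;
# the rest are invented so the example has something to count.
SAMPLE_LOG = """\
Nov  7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
Nov  7 20:09:27 Dtop sshd[9361]: Invalid user oracle from ::ffff:61.63.154.52
Nov  7 20:09:29 Dtop sshd[9363]: Failed password for invalid user test from ::ffff:61.63.154.52 port 40122 ssh2
Nov  7 20:09:40 Dtop sshd[9370]: Failed password for root from 192.0.2.10 port 51002 ssh2
Nov  7 20:15:10 Dtop sshd[9402]: Failed password for root from 192.0.2.10 port 51010 ssh2
Nov  7 20:15:12 Dtop sshd[9405]: Accepted publickey for alice from 198.51.100.7 port 51800 ssh2
"""

# Matches the two failure messages OpenSSH emits most often (syslog format,
# no year in the timestamp). Anything else, e.g. accepted logins, is ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\S+)"
)


def normalize_ip(text):
    """Return the canonical address string; ::ffff:1.2.3.4 becomes 1.2.3.4."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def failed_attempts(log_text, year=2005):
    """Return a list of (timestamp, source_ip) for each failed login line.

    syslog omits the year, so the caller supplies one (2005 here, the year
    of the post, an assumption for this example).
    """
    attempts = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        attempts.append((ts, normalize_ip(m.group("ip"))))
    return attempts


def hosts_to_deny(attempts, threshold=3, window_seconds=180):
    """Return the set of source IPs with at least `threshold` failures inside
    any span of `window_seconds`, using a sliding window per IP."""
    by_ip = defaultdict(list)
    for ts, ip in attempts:
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    denied = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                denied.add(ip)
                break
    return denied


def hosts_deny_lines(denied):
    """Format entries for /etc/hosts.deny, the file DenyHosts appends to.
    sshd must be built with tcp_wrappers support for this to take effect."""
    return [f"sshd: {ip}" for ip in sorted(denied)]


if __name__ == "__main__":
    found = failed_attempts(SAMPLE_LOG)
    for entry in hosts_deny_lines(hosts_to_deny(found)):
        print(entry)
```

With the defaults (3 failures within 180 seconds) only 61.63.154.52 gets denied; 192.0.2.10 only failed twice, five minutes apart. Lowering the threshold to 2 with a 60 second window still leaves it alone, and a 600 second window catches it, so tune the pair to what you consider normal fat-fingering on your own box.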