11-09-2005
John Thompson
Re: Attempt of being hacked -- protection?

On 2005-11-08, ultimatespamheap@yahoo.com <ultimatespamheap@yahoo.com> wrote:

> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).


Were these active connections or just login attempts?

There are a lot of compromised machines running ssh dictionary attacks for
the script kiddies.

> I immediately pulled the network cable but was still worried that my
> system had been compromised. I then ran chkrootkit (from a parallel
> installation of another distro) but didn't find anything, but anyway, I
> now use the opportunity to change my passwords and upgrade to a newer
> distro version.


Sounds prudent.

> Today, I inspected /var/log/messages and found that some guy had
> started to systematically try to login under different user names (see
> below).


> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
> Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
> Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
> Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
> Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52


Looks like one of the aforementioned scripted attacks.

> My questions now are:
>
> (1) How can I protect myself from such an attack?


There are a couple of things you can do. Make sure sshd is configured not to
allow root logins ("PermitRootLogin no" in /etc/ssh/sshd_config). Set up
sshd to use cryptographic keys instead of passwords for login
authentication. Use tcp_wrappers to restrict logins to only connections
originating from specific IP addresses.

> Is there a possibility to configure the system so that it refuses any login
> attempt for, let's say a couple of hours, when such a systematic attack
> is detected? (at least the detection part should not be too hard).


Probably, but why would you want to set yourself up for a DoS situation?

> Also, a clear message informing the user about the ongoing attack would
> have been nice.


You can tell syslog to report events differently if you want.

> (2) Can/should I report this abuse to the ISP in question? How?


You can, but I haven't had much luck with those Taiwan ISPs.

--

John (john@os2.dhs.org)
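The "detection part" the original poster mentions, as an added example that is not part of this thread: a small Python detector that parses sshd "Invalid user" lines from /var/log/messages and flags any source that produces a burst of failures. The sample lines are constructed from the excerpt quoted above plus one unrelated single failure from the documentation address 192.0.2.10; the year (2005), the threshold (5 failures) and the window (60 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the five lines quoted in the post, plus one
# single failure from an unrelated (documentation-range) source.
SAMPLE_LOG = """\
Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52
Nov 7 20:15:02 Dtop sshd[9402]: Invalid user guest from ::ffff:192.0.2.10
"""

# syslog timestamp, host, sshd[pid], then the "Invalid user X from IP" text;
# the optional ::ffff: prefix is the IPv4-mapped form seen in the excerpt.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<src>[\d.]+)$"
)


def parse(lines, year=2005):
    """Return a list of (timestamp, source_ip, username) for matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # anything that is not an "Invalid user" line is ignored
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"  # syslog omits the year
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def detect(events, threshold=5, window_seconds=60):
    """Map source IP -> usernames tried, for sources with >= threshold
    failures inside any sliding window of window_seconds."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans <= window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = [user for _, user in attempts]
                break
    return hits
```

Running detect(parse(open("/var/log/messages"))) gives the per-source list of usernames tried, which is the kind of summary the poster wanted as a clear message instead of reading raw log lines.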