Attempt of being hacked -- protection? (Linux Security forums, System Security and Security Related category)
Hi all,
Yesterday evening, I noticed network traffic going over my router and netstat showed five parallel ssh connections to the address host52.co.154.isl (different ports). I immediately pulled the network cable but was still worried that my system had been compromised. I then ran chkrootkit (from a parallel installation of another distro) but didn't find anything, but anyway, I now use the opportunity to change my passwords and upgrade to a newer distro version. Today, I inspected /var/log/messages and found that some guy had started to systematically try to login under different user names (see below).

My questions now are:

(1) How can I protect myself from such an attack? Is there a possibility to configure the system so that it refuses any login attempt for, let's say a couple of hours, when such a systematic attack is detected? (at least the detection part should not be too hard). Also, a clear message informing the user about the ongoing attack would have been nice.

(2) Can/should I report this abuse to the ISP in question? How?

(3) Are there any other security measures I should take now?
Thanks for your help

Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52
Nov 7 20:09:47 Dtop sshd[9373]: Invalid user guest from ::ffff:61.63.154.52
Nov 7 20:09:50 Dtop sshd[9392]: Invalid user master from ::ffff:61.63.154.52
Nov 7 20:09:53 Dtop sshd[9396]: Invalid user apache from ::ffff:61.63.154.52
Nov 7 20:10:03 Dtop sshd[9402]: Invalid user network from ::ffff:61.63.154.52
Nov 7 20:10:06 Dtop sshd[9404]: Invalid user word from ::ffff:61.63.154.52
Nov 7 20:10:09 Dtop sshd[9406]: Invalid user fr from ::ffff:61.63.154.52
Nov 7 20:10:12 Dtop sshd[9408]: Invalid user west from ::ffff:61.63.154.52
<snip>
Nov 7 20:21:38 Dtop sshd[10108]: Invalid user annelise from ::ffff:61.63.154.52
Nov 7 20:21:41 Dtop sshd[10110]: Invalid user annette from ::ffff:61.63.154.52
Nov 7 20:21:44 Dtop sshd[10112]: Invalid user anthony from ::ffff:61.63.154.52
Nov 7 20:21:47 Dtop sshd[10114]: Invalid user antoinette from ::ffff:61.63.154.52
Nov 7 20:21:50 Dtop sshd[10116]: Invalid user anton from ::ffff:61.63.154.52
Nov 7 20:21:53 Dtop sshd[10118]: Invalid user antonia from ::ffff:61.63.154.52
Nov 7 20:21:56 Dtop sshd[10120]: Invalid user antonie from ::ffff:61.63.154.52
Nov 7 20:21:59 Dtop sshd[10122]: Invalid user apollo from ::ffff:61.63.154.52
Nov 7 20:22:02 Dtop sshd[10124]: Invalid user april from ::ffff:61.63.154.52
Nov 7 20:24:03 Dtop sshd[10126]: fatal: Timeout before authentication for ::ffff:61.63.154.52
Nov 7 20:28:01 Dtop sshd[7380]: Received signal 15; terminating.
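The "detection part" the question asks about really is small. The script below is an added example (it is not the poster's code and not DenyHosts or any other tool named in the thread): it parses the sshd "Invalid user" lines from the log above, counts attempts per source address inside a sliding window, and once a threshold is reached records a lockout of fixed length, tallying any further attempts that arrive while the address is locked out. Assumptions: the year 2005 for the year-less syslog timestamps (the thread is dated November 2005); the thresholds of 3 attempts in a minute and a 3 minute lockout, which a later reply in the thread suggests; and one constructed log line (pid 9900, documentation address 192.0.2.10) added to show that a lone failure is not locked out.

```python
"""Spot an SSH user-name scan in sshd log lines and work out temporary lockouts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2005  # assumption: syslog stamps carry no year; the thread is dated Nov 2005

# sshd's "Invalid user" line exactly as it appears in the original post.
INVALID_USER_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<addr>\S+)$"
)


def normalize_addr(addr):
    """sshd reports IPv4 clients on an IPv6 socket as ::ffff:a.b.c.d; strip the prefix."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def parse_line(line):
    """Return (timestamp, user, address) for an 'Invalid user' line, else None."""
    m = INVALID_USER_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], normalize_addr(m["addr"])


def detect(lines, threshold=3, window=timedelta(minutes=1), ban_for=timedelta(minutes=3)):
    """Walk log lines in order; return (bans, blocked).

    bans    -- list of (address, lockout_start, lockout_end)
    blocked -- {address: attempts that arrived while the address was locked out}
    Defaults follow the "3 attempts, then a 3 minute wait" suggested in the thread.
    """
    recent = defaultdict(deque)   # address -> attempt timestamps inside the window
    locked_until = {}             # address -> when its lockout expires
    bans, blocked = [], defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # timeouts, shutdown notices etc. are not attempts
        ts, _user, addr = parsed
        if addr in locked_until and ts < locked_until[addr]:
            blocked[addr] += 1    # a real blocker (firewall, tcp_wrappers) would refuse these
            continue
        q = recent[addr]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget attempts older than the window
        if len(q) >= threshold:
            bans.append((addr, ts, ts + ban_for))
            locked_until[addr] = ts + ban_for
            q.clear()             # count afresh once the lockout lapses
    return bans, dict(blocked)


def report(bans, blocked):
    """Plain-language summary: the 'clear message' the original post asks for."""
    out = [f"{addr}: scan detected at {start:%b %d %H:%M:%S}, locked out until {end:%H:%M:%S}"
           for addr, start, end in bans]
    out += [f"{addr}: {n} further attempts arrived during lockout" for addr, n in blocked.items()]
    return "\n".join(out)


# The poster's /var/log/messages excerpt, plus one constructed line (pid 9900,
# documentation address 192.0.2.10) to show that a lone failure is not locked out.
LOG_LINES = """\
Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52
Nov 7 20:09:47 Dtop sshd[9373]: Invalid user guest from ::ffff:61.63.154.52
Nov 7 20:09:50 Dtop sshd[9392]: Invalid user master from ::ffff:61.63.154.52
Nov 7 20:09:53 Dtop sshd[9396]: Invalid user apache from ::ffff:61.63.154.52
Nov 7 20:10:03 Dtop sshd[9402]: Invalid user network from ::ffff:61.63.154.52
Nov 7 20:10:06 Dtop sshd[9404]: Invalid user word from ::ffff:61.63.154.52
Nov 7 20:10:09 Dtop sshd[9406]: Invalid user fr from ::ffff:61.63.154.52
Nov 7 20:10:12 Dtop sshd[9408]: Invalid user west from ::ffff:61.63.154.52
Nov 7 20:15:00 Dtop sshd[9900]: Invalid user backup from ::ffff:192.0.2.10
Nov 7 20:21:38 Dtop sshd[10108]: Invalid user annelise from ::ffff:61.63.154.52
Nov 7 20:21:41 Dtop sshd[10110]: Invalid user annette from ::ffff:61.63.154.52
Nov 7 20:21:44 Dtop sshd[10112]: Invalid user anthony from ::ffff:61.63.154.52
Nov 7 20:21:47 Dtop sshd[10114]: Invalid user antoinette from ::ffff:61.63.154.52
Nov 7 20:21:50 Dtop sshd[10116]: Invalid user anton from ::ffff:61.63.154.52
Nov 7 20:21:53 Dtop sshd[10118]: Invalid user antonia from ::ffff:61.63.154.52
Nov 7 20:21:56 Dtop sshd[10120]: Invalid user antonie from ::ffff:61.63.154.52
Nov 7 20:21:59 Dtop sshd[10122]: Invalid user apollo from ::ffff:61.63.154.52
Nov 7 20:22:02 Dtop sshd[10124]: Invalid user april from ::ffff:61.63.154.52
Nov 7 20:24:03 Dtop sshd[10126]: fatal: Timeout before authentication for ::ffff:61.63.154.52
Nov 7 20:28:01 Dtop sshd[7380]: Received signal 15; terminating.
""".splitlines()

if __name__ == "__main__":
    print(report(*detect(LOG_LINES)))
```

On the excerpt above this produces two lockouts for 61.63.154.52 (at 20:09:31 and 20:21:44) and counts 15 attempts that arrived during them; the lone 192.0.2.10 failure stays below the threshold. Note the trade-off a later reply raises: anything that locks out an address on failed attempts can be turned against you by someone sending failures from an address you normally log in from, so keep the lockout short and whitelist your own hosts.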
ultimatespamheap@yahoo.com wrote:
> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).
> Today, I inspected /var/log/messages and found that some guy had
> started to systematically try to login under different user names (see
> below).
> My questions now are:
> (1) How can I protect myself from such an attack? Is there a
> possibility to configure the system so that it refuses any login
> attempt for, let's say a couple of hours, when such a systematic attack
> is detected? (at least the detection part should not be too hard).
> Also, a clear message informing the user about the ongoing attack would
> have been nice.
> (2) Can/should I report this abuse to the ISP in question? How?
> (3) Are there any other security measures I should take now?
> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
> Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
> Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52

There are various means of possible protection. Some web searches will find many of them and discussions thereof, e.g.:

http://denyhosts.sourceforge.net/

There are of course also many ways to block out IPs that one doesn't want to allow at all, or one can also configure "port knocking" or more stealthy means of allowing only (presumably) authorized access.

Yes, you can certainly report them to the ISP ... such as find the abuse, or most suitable contact, via whois, and send them the relevant details (logs), including timezone information for the log timestamps - they'll typically need to know attacked and attacking IPs, and in many cases also both source and destination ports. You may never know if the ISP does something useful with the information, though - many of them will tell you little to nothing, due to customer privacy concerns/policies, etc.

Most attacking systems are systems that have been victimized by some cracker anyway (and had your system been cracked, it would likely be doing more of the same type of attacking). You can also join coordinated efforts in such regards, e.g.:

http://www.dshield.org/fightback.php

.... those can potentially be rather useful in that ISPs would get more consolidated reports, and at least in theory, getting reports from organizations showing lots of systems being attacked may carry more weight with an ISP than random reports from attacked individual systems or small groups of systems.

Unfortunately such "attacks" are rather common and frequent on the Internet. This is yet another reason why strong passwords, locking out unnecessary services/access, and staying quite current on security updates/patches continue to be quite important to security.
I've been seeing this sort of thing for a year or so. There are various basic things which can help, especially if you're the only user:

* Change the port
* Install a tool which will block hosts which try too many times
* Add an AllowUsers line to sshd_config (see manpage)
* Make sure that sshd is running as the sshd user (in case of exploits rather than password guesses)
* Disable password authentication and use s/key or public keys
* Limit access to a set list of machines if practical

This sort of attack isn't really something to worry about, as long as you have strong passwords - or even non-criminally-weak passwords. Like all good secure login systems, ssh doesn't give away whether an account even exists until you enter the correct password, so even if your username is in the short dictionary which that script tries, as long as your password isn't very very obvious (blank or the username or similar) then it won't get far.

If you have lots of users then a cron job running john the ripper over basic account name permutations and a liberal application of the ban stick probably wouldn't hurt.

~Ed
ultimatespamheap wrote:
> Hi all,
>
> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).

<snippage>

Common stuff for people running sshd. Kids trying to brute force your server. Nothing to panic over if you have *strong* passwords. You should also limit SSH logins to some non-superuser account, and su or sudo if you need root access.

If you want an acceptable way to generate strong passwords that you can remember, try this...

http://world.std.com/~reinhold/diceware.html

Read their pages carefully. There are some caveats, and good advice for hardening your passwords even further.

There's a number of other things you can do too...

Make sure sshd is updated. More to thwart other attacks than anything else.

Move your SSH port to something uncommon (security through obscurity). Not the best but it helps limit the number of attempts a bit.

Use keys instead of passwords to log in. This probably won't reduce the number of attempts too much because they're automated. Someone sees the port open and points a script or such at it. They probably never even see failed attempts.

Set limits on the number of failed login attempts that can be made before no more are accepted for some arbitrary amount of time. Something like 3 attempts then a 3 minute wait or whatever makes you comfortable.

Restrict access to a predefined IP range or selected hosts. Only works if you know who is going to be using SSH... from where.

There are also ways to automatically add IP/hosts to a list of disallowed addresses after too many failed login attempts. DenyHosts comes to mind...

http://denyhosts.sourceforge.net/

Use a "port knocking" scheme to make it appear as though you're not running sshd until some other combination of ports is accessed in a sequence. A sort of "combination lock" if you will. Requires either a special client, or some hoop jumping to gain any access at all. Good for keeping the Badguys(tm) out, maybe an unusable pain in the rear for you (or other users). Some good information is here...

http://www.portknocking.org/

> (2) Can/should I report this abuse to the ISP in question? How?

You can, but your responses and success rate are going to be a bit "dismal" at best. Most of the time you won't hear anything back from any abuse reports, and when you do it's either some form letter, or a "report this to someone who cares" thing. OTOH, if you manage to get a confirmed kill it's *most* satisfying. ;-)

Do a whois on the IP address and look for "tech" and "abuse" contact information. Sometimes traceroute and ping can reveal info too. There's a decent set of online tools all in one place here if you don't like the command line stuff...

http://www.dnsstuff.com/

You may also have a graphical interface to common tools installed by your distribution. gnome-nettool would be an example.

> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52

http://www.dnsstuff.com/tools/whois....54.52&email=on

Asia. <sigh> Taiwan to be more precise. Sometimes I honestly believe that you could lop off *all* of Asia from the net and reduce bad traffic by 80% or so... no joke. For a while anyway, until the kids found other hosts in other countries that were only slightly less misconfigured or insecure. :(

--
_?_ Outside of a dog, a book is a man's best friend.
(@ @) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok! Registered Linux user #402208
ultimatespamheap@yahoo.com writes:
>Hi all,
>Yesterday evening, I noticed network traffic going over my router and
>netstat showed five parallel ssh connections to the address
>host52.co.154.isl (different ports).
>I immediately pulled the network cable but was still worried that my
>system had been compromised. I then ran chkrootkit (from a parallel
>installation of another distro) but didn't find anything, but anyway, I
>now use the opportunity to change my passwords and upgrade to a newer
>distro version.

It possibly had, although you may have just seen those attempts in progress. I.e., if those ports changed in a few second timescale, that was probably it.

>Today, I inspected /var/log/messages and found that some guy had
>started to systematically try to login under different user names (see
>below).

Yes. Common occurrence.

>My questions now are:
>(1) How can I protect myself from such an attack? Is there a
>possibility to configure the system so that it refuses any login
>attempt for, let's say a couple of hours, when such a systematic attack
>is detected? (at least the detection part should not be too hard).
>Also, a clear message informing the user about the ongoing attack would
>have been nice.

The danger you face is that that person will deny you the possibility of logging in (repeated attempts from a spoofed machine you usually log in from). What kind of "clear message"? Do you really want all of those messages showing up on your terminal? Anyway, it is an attack using simple passwords. Make sure that all passwords on your system are strong.

>(2) Can/should I report this abuse to the ISP in question? How?

o
You can try. Use whois to find out who the isp is.

>(3) Are there any other security measures I should take now?
>Thanks for your help
>Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
>Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
>Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
>Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
>Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52
>Nov 7 20:09:47 Dtop sshd[9373]: Invalid user guest from ::ffff:61.63.154.52
>Nov 7 20:09:50 Dtop sshd[9392]: Invalid user master from ::ffff:61.63.154.52
>Nov 7 20:09:53 Dtop sshd[9396]: Invalid user apache from ::ffff:61.63.154.52
>Nov 7 20:10:03 Dtop sshd[9402]: Invalid user network from ::ffff:61.63.154.52
>Nov 7 20:10:06 Dtop sshd[9404]: Invalid user word from ::ffff:61.63.154.52
>Nov 7 20:10:09 Dtop sshd[9406]: Invalid user fr from ::ffff:61.63.154.52
>Nov 7 20:10:12 Dtop sshd[9408]: Invalid user west from ::ffff:61.63.154.52
> <snip>
>Nov 7 20:21:38 Dtop sshd[10108]: Invalid user annelise from ::ffff:61.63.154.52
>Nov 7 20:21:41 Dtop sshd[10110]: Invalid user annette from ::ffff:61.63.154.52
>Nov 7 20:21:44 Dtop sshd[10112]: Invalid user anthony from ::ffff:61.63.154.52
>Nov 7 20:21:47 Dtop sshd[10114]: Invalid user antoinette from ::ffff:61.63.154.52
>Nov 7 20:21:50 Dtop sshd[10116]: Invalid user anton from ::ffff:61.63.154.52
>Nov 7 20:21:53 Dtop sshd[10118]: Invalid user antonia from ::ffff:61.63.154.52
>Nov 7 20:21:56 Dtop sshd[10120]: Invalid user antonie from ::ffff:61.63.154.52
>Nov 7 20:21:59 Dtop sshd[10122]: Invalid user apollo from ::ffff:61.63.154.52
>Nov 7 20:22:02 Dtop sshd[10124]: Invalid user april from ::ffff:61.63.154.52
>Nov 7 20:24:03 Dtop sshd[10126]: fatal: Timeout before authentication for ::ffff:61.63.154.52
>Nov 7 20:28:01 Dtop sshd[7380]: Received signal 15; terminating.
Unruh wrote:
>>(2) Can/should I report this abuse to the ISP in question? How?
> o
> You can try. Use whois to find out who the isp is.
>

It is doubtful that the attack is actually coming from the cracker's own computer. Most likely he is using a system that is not his that has been cracked previously. This way it makes it more difficult to track the cracker down. It looks like the offending IP address is from a legitimate business in Taiwan. When you report it to the ISP they will go back to the business and the cracker will just start using a different cracked system. If the cracker has any sense at all, he is going through several cracked systems in different legal jurisdictions making it almost impossible to take any real action against the true cracker.

--
On 2005-11-08, ultimatespamheap@yahoo.com <ultimatespamheap@yahoo.com> wrote:
> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).

Were these active connections or just login attempts? There's a lot of compromised machines running ssh dictionary attacks for the script kiddies.

> I immediately pulled the network cable but was still worried that my
> system had been compromised. I then ran chkrootkit (from a parallel
> installation of another distro) but didn't find anything, but anyway, I
> now use the opportunity to change my passwords and upgrade to a newer
> distro version.

Sounds prudent.

> Today, I inspected /var/log/messages and found that some guy had
> started to systematically try to login under different user names (see
> below).
> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
> Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
> Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52
> Nov 7 20:09:38 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52
> Nov 7 20:09:44 Dtop sshd[9371]: Invalid user admin from ::ffff:61.63.154.52

Looks like one of the aforementioned scripted attacks.

> My questions now are:
>
> (1) How can I protect myself from such an attack?

There's a couple things you can do. Make sure sshd is configured not to allow root logins ("PermitRootLogin no" in /etc/ssh/sshd_config). Set up sshd to use cryptographic keys instead of passwords for login authentication. Use tcp_wrappers to restrict logins to only connections originating from specific ip addresses.

> Is there a possibility to configure the system so that it refuses any login
> attempt for, let's say a couple of hours, when such a systematic attack
> is detected? (at least the detection part should not be too hard).

Probably, but why would you want to set yourself up for a DoS situation?

> Also, a clear message informing the user about the ongoing attack would
> have been nice.

You can tell syslog to report events differently if you want.

> (2) Can/should I report this abuse to the ISP in question? How?

You can, but I haven't had much luck with those Taiwan ISPs.

--
John (john@os2.dhs.org)
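Ed's list, grok's reply and John's reply above all come down to a handful of sshd_config directives. The script below is an added example, not code from the thread and not part of OpenSSH: it parses the global section of an sshd_config the way sshd reads it (keywords are case-insensitive, "#" starts a comment, the first value given for a keyword wins, and anything under a Match block only applies to matching connections) and reports each directive whose effective value differs from what the replies recommend: PermitRootLogin no, PasswordAuthentication no with PubkeyAuthentication yes, a low MaxAuthTries, a non-default Port and an explicit AllowUsers list. The defaults assumed for unset directives are those of current OpenSSH, and the two sample configs, their user names and the 192.0.2.0/24 range are constructed for the example.

```python
"""Audit an sshd_config against the hardening advice given in this thread."""
import re

# (directive, default when unset, acceptance test, recommended value, reason).
# Assumed defaults are current OpenSSH's; servers of the thread's era defaulted
# PermitRootLogin to "yes", which is all the more reason to set it explicitly.
CHECKS = [
    ("PermitRootLogin", "prohibit-password", lambda v: v == "no", "no",
     "log in as an unprivileged user and use su or sudo"),
    ("PermitEmptyPasswords", "no", lambda v: v == "no", "no",
     "a blank password is the first thing a scanner tries"),
    ("PasswordAuthentication", "yes", lambda v: v == "no", "no",
     "dictionary attacks only work against passwords; use public keys"),
    ("PubkeyAuthentication", "yes", lambda v: v == "yes", "yes",
     "required once passwords are switched off"),
    ("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 3, "3",
     "fewer guesses per connection before sshd drops it"),
    ("Port", "22", lambda v: v != "22", "<an uncommon port>",
     "thins out scripted scans that only probe 22 (obscurity, not security)"),
    ("AllowUsers", "", lambda v: v != "", "<your login names>",
     "user names not on the list are refused before a password is even checked"),
]


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break   # directives below apply only to matching connections; review separately
        conf.setdefault(key, value)                  # sshd keeps the first value it sees
    return conf


def audit(conf):
    """Return [(directive, effective_value, recommended, reason)] for every failed check."""
    findings = []
    for name, default, ok, recommended, reason in CHECKS:
        value = conf.get(name.lower(), default)
        if not ok(value.lower()):
            findings.append((name, value or "<unset>", recommended, reason))
    return findings


def format_findings(findings):
    """One line per finding, or a short all-clear."""
    if not findings:
        return "no findings"
    return "\n".join(f"{name}: {value} -> {rec}  ({why})" for name, value, rec, why in findings)


# Constructed: a permissive sshd_config much like a stock install of the time.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding yes
"""

# Constructed: the same server after applying the thread's advice. The user
# names and the 192.0.2.0/24 documentation range are placeholders.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers alice bob@192.0.2.0/24
X11Forwarding no
"""

if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(format_findings(audit(parse_sshd_config(fh.read()))))
    else:
        for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
            print(f"[{label}]\n{format_findings(audit(parse_sshd_config(cfg)))}\n")
```

Run it as `python3 audit_sshd.py /etc/ssh/sshd_config` (file name assumed). Two practical points when acting on its output: install your public key and confirm a key login works from a second session before setting PasswordAuthentication to no, and run `sshd -t` to syntax-check the edited file before restarting the daemon. John's tcp_wrappers suggestion lives in /etc/hosts.allow rather than sshd_config, and OpenSSH dropped libwrap support in release 6.7, so on a current server the same "only from these hosts" restriction is done with AllowUsers user@host patterns, a Match Address block, or the packet filter.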