bandit13

Todd Millecam tyggna at gmail.com
Thu Feb 5 00:32:41 MST 2015


Well, you're not really meant to read which IP addresses were blocked by
sshguard, because placing those in a single log file could open you up
to DDoS attacks, so it places them in a pretty cut-and-dry database.  You
can read it by typing:
]$ strings /var/db/sshguard/blacklist.db

As for checking for being compromised:  top and nmon are your friends, as
well as the occasional tcpdump.  ps auxxx will also help and will be
informative.  top will let you know if they're actively running anything.
Most script-kiddies want your box just for one reason: spam.  They use your
processor and RAM to try and help their financial situation.  In recent
years, they've also added bitcoin mining bots into their bag of tricks
(which is really a new breed of stupid because you can then trace them back
through the bitcoin block chain, find where they physically live, get hold
of their wallet and miner info and find them in real-life really quick).
In either of those cases, you'll see a process continually at the top of
CPU and RAM usage on top that you didn't personally spawn.   If you see
that, ps -elf will often lead you to the trojan or parent process they
installed and you can just simply delete the binary and change passwords to
lock them out.

If it's a sleeping process, then the hacker that got in wants your computer
for part of their botnet (to do DDoS attacks or help perform one-off brute
force attacks).  These are harder to detect, but they still need to do
keep-alive check-ins with their controller box, and you'll see those
connections in a tcpdump, and you'll see the sleeping process in ps auxxx,
but it just won't show up on top or nmon as often.

I don't personally use ufw, so someone else will have to help you there.

As for seeing an IP address from your local subnet: spoofing an IP address
is a common method in brute-force attacks, because they only need to
issue a command rather than get a response back to compromise the computer
(their Trojan software will give a response to them after it's installed).
sshguard, I believe, by default looks for this kind of behavior, where
someone has a MAC address that isn't seen through a local ARP and is using
an IP address not seen on the local VLAN.

On Wed, Feb 4, 2015 at 11:46 PM, Michael Havens <bmike1 at gmail.com> wrote:

> Okay Buddy,
>
> I just installed sshguard and have been reading and re-reading the man
> page and can't figure out how to look at the log file. Can you help me out?
>
>  I was wondering.... how could I tell if a hacker got into my box?
>
> After looking around a little at
> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging I found
> that for what I started this morning the log is:  /var/log/auth.log
> I just looked at that log and was wondering what it meant.
> It starts on Feb 1st and seems to just be repeating:
>
> Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed
> for user root
> Feb  1 07:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> Feb  1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user
> root by (uid=0)
> Feb  1 07:50:55 c521 sudo: pam_unix(sudo:session): session closed for user
> root
> Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session closed
> for user root
> Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session closed
> for user root
> Feb  1 08:20:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> Feb  1 08:20:33 c521 sudo: pam_unix(sudo:session): session opened for user
> root by (uid=0)
> Feb  1 08:20:56 c521 sudo: pam_unix(sudo:session): session closed for user
> root
> Feb  1 08:39:01 c521 CRON[22100]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb  1 08:39:02 c521 CRON[22100]: pam_unix(cron:session): session closed
> for user root
> Feb  1 08:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> --etc--
>
> I then looked at the other logs in /var/log and saw ufw.log and ufw.log.1.
> ufw.log is empty while ufw.log.1 contains only stuff from Jan 26 & 27:
>
> Jan 26 14:22:52 c521 kernel: [  175.220626] [UFW BLOCK] IN=eth0 OUT=
> MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10
> DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
> Jan 26 14:22:55 c521 kernel: [  178.348404] [UFW BLOCK] IN=eth0 OUT=
> MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10
> DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2
> Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:46 c521 kernel: [72648.723882] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54637 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:48 c521 kernel: [72651.308359] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54687 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:53 c521 kernel: [72656.476479] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55145 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:31:04 c521 kernel: [72666.796199] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55407 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:31:24 c521 kernel: [72687.436850] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=58810 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:32:06 c521 kernel: [72728.780502] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63010 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
>
> I just looked at the log. On the 26th it was blocking something from
> 192.168.0.10. That is my home network! I haven't had 192.168.0.10 for at
> least a year.
>
> :-)~MIKE~(-:
>
> On Wed, Feb 4, 2015 at 2:44 PM, Todd Millecam <tyggna at gmail.com> wrote:
>
>> ufw should keep the rule permanent.
>>
>> There's a program/service that will keep track of this for you
>> automatically (and do the limit brute force, and block multiple failed
>> attempts) called sshguard.  If you use that, you can see how many unique
>> IPs attempted to break into your system by reading your /etc/hosts.deny
>> file.
>>
>> For my public-facing servers, I get about 13 unique new attackers per day.
>>
>>
>>
>> On Wed, Feb 4, 2015 at 2:32 PM, Michael Havens <bmike1 at gmail.com> wrote:
>>
>>> I was wondering.... I was playing bandit and on level 13 they say some
>>> suggested reading is https://help.ubuntu.com/community/SSH/OpenSSH/Keys
>>> . I was reading that page and followed a link to
>>> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging
>>> because I always wondered how I could see how many login attempts were
>>> made to my computer (not that I think anyone will crack my password, which
>>> is greater than ten characters. Wait a second.... I do not think I ever set
>>> an ssh password. ...
>>> Guys, my web search has proven to be fruitless. What do you suggest I do?
>>>
>>> in any case, I was looking at the settings for openssh.config (or
>>> whatever the file is called) and happened upon:
>>>
>>>      Rate-limit the connections
>>>
>>> which happens to use ufw:
>>>
>>> sudo ufw limit ssh
>>>
>>> I was wondering if that command would turn it on permanently? After I
>>> entered the command it responded with something like 'new rule added' so I
>>> am assuming (I am not an ass!) that is so.
>>>
>>> I was wondering what should be changed?
>>> I am making loglevel Verbose
>>> :-)~MIKE~(-:
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> Todd Millecam
>>
>>
>
>
>



-- 
Todd Millecam
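The [UFW BLOCK] lines Mike quoted above are Netfilter's log format: KEY=VALUE fields plus bare flag tokens such as DF, SYN and ACK. As an added example, not code from anyone in this thread, here is a small Python triage script that parses those lines, names PROTO=2 as IGMP, gives each blocked packet a defender's verdict, and collapses repeats into counts; the 198.51.100.7 line is a constructed inbound SSH SYN from a documentation-range address, included so a real connection attempt shows up next to the LAN noise from the post.

```python
import ipaddress
from collections import Counter
# Constructed sample: the [UFW BLOCK] lines quoted in the thread (mail wrapping undone)
# plus one made-up inbound SSH SYN from documentation-range address 198.51.100.7.
UFW_LOG = """\
Jan 26 14:22:52 c521 kernel: [  175.220626] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
Jan 26 14:22:55 c521 kernel: [  178.348404] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 11:02:10 c521 kernel: [74574.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=198.51.100.7 DST=192.168.0.14 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""
IP_PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}  # numeric PROTO= values

def parse_ufw_line(line):
    """Turn one [UFW BLOCK] line into a dict of timestamp, KEY=VALUE fields and bare flags."""
    if "[UFW BLOCK]" not in line:
        return None
    rec = {"ts": line[:15], "flags": set()}
    for tok in line.split("[UFW BLOCK]", 1)[1].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        else:                      # DF, SYN, ACK ... are value-less flag tokens
            rec["flags"].add(tok)
    rec["PROTO"] = IP_PROTO_NAMES.get(rec.get("PROTO", ""), rec.get("PROTO", ""))
    return rec

def classify(rec):
    """Label a blocked packet the way a home-LAN defender would triage it."""
    flags, dst = rec["flags"], ipaddress.ip_address(rec["DST"])
    if dst.is_multicast:
        return "lan-multicast"     # IGMP/mDNS chatter to 224.0.0.251: LAN noise, not an intrusion
    if rec["PROTO"] == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"       # a new connection attempt reached a closed/blocked port
    if rec["PROTO"] == "TCP" and "ACK" in flags and "SYN" not in flags:
        return "stray-ack"         # late packet of a connection the firewall no longer tracks
    return "other"

def summarize(log_text):
    """Count (SRC, DST, PROTO, DPT, verdict) so repeated blocks collapse to one line each."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec:
            counts[(rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT", "-"), classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(UFW_LOG).most_common():
        print(f"{n:3d}x SRC={key[0]} DST={key[1]} {key[2]} DPT={key[3]} -> {key[4]}")
```

Run against the quoted lines, the 192.168.0.10 entries come out as IGMP to the mDNS multicast group rather than an intruder, and the port-80 ACKs as leftovers of a web connection the firewall had stopped tracking; only the constructed SYN to port 22 is a real inbound attempt worth correlating with /var/log/auth.log.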

