Got hacked?

Bryan O'Neal BONeal at cornerstonehome.com
Fri Feb 23 19:02:26 MST 2007


I port translate SSH and direct forward to a single box which I can use
to get to the rest of my network.  I only allow access from my home
network and my company network.  I can VPN into my company if I need to
get home while on the road.  I do like password authentication because I
often have to call someone (like my wife or my most trusted co-worker)
and walk them through a connection when I need information and do not
have network access.  It is easy to change a password, it is harder to
FedEx a thumb drive from the middle of the outback.

 

On my windows boxes I eliminate brute force attacks by having it lock
out any account for 2 seconds after a wrong password and 15 minutes
after 10 wrong passwords.  But I don't know how to configure this on
Linux?

 

________________________________

From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Jon
M. Hanson
Sent: Thursday, February 22, 2007 9:43 PM
To: Main PLUG discussion list
Subject: Re: Got hacked?

 

Darrin Chandler wrote: 

On Thu, Feb 22, 2007 at 09:15:27PM -0700, Jim wrote:

	Last night I came home from work and sat down at the computer. I
	noticed the lights on the DSL router were blinking very rapidly. I have
	an ftp server running on my linux box (Slackware 10.2).  So I thought
	someone might have been uploading something.
	
	Ftpwho showed no users logged in.  I checked the incoming directory and
	saw nothing there.
	
	Tcpdump showed me that they were sending something using ssh.
	
	I used find to look for anything they might have been uploading, but
	found nothing.
	
	/var/log/syslog contained the following over and over for about 4 hours
	before I got home
	
	Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0]
	printing/print_cups.c:cups_cache_reload(85)
	Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server
	localhost - Connection refused
	
	Then I found in /var/log/syslog this over and over
	
	Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow
	information for NOUSER
	
	I stopped sshd and edited /etc/sshd_config by adding the following:
	AllowUsers root jim
	AllowGroups root
	
	To test the change, I tried to log into the server via ssh and using
	another account.  It wouldn't let me log in using that other account via
	ssh.
	
	I also tried
	find / -mmin 1200 -size +100k
	and without the size option, but found nothing from the time this was
	going on.
	
	After all this I tried to send an email, but sendmail wasn't working.  I
	backed up my sendmail config files, uninstalled sendmail, reinstalled it
	and restored the config files.  Sendmail worked after that.
	
	Is there anything else I should do?

 
Look for root kits. Reinstall?
 
Stop all services that you don't actively use. For the remainder,
consider restricting them to your local network (CUPS, etc).
 
If you have a home network, consider plugging your DSL modem directly
into one PC and using that as a firewall machine. Yes, you can also use
it as a desktop if you need.
 
Is there a compelling reason you need password authentication for ssh?
It's very easy to generate public keys and use those. You can even keep
one on a thumb drive to use if you have to. Then turn OFF password
authentication (PasswordAuthentication no) in your sshd_config.
 
  

I'm guessing they got in through some kind of guest account you have
setup (but maybe didn't know about) or another common account name with
a weak password. I constantly watch my system logs and several times a
week I'll get a ton of attempts to try to brute force passwords to
various accounts through SSH.




-- 
Jon M. Hanson (N7ZVJ)
Homepage:  http://the-hansons-az.net
Weblog:    http://the-hansons-az.net/wordpress
Jabber IM: jon at the-hansons-az.net
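As an added example (not code from any of the posters), here is a Python model of the per-account lockout Bryan describes for his Windows boxes (a 2 second lockout after a wrong password, 15 minutes after 10 of them), replayed over constructed sshd syslog lines in the same style as the "Could not get shadow information for NOUSER" line Jim quoted. On Linux the real mechanism lives in PAM (pam_tally or pam_faillock, depending on the distribution) or in a log-watching tool; this script only simulates the policy so you can see how it behaves against a password-guessing run, and it also counts unsuccessful attempts per source address for triage. The hostname, PIDs, addresses (documentation ranges) and timestamps are all made up.

```python
"""Added example: replay an account-lockout policy over sample sshd log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of the sshd lines quoted in the thread.
# Host, PIDs, addresses and timestamps are made up; 192.0.2.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
Feb 21 22:11:14 ladmo sshd[26255]: Failed password for invalid user guest from 192.0.2.10 port 4011 ssh2
Feb 21 22:11:15 ladmo sshd[26257]: Failed password for invalid user test from 192.0.2.10 port 4012 ssh2
Feb 21 22:11:16 ladmo sshd[26259]: Failed password for jim from 192.0.2.10 port 4013 ssh2
Feb 21 22:11:16 ladmo sshd[26261]: Failed password for jim from 192.0.2.10 port 4014 ssh2
Feb 21 22:11:20 ladmo sshd[26263]: Failed password for jim from 192.0.2.10 port 4015 ssh2
Feb 21 22:11:25 ladmo sshd[26265]: Failed password for jim from 192.0.2.10 port 4016 ssh2
Feb 21 22:11:30 ladmo sshd[26267]: Failed password for jim from 192.0.2.10 port 4017 ssh2
Feb 21 22:11:35 ladmo sshd[26269]: Failed password for jim from 192.0.2.10 port 4018 ssh2
Feb 21 22:11:40 ladmo sshd[26271]: Failed password for jim from 192.0.2.10 port 4019 ssh2
Feb 21 22:11:45 ladmo sshd[26273]: Failed password for jim from 192.0.2.10 port 4020 ssh2
Feb 21 22:11:50 ladmo sshd[26275]: Failed password for jim from 192.0.2.10 port 4021 ssh2
Feb 21 22:11:55 ladmo sshd[26277]: Failed password for jim from 192.0.2.10 port 4022 ssh2
Feb 21 22:12:00 ladmo sshd[26279]: Failed password for jim from 192.0.2.10 port 4023 ssh2
Feb 21 22:30:00 ladmo sshd[26300]: Accepted publickey for jim from 198.51.100.5 port 5000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


class LockoutPolicy:
    """Per-account lockout: a short hold after every failure and a long hold
    once the running failure count reaches `long_after` (defaults follow the
    2 s / 15 min / 10 policy described in the thread). A success resets it."""

    def __init__(self, short=timedelta(seconds=2), long=timedelta(minutes=15), long_after=10):
        self.short, self.long, self.long_after = short, long, long_after
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, ts, success):
        """Return 'locked', 'ok' or 'failed' for an attempt on `account` at `ts`."""
        if ts < self.locked_until.get(account, ts):
            return "locked"  # rejected before the password is even evaluated
        if success:
            self.failures[account] = 0
            self.locked_until.pop(account, None)
            return "ok"
        self.failures[account] += 1
        hold = self.long if self.failures[account] >= self.long_after else self.short
        self.locked_until[account] = ts + hold
        return "failed"


def parse_line(line, year=2007):
    """Return (timestamp, user, source, success) for a login outcome line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumed 2007 here)
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    f = FAILED_RE.match(m["msg"])
    if f:
        return ts, f["user"], f["src"], False
    a = ACCEPTED_RE.match(m["msg"])
    if a:
        return ts, a["user"], a["src"], True
    return None  # e.g. the "Could not get shadow information for NOUSER" line


def replay(log_text, policy=None):
    """Feed every login outcome through the policy; return per-account decision
    counts and the number of unsuccessful attempts seen from each source."""
    policy = policy or LockoutPolicy()
    decisions = defaultdict(Counter)
    source_failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, success = parsed
        decisions[user][policy.attempt(user, ts, success)] += 1
        if not success:
            source_failures[src] += 1
    return decisions, source_failures


def noisy_sources(source_failures, threshold=10):
    """Sources at or above the threshold, candidates for a firewall rule or a closer look."""
    return sorted(src for src, n in source_failures.items() if n >= threshold)


if __name__ == "__main__":
    decisions, sources = replay(SAMPLE_LOG)
    for user, counts in decisions.items():
        print(f"{user:8s} {dict(counts)}")
    print("noisy sources:", noisy_sources(sources))
```

In the sample run the two guesses against `jim` one second apart show the short hold rejecting the second before the password is checked, the tenth failure triggers the long hold, and the later key-based login gets through once it expires and clears the counter. Counting unsuccessful attempts per source rather than per account is what catches the `guest`/`test` style sweep across many usernames, which per-account lockout alone does not slow down.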