bandit13

Michael Havens bmike1 at gmail.com
Wed Feb 4 23:46:40 MST 2015


Okay Buddy,

I just installed sshguard and have been reading and re-reading the man page
and can't figure out how to look at the log file. Can you help me out?

I was wondering.... how could I tell if a hacker got into my box?

After looking around a little at
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging I found
that for what I started this morning the log is:  /var/log/auth.log
I just looked at that log and was wondering what it meant.
It starts on Feb 1st and seems to just be repeating:

Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed for user root
Feb  1 07:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 07:50:55 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session closed for user root
Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session closed for user root
Feb  1 08:20:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 08:20:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 08:20:56 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb  1 08:39:01 c521 CRON[22100]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:39:02 c521 CRON[22100]: pam_unix(cron:session): session closed for user root
Feb  1 08:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
--etc--

I then looked at the other logs in /var/log and saw ufw.log and ufw.log.1 .
ufw.log is empty while ufw.log.1 contains only stuff from JAN 26 & 27:

Jan 26 14:22:52 c521 kernel: [  175.220626] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
Jan 26 14:22:55 c521 kernel: [  178.348404] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:46 c521 kernel: [72648.723882] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54637 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:48 c521 kernel: [72651.308359] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54687 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:53 c521 kernel: [72656.476479] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55145 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:31:04 c521 kernel: [72666.796199] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55407 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:31:24 c521 kernel: [72687.436850] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=58810 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:32:06 c521 kernel: [72728.780502] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63010 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0

I just looked at the log. On the 26th it was blocking something from
192.168.0.10. That is my home network! I haven't had 192.168.0.10 for at
least a year.

:-)~MIKE~(-:

On Wed, Feb 4, 2015 at 2:44 PM, Todd Millecam <tyggna at gmail.com> wrote:

> ufw should keep the rule permanent.
>
> There's a program/service that will keep track of this for you
> automatically (and limit brute force, and block multiple failed
> attempts) called sshguard.  If you use that, you can see how many unique
> IPs attempted to break into your system by reading your /etc/hosts.deny
> file.
>
> For my public-facing servers, I get about 13 unique new attackers per day.
>
>
>
> On Wed, Feb 4, 2015 at 2:32 PM, Michael Havens <bmike1 at gmail.com> wrote:
>
>> I was wondering.... I was playing bandit and on level 13 they say some
>> suggested reading is https://help.ubuntu.com/community/SSH/OpenSSH/Keys
>> . I was reading that page and followed a link to
>> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging
>> because I always wondered how I could see how many log-in attempts were
>> made to my computer (not that I think anyone will crack my password, which
>> is greater than ten characters). Wait a second.... I do not think I ever
>> set an ssh password. ...
>> Guys, my web search has proven to be fruitless. What do you suggest I do?
>>
>> in any case, I was looking at the settings for openssh.config (or
>> whatever the file is called) and happened upon:
>>
>>      Rate-limit the connections
>>
>> which happens to use ufw:
>>
>> sudo ufw limit ssh
>>
>> I was wondering if that command would turn it on permanently? After I
>> entered the command it responded with something like 'new rule added' so I
>> am assuming (I am not an ass!) that is so.
>>
>> I was wondering what should be changed?
>> I am making loglevel Verbose
>> :-)~MIKE~(-:
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> Todd Millecam
>
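A worked way to answer the two questions in this thread ("what do these auth.log lines mean, and how could I tell if someone got in?" and "what are these [UFW BLOCK] lines?"), as an added example that is not code from the thread or from the sshguard or ufw projects. It reads lines in the exact formats pasted above plus OpenSSH's standard "Accepted ... for USER from IP port N" and "Failed password for [invalid user] USER from IP port N" messages, which are what sshguard keys on. All sample lines are constructed for the example: the PIDs, the 203.0.113.7 / 198.51.100.9 addresses and the times are made up, and the sshd lines do not appear in the thread; the ufw lines copy two of the thread's records (rejoined onto single lines) plus one invented inbound SYN to port 22.

```python
# Added example, not code from the thread: triage helpers for the two kinds of
# lines pasted above (auth.log CRON/sudo/sshd records and ufw.log [UFW BLOCK]
# records). Sample lines are constructed; addresses, PIDs and times are made up
# except where they copy the thread's own lines.
import ipaddress
import re
from collections import Counter

# Constructed auth.log sample: CRON/sudo noise plus the sshd lines the thread
# asked about (failed and accepted logins).
AUTH_LOG = """\
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed for user root
Feb  1 07:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 09:02:10 c521 sshd[22311]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Feb  1 09:02:14 c521 sshd[22311]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Feb  1 09:02:19 c521 sshd[22315]: Failed password for root from 203.0.113.7 port 51020 ssh2
Feb  1 09:05:44 c521 sshd[22340]: Accepted password for bmike1 from 192.168.0.12 port 40210 ssh2
Feb  1 09:05:44 c521 sshd[22340]: pam_unix(sshd:session): session opened for user bmike1 by (uid=0)
"""

# Constructed ufw.log sample: the IGMP and stray-ACK records from the thread
# (wrapped lines rejoined) plus a made-up inbound SYN to port 22.
UFW_LOG = """\
Jan 26 14:22:52 c521 kernel: [  175.220626] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 11:14:02 c521 kernel: [75245.101337] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=198.51.100.9 DST=192.168.0.14 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31007 DF PROTO=TCP SPT=44120 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def triage_auth_log(text):
    """Pull the three things worth reading out of auth.log noise: failed sshd
    logins per (ip, user), every accepted sshd login (who got in, from where,
    by which method), and every sudo invocation per (user, target, command)."""
    failed, accepted, sudo = Counter(), [], Counter()
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            if m["result"] == "Failed":
                failed[(m["ip"], m["user"])] += 1
            else:
                accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo[(m["user"], m["target"], m["cmd"])] += 1
    return {"failed": failed, "accepted": accepted, "sudo": sudo}

# IANA protocol numbers: the kernel prints names for TCP/UDP/ICMP but falls
# back to the number for others (PROTO=2 in the thread is IGMP).
IP_PROTO = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}

def parse_ufw_line(line):
    """Split a [UFW BLOCK] record into KEY=VALUE fields plus bare flags
    (DF, SYN, ACK, ...). Returns None for lines that are not UFW records."""
    _, sep, rest = line.partition("[UFW BLOCK] ")
    if not sep:
        return None
    fields, flags = {}, set()
    for tok in rest.split():
        key, eq, value = tok.partition("=")
        if eq:
            fields[key] = value          # OUT= yields an empty value
        else:
            flags.add(tok)
    fields["PROTO"] = IP_PROTO.get(fields.get("PROTO"), fields.get("PROTO"))
    fields["FLAGS"] = flags
    return fields

def classify_ufw(rec):
    """Coarse triage of one blocked packet."""
    if ipaddress.ip_address(rec["DST"]).is_multicast:
        return "multicast"       # local IGMP/mDNS chatter (TTL=1), not an attack
    if rec["PROTO"] == "TCP":
        if "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"]:
            return "inbound-connection-attempt"   # someone knocking on DPT
        if "ACK" in rec["FLAGS"] and "SYN" not in rec["FLAGS"]:
            return "stray-ack"   # typically a late packet from a closed session
    return "other"

def triage_ufw_log(text):
    """Count blocked packets per (source, protocol, destination port, class)."""
    summary = Counter()
    for line in text.splitlines():
        rec = parse_ufw_line(line)
        if rec:
            summary[(rec["SRC"], rec["PROTO"], rec.get("DPT", "-"), classify_ufw(rec))] += 1
    return summary

if __name__ == "__main__":
    for name, value in triage_auth_log(AUTH_LOG).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
    for key, n in triage_ufw_log(UFW_LOG).most_common():
        print(n, *key)
```

To use it on a real box, feed `open("/var/log/auth.log").read()` and `open("/var/log/ufw.log.1").read()` to the two triage functions (on Ubuntu and Mint both files are readable only by root and the adm group, so run it with sudo). The "accepted" list is the direct answer to "did someone get in": an sshd login you did not make, from an address you do not recognise, is the thing to look for, and with `LogLevel VERBOSE` sshd also records the key fingerprint on `Accepted publickey` lines so you can tell which key was used. In the ufw summary the IGMP-to-224.0.0.251 and bare-ACK-from-port-80 records that fill the thread's log are local multicast chatter and late replies to already-closed web connections respectively; the record worth counting is the inbound SYN to a port you expose, which is what `ufw limit ssh` rate-limits.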