01-12-2009, 08:49 PM
Knapp

SSH hacked?

Today I was sitting next to my computer and I could hear the HD going on and on, like I was doing a torrent or something. I was not doing anything, so I looked to see what was running in the background. Nothing like that was. Then I looked at my firewall and saw one connection that was uploading to my computer with ssh. At this point Firestarter crashed so I could not copy down the sender's address but it was odd and ended in www.?????????????.NL


I have about 4 people that can use SSH with my computer and the whole system is set for using only gpg type passwords. So my questions are: How can I find out what was uploaded? How could I have been hacked? And, how can I stop it from happening again? For now the ssh port is closed. This is not a problem because it is only used about one time a quarter.

Thanks!
--
Douglas E Knapp

Amazon Gift Cards; let them choose!!
http://www.amazon.com/gp/product/B001078FFE?ie=UTF8&tag=seattlebujinkand&linkCode=as2&camp=1789&creative=9325&creativeASIN=B001078FFE


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
01-12-2009, 09:21 PM
NoOp

SSH hacked?

On 01/12/2009 01:49 PM, Knapp wrote:
> Today I was sitting next to my computer and I could hear the HD going on and
> on, like I was doing a torrent or something. I was not doing anything, so I
> looked to see what was running in the background. Nothing like that was.
> Then I looked at my firewall and saw one connection that was uploading to my
> computer with ssh. At this point Firestarter crashed so I could not copy
> down the sender's address but it was odd and ended in www.?????????????.NL
>
> I have about 4 people that can use SSH with my computer and the whole system
> is set for using only gpg type passwords. So my questions are; How can I
> find out what was uploaded? How could I have been hacked? And, how can I
> stop it from happening again? For now the ssh port is closed. This is not a
> problem because it is only used about one time a quarter.
> Thanks!
>
>

For where it came from, have a look in /var/log/auth.log

It should show something along the lines of:

Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
opened for user <username> by (uid=0)
Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
closed for user <username>

$ cat /var/log/auth.log |grep sshd

To stop it happening again, I'd recommend looking into denyhosts &
changing your ssh port number from the default 22. Note: changing the
port number from 22 won't stop someone that is determined to scan all of
your system for ssh, however it will stop a lot of the random script
kiddies that only scan for standard ports.





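One way to turn the grep above into a quick triage, as an added example that is not part of the thread: it parses sshd lines in the format NoOp shows, lists every accepted login with its source address, and counts failures per address the way denyhosts and fail2ban do before they block a host. The host name, addresses and user names in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown above (host name and addresses made up).
SAMPLE_AUTH_LOG = """\
Jan 12 14:06:22 myhost sshd[12412]: Accepted password for doug from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 myhost sshd[12414]: pam_unix(sshd:session): session opened for user doug by (uid=0)
Jan 12 14:10:01 myhost sshd[12500]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 12 14:10:03 myhost sshd[12501]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 12 14:10:05 myhost sshd[12502]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Jan 12 14:10:07 myhost sshd[12503]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 12 14:12:40 myhost sshd[12510]: Accepted publickey for doug from 198.51.100.7 port 40010 ssh2
Jan 12 14:15:00 myhost sshd[12520]: Failed password for doug from 203.0.113.9 port 5555 ssh2
"""

# "Accepted <method> for <user> from <ip>" and "Failed ..." lines; the pam_unix
# session lines carry no source address and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield one dict (ts, result, method, user, ip) per sshd authentication event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, threshold=3):
    """Return (accepted, suspects): successful logins as (ts, user, ip, method) and the
    source IPs with at least `threshold` failures, the signal denyhosts/fail2ban block on."""
    accepted, failures = [], Counter()
    for ev in parse_auth_log(text):
        if ev["result"] == "Accepted":
            accepted.append((ev["ts"], ev["user"], ev["ip"], ev["method"]))
        else:
            failures[ev["ip"]] += 1
    return accepted, {ip: n for ip, n in failures.items() if n >= threshold}

def risky_logins(text, threshold=3):
    """Successful logins from an address that also hammered the server: the first
    thing to check when deciding whether a session was one of the known users."""
    accepted, suspects = summarize(text, threshold)
    return [a for a in accepted if a[2] in suspects]
```

On a real host, feed it the output of `grep sshd /var/log/auth.log` (and the rotated auth.log.* files, since the session in question may already have been rotated out).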
 
01-12-2009, 09:27 PM
"Brian McKee"

SSH hacked?

On Mon, Jan 12, 2009 at 4:49 PM, Knapp <magick.crow@gmail.com> wrote:
> I have about 4 people that can use SSH with my computer and the whole system
> is set for using only gpg type passwords.

Think I'd review your sshd_config to make sure it's only taking keys
if that's what 'gpg type' passwords is supposed to imply. The only
ssh hacks I've heard of were boxes that weren't updated, or had weak
passwords. I haven't heard of a key only system being compromised if
it's updated....

Brian

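A way to do the sshd_config review Brian suggests, added here and not part of the thread: it applies sshd's own reading rules (comments ignored, keywords case-insensitive, the first value of a keyword wins, Match blocks override per host or user) and reports any setting that still lets a password be offered. The defaults are OpenSSH's documented ones and are an assumption of this example; the two sample configs are constructed.

```python
import re

# For each keyword that decides whether a password can still be offered: OpenSSH's
# documented default (assumed here; `sshd -T` prints the real effective values on a
# host) and the values a key-only server should show. ChallengeResponseAuthentication
# is included because with PAM it can still prompt for a password via keyboard-interactive.
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "challengeresponseauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("yes", {"no", "without-password", "prohibit-password"}),
}

def effective_settings(config_text):
    """Global settings as sshd reads them: comments dropped, keywords case-insensitive,
    the first occurrence of a keyword wins, parsing stops at the first Match block."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":   # conditional overrides need their own review
            break
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return {k: seen.get(k, default) for k, (default, _) in CHECKS.items()}

def audit(config_text):
    """Return (keyword, effective value) for each setting that still lets a password in."""
    eff = effective_settings(config_text)
    return [(k, v) for k, v in eff.items() if v not in CHECKS[k][1]]

# Constructed samples. WEAK looks key-only at a glance, but its second
# PasswordAuthentication line is ignored because the first one wins.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""
```

Feeding `audit` the output of `sudo sshd -T` instead of the file checks what the running daemon actually resolved, including settings pulled in from Include or Match logic that this parser deliberately stops at.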
 
01-12-2009, 09:50 PM
Lorenzo Luengo

SSH hacked?

Knapp wrote:
> Today I was sitting next to my computer and I could hear the HD going
> on and on, like I was doing a torrent or something. I was not doing
> anything, so I looked to see what was running in the background.
> Nothing like that was. Then I looked at my firewall and saw one
> connection that was uploading to my computer with ssh. At this point
> Firestarter crashed so I could not copy down the sender's address but
> it was odd and ended in www.?????????????.NL
>
> I have about 4 people that can use SSH with my computer and the whole
> system is set for using only gpg type passwords. So my questions are;
> How can I find out what was uploaded? How could I have been hacked?
> And, how can I stop it from happening again? For now the ssh port is
> closed. This is not a problem because it is only used about one time a
> quarter.
> Thanks!
I'd think of changing my password and installing the fail2ban package; it's really useful to stop people who try to break into your system by just hammering ports.

--
Lorenzo Luengo Contreras
Systems Administrator, DGEO
Universidad de Concepción
Concepción - Chile
+56-41-2207277


 
01-12-2009, 10:18 PM
Phil Tann

SSH hacked?

NoOp wrote:
> For where it came from have a look in /var/log/auth.log
>
> It should show something along the lines of:
>
> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
> from 192.168.4.103 port 54921 ssh2
> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
> opened for user <username> by (uid=0)
> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
> closed for user <username>
>
> $ cat /var/log/auth.log |grep sshd
>
> To stop it happening again, I'd recommend looking into denyhosts &
> changing your ssh port number from the default 22.
>
>
I have found from personal experience that if a "determined person"
keeps hunting they go WAY outside the range for standard ports. So I use
port 19 for ssh on a couple of systems I maintain. It's very occasional
that I even get a hit on 19.

Good Luck!

Phil Tann
phil.tann@gmail.com


 
01-12-2009, 10:39 PM
NoOp

SSH hacked?

On 01/12/2009 03:18 PM, Phil Tann wrote:
> NoOp wrote:
>> For where it came from have a look in /var/log/auth.log
>>
>> It should show something along the lines of:
>>
>> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
>> from 192.168.4.103 port 54921 ssh2
>> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
>> opened for user <username> by (uid=0)
>> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
>> closed for user <username>
>>
>> $ cat /var/log/auth.log |grep sshd
>>
>> To stop it happening again, I'd recommend looking into denyhosts &
>> changing your ssh port number from the default 22.
>>
>>
> I have found from personal experience that if a "determined person"
> keeps hunting they go WAY outside the range for standard ports. So I use
> port 19 for ssh on a couple of systems I maintain. It's very occasional
> that I even get a hit on 19.
>
> Good Luck!
>
> Phil Tann
> phil.tann@gmail.com
>
>

The only problem that I see with that is 19 is in the well known ports
range (1-1023), is used by CHARGEN in linux/unix, and does get hit as well:

<http://isc.sans.org/port.html?port=19&repax=1&tarax=2&srcax=2&percent=N&days=70>

as it was/is used to attack MS:
http://support.microsoft.com/kb/169461
[Access Violation in Dns.exe Caused by Malicious Telnet Attack]

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://en.wikipedia.org/wiki/CHARGEN

Were I you, I'd select a different port that is not commonly used.





 
01-12-2009, 10:45 PM
steve

SSH hacked?

NoOp wrote:

>
> The only problem that I see with that is 19 is in the well known ports
> range (1-1023), is used by CHARGEN in linux/unix, and does get hit as well:
>
> <http://isc.sans.org/port.html?port=19&repax=1&tarax=2&srcax=2&percent=N&days=70>
>
> as it was/is used to attack MS:
> http://support.microsoft.com/kb/169461
> [Access Violation in Dns.exe Caused by Malicious Telnet Attack]
>
> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
> http://en.wikipedia.org/wiki/CHARGEN
>
> Were I you, I'd select a different port that is not commonly used.
>
>
isn't it true though that whatever port you use, if you have it forwarded
from your router, it will show up on a scan of your external ip?





--
Steve Reilly

http://reillyblog.com





 
01-12-2009, 10:53 PM
NoOp

SSH hacked?

On 01/12/2009 03:45 PM, steve wrote:
> NoOp wrote:
>
>>
>> The only problem that I see with that is 19 is in the well known ports
>> range (1-1023), is used by CHARGEN in linux/unix, and does get hit as well:
>>
>> <http://isc.sans.org/port.html?port=19&repax=1&tarax=2&srcax=2&percent=N&days=70>
>>
>> as it was/is used to attack MS:
>> http://support.microsoft.com/kb/169461
>> [Access Violation in Dns.exe Caused by Malicious Telnet Attack]
>>
>> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>> http://en.wikipedia.org/wiki/CHARGEN
>>
>> Were I you, I'd select a different port that is not commonly used.
>>
>>
> isn't it true though that whatever port you use, if you have it forwarded
> from your router, it will show up on a scan of your external ip?
>

In general yes, but it depends on how the firewall is set up. As I
mentioned, using a different port isn't a surefire (or even proper) way
to protect ssh; it only makes it a little harder for someone targeting
port 22 directly from a standard script.





 
01-13-2009, 12:56 AM
Kent Borg

SSH hacked?

Protect ssh with the following:

1. If using passwords, use long, quality passwords--passwords that are
*not* recycled elsewhere.
2. If using keys, protect your private keys *very* carefully.
3. If offering accounts to others, worry that they also follow #1 and #2.

ssh is a very secure protocol. If you have good keys/passwords, no
script kiddie (or even serious foe) is going to break in with a
brute-force attack. Moving your sshd to an alternate port number is a
silly distraction.


-kb, the Kent who also recommends you keep your system up-to-date.


 
01-13-2009, 01:04 AM
"Beau J. Bechdol"

SSH hacked?

I don't believe it is a silly practice; it is a good idea in my opinion. Another thing to consider would be to set up port forwarding on the router so that, for example, when someone sends an ssh request to port 22, the router will forward it to the port you designated, port 2222 for example.

-Beau



On Mon, Jan 12, 2009 at 6:56 PM, Kent Borg <kentborg@borg.org> wrote:
> Protect ssh with the following:
>
> 1. If using passwords, use long, quality passwords--passwords that are
> *not* recycled elsewhere.
> 2. If using keys, protect your private keys *very* carefully.
> 3. If offering accounts to others, worry that they also follow #1 and #2.
>
> ssh is a very secure protocol. If you have good keys/passwords, no
> script kiddie (or even serious foe) is going to break in with a
> brute-force attack. Moving your sshd to an alternate port number is a
> silly distraction.
>
> -kb, the Kent who also recommends you keep your system up-to-date.



 
