[SATLUG] /var/log/secure: ssh attack
Tom Weeks
tweeksjunk2 at theweeks.org
Sun Sep 5 04:13:06 CDT 2004
On Friday 03 September 2004 06:23 pm, Luis wrote:
> It appears that some one has found out that I have been using linux.
>
> In my /var/log/secure, I have found:
>
> Failed password for illegal user admin from 202.114.88.96 port 36122 ssh2
> sshd[2479]: Failed password for illegal user test from 212.234.101.249
> port 53231 ssh2
> sshd[2573]: scanned from 66.15.86.156 with SSH-1.0-SSH_Version_Mapper.
> Don't panic.
Yeah... standard attempts when you're right on the internet...
Couple of things to do...
1) Shut off sshv1 if not already off.. It's weak and has vulnerabilities:
# cat /etc/ssh/sshd_config
...
#Port 22
Protocol 2
#Protocol 2,1
#ListenAddress 0.0.0.0
...
(The sshv1 CRC exploit is actually how Trinity hacked into the Matrix in Reloaded:
http://www.insecure.org/nmap/nmap_inthenews.html
Guess they don't even patch against 200-year-old exploits.. ;)
Unless... getting portscanned by trinity is appealing to you.. ;)
no.. never mind..
(not a word Craig!)...
next...
2) Block all SSH access except from your "Ok" IP range w/iptables
("/etc/sysconfig/iptables" in RedHat systems):
-A INPUT -p tcp -s 192.168.0.0/23 -d 0/0 -m tcp --dport 22 -j ACCEPT
...
-A INPUT -p tcp -s 0/0 -d 0/0 -j REJECT
(warning.. this last one blocks it all... only use it to lock out everything
you don't allow in. Also... stop using hosts.allow/deny after turning this
on)
3) I recommend running portsentry along with your iptables:
http://sourceforge.net/projects/sentrytools/
This'll keep portscanning kiddies off your back.
Here's an article I wrote on it:
http://www.unixreview.com/documents/s=7459/uni1030462740022/
(if anyone sees any typos.. let me know.. my glassea are proken, it's 3am, and
I'm a bit groggy...)
Cheers,
Tweeks
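As an added example (not part of Tweeks' post), here is a small script that does the two checks a practitioner would want after reading the above: it tallies the "Failed password" and "scanned from" lines from /var/log/secure per source IP and emits iptables REJECT rules in the RedHat /etc/sysconfig/iptables syntax used in the post, and it audits an sshd_config for whether SSHv1 is still permitted. The sample log lines are constructed (the three from the post plus invented repeats), the block threshold is a hypothetical policy, and the fallback default of "2,1" when no uncommented Protocol line exists is an assumption about OpenSSH of that era.

```python
"""Tally sshd brute-force noise from /var/log/secure and audit sshd_config
for SSHv1. Added example; the log format regexes target the 2004-era
"illegal user" wording as well as the later "invalid user" wording."""
import re
from collections import Counter

# Constructed sample: the three lines quoted in the post plus made-up repeats
# from the same source, and one legitimate login that must not be counted.
SAMPLE_LOG = """\
Sep  3 18:01:12 host sshd[2479]: Failed password for illegal user admin from 202.114.88.96 port 36122 ssh2
Sep  3 18:01:15 host sshd[2479]: Failed password for illegal user test from 212.234.101.249 port 53231 ssh2
Sep  3 18:01:20 host sshd[2573]: scanned from 66.15.86.156 with SSH-1.0-SSH_Version_Mapper.
Sep  3 18:02:01 host sshd[2601]: Failed password for illegal user admin from 202.114.88.96 port 36130 ssh2
Sep  3 18:02:04 host sshd[2602]: Failed password for illegal user guest from 202.114.88.96 port 36140 ssh2
Sep  3 18:02:09 host sshd[2603]: Failed password for root from 202.114.88.96 port 36150 ssh2
Sep  3 18:05:40 host sshd[2640]: Accepted publickey for tom from 192.168.1.20 port 40112 ssh2
"""

# The sshd_config fragment shown in the post (Protocol 2 only).
POST_CONFIG = """\
#Port 22
Protocol 2
#Protocol 2,1
#ListenAddress 0.0.0.0
"""

FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
SCAN_RE = re.compile(
    r"scanned from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) with (?P<banner>\S+)"
)


def parse_secure_log(lines):
    """Return per-IP failure counts, attempted user names, and per-IP
    version-mapper scan counts from an iterable of /var/log/secure lines."""
    report = {"failed": Counter(), "users": Counter(), "scanners": Counter()}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            report["failed"][m.group("ip")] += 1
            report["users"][m.group("user")] += 1
            continue
        m = SCAN_RE.search(line)
        if m:
            report["scanners"][m.group("ip")] += 1
    return report


def suggest_reject_rules(report, threshold=3):
    """Emit iptables rules (RedHat /etc/sysconfig/iptables syntax) rejecting
    port 22 from any IP with >= threshold failures or any version scan.
    The threshold is a hypothetical policy, not something from the post."""
    offenders = {ip for ip, n in report["failed"].items() if n >= threshold}
    offenders |= set(report["scanners"])
    return [f"-A INPUT -p tcp -s {ip} -m tcp --dport 22 -j REJECT"
            for ip in sorted(offenders)]


def sshv1_enabled(config_text, default="2,1"):
    """True if this sshd_config still permits protocol 1.

    Only uncommented 'Protocol' lines count ('#Protocol 2' is just a comment),
    and sshd honours the first directive it finds. If no Protocol line is set
    at all, fall back to `default`; "2,1" is assumed to be the OpenSSH default
    of that era, so an unset Protocol is reported as v1-enabled."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            versions = {v.strip() for v in parts[1].split(",")}
            return "1" in versions
    return "1" in {v.strip() for v in default.split(",")}


if __name__ == "__main__":
    rep = parse_secure_log(SAMPLE_LOG.splitlines())
    for ip, n in rep["failed"].most_common():
        print(f"{ip}: {n} failed logins")
    for ip, n in rep["scanners"].items():
        print(f"{ip}: {n} SSH version scan(s)")
    print("suggested rules:", *suggest_reject_rules(rep), sep="\n  ")
    print("post's config allows SSHv1:", sshv1_enabled(POST_CONFIG))
```

The generated REJECT rules are meant to go above the broad allow/deny pair from the post (iptables evaluates rules in order), and the config audit deliberately treats a commented-out `#Protocol 2` as "not set", since that is the mistake people make when editing sshd_config by hand.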