Getting hacking on SSH

Place to discuss Fedora and/or Red Hat
Basher52
guru
Posts: 919
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 » Fri Sep 09, 2005 2:27 am

Running FC3, kernel: 2.6.12-1.1376_FC3


The past two days I've seen this in the root mail, and a lot of them:

Failed password for invalid user richard from ::ffff:212.124.0.3 port 3546 ssh2
Invalid user alka from ::ffff:212.124.0.3
Failed password for invalid user alka from ::ffff:212.124.0.3 port 3656 ssh2
Invalid user alka from ::ffff:212.124.0.3


I've set the iptables script to drop all on 212.124.0.0/24,
but I still get these :(
I've also run 'rkhunter' with the latest update and nothing is found.

The result is:

MD5
MD5 compared: 86
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

where the 'Vulnerable applications' entry is OpenSSL 0.9.7a [ Old or patched version ], but as I've heard, this one is patched already.

Can anyone tell me some other feature to find the hole?

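The log lines quoted above are the kind of thing worth triaging automatically rather than reading out of root's mail. As an added example that is not part of the original thread, here is a small parser that walks constructed sshd log lines modelled on the ones in the post, normalizes the IPv4-mapped "::ffff:" form sshd uses when it accepted the connection on an IPv6 socket (on the wire the packet is still plain IPv4, so ordinary iptables rules apply to it), and flags sources that fail across several usernames. The sample log, hostname, PIDs, the friendly host 10.10.10.1 and the thresholds are all assumptions:

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, IPv6Address

# Constructed sample, modelled on the lines quoted in the post (not real log data).
SAMPLE_LOG = """\
Sep  9 02:11:03 fc3 sshd[4122]: Invalid user richard from ::ffff:212.124.0.3
Sep  9 02:11:05 fc3 sshd[4122]: Failed password for invalid user richard from ::ffff:212.124.0.3 port 3546 ssh2
Sep  9 02:11:09 fc3 sshd[4125]: Invalid user alka from ::ffff:212.124.0.3
Sep  9 02:11:11 fc3 sshd[4125]: Failed password for invalid user alka from ::ffff:212.124.0.3 port 3656 ssh2
Sep  9 02:12:40 fc3 sshd[4130]: Failed password for root from ::ffff:212.124.0.3 port 3701 ssh2
Sep  9 02:15:02 fc3 sshd[4140]: Accepted publickey for basher from 10.10.10.1 port 51022 ssh2
Sep  9 02:16:30 fc3 sshd[4144]: Failed password for basher from 10.10.10.1 port 51030 ssh2
"""

# "invalid user " is only present when the account does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2"
)


def normalize_addr(addr: str) -> str:
    """Return the dotted-quad form for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).

    sshd logs the peer this way when it accepted on an IPv6 socket; the packet
    itself is still IPv4, so iptables (not ip6tables) rules are what apply to it.
    """
    ip = ip_address(addr)
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_failures(log_text: str):
    """Yield (source_ip, user, is_invalid_user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield normalize_addr(m.group("addr")), m.group("user"), bool(m.group("invalid"))


def summarize(log_text: str):
    """Failures per source, usernames tried per source, and hits on non-existent accounts."""
    per_source = Counter()
    users_per_source = defaultdict(set)
    invalid_user_hits = Counter()
    for src, user, invalid in parse_failures(log_text):
        per_source[src] += 1
        users_per_source[src].add(user)
        if invalid:
            invalid_user_hits[src] += 1
    return per_source, users_per_source, invalid_user_hits


def brute_force_sources(log_text: str, min_failures: int = 3, min_users: int = 2):
    """Sources with several failures spread over several usernames: a guessing
    pattern rather than one person mistyping a password. Thresholds are assumptions."""
    per_source, users, _ = summarize(log_text)
    return sorted(src for src, n in per_source.items()
                  if n >= min_failures and len(users[src]) >= min_users)


if __name__ == "__main__":
    per_source, users, invalid = summarize(SAMPLE_LOG)
    for src in brute_force_sources(SAMPLE_LOG):
        print(f"{src}: {per_source[src]} failures, users tried: {sorted(users[src])}, "
              f"{invalid[src]} against non-existent accounts")
```

The single failure from 10.10.10.1 (one real account, one attempt) is not reported; 212.124.0.3 is, because it tried three different names, two of which do not exist. Feeding the normalized address straight into a firewall rule is exactly what the -s 212.124.0.0/24 rule in the post was meant to do, so the script is also a quick way to confirm whether that rule is actually seeing the traffic.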
Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Sep 09, 2005 6:15 am

http://www.whitedust.net/article/27/Rec ... 20Attacks/

The above article pretty much sums it up, even though I didn't see what I consider to be the best advice: restrict your SSH daemon to only allow logins from a specific address or range of addresses. I use the Shorewall firewall, which works very well, but here is an iptables example:

https://www.redhat.com/archives/rhn-use ... 00192.html

You could also specify in the sshd_config file which hosts to allow logins from.
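As an added example (not from the thread or from the OpenSSH project), the following script shows the sshd_config restriction mentioned above: a deliberately weak configuration beside a hardened one that uses AllowUsers in its user@host form, and a checker that reads both the way sshd does (keywords are case-insensitive, and when a keyword appears more than once the first occurrence wins, which is why appending a fix to the end of the file often changes nothing). The user name basher, the host 10.10.10.1 and the defaults assumed for absent keywords are illustrative assumptions about an FC3-era sshd:

```python
import shlex

# Two constructed sshd_config fragments (assumptions, not a real FC3 file).
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Only the named user, only from the named host/network, keys only, no root.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers basher@10.10.10.1 basher@10.10.10.*
"""


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> list of values.

    sshd keywords are case-insensitive, and for a keyword given more than once
    the FIRST occurrence is the one in effect, so later duplicates are ignored here
    on purpose to mirror that behaviour.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key not in settings:
            settings[key] = parts[1:]
    return settings


def audit(text: str) -> list:
    """Return findings for the settings this thread is concerned with.

    Defaults applied when a keyword is absent (Protocol 2,1; PermitRootLogin yes;
    PasswordAuthentication yes) are assumptions about an OpenSSH 3.x era daemon.
    """
    cfg = parse_sshd_config(text)
    findings = []
    if "1" in ",".join(cfg.get("protocol", ["2,1"])).split(","):
        findings.append("Protocol 1 enabled")
    if cfg.get("permitrootlogin", ["yes"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes")
    if cfg.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("PasswordAuthentication yes (password guessing possible)")
    allow = cfg.get("allowusers", [])
    if not allow:
        findings.append("no AllowUsers: any account may attempt to log in")
    elif any("@" not in pattern for pattern in allow):
        findings.append("AllowUsers entry without @host: not restricted by source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

AllowUsers only narrows who may authenticate; sshd still accepts the TCP connection and logs the refused attempt, so it complements the firewall rule in the post rather than replacing it.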

Basher52
guru
Posts: 919
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 » Fri Sep 09, 2005 6:38 am

The funny thing for me is that I DROP everything first in my iptables script, then later I add ACCEPT for the IPs I accept.
But how can SSH write these "errors" when the IP address can't even go through the firewall, and the firewall (ulog) won't show the IP address either?

Is the SSH session "before" the firewall?
Nah, can't be.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Fri Sep 09, 2005 8:27 am

Your iptables rules are obviously incorrect, or you would not see the log messages. Are you using straight iptables via /etc/sysconfig/iptables, or are you running some sort of firewall wrapper? What I usually do on individual clients is run system-config-securitylevel and set up a basic firewall (this does nothing more than create an /etc/sysconfig/iptables file and start the iptables service). I then configure the iptables file to my liking. Here's an example allowing SSH in only from one specific host (10.10.10.1) and HTTP from anywhere:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.1/32 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

After making changes to the iptables file, just restart iptables (service iptables restart).

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 » Sun Sep 11, 2005 5:07 pm

If you're running SSH open on the internet, this type of thing is going to happen; I get it a lot myself. I don't really care: my passwords are pretty safe, and they never even guess the right username (and they can't log in as root). However, if you really want, it can help to listen on a different port and have your NAT forward that instead of 22. You can listen on 22 and on another address, so it doesn't annoy you too much with your local network.

Just add a ListenAddress to your /etc/ssh/sshd_config

example:

ListenAddress 192.168.1.4:2222

Basher52
guru
Posts: 919
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 » Mon Sep 12, 2005 12:54 am

@Void:
The firewall has been checked over and over by a Linux guru friend of mine, and if he tries to connect he gets blocked in the firewall and no log like this is even shown; only the firewall log will show it, like DROP.

@X11:
I've been thinking of this, but the new port will soon be discovered and all the nasty messages will show up again.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Sep 12, 2005 7:51 am

Basher52 wrote: @Void:
The firewall has been checked over and over by a Linux guru friend of mine, and if he tries to connect he gets blocked in the firewall and no log like this is even shown; only the firewall log will show it, like DROP.

This is the way it is supposed to work, but if you are seeing the messages you say you are seeing:
Failed password for invalid user richard from ::ffff:212.124.0.3 port 3546 ssh2
Invalid user alka from ::ffff:212.124.0.3
that is not an iptables message; someone is actually connecting to your SSH daemon, which means your iptables rules are wrong somewhere. The best thing to do is to run "nmap" against your box from a machine out on the net and see what ports are open.
