Void's Forums • View topic - Getting hacking on SSH

Getting hacking on SSH

Place to discuss Fedora and/or Red Hat

Postby Basher52 » Fri Sep 09, 2005 2:27 am

Running FC3, kernel: 2.6.12-1.1376_FC3


The past two days I've seen this in the root mail,
and a lot of them:

Failed password for invalid user richard from ::ffff:212.124.0.3 port 3546 ssh2
Invalid user alka from ::ffff:212.124.0.3
Failed password for invalid user alka from ::ffff:212.124.0.3 port 3656 ssh2
Invalid user alka from ::ffff:212.124.0.3


I've set the iptables script to drop all on 212.124.0.0/24
but I still get these :(
I've also run 'rkhunter' with the latest update and nothing is found.

the result is:

MD5
MD5 compared: 86
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

where the 'Vulnerable applications' is OpenSSL 0.9.7a [ Old or patched version ], but as I've heard, this one is patched already.

Can anyone tell me some other feature to find the hole?
Basher52
guru
Posts: 907
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Postby Void Main » Fri Sep 09, 2005 6:15 am

http://www.whitedust.net/article/27/Rec ... 20Attacks/

The above article pretty much sums it up even though I didn't see what I consider to be the best advice. Restrict your SSH daemon to only allow logins from a specific address or range of addresses. I use the Shorewall firewall, which works very well, but here is an iptables example:

https://www.redhat.com/archives/rhn-use ... 00192.html

You could also specify in the sshd_config file hosts to allow logins from.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Basher52 » Fri Sep 09, 2005 6:38 am

The funny thing for me is that I DROP everything first in my iptables script, then later I add accept for the IPs I accept.
But how can SSH write these "errors" when the IP address can't even go through the firewall, and the firewall (ulog) won't show the IP address either?

Is the SSH session "before" the firewall?
Nah, can't be.
Basher52
guru
Posts: 907
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE
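
Added example (not part of any post in this thread): a small Python check that counts failed sshd logins per source and flags any source that lies inside a range the firewall is supposed to drop. It unwraps the IPv4-mapped form (`::ffff:a.b.c.d`) seen in the log lines above before comparing; the function names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First three lines are the sshd messages quoted in the first post;
# the last two are constructed (documentation address ranges).
SAMPLE_LOG = """\
Failed password for invalid user richard from ::ffff:212.124.0.3 port 3546 ssh2
Invalid user alka from ::ffff:212.124.0.3
Failed password for invalid user alka from ::ffff:212.124.0.3 port 3656 ssh2
Failed password for root from ::ffff:198.51.100.7 port 4022 ssh2
Failed password for invalid user test from 2001:db8::15 port 5100 ssh2
"""

# Only "Failed password" lines are counted, so the paired "Invalid user"
# notice for the same attempt is not counted twice.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def normalize(addr):
    """Return an ip_address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def audit(log_text, dropped_nets):
    """Count failed logins per source and flag sources inside dropped ranges."""
    nets = [ipaddress.ip_network(n) for n in dropped_nets]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[normalize(m.group(2))] += 1
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname); skip
    report = []
    for ip, n in counts.most_common():
        # A source in a dropped range that still reaches sshd means the DROP
        # rule is not matching that traffic.
        hit = any(ip.version == net.version and ip in net for net in nets)
        report.append((str(ip), n, hit))
    return report

if __name__ == "__main__":
    for ip, n, hit in audit(SAMPLE_LOG, ["212.124.0.0/24"]):
        print(f"{ip:<18} {n:>3} failed  in_dropped_range={hit}")
```
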

Postby Void Main » Fri Sep 09, 2005 8:27 am

Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby X11 » Sun Sep 11, 2005 5:07 pm

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Postby Basher52 » Mon Sep 12, 2005 12:54 am

@Void:
The firewall has been checked over and over by a LinuxGuru friend of mine, and if he tries to connect he gets blocked in the firewall and no log like this will even be shown; only the firewall log will show it, like DROP.

@X11:
I've been thinking of this, but the new port will soon be discovered and all the nasty messages will show up again.
Basher52
guru
Posts: 907
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Postby Void Main » Mon Sep 12, 2005 7:51 am

Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

