:ohdear:
I was just looking at /var/log/messages because I just crashed my kernel about 15 minutes ago (lol radeon drm)
And I just noticed that on Feb 1 I had some guy from two different IPs trying to connect to ssh. One was 124.93.240.115 and then at 12:30 pm it switched to 218.108.236.216.
The attack lasted from 10:30 am to 4:30 pm. And apparently he never even guessed my username, which is just my first name. :v:
But the odds of this guy getting in were really slim. He kept guessing different usernames, but ssh doesn't come back and say "That username is wrong, try another", it just says it couldn't log in. So if he did find my name, he'd have one shot to get my password too otherwise it'd just go straight to the next name on the list.
The funny part was I interrupted him by shutting off my PC, and I didn't even know I was being attacked.
[code]
//Thousands of Invalid user errors from sshd
Feb 1 16:33:34 gentoobox sshd[21486]: Invalid User klein from 218.108.236.216
Feb 1 16:33:34 gentoobox shutdown[21568]: shutting down for system reboot
[/code]
Apparently I had just got home from work and updated my kernel from git. :v:
So lets discuss ways to secure SSH.
I already disabled root login, now I'm going to disable password logins.
Is there some way to have sshd block somebody if they have 5 failed login attempts in a minute? I don't think it'd block them from pinging me, but sshd would just ignore whatever they sent. So even if they did find my username and my encrypted key, ssh would be like fuck you.
[editline]12:56AM[/editline]
Oh, another tip. Don't use port 22 like me.
real men use port 28 and only allow connections from certain IPs.
Wasn't me... What is your password? If it is more complicated than a dictionary word, then it wouldn't be difficult for brute force to get it.
[editline]08:10AM[/editline]
wut
fail2ban. Alternatively DenyHosts, which is probably easier to set up, but only supports SSH.
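To show what fail2ban and DenyHosts actually do with those log lines, here is an added example (not code from anyone in this thread, and not fail2ban's own code) of the sliding-window rule in Python: an address gets banned once it accumulates `maxretry` failed logins within `findtime` seconds, which is the "5 failures in a minute" the OP asked for. It is run over a handful of constructed sshd lines in the same /var/log/messages format posted above. The two attacker addresses are the ones named in the thread; the usernames, times, the accepted-login line and the year (syslog lines carry none) are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line: "Mon  D HH:MM:SS host sshd[pid]: message".
# The traditional /var/log/messages format has no year, so one is assumed.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$"
)
# The two failure shapes sshd logs: an unknown account, and a wrong password
# (for a real or an invalid user). IGNORECASE also accepts "Invalid User".
FAIL_RE = re.compile(
    r"(?:Invalid user \S+ from (?P<ip1>[\d.]+))"
    r"|(?:Failed password for (?:invalid user )?\S+ from (?P<ip2>[\d.]+))",
    re.IGNORECASE,
)
ASSUMED_YEAR = 2010  # assumption: needed only to build a full datetime

# Constructed sample log. Attacker IPs are the two from the thread; the rest
# (usernames, times, the accepted key login, the non-sshd line) is made up.
SAMPLE_LOG = """\
Feb  1 10:30:01 gentoobox sshd[20001]: Invalid user admin from 124.93.240.115
Feb  1 10:30:31 gentoobox sshd[20002]: Invalid user test from 124.93.240.115
Feb  1 10:31:01 gentoobox sshd[20003]: Failed password for invalid user test from 124.93.240.115 port 4120 ssh2
Feb  1 16:33:19 gentoobox sshd[21470]: Invalid user oracle from 218.108.236.216
Feb  1 16:33:22 gentoobox sshd[21474]: Invalid user postgres from 218.108.236.216
Feb  1 16:33:25 gentoobox sshd[21478]: Invalid user guest from 218.108.236.216
Feb  1 16:33:28 gentoobox sshd[21482]: Failed password for root from 218.108.236.216 port 4123 ssh2
Feb  1 16:33:31 gentoobox sshd[21484]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Feb  1 16:33:34 gentoobox sshd[21486]: Invalid user klein from 218.108.236.216
Feb  1 16:33:34 gentoobox shutdown[21568]: shutting down for system reboot
Feb  1 16:33:37 gentoobox sshd[21490]: Invalid user mysql from 218.108.236.216
""".splitlines()


def parse(line):
    """Return (timestamp, source_ip) for a failed-auth sshd line, else None.
    Non-sshd lines and successful logins are ignored."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}",
        "%Y %b %d %H:%M:%S",
    )
    return ts, f.group("ip1") or f.group("ip2")


def find_bans(lines, maxretry=5, findtime=60):
    """Sliding-window rule as fail2ban applies it: keep the timestamps of
    each IP's failures that fall inside the last `findtime` seconds, and ban
    the IP at the failure that makes that count reach `maxretry`.
    Returns {ip: timestamp_of_ban}. Failures after a ban are skipped, since
    the address would already be firewalled by then."""
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def ban_command(ip):
    """The kind of rule fail2ban's iptables action installs (simplified:
    fail2ban uses its own chain rather than INPUT directly)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_command(ip)}")
```

With the defaults, 218.108.236.216 is banned at its fifth failure (16:33:34, fifteen seconds after its first), while 124.93.240.115, which only produced three failures spread over a minute, is left alone; the accepted key login from 10.0.0.5 and the shutdown line are never counted. Tightening to `maxretry=3, findtime=120` catches the slow guesser as well, which is the trade-off fail2ban's `[sshd]` jail settings expose.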
[editline]02:21PM[/editline]
Happened to vladh's server as well, he told me some time ago. I should check the logs on mine sometime; they're probably doing it to mine too.
[url]http://www.configserver.com/cp/csf.html[/url]
Go.
Go go.
[QUOTE=Maccabee;20076771]Wasn't me... What is your password? If it is more complicated than a dictionary word, then it wouldn't be difficult for brute force to get it.
[editline]08:10AM[/editline]
wut[/QUOTE]
My password is just a six digit number. :v:
I think I'll change it to something more secure, but I just disabled password logins over SSH, so it doesn't matter as much anymore. So now the hacker guy would need to match one of the keys in my authorized_keys file. And he'd need to figure out the password to that key which is an 11 digit hex string.
Mine is a combination of numbers, lowercase letters, and uppercase letters.
also just numbers is very easy to crack. Your system would only have 60 possible combinations. It could probably be cracked in less than a second.
[QUOTE=ButtsexV2;20084690]Mine is a combination of numbers, lowercase letters, and uppercase letters.
also just numbers is very easy to crack. Your system would only have 60 possible combinations. It could probably be cracked in less than a second.[/QUOTE]
Actually there are 10^6 combinations for a six digit number. And that's assuming they know it's only six digits; which they won't.
And if they're just going to guess passwords through SSH, SSH has a nice feature of waiting 3 seconds before saying the login failed. So 1000 guesses would take about 3000 seconds over SSH. Which is 50 minutes.
Just looking at /var/log/messages, I could see that he was guessing one username every three seconds or so.
[QUOTE=PvtCupcakes;20085173]Actually there are 10^6 combinations for a six digit number. And that's assuming they know it's only six digits; which they won't.
And if they're just going to guess passwords through SSH, SSH has a nice feature of waiting 3 seconds before saying the login failed. So 1000 guesses would take about 3000 seconds over SSH. Which is 50 minutes.
Just looking at /var/log/messages, I could see that he was guessing one username every three seconds or so.[/QUOTE]
Yeah that's right, I was thinking 10*6 instead of 10**6.
But either way, just numbers is really easy to hack into.
[QUOTE=ButtsexV2;20086447]Yeah that's right, I was thinking 10*6 instead of 10**6.
But either way, just numbers is really easy to hack into.[/QUOTE]
+1 agree. Ratings aren't working. I hope garry didn't turn them off.
I'd so laugh if the attacker was a FP user and was reading this thread where you explained what your login name was and your password.
There may not be an actual person behind this, could just be a worm or something.
[QUOTE=ButtsexV2;20076764]real men use port 28 and only allow connections from certain IPs.[/QUOTE]
real men use certificate based authentication
[QUOTE=Roo-kie;20239271]real men use certificate based authentication[/QUOTE]
real men don't use any authentication because everyone knows they're gonna get their ass kicked if they dare connect to their server.
[QUOTE=ButtsexV2;20086447]Yeah that's right, I was thinking 10*6 instead of 10**6.
But either way, just numbers is really easy to hack into.[/QUOTE]
Assuming he knows that the password is just numbers to begin with.
I mostly rely on having password authentication disabled to guard against these attacks, but I installed [url=http://denyhosts.sourceforge.net/]DenyHosts[/url] a few days ago and I'm pretty happy with it. It keeps my logs from filling up with thousands of access-denied messages, and makes me feel safer about the idea of possibly turning password authentication back on at some point.
LoginGraceTime 2m
MaxAuthTries 6
Strong password and don't use the default port and you should be fine.
The no-root logins is also good to have.
Ya know, he's got port 22 open, why don't you just try and get him back?
[IMG]http://imgkk.com/i/crhByC.png[/IMG]
[editline]11:20PM[/editline]
PS: Dunno why it took so long to scan. Maybe he has a slow ping?
[QUOTE=Maccabee;20619839]Ya know, he's got port 22 open, why don't you just try and get him back?
[IMG]http://imgkk.com/i/crhByC.png[/IMG]
[editline]11:20PM[/editline]
PS: Dunno why it took so long to scan. Maybe he has a slow ping?[/QUOTE]
I'm too lazy to learn how to brute force. :saddowns:
My gosh man, 6 people have tried to brute force me in 3 days. I doubt anyone will be able to get past my password. I guess that's what I get for accidentally posting my ip on /g/.
I posted my IP on /g/ once. One guy pinged the crap out of me, nothing else showed up in any of my logs.
[QUOTE=ButtsexV2;20925781]I posted my IP on /g/ once. One guy pinged the crap out of me, nothing else showed up in any of my logs.[/QUOTE]
Well then you are lucky. Like I said, this is in 3 days. And between the 15th and the 20th, 14 people tried to get in. Also, one guy's IP was: 123.125.127.196 :eek:
You can and maybe should also restrict ssh access from all but a few known IP addresses and certainly limit the users allowed to ssh in. If you do those 2 things as well as changing to a higher, random, port you can greatly cut down on these brute force attempts. You should probably also disable root login and force version 2 while you're at it.
Oh, and in case the point has not yet been impressed, use a really hard password for SSH like H98f#juWdeepL&
Also, something else I read. Just add MaxAuthTries 6 (or any other number) to /etc/ssh/sshd_config, that will stop any hacker from brute forcing because they only get 6 tries.
[QUOTE=Dordixs;20977706]You can and maybe should also restrict ssh access from all but a few known IP addresses and certainly limit the users allowed to ssh in. If you do those 2 things as well as changing to a higher, random, port you can greatly cut down on these brute force attempts.[/QUOTE]
Using a non-standard port doesn't actually add any security, and if your system is already secure then it doesn't provide any added benefit. All it does is inconvenience you, the legitimate user. Restricting login to certain IPs is also likely to turn out to be an inconvenience at some point, when you want to log in from a friend's house or a café or airport or something.
[QUOTE=Dordixs;20977706]You should probably also disable root login and force version 2 while youre at it.[/QUOTE]
These ones are actually good ideas.
[QUOTE=Maccabee;20981199]Also, something else I read. Just add MaxAuthTries 6 (or any other number) to /etc/ssh/sshd_config, that will stop any hacker form brute forcing because they only get 6 tries.[/QUOTE]
The default is 6 already, but that's the limit of failed attempts [i]per connection[/i]. An attacker who fails six times and gets disconnected can just reconnect and try again, unless you're using something like [url=http://denyhosts.sourceforge.net/]DenyHosts[/url] that blocks further connections.
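Pulling the settings discussed across this thread into one place, here is an added /etc/ssh/sshd_config excerpt (an illustration, not a file posted by anyone above). The account name in AllowUsers is an assumption; the comments note which knobs are real security controls and which only cut log noise.

```conf
# Added example of an sshd_config excerpt; not from the thread.

# Only matters on OpenSSH older than 7.4; later releases removed protocol 1.
Protocol 2

# Changing the port only reduces the noise from scanners; it is not a control.
Port 22

# The OP already did both of these. With password auth off, the guesser needs
# a private key matching one in authorized_keys, not a password.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Assumption: alice is the one account that needs ssh. Anyone else is refused
# before authentication even starts.
AllowUsers alice

# MaxAuthTries is per connection: six failures end the session, but the
# attacker simply reconnects. Pair it with fail2ban or DenyHosts to block the
# address. LoginGraceTime drops connections that never finish authenticating.
MaxAuthTries 6
LoginGraceTime 2m
```

Run `sshd -t` to syntax-check the file before restarting the daemon, and keep an existing session open while you test a new one, so a typo in AllowUsers or a missing key does not lock you out.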
My school has some stuff with port 22 opened up, of which at least some seem to run Linux.