
Suspicious activities??

Got problems with your B2 or B3? Share and get helped!
trencarbe
Posts: 103
Joined: 11 Aug 2008, 16:02

Suspicious activities??

Post by trencarbe »

My hard drive is lately running a lot, although I only have the 'Up and downloads' service activated.

First:
There're no users logged on or anything. What is all this disk activity about??


Second:
This made me think of:

How & where in Bubba can I check that there's no suspicious activities going on, like ...dunno... somebody hacked into Bubba and relaying traffic, or something else??
moxieman
Posts: 21
Joined: 24 Oct 2008, 02:12

Possible Trouble Shooting Method

Post by moxieman »

Can you SSH into the server and run apt? If so, execute:

Code:

apt-get install iftop
then run iftop - it'll tell you what's going on on your network. That way if there's a connection that exists without your knowledge / permission you can identify it.
trencarbe
Posts: 103
Joined: 11 Aug 2008, 16:02

Post by trencarbe »

ok, thx!
trencarbe
Posts: 103
Joined: 11 Aug 2008, 16:02

Post by trencarbe »

My Bubba is connected to the router and accessible with ssh from outside. In

Code:

/var/log/auth.log
I noticed unauthorized login attempts.

What can be done to minimize the attempts, stop them entirely or increase the security?

Output from /var/log/auth.log:

Code:

Nov 26 08:44:27 bubba sshd[4170]: reverse mapping checking getaddrinfo for britannic-iss-medidean-working.e1-4-0-0-57.0.ar2.lon3.gblx.net failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 26 08:44:27 bubba sshd[4172]: (pam_unix) check pass; user unknown
Nov 26 08:44:27 bubba sshd[4172]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.213.54.106
Nov 26 08:44:29 bubba sshd[4170]: error: PAM: User not known to the underlying authentication module for illegal user ciaran from 64.213.54.106
Nov 26 08:44:29 bubba sshd[4170]: Failed keyboard-interactive/pam for invalid user ciaran from 64.213.54.106 port 33865 ssh2
Nov 26 08:45:01 bubba CRON[4173]: (pam_unix) session opened for user root by (uid=0)
Nov 26 08:45:08 bubba CRON[4173]: (pam_unix) session closed for user root
Nov 26 08:50:01 bubba CRON[4176]: (pam_unix) session opened for user root by (uid=0)
Nov 26 08:50:07 bubba CRON[4176]: (pam_unix) session closed for user root
Nov 26 08:50:20 bubba sshd[4179]: Invalid user cicada from 217.98.80.5
Nov 26 08:50:20 bubba sshd[4181]: (pam_unix) check pass; user unknown
Nov 26 08:50:20 bubba sshd[4181]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=poczta.dls.pl
Nov 26 08:50:22 bubba sshd[4179]: error: PAM: User not known to the underlying authentication module for illegal user cicada from poczta.dls.pl
Nov 26 08:50:22 bubba sshd[4179]: Failed keyboard-interactive/pam for invalid user cicada from 217.98.80.5 port 14702 ssh2
Xet
Posts: 53
Joined: 12 May 2008, 02:40

Post by Xet »

If you want to be able to login via ssh to your Bubba from outside your LAN, there is little you can do about the attempts.
The only thing you can do is make it hard for anyone to actually login.
That is, make your username-password combination difficult to "guess", give root and admin difficult passwords and don't give ssh access to more users than you have to.

I can write in large, red, friendly letters, but here we go anyway: Don't Panic!

:lol:
whilbone
Posts: 25
Joined: 22 Oct 2008, 03:09

Post by whilbone »

You could change the default port for ssh and/or look into some kind of software that bans brute force attacks such as denyhosts (which I run myself and I'm perfectly happy with :-)
mad
Posts: 43
Joined: 11 Oct 2008, 14:48

Post by mad »

Or look at setting up port-knocking (check out the knockd package). It's extremely simple to set up, very flexible and you avoid the connection attempts completely.
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Post by Binkem »

Can anyone post a howto for denyhosts and/or knockd?
mad
Posts: 43
Joined: 11 Oct 2008, 14:48

Post by mad »

Binkem wrote:Can anyone post a howto for denyhosts and/or knockd?
Here you go: http://forum.excito.net/viewtopic.php?t=1399
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Post by Binkem »

thanks a lot :)
MartinHageras
Posts: 17
Joined: 11 Oct 2008, 03:54

Post by MartinHageras »

My auth.log looks just like that too. Lots of random login attempts.

To secure the server I turned off "SSH over Wan". This stopped the login attempts over SSH naturally, but the log still has lots of entries:

Code:

Nov 29 10:17:02 bubba CRON[6842]: (pam_unix) session closed for user root
Nov 29 10:20:01 bubba CRON[6845]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:20:08 bubba CRON[6845]: (pam_unix) session closed for user root
Nov 29 10:25:01 bubba CRON[6857]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:25:07 bubba CRON[6857]: (pam_unix) session closed for user root
Nov 29 10:30:01 bubba CRON[6860]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:30:07 bubba CRON[6860]: (pam_unix) session closed for user root
Nov 29 10:35:01 bubba CRON[6872]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:35:08 bubba CRON[6872]: (pam_unix) session closed for user root
Nov 29 10:39:01 bubba CRON[6875]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:39:01 bubba CRON[6875]: (pam_unix) session closed for user root
Nov 29 10:40:01 bubba CRON[6888]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:40:07 bubba CRON[6888]: (pam_unix) session closed for user root
Nov 29 10:45:01 bubba CRON[6900]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:45:08 bubba CRON[6900]: (pam_unix) session closed for user root
Nov 29 10:50:01 bubba CRON[6913]: (pam_unix) session opened for user root by (uid=0)
Nov 29 10:50:07 bubba CRON[6913]: (pam_unix) session closed for user root
Every five minutes a root session opens and closes. Is it supposed to look like this?

I run the Bubba2 as a router with a Linksys router working as a switch for my home network. I don't use any of the services (except for DHCP), though most of them are enabled in the web interface.

/Martin
Hape
Posts: 53
Joined: 01 Nov 2008, 11:21

Post by Hape »

The CRON entries have absolutely nothing to do with SSH logins or 'attacks', but indicate that cron 'fires up' root to do some system tasks where root permission is needed.

I would advise you not to expose your *changed* Bubba to the internet if you are unfamiliar with these subjects.

Bubba in its standard config (factory) settings is well protected, as long as you follow the advice and use STRONG passwords.
As soon as you start tampering without knowing exactly what you are doing, you do risk opening up for intruders.

You should not be worried by "failed" or "invalid user" lines in the log, these indicate that the attempts were not successful. Either live with the fact that the internet is a hostile environment, or close all access to your Bubba from the internet.

To inspect who DID get to a login prompt, check the log for sshd lines with Accepted code:

Code:

grep 'sshd.*Accepted' /var/log/auth.log
and to see IF they got it right and actually logged in:

Code:

grep 'sshd.*session opened' /var/log/auth.log
Regards
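As an added example (not from this thread and not Excito's code), here is the triage Hape describes, carried out over a few constructed auth.log lines written in the same syslog layout the thread shows: it sets aside CRON's own root sessions, counts sshd failures per source address, collects the invalid usernames, lists every Accepted login and the sshd sessions that followed, and flags any Accepted login that came from an address that was also failing, which is the line a practitioner actually wants to see. The sample lines, including the admin user, the 192.168.1.23 address and the publickey login from 64.213.54.106, are made up for this example.

```python
import re
from collections import Counter

# Constructed sample in the syslog layout shown in the thread; these are not real log lines.
SAMPLE_AUTH_LOG = """\
Nov 26 08:44:29 bubba sshd[4170]: error: PAM: User not known to the underlying authentication module for illegal user ciaran from 64.213.54.106
Nov 26 08:44:29 bubba sshd[4170]: Failed keyboard-interactive/pam for invalid user ciaran from 64.213.54.106 port 33865 ssh2
Nov 26 08:45:01 bubba CRON[4173]: (pam_unix) session opened for user root by (uid=0)
Nov 26 08:45:08 bubba CRON[4173]: (pam_unix) session closed for user root
Nov 26 08:50:20 bubba sshd[4179]: Invalid user cicada from 217.98.80.5
Nov 26 08:50:22 bubba sshd[4179]: Failed keyboard-interactive/pam for invalid user cicada from 217.98.80.5 port 14702 ssh2
Nov 26 08:51:03 bubba sshd[4185]: Failed password for root from 217.98.80.5 port 14790 ssh2
Nov 26 09:02:11 bubba sshd[4201]: Accepted password for admin from 192.168.1.23 port 50122 ssh2
Nov 26 09:02:11 bubba sshd[4201]: (pam_unix) session opened for user admin by (uid=0)
Nov 26 09:14:40 bubba sshd[4210]: Accepted publickey for admin from 64.213.54.106 port 40110 ssh2
Nov 26 09:14:40 bubba sshd[4210]: (pam_unix) session opened for user admin by (uid=0)
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional in syslog)
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED = re.compile(r"^Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPENED = re.compile(r"session opened for user (?P<user>\S+)")


def parse_line(line):
    """Split one syslog line into (program, message); None if it is not syslog-shaped."""
    m = SYSLOG.match(line)
    if not m:
        return None
    return m.group("prog"), m.group("msg")


def triage(lines):
    """Summarise sshd activity in auth.log lines; CRON sessions are counted but not treated as logins."""
    failed_by_ip = Counter()
    invalid_users = set()
    accepted = []          # (user, method, source ip)
    sshd_sessions = []     # users for whom sshd actually opened a session
    cron_sessions = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        prog, msg = parsed
        if prog == "CRON":
            if OPENED.search(msg):
                cron_sessions += 1
            continue
        if prog != "sshd":
            continue
        if m := FAILED.match(msg):
            failed_by_ip[m.group("ip")] += 1
            if m.group("invalid"):
                invalid_users.add(m.group("user"))
        elif m := INVALID.match(msg):
            invalid_users.add(m.group("user"))
        elif m := ACCEPTED.match(msg):
            accepted.append((m.group("user"), m.group("method"), m.group("ip")))
        elif m := OPENED.search(msg):
            sshd_sessions.append(m.group("user"))
    return {
        "failed_by_ip": failed_by_ip,
        "invalid_users": sorted(invalid_users),
        "accepted": accepted,
        "sshd_sessions_opened": sshd_sessions,
        # A successful login from an address that was also guessing is the one to investigate.
        "accepted_from_bruteforcers": [a for a in accepted if a[2] in failed_by_ip],
        "cron_sessions": cron_sessions,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real file with `triage(open("/var/log/auth.log").read().splitlines())`; the regexes follow the message formats visible in the thread, so lines from other sshd versions may need the patterns adjusted.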
MartinHageras
Posts: 17
Joined: 11 Oct 2008, 03:54

Post by MartinHageras »

Ok, thanks for the info!

Will the auth.log show _all_ access attempts? Or are there some ways to connect that will not show up in the log?

I'm not sure what you mean by 'changed'. I just turned off the Wan access to SSH and FTP using the web interface.
That shouldn't make the server more vulnerable to attacks should it?
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Post by Binkem »

Two things:

1. I'm not allowed to use symbols (like , . : ' etc. etc.) in my passwords. Is this a debian-thing or would it be possible to allow these symbols to be used?

2. The login attempts seem to be coming from one single source: all user-names were starting with a C a few days ago, now all names start with F. Does this mean that there is a single hacker (botnet) behind all the hacking attempts? (just curious about this)
Hape
Posts: 53
Joined: 01 Nov 2008, 11:21

Post by Hape »

MartinHageras wrote: Will the auth.log show _all_ access attempts? Or are there some ways to connect that will not show up in the log?
It shows all the attempts LOGGING IN (to a shell).

If you enable an anonymous service (like public website), it won't show up in the auth log but in the apache log.

MartinHageras wrote: I'm not sure what you mean by 'changed'. I just turned off the Wan access to SSH and FTP using the web interface.
Changes in critical system parts, like the firewall or changes in who is allowed to log in remotely.

If you MUST be able to log in (SSH) from the outside, it would be wise to use the function of hosts.allow and hosts.deny to regulate who is allowed from where.

FIRST* include your internal network for ALL services in

Code:

# hosts.allow
# don't forget to change this into YOUR internal IP range and end with the dot!
# following line will grant access to all services to all clients connecting from an IP starting with 192.168.
ALL: 192.168.

# set up allowed clients for ssh connect:
# this IP is allowed 
sshd: 123.xyx.xyz.xyz

After doing that, block further (default) access in

Code:

# hosts.deny
# for the service sshd (ssh daemon)
sshd: ALL

# note that this does NOT block anyone from connecting to any other service like ftp, http etc.

* Be careful! Don't forget to first include your own local address in the hosts.allow or you won't be able to log in anymore!!

Best you read some info on hosts.allow / hosts.deny on internet if you are unsure if you understand it right.

Have fun!
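To make the interaction of the two files concrete, here is a small evaluator (an added example, not tcp_wrappers itself and not from this thread) that applies the lookup order tcp_wrappers uses: hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match refuses it, and a client matching neither file is allowed. It implements only the pattern forms used in Hape's files (ALL, an exact address, a trailing-dot prefix); netmasks, hostnames and EXCEPT clauses are left out. The addresses 203.0.113.7 and 192.168.1.20 are placeholders chosen for the example. The last case is the lockout Hape warns about: sshd: ALL in hosts.deny together with a hosts.allow that forgot the LAN range.

```python
def parse_access_file(text):
    """Parse the subset of hosts.allow / hosts.deny syntax used in the thread:
    one 'daemon_list : client_list' rule per line, '#' comments, commas as separators."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """ALL matches anything; a pattern ending in '.' is a dotted-prefix match; else exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def file_matches(rules, daemon, ip):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: hosts.allow match -> allow; else hosts.deny match -> deny; else allow."""
    if file_matches(parse_access_file(allow_text), daemon, ip):
        return True
    if file_matches(parse_access_file(deny_text), daemon, ip):
        return False
    return True


# Constructed configs for the example; 203.0.113.7 stands in for the one trusted outside address.
HOSTS_ALLOW = """\
# hosts.allow
ALL: 192.168.
sshd: 203.0.113.7
"""
HOSTS_DENY = """\
# hosts.deny
sshd: ALL
"""
# The mistake Hape warns about: the LAN range was never added to hosts.allow.
HOSTS_ALLOW_FORGOT_LAN = "sshd: 203.0.113.7\n"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.20"), ("sshd", "203.0.113.7"),
                       ("sshd", "64.213.54.106"), ("proftpd", "64.213.54.106")]:
        print(daemon, ip, "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ip) else "denied")
    print("LAN client with the forgotten range:",
          "allowed" if access_allowed(HOSTS_ALLOW_FORGOT_LAN, HOSTS_DENY, "sshd", "192.168.1.20") else "denied")
```

Two caveats when applying this to a real box: the deny rule only covers sshd, so ftp and http stay reachable exactly as Hape's comment says, and the files only take effect for an sshd built against libwrap. OpenSSH removed tcp_wrappers support in release 6.7, so on a current system the same restriction belongs in sshd_config (Match Address) or in the firewall instead.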