
Is this a successful intrusion

Got problems with your B2 or B3? Share and get helped!
Jonssonlae
Posts: 3
Joined: 16 Jul 2013, 18:15

Is this a successful intrusion

Post by Jonssonlae »

Been looking through auth.log and found this. I'll call my hostname "whatever" in this post.

Jul 16 22:46:25 whatever sshd[2172]: Received signal 15; terminating.
Jul 16 22:46:25 whatever sshd[593]: Server listening on 0.0.0.0 port 22.
Jul 16 22:46:25 whatever sshd[593]: Server listening on :: port 22.
Jul 16 22:47:02 whatever groupadd[793]: group added to /etc/group: name=davfs2, GID=120
Jul 16 22:47:02 whatever groupadd[793]: group added to /etc/gshadow: name=davfs2
Jul 16 22:47:02 whatever groupadd[793]: new group: name=davfs2, GID=120
Jul 16 22:47:02 whatever useradd[797]: new user: name=davfs2, UID=118, GID=120, home=/var/cache/davfs2, shell=/bin/false
Jul 16 22:47:02 whatever usermod[802]: change user 'davfs2' password
Jul 16 22:47:02 whatever chage[807]: changed password expiry for davfs2

Jul 16 22:47:09 whatever groupadd[842]: group added to /etc/group: name=fuse, GID=121
Jul 16 22:47:09 whatever groupadd[842]: group added to /etc/gshadow: name=fuse
Jul 16 22:47:09 whatever groupadd[842]: new group: name=fuse, GID=121
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Is this a successful intrusion

Post by Gordon »

It appears that you installed davfs2, a package that allows you to access files on a web-based filesystem, and fuse, a virtual file system with similar functionality.
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Is this a successful intrusion

Post by RandomUsername »

I think this was added as part of the recent upgrade. Noticed the dav user being created myself.
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: Is this a successful intrusion

Post by johannes »

Correct, davfs is needed for the Hidrive backup feature.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Jonssonlae
Posts: 3
Joined: 16 Jul 2013, 18:15

Re: Is this a successful intrusion

Post by Jonssonlae »

Thanks for the reply. I have problems with intrusion attempts via sshd. A really stubborn source is

Jul 19 06:50:01 whatever sshd[9232]: reverse mapping checking getaddrinfo for [212.252.221.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 19 06:50:02 whatever CRON[9235]: pam_unix(cron:session): session closed for user root
Jul 19 06:50:02 whatever sshd[9245]: reverse mapping checking getaddrinfo for [212.252.221.250] failed - POSSIBLE BREAK-IN ATTEMPT!

A tracert on this places the IP in Turkey, at an internet provider.

The most common intrusion attempts come from China and are not as stubborn, more port scans and logon attempts. Do you have any advice on whether I should strengthen the default firewall?
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Is this a successful intrusion

Post by RandomUsername »

I'd have a look at implementing something like fail2ban. I think there are posts on the forum about it.
gonk
Posts: 93
Joined: 30 May 2012, 01:53

Re: Is this a successful intrusion

Post by gonk »

apt-get install denyhosts
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Is this a successful intrusion

Post by Ubi »

I used to have denyhosts on my server farm, but IMO fail2ban is a much more friendly tool for beginners. My suggestion would be to start there.
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Is this a successful intrusion

Post by Gordon »

Might I ask why you have SSH access from the internet enabled anyway?

A good defence against this type of attack is to map SSH to a different port number, somewhere in the four- or five-digit range. Hackers can usually not be bothered with doing port scans anywhere above the two-digit numbers, or will confine themselves to well-known ports. For instance, I do get people trying to hack apache on port 80, but the logs only show an occasional/accidental hit on the SSL-enabled index page at port 443.

Also I installed the xtables-addons with the geoip target for iptables. This allows me to restrict access to selected ports to my own country's ISO code, thereby stopping over 99% of internet users from being even able to start attempting to break in.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Is this a successful intrusion

Post by Ubi »

And, for additional fun, if you are not using port 443 for HTTPS traffic, you can also use this as the port for SSH. Wide port scans that find open ports in strange places create interest. An open port on 443 is easily dismissed as uninteresting HTTPS.
Jonssonlae
Posts: 3
Joined: 16 Jul 2013, 18:15

Re: Is this a successful intrusion

Post by Jonssonlae »

Thanks for your replies. I have removed the sshd login option and changed my hostname. It will take me some time to think about sshd via the internet. Right now the log is 140 pages with four new people, less than 2 seconds between the entries, so they are clearly using scripts now to crack the login. You are right that I am a beginner in Linux, yet so old that DOS and NT are the environments I learned in. Possibly I will use these skills to see if I can find these guys and go Jumpin' Jack Flash with them. With this I will end the discussion, so thanks again.
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: Is this a successful intrusion

Post by Cheeseboy »

Hi,

I use denyhosts, but I find it a bit ineffective, probably because I have customized it a bit too much (because it was too effective to begin with).
I've never tried fail2ban as mentioned by Ubi.

However I do check my logs regularly, and when I find entries like yours:
Jul 19 06:50:02 whatever sshd[9245]: reverse mapping checking getaddrinfo for [212.252.221.250] failed - POSSIBLE BREAK-IN ATTEMPT!
I just add them to /etc/hosts.deny manually. Or rather with a simple script:

#!/bin/sh
# This script belongs in /usr/local/bin/denyhost.sh
# A local copy is kept in the home directory for backup reasons...
# Usage: denyhost.sh IPADDRESS   (appends "ALL: IPADDRESS" to /etc/hosts.deny)

if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi
if [ $# -ne 1 ]; then
  echo "Usage: $(basename "$0") IPADDRESS" 1>&2
  exit 1
fi
# -F: the dots in the address are literal (as a regex, "." matches any
#     character, so 212.252.221.250 would also match 212x252x221x250).
# -w: whole-word match only, so 1.2.3.4 is not "found" in 1.2.3.45.
# -i: keep case-insensitive matching for IPv6 addresses; -q: status only.
if grep -qiwF -- "$1" /etc/hosts.deny; then
	echo "$1 is already in /etc/hosts.deny."
else
	echo "ALL: $1" >> /etc/hosts.deny
	echo "$1 has been added to /etc/hosts.deny."
fi
So:

$ whois 212.252.221.250
.....
$ sudo denyhost.sh 212.252.221.250
212.252.221.250 is already in /etc/hosts.deny.
But please be aware that not all things are safe with the offending IP added to hosts.deny.
ProFTP ignores it, unless you change the original configuration http://forum.excito.net/viewtopic.php?f=9&t=4377
So does Apache.
The Web interface that comes with the Bubbas doesn't even bother to log failed login attempts in auth.log...

EDIT:
You should also be aware that /etc/hosts.allow takes precedence over /etc/hosts.deny, so if anyone has managed to put something in there, your /etc/hosts.deny entries are ignored.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Is this a successful intrusion

Post by Ubi »

Yeah, this is why I use fail2ban. It works directly on iptables and you are spared all this other configuration.

Oh, and don't worry too much about these dictionary attacks in your logs. As long as you have a non-obvious username (i.e. not admin or root or john) and a good password, these attacks are just line noise by amateurs. Installing protection would be better, but you're more likely to get hit by a bus than one of these script kiddies getting into your box.
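The threshold-then-ban logic that denyhosts and fail2ban apply, and that Cheeseboy's hosts.deny script does by hand, written out as an added example so the shape of it is visible (this is not code from the thread, from denyhosts or from fail2ban). It reads sshd lines of the kind quoted above from a constructed copy of auth.log, counts per source address the "Failed password" and "POSSIBLE BREAK-IN ATTEMPT" lines, and appends every address at or above a threshold to a hosts.deny-style file, with an exact-address check so a prefix such as 1.2.3.4 is not mistaken for 1.2.3.45. Only 212.252.221.250 is taken from the thread; the other addresses, the log contents, the temporary files and the threshold of 3 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from denyhosts/fail2ban.
# Counts failed sshd events per source address in an auth.log and emits
# "ALL: <address>" entries for a hosts.deny-style file.

# write_sample_log FILE: a constructed excerpt of /var/log/auth.log.
# Only 212.252.221.250 comes from the thread; the rest is made up.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 19 06:50:01 whatever sshd[9232]: reverse mapping checking getaddrinfo for [212.252.221.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 19 06:50:02 whatever CRON[9235]: pam_unix(cron:session): session closed for user root
Jul 19 06:50:02 whatever sshd[9245]: reverse mapping checking getaddrinfo for [212.252.221.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 19 06:50:03 whatever sshd[9245]: Failed password for invalid user admin from 212.252.221.250 port 41234 ssh2
Jul 19 06:50:04 whatever sshd[9251]: Failed password for root from 212.252.221.250 port 41240 ssh2
Jul 19 06:51:10 whatever sshd[9260]: Failed password for invalid user oracle from 198.51.100.7 port 50022 ssh2
Jul 19 06:52:00 whatever sshd[9270]: Accepted publickey for jonsson from 192.0.2.10 port 53000 ssh2
EOF
}

# ban_candidates LOGFILE THRESHOLD
# Prints one address per line for every source with at least THRESHOLD
# failed sshd events, most active first. Only sshd lines are considered,
# and only the two failure messages; a successful "Accepted" line never
# counts against an address.
ban_candidates() {
    log=$1
    threshold=$2
    grep -E 'sshd\[[0-9]+\]: .*(Failed password|POSSIBLE BREAK-IN ATTEMPT)' "$log" \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# deny_add DENYFILE ADDRESS
# Appends "ALL: ADDRESS" unless it is already present. -F keeps the dots
# literal and -w rejects partial matches (1.2.3.4 inside 1.2.3.45).
# Returns 1 when the address was already listed, 0 when it was added.
deny_add() {
    denyfile=$1
    addr=$2
    if grep -qwF -- "$addr" "$denyfile" 2>/dev/null; then
        echo "$addr is already in $denyfile"
        return 1
    fi
    printf 'ALL: %s\n' "$addr" >> "$denyfile"
    echo "$addr has been added to $denyfile"
}

# Demo run on temporary files (assumed paths; point LOG at a copy of
# /var/log/auth.log and DENY at /etc/hosts.deny, as root, for real use).
LOG=$(mktemp)
DENY=$(mktemp)
write_sample_log "$LOG"
for ip in $(ban_candidates "$LOG" 3); do
    deny_add "$DENY" "$ip"
done
echo "--- resulting deny entries ---"
cat "$DENY"
rm -f "$LOG" "$DENY"
```

With the threshold at 3 only 212.252.221.250 is listed; 198.51.100.7 with a single failure is left alone, which is the whole point of a threshold over a hand-maintained list. Entries written this way are still subject to the caveat above: hosts.deny is only consulted by tcp-wrappers-aware daemons, so a packet-filter rule, which is what fail2ban installs, covers more services.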
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Is this a successful intrusion

Post by Gordon »

The problem with these "script kiddies", as you call them, is that they don't use a single address (their own) for their attacks. As a result, if you only have a few of those guys around you'll have literally millions of lines in your firewall config in no time. That will cause an issue at some time, because all authorized traffic needs to pass all these rules as well before being accepted, meaning lengthy connect times that may approach or even surpass the timeout values of the client.

Point being that if you put up a honeypot you should expect people to go for it. To the point of SSH: if you want to be able to access your box this way while being away from home, you should consider disabling password login altogether and using certificates instead. And even that much security still makes it useful to not attract attention by having port 22 accessible to everyone.
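Gordon's advice checked mechanically, as an added example that is not code from the thread: a small sshd_config audit that reports which of the settings discussed here are still at the attack-friendly value (passwords accepted, root allowed in directly, sshd on port 22, keyboard-interactive still prompting via PAM). Two constructed configs are included, one with the keywords at what a stock sshd_config of the period gives and one hardened; the port 44322, the user name, the file paths and the treatment of unset keywords as the old OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, Port 22) are assumptions. Match blocks are not evaluated; the parser stops at the first one.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# recommendations above. Assumes "Keyword value" syntax, no Match blocks
# (parsing stops at the first one) and the old OpenSSH defaults for
# keywords that are not set.

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD, lower-cased. sshd uses the FIRST
# uncommented occurrence and keywords are case-insensitive. Prints nothing
# when the keyword is absent, in which case the compiled-in default applies.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }   # comment or blank line
        tolower($1) == "match" { exit }   # conditional section: stop here
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# value_or FILE KEYWORD DEFAULT: the configured value, or DEFAULT if unset.
value_or() {
    v=$(sshd_setting "$1" "$2")
    printf '%s\n' "${v:-$3}"
}

# sshd_findings FILE: one line per setting still at the weak value.
sshd_findings() {
    f=$1
    [ "$(value_or "$f" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication: passwords accepted, a dictionary attack can succeed"
    [ "$(value_or "$f" ChallengeResponseAuthentication yes)" = no ] \
        || echo "ChallengeResponseAuthentication: keyboard-interactive still asks for a password via PAM"
    [ "$(value_or "$f" PermitRootLogin yes)" != yes ] \
        || echo "PermitRootLogin: root, the most-guessed name, can log in directly"
    [ "$(value_or "$f" Port 22)" != 22 ] \
        || echo "Port: sshd listens on 22, the first port every scanner tries"
    [ "$(value_or "$f" PubkeyAuthentication yes)" = yes ] \
        || echo "PubkeyAuthentication: off, so nothing is left once passwords are disabled"
    return 0
}

# sshd_hardened FILE: exit status 0 when there are no findings.
sshd_hardened() { [ -z "$(sshd_findings "$1")" ]; }

# Constructed sample configs (assumed contents, not files from any Bubba).
write_weak_config() {
    cat > "$1" <<'EOF'
# Stock-looking settings: password login left at its default, root allowed.
Port 22
Protocol 2
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
# Hardened per the thread: high port, keys only, no root, named users only.
Port 44322
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers jonsson
UsePAM yes
EOF
}

# Demo run on temporary files; for a real box pass /etc/ssh/sshd_config.
W=$(mktemp); H=$(mktemp)
write_weak_config "$W"; write_hardened_config "$H"
echo "== weak config =="; sshd_findings "$W"
echo "== hardened config =="; sshd_hardened "$H" && echo "no findings"
rm -f "$W" "$H"
```

Run it against /etc/ssh/sshd_config before restarting sshd after a change, and keep an existing session open while you test the new port and a key login, so a typo in the file does not lock you out of the box.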
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: Is this a successful intrusion

Post by Ubi »

Although you are correct in theory, in my experience the fail2ban lines never really exceed a few dozen, and in the last 10 years or so I never experienced issues with oversized ban tables. So I guess everyone has to take the option most suitable to his/her situation. I guess pretty much every option has been discussed by now.