Networking Forums

sshd question

 
 
Pythoni
      11-04-2006, 06:47 AM
I am a newbie with Linux. A friend of mine set up a Linux box for me and
now I try to understand and learn about Linux.
Three days ago my Linux box stopped (dark screen, no response) and I
had to restart.
The server was possibly hacked.
How can I find out the way the hacker used against my Linux box?


Today I saw (in the log) again

Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from
201.63.24.60
Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user
piotrs from 201.63.24.60 port 46229 ssh2
Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from
201.63.24.60
Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user
misiek from 201.63.24.60 port 46309 ssh2
Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user
opel from 201.63.24.60 port 46392 ssh2
Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from
201.63.24.60
Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user
pablo from 201.63.24.60 port 46468 ssh2
Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
....
.....
....



How shall I stop hackers' attempts?
Thank you for help
L

 
Jack Snodgrass
      11-04-2006, 11:04 AM
On Fri, 03 Nov 2006 23:47:06 -0800, Pythoni wrote:

> I am a newbie with Linux. A friend of mine setup a Linux box for me and
> now I try to understand and learn about Linux.
> Three days ago my Linux box stopped (dark screen, no response) and I
> had to restart.
> The server was possibly hacked.
> How can I find out the way the hacker used against my Linux box?
>
>
> Today I saw (in the log) again
>
> Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from
> 201.63.24.60
> Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user
> piotrs from 201.63.24.60 port 46229 ssh2
> Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from
> 201.63.24.60
> Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user
> misiek from 201.63.24.60 port 46309 ssh2
> Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
> Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user
> opel from 201.63.24.60 port 46392 ssh2
> Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from
> 201.63.24.60
> Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user
> pablo from 201.63.24.60 port 46468 ssh2
> Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> ...
> ....
> ...
>
>
>
> How shall I stop hackers' attempts?
> Thank you for help
> L



Couple of things on securing ssh.

1) Do you really need outside access to your box?
If not, make ssh bind to your local, private
IP address.

2) If you need outside access, disable passwords and only use
keys. This means that anyone that wants to connect has to
already have an ssh setup on your box. In the sshd_config file
use:
PasswordAuthentication no
Just make sure you have your keys set up so you can access it.

3) Do you have a list of specific IP addresses that will use ssh to
connect to your box? If so, use iptables to limit what IP addresses
can use port 22.

If you only use keys, that will reduce the guessing at userids and
passwords. If you can further limit access by IP address, that will
reduce hack attempts even more.

--
D.A.M. - Mothers Against Dyslexia

see http://www.jacksnodgrass.com for my contact info.

jack - Grapevine/Richardson
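The three points above, written out as an added example (this is not code from the thread or from any sshd distribution): a hardened sshd_config fragment, the iptables rules that limit port 22 to known sources, and a small audit function that flags the weak settings in an existing file. The private address 192.168.1.10, the account name "lad", the management network 192.168.1.0/24 and the trusted host 203.0.113.5 are assumptions; the defaults the audit assumes for a missing keyword (passwords and root login on) are the 2006-era OpenSSH ones, and Match blocks are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): hardened sshd_config, iptables rules for
# port 22, and an audit of an existing sshd_config for the weak settings.
# Addresses and the account name are assumptions.

# 1) + 2) Hardened settings. sshd honours the FIRST occurrence of a keyword, so
# put these at the top of /etc/ssh/sshd_config or delete the distribution's lines.
hardened_sshd_config() {
    cat <<'EOF'
# Bind to the private address only (assumed 192.168.1.10) when the box
# does not need SSH from the Internet.
ListenAddress 192.168.1.10
# Keys only: with no password prompt there is nothing for a script to guess.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Never let root in over the network; log in as a user and su/sudo.
PermitRootLogin no
# Only this account (assumed name) may log in at all.
AllowUsers lad
# Three tries and 30 seconds per connection, then it is dropped.
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# 3) Restrict port 22 to known sources. Printed, not run: pipe to sh as root
# once the addresses are right. Order matters: ACCEPTs before the final DROP.
ssh_firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 203.0.113.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# audit_sshd_config FILE: print one WEAK line per problem, exit 1 if any.
# Only the first uncommented occurrence of a keyword counts, a missing keyword
# means the default (assumed: the 2006-era defaults), Match blocks are ignored.
audit_sshd_config() {
    awk '
    function setting(key, def) { return (key in seen) ? seen[key] : def }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { key = tolower($1); if (!(key in seen)) seen[key] = tolower($2) }
    END {
        bad = 0
        if (setting("passwordauthentication", "yes") == "yes") {
            print "WEAK: PasswordAuthentication yes (password guessing possible)"; bad++ }
        if (setting("permitrootlogin", "yes") == "yes") {
            print "WEAK: PermitRootLogin yes (one guess away from root)"; bad++ }
        if (!("allowusers" in seen) && !("allowgroups" in seen)) {
            print "WEAK: no AllowUsers/AllowGroups (every account is a target)"; bad++ }
        if (setting("protocol", "2") != "2") {
            print "WEAK: Protocol allows SSH-1"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# A typical distribution default of the time, constructed for checking the audit.
weak_sshd_config() {
    cat <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
}

# Usage on the box:  audit_sshd_config /etc/ssh/sshd_config
# After editing, test the new config before restarting sshd:  sshd -t
```

Run the audit against the real file first; the point of the weak_sshd_config function is only to show what the audit flags. Restart sshd only after "sshd -t" reports no errors, and keep the session you are editing from open until a second login with the new settings succeeds.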
 
Jack Snodgrass
      11-04-2006, 11:33 AM
On Fri, 03 Nov 2006 23:47:06 -0800, Pythoni wrote:

> I am a newbie with Linux. A friend of mine setup a Linux box for me and
> now I try to understand and learn about Linux.
> Three days ago my Linux box stopped (dark screen, no response) and I
> had to restart.
> The server was possibly hacked.
> How can I find out the way the hacker used against my Linux box?


You can use
rpm -V package-name
to verify that the files that came with an RPM are the files
that are on your system. It might be useful.
rpm -V util-linux
will tell you if someone changed any files that were part of util-linux.
You can
rpm -qf util-linux
to get a list of files in the rpm.

jack

>
>
> How shall I stop hackers' attempts?
> Thank you for help
> L


--
D.A.M. - Mothers Against Dyslexia

see http://www.jacksnodgrass.com for my contact info.

jack - Grapevine/Richardson
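An added example of putting rpm -V to use across the whole system (not code from the thread): rpm -Va prints one line per file that differs from the package database, and the function below sorts those lines into the ones that look like a replaced binary and the ones that are routine. Two notes on the flags above: "rpm -ql PACKAGE" is the one that lists a package's files, while "rpm -qf FILE" goes the other way and names the package that owns FILE. The sample rpm -V lines are constructed for the check, not output from the box in question.

```shell
#!/bin/sh
# Added example (not from the thread): triage of "rpm -V" output.
#
# rpm -V prints a column of flags, an optional file-type letter (c = config,
# d = documentation), then the path:
#   S size  M mode  5 digest  D device  L link target  U user  G group
#   T mtime  P capabilities   "." unchanged   "missing" = file is gone
#
# triage_rpm_verify: rpm -V lines on stdin -> SUSPECT / MISSING /
# CONFIG-CHANGED / INFO plus the path. A changed digest or size on anything
# that is not a config file is what a replaced binary looks like.
triage_rpm_verify() {
    awk '
    NF == 0 { next }
    {
        flags = $1
        if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
        else                             { type = "";  path = $2 }
        if (flags == "missing") { print "MISSING " path; next }
        if (index(flags, "5") || index(flags, "S")) {
            if (type == "c") print "CONFIG-CHANGED " path   # admins edit these
            else             print "SUSPECT " path          # contents replaced
            next
        }
        if (flags ~ /[MDLUGP]/) { print "SUSPECT " path; next }  # perms/owner/link
        print "INFO " path                                         # mtime only
    }'
}

# Constructed sample of what rpm -V can print (not real output from the box).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/w
missing      /usr/sbin/lsof
..5....T.    /sbin/ifconfig
.M.......    /usr/bin/passwd
EOF
}

# Whole-system run, as you would do it on the box:
#   rpm -Va 2>/dev/null | triage_rpm_verify | grep -v '^INFO' | sort
# On a box you suspect, rpm and its database may have been replaced as well.
# Boot rescue media and check the mounted disk instead:
#   rpm -Va --root /mnt/sysimage
```

The "ls", "ifconfig", "passwd" and "lsof" lines in the sample are the shape a rootkit leaves behind: system binaries whose size or digest no longer match the package, or that are simply gone. A changed config file under /etc is normally the admin's own editing. Treat a clean rpm -Va on a box that was really compromised with suspicion too, since the intruder could have rebuilt the database.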
 
Jiri Slaby
      11-04-2006, 11:34 AM
Pythoni wrote:
> I am a newbie with Linux. A friend of mine setup a Linux box for me and
> now I try to understand and learn about Linux.
> Three days ago my Linux box stopped (dark screen, no response) and I
> had to restart.
> The server was possibly hacked.
> How can I find out the way the hacker used against my Linux box?


Not so easy. Compare the system with your backups, package lists, whatever (be
sure they are not affected by the cracker too). There may be a rootkit screwed in,
which may be hard to find. Try a rootkit finder or something to detect such a piece
of ...

> Today I saw (in the log) again
>
> Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from
> 201.63.24.60
> Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user
> piotrs from 201.63.24.60 port 46229 ssh2
> Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from
> 201.63.24.60
> Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user
> misiek from 201.63.24.60 port 46309 ssh2
> Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
> Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user
> opel from 201.63.24.60 port 46392 ssh2
> Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from
> 201.63.24.60
> Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user
> pablo from 201.63.24.60 port 46468 ssh2
> Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> ...
> ....
> ...


This is normal if you have and want port 22 open. However, you may use port
knocking.

> How shall I stop hackers' attempts?
> Thank you for help


It's hard. There are many ways to achieve a more secured box. You may block
IPs where the attacks come from, by logwatch for example. You may permit root to
log on via ssh. You should choose a strong password or permit login only by keys.

regards,
--
http://www.fi.muni.cz/~xslaby/ Jiri Slaby
 
Pythoni
      11-04-2006, 03:54 PM

>
> Couple of things on securing ssh.
>
> 1) Do you really need outside access to your box?
> if not, make ssh bind to your local, private
> ip address.
>
> 2) if you need outside access, disable passwords and only use
> keys. This means that anyone that wants to connect has to
> already have a ssh setup on your box. in the sshd_config file
> use:
> PasswordAuthentication no
> just make sure you have your keys set up so you can access it.



Thank you all for help

Jack, how can I use keys instead of passwords?

Jiri Slaby, you mentioned that a system can be infected. How can I
check that?

Thank you for replies
Lad.

 
Jiri Slaby
      11-04-2006, 04:46 PM
Pythoni wrote:
>> Couple of things on securing ssh.
>>
>> 1) Do you really need outside access to your box?
>> if not, make ssh bind to your local, private
>> ip address.
>>
>> 2) if you need outside access, disable passwords and only use
>> keys. This means that anyone that wants to connect has to
>> already have a ssh setup on your box. in the sshd_config file
>> use:
>> PasswordAuthentication no


here ^^^

>> just make sure you have your keys set up so you can access it.

>
>
> Thank you all for help
>
> Jack, how can I use keys instead of passwords?


see above + search the net for 'ssh key login' or something (hint: ssh-keygen)

> Jiri Slaby, you mentioned that a system can be infected. How can I
> check that?


If the intruder was in, it's not so easy to detect if he is good at it; try some
rootkit finder as I mentioned before and check your files-from-packages checksum
as jack suggested (rpm -V or whichever packaging system you use) or compare with
backups.

regards,
--
http://www.fi.muni.cz/~xslaby/ Jiri Slaby
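The ssh-keygen route in Jiri's hint, spelled out as an added example (not code from the thread or from OpenSSH itself): make a key pair on the client, install the public half on the server with the permissions sshd requires, and prove the key works before switching PasswordAuthentication off. The key file name, the remote host "myhope" and the account "lad" are assumptions, as is ed25519, which needs OpenSSH 6.5 or newer; a 2006-era box would use "ssh-keygen -t rsa -b 4096" instead.

```shell
#!/bin/sh
# Added example (not from the thread): key-based ssh login in three steps.
# Key file name, host "myhope" and account "lad" are assumptions.

# Step 1, on the CLIENT: make a key pair. Call with one argument to be prompted
# for a passphrase (recommended; ssh-agent then asks once per session).
# ed25519 needs OpenSSH 6.5+; on an older box use: ssh-keygen -t rsa -b 4096
make_client_key() {
    key="$1"
    [ -f "$key" ] && return 0               # never overwrite an existing key
    ( umask 077                             # private key unreadable by others
      mkdir -p "$(dirname "$key")"
      if [ $# -ge 2 ]; then ssh-keygen -q -t ed25519 -f "$key" -N "$2"
      else                  ssh-keygen -q -t ed25519 -f "$key"
      fi )
}

# Step 2, on the SERVER: append the PUBLIC key (the .pub file, never the
# private one) to ~/.ssh/authorized_keys of the account you log in as.
# sshd with StrictModes (the default) silently ignores the file unless ~/.ssh
# is 0700 and authorized_keys is 0600, and then falls back to asking for a
# password; that is the usual reason "my key does not work".
install_authorized_key() {
    pub="$1"; home="${2:-$HOME}"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # add the line only once, however often this is run
    grep -qxF -e "$(cat "$pub")" "$home/.ssh/authorized_keys" ||
        cat "$pub" >> "$home/.ssh/authorized_keys"
}

# Number of keys in an authorized_keys file (one "ssh-*" / "ecdsa-*" line each).
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1"
}

# True when the permissions sshd insists on are in place.
authorized_keys_perms_ok() {
    home="${1:-$HOME}"
    [ -n "$(find "$home/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Step 3, from the CLIENT, BEFORE setting "PasswordAuthentication no": prove
# the key alone gets you in. Keep your current session open while you do it;
# if this fails after passwords are already off, you are locked out.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey -i "$1" "$2" true
}
# e.g.  verify_key_login ~/.ssh/id_ed25519 lad@myhope && echo "key login works"
```

The order matters: only after verify_key_login succeeds from a second terminal do you set PasswordAuthentication no in sshd_config and restart sshd, and only then does the guessing in the log become harmless.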
 
John Thompson
      11-04-2006, 07:05 PM
On 2006-11-04, Pythoni <(E-Mail Removed)> wrote:

> Three days ago my Linux box stopped (dark screen, no response) and I
> had to restart.
> The server was possibly hacked.


If it was hacked, you should take it off the net, wipe and reinstall
before coming back on the net.

> How can I find out the way the hacker used against my Linux box?


First you have to determine if it actually was hacked. That's a job for
an expert.

> Today I saw (in the log) again
>
> Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from
> 201.63.24.60
> Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user
> piotrs from 201.63.24.60 port 46229 ssh2
> Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from
> 201.63.24.60
> Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user
> misiek from 201.63.24.60 port 46309 ssh2
> Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
> Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user
> opel from 201.63.24.60 port 46392 ssh2
> Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from
> 201.63.24.60
> Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user
> pablo from 201.63.24.60 port 46468 ssh2
> Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking
> getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
> ...
> ....
> ...
>
> How shall I stop hackers' attempts?


These are scripted attacks looking for weak passwords. You'll get
hundreds of them daily. You have to make sure your system is secure.
Disable any services you don't actually use or need, e.g. telnet, ftp,
apache, etc. Configure the services you do need to only accept
connections from trusted users and/or addresses. Many programs can use
tcp_wrappers, which allows inetd or xinetd to limit connections to
user-defined patterns. Sshd can be configured to only allow access by
certain users -- read "man sshd_config" and at a minimum deny root
logins over ssh. This will force attackers to guess two passwords
instead of only one and will make exploit attempts more obvious. Use a
script like "breakinguard" (http://breakinguard.sourceforge.net/) to
temporarily block connection attempts after a number of failed attempts.

--

John ((E-Mail Removed))
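What breakinguard-style scripts and the "block IPs where the attacks come from" idea in Jiri's reply actually do, as an added example written here rather than taken from the thread or from breakinguard: count "Failed password" lines per source address, skip a trusted network, and emit the iptables rule for each offender. The log lines are constructed in the format of the ones Pythoni posted (the 201.63.24.60 entries follow his, the other two addresses and the account "lad" are made up), and the trusted network 192.168.1.0/24 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): block sources with repeated failed
# ssh logins. Sample log lines are constructed; 192.168.1.0/24 is assumed
# to be the trusted management network.

# Constructed sample in the format of /var/log/secure (or auth.log).
sample_auth_log() {
    cat <<'EOF'
Nov  4 07:21:45 myhope sshd[24543]: Invalid user piotrs from 201.63.24.60
Nov  4 07:21:45 myhope sshd[24543]: Failed password for invalid user piotrs from 201.63.24.60 port 46229 ssh2
Nov  4 07:21:48 myhope sshd[24545]: Failed password for invalid user misiek from 201.63.24.60 port 46309 ssh2
Nov  4 07:21:50 myhope sshd[24547]: Failed password for invalid user opel from 201.63.24.60 port 46392 ssh2
Nov  4 07:21:59 myhope sshd[24549]: Failed password for invalid user pablo from 201.63.24.60 port 46468 ssh2
Nov  4 07:22:01 myhope sshd[24551]: Failed password for root from 201.63.24.60 port 46500 ssh2
Nov  4 07:30:12 myhope sshd[24601]: Failed password for lad from 192.168.1.20 port 51002 ssh2
Nov  4 07:30:20 myhope sshd[24601]: Accepted publickey for lad from 192.168.1.20 port 51002 ssh2
Nov  4 07:41:03 myhope sshd[24700]: Failed password for invalid user admin from 10.9.8.7 port 3344 ssh2
EOF
}

# offenders THRESHOLD: log on stdin -> "IP COUNT" for every source with at
# least THRESHOLD failed password attempts. Only sshd "Failed password" lines
# count; "Invalid user" lines are the same attempt logged twice.
offenders() {
    awk -v limit="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }' | sort
}

# Never block the network you administer from (assumption: 192.168.1.0/24),
# or a mistyped password of your own locks you out.
is_trusted() {
    case "$1" in 192.168.1.*) return 0 ;; *) return 1 ;; esac
}

# block_rules THRESHOLD: print one iptables command per offender. Printed, not
# run: inspect, then pipe to sh as root. "-I" puts the DROP at the top of the
# chain so it wins over any ACCEPT that follows.
block_rules() {
    offenders "$1" | while read -r ip count; do
        is_trusted "$ip" && continue
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP   # $count failures"
    done
}

# e.g. from cron:  block_rules 5 < /var/log/secure | sh
```

In the sample, threshold 3 blocks only 201.63.24.60 (five failures), while 192.168.1.20 is skipped as trusted even at threshold 1. A script like this never removes the rules it adds, so either flush them periodically or let the kernel do the counting: iptables' "recent" match ("-m recent --set" on new port-22 connections, then "-m recent --update --seconds 60 --hitcount 4 -j DROP") rate-limits per source and expires on its own, without parsing logs at all.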