Stopping hack attempts

 
 
Gary

 
      05-12-2006, 04:33 PM
First, I apologize in advance for being such a noobie in the Linux system.
I have lots of years in computers but this is my first Linux box setup.

We are running Debian with the INN newsgroup software, and it seems someone
is attempting to hack in or DOS the server since the auth.log file shows
multiple connection attempts from one IP, repeating every day from other
IPs. So someone is probably using a trojan or hack or whatever, to use
these systems to do the attacks.

My questions are...

1) Is there a program that already exists, where that log file could be
actively scanned, and if those types of entries appear they could be added
to some form of block list?

2) In Windows, there is the "hosts" file that you can use to block IPs...
is there a similar feature in Linux?

3) Ultimately, however it could be accomplished... would blocking those
IPs actually stop the network traffic and reduce the load on the server as
it tries to process them? Is there a better way?

I have piles of programming experience, but have done nothing in this
platform. I am not asking anyone to teach me, for if I am pointed in the
right direction I will work hard to figure out what's needed and attempt to
ask much more informed questions when I get stuck.

Thanks ever so much in advance for any assistance you can provide.

Gary


 
 
 
 
 
Bit Twister

 
      05-12-2006, 04:57 PM
On Fri, 12 May 2006 16:33:45 GMT, Gary wrote:
> First, I apologize in advance for being such a noobie in the Linux system.
> I have lots of years in computers but this is my first Linux box setup.
>
> We are running Debian with the INN newsgroup software, and it seems someone
> is attempting to hack in or DOS the server since the auth.log file shows
> multiple connection attempts from one IP, repeating every day from other
> IPs. So someone is probably using a trojan or hack or whatever, to use
> these systems to do the attacks.
>
> My questions are...
>
> 1) Is there a program that already exists, where that log file could be
> actively scanned, and if those types of entries appear they could be added
> to some form of block list?


Yes, you could.

>
> 2) In Windows, there is the "hosts" file that you can use to block IPs...
> is there a similar feature in Linux?


Oddly enough, it is called /etc/hosts

> 3) Ultimately, however it could be accomplished... would blocking those
> IPs actually stop the network traffic and reduce the load on the server as
> it tries to process them?


Blocking the attempt is less load and improves security but there is
very little you can do to stop the network traffic attempts.

> Is there a better way?


Yes.
First thing is to block all inbound attempts with your firewall.
Then set the firewall to allow only trusted ip addresses to connect to any
needed service. If the service is for the world to use, you can then use the
firewall logs to create a blacklist.

I use a blacklist to mute normal internet noise attempts.
Now all you have to do is learn how to manage your firewall rules.

man iptables for your basic commands.

You can pick other frontends for iptables management. I happen to use
Shorewall which is the default supplied by Mandriva Linux. No idea
what is supplied by your Debian vendor.
 
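The firewall layout Bit Twister describes (drop all inbound by default, then open the needed service only to trusted addresses, with a blacklist dropped ahead of everything) written out as an added example; this is not code from the thread or from any of the posters. It assumes a TCP service port (119 for NNTP), trusted networks given as space-separated CIDRs, and a blacklist file with one address or CIDR per line; the sample blacklist is constructed. It prints the iptables commands instead of running them so the rule set can be read before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables INPUT
# chain that drops everything by default, drops a blacklist first, and
# opens the service port only to trusted networks.
#
# Assumptions: $1 is a TCP port, $2 a space-separated list of trusted
# CIDRs, $3 a blacklist file ('#' and blank lines ignored). The classic
# "-m state" match is used; newer kernels accept "-m conntrack --ctstate"
# as the equivalent.
build_firewall_rules() {
    port="$1"
    trusted="$2"
    blacklist="$3"

    echo "iptables -F INPUT"
    # Loopback and replies to connections this host opened stay allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Blacklisted sources go before any ACCEPT so they can never match one.
    grep -v '^#' "$blacklist" | grep -v '^[[:space:]]*$' | while read -r bad; do
        echo "iptables -A INPUT -s $bad -j DROP"
    done
    # Only trusted networks may open new connections to the service.
    for net in $trusted; do
        echo "iptables -A INPUT -p tcp -s $net --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate limited) whatever falls through; the policy then drops it,
    # and these log lines are the raw material for the blacklist.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    # Policy is set last so an admin session is never cut off while the
    # ESTABLISHED rule is not yet in place.
    echo "iptables -P INPUT DROP"
}

# Constructed sample blacklist (documentation addresses, not real hosts).
SAMPLE_BLACKLIST=$(mktemp)
cat > "$SAMPLE_BLACKLIST" <<'EOF'
# constructed sample: one host and one network
192.0.2.10
198.51.100.0/24
EOF

# Review the output, then apply with:  build_firewall_rules ... | sh
build_firewall_rules 119 "203.0.113.0/24 10.0.0.0/8" "$SAMPLE_BLACKLIST"
```

If the box is administered over SSH, the admin network needs its own ACCEPT rule for port 22 before this is applied, otherwise the DROP policy locks the session out.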
 
Unruh

 
      05-12-2006, 05:30 PM
"Gary" <(E-Mail Removed)> writes:

>First, I apologize in advance for being such a noobie in the Linux system.
>I have lots of years in computers but this is my first Linux box setup.


>We are running Debian with the INN newsgroup software, and it seems someone
>is attempting to hack in or DOS the server since the auth.log file shows
>multiple connection attempts from one IP, repeating every day from other
>IPs. So someone is probably using a trojan or hack or whatever, to use
>these systems to do the attacks.


>My questions are...


>1) Is there a program that already exists, where that log file could be
>actively scanned, and if those types of entries appear they could be added
>to some form of block list?


The internet is free. Anyone can plug in any address they want to. Thus it
becomes up to you to protect yourself. It sounds like there are just
attempts. You do not say what kind of attempts. You should certainly lock
down your server so that only those hosts whom you want to serve can be
served. However first look to see what those attempts are. Are they ssh
attempts, are they attempts specifically at your server? Post some of the
entries from your logs.

Such programs exist, but it is not at all clear to me that they are worth
anything. Your system must still interact with them. Also as a news server
you are presumably only serving a select bunch of IP addresses. Have your
firewall software eliminate anything except from those select addresses.



>2) In Windows, there is the "hosts" file that you can use to block IPs...
>is there a similar feature in Linux?


/etc/hosts
but it is not for blocking
Or maybe you mean
/etc/hosts.allow and /etc/hosts.deny for programs which use tcpwrapper.


>3) Ultimately, however it could be accomplished... would blocking those
>IPs actually stop the network traffic and reduce the load on the server as
>it tries to process them? Is there a better way?


What is the load now?


>I have piles of programming experience, but have done nothing in this
>platform. I am not asking anyone to teach me, for if I am pointed in the
>right direction I will work hard to figure out what's needed and attempt to
>ask much more informed questions when I get stuck.


>Thanks ever so much in advance for any assistance you can provide.


>Gary



 
 
Hufnus

 
      05-12-2006, 06:14 PM
On Fri, 12 May 2006 16:33:45 GMT
"Gary" <(E-Mail Removed)> wrote:

> someone is attempting to hack in or DOS the server since
> the auth.log file shows multiple connection attempts from one
> IP, repeating every day from other IPs. So someone is
> probably using a trojan or hack or whatever, to use these
> systems to do the attacks.
>
> My questions are...
>
> 1) Is there a program that already exists, where that log
> file could be actively scanned, and if those types of entries
> appear they could be added to some form of block list?
>
> 3) Ultimately, however it could be accomplished... would
> blocking those IPs actually stop the network traffic and
> reduce the load on the server as it tries to process them?
> Is there a better way?


Iptables is very good in blocking IP and port vulnerabilities.
However, if you really have an intruder, they have probably
deposited a trojan somewhere to allow them some kind of shell
or executable access to your system.

In the case of individual intruders using trojans, I found it
best to run a background monitor with a cleaner, that you
configure for the hacker(s) in question and/or the type of
tampering they are attempting.

When I was under constant intruder attacks, this approach
succeeded in making it a pain for hackers to constantly be
adjusting to my countermeasures, when there were so many other
targets they could more easily invade.

The anti-intruder monitor is called surivno and you run it from
your crontab. It is included in the following archive and might
help:

ftp://ftp.sysdev.org/pub/lintools/LT...i486-3.tar.bz2

TonyB

--
SYSDEV INC. http://www.sysdev.org
System Tools / Utilities
WIntel / Linux Device Drivers

 
 
Gary

 
      05-13-2006, 01:10 AM
Many thanks for the tips Bit Twister, Unruh and Hufnus. Lots of
possibilities to explore and lots of man reading to do. I appreciate the
advice and fast responses...


 
 
Peter Lowrie

 
      05-13-2006, 01:27 AM
Gary wrote:

> is attempting to hack in or DOS the server since the auth.log file shows
> multiple connection attempts from one IP, repeating every day from other
> IPs. So someone is probably using a trojan or hack or whatever, to use
> these systems to do the attacks.


Provided you have strong passwords the hack attempts will always fail.
They're probably using some sort of password guessing program and hitting
on all sorts of user names up and down the open ports and with ssh.

> 1) Is there a program that already exists, where that log file could be
> actively scanned, and if those types of entries appear they could be added
> to some form of block list?


Yes, iptables. Generally hack attempts like these can be ignored, they use
up very little bandwidth and don't generally present availability issues. I
find most of these ssh hack attacks come from universities in Korea, Mexico
and Europe. What you do is edit /etc/sysconfig/iptables and add this line

-A INPUT -s www.xxx.yyy.zzz/255.255.255.255 -j DROP

then, service iptables restart

In your /etc/hosts.deny file put this:

egrep : libwrap /sbin/* /usr/sbin/* | sort
portmap : ALL : spawn (/usr/bin/logger -t WRAPPER_DENY sunrpc host %a) &

Which will increase logging verbosity and try to get more info about the
machine attacking you. You need to have libwrap installed.

> 3) Ultimately, however it could be accomplished... would blocking those
> IPs actually stop the network traffic and reduce the load on the server as
> it tries to process them? Is there a better way?


No and no. Your loading won't be affected by more than a fraction and
provided your passwords are strong they won't be able to get in anyhow. For
the most part you can just ignore them.

> I have piles of programming experience, but have done nothing in this
> platform. I am not asking anyone to teach me, for if I am pointed in the
> right direction I will work hard to figure out whats needed and attempt to
> ask much more informed questions when I get stuck.


Be aware that these password cracking programs have a spoof setting so it
tells your logger some IP number. This is usually not the IP number of the
machine actually doing the attacking. What I've noticed is that as soon as
you block an IP the attacker realises it and hits some other service with
his real IP and so that's how you find them.

--
Regards,
Peter.
http://www.pelicom.net.nz
 
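Question 1 in the thread (scan auth.log and feed repeat offenders into a block list) answered as an added example that is not code from the thread or from any poster. It counts failed sshd authentications per source address and emits the two kinds of block entry the replies mention: the iptables DROP rule Peter gives and an /etc/hosts.deny line for the tcpwrapper mechanism Unruh points at. It assumes classic syslog-style auth.log lines as OpenSSH writes them ("Failed password for ... from A.B.C.D port N ssh2", "Invalid user X from A.B.C.D", the older "Illegal user ..." form) and IPv4 addresses; the sample log lines are constructed. This is the job that log-watching tools such as fail2ban automate, and the same caveat applies to them: addresses a whole office shares behind one NAT will be blocked along with the guesser, so keep trusted networks in an ACCEPT rule ahead of anything derived from logs.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts failed sshd logins per
# source address in an auth.log stream and turns repeat offenders into
# block-list entries for iptables and for /etc/hosts.deny.
#
# Assumptions: OpenSSH syslog lines as shown in the constructed sample
# below; IPv4 addresses only.

# Print "ip count" for every source with at least $1 failed attempts,
# most frequent first. Reads the log on stdin.
repeat_offenders() {
    awk -v min="$1" '
        /sshd.*(Failed password|Invalid user|Illegal user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# Turn "ip count" lines into iptables commands. -I inserts the DROP at the
# top of INPUT so it wins over any ACCEPT rule further down the chain.
to_drop_rules() {
    while read -r ip _; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# The same list as /etc/hosts.deny entries; only daemons built against
# libwrap honour these, which is why the firewall rule is the primary one.
to_hosts_deny() {
    while read -r ip _; do
        echo "ALL: $ip"
    done
}

# Constructed sample: one host hammering sshd (4 failures), one user who
# mistypes twice and then logs in, one single miss. Documentation addresses.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
May 12 16:01:03 news sshd[2101]: Illegal user admin from 192.0.2.10
May 12 16:01:03 news sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
May 12 16:01:07 news sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
May 12 16:01:11 news sshd[2105]: Failed password for root from 192.0.2.10 port 4023 ssh2
May 12 16:20:40 news sshd[2140]: Failed password for gary from 203.0.113.5 port 51022 ssh2
May 12 16:20:44 news sshd[2140]: Failed password for gary from 203.0.113.5 port 51022 ssh2
May 12 16:20:49 news sshd[2140]: Accepted password for gary from 203.0.113.5 port 51022 ssh2
May 12 17:05:12 news sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 3345 ssh2
EOF
)

# Against the real log, review the output before piping it to sh:
#   repeat_offenders 5 < /var/log/auth.log | to_drop_rules
printf '%s\n' "$SAMPLE_AUTH_LOG" | repeat_offenders 3 | to_drop_rules
```

With the threshold at 3 only 192.0.2.10 is listed; the user who mistyped twice is left alone. Run from cron with a threshold suited to the site, the output of to_drop_rules is the "block list" the question asks for, and the rule set should be rebuilt from the accumulated list rather than grown forever with -I.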
 
Gary

 
      05-14-2006, 05:10 PM
Hi Peter.. thanks for the advice.
You had said...

> find most of these ssh hack attacks come from universities in Korea,
> Mexico
> and Europe. What you do is edit /etc/sysconfig/iptables and add this line


On our Debian system, it appears that the only sysconfig is in
/etc/x11/sysconfig and that particular folder has nothing about iptables in
it. There is a "text file" called iptables located in the
/usr/share/lintian/overrides folder, and the iptables executable is located
in the /sbin folder. Would the above text file be the one to edit, would it
need to be placed someplace else?

And yes, libwrap is installed...

Thanks again.
Gary


 
 
Peter Lowrie

 
      05-15-2006, 05:20 AM
What I wonder is if iptables is installed at all. If not, install it. Since I
use the MDK distro I'm not familiar with Debian. There will be a text file
somewhere in /etc where your iptables file is. Not to be confused
with /etc/rc.d/init.d/iptables, the iptables file should have stuff in it
with your routing rules. And another thing is that iptables should be on
your firewall/gateway. Avoid front ends like shorewall.


Gary wrote:

> Hi Peter.. thanks for the advice.
> You had said...
>
>> find most of these ssh hack attacks come from universities in Korea,
>> Mexico
>> and Europe. What you do is edit /etc/sysconfig/iptables and add this line
>
> On our Debian system, it appears that the only sysconfig is in
> /etc/x11/sysconfig and that particular folder has nothing about iptables in
> it. There is a "text file" called iptables located in the
> /usr/share/lintian/overrides folder, and the iptables executable is located
> in the /sbin folder. Would the above text file be the one to edit, would it
> need to be placed someplace else?
>
> And yes, libwrap is installed...
>
> Thanks again.
> Gary


--
Regards,
Peter.
http://www.pelicom.net.nz
 
 
Gary

 
      05-15-2006, 05:57 AM
Yes, according to the package manager, iptables is installed and latest
version is the same as the installed version.

I suspect the main difference is that we are running pretty much the canned
version of Debian, and not a HUGE amount of effort has been made to deviate
from whatever the standard installs provide. The system is very basic in
the security set as this is just a little private newsgroup with essentially
nothing more installed. Hackers won't have a great deal of fun even if they
got in.

Yes, I realize that there is some spoofing potential possibilities, and I am
sure some little wiz kid may get in and disrupt things somewhat. *shrug*

Anyway, regardless of where our files are in relation to your structure....
I don't think those are really going to be a concern. The fact that both
those programs are installed (according to the package manager) then we
should be able to track things down, create a few commands... throw a few
tests at it, and see if it works. If not, then I suppose we may need to
look at actual file placement. It's possible that since there may not have
been any of those "rules" setup before, the file that should be in "that"
directory hasn't yet been created and the others I have found maybe just
samples.

I hate being so "green" in this side of the OS. Back in the good old DOS
and CP/M days I did everything at the prompt since consoles didn't exist. I
fondly remember very archaic (sp?) commands using VEDIT (ah, esc esc EA esc
esc) and the internal editors for linux boxes seem to operate on all those
old ways of doing things that I have conveniently forgotten about. I figure
at the rate I am going, I should know and understand all those commands for
"ls" in oh... 10 years? LOL

Thanks again, I guess I am at the point where I now have to stumble through
this and from trial and error, get a better understanding. Your
professionalism and assistance on this has been super.

Gary

"Peter Lowrie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What I wonder is if iptables is installed at all. If not, install it. Since
> I
> use the MDK distro I'm not familiar with Debian. There will be a text file
> somewhere in /etc where your iptables file is. Not to be confused
> with /etc/rc.d/init.d/iptables, the iptables file should have stuff in it
> with your routing rules. And another thing is that iptables should be on
> your firewall/gateway. Avoid front ends like shorewall.
>
>
> Gary wrote:
>
>> Hi Peter.. thanks for the advice.
>> You had said...
>>
>>> find most of these ssh hack attacks come from universities in Korea,
>>> Mexico
>>> and Europe. What you do is edit /etc/sysconfig/iptables and add this
>>> line
>>
>> On our Debian system, it appears that the only sysconfig is in
>> /etc/x11/sysconfig and that particular folder has nothing about iptables in
>> it. There is a "text file" called iptables located in the
>> /usr/share/lintian/overrides folder, and the iptables executable is located
>> in the /sbin folder. Would the above text file be the one to edit, would it
>> need to be placed someplace else?
>>
>> And yes, libwrap is installed...
>>
>> Thanks again.
>> Gary

>
> --
> Regards,
> Peter.
> http://www.pelicom.net.nz



 
 
 
 