Koozali.org: home of the SME Server

Have I been hacked?

crazybob
Have I been hacked?
« on: February 26, 2005, 03:02:37 PM »
I have installed the server admin panel on a couple of servers, and this morning I received emails that there had been open ssh connections during the night. I checked the messages log and saw that there were attempts, but they were denied for wrong password. The log shows my legal attempt.

The boxes are SME 6.0-1. Only a few contribs (antivirus, raid monitor) have been added.

Are there any other logs I should be looking at?

Thanks

Bob
If you think you know what's going on, you obviously have no idea what's going on!
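Bob's question about which logs to read is a good place for a worked check. The script below is an added example, not something posted in the thread or part of SME Server: it summarises sshd entries in a syslog-style messages file of the kind the thread is reading, counting failed password attempts per source address, reporting how many distinct usernames one address tried, and pulling out the accepted logins, which are the lines that actually decide whether a box was entered. The log lines, hostname, addresses, usernames and PIDs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd authentication events
# in a syslog-style messages file. The sample lines below are constructed for
# this example; the hostname "sme", the PIDs, users and addresses are made up.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 26 02:13:41 sme sshd[4121]: Failed password for illegal user test from 203.0.113.7 port 41522 ssh2
Feb 26 02:13:44 sme sshd[4123]: Failed password for illegal user guest from 203.0.113.7 port 41530 ssh2
Feb 26 02:13:47 sme sshd[4125]: Failed password for root from 203.0.113.7 port 41537 ssh2
Feb 26 02:13:50 sme sshd[4127]: Failed password for admin from 203.0.113.7 port 41541 ssh2
Feb 26 02:20:02 sme sshd[4160]: Failed password for root from 198.51.100.23 port 3301 ssh2
Feb 26 08:41:10 sme sshd[5012]: Accepted password for admin from 192.168.1.20 port 1027 ssh2
EOF

# Count failed password attempts per source address, most active first.
# Output: one "address count" pair per line.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Number of distinct usernames tried from one address. Many names from a
# single address in a short window is a dictionary scan, not a typo.
usernames_tried_from() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        grep " from $2 port " |
        sed -n 's/.*Failed password for \(illegal user \)*\([^ ]*\) from .*/\2/p' |
        sort -u | wc -l | tr -d ' '
}

# Successful logins: "user address method". A success from an address you
# do not recognise matters more than any number of failures.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" |
        sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port.*/\2 \3 \1/p'
}

echo "Failed attempts by source:"
failed_by_ip "$SAMPLE_LOG"
echo "Distinct usernames tried from 203.0.113.7: $(usernames_tried_from "$SAMPLE_LOG" 203.0.113.7)"
echo "Accepted logins:"
accepted_logins "$SAMPLE_LOG"
```

Against a real box, point the functions at the live file instead of the sample (`failed_by_ip /var/log/messages`) and also run `last`, which reads wtmp and shows completed sessions independently of sshd's own messages. The accepted lines and wtmp deserve more attention than the failure count: a run of denied passwords is noise, a success from an unknown address is an incident.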

smeghead
Have I been hacked?
« Reply #1 on: February 26, 2005, 03:55:18 PM »
Not really, cos if it was me getting in I'd be covering my tracks.

Make sure your openssh/openssl is upgraded to fix a coupla major bugs.

Perhaps use a good router in front of the SME to lock down who can access which service on the SME; since I setup my 20-30 port forwarding rules in my router I have very little garbage hitting my SME box.

My SME box is running in public server/gateway mode so I have 2 firewalls in place & double NAT protecting my network.

HTH

crazybob
Have I been hacked?
« Reply #2 on: February 26, 2005, 05:33:25 PM »
Thanks for the info. I will do the updates. I hope to turn off ssh soon and use ipsec to allow remote access. I need to find out how to set up a FreeS/WAN client on a windoze box so I can take care of administration.

Bob

egerards

Have I been hacked?
« Reply #3 on: February 27, 2005, 01:05:40 AM »
I've also a router in front of my SME box. My ssh service is always available to the 'evil outside world', but using custom port forwarding of the router, the ssh service is available at a non-standard, hard-to-guess port number.

When I was running a setup without this router, my messages file also regularly showed (failed) login attempts, but now 'they' don't seem to be able to find me anymore, although I have full ssh access (at the alternative port number).

chris burnat
Have I been hacked?
« Reply #4 on: February 27, 2005, 06:48:22 AM »
Quote from: "egerards"
I've also a router in front of my SME box. My ssh service is always available to the 'evil outside world', but using custom port forwarding of the router, the ssh service is available at a non-standard, hard-to-guess port number.


Hello Egerards, would you kindly provide some details of how to set up port forwarding from a router placed in front of an SME server - or perhaps point me in the right direction. I have a few boxes used as sftp servers, and I am bombarded by attempts at logging in, sometimes for hours at the rate of 2-3 tries a second... What you are doing is most likely what I need, but I do not understand port forwarding much, unfortunately. Many thanks. christian
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

funkusmunkus
Have I been hacked?
« Reply #5 on: February 27, 2005, 07:00:55 AM »
I had one big break-in attempt on my SME a few months back: 2:30 hours of 3-4 attempts per 10 seconds. To stop that from ever happening again, I started using pptp and disabled ssh remotely. Another good thing to look at is rkhunter; there's a contrib here for it. One good thing it tells you, apart from any changes that have been made behind your back, is if ssh1 is allowed, and it shouldn't be. Look at the update script; don't run the whole thing, just check out what it updates and install them yourself.

hope that helps
cheers

chris burnat
Have I been hacked?
« Reply #6 on: February 27, 2005, 11:23:01 AM »
Quote from: "funkusmunkus"
I started using pptp and disabled ssh remotely. Another good thing to look at is rkhunter; there's a contrib here for it.


Thank you Funkusmunkus. It makes sense and helps a lot. Two questions: (i) which pptp solution are you using? OpenVPN from Jesper? (ii) I cannot find the SME rpms for rootkit on this site, meaning rpms patched for SME. Where did you find them? A search brings nothing...

Cheers and thanks
christian

crazybob
Have I been hacked?
« Reply #7 on: February 27, 2005, 02:15:13 PM »

egerards

Have I been hacked?
« Reply #8 on: February 27, 2005, 09:30:02 PM »
Quote from: "burnat"
Quote from: "egerards"
I've also a router in front of my SME box. My ssh service is always available to the 'evil outside world', but using custom port forwarding of the router, the ssh service is available at a non-standard, hard-to-guess port number.


Hello Egerards, would you kindly provide some details of how to set up port forwarding from a router placed in front of an SME server - or perhaps point me in the right direction. I have a few boxes used as sftp servers, and I am bombarded by attempts at logging in, sometimes for hours at the rate of 2-3 tries a second... What you are doing is most likely what I need, but I do not understand port forwarding much, unfortunately. Many thanks. christian


The simplest way of port forwarding is telling your router to forward a certain port (e.g. port 80 (http)) to the same port number at an IP address on your local LAN. For public services such as http / https / smtp you forward from external port 80 to internal port 80, from 443 to 443 and from 25 to 25. This is because everybody expects those services to be available at those ports. Although the services behind the port numbers are running on a machine on the local LAN, they are available to the whole outside world (because of the port forwarding).
Regarding the ssh service, you don't want people (hackers) to find the service. The easiest thing to do is to make the service available at a non-standard port (e.g. 9965). With a router this is normally very easy to do: simply 'tell' your router that incoming traffic at port 9965 (or pick another available port number) has to be forwarded to port 22 of the IP address of the server on your local LAN.

Although most routers have the possibility to forward an external port number to a different port number on your local lan, I know there are routers which permit port forwarding only to the same port number on your local lan. In this unfortunate case you will have to resort to other methods.

I hope I made it a bit clear to you. Otherwise: just ask.  ;-)
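To make egerards' description concrete, here is the same forwarding rule written for a Linux machine acting as the router in front of the SME server. This is an added example, not configuration from the thread or from SME Server, and it assumes names that are not in the post: the router's Internet-facing interface is called eth0 and the SME server sits at 192.168.1.10 on the LAN; 9965 is the external port number egerards used. The function prints the iptables commands rather than applying them, so the rules can be reviewed before being run on the router.

```shell
#!/bin/sh
# Added example (not from the thread): egerards' port forwarding, written as
# iptables rules for a Linux router in front of the SME server. Assumed values
# (not from the thread): external interface eth0, SME server at 192.168.1.10.
EXT_IF=eth0
EXT_PORT=9965          # the non-standard port the outside world sees
SME_IP=192.168.1.10
SSH_PORT=22            # sshd on the SME box keeps listening on 22

# Print the rules instead of running them, so the script can be reviewed
# and tested on any machine; on the router, pipe the output to sh as root.
dnat_rules() {
    ext_if=$1; ext_port=$2; lan_ip=$3; lan_port=$4
    # Rewrite the destination of TCP packets arriving on the external
    # interface for the chosen high port so they go to port 22 on the SME box.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $lan_ip:$lan_port"
    # Let the rewritten packets through the FORWARD chain; a router whose
    # FORWARD policy is DROP would otherwise discard them after the DNAT.
    echo "iptables -A FORWARD -i $ext_if -p tcp -d $lan_ip --dport $lan_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Refuse to build rules that would expose the service on its default port
# or on a privileged port; returns 0 when the external port is acceptable.
external_port_ok() {
    port=$1
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] && [ "$port" -ne 22 ]
}

# Number of rules a forwarding definition produces (two: DNAT plus FORWARD).
rule_count() { dnat_rules "$@" | wc -l | tr -d ' '; }

if external_port_ok "$EXT_PORT"; then
    dnat_rules "$EXT_IF" "$EXT_PORT" "$SME_IP" "$SSH_PORT"
else
    echo "refusing to forward port $EXT_PORT" >&2
fi
```

Nothing here touches sshd's own configuration: the daemon still listens on 22 inside the LAN and only the router's view differs, which is why it works even when the server side cannot be changed. The limit egerards hints at with 'hard-to-guess' is that the port is hidden only from scanners that probe 22; a full port scan still finds it, so the moved port cuts log noise and opportunistic attempts but is no substitute for a patched OpenSSH and strong credentials.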

funkusmunkus
Have I been hacked?
« Reply #9 on: February 28, 2005, 02:51:24 AM »
Well, I just use the normal pptp connection, but I have updated my SME using the suggestions of the unofficial update script.
It can be found here: http://no.longer.valid/phpwiki/index.php?pagename=Latest%20version%20of%20update%20scripts
You don't have to run the whole script; just go through it and see what needs updating.
On the link is also the location for rkhunter and a few other good tools.

One last thing: don't always go by what rkhunter says about some application being vulnerable; it only follows the version number, and not whether it's been patched.

hope that helps

chris burnat
Have I been hacked?
« Reply #10 on: March 01, 2005, 09:38:33 AM »
Many thanks funkusmunkus and egerards for pointing me in the right direction; this forum is alive and well. Hope I can assist one day. Regards, christian.

ngomes
Contribs.org needs you
« Reply #11 on: August 29, 2005, 01:24:53 PM »
The SME Server development (aka the new releases) and maintenance (aka the updates) depend entirely on the Contribs.org community.

Just to keep all of you up to date, Ian Wells, Floyd Hartog, Dave Kainer and Matthew Copple (sorry if I left someone out) are the people trying to give this community the SME Server 6.x maintenance and bugfix updates and bring to life the SME Server 6.5 final stable release.

Contribs.org needs your help on this project.
What can you do for Contribs.org?

# Read the maintenance process:
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process

# Join the devinfo mailing list and offer your help to test, debug, etc:
http://lists.contribs.org/mailman/listinfo/devinfo

# Go to the Contribs.org Bug Tracker and study some of the listed bugs with new or feedback status, simulate them, give your feedback, try to find some sort of solution. Also, if you have some packaging skills, try to build some rpm packages for the listed bugs with resolved or closed status:
http://no.longer.valid/mantis/view_all_bug_page.php

Finally, take these thoughts into serious consideration (taken from Charlie Brady, an SME core developer):

Quote
If maintenance of distribution updates is not a "core role" for contribs.org, then what is?

Quote
Don't ask what contribs.org can do for me, ask what I can do for contribs.org.


-Nuno
Nuno Rafael Gomes
Learning everyday from everyday problems...