Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: alejandro on November 07, 2005, 05:11:03 PM

Title: Guessing passwords
Post by: alejandro on November 07, 2005, 05:11:03 PM
So says my logs:
..........
Nov  7 02:40:53 server sshd[10033]: Illegal user test from 218.108.231.72
Nov  7 02:41:02 server sshd[10035]: Illegal user guest from 218.108.231.72
Nov  7 02:41:07 server sshd[10042]: Illegal user webmaster from 218.108.231.72
Nov  7 02:41:23 server sshd[10046]: Illegal user oracle from 218.108.231.72
Nov  7 02:41:29 server sshd[10048]: Illegal user library from 218.108.231.72
Nov  7 02:41:36 server sshd[10050]: Illegal user info from 218.108.231.72
Nov  7 02:41:44 server sshd[10052]: Illegal user shell from 218.108.231.72
Nov  7 02:41:50 server sshd[10054]: Illegal user linux from 218.108.231.72
Nov  7 02:41:57 server sshd[10056]: Illegal user unix from 218.108.231.72
Nov  7 02:42:06 server sshd[10063]: Illegal user webadmin from 218.108.231.72
Nov  7 02:42:19 server sshd[10067]: Illegal user test from 218.108.231.72......
... many many lines like this
So somebody is trying to get in.
Turning off ssh is of course the first option, and strong passwords are a must also,
but it could be a good security measure to try to block an IP address for a while after a few failed login attempts, to prevent this. It seems to be a robot trying a list of names against my server.
Any ideas?
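Added example, not part of the original post and not code from snort or guardian: the temporary block asked about above, reduced to its decision logic over sshd lines in the format quoted in the post. The failure threshold, time window, 24-hour ban length, year and the second sample address (192.0.2.10) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines quoted in the post.
SAMPLE_LOG = """\
Nov  7 02:40:53 server sshd[10033]: Illegal user test from 218.108.231.72
Nov  7 02:41:02 server sshd[10035]: Illegal user guest from 218.108.231.72
Nov  7 02:41:07 server sshd[10042]: Illegal user webmaster from 218.108.231.72
Nov  7 02:41:23 server sshd[10046]: Illegal user oracle from 218.108.231.72
Nov  7 09:15:00 server sshd[11001]: Illegal user bob from 192.0.2.10
Nov  7 11:30:00 server sshd[11200]: Illegal user bob from 192.0.2.10
"""

# Older OpenSSH logs "Illegal user", newer releases log "Invalid user".
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (\S+) from (\S+)")

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=5),
                   ban=timedelta(hours=24), year=2005):
    """Return {ip: (ban_start, ban_end)} for sources that reach
    max_failures unknown-user attempts inside the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(3)
        if ip in bans and when < bans[ip][1]:
            continue              # source is already inside an active ban
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget attempts older than the window
        if len(q) >= max_failures:
            bans[ip] = (when, when + ban)
            q.clear()
    return bans
```

The sliding window is what keeps a user who mistypes a name twice, hours apart, from being banned, while a dictionary run trips the threshold within seconds.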
Title: Guessing passwords
Post by: alex_kain on November 07, 2005, 06:44:14 PM
Namesake from Mendoza: you can use snort, acid and guardian in combination. Snort is an IDS (Intrusion Detection System) that detects who is trying to "intrude" on your server, acid gives you web-page reports of the intrusion attempts, and guardian denies access from the offending IP for 24 hours.
If this could be useful to you, reply and I will send you the links to download them and a howto for installing them.

Greetings from San Rafael in the south of Mendoza

Alex_Kain
Title: Namesake
Post by: alejandro on November 07, 2005, 11:07:53 PM
Please!
It would be very useful to me; I had snort installed some time ago, but only for monitoring.
Many thanks
Title: Guessing passwords
Post by: Franco on November 08, 2005, 01:37:41 AM
I would love to see a how-to too.
I would really like a how-to  :-D
Title: Guessing passwords
Post by: alex_kain on November 08, 2005, 02:50:35 PM
In the first link you have the downloads; in the second, the downloads and a howto.

http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/snort/
http://mirror.contribs.org/smeserver/contribs/star/mitel/contrib/snort/


Good luck
Title: Guessing passwords
Post by: Franco on November 11, 2005, 10:56:51 PM
Great, do they work on 6.01?
Title: Guessing passwords
Post by: egerards on November 11, 2005, 11:17:35 PM
On my server I also noticed frequent ssh hack attempts. What I did to minimize the risk of an actual hack is to disable username/password logins (adjust /etc/ssh/sshd_config and restart sshd) and switch to the use of ssh key pairs.

The only way you can ssh to my server is when you have a private key which uniquely matches with a public key that is stored in ~ACCOUNT/.ssh/authorized_keys .

If someone wants to know more details, please let me know.
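Added example, not part of the original post: a check that an sshd_config really leaves keys as the only way in, as the post above describes. It assumes sshd's first-value-wins rule for repeated keywords and stock defaults of "yes" for the three settings, reads only the global section (it stops at the first Match line), and uses a constructed sample configuration.

```python
# Constructed sample; not the configuration of any server in this thread.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
"""

# Assumed defaults when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Older configs use this name for keyboard-interactive authentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Resolve the three settings the way sshd reads the global section:
    keywords are case-insensitive and the first value seen wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":
            break                 # conditional blocks are out of scope here
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings that leave a non-key login path open."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins accepted")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is not 'no': passwords may still be accepted via PAM")
    if s["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication is 'no': key logins would fail")
    return findings
```

On the sample, the later `PasswordAuthentication yes` line is ignored, but the keyboard-interactive setting is still reported.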
Title: Guessing passwords
Post by: Franco on November 11, 2005, 11:28:39 PM
Oh yes,
How-to's always welcomed ;-)
Title: Guessing passwords
Post by: alejandro on November 12, 2005, 02:17:55 PM
(about snort-acid-guardian) It seems not to be working (sme 6.0.1)
so Egerards, I'll wait for your help
Thanks in advance
Title: Guessing passwords
Post by: chris burnat on November 14, 2005, 12:33:44 AM
"Turning off ssh is of course the first option, and strong passwords are a must also, but it could be a good security measure to try to block an IP address for a while after a few failed login attempts, to prevent this. It seems to be a robot trying a list of names against my server.
Any ideas?"

If you do not want to implement the use of ssh key pairs, you could move the ssh port to a high port, say 2233 or whatever. I have found that this will quieten your logs very effectively. Doing a scan on the box will show the high port as "open"; however, it is not identified as SSH - robots to date are flying blind on this one.... Good passwords are a must.
Title: Guessing passwords
Post by: gordonr on November 14, 2005, 01:11:12 AM
Quote from: "burnat"

If you do not want to implement the use of ssh key pairs, you could move the ssh port to a high port, say 2233 or whatever. I have found that this will quieten your logs very effectively. Doing a scan on the box will show the high port as "open"; however, it is not identified as SSH - robots to date are flying blind on this one.... Good passwords are a must.


IMO, SSH public keys are a must. Moving the port doesn't add significant additional security - the bots will get more sophisticated.
Title: Thanks
Post by: alejandro on November 14, 2005, 01:22:28 AM
Many thanks to all of you for all the help.
It makes it easier for me to decide.
I think public/private keys should be enough with strong passwords.