Is there anything I can do to stop this?

Hi,

I am seeing this in /var/log/messages for my web server:

Apr 30 12:52:24 ********** sshd[7303]: Failed password for root from ************* port 37129 ssh2
Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!

There are literally hundreds, if not thousands of entries…

/jlar

On 04/30/2010 08:36 PM, eeijlar wrote:
>
> Hi,
>
> I am seeing this in /var/log/messages for my web server:
>
>
> Code:
> --------------------
> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root from ************* port 37129 ssh2
> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
> --------------------
>
>
> There are literally hundreds, if not thousands of entries…
>
> /jlar
>
>
You can stop it if you like.
See my notes:

http://waxborg.servepics.com/howto/harden-ssh
For configuring blockhosts

and
http://waxborg.servepics.com/opensuse/blockhosts
for one-click-install

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
20:41pm up 35 days 23:59, 12 users, load average: 4.07, 4.08, 4.08

On Fri, 30 Apr 2010 17:36:01 +0000, eeijlar wrote:

> Hi,
>
> I am seeing this in /var/log/messages for my web server:
>
>
> Code:
> --------------------
> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root from
> ************* port 37129 ssh2
> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking
> getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
> --------------------
>
>
> There are literally hundreds, if not thousands of entries…
>
> /jlar

If you’re not using ssh on the system, disable it. You can also change
the port for SSH, or use a tool like blockhosts, but when using something
like blockhosts, be aware that there are some DoS opportunities available
to anyone who knows that you’re using that tool.

Jim


Jim Henderson
openSUSE Forums Administrator

On 04/30/2010 09:39 PM, Jim Henderson wrote:
> On Fri, 30 Apr 2010 17:36:01 +0000, eeijlar wrote:
>
>> Hi,
>>
>> I am seeing this in /var/log/messages for my web server:
>>
>>
>> Code:
>> --------------------
>> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root from
>> ************* port 37129 ssh2
>> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking
>> getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
>> --------------------
>>
>>
>> There are literally hundreds, if not thousands of entries…
>>
>> /jlar
>
> If you’re not using ssh on the system, disable it.

It’s disabled by default so it looks like the OP has sshd running on
purpose.

> You can also change
> the port for SSH, or use a tool like blockhosts,

Could you elaborate on this:

> but when using something
> like blockhosts, be aware that there are some DoS opportunities available
> to anyone who knows that you’re using that tool.
>

Almost like you’re trying to make it sound “I know stuff, but I won’t
tell you”

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
22:15pm up 36 days 1:33, 14 users, load average: 4.34, 4.24, 4.20

I installed that, great thanks! :slight_smile: Seems to be working, it said it was blocking 5 ip addresses.

/jlar

On Fri, 30 Apr 2010 19:24:30 +0000, Vahis wrote:

> On 04/30/2010 09:39 PM, Jim Henderson wrote:
>> On Fri, 30 Apr 2010 17:36:01 +0000, eeijlar wrote:
>>
>>> Hi,
>>>
>>> I am seeing this in /var/log/messages for my web server:
>>>
>>>
>>> Code:
>>> --------------------
>>> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root
>>> from ************* port 37129 ssh2
>>> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking
>>> getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
>>> --------------------
>>>
>>>
>>> There are literally hundreds, if not thousands of entries…
>>>
>>> /jlar
>>
>> If you’re not using ssh on the system, disable it.
>
> It’s disabled by default so it looks like the OP has sshd running on
> purpose.

I prefer not to make the assumption that the OP enabled it intentionally.

>> but when using something
>> like blockhosts, be aware that there are some DoS opportunities
>> available to anyone who knows that you’re using that tool.
>>
>>
> Almost like you’re trying to make it sound “I know stuff, but I won’t
> tell you”

There was an earlier discussion on this - that discussion pointed to a
URL that talked about how to make a target system think it was being
attacked in a way as to cause it to block hosts that weren’t actually
doing anything.

When talking about how to cause DoS or engage in other unsavory details,
I tend to be very conservative in what I disclose because I don’t want to
teach people how to DoS other peoples’ systems, so I’m intentionally
vague. The info is out there on the 'net for those who want more details.

Jim

Jim Henderson
openSUSE Forums Administrator

On 05/01/2010 01:02 AM, Jim Henderson wrote:
> On Fri, 30 Apr 2010 19:24:30 +0000, Vahis wrote:
>
>> On 04/30/2010 09:39 PM, Jim Henderson wrote:
>>> On Fri, 30 Apr 2010 17:36:01 +0000, eeijlar wrote:
>>>
>>>> Hi,
>>>>
>>>> I am seeing this in /var/log/messages for my web server:
>>>>
>>>>
>>>> Code:
>>>> --------------------
>>>> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root
>>>> from ************* port 37129 ssh2
>>>> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking
>>>> getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
>>>> --------------------
>>>>
>>>>
>>>> There are literally hundreds, if not thousands of entries…
>>>>
>>>> /jlar
>>>
>>> If you’re not using ssh on the system, disable it.
>>
>> It’s disabled by default so it looks like the OP has sshd running on
>> purpose.
>
> I prefer not to make the assumption that the OP enabled it intentionally.
>
>>> but when using something
>>> like blockhosts, be aware that there are some DoS opportunities
>>> available to anyone who knows that you’re using that tool.
>>>
>>>
>> Almost like you’re trying to make it sound “I know stuff, but I won’t
>> tell you”
>
> There was an earlier discussion on this - that discussion pointed to a
> URL that talked about how to make a target system think it was being
> attacked in a way as to cause it to block hosts that weren’t actually
> doing anything.

The current blockhosts has been fixed with regard to the issue discussed then.
>
> When talking about how to cause DoS or engage in other unsavory details,
> I tend to be very conservative in what I disclose because I don’t want to
> teach people how to DoS other peoples’ systems, so I’m intentionally
> vague. The info is out there on the 'net for those who want more details.
>

OK.

Anyway, what you were referring to has been fixed.
Just like any other bug in GNU/Linux, they are being found and fixed
constantly.

Blockhosts has not caused any real trouble anywhere AFAIK.

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
07:21am up 36 days 10:39, 14 users, load average: 4.46, 4.28, 4.23

On Sat, 01 May 2010 04:31:46 +0000, Vahis wrote:

> OK.
>
> Anyway, what you were referring to has been fixed. Just like any other
> bug in GNU/Linux, they are being found and fixed constantly.

That’s good to know - I had suspected it was, but whenever a piece of
software is designed to restrict access, it’s entirely possible for it to
be used in ways that aren’t expected, hence the caution. :slight_smile:

> Blockhosts has not caused any real trouble anywhere AFAIK.

Yes, I agree - which is why I didn’t recommend against using it, but just
cautioned that one should be aware of potential issues rather than just
using it blindly. :slight_smile:

Jim

Jim Henderson
openSUSE Forums Administrator

On Sat, 01 May 2010 05:02:31 +0000, Jim Henderson wrote:

> On Sat, 01 May 2010 04:31:46 +0000, Vahis wrote:
>
>> OK.
>>
>> Anyway, what you were referring to has been fixed. Just like any other
>> bug in GNU/Linux, they are being found and fixed constantly.
>
> That’s good to know - I had suspected it was, but whenever a piece of
> software is designed to restrict access, it’s entirely possible for it
> to be used in ways that aren’t expected, hence the caution. :slight_smile:
>
>> Blockhosts has not caused any real trouble anywhere AFAIK.
>
> Yes, I agree - which is why I didn’t recommend against using it, but
> just cautioned that one should be aware of potential issues rather than
> just using it blindly. :slight_smile:

In fact, I use blockhosts myself, if it comes to that. But I also keep
an eye on the hosts.allow file to see what’s being added to it (I really
need to sort out the mail option so I receive the notifications like I’m
supposed to).

I certainly do agree that it’s a narrow window of opportunity; first you
need to know that someone is specifically using that tool, second, you
need to know which version (so you know which vulns to exploit), and
third you need to have a user who’s running it blindly and not keeping an
eye on things.

Jim

Jim Henderson
openSUSE Forums Administrator

On 05/01/2010 08:04 AM, Jim Henderson wrote:

> In fact, I use blockhosts myself, if it comes to that. But I also keep
> an eye on the hosts.allow file to see what’s being added to it (I really
> need to sort out the mail option so I receive the notifications like I’m
> supposed to).
>
> I certainly do agree that it’s a narrow window of opportunity; first you
> need to know that someone is specifically using that tool, second, you
> need to know which version (so you know which vulns to exploit), and
> third you need to have a user who’s running it blindly and not keeping an
> eye on things.

Your last sentence has it all.
Blindly running stuff is really bad.

As for logging in:
Strong passwords
Preferably no password auth at all, but
SSH keys
No root access
SSH2 only

Oh, and did I mention strong passwords? :slight_smile:

(+20 characters long, with lower case, upper case and numbers.
They must not be found in any dictionaries, in any languages)

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
08:11am up 36 days 11:29, 14 users, load average: 4.16, 4.31, 4.33
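The checklist above, turned into something you can run against a config file: an added example (not code from the thread, from openSSH or from blockhosts) that parses sshd_config the way sshd reads it (keywords case-insensitive, first occurrence wins, `Keyword value` or `Keyword=value`) and reports which of the four settings a file gets wrong. Both config fragments and the user name `jlar` are constructed; the checked keywords are real sshd_config options.

```python
import re

# Constructed sshd_config fragments (not from any real host): the permissive
# settings of that era beside the hardened form matching the checklist above.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers jlar
"""

# Value the checklist wants for each keyword (keys kept lower-case because
# sshd matches keywords case-insensitively).
WANTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; a bare keyword gets an empty value.
LINE_RE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value}, keeping the first occurrence, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        settings.setdefault(key.lower(), value)
    return settings


def audit(text):
    """Checklist items the config fails, as (keyword, found, wanted) tuples.
    An unset keyword is reported too: leaving it to the compiled-in default
    is the 'running it blindly' the thread warns about."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key, "<unset>"), wanted)
            for key, wanted in WANTED.items()
            if settings.get(key, "<unset>").lower() != wanted]
```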

eeijlar wrote:

>
> Hi,
>
> I am seeing this in /var/log/messages for my web server:
>
>
> Code:
> --------------------
> Apr 30 12:52:24 ********** sshd[7303]: Failed password for root from
> ************* port 37129 ssh2
> Apr 30 12:52:26 ******** sshd[7355]: reverse mapping checking
> getaddrinfo for *********** failed - POSSIBLE BREAK-IN ATTEMPT!
> --------------------
>
>
> There are literally hundreds, if not thousands of entries…

This is the downside of running an internet-accessible ssh server … people
and botnets are always scanning for open ssh ports and will be trying to
continuously break in using brute-force password guessing.

  1. Make sure you’ve disabled root ssh login. THIS IS ABSOLUTELY IMPORTANT. If
    they don’t know the username or the password then that’s two things they
    have to guess right; if they know the username (root) that’s half the break-in
    done.

  2. Consider not using port 22 for ssh

  3. Consider having the ssh server only on at certain times of day

  4. Consider limiting the IPs that are allowed to even attempt to login (e.g.
    if you only ever ssh in from one other location, security becomes much
    simpler)

  5. Consider using port-knocking to open your ssh port (though this can be a
    bit tricky to set up right)

  6. If you must leave your ssh server exposed, use blockhosts, or denyhosts
    (http://denyhosts.sourceforge.net/), or fail2ban (http://www.fail2ban.org/),
    which I think are available as openSUSE packages. Make sure you read the
    manual and configure them correctly though, or you may end up locking
    yourself out / or not actually being secure at all / being vulnerable to
    DoS.

Basically just limit your exposure to the open internet.
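The counting that blockhosts, denyhosts and fail2ban (item 6) automate, as an added example that is not code from the thread or from any of those tools: it scans sshd lines of the shape quoted at the top of the thread, tallies failed password attempts per source address, counts how many targeted root (item 1), and renders hosts.deny entries for addresses over a threshold. The log lines, host name `web1` and addresses are constructed.

```python
import re
from collections import Counter

# Constructed log lines in the shape of the ones quoted above; the host name is
# made up and the addresses come from documentation ranges (192.0.2.0/24,
# 203.0.113.0/24), so they are not real hosts.
SAMPLE_LOG = """\
Apr 30 12:52:24 web1 sshd[7303]: Failed password for root from 192.0.2.10 port 37129 ssh2
Apr 30 12:52:26 web1 sshd[7355]: reverse mapping checking getaddrinfo for bot.example [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 30 12:52:27 web1 sshd[7360]: Failed password for invalid user admin from 192.0.2.10 port 37140 ssh2
Apr 30 12:52:29 web1 sshd[7362]: Failed password for root from 192.0.2.10 port 37151 ssh2
Apr 30 12:53:01 web1 sshd[7370]: Failed password for jlar from 203.0.113.7 port 50022 ssh2
Apr 30 12:55:10 web1 sshd[7390]: Accepted publickey for jlar from 203.0.113.7 port 50030 ssh2
"""

# "Failed password for [invalid user] NAME from ADDR port N ssh2"; the
# optional "invalid user" marks a guess at an account that does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def failures(log_text):
    """Yield (user, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def count_failures(log_text):
    """Failed password attempts per source address."""
    return Counter(ip for _, ip in failures(log_text))


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, busiest first."""
    return [ip for ip, n in count_failures(log_text).most_common()
            if n >= threshold]


def root_attempts(log_text):
    """How many of the guesses targeted root: the case item 1 is about."""
    return sum(1 for user, _ in failures(log_text) if user == "root")


def hosts_deny_lines(ips):
    """TCP-wrapper hosts.deny entries, the form blockhosts/denyhosts write."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

The real tools add a time window and an expiry on top of this; with a fixed threshold alone, a legitimate user who mistypes a password three times lands in hosts.deny as well, which is the locking-yourself-out risk item 6 mentions.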

On Sat, 01 May 2010 05:20:45 +0000, Vahis wrote:

> Your last sentence has it all.
> Blindly running stuff is really bad.
>
> As for logging in:
> Strong passwords
> Preferably no password auth at all, but SSH keys
> No root access
> SSH2 only
>
> Oh, and did I mention strong passwords? :slight_smile:
>
> (+20 characters long, with lower case, upper case and numbers. They must
> not be found in any dictionaries, in any languages)

But of course. :slight_smile:

And strong passwords don’t matter to SSH much if you disable password
access, at least not to SSH.

Jim

Jim Henderson
openSUSE Forums Administrator

I was just thinking… could I not achieve the same result by blocking everything (through hosts.allow) except access from my own IP range?

AFAICS yes. There are many ways to block access, too many to mention here. It all depends on what you want to achieve. IMHO what needs to be mentioned is already there.

On 05/04/2010 12:36 PM, eeijlar wrote:
>
> I was just thinking… could I not achieve the same result by blocking
> everything (through hosts.allow) except access from my own IP range?
>
>

That depends totally what you mean by your own IP range.

And what you mean by same result (as what?)

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
18:14pm up 22:26, 8 users, load average: 0.29, 0.18, 0.17

If I just limited access (in hosts.allow) to my ip address (provided by my ISP) and maybe one or two other addresses, would that not achieve the same result as blockhosts? I don’t want anyone to attempt login via ssh except me, so I would be happy to block everything else - permanently…

eeijlar wrote:
> If I just limited access (in hosts.allow) to my ip address (provided by
> my ISP) and maybe one or two other addresses, would that not achieve the
> same result as blockhosts? I don’t want anyone to attempt login via ssh
> except me, so I would be happy to block everything else - permanently…

as far as i know that would be a rather easily reversible experiment
(assuming you will have local physical access to the machine and won’t
be locking yourself out, from afar)…so, why not just try it (but
read my sig caveat first)…

i’d also like to know if it works, or not…


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

On 05/05/2010 02:56 AM, eeijlar wrote:
>
> Vahis;2161085 Wrote:
>> On 05/04/2010 12:36 PM, eeijlar wrote:
>>>
>>> I was just thinking… could I not achieve the same result by
>> blocking
>>> everything (through hosts.allow) except access from my own IP range?
>>>
>>
>> That depends totally what you mean by your own IP range.
>
> If I just limited access (in hosts.allow) to my ip address (provided by
> my ISP)

If the address you’re connecting from is static, yes.
If it’s dynamic, no.

> and maybe one or two other addresses, would that not achieve the
> same result as blockhosts?

From static addresses, yes.

> I don’t want anyone to attempt login via ssh
> except me, so I would be happy to block everything else - permanently…

Then allow just you.

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
10:24am up 1 day 14:36, 3 users, load average: 0.00, 0.03, 0.00

Great thanks… not sure if my ISP provided address is static, I think it might be though.

I came across a useful tool called Nessus to check your machine security
settings. It probes the machine from the inside and outside and produces a report.

(software search in YAST should get it)

/jlar