Default configuration sshd:
“PasswordAuthentication no
UsePAM yes”
Apparently this configuration permits connecting with just a login and a password (no public key required). If you have an easy login/password combination it can be found.
Using this hole a hacker has just entered my computer.
Up to now I was really thinking that Linux and particularly openSUSE was safe…
If you want to make fun, here is the IP address of the hacker: 91.193.157.206
Bruno.
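The post above quotes "PasswordAuthentication no" next to "UsePAM yes". The script below is an added example (not from the thread or from openSUSE) that reads an sshd_config and reports whether a password alone can still get a session. It assumes, as OpenSSH documents, that with UsePAM yes the ChallengeResponseAuthentication keyword (default yes; called KbdInteractiveAuthentication in newer releases) lets PAM prompt for a password over keyboard-interactive even when PasswordAuthentication is no. The two sample configs are constructed.

```shell
#!/bin/sh
# Evaluate whether an sshd_config still accepts password-style logins.
# Assumption (added here, not stated in the thread): with UsePAM yes,
# ChallengeResponseAuthentication/KbdInteractiveAuthentication (default yes)
# lets PAM ask for a password even though PasswordAuthentication is no.

# sshd_setting FILE KEYWORD DEFAULT -> effective value, lowercased.
# sshd takes the first occurrence of a keyword; Match blocks are ignored here.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }' "$1"
}

# password_login_possible FILE -> exit 0 if a password alone can log in
password_login_possible() {
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    pam=$(sshd_setting "$1" UsePAM no)
    cra=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    # newer spelling of the same switch; falls back to the old one
    kbd=$(sshd_setting "$1" KbdInteractiveAuthentication "$cra")
    [ "$pw" = yes ] && return 0
    [ "$pam" = yes ] && [ "$kbd" = yes ] && return 0
    return 1
}

WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# constructed sample: the settings quoted in the thread
PasswordAuthentication no
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
# constructed sample: public key only, PAM kept for account/session checks
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PubkeyAuthentication yes
EOF

for f in "$WEAK" "$HARD"; do
    if password_login_possible "$f"; then echo "$f: password login STILL possible"
    else echo "$f: key only"; fi
done
```

On a live host, run the check against /etc/ssh/sshd_config (or the output of sshd -T) rather than the constructed samples.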
Was the hacker malicious or known to you?
Well, you must configure it before using it, and you may not use an easy
combination of login/password…
VampirD
Microsoft Windows is like air conditioning
Stops working when you open a window.
A hacker is always malicious I think. He only succeeded in guessing one user login and installed some hacker tools I guess.
However if this is really the default configuration, it is a major security hole: reading “PasswordAuthentication no” you would think you are completely safe and don’t need to bother about complex passwords…
Any user is exposed. May I suggest disabling any authentication other than public key?
Bruno.
The thing is the default ssh doesn’t allow outside connections through the firewall (local network only, iirc).
The moment someone decides to allow this is the moment they educate themselves on how to secure it.
So by default ssh is secure; it is by user interaction that it weakens.
Indeed, you do have to first make ssh an allowed service for the external zone of firewall2 (port 22 is the default). The wiki contains documents on how to further secure the connection. The OP should search and read them asap.
@bchampag, no not all hackers are malicious. I wouldn’t have asked, had you been clearer in your post. I guess your choice of simple password, against all the advice, was really your undoing.
bchampag wrote:
> Up to now I was really thinking that Linux and particularly openSUSE
> was safe…
Linux, Mac, BSD, M$, and etc are only as safe as the system
administrator’s knowledge will allow it to be.
It is entirely possible to have a pretty dang secure Linux system
delivered in a default install but then be made so totally open to
attack via so many different vectors that it would make Redmond’s
default seem virtually impenetrable–all you have to do is set it up
that way, intentionally or through ignorance of system security…
–
DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio
OK thanks for the feedback.
I’d better re-install everything just in case…
The only thing is that I have no trace of the intrusion attempts (I mean the unsuccessful attempts) so I’ve no idea how long it took or how many attempts there were.
Regards,
bchampag
bchampag wrote:
> The only thing is that I have no trace of the intrusion attempts (I
> mean the unsuccessful attempts) so I’ve no idea how long it took, how
You may have to go far back in your firewall logs…if they are set to
archive and hang around long enough…
Some folks check /var/log/firewall routinely looking for
attempts…there are lots of scripts around to help automate such…
and some then use such routine (or real time) observation to plug
those potential holes (maybe by blacklisting IPs, and some folks just
lock out entire countries)…
Some folks find it more effective to be proactive, and not just wait
for a breach and rootkit installation and then react…
–
DenverD (Linux Counter 282315)
Just a note to the NNTP users - this thread has been moved from the forum suggestions forum (it really belongs in this forum instead).
Why don’t you just use fail2ban? Every attempt will be automatically blocked through the iptables mechanism and you will be notified. Exactly what an administrator needs.
On Wed, 16 Jun 2010 20:16:02 +0000, darkmac wrote:
> Why don’t you just use fail2ban? Every attempt will be automatically
> blocked through the iptables mechanism and you will be notified. Exactly
> what an administrator needs.
Even then, it’s generally advisable to keep an eye on it; there are
injection attacks that can make for denial-of-service.
Myself, I use blockhosts, but again, neither solution is a “set it and
forget it” solution.
Jim
–
Jim Henderson
openSUSE Forums Administrator
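DenverD's suggestion of scripts that scan logs for attempts, and the fail2ban/blockhosts threshold idea in the replies above, come down to the same logic. The script below is an added example (not from the thread, fail2ban or blockhosts) that counts failed sshd password attempts per source in syslog-style lines and flags sources over a threshold, plus the check a defender wants first after an incident like the poster's: a source that failed repeatedly and then got in. The log lines and 10.0.0.x addresses are constructed.

```shell
#!/bin/sh
# Per-source failed-login counting over sshd syslog lines, the routine
# check (or fail2ban-style threshold) discussed in the thread.
# All log lines below are constructed samples; 10.0.0.x are placeholders.

LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Jun 16 20:10:01 host sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Jun 16 20:10:03 host sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40123 ssh2
Jun 16 20:10:04 host sshd[2103]: Failed password for root from 10.0.0.5 port 40124 ssh2
Jun 16 20:10:09 host sshd[2105]: Accepted publickey for bruno from 10.0.0.9 port 51000 ssh2
Jun 16 20:10:15 host sshd[2107]: Failed password for bruno from 10.0.0.7 port 42000 ssh2
Jun 16 20:10:20 host sshd[2109]: Accepted password for bruno from 10.0.0.5 port 40130 ssh2
EOF

# failed_by_source FILE -> "count ip" lines, most failures first
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# over_threshold FILE N -> sources with at least N failures (ban candidates)
over_threshold() {
    failed_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# success_after_failures FILE -> sources that failed, then logged in with a
# password or PAM prompt: the guessed-password scenario from the thread
success_after_failures() {
    awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)] = 1 }
         /Accepted (password|keyboard-interactive)/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && f[$(i+1)]) print $(i+1) }' "$1"
}

echo "failures per source:"; failed_by_source "$LOG"
echo "over threshold (3):"; over_threshold "$LOG" 3
echo "failed then accepted:"; success_after_failures "$LOG"
```

Point it at /var/log/messages (or wherever your syslog sends sshd) instead of the constructed file; the threshold is the only knob a ban script like fail2ban adds.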
Hello there,
After the hacker “visit”, I did a full re-installation to make sure nothing is left.
The fact that port 22 was open on the router was a mistake of mine, but the default sshd parameters (PAM = on) seem too weak, while the meaning of ‘PAM’ is probably mysterious for most of us.
Now I’ve made a clone of my openSUSE on a second hard disk, which is physically disconnected in normal operation. I will do a cloning on a regular basis. The cloning can be done on a live system using rsync, at least if we take care about which files should not be mirrored and are set differently on the clone (fstab, grub/menu.lst). Finally, I also make a sha1 checksum of all system files to verify that no abnormal modification has been done since the previous update. Another solution would be to restore the system from the clone at every startup.
The only annoying thing is that I really need to physically isolate the clone (disconnect power), as the super user can always gain access to this disk if it is not isolated. The only alternative would be to run the system on a virtual machine and use a snapshot (or equivalent) to restore the system at reboot.
Now I believe it won’t happen to me again, but I’m just thinking that there are so many Linux users with weak sshd settings (ssh needs to be enabled, for example, for NX) ignoring this fact and exposed to getting hacked one of these days.
Regards.
bchampag.
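The sha1 checksum of all system files described above, written out as a small baseline-and-verify script. This is an added example, not the poster's own script and not tripwire; it records a manifest of every regular file under a tree and later reports what changed, appeared or vanished. The sample tree and the tampering are constructed; file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Baseline-and-verify integrity check over a directory tree (sha1 manifest).
# Constructed example; the temp tree stands in for /etc or /usr/bin.
# Paths with whitespace are not handled (awk splits on whitespace).

# make_baseline DIR MANIFEST -> "sha1  ./path" per regular file, sorted by path
make_baseline() {
    ( cd "$1" && find . -type f -exec sha1sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_baseline DIR MANIFEST -> prints "ADDED/CHANGED/REMOVED path" lines,
# returns 0 only when the tree matches the manifest exactly
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    diff_out=$(awk 'NR == FNR { old[$2] = $1; next }
        { if (!($2 in old)) print "ADDED", $2
          else if (old[$2] != $1) print "CHANGED", $2
          seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED", p }' \
        "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$diff_out" ]; then printf '%s\n' "$diff_out"; fi
    [ -z "$diff_out" ]
}

# constructed sample tree and baseline
TREE=$(mktemp -d); BASE=$(mktemp)
printf 'root:x:0:0\n' > "$TREE/passwd"
printf 'PasswordAuthentication no\n' > "$TREE/sshd_config"
make_baseline "$TREE" "$BASE"

# constructed tampering: one file modified, one added, one removed
printf 'evil:x:0:0\n' >> "$TREE/passwd"
: > "$TREE/rootkit"
rm -f "$TREE/sshd_config"
check_baseline "$TREE" "$BASE" || echo "tree differs from baseline"
```

Keep the manifest (and the sha1sum binary you trust) on the disconnected clone rather than on the live system, for the same reason given above: root on a compromised box can rewrite anything it can reach.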
BTW, there are software programs to do this checksumming for you, one of the oldest free ones is called tripwire. There are others mentioned here:
Open Source Tripwire - Wikipedia, the free encyclopedia
If you find yourself writing these things yourself, you’re not being lazy enough. 
As they often say, security is a process. Nothing should be taken for granted. You have to constantly evaluate the relative risks and not trust that defaults will save your skin. On the other hand it is counterproductive to be paranoid and spend more time than warranted in countermeasures. You have to get some work done and have some fun with the computer after all.
On Thu, 24 Jun 2010 15:26:01 +0000, bchampag wrote:
> Hello there,
>
> After the hacker “visit”, I did a full re-installation to make sure
> nothing is left.
I’d second the use of checksumming - even RPM can do validation of files
for you. NX doesn’t seem to be affected (AFAIK) by using public-key
authentication only as well - so that can be an option, as can using
something like blockhosts (with the caveat that you should still monitor
it). The number of attempts on my system has dropped dramatically
since I set up blockhosts.
Jim