PaulDotCom mailing list archives

Ssh break in attempt


From: arch3angel at gmail.com (Robert Miller)
Date: Thu, 11 Mar 2010 13:52:13 -0500

Hello Brett,

As others have said these are extremely common, many times being run by 
systems whose users are completely unaware of anything even going on, and 
I know the universities I have gone to don't block much outbound, 
but Paul would be a better adviser on that one.  Both of the suggestions 
by Jody and Matt are spot on and I would follow each of them.  One little 
addition to those would be when you configure denyhosts make sure to 
allow the downloading of known bad IPs, along with having the system 
email you new denied IPs.

Another thing to look into as a precautionary measure is tripwire 
(http://www.tripwire.com/) and make sure you have it emailing you 
notices as well.

Here is a link to understanding log files that came across Twitter a 
couple of days ago but serves as a great cheat sheet or reference: 
http://zeltser.com/log-management/security-incident-log-review-checklist.html

You can also set up Nagios or Zenoss to look for failed logins or 
successful logins and give you a web interface to review them.

If you are running a web server look into suhosin 
(http://www.hardened-php.net/suhosin/), phpids (http://php-ids.org/), 
modsecurity (http://www.modsecurity.org/), grsecurity 
(http://www.grsecurity.net/), and bastille 
(http://bastille-linux.sourceforge.net/).  On the last two watch your 
kernel patch level; never remove your current kernel from the grub menu 
until you are 100% sure the grsecurity patched kernel is fully 
functional.  If you don't pay close attention you could really hose 
things up and make it very hard on yourself to fix it.

- Robert
(arch3angel)

On 3/10/2010 6:49 PM, Brett wrote:
I realized I haven't checked my logs on my new server (bad me). But
I figured I wouldn't find anything, it's only my personal server. I
checked the logs today to find thousands of login attempts. Most tried
to brute my root password, though I don't have a root user. There were
a bunch of user name attempts for what looked like a name dictionary
attack. Some were from business static IPs and there were even some
from perdu.edu

Now for my questions. What should I look for to find out if they
actually got in? Parse the auth log for those IPs for a successful
login? I also run a web server on that machine, is there something I
can look for to see if they got into that? Also is there any recourse
I have? Or should I just let it go and harden my server even more?

Sent from my iPhone
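Brett's question of whether to parse the auth log for a successful login from the same IPs that were brute-forcing is a reasonable first check, and it is easy to script. The following is an added example, not code from the thread or from any of the tools Robert mentions; it parses OpenSSH-style `Failed password` and `Accepted` lines from a constructed, fictional `auth.log` sample (the IPs and usernames are made up), counts failures per source address, and reports any accepted login whose source address also produced failures. The function names and the `threshold` parameter are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH format (fictional hosts and IPs).
SAMPLE_AUTH_LOG = """\
Mar 10 18:01:02 myhost sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 18:01:05 myhost sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 18:02:10 myhost sshd[1240]: Invalid user oracle from 198.51.100.7
Mar 10 18:02:11 myhost sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Mar 10 18:03:00 myhost sshd[1250]: Accepted publickey for brett from 192.0.2.10 port 50000 ssh2
Mar 10 18:05:00 myhost sshd[1260]: Accepted password for brett from 203.0.113.5 port 51300 ssh2
"""

# "Failed password for root from 1.2.3.4 ..." and
# "Failed password for invalid user admin from 1.2.3.4 ..." both match here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# "Accepted password for brett from 1.2.3.4 ..." / "Accepted publickey for ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(lines):
    """Return (failures, accepted).

    failures: {ip: {username: count}} for every Failed password line.
    accepted: list of {"ip", "user", "method"} for every Accepted line.
    """
    failures = defaultdict(lambda: defaultdict(int))
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"ip": m["ip"], "user": m["user"], "method": m["method"]})
    return failures, accepted


def top_offenders(lines):
    """Source IPs sorted by total failed attempts, most active first."""
    failures, _ = parse_auth_log(lines)
    totals = {ip: sum(users.values()) for ip, users in failures.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def suspicious_logins(lines, threshold=1):
    """Accepted logins whose source IP also had at least `threshold` failures.

    A successful password login right after failures from the same address is
    the classic sign that a guess landed; a publickey login from an address with
    no failures is what a normal session looks like.
    """
    failures, accepted = parse_auth_log(lines)
    hits = []
    for entry in accepted:
        n_failed = sum(failures.get(entry["ip"], {}).values())
        if n_failed >= threshold:
            hits.append({**entry, "failed_attempts": n_failed})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("Failed attempts per source IP:")
    for ip, count in top_offenders(lines):
        print(f"  {ip:15} {count}")
    print("Accepted logins from IPs that also failed:")
    for hit in suspicious_logins(lines):
        print(f"  {hit['ip']} -> {hit['user']} via {hit['method']} "
              f"after {hit['failed_attempts']} failures")
```

Against a real system the lines would come from `/var/log/auth.log` (or `/var/log/secure` on Red Hat style systems); an accepted login that shows up in the suspicious list is the one to investigate first, together with the web server's access log for the same address and time window, which is the other half of Brett's question.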
