From: "Chasecreek Systemhouse" <chasecreek.systemhouse@xxxxxxxxx>
On 12/11/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> What's the general removal procedure for this, and better yet, how did
> they get in?
----
It would seem that ssh with root allowed to log in via password would be
the magic combination of bad judgement... it's been so thoroughly
discussed on this list of late.
About three months ago I reported a box I admin'ed was accessed through
DDoS on the ssh access port -- the sshd was hit 90,000 times an hour
and the attacker gained access. They didn't get to do much as the box
had no compiler, no Perl, and was locked up by SELinux. I made the
report to both openssh and to the RedHat ssh developers. I was
running FC4 with the then current patches up-to-date.
Anyhow... After they (the attacker, who arrived via S.America) spent
a few minutes trying to install an eBay spammer and a sendmail backdoor
-- both attempts failed -- they deleted some files and gave up. This
attack, access, and discovery all happened in less than a 5-hour
period. The attacker either was a novice or didn't care to cover
their tracks.
Now, before you say that ssh allowed root access - I can assure you
that root was not allowed to access the system -- not via ssh; only
via the local console. Since that attack I have reformatted the
drives and tossed out all the data and installed clean backups. I
have also limited -- via cron -- when ssh is available for remote use;
hopefully that will reduce the window of opportunity.
I would say there is an ssh brute-force hack floating around that has
not been documented yet; as such it is in all server admins' best
interests to remain vigilant.
If there is only light ssh traffic to your system, this also will reduce
the hacker's ability to get in.
# Every new connection attempt (TCP SYN to port 22) records the source
# address in the 'recent' list named sshattack.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# If that source now has 3 or more entries in the last 120 seconds (the
# current attempt included, since --set runs first), log it ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# ... and reject it with a TCP reset. Attempts below the threshold fall
# through to the rest of the chain.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
I figure a nice random four-letter password would be good for about
90 days on average if somebody tried all possible character
combinations from a 50-character set. <drily>I use a
few more characters than that.
3 failed tries in the last 120 seconds means you cannot get in anymore
until it's down to 2 failed tries in the last 120 seconds. So he gets
one try every 40 seconds. That makes hacking into the system a slow SLOW
operation, one I'd notice pretty quickly.
{^_^}
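As an added example (not code from the original message), here is a small Python model of the xt_recent sliding window that the posted rules rely on, so the effect of putting --set ahead of --rcheck --seconds 120 --hitcount 3 can be checked against any schedule of connection attempts. The source addresses and attempt schedules are constructed sample data, and the 20-stamp per-address cap is xt_recent's default ip_pkt_list_tot. One caveat worth keeping in mind: the rules count TCP connection attempts, not failed logins, so a legitimate user who opens several sessions inside two minutes trips the same limit as an attacker.

```python
# Added example (not from the original post): model of the xt_recent
# sliding window behind the posted iptables rules.  Parameters mirror
# the rules as posted (--seconds 120, --hitcount 3); the 20-stamp cap
# is xt_recent's default.  Addresses and schedules are constructed.
from collections import defaultdict

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 3           # --hitcount 3
LIST_TOT = 20          # xt_recent default: timestamps kept per address


class RecentList:
    """One named 'recent' list (the posted rules call theirs 'sshattack')."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT,
                 list_tot=LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.list_tot = list_tot
        self.stamps = defaultdict(list)   # source address -> timestamps

    def syn(self, src, now):
        """Run one TCP SYN to port 22 through the three posted rules.

        Rule 1 (--set) records the stamp before rules 2 and 3 (--rcheck)
        look at the list, so the current attempt counts toward the
        hitcount, and a rejected attempt still leaves a stamp behind.
        Returns 'ACCEPT' when the packet falls through to the rest of the
        chain, 'REJECT' when the LOG and REJECT rules fire.
        """
        stamps = self.stamps[src]
        stamps.append(now)                      # rule 1: -m recent --set
        if len(stamps) > self.list_tot:
            del stamps[0]                       # oldest stamp is dropped
        # rules 2 and 3: count stamps still inside the window
        # (xt_recent counts a stamp while stamp + seconds > now)
        hits = sum(1 for s in stamps if s + self.window > now)
        return "REJECT" if hits >= self.hitcount else "ACCEPT"


def simulate(events):
    """events: (src, time_in_seconds) pairs in time order.
    Returns the verdict for each event, in the same order."""
    table = RecentList()
    return [table.syn(src, t) for src, t in events]


def accepted_attempts(interval, duration, src="198.51.100.7"):
    """One address trying every `interval` seconds for `duration` seconds;
    returns how many of those attempts get past the rate limit."""
    events = [(src, t) for t in range(0, duration, interval)]
    return simulate(events).count("ACCEPT")


if __name__ == "__main__":
    # Constructed schedule: one source hammering once a second, plus a
    # second source whose single attempt has its own, separate count.
    schedule = sorted([("198.51.100.7", t) for t in range(6)]
                      + [("203.0.113.5", 3)], key=lambda e: e[1])
    for (src, t), verdict in zip(schedule, simulate(schedule)):
        print(f"t={t:4d}s {src:>14} {verdict}")
    for interval in (30, 40, 60):
        print(f"one attempt every {interval:3d}s for 10 min: "
              f"{accepted_attempts(interval, 600)} accepted")
```

Running it shows what the rule order implies: a source that keeps retrying is admitted twice and then rejected on every attempt until it has been quiet for a full two minutes, because each rejected SYN adds a fresh stamp; a source that spaces its attempts a minute or more apart never reaches the threshold. Per-address lists mean one noisy client does not affect another.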