Re: Can't tell if I have been hacked :( [Solved for one specific machine]

From: "Claude Jones" <claude_jones@xxxxxxxxxxxxxx>

On Mon March 20 2006 8:45 pm, Claude Jones wrote:
Just to add something to this discussion. Today, I've just noticed that ssh
has become disabled on two separate machines, one at home, and one at my
office. Both are FC4 and are kept up to date with latest patches. I haven't
really dived in, yet, except to look at the ssh config files, where there
didn't seem to be anything amiss. So far, I've tried applying my firewall
rules from fwbuilder to both machines, and both give back ssh errors. I
then tried a simple log on via ssh to the local machine at work, and it
failed. I just tried to log in to my office machine from home, and it just
stalls. I don't know when this stopped working, but the fact that it's
happening on two machines widely separate, makes me wonder if some recent
update broke things...

To prevent muddying the waters, I just discovered the cause on one of my machines. For some reason, my LAN NIC's IP address had been added to hosts.deny, presumably by "denyhosts", the utility that monitors ssh log-on attempts and adds unsuccessful IPs to the hosts.deny list when log-in attempts exceed the configured numbers. Removing my LAN NIC from the list allowed me to apply my firewall rules, which use ssh over the inside NIC to connect and apply.

A better trick exists. It works if your passwords are even modestly robust
or you use only keys.

===8<---
# Assumes $IPTABLES is set by the surrounding firewall script; default it here.
IPTABLES=${IPTABLES:-/sbin/iptables}
# Then setup the reject trap.
# Record every new SSH connection attempt (SYN) under the list "sshattack".
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Log, then reject, a source that has sent 3 or more SYNs in the last 120 s.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# The --set rule above already counted this attempt, so retrying extends the lockout.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
 --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---

Critter gets three tries in 120 seconds then is locked out until the retry
count goes below 3. They never stop trying as fast as they can so they get
one shot per attack. The Sun will grow cold before they get in even with a
password like "open sesame".

{^_-}

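For the hosts.deny lockout described above, here is a small audit script (an added example, not code from the original post or from DenyHosts) that parses a hosts.deny file in tcp_wrappers syntax and reports which of a machine's own addresses would be refused for a given daemon. The sample hosts.deny is constructed; the "# DenyHosts:" comment lines in it are an assumed layout and are simply ignored as comments.

```python
"""Find hosts.deny entries that lock out the host's own addresses."""
import ipaddress

# Constructed sample of a hosts.deny, not taken from any real system.
SAMPLE_HOSTS_DENY = """\
# hosts.deny
ALL: 203.0.113.0/24
# DenyHosts: Mon Mar 20 20:45:00 2006 | sshd: 198.51.100.7
sshd: 198.51.100.7
# DenyHosts: Mon Mar 20 21:02:13 2006 | sshd: 192.168.1.10
sshd: 192.168.1.10
"""


def parse_hosts_deny(text):
    """Return (daemon_list, client) pairs from hosts.deny text.

    Handles 'daemon_list : client_list' with several clients per line;
    a trailing ': option' field is dropped, '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        for client in parts[1].split():
            rules.append((daemons, client))
    return rules


def client_matches(client, addr):
    """Match one tcp_wrappers client pattern against an IP address string.

    Supported forms: ALL, exact address, 'a.b.c.' dotted prefix, and
    net/mask in either CIDR or dotted-netmask notation. Hostname patterns
    are not resolved here (no DNS offline)."""
    ip = ipaddress.ip_address(addr)
    if client == "ALL":
        return True
    if "/" in client:
        try:
            return ip in ipaddress.ip_network(client, strict=False)
        except ValueError:
            return False
    if client.endswith("."):
        return addr.startswith(client)
    return client == addr


def lockouts(text, daemon, local_addrs):
    """Which of local_addrs hosts.deny would refuse for `daemon`.

    Returns (address, matching client pattern) pairs in file order."""
    hits = []
    for daemons, client in parse_hosts_deny(text):
        if not ("ALL" in daemons or daemon in daemons):
            continue
        for addr in local_addrs:
            if client_matches(client, addr):
                hits.append((addr, client))
    return hits


if __name__ == "__main__":
    # Addresses of this box's own NICs; constructed for the example.
    for addr, pattern in lockouts(SAMPLE_HOSTS_DENY, "sshd",
                                  ["192.168.1.10", "10.0.0.5"]):
        print(f"sshd from {addr} is denied by hosts.deny entry '{pattern}'")
```

Run it against your real /etc/hosts.deny and the addresses of the inside NIC; anything it reports is exactly the case above, and the entry has to be removed by hand (and, if denyhosts is doing the adding, the address put in its allowed-hosts whitelist so it does not come back).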

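To see what the "recent" trap above actually does to a given sequence of connection attempts, here is a simulation of its counting logic (an added example, written for this reply; it is not code from the poster and does not touch iptables). It models the xt_recent semantics as I understand them: the --set rule appends the packet's time to the source's timestamp list, the --rcheck rule matches when at least --hitcount of those timestamps fall within the last --seconds, and the kernel keeps at most ip_pkt_list_tot (default 20) timestamps per address. The traces are constructed.

```python
"""Simulate the sshattack 'recent' trap: which SYNs get rejected."""
from collections import defaultdict, deque

WINDOW = 120    # --seconds
HITCOUNT = 3    # --hitcount
LIST_TOT = 20   # assumed xt_recent ip_pkt_list_tot default


class SshTrap:
    def __init__(self, window=WINDOW, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        # One bounded timestamp list per source address, like the recent table.
        self.hits = defaultdict(lambda: deque(maxlen=list_tot))

    def syn(self, src, now):
        """Process one SYN to port 22 at time `now` (seconds).

        Rule order matters: the --set rule records every SYN first, so a
        rejected attempt still counts towards the next check."""
        seen = self.hits[src]
        seen.append(now)                                   # --set
        recent = sum(1 for t in seen if now - t <= self.window)
        if recent >= self.hitcount:                        # --rcheck
            return "REJECT"                                # -j LOG, -j REJECT
        return "ACCEPT"                                    # falls through


def run(trace, **kw):
    """Apply the trap to (src, time) pairs; return (src, time, verdict) list."""
    trap = SshTrap(**kw)
    return [(src, t, trap.syn(src, t)) for src, t in trace]


def accepted(trace, **kw):
    """Count how many SYNs in the trace would get through."""
    return sum(1 for _, _, v in run(trace, **kw) if v == "ACCEPT")


if __name__ == "__main__":
    # A brute-forcer that reconnects every 5 seconds, constructed trace.
    attacker = [("198.51.100.7", t) for t in range(0, 600, 5)]
    print("attacker gets", accepted(attacker), "connections out of", len(attacker))
    # An admin opening a few sessions close together, then retrying right
    # after being reset, then waiting before trying again.
    admin = [("192.168.1.10", t) for t in (0, 40, 70, 100, 191)]
    for src, t, verdict in run(admin):
        print(f"t={t:4d}s {src} {verdict}")
```

Two things the numbers show: with --set ahead of --rcheck the third SYN inside the window is already the one rejected, so a source really gets two connections per 120 seconds, not three; and because a rejected SYN is recorded too, anyone who keeps retrying keeps themselves locked out, while a quiet two minutes clears the slate. That second property is what bites when a tool such as fwbuilder opens several ssh sessions in quick succession from the inside NIC.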