
OpenSSH Server being hacked ???

  • wifimax
    Message 1 of 10 , Nov 2, 2005
      I installed OpenSSH Server on my Openslug 2.7 beta and recently got
      a lot of messages from /var/log/messages:

      Nov 2 09:00:17 (none) auth.info sshd[2855]: Invalid user anna from
      61.111.255.133
      Nov 2 09:00:17 (none) auth.err sshd[2855]: error: Could not get
      shadow information for NOUSER
      Nov 2 09:00:17 (none) auth.info sshd[2855]: Failed password for
      invalid user anna from 61.111.255.133 port 49137 ssh2
      Nov 2 09:00:22 (none) auth.info sshd[2859]: Invalid user arthur from
      61.111.255.133
      Nov 2 09:00:22 (none) auth.err sshd[2859]: error: Could not get
      shadow information for NOUSER
      Nov 2 09:00:22 (none) auth.info sshd[2859]: Failed password for
      invalid user arthur from 61.111.255.133 port 49172 ssh2

      Does it mean my ssh server is being hacked and how can I stop these
      messages?

      Thanks in advance
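Added example, not from wifimax's post or from the OpenSlug package: a short Python script that answers the question from the log itself. It parses the `Failed password` lines sshd writes, ignores the `Could not get shadow information for NOUSER` lines (those only mean sshd looked up an account that does not exist, they are not a separate attack), groups failures by source address and flags any source that made several attempts inside a short window. The log below is the two attempts from the post plus a few constructed lines in the same format so the threshold has something to trip on; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the two attempts from the post plus extra lines in the
# same syslog format (added here, not from the original log) so there is something to flag.
SAMPLE_LOG = """\
Nov 2 09:00:17 (none) auth.info sshd[2855]: Invalid user anna from 61.111.255.133
Nov 2 09:00:17 (none) auth.err sshd[2855]: error: Could not get shadow information for NOUSER
Nov 2 09:00:17 (none) auth.info sshd[2855]: Failed password for invalid user anna from 61.111.255.133 port 49137 ssh2
Nov 2 09:00:22 (none) auth.info sshd[2859]: Invalid user arthur from 61.111.255.133
Nov 2 09:00:22 (none) auth.err sshd[2859]: error: Could not get shadow information for NOUSER
Nov 2 09:00:22 (none) auth.info sshd[2859]: Failed password for invalid user arthur from 61.111.255.133 port 49172 ssh2
Nov 2 09:00:27 (none) auth.info sshd[2863]: Failed password for invalid user admin from 61.111.255.133 port 49201 ssh2
Nov 2 09:00:31 (none) auth.info sshd[2867]: Failed password for root from 61.111.255.133 port 49230 ssh2
Nov 2 09:15:02 (none) auth.info sshd[2901]: Failed password for wifimax from 192.168.1.10 port 51000 ssh2
Nov 2 09:15:09 (none) auth.info sshd[2905]: Accepted publickey for wifimax from 192.168.1.10 port 51001 ssh2
"""

# Only the line recording the outcome of an attempt is counted. The "Invalid user" and
# "Could not get shadow information for NOUSER" lines add nothing for counting purposes:
# they just say the requested account does not exist on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(log_text):
    """Return [(timestamp, user, ip, user_does_not_exist), ...] for each failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; that is fine for measuring gaps within one log
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return events


def brute_force_sources(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map source IP -> {"attempts": n, "users": [...]} for every source that made at
    least `threshold` failed attempts inside some span no longer than `window`.
    Threshold and window are assumed values; tune them to the box's normal traffic."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in parse_failed_logins(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        # sliding window over sorted timestamps: attempts i .. i+threshold-1
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = {
                    "attempts": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, usernames tried: {', '.join(info['users'])}")
```

On the sample, 61.111.255.133 is flagged (four failures in fourteen seconds, four different usernames, which is the signature of a dictionary script rather than a typo) and the single failure from the LAN address is not. The usernames tried are worth keeping in the output: a list like anna, arthur, admin, root says the attacker is guessing, not targeting an account that exists on the box.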
    • Brian Wood
      Message 2 of 10 , Nov 2, 2005
        Well it certainly looks like somebody is trying to log on via ssh
        from 66.111.255.133 (that address could be spoofed, but if it is then
        the attempter would never get a logon).

        I don't know your setup. Since I only log on from my local network I
        have my (hardware) firewall drop all incoming ssh packets. I don't
        know what if any FW you might have, if it is flexible enough you
        could drop logon attempts from that IP address if you have to keep
        your system open to the internet.

        You should disable password authentication for ssh if you can, this
        will increase your security.

        I'd just keep an eye on things, if the "user" never gets in, then ssh
        is doing its job :-)


        On Nov 2, 2005, at 5:53 PM, wifimax wrote:

        > I installed OpenSSH Server on my Openslug 2.7 beta and recently got
        > a lot of messages from /var/log/messages:
        >
        > Nov 2 09:00:17 (none) auth.info sshd[2855]: Invalid user anna from
        > 61.111.255.133
        > Nov 2 09:00:17 (none) auth.err sshd[2855]: error: Could not get
        > shadow information for NOUSER
        > Nov 2 09:00:17 (none) auth.info sshd[2855]: Failed password for
        > invalid user anna from 61.111.255.133 port 49137 ssh2
        > Nov 2 09:00:22 (none) auth.info sshd[2859]: Invalid user arthur from
        > 61.111.255.133
        > Nov 2 09:00:22 (none) auth.err sshd[2859]: error: Could not get
        > shadow information for NOUSER
        > Nov 2 09:00:22 (none) auth.info sshd[2859]: Failed password for
        > invalid user arthur from 61.111.255.133 port 49172 ssh2
        >
        > Does it mean my ssh server is being hacked and how can I stop these
        > messages?
        >
        > Thanks in advance
      • Dale VanZile
        Message 3 of 10 , Nov 2, 2005
          wifimax wrote:

          >I installed OpenSSH Server on my Openslug 2.7 beta and recently got
          >a lot of messages from /var/log/messages:
          >
          >Nov 2 09:00:17 (none) auth.info sshd[2855]: Invalid user anna from
          >61.111.255.133
          >Nov 2 09:00:17 (none) auth.err sshd[2855]: error: Could not get
          >shadow information for NOUSER
          >Nov 2 09:00:17 (none) auth.info sshd[2855]: Failed password for
          >invalid user anna from 61.111.255.133 port 49137 ssh2
          >Nov 2 09:00:22 (none) auth.info sshd[2859]: Invalid user arthur from
          >61.111.255.133
          >Nov 2 09:00:22 (none) auth.err sshd[2859]: error: Could not get
          >shadow information for NOUSER
          >Nov 2 09:00:22 (none) auth.info sshd[2859]: Failed password for
          >invalid user arthur from 61.111.255.133 port 49172 ssh2
          >
          >Does it mean my ssh server is being hacked and how can I stop these
          >messages?
          >
          >

          Wifimax---
          Yup. Easiest way to get rid of this problem is to pick a port # above
          1024 that you're sure you'll never use, and use that for SSH access
          instead of the common port #22. Most of the script kiddies' scripts are
          only looking for the popular "standard" ports for the types of programs
          that will allow them to take control of a box, so this really helps you
          avoid having a giant bullseye painted on your posterior. The other even
          more secure thing you can do, as Brian Moore suggests, is to eliminate
          password ID in favor of public/private key authentication. It's more of
          a pain to set up (you have to generate a private key for each user you
          want to allow into your box) but you are virtually inaccessible then.
          Combined, it'd make for a darned safe SSH portal....

          HTH!

          C ya,
          Dutch
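Added example, not part of Dutch's post or of the OpenSlug package: a Python checker for the two changes suggested above (move sshd off port 22, drop password authentication in favour of keys), run against a constructed sshd_config. It applies sshd's rule that the first occurrence of a directive wins, so a second `PasswordAuthentication yes` further down the file is correctly ignored, and it also turns off `ChallengeResponseAuthentication`, because with PAM in the picture that path will still accept a password after `PasswordAuthentication no`. The port number 2222 and the table of defaults are assumptions (the defaults match OpenSSH of that era; `PermitRootLogin` later changed to `prohibit-password`). One caveat the post leaves out: a non-standard port cuts the log noise from scanners, but a single port scan finds it, so key-only authentication is the control that actually matters.

```python
import re

# Constructed sshd_config fragment with the settings the thread is about; not a real file.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Target values. The port is an arbitrary unprivileged choice (assumption) and only
# reduces scanner noise; the authentication settings are the real control.
HARDENED = {
    "Port": "2222",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",  # else PAM keyboard-interactive still takes a password
    "PubkeyAuthentication": "yes",
}

# What sshd assumes when a directive is absent (OpenSSH 4.x era defaults; later
# releases changed PermitRootLogin to prohibit-password).
DEFAULTS = {
    "Port": "22",
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
}

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*[ =]\s*(.+?)\s*$")


def _directive(line):
    """(Keyword, value) for a config line, or None for blanks and comments."""
    if line.strip().startswith("#"):
        return None
    m = DIRECTIVE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def parse_sshd_config(text):
    """{keyword_lower: value} using sshd's rule that the first occurrence wins.
    Parsing stops at the first Match block, whose directives are conditional."""
    effective = {}
    for line in text.splitlines():
        d = _directive(line)
        if d is None:
            continue
        key, value = d
        if key.lower() == "match":
            break
        effective.setdefault(key.lower(), value)
    return effective


def audit_sshd_config(text):
    """[(keyword, effective_value, wanted_value)] for each directive weaker than HARDENED."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in HARDENED.items():
        effective = cfg.get(key.lower(), DEFAULTS[key])
        if effective.lower() != wanted.lower():
            findings.append((key, effective, wanted))
    return findings


def harden_sshd_config(text):
    """Rewrite the first occurrence of each HARDENED directive, comment out later
    duplicates (harmless now under first-match-wins, but they bite after a future
    edit), insert anything missing before the first Match block so it stays
    unconditional, and leave the Match blocks themselves alone."""
    out, done, in_match, match_at = [], set(), False, None
    for line in text.splitlines():
        d = _directive(line)
        if d and d[0].lower() == "match" and not in_match:
            in_match, match_at = True, len(out)
        canon = None
        if d and not in_match:
            canon = next((k for k in HARDENED if k.lower() == d[0].lower()), None)
        if canon is None:
            out.append(line)
        elif canon in done:
            out.append(f"#{line}   # duplicate disabled by hardening")
        else:
            out.append(f"{canon} {HARDENED[canon]}")
            done.add(canon)
    missing = [f"{k} {v}" for k, v in HARDENED.items() if k not in done]
    at = len(out) if match_at is None else match_at
    out[at:at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, have, want in audit_sshd_config(WEAK_CONFIG):
        print(f"{key}: is {have}, want {want}")
    print(harden_sshd_config(WEAK_CONFIG))
```

To run it on the real box, pass `open("/etc/ssh/sshd_config").read()` to `audit_sshd_config`. Apply the hardened file only after a key login has been confirmed to work, and keep the existing session open while sshd is restarted, so a mistake in the new config does not lock you out of a headless slug.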
        • dlubinsk
          Message 4 of 10 , Nov 2, 2005
            Hi,
            Take a look at my howto on port knocking...this is one of
            the reasons I set this up...see if it's of use to you:

            http://www.nslu2-linux.org/wiki/HowTo/SecurityByPortKnocking

            My howto explains how to lock down ssh and gain entry when YOU want
            via knock.

            Regards,
            Don

            --- In nslu2-linux@yahoogroups.com, "wifimax" <wifimax@y...> wrote:
            >
            > I installed OpenSSH Server on my Openslug 2.7 beta and recently got
            > a lot of messages from /var/log/messages:
            >
            > Nov 2 09:00:17 (none) auth.info sshd[2855]: Invalid user anna from
            > 61.111.255.133
            > Nov 2 09:00:17 (none) auth.err sshd[2855]: error: Could not get
            > shadow information for NOUSER
            > Nov 2 09:00:17 (none) auth.info sshd[2855]: Failed password for
            > invalid user anna from 61.111.255.133 port 49137 ssh2
            > Nov 2 09:00:22 (none) auth.info sshd[2859]: Invalid user arthur from
            > 61.111.255.133
            > Nov 2 09:00:22 (none) auth.err sshd[2859]: error: Could not get
            > shadow information for NOUSER
            > Nov 2 09:00:22 (none) auth.info sshd[2859]: Failed password for
            > invalid user arthur from 61.111.255.133 port 49172 ssh2
            >
            > Does it mean my ssh server is being hacked and how can I stop these
            > messages?
            >
            > Thanks in advance
            >
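Added example, not from Don's howto or from the wiki page: the decision logic a knock daemon runs, written in Python to show what "gain entry when YOU want" means at the packet level. Each connection attempt to a closed port is fed in as (source address, destination port, time). A source that hits the configured ports in order, within the inter-knock timeout, gets the ssh port opened to it for a limited time; a wrong port resets its progress, which is what stops a linear port scan from knocking by accident. The sequence, timeouts and addresses are assumed values. Caveat: a knock is not authentication, since anyone who can sniff the path can replay it, so it sits in front of a key-only sshd rather than replacing it.

```python
# Assumed knock sequence and timings (hypothetical, not the values from the wiki howto).
KNOCK_SEQUENCE = (7000, 8000, 9000)  # TCP ports that must be hit in this order
KNOCK_TIMEOUT = 10.0                 # max seconds between consecutive knocks
OPEN_DURATION = 30.0                 # seconds the ssh port stays open to a knocker


class KnockTracker:
    """Per-source state machine: how far each source has got through the sequence,
    and which sources currently have the ssh port opened to them."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.open_for = open_for
        self._progress = {}  # src -> (index of next expected port, time of last knock)
        self._opened = {}    # src -> time the sequence was completed

    def observe(self, src, dst_port, now):
        """Feed one connection attempt to a closed port. Returns True when this knock
        completes the sequence for `src` (and so opens the ssh port to it)."""
        idx, last = self._progress.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0  # partial sequence went stale; start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            # A wrong port resets, unless it happens to be the first knock of a fresh
            # attempt. This is what stops a linear scan (7000, 7001, 7002, ...) from
            # walking through the sequence by accident.
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._opened[src] = now
            return True
        self._progress[src] = (idx, now)
        return False

    def ssh_allowed(self, src, now):
        """True if `src` completed the sequence less than open_for seconds ago."""
        opened = self._opened.get(src)
        if opened is None:
            return False
        if now - opened > self.open_for:
            del self._opened[src]  # window expired; the port closes again
            return False
        return True


if __name__ == "__main__":
    t = KnockTracker()
    for port, when in ((7000, 0.0), (8000, 1.5), (9000, 2.5)):
        print(f"knock {port}: sequence complete = {t.observe('203.0.113.5', port, when)}")
    print("ssh allowed at t=5s:", t.ssh_allowed("203.0.113.5", 5.0))
    print("ssh allowed at t=60s:", t.ssh_allowed("203.0.113.5", 60.0))
```

On a real box this logic is expressed as firewall rules (the iptables `recent` match is the usual way to do it) rather than as a Python process, but the states and transitions are the same: a per-source counter that advances on the right port, resets on the wrong one, and times out.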
          • Brian Wood
            Message 5 of 10 , Nov 2, 2005
              Wow, what a great concept. I'd never run into this idea before, I'm impressed.

              The main problem is that it won't work inside a firewall. Oh well, I'd been wanting to set up a slug as a firewall anyway, but that means I need two ethernet interfaces, and I have to deal with the endian problem if I want to use the internal interface...

              Guess I'll buy a third slug to experiment with.

              Thanks for the pointer.


              On Nov 2, 2005, at 8:10 PM, dlubinsk wrote:

              Hi,
              Take a look at my howto on port knocking...this is one of
              the reasons I set this up...see if it's of use to you:

              http://www.nslu2-linux.org/wiki/HowTo/SecurityByPortKnocking

              My howto explains how to lock down ssh and gain entry when YOU want
              via knock.

              Regards,
              Don
            • dlubinsk
              Message 6 of 10 , Nov 2, 2005
                Well I get around this with a linux box as one of my firewalls; this
                linux box has a secondary non-routable connection to my slug (which
                does sit behind a hardware firewall). I "knock" my linux box which
                in turn "knocks" my slug (via the non-routable connection). This
                opens the port on my slug and away I go.

                Regards,
                Don


                > Wow, what a great concept. I'd never run into this idea before, I'm
                > impressed.
                >
                > The main problem is that it won't work inside a firewall. Oh well,
                > I'd been wanting to set up a slug as a firewall anyway, but that
                > means I need two ethernet interfaces, and I have to deal with the
                > endian problem if I want to use the internal interface...
                >
                > Guess I'll buy a third slug to experiment with.
                >
                > Thanks for the pointer.
                >
                >
                > On Nov 2, 2005, at 8:10 PM, dlubinsk wrote:
                >
                > > Hi,
                > > Take a look at my howto on port knocking...this is one of
                > > the reasons I set this up...see if it's of use to you:
                > >
                > > http://www.nslu2-linux.org/wiki/HowTo/SecurityByPortKnocking
                > >
                > > My howto explains how to lock down ssh and gain entry when YOU want
                > > via knock.
                > >
                > > Regards,
                > > Don
                >
              • Brian Wood
                Message 7 of 10 , Nov 2, 2005
                  Well for "Linux box as one of my firewalls" I want to insert "slug".
                  It seems like a natural for such a purpose if I can easily get two
                  interfaces going.

                  At present I'm using a commercially-available firewall box, but I
                  need something I can hack on and not be limited to what the firmware
                  lets me do.

                  Anybody have an easy way to get two interfaces on a slug? Preferably
                  using Unslung and not having to go with an entire Debian install.

                  I have an old Cobalt Qube-2 (MIPS machine) with two interfaces, but
                  that seems like overkill for a F/W.


                  On Nov 2, 2005, at 8:54 PM, dlubinsk wrote:

                  > Well I get around this with a linux box as one of my firewalls; this
                  > linux box has a secondary non-routable connection to my slug (which
                  > does sit behind a hardware firewall). I "knock" my linux box which
                  > in turn "knocks" my slug (via the non-routable connection). This
                  > opens the port on my slug and away I go.
                  >
                  > Regards,
                  > Don
                  >
                • Tommy B
                  Message 8 of 10 , Nov 3, 2005
                    Brian Wood wrote:

                    A Pre-production round of Lofts are heading my way.
                    Firewalling/QoS/IDS/IPS is an area I'm starting to look at.

                    >Well for "Linux box as one of my firewalls" I want to insert "slug".
                    >It seems like a natural for such a purpose if I can easily get two
                    >interfaces going.
                    >
                    >At present I'm using a commercially-available firewall box, but I
                    >need something I can hack on and not be limited to what the firmware
                    >lets me do.
                    >
                    >Anybody have an easy way to get two interfaces on a slug? Preferably
                    >using Unslung and not having to go with an entire Debian install.
                    >
                    >I have an old Cobalt Qube-2 (MIPS machine) with two interfaces, but
                    >that seems like overkill for a F/W.
                    >
                    >
                    >On Nov 2, 2005, at 8:54 PM, dlubinsk wrote:
                    >
                    >
                    >
                    >>Well I get around this with a linux box as one of my firewalls; this
                    >>linux box has a secondary non-routable connection to my slug (which
                    >>does sit behind a hardware firewall). I "knock" my linux box which
                    >>in turn "knocks" my slug (via the non-routable connection). This
                    >>opens the port on my slug and away I go.
                    >>
                    >>Regards,
                    >>Don
                  • wifimax
                    Message 9 of 10 , Nov 3, 2005
                       Thanks for all the replies. I am reading and reading to find the best
                       solution to prevent hackers logging in to my NSLU2 server.

                       1. Change port number - It might work, but I think hackers
                       can use some port scanning program to learn the new port.
                      2. Frequently changing my login password.
                      3. Create a private/public key to login instead of using password
                      4. Port knocking. I have to read more about this stuff. very interesting.

                      Thanks

                      --- In nslu2-linux@yahoogroups.com, "dlubinsk" <dlubinsk@y...> wrote:
                      >
                      > Well I get around this with a linux box as one of my firewalls; this
                      > linux box has a secondary non-routable connection to my slug (which
                      > does sit behind a hardware firewall). I "knock" my linux box which
                      > in turn "knocks" my slug (via the non-routable connection). This
                      > opens the port on my slug and away I go.
                      >
                      > Regards,
                      > Don
                      >
                      >
                       > > Wow, what a great concept. I'd never run into this idea before, I'm
                       > > impressed.
                      > > impressed.
                      > >
                       > > The main problem is that it won't work inside a firewall. Oh well,
                      > > I'd been wanting to set up a slug as a firewall anyway, but that
                      > > means I need two ethernet interfaces, and I have to deal with the
                      > > endian problem if I want to use the internal interface...
                      > >
                      > > Guess I'll buy a third slug to experiment with.
                      > >
                      > > Thanks for the pointer.
                      > >
                      > >
                      > > On Nov 2, 2005, at 8:10 PM, dlubinsk wrote:
                      > >
                      > > > Hi,
                       > > > Take a look at my howto on port knocking...this is one of
                       > > > the reasons I set this up...see if it's of use to you:
                      > > >
                      > > > http://www.nslu2-linux.org/wiki/HowTo/SecurityByPortKnocking
                      > > >
                       > > > My howto explains how to lock down ssh and gain entry when YOU want
                      > > > via knock.
                      > > >
                      > > > Regards,
                      > > > Don
                      > >
                      >
                    • jimmyfergus
                      Message 10 of 10 , Nov 4, 2005
                        --- In nslu2-linux@yahoogroups.com, "wifimax" <wifimax@y...> wrote:
                         > Thanks for all the replies. I am reading and reading to find the best
                         > solution to prevent hackers logging in to my NSLU2 server.
                         >
                         > 1. Change port number - It might work, but I think hackers
                         > can use some port scanning program to learn the new port.
                         > 2. Frequently changing my login password.
                         > 3. Create a private/public key to login instead of using password
                         > 4. Port knocking. I have to read more about this stuff. Very interesting.

                         I'd have said 1 & 3 are enough for most of us. 2 will only help if
                        they first hacked into your remote machine, and then failed to collect
                        your private key when they harvested your password.

                        Anyway, changing the port number will be effective unless someone is
                        determined to target *you* specifically. Most of the attacks are
                        scripts looking for the easiest targets. They're unlikely to do a
                        full on port scan of you, unless they know who you are and are
                        specifically motivated to get you.

                        J.