code red!


Post by pretentious on Thu Jan 16, 2014 6:40 am

Code:
Jan 16 19:19:56 arbitrary_host_name sshd[2428]: Failed password for invalid user a from 65.181.118.14 port 56472 ssh2
Jan 16 19:20:01 arbitrary_host_name sshd[2431]: Failed password for invalid user abc123 from 65.181.118.14 port 56668 ssh2
Jan 16 19:20:08 arbitrary_host_name sshd[2433]: Failed password for invalid user abc from 65.181.118.14 port 56855 ssh2
Jan 16 19:20:13 arbitrary_host_name sshd[2435]: Failed password for invalid user abcd from 65.181.118.14 port 57211 ssh2
Jan 16 19:20:18 arbitrary_host_name sshd[2437]: Failed password for invalid user abcde from 65.181.118.14 port 57399 ssh2
Jan 16 19:20:22 arbitrary_host_name sshd[2439]: Failed password for invalid user abcdef from 65.181.118.14 port 57655 ssh2
Jan 16 19:20:27 arbitrary_host_name sshd[2441]: Failed password for invalid user account from 65.181.118.14 port 57863 ssh2

When I first got started with the whole 'having a computer hooked up to the internet' thing, I checked my logs on a regular basis, performed some basic recon on IPs that were poking around, looked through apache logs for attempted exploits (anything with url encoding pretty much got my attention) and tried to set up complex systems of authentication so that even if someone got in and deleted logs, without having an intimate knowledge of my system, they will leave prints. In recent weeks however, my guard has lowered a bit. I don't know how many of you guys have personal servers which get attention or have seen an attempt to gain access to a machine. So yeah, here's the most recent event on my personal server. The user was no doubt locked out after too many failed attempts.
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
pretentious wrote:Welcome to bat country


Re: code red!

Post by hellow533 on Thu Jan 16, 2014 12:50 pm

It looks like, by the names attempted, a web crawler was poking around random servers looking for exploits. It looks as if it was trying to brute force its way in, but luckily you were smart to automatically lock out after x number of attempts.

I wouldn't worry too much about it unless it happens a second time. Then someone may be directly targeting you.

Tell me, does your server notify the device connecting that the username is invalid?
“Teach me how to hack!”
"What, like, with an axe?"


Re: code red!

Post by Tentra on Fri Jan 17, 2014 1:52 am

My servers are constantly subjected to this sort of attack; I never even worry about it. Just install fail2ban and forget about it. As long as you have a decent password, or hopefully public key authentication, you likely won't fall victim to these attacks.
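
The lockout that the opening post and hellow533 describe, and the fail2ban jail Tentra recommends, both come down to the same detection logic: parse the sshd "Failed password" lines, group them by source address, and act once one source exceeds a retry count inside a time window. The script below is an added example written for this thread, not code from the thread or from the fail2ban project. It parses the seven log lines quoted in the opening post plus two constructed lines (a failure for an existing account from 192.0.2.10 and an accepted public-key login from 192.0.2.20, both documentation addresses) and flags any source that trips a fail2ban-style maxretry/findtime threshold. The year 2014 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The seven sshd lines quoted in the opening post, followed by two constructed lines (192.0.2.x
# is a documentation range) to show that the parser also handles failures for accounts that
# exist ("Failed password for root ...") and skips entries that are not failures.
SAMPLE_LOG = """\
Jan 16 19:19:56 arbitrary_host_name sshd[2428]: Failed password for invalid user a from 65.181.118.14 port 56472 ssh2
Jan 16 19:20:01 arbitrary_host_name sshd[2431]: Failed password for invalid user abc123 from 65.181.118.14 port 56668 ssh2
Jan 16 19:20:08 arbitrary_host_name sshd[2433]: Failed password for invalid user abc from 65.181.118.14 port 56855 ssh2
Jan 16 19:20:13 arbitrary_host_name sshd[2435]: Failed password for invalid user abcd from 65.181.118.14 port 57211 ssh2
Jan 16 19:20:18 arbitrary_host_name sshd[2437]: Failed password for invalid user abcde from 65.181.118.14 port 57399 ssh2
Jan 16 19:20:22 arbitrary_host_name sshd[2439]: Failed password for invalid user abcdef from 65.181.118.14 port 57655 ssh2
Jan 16 19:20:27 arbitrary_host_name sshd[2441]: Failed password for invalid user account from 65.181.118.14 port 57863 ssh2
Jan 16 19:21:03 arbitrary_host_name sshd[2450]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan 16 19:25:40 arbitrary_host_name sshd[2460]: Accepted publickey for admin from 192.0.2.20 port 40002 ssh2
"""

# Matches "Failed password for invalid user NAME from IP port N ssh2" as well as the
# "Failed password for NAME from IP ..." form sshd logs when the account exists.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)


def parse_failures(text, year=2014):
    """Return a list of (timestamp, user, ip, invalid_user) for each failed-password line.

    Lines that do not match (successful logins, other daemons) are skipped. syslog timestamps
    have no year, so the caller supplies one; 2014 is assumed to match the thread."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["invalid"] is not None))
    return events


def find_brute_force(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: summary} for every source with >= maxretry failures inside some findtime window.

    The parameter names mirror fail2ban's sshd jail settings; the sliding-window logic here is an
    illustration of that idea, not fail2ban's own implementation."""
    by_ip = defaultdict(list)
    for ts, user, ip, _invalid in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until attempts[start:end+1] spans <= findtime
            while attempts[end][0] - attempts[start][0] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = {
                    "first": attempts[0][0],
                    "last": attempts[-1][0],
                    "attempts": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} failures {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, "
              f"usernames tried: {', '.join(info['users'])}")
```

The 65.181.118.14 source is flagged because seven failures land inside one ten-minute window; the single root failure from the constructed 192.0.2.10 line is recorded but stays below the threshold, which is the same distinction fail2ban's maxretry makes between a typo and a dictionary run.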


Re: code red!

Post by pretentious on Fri Jan 17, 2014 2:22 am

@hello
I've got Ubuntu Server running with things mostly default.
I don't know for sure, tbh, but I figure they're smart enough to not confirm or deny the user name. Just tried on my mobile ssh client with a nonexistent account and just got 'password incorrect'.

@tentra
I have a strong password. Public key authentication never occurred to me. I want to access my server from many different devices so I don't think having a keyfile thing would suit. Is that what public key authentication is? You log in with your private key or something?


Re: code red!

Post by fashizzlepop on Fri Jan 17, 2014 3:46 pm

If you disable password auth and root login, you should be fine. The chances of them cracking that are basically nil. Also, make sure you only have ports open that you need, i.e. 22 for SSH and 80 for HTTP (assuming HTTP).
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
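
The two settings fashizzlepop names live in sshd_config, and a mostly-default Ubuntu file like the one pretentious describes leaves password logins on because the relevant line is only a comment. The audit below is an added example written for this thread, not code from the thread or from OpenSSH. It parses sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, '#' starts a comment, 'Key value' or 'Key=value', only the global section before any Match block) and reports every keyword that is not at the value a key-only setup needs. Both config fragments are constructed; the keyword names and their "absent means the built-in default applies" behaviour are real OpenSSH semantics, and for none of the four keywords is that default the value required here.

```python
import re

# Two constructed sshd_config fragments. WEAK_CONFIG imitates a mostly-default file: the
# PasswordAuthentication line is commented out, so sshd applies its default ("yes").
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""

# The hardened form: no password or keyboard-interactive logins, no root login, keys only.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""

# Values a key-only server needs. An absent keyword is a finding too, because sshd then uses
# its compiled-in default and for none of these keywords is that default the value wanted.
REQUIRED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",  # PAM keyboard-interactive password prompts
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}

_SPLIT_RE = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of an sshd_config.

    sshd keeps the first value it sees for a keyword, ignores '#' comments, accepts either
    'Key value' or 'Key=value', and matches keywords case-insensitively. Everything after the
    first Match block is conditional on the connecting client, so the audit stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT_RE.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return sorted (keyword, value_found_or_None, value_required) for each unmet REQUIRED entry."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != wanted:
            findings.append((key, actual, wanted))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for key, actual, wanted in audit(cfg) or []:
            shown = "absent (built-in default applies)" if actual is None else repr(actual)
            print(f"  {key} is {shown}, should be {wanted!r}")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the first-value-wins rule is why a hardening line appended at the end of the file does nothing when an earlier line already sets the keyword, and why the audit reports the value sshd will actually use rather than the last one written.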


Re: code red!

Post by Kage on Sat Jan 18, 2014 9:04 pm

~ Kage ~

HackThisSite Manager


Re: code red!

Post by tgoe on Wed Jan 22, 2014 2:58 am

Move ssh off of port 22


Re: code red!

Post by pretentious on Wed Jan 22, 2014 3:44 am

I've read that changing the ssh port actually isn't a good idea. The issue is that anyone can open a socket on a port >1024 so you can't verify the security of the connection or something. Haven't looked too far into it. Due to the type of attention I get, I don't think it's necessary.

I've installed fail2ban as backup for denyhosts and because it can be configured to handle ftp which I might set up in the future. I've also been eyeing honeypot software for the lulz but I've already made character judgements about the people doing the attacks and I'm not sure it will yield much juicy info.


Re: code red!

Post by Drug5bitz on Wed Jan 22, 2014 1:56 pm

fashizzlepop wrote:If you disable password auth and root login, you should be fine. The chances of them cracking that are basically nil. Also, make sure you only have ports open that you need, i.e. 22 for SSH and 80 for HTTP (assuming HTTP).

You're assuming port 80 for http? I was just wondering, is it because he could only be hosting an ftp server instead? Is there something I don't know, like other ports for http or browser access? I think I need a port chart taped to my laptop.

Also awesome site and everything involved!


Re: code red!

Post by Goatboy on Wed Jan 22, 2014 6:41 pm

pretentious wrote:I've read that changing the ssh port actually isn't a good idea. The issue is that anyone can open a socket on a port >1024 so you can't verify the security of the connection or something.

By "anyone" you mean "any user on the system". The security of ports 1-1023 is the fact that only root can start a process on those ports, even if the program then drops privileges (which it should). If you're the only one on your server it's fine to run SSH on a high port. And really, nobody is gonna waste time scanning all your ports (unless they wanna get blocked right away) so if you hit something in the high 20,000s you'll be fine.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk