
Thread: Does this look like someone's shelled into my box?

  1. #1
    Biggus is offline Gee! These Aren't Roasted!
    Join Date
    Nov 2006
    Beans
    177

    Does this look like someones shelled into my box?

    Comment Deleted
    Last edited by Biggus; April 30th, 2008 at 12:22 PM. Reason: I have left the community

  2. #2
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Does this look like someones shelled into my box?

    It looks to me like an established connection. Did you check auth.log to see what it shows?

  3. #3
    Biggus is offline Gee! These Aren't Roasted!
    Join Date
    Nov 2006
    Beans
    177

    Re: Does this look like someones shelled into my box?

    Comment Deleted
    Last edited by Biggus; April 30th, 2008 at 12:21 PM. Reason: I have left the community

  4. #4
    Join Date
    Nov 2005
    Location
    Nashville, TN
    Beans
    437
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Does this look like someones shelled into my box?

    No matter what you do you are never 'crackproof'. Security, as it is, is making yourself a hard target and keeping as low a profile as possible. Though two of the biggest things in making yourself a difficult target are using strong passphrases and changing your ssh service to a nonstandard port. Most bots and quick scans only look at the services in the first 1024 'known' ports. If you move your ssh service up to 2222 or such you'll dramatically decrease the number of attacks.
    -Chayak

  5. #5
    Join Date
    Apr 2006
    Location
    Alberta,Canada
    Beans
    1,135
    Distro
    Ubuntu Development Release

    Re: Does this look like someones shelled into my box?

    Since most hack attempts are brute force type attacks, denyhosts goes a long way to protect SSH
    What color do Smurfs turn when you choke em?
    ____________________________

  6. #6
    Join Date
    Jan 2008
    Location
    /dev/null
    Beans
    2,793
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Does this look like someones shelled into my box?

    Quote Originally Posted by Chayak View Post
    No matter what you do you are never 'crackproof'. Security, as it is, is making yourself a hard target and keeping as low a profile as possible. Though two of the biggest things in making yourself a difficult target are using strong passphrases and changing your ssh service to a nonstandard port. Most bots and quick scans only look at the services in the first 1024 'known' ports. If you move your ssh service up to 2222 or such you'll dramatically decrease the number of attacks.
    A properly secured server won't be cracked by a script kiddie. Yes, moving to a higher port will decrease the amount of script kiddies that probe you, but in itself it doesn't do anything for security.

    IMO the steps to securing SSH are more along the lines of:

    disable root login
    disable ssh1 protocol
    use allow users and limit the users list to those that need access (not all accounts "need" ssh)
    disable password authentication and require public key auth (if you do this you don't need fail2ban or denyhosts)

    Upping to port 2222 is an issue... because, well, it's a port above 1024. I know not everyone needs the lower privileged ports and it's a throwback to the past. I guess I just have an issue with using nonstandard ports for standard services. If I were to change the port, I wouldn't select 2222 because it is commonly used for SSH by people that change the default port. I'm sure the advanced script kiddies know that too, so instead of every script kiddie banging on your box you'll only get half. Besides that, if a semi-serious cracker wants to probe your box they'll find the open services anyhow and they'll do it in a manner that doesn't set off the warning flags that the brute forcing SK's will. So instead of security by obscurity I'll opt for actually locking down the box.

    Just my 2 cents, take it with a grain of salt and do as you will.
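
The four steps listed in post #6, written as a checker over the text of an sshd_config. This is an added example, not code from any poster; the sample configuration is constructed, and the choice to report an unset keyword (because its effective value then depends on the installed OpenSSH version's default) is an assumption of this sketch. On releases that have dropped protocol 1 entirely, an unset `Protocol` line can be ignored.

```python
# Added example: audit the global section of an sshd_config against post #6.
import re

# keyword (lower-cased) -> test that is True when the value is hardened
CHECKS = {
    "permitrootlogin": lambda v: v.lower() == "no",
    "protocol": lambda v: "1" not in re.split(r"[,\s]+", v),
    "allowusers": lambda v: bool(v.strip()),
    "passwordauthentication": lambda v: v.lower() == "no",
}

def parse_global(text):
    """Map keyword -> value; sshd keeps the FIRST value it reads for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope here
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return [(keyword, problem)] for every step that is unset or weak."""
    settings = parse_global(text)
    findings = []
    for key, hardened in CHECKS.items():
        if key not in settings:
            findings.append((key, "unset"))
        elif not hardened(settings[key]):
            findings.append((key, "weak: " + settings[key]))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
Port 22
Protocol 2,1
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    AllowUsers backup
"""

if __name__ == "__main__":
    for keyword, problem in audit(SAMPLE):
        print(keyword, "->", problem)
```

On a live host, `sshd -T` prints the effective configuration, defaults included, which is the better input for a check like this than the file alone.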

  7. #7
    Join Date
    Jan 2008
    Location
    /dev/null
    Beans
    2,793
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Does this look like someones shelled into my box?

    Quote Originally Posted by Anduu View Post
    Since most hack attempts are brute force type attacks, denyhosts goes a long way to protect SSH
    +1

    To the OP: if you use denyhosts, be sure to set up /etc/hosts.allow so that you don't lock yourself out. Also monitor /etc/hosts.deny and use the info you gain there to deny access to all services, since denyhosts only blocks SSH connections to "banned" hosts.

  8. #8
    Biggus is offline Gee! These Aren't Roasted!
    Join Date
    Nov 2006
    Beans
    177

    Re: Does this look like someones shelled into my box?

    Comment Deleted
    Last edited by Biggus; April 30th, 2008 at 12:21 PM. Reason: I have left the community

  9. #9
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Does this look like someones shelled into my box?

    SSH Keybased Auth is easy. I use it for every machine on the network (that has SSH), and the key can be passwordless (but this decreases security if your private key would ever be stolen).

    But by setting up an SSH key, and enabling KeyBasedAuth for the SSH Server, it will automatically reject requests without the proper private key. They wouldn't even be given the chance to bruteforce your password.

    I have a simple guide for setting it up at my blog, albeit for a passwordless key; you don't have to have passwordless. It should give you the fundamentals for setting up an SSH key and enabling KeyBasedAuth on the server.

    http://php.8ez.com/drsmall/blog/?p=218

    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  10. #10
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: Does this look like someones shelled into my box?

    Quote Originally Posted by Biggus View Post
    Hi guys.

    I came home drunk last night, and, having upgraded to 8.04 the other day, thought I would have a mess around to see what sort of stuff had changed.

    I loaded firestarter up, and had a little mess around, when I noticed what looked to be someone shelled into my box.

    I've taken a screenshot, and attached it to this post hopefully, and, unless I'm reading the display incorrectly, it appears to show that a remote host has an open connection to my box on port 22.

    Could this be correct? If so, doesn't that mean that, essentially, my ssh server, and subsequently, my box, have been 'cracked'?

    (Oh yeah, my own IP is blurred in the attachment)
    Looks like another one of these pathetic attempts to log into a box via ssh. Your logs will tell you for sure and confirm it did not succeed. Even if your password could be stronger it is highly doubtful a valid username was guessed so, if I were you, I'd go for ssh keys and have another few drinks.

    Oldsoldier2003 gives the best reason for not moving sshd from port 22 but another one is why let yourself be intimidated into changing the default port? Actually, it can be fun keeping an eye on the doomed attempts at cracking.

    I'm unsure quite what role firestarter was supposed to play but it didn't appear to do much.
    Brian.
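
What checking auth.log, as suggested in posts #2 and #10, comes down to: separating failed attempts from accepted logins per source address. This is an added example, not code from any poster; the log lines are constructed, use documentation address ranges, and assume OpenSSH's usual "Failed ... for" / "Accepted ... for" syslog messages.

```python
# Added example: summarise sshd authentication results per source address.
import re
from collections import defaultdict

# Assumed message shape:
#   "Failed|Accepted <method> for [invalid user ]<name> from <ip> port <n>"
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(lines):
    """Per address: failure count, names tried, and each accepted login
    with the number of failures that address had logged before it."""
    hosts = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        host = hosts[m["ip"]]
        host["users"].add(m["user"])
        if m["result"] == "Failed":
            host["failed"] += 1
        else:
            host["accepted"].append((m["user"], m["method"], host["failed"]))
    return dict(hosts)

def guessed_logins(hosts, threshold=2):
    """Addresses whose accepted login followed at least `threshold` failures."""
    return sorted(ip for ip, h in hosts.items()
                  if any(prior >= threshold for _, _, prior in h["accepted"]))

# Constructed log lines, not taken from the thread.
SAMPLE = """\
Apr 30 02:11:01 box sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Apr 30 02:11:04 box sshd[4122]: Failed password for root from 203.0.113.7 port 51520 ssh2
Apr 30 02:15:40 box sshd[4190]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2
Apr 30 02:20:13 box sshd[4201]: Failed password for bob from 192.0.2.9 port 40100 ssh2
Apr 30 02:20:19 box sshd[4203]: Failed password for bob from 192.0.2.9 port 40102 ssh2
Apr 30 02:20:31 box sshd[4207]: Accepted password for bob from 192.0.2.9 port 40106 ssh2
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    for ip, h in report.items():
        print(ip, h["failed"], sorted(h["users"]), h["accepted"])
    print("review:", guessed_logins(report))
```

An address with failures and an empty accepted list is the "did not succeed" case described in post #10; an accepted password login that follows a run of failures from the same address is the one to investigate.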
