Thread: [SOLVED] is a lack of hack attempts a problem

  1. #1
    Join Date
    Feb 2008
    Location
    US
    Beans
    2,782
    Distro
    Ubuntu 8.04 Hardy Heron

    [SOLVED] is a lack of hack attempts a problem

    I was just reading this thread: http://ubuntuforums.org/showthread.php?t=888199 and I ran the command listed in post #4
    Code:
    sudo grep sshd /var/log/auth.log | less
    All I found in there were all of my logins, all of them originating from my internal IP address and the IP address of my office (I log in from work fairly often via ssh), so they are definitely not hack attempts. This, however, appears out of the ordinary according to the above thread, as it appears I should see some dictionary attacks or something every couple of days. I checked the entire month and didn't find anything out of the ordinary.

    This seems suspicious to me, so I was wondering what you guys think about it. Am I just really lucky to never get targeted, or do I have some sort of security hole?
    Desktop: Q6600 OC: 343 x 9, 4 GB RAM, 8600 GTS Twinview (22",17"), 1.5 TB RAID 5
    Laptop: Lenovo T61 T7300 @ 2 GHz, 2GB RAM, Nvidia 140M Quadro, 160 GB harddrive
    Remember to mark posts as [SOLVED] when your problem is resolved

  2. #2
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: is a lack of hack attempts a problem

    You just haven't been hit by the botnets. Don't worry.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  3. #3
    Join Date
    Apr 2007
    Location
    Lelystad, Netherlands
    Beans
    104

    Re: is a lack of hack attempts a problem

    Give me your IP and I'll fix that for you!

  4. #4
    Join Date
    Feb 2008
    Location
    US
    Beans
    2,782
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: is a lack of hack attempts a problem

    Quote Originally Posted by Dr Small
    You just haven't been hit by the botnets. Don't worry.
    So you're saying I'm just lucky, or is there a reason why my IP is special and doesn't get targeted?

  5. #5
    Join Date
    Apr 2008
    Location
    Austin, TX
    Beans
    39
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: is a lack of hack attempts a problem

    Am I just really lucky to never get targeted or do I have some sort of security hole.


    You could look at the touch times on your old logs to see if they've been modified. Of course, if an attacker is being so careful as to excise his own (and others') login attempts, he'll probably just re-touch the files to their original write times.

    If you're worried that your logs are being tampered with, store them offline routinely, echo them out to another machine using snmp and then store /those/ logs offline, etc.

    But yeah, paranoia will only get you so far.

    Here's a quick experiment to see if your logging is working: try a bunch of failed ssh logins to the suspect machine. If you don't see them in the logs, then you have a problem (either with writing or reading your logs).

    In fact, with the command given here, /that/ command should match the grep, since the act of sudo'ing will (by default) be logged in auth.log.
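
An added example, not part of todb's post or the original thread: one way to turn the `grep sshd /var/log/auth.log` output into a per-address count of accepted and failed logins, so a deliberate failed login is easy to spot. The function names, host name and sample lines are constructed for illustration; the sample uses the usual OpenSSH syslog line format and documentation addresses.

```shell
#!/bin/sh
# Constructed sample log (hypothetical host "box", documentation addresses).
# The last line is the sudo record of the grep itself: it contains "sshd",
# so a plain `grep sshd` matches it, but it is not an sshd login event.
make_sample_log() {
    cat <<'EOF'
Aug 12 09:14:03 box sshd[2211]: Accepted password for alice from 192.168.1.20 port 51234 ssh2
Aug 12 09:20:41 box sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Aug 12 09:20:44 box sshd[2240]: Failed password for root from 203.0.113.7 port 40022 ssh2
Aug 12 17:02:10 box sshd[3102]: Accepted publickey for alice from 198.51.100.9 port 60100 ssh2
Aug 12 17:05:00 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/grep sshd /var/log/auth.log
EOF
}

# Read log text on stdin and print "<address> accepted=<n> failed=<n>"
# for every source address, sorted. Only lines written by the sshd process
# itself are counted.
summarize_sshd() {
    awk '
        / sshd\[[0-9]+\]: (Accepted|Failed) / {
            result = ($6 == "Accepted") ? "ok" : "bad"
            addr = ""
            # The address is the field that follows the last "from".
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { addr = $i; break }
            if (addr == "") next
            seen[addr] = 1
            count[addr, result]++
        }
        END {
            for (a in seen)
                printf "%s accepted=%d failed=%d\n", a, count[a, "ok"], count[a, "bad"]
        }
    ' | LC_ALL=C sort
}

# Total failed logins in the log on stdin. If this stays at 0 right after a
# deliberate failed login, the event never reached the file being read.
failed_total() {
    summarize_sshd | awk '{ split($3, f, "="); n += f[2] } END { print n + 0 }'
}

# Demo on the constructed sample; on a real system feed it the log instead:
#   sudo cat /var/log/auth.log | summarize_sshd
make_sample_log | summarize_sshd
```
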

  6. #6
    Join Date
    Feb 2008
    Location
    US
    Beans
    2,782
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: is a lack of hack attempts a problem

    Okay, that looks good. I tried remoting in as root and it was caught in my logs. Thanks.

  7. #7
    Join Date
    Mar 2008
    Beans
    1,755

    Re: [SOLVED] is a lack of hack attempts a problem

    There shouldn't be any need to log in as root on a Debian-based OS.