
Thread: Is There A Solution for Hackers?

  1. #1
    Join Date
    Dec 2007
    Location
    Austin, Texas USA
    Beans
    250
    Distro
    Ubuntu

    Is There A Solution for Hackers?

    I recently got to check my auth.log file on one of my servers (which is a Xen/virtual server running Ubuntu 7.04 Feisty) that is the root server for other virtual/Xen servers, one of which is our company's web server, and I noticed there have been several attempts at breaking in!

    I am a newbie in Linux and wondered if there are any files where I could put these IP addresses in a blacklist so they can't even connect, let alone try to log in?
    (I would really like to have a script where if any IP address tried 3 times to get in and failed, then their IP would automatically go in that file (the *hit-list file)!? But I know that is a little too much... for now I'll be happy with any info...)



    The log file states the same IP addresses and several names (including root) trying to hack in and that has us worried as to what if the idiots get in?

    I know it is not so easy... especially after I ran the recent updates I can't log in as root myself via ssh any more and have to log in as another user then su, or log in to the master server then do an xm console to the server I want to log in to, and only then can I get in.

    Still, it looks like someone is running a script and taking a guess at the names of users and passwords...

    I have a difficult password installed (not any word in dictionary or anything just a long, random alphanumeric password)...


    My other question is, is there anything I can do to get rid of these hackers?

    Look at this idiot, please:
    (just a couple of lines from 100s of lines in that log file):

    Sep 1 04:37:21 tyr sshd[32765]: Failed password for invalid user gerbertus from 79.187.241.62 port 29389 ssh2
    Sep 1 04:37:25 tyr sshd[344]: Invalid user hupertus from 79.187.241.62
    Sep 1 05:09:32 tyr sshd[18848]: Failed password for invalid user max from 79.187.241.62 port 15211 ssh2
    Sep 1 05:09:36 tyr sshd[18896]: Invalid user maximilian from 79.187.241.62
    Sep 1 05:09:36 tyr sshd[18896]: (pam_unix) check pass; user unknown



    or this one:

    Sep 1 13:53:20 tyr sshd[25487]: Failed password for root from 82.179.130.135 port 54748 ssh2
    Sep 1 13:53:20 tyr sshd[25519]: Invalid user sbin from 82.179.130.135
    Sep 1 13:53:20 tyr sshd[25519]: (pam_unix) check pass; user unknown
    Sep 1 13:53:20 tyr sshd[25519]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=unixway.tversu.ru
    Sep 1 13:53:22 tyr sshd[25519]: Failed password for invalid user sbin from 82.179.130.135 port 55187 ssh2
    Sep 1 13:53:23 tyr sshd[25545]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=unixway.tversu.ru user=root


    and at least 3 more IP addresses since Aug 29th (2008) from different parts of the world...


    Thank You!
    Last edited by matey3; September 1st, 2008 at 02:09 PM.

  2. #2
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    237
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: Is There A Solution for Hackers?

    You can use denyhosts to block the IP after x failed attempts:

    http://www.ubuntugeek.com/securing-ssh.html
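
Added example, not part of the original post and not denyhosts' own code: a minimal Python sketch of the "block after x failed attempts" idea, counting `Failed password` lines in the auth.log format shown in the thread and producing `/etc/hosts.deny` entries of the form `sshd: <address>`. The function names, the allowlist parameter and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches sshd "Failed password" lines in the format shown in the thread.
# The pattern is anchored at the end of the line so that a user name that
# itself contains "from <address>" cannot make the parser pick a wrong address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failed_counts(lines):
    """Count failed password attempts per source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts

def deny_entries(lines, threshold=3, allowlist=()):
    """Return hosts.deny lines for addresses at or above the threshold.

    Addresses in allowlist (for example your own) are never listed,
    so a typo in your own password cannot lock you out.
    """
    counts = failed_counts(lines)
    return [
        f"sshd: {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowlist
    ]

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE_LOG = """\
Sep 1 04:37:21 tyr sshd[32765]: Failed password for invalid user alice from 203.0.113.7 port 29389 ssh2
Sep 1 04:37:25 tyr sshd[344]: Invalid user bob from 203.0.113.7
Sep 1 04:37:27 tyr sshd[344]: Failed password for invalid user bob from 203.0.113.7 port 29391 ssh2
Sep 1 04:37:30 tyr sshd[350]: Failed password for root from 203.0.113.7 port 29395 ssh2
Sep 1 05:10:02 tyr sshd[400]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.9 port 4000 ssh2
Sep 1 05:12:00 tyr sshd[410]: Failed password for admin from 192.0.2.10 port 5000 ssh2
Sep 1 05:12:03 tyr sshd[411]: Failed password for admin from 192.0.2.10 port 5001 ssh2
Sep 1 05:12:06 tyr sshd[412]: Failed password for admin from 192.0.2.10 port 5002 ssh2
""".splitlines()

if __name__ == "__main__":
    for entry in deny_entries(SAMPLE_LOG, allowlist={"192.0.2.10"}):
        print(entry)
```

Only `Failed password` lines are counted; the accompanying `Invalid user` and `pam_unix` lines describe the same attempt and would otherwise inflate the count.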

  3. #3
    Join Date
    Apr 2007
    Location
    Belgium
    Beans
    1,528

    Re: Is There A Solution for Hackers?

    You could also change the port the ssh server listens to for incoming connections. Most of these attacks are only scripts that target port 22 (the default ssh port).
    Disclaimer: I am currently suffering from severe CSD (Compulsive Sarcasm Disorder).
    My Site | Linux User #452328 | Running Arch Linux on Sony Vaio VGN-SZ61XN/C since October 2008

  4. #4
    Join Date
    Dec 2007
    Location
    Austin, Texas USA
    Beans
    250
    Distro
    Ubuntu

    Re: Is There A Solution for Hackers?

    Quote: Originally Posted by yaztromo
    You can use denyhosts to block the IP after x failed attempts:

    http://www.ubuntugeek.com/securing-ssh.html
    Thank You for the link...

    I was wondering about that file myself but I could not find a clear example on Google yet!? I am not sure how the IP addresses go in that .deny file? Many people suggested using a firewall but I have not had a very good experience with firewalls before and I don't want to lock myself out lol..
    Thanks for the reply !


    Quote: Originally Posted by Nepherte
    You could also change the port the ssh server listens to for incoming connections. Most of these attacks are only scripts that target port 22 (the default ssh port).
    Thanks very much for the suggestion. You are right because I saw the port 22 in that log file.
    I appreciate your reply as well!
    Last edited by matey3; September 1st, 2008 at 04:18 PM.

  5. #5
    Join Date
    Nov 2007
    Location
    South African in London
    Beans
    1,092
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Is There A Solution for Hackers?

    You could also set up a VPN, and refuse any connections not going through that VPN.

  6. #6
    Join Date
    Aug 2008
    Location
    Lisbon, Portugal
    Beans
    101
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Is There A Solution for Hackers?

    Just changing the SSH port will dramatically decrease hacking attempts to 0%.

    I had an ssh server running for one day with the default port and had, like, 90 attempts, which is insane. After I changed the port to a higher one, the server has been running for about half a year, and still no attempts.

  7. #7
    Join Date
    Nov 2007
    Location
    South African in London
    Beans
    1,092
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Is There A Solution for Hackers?

    Quote: Originally Posted by rogeriopvl
    Just changing the SSH port will dramatically decrease hacking attempts to 0%.

    Decrease yes, 0% no

  8. #8
    Join Date
    Aug 2008
    Location
    Lisbon, Portugal
    Beans
    101
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Is There A Solution for Hackers?

    Quote: Originally Posted by mellowd
    Decrease yes, 0% no
    Well, that's the experience I had with my personal server. So far it is 0%.

    I never had that experience with big servers because changing the SSH port was out of the question.

  9. #9
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is There A Solution for Hackers?

    Just install denyhosts and you should be fine. Unless you have a weak password on a user called root, the script attacks won't do anything but fill your logs. I really wouldn't worry with it.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  10. #10
    Join Date
    Jan 2008
    Location
    /dev/null
    Beans
    2,793
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Is There A Solution for Hackers?

    Quote: Originally Posted by Dr Small
    Just install denyhosts and you should be fine. Unless you have a weak password on a user called root, the script attacks won't do anything but fill your logs. I really wouldn't worry with it.
    +1
    Denyhosts and a strong password is rock solid. If you are even more paranoid, go with public key auth, and allow authorized ssh users only.
