Re: Xubuntu 12.04/64, OpenSSH Server Hacked
Adding a small clarification: AV in general is awesome at finding malware we know about, but it completely sucks at finding customized or modified malware. Since we've pretty well established that your little Romanian hacker is not the kind of guy that rolls his own 0-days, the odds are high that AV will find some of what he dropped.
Re: Xubuntu 12.04/64, OpenSSH Server Hacked
Quote: Originally Posted by brokenhachi
+1 for this. I'm a huge fan of malwarebytes and clamav. Also, the Kaspersky rescue disk is great for offline scanning (i.e. live CD). If you don't know it, this is a great little GUI for iptables based firewalls (among others):
http://www.fwbuilder.org/
Personally, I would rather someone learn about iptables and what the various rules do than use a wizard to build rules.
This is a good start, if you want to learn about iptables:
http://bodhizazen.net/Tutorials/iptables
I use CSF on my VPSes, but plain iptables on my home server, so take that for what it's worth. ;)
Re: Xubuntu 12.04/64, OpenSSH Server Hacked
You need to take a look at everything on your network. Game machines, smart TVs, and pretty much anything that has a network presence is theoretically hackable.
If you open a port on your firewall, it should be restricted to exactly one place in your network, and if possible change the port to a non-default port above 5000.
Frankly I would put a second firewall in, leave all your game machines and TV sets, and your game server on the DMZ and put everything else behind the second firewall. Don't allow anything at all to initiate a connection to the inside network, everything should come from inside.
Then start reading here: https://wiki.ubuntu.com/BasicSecurity
Re: Xubuntu 12.04/64, OpenSSH Server Hacked
It is most likely my router that has a security problem that has been used to get through to the OpenSSH server. After all it is made by one of the large companies that have given the NSA a back door, and surely one that over time gets shared with common hackers too.
It seems like I have been lucky after all, as it seems that an inexperienced one from Romania succeeded and tried to gain Bitcoins. In the log there are lots of attempts from all over China and some from Mexico and Washington (US), so there may have been many hackers that tried. And yes, I do not have any log of his successful login as he deleted auth.
My BIG mistake was to install OpenSSH server without IP range limits, or simply local IP access only. SSH is uninstalled and will not be installed again unless I really need it, and only after I have gone through the security of the program and my network. So yes, my SSD was open to my local LAN and was exposed to any "leak" in my router...
At the moment I am searching through the server for files that should not be there, on the system SSD and on the network shares on the 3T HDD, but that takes some time to get through. A reinstall needs some hours of work that I do not have at the moment...
Thanks everyone for the advice!
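After a compromise like the one described in this post, the first thing worth doing is summarising whatever sshd logging survives, so you can see which source addresses hammered the server and whether any login actually succeeded from outside the LAN. The script below is an added example and is not code from this thread; it works on the standard "Failed password" / "Accepted ..." lines sshd writes to /var/log/auth.log on Ubuntu, and the sample log lines, hostname, usernames and IP addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd activity in an auth.log
# so you can see which source addresses hammered the server and which logins
# actually succeeded from outside the LAN. The log lines below are constructed.
SAMPLE_AUTH_LOG='Sep 10 03:12:01 server sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 10 03:12:04 server sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 10 03:12:09 server sshd[2214]: Failed password for invalid user admin from 198.51.100.23 port 40011 ssh2
Sep 10 03:13:30 server sshd[2220]: Accepted password for minecraft from 203.0.113.7 port 51101 ssh2
Sep 10 08:00:12 server sshd[2301]: Accepted publickey for anders from 192.168.1.20 port 54210 ssh2
Sep 10 08:01:45 server sshd[2305]: Failed password for anders from 192.168.1.20 port 54300 ssh2'

# Failed password attempts per source IP, most active first: "count ip".
failed_by_ip() {
    awk '/sshd\[/ && /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
        }
        END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# Successful logins: "user ip", one per line.
accepted_logins() {
    awk '/sshd\[/ && /Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
            }
            print user, ip
        }'
}

# Successful logins whose source does not start with the given LAN prefix,
# e.g. flag_non_lan_logins 192.168.1.  -> only logins that came from outside.
flag_non_lan_logins() {
    accepted_logins | awk -v pfx="$1" 'index($2, pfx) != 1'
}

# Stand-alone demo on the constructed sample; on a real machine use
#   failed_by_ip < /var/log/auth.log
#   flag_non_lan_logins 192.168.1. < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_non_lan_logins 192.168.1.
```

Feed the rotated files too (auth.log.1, and the auth.log.*.gz ones via zcat), since an attacker who wipes the current auth.log often leaves the older ones alone. On the sample, failed_by_ip ranks 203.0.113.7 first and flag_non_lan_logins reports the one accepted login that did not come from the 192.168.1. range.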
Re: Xubuntu 12.04/64, OpenSSH Server Hacked
I doubt this person got thru to your server from another local machine because the IP address is not a private one, and unless all the machines on your network are using public IPs, that isn't possible.
More likely the server was placed in the DMZ or port forwarding placed the port SSH uses outside the firewall on the router. With that being said, I use keys for public access to my server but I sometimes use passwords for local access, especially if I am running a VM or something and I need to pull files from my server.
In my case, I have set up iptables to whitelist a few specific IP addresses to let thru the firewall and connect. Everything else gets dropped.
Re: Xubuntu 12.04/64, OpenSSH Server Hacked
I agree, with many logged SSH attempts from public IPs it is 100% sure he got through directly from the Internet.
But still, there is no possibility to connect my Linux server directly to the Internet: the ADSL router has four RJ45 network sockets, all inside the firewall, and the only other connections are the telephone line and power. One Ethernet cable goes from the router into a 1G switch that then feeds the server and everything else online, through several switches around the house. So it is not possible to expose the server to the Internet without a firewall (other than switching it off in the router's web interface, which is closed to external IPs).
My router's firewall has always been enabled, and only ports 9987 and 25565 have been opened to the server. Since he still got in with a public IP on port 22, he must have used a weakness in the router. Hacking my Hamachi VPN is hardly possible, and if so, the IP would have started with 25.x.x.x (or 5).
So this is really not a "Linux problem" at all, but more that I started to use SSH (even though I did not really need it) without making sure my SSH filtering configuration was safe.
When I reinstall my server I will consider installing a firewall on it.
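Two posts in this thread point at the same host-level control: the earlier one that whitelists a few specific IP addresses in iptables and drops everything else, and this one that plans to put a firewall on the server itself. The script below is an added example, not code from the thread or from any of its posters: it prints the iptables commands for an SSH allowlist rather than running them, so you can read them before applying. The port number and the addresses passed to it (192.168.1.0/24, 203.0.113.5) are placeholders to replace with your own LAN range and any trusted public address.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables commands that allow
# SSH only from an explicit list of source addresses/ranges, log whatever else
# knocks on the port, and drop it. It only prints; apply as root with
#   ssh_allowlist_rules 22 192.168.1.0/24 | sh
# Port and addresses are placeholders to substitute for your own network.
ssh_allowlist_rules() {
    port="$1"
    shift
    # Packets of sessions already in progress keep flowing, so applying the
    # rules over an existing SSH session does not cut you off.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # One ACCEPT per allowed source: a LAN range or a single trusted public IP.
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited kernel log of everything else, so probes from unknown
    # addresses leave a trace in kern.log even if auth.log is wiped later.
    echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"SSH-DROP: \""
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Stand-alone demo: show the ruleset for port 22, the LAN, and one trusted host.
ssh_allowlist_rules 22 192.168.1.0/24 203.0.113.5
```

If your INPUT chain already starts with a generic `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, the first line is redundant and can be dropped. The same allowlist can be enforced a second time inside sshd itself with `AllowUsers youruser@192.168.1.*` in sshd_config, so that a hole in the router (the suspicion in this thread) still leaves the daemon refusing logins from anywhere but the LAN; and a rule like this only makes sense if the router does not forward port 22 at all, which is where the thread's port 9987 and 25565 forwards belong instead.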