Koozali.org: home of the SME Server

Guessing passwords

alejandro

Guessing passwords
« on: November 07, 2005, 05:11:03 PM »
So says my logs:
..........
Nov  7 02:40:53 server sshd[10033]: Illegal user test from 218.108.231.72
Nov  7 02:41:02 server sshd[10035]: Illegal user guest from 218.108.231.72
Nov  7 02:41:07 server sshd[10042]: Illegal user webmaster from 218.108.231.72
Nov  7 02:41:23 server sshd[10046]: Illegal user oracle from 218.108.231.72
Nov  7 02:41:29 server sshd[10048]: Illegal user library from 218.108.231.72
Nov  7 02:41:36 server sshd[10050]: Illegal user info from 218.108.231.72
Nov  7 02:41:44 server sshd[10052]: Illegal user shell from 218.108.231.72
Nov  7 02:41:50 server sshd[10054]: Illegal user linux from 218.108.231.72
Nov  7 02:41:57 server sshd[10056]: Illegal user unix from 218.108.231.72
Nov  7 02:42:06 server sshd[10063]: Illegal user webadmin from 218.108.231.72
Nov  7 02:42:19 server sshd[10067]: Illegal user test from 218.108.231.72......
... many many lines like this
so somebody is trying to get in.
Turning off ssh is of course the first option, strong passwords are a must also,
but it could be a good security measure to try to block an IP address for a while after a few failed login attempts, to prevent this. Seems to be a robot trying a list of names against my server.
Any ideas?
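
The temporary block asked about above, sketched as an added example that is not part of the original post: it counts unknown-user attempts per source address in a sliding window and reports when a block would start and end. The thresholds, the function name and the 192.0.2.10 log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the first six lines reuse the excerpt quoted in the post;
# the 192.0.2.10 lines are invented (a user mistyping a name, then logging in).
SAMPLE_LOG = """\
Nov  7 02:40:53 server sshd[10033]: Illegal user test from 218.108.231.72
Nov  7 02:41:02 server sshd[10035]: Illegal user guest from 218.108.231.72
Nov  7 02:41:07 server sshd[10042]: Illegal user webmaster from 218.108.231.72
Nov  7 02:41:23 server sshd[10046]: Illegal user oracle from 218.108.231.72
Nov  7 02:41:29 server sshd[10048]: Illegal user library from 218.108.231.72
Nov  7 02:41:36 server sshd[10050]: Illegal user info from 218.108.231.72
Nov  7 09:15:02 server sshd[11200]: Illegal user alejandr from 192.0.2.10
Nov  7 09:15:40 server sshd[11204]: Accepted password for alejandro from 192.0.2.10 port 50022 ssh2
"""

# "Illegal user" is the wording in the excerpt; newer OpenSSH logs "Invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def find_offenders(lines, threshold=5, window=timedelta(minutes=2),
                   block_for=timedelta(minutes=30), year=2005):
    """Return {ip: (blocked_from, blocked_until)} for sources that make
    `threshold` unknown-user attempts within `window`. Syslog lines carry
    no year, so `year` is supplied by the caller (assumption)."""
    recent = defaultdict(deque)           # ip -> attempt times still inside window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # successful logins, other daemons, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:  # drop attempts older than the window
            attempts.popleft()
        if len(attempts) >= threshold and m["ip"] not in blocked:
            blocked[m["ip"]] = (ts, ts + block_for)
    return blocked

if __name__ == "__main__":
    for ip, (start, end) in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: block from {start} until {end}")
```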

alex_kain

Guessing passwords
« Reply #1 on: November 07, 2005, 06:44:14 PM »
Namesake from Mendoza: You can use the snort, acid and guardian systems in combination. Snort is an IDS (Intrusion Detection System) that detects who is trying to "intrude" on your server, acid gives you web-page reports of the intrusion attempts, and guardian denies access to the offending IP for 24 hours.
If this could be useful to you, reply and I will send you the links to download them and a howto for installing them.

Greetings from San Rafael in the south of Mendoza

Alex_Kain

alejandro

Namesake
« Reply #2 on: November 07, 2005, 11:07:53 PM »
Please!
It would be very useful to me; I had snort installed some time ago, but only for monitoring.
Many thanks

Franco

Guessing passwords
« Reply #3 on: November 08, 2005, 01:37:41 AM »
I would love to see a how-to too.
I would really like a how-to  :-D

alex_kain

Guessing passwords
« Reply #4 on: November 08, 2005, 02:50:35 PM »
In the first link you have the downloads; in the second, the downloads and a howto.

http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/snort/
http://mirror.contribs.org/smeserver/contribs/star/mitel/contrib/snort/


Good luck

Franco

Guessing passwords
« Reply #5 on: November 11, 2005, 10:56:51 PM »
Great, do they work on 6.01?

egerards

Guessing passwords
« Reply #6 on: November 11, 2005, 11:17:35 PM »
On my server I also noticed frequent ssh hack attempts. What I did to minimize the risk of an actual hack is to disable username/password logins (adjust /etc/ssh/sshd_config and restart sshd) and switch to the use of ssh key pairs.

The only way you can ssh to my server is when you have a private key which uniquely matches with a public key that is stored in ~ACCOUNT/.ssh/authorized_keys .

If someone wants to know more details, please let me know.
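
A check for the change described in the reply above, as an added example that is not part of the original post: it reads an sshd_config and reports whether password logins are still possible. The two sample configs and the function names are constructed for illustration; keyboard-interactive is checked as well because, with PAM, it can still prompt for a password.

```python
import re

# Constructed samples (not taken from the thread or from any real server).
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# sshd keeps the first value it reads, so this later line has no effect:
PasswordAuthentication yes
"""

# Upstream OpenSSH defaults when a keyword is absent (a distribution may differ).
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Newer OpenSSH prefers this name for the same switch; treated as one option here.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_settings(config_text):
    """Resolve the global auth settings the way sshd does: keywords are
    case-insensitive and the first value obtained for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                      # conditional blocks are not evaluated here
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """Return a list of findings; an empty list means key-only logins."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings
```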

Franco

Guessing passwords
« Reply #7 on: November 11, 2005, 11:28:39 PM »
Oh yes,
How-to's always welcomed ;-)

alejandro

Guessing passwords
« Reply #8 on: November 12, 2005, 02:17:55 PM »
(about snort-acid-guardian) It seems not to be working (sme 6.0.1)
so Egerards, I'll wait for your help
Thanks in advance

chris burnat

Guessing passwords
« Reply #9 on: November 14, 2005, 12:33:44 AM »
"Turning off ssh is of course the first option, strong passwords are a must also, but it could be a good security measure to try to block an IP address for a while after a few failed login attempts, to prevent this. Seems to be a robot trying a list of names against my server.
Any ideas?"

If you do not want to implement the use of ssh key pairs, you could move the ssh port to a high port, say 2233 or whatever. I have found that this will quieten your logs very effectively. Doing a scan on the box will show the high port as "open", however, it is not identified as SSH - robots to date are flying blind on this one.... Good passwords are a must.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

gordonr

Guessing passwords
« Reply #10 on: November 14, 2005, 01:11:12 AM »
Quote from: "burnat"

If you do not want to implement the use of ssh key pairs, you could move the ssh port to a high port, say 2233 or whatever. I have found that this will quieten your logs very effectively. Doing a scan on the box will show the high port as "open", however, it is not identified as SSH - robots to date are flying blind on this one.... Good passwords are a must.


IMO, SSH public keys are a must. Moving the port doesn't add significant additional security - the bots will get more sophisticated.
............

alejandro

Thanks
« Reply #11 on: November 14, 2005, 01:22:28 AM »
Many thanks to all of you for all the help.
It makes it easier for me to decide.
I think public/private keys should be enough with strong passwords.