Koozali.org: home of the SME Server

No Access to my SME-Server

Offline lucaegloff

Re: No Access to my SME-Server
« Reply #30 on: March 03, 2014, 03:03:11 PM »
Hi again  :D

Did I say something wrong, or can nobody help me?  :sad:

Greetings
Luca

Offline lucaegloff

Re: No Access to my SME-Server
« Reply #31 on: March 03, 2014, 06:30:03 PM »
Hi

From an older log file of the sshd I copied this:

@4000000051b4243138b4edfc reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b424340dd684c4 Failed password for root from 183.82.140.11 port 58688 ssh2
@4000000051b42434185d53dc Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4243529b2ef34 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b424372afb9bd4 Failed password for root from 183.82.140.11 port 58771 ssh2
@4000000051b424373515be9c Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b424390b1eac0c reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4243b19387584 Failed password for root from 183.82.140.11 port 58854 ssh2
@4000000051b4243b2356c69c Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4243c3527ac74 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4243e2878c184 Failed password for root from 183.82.140.11 port 58933 ssh2
@4000000051b4243e32aef3e4 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b424400a03cdfc reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4244129d9208c Failed password for root from 183.82.140.11 port 59004 ssh2
@4000000051b4244134294f44 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4244309cd7004 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b424450641e3fc Failed password for root from 183.82.140.11 port 59071 ssh2
@4000000051b4244510684b64 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4244621c170fc reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4244822fea034 Failed password for root from 183.82.140.11 port 59144 ssh2
@4000000051b424482d132194 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4244a041f07e4 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4244c126c1274 Failed password for root from 183.82.140.11 port 59215 ssh2
@4000000051b4244c1cbd46e4 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4244d2ff853ac reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4244f2f170fb4 Failed password for root from 183.82.140.11 port 59296 ssh2
@4000000051b4244f396b3224 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b424510ec7e5bc reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b424532e7cbfcc Failed password for root from 183.82.140.11 port 59361 ssh2
@4000000051b42453389874ec Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b424550e8a9e3c reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b42457136eb564 Failed password for root from 183.82.140.11 port 59442 ssh2
@4000000051b424571d907d34 Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4245910079d64 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4245b0e0f4fd4 Failed password for root from 183.82.140.11 port 59517 ssh2
@4000000051b4245b187e495c Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b4245c2908d83c Invalid user  from 183.82.140.11
@4000000051b4245c291a8794 reverse mapping checking getaddrinfo for ras.beamtele.net failed - POSSIBLE BREAK-IN ATTEMPT!
@4000000051b4245c291cdd3c input_userauth_request: invalid user
@4000000051b4245c33254cc4 Failed none for invalid user  from 183.82.140.11 port 59601 ssh2
@4000000051b4245d019981fc Received disconnect from 183.82.140.11: 11: Bye Bye
@4000000051b43a641962e8b4 Received signal 15; terminating.
@40000000525d726e0e2d3814 Server listening on 192.168.1.44 port 22.
@40000000525d7273015b678c Invalid user lucaegloff from 192.168.1.60
@40000000525d7273016a731c input_userauth_request: invalid user lucaegloff
@40000000525d727b00cb0e6c Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525d7281239a8a44 Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525d728f2f307f6c Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525d728f2f308b24 Disconnecting: Too many authentication failures for lucaegloff
@40000000525d7296170d5824 Invalid user lucaegloff from 192.168.1.60
@40000000525d72961714979c input_userauth_request: invalid user lucaegloff
@40000000525d729d2c8719ec Failed password for invalid user lucaegloff from 192.168.1.60 port 56841 ssh2
@40000000525d72a52c0f694c Failed password for invalid user lucaegloff from 192.168.1.60 port 56841 ssh2
@40000000525d72ad146c89dc Failed password for invalid user lucaegloff from 192.168.1.60 port 56841 ssh2
@40000000525d72ad146c91ac Disconnecting: Too many authentication failures for lucaegloff
@40000000525d72af15ebfa04 Invalid user lucaegloff from 192.168.1.60
@40000000525d72af15fbc114 input_userauth_request: invalid user lucaegloff
@40000000525d72b50158333c Failed password for invalid user lucaegloff from 192.168.1.60 port 56844 ssh2
@40000000525d72b935fa4e54 Failed password for invalid user lucaegloff from 192.168.1.60 port 56844 ssh2
@40000000525d72c53a125734 Failed password for invalid user lucaegloff from 192.168.1.60 port 56844 ssh2
@40000000525d72c53a1262ec Disconnecting: Too many authentication failures for lucaegloff
@40000000525d72c924333c1c Invalid user lucaegloff from 192.168.1.60
@40000000525d72c924431e84 input_userauth_request: invalid user lucaegloff
@40000000525d72cd15f1e5a4 Failed password for invalid user lucaegloff from 192.168.1.60 port 56849 ssh2
@40000000525d72d426479944 Failed password for invalid user lucaegloff from 192.168.1.60 port 56849 ssh2
@40000000525d72d913c46eb4 Failed password for invalid user lucaegloff from 192.168.1.60 port 56849 ssh2
@40000000525d72d913c47684 Disconnecting: Too many authentication failures for lucaegloff
@40000000525e2bea20d5828c Invalid user lucaegloff from 192.168.1.60
@40000000525e2bea20e5ca84 input_userauth_request: invalid user lucaegloff
@40000000525e2bf818e0d3ec Failed none for invalid user lucaegloff from 192.168.1.60 port 58053 ssh2
@40000000525e2c0028957cfc Failed password for invalid user lucaegloff from 192.168.1.60 port 58053 ssh2
@40000000525e2c071f428e4c Failed password for invalid user lucaegloff from 192.168.1.60 port 58053 ssh2
@40000000525e2c071f42961c Disconnecting: Too many authentication failures for lucaegloff
@40000000525e2c173882f8ec Accepted password for root from 192.168.1.60 port 58054 ssh2
@40000000525e2c8137348f8c Received disconnect from 192.168.1.60: 11: disconnected by user
@40000000525e2c910fd07c1c Failed password for admin from 192.168.1.60 port 58075 ssh2
@40000000525e2c9f1a0dedf4 Accepted password for admin from 192.168.1.60 port 58075 ssh2
@40000000525e2d533542356c Server listening on 192.168.1.44 port 22.

Seems as if someone has done some damage to my system ...
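
The sshd log above is stamped by multilog with TAI64N labels. As an added example (not part of the original post or of SME Server), the following Python decodes those labels and tallies failed and accepted logins per source address, recording how many failures preceded each accepted login; the function names and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# multilog stamps each line with a TAI64N label: '@', 16 hex digits of seconds
# (daemontools writes Unix time + 2**62 + 10), then 8 hex digits of nanoseconds.
TAI_OFFSET = (1 << 62) + 10
LINE = re.compile(r"^@([0-9a-f]{24}) (.*)$")
# The user name can be empty, as in "Failed none for invalid user  from ...".
AUTH = re.compile(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S*) from (\S+) port \d+")

def tai64n_to_unix(label):
    # label: the 24 hex digits that follow '@'
    return int(label[:16], 16) - TAI_OFFSET + int(label[16:], 16) / 1e9

def summarize(lines):
    """Per source address: failures, accepted logins, first and last time seen."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": [], "first": None, "last": None})
    for line in lines:
        m = LINE.match(line.strip())
        auth = AUTH.match(m.group(2)) if m else None
        if not auth:
            continue  # unstamped line, disconnect, reverse-mapping notice, ...
        result, user, src = auth.groups()
        s, ts = stats[src], tai64n_to_unix(m.group(1))
        s["first"], s["last"] = (ts if s["first"] is None else s["first"]), ts
        if result == "Failed":
            s["failed"] += 1
        else:  # remember how many failures preceded this successful login
            s["accepted"].append((user, s["failed"]))
    return dict(stats)

def accepted_after_failures(stats, threshold=3):
    """Sources where a login succeeded after at least `threshold` failures."""
    return sorted(a for a, s in stats.items() if any(n >= threshold for _, n in s["accepted"]))

# Lines excerpted from the sshd log quoted in the post above.
SAMPLE = """\
@4000000051b424340dd684c4 Failed password for root from 183.82.140.11 port 58688 ssh2
@4000000051b4245c33254cc4 Failed none for invalid user  from 183.82.140.11 port 59601 ssh2
@40000000525d727b00cb0e6c Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525d7281239a8a44 Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525d728f2f307f6c Failed password for invalid user lucaegloff from 192.168.1.60 port 56840 ssh2
@40000000525e2c173882f8ec Accepted password for root from 192.168.1.60 port 58054 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        when = datetime.fromtimestamp(s["last"], tz=timezone.utc)
        print(src, s["failed"], s["accepted"], "last seen", when.isoformat())
```

Run against a full log, any address returned by `accepted_after_failures` is one whose successful login deserves a closer look.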

Offline lucaegloff

Re: No Access to my SME-Server
« Reply #32 on: March 03, 2014, 06:31:42 PM »
And from the messages log file I copied this:

Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 108: Duplicate column name 'File_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 114: Duplicate column name 'Grant_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 115: Duplicate column name 'Grant_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 116: Duplicate column name 'Grant_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 127: Duplicate column name 'ssl_type'
Mar  3 15:55:32 lupra mysql.init: ERROR 1061 (42000) at line 138: Duplicate key name 'Grantor'
Mar  3 15:55:32 lupra mysql.init: ERROR 1054 (42S22) at line 164: Unknown column 'Type' in 'columns_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 186: Duplicate column name 'type'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 196: Duplicate column name 'Show_db_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 213: Duplicate column name 'max_questions'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 223: Duplicate column name 'Create_tmp_table_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 226: Duplicate column name 'Create_tmp_table_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 320: Duplicate column name 'Create_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 323: Duplicate column name 'Create_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 326: Duplicate column name 'Create_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 332: Duplicate column name 'Show_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 335: Duplicate column name 'Show_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 338: Duplicate column name 'Show_view_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 355: Duplicate column name 'Create_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 358: Duplicate column name 'Create_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 361: Duplicate column name 'Create_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 367: Duplicate column name 'Alter_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 370: Duplicate column name 'Alter_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 373: Duplicate column name 'Alter_routine_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 376: Duplicate column name 'Execute_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 379: Duplicate column name 'Execute_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 392: Duplicate column name 'max_user_connections'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 401: Duplicate column name 'Create_user_priv'
Mar  3 15:55:32 lupra mysql.init: ERROR 1060 (42S21) at line 423: Duplicate column name 'Routine_type'
Mar  3 15:55:33 lupra mysql.init: @hadGrantPriv:=1
Mar  3 15:55:33 lupra mysql.init: 1
Mar  3 15:55:33 lupra last message repeated 4 times
Mar  3 15:55:33 lupra mysql.init: @hadShowDbPriv:=1
Mar  3 15:55:33 lupra mysql.init: 1
Mar  3 15:55:33 lupra last message repeated 4 times
Mar  3 15:55:33 lupra mysql.init: @hadCreateViewPriv:=1
Mar  3 15:55:33 lupra mysql.init: 1
Mar  3 15:55:33 lupra last message repeated 4 times
Mar  3 15:55:33 lupra mysql.init: @hadCreateRoutinePriv:=1
Mar  3 15:55:33 lupra mysql.init: 1
Mar  3 15:55:33 lupra last message repeated 4 times
Mar  3 15:55:33 lupra mysql.init: @hadCreateUserPriv:=1
Mar  3 15:55:33 lupra mysql.init: 1
Mar  3 15:55:33 lupra last message repeated 4 times
Mar  3 15:55:33 lupra mysql.init: waiting for mysqld to restart
Mar  3 15:55:33 lupra noip2[3992]: supra….  was already set to 85….
Mar  3 15:55:35 lupra last message repeated 2 times
Mar  3 15:55:38 lupra esmith::event[4151]: Processing event: local 
Mar  3 15:55:38 lupra esmith::event[4151]: Running event handler: /etc/e-smith/events/actions/generic_template_expand
Mar  3 15:55:38 lupra esmith::event[4151]: expanding /etc/sysconfig/kernel 
Mar  3 15:55:38 lupra esmith::event[4151]: expanding /boot/grub/grub.conf 
Mar  3 15:55:38 lupra esmith::event[4151]: generic_template_expand=action|Event|local|Action|generic_template_expand|Start|1393858538 153826|End|1393858538 665951|Elapsed|0.512125
Mar  3 15:55:38 lupra esmith::event[4151]: Running event handler: /etc/e-smith/events/local/S50clear-pptp-interfaces
Mar  3 15:55:38 lupra esmith::event[4151]: S50clear-pptp-interfaces=action|Event|local|Action|S50clear-pptp-interfaces|Start|1393858538 666213|End|1393858538 726987|Elapsed|0.060774
Mar  3 15:55:38 lupra esmith::event[4151]: Running event handler: /etc/e-smith/events/actions/adjust-services
Mar  3 15:55:38 lupra esmith::event[4151]: adjusting supervised yum (once) 
Mar  3 15:55:38 lupra esmith::event[4151]: adjust-services=action|Event|local|Action|adjust-services|Start|1393858538 727276|End|1393858538 810183|Elapsed|0.082907


I don't know how this was produced. Can anyone help?

Greetings
Luca

Offline lucaegloff

Re: No Access to my SME-Server
« Reply #33 on: March 20, 2014, 11:46:24 AM »
Hi to all

It seems that there was a hacker attack. I couldn't repair the database, so I had to install everything from scratch.
Thanks for your help.
Greetings
Luca

Offline Stefano

Re: No Access to my SME-Server
« Reply #34 on: March 20, 2014, 01:58:18 PM »
Quote from: lucaegloff
Hi to all

It seems that there was a hacker attack. I couldn't repair the database, so I had to install everything from scratch.
Thanks for your help.
Greetings
Luca

In this case you should keep the web apps you expose on the WAN side up to date.

Offline CharlieBrady

Re: No Access to my SME-Server
« Reply #35 on: March 20, 2014, 02:01:11 PM »
Quote from: Stefano
In this case you should keep the web apps you expose on the WAN side up to date.

Disable ssh access whenever possible. Use RSA keys for authentication, in preference to passwords. Use only very good passwords.

Offline Charles2008

Re: No Access to my SME-Server
« Reply #36 on: March 22, 2014, 01:10:37 PM »
I am a bit surprised by this thread.

Here is a user who has concluded that his SME Server has been compromised by a hacker attack.

Isn't security one of the key strengths of SME Server?

lucaegloff - do you have any idea how this breach of your server occurred?
Which apps are you running and are they up-to-date (ref. Stefano's suggestion)? 
Are you using "very good passwords" (ref. CharlieBrady's suggestion)?

Quote from: CharlieBrady on: March 20, 2014, 07:01:11 AM
Disable ssh access whenever possible. Use RSA keys for authentication, in preference to passwords
Charlie, for clarification - are you suggesting that SSH access be disabled totally (WAN and LAN), or only from the WAN side? Also, I am assuming that you are saying that if you have to use SSH from WAN then you strongly suggest RSA keys for authentication.

Is SSH (RSA-key authentication) the most secure/robust option that SME-users now have for remote access?

By the way, I came across this website that explains very well 'password strength' for anyone interested:
https://www.grc.com/passwords.htm
https://www.grc.com/haystack.htm
« Last Edit: March 22, 2014, 01:13:04 PM by Charles2008 »

Offline janet

Re: No Access to my SME-Server
« Reply #37 on: March 22, 2014, 02:03:56 PM »
Charles2008

ssh key access has been recommended standard practice for many many years, see
http://wiki.contribs.org/SSH_Public-Private_Keys
« Last Edit: March 22, 2014, 02:07:16 PM by janet »

Offline CharlieBrady

Re: No Access to my SME-Server
« Reply #38 on: March 22, 2014, 04:24:17 PM »
Quote from: Charles2008
Charlie, for clarification - are you suggesting that SSH access be disabled totally (WAN and LAN), or only from WAN-side.

I am saying *whenever possible*. So disable completely if possible, and disable WAN if that is possible.

Quote from: Charles2008
Isn't security one of the key strengths of SME Server?

Sure it is. But it isn't a magic bullet. If a user enables WAN password-authenticated ssh access with weak passwords then the system will be broken. Ditto if the user installs additional software which has security flaws. Even without those things, it's not perfect. Nobody ever claimed that it was flawless or unbreakable. Sorry to disillusion you.
« Last Edit: March 22, 2014, 04:26:17 PM by CharlieBrady »