[kwlug-disc] server compromised
john at netdirect.ca
Thu May 14 11:37:14 EDT 2009
kwlug-disc-bounces at kwlug.org wrote on 05/14/2009 11:10:27 AM:
> If you want ssh/sftp remote access for a small number of people, disable
> password authentication on their accounts and securely deliver each of
> them a key generated by ssh-keygen Eg.
I'd also recommend you use the "AllowUsers" sshd_config option to
explicitly state who can login. And if you can, restrict firewall access
to port 22.
Password dictionary attacks are common on SSH ports, just check the logs
of any system with ssh exposed to the Internet. We have put throttling in
place to tarpit these attacks and reduce the impact on our logs. IPTables
can be used for it but the rules are a little complicated and can impact
how you interact as well. The throttling works like this: if an IP address
connects more than x times in y minutes, then block access from that IP for
z minutes. Be careful not to choose too small of a number for x/y or
you'll lock yourself out. Don't forget automated SSH connections.
> Detection:
>
> Turn on all logging on the system. Disk space is cheap. Install
> logwatch on all servers and have it send reports to an external e-mail
> account daily. Read the logs and look for anything out of the ordinary,
> especially network activity. Look for numerous failed logon attempts,
> etc.
>
> Here is a snippet of an entertaining log from my home trixbox:
>
> > [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from
> > '"112"<sip:112 at 76.64.107.18>' failed for '212.174.78.60' - No
> > matching peer found
>
> Someone connecting from Turkey wanted to make a free phone call.
My logwatch is sometimes so large it hangs my email client. Do you write
your own logwatch configs to collapse reports (e.g. 212.174.78.60 failed
SIP registration x time(s))?
> You can also install rkhunter - a rootkit hunter and configure it to
> mail daily reports. It does a superficial check if the state of various
> system files have changed. rkhunter would probably be the first thing
> to be hacked by a savvy intruder.
I've recommended tripwire a lot but rarely put it in place myself. It
signs its database of checksums so that changes are recognized and it can
detect changes in any file, binary, config or data.
John Van Ostrand
Net Direct Inc.
CTO, co-CEO
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john at netdirect.ca
Ph: 866-883-1172
ext.5102
Linux Solutions / IBM Hardware
Fx: 519-883-8533
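The two points raised above, collapsing a logwatch report into one line per source address and the "x connections in y minutes, blocked for z minutes" throttle (including the self-lockout caveat for automated SSH jobs), as an added example that is not part of the thread. It is a pure-Python simulation over constructed syslog lines; a real deployment does the blocking with the iptables recent module or a tool like fail2ban. The hostnames, PIDs, the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses and all function names are assumptions of this example.

```python
"""Added example (not from the thread): per-IP log collapsing and a
sliding-window SSH throttle, run over constructed log lines."""
import re
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (syslog style; not taken from a real system).
# 203.0.113.7 is a dictionary attacker, 198.51.100.9 a human admin,
# 192.0.2.20 a backup host that connects once a minute by key.
SAMPLE_LOG = """\
May 14 11:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 14 11:00:03 gw sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 14 11:00:05 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
May 14 11:00:06 gw sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
May 14 11:00:08 gw sshd[2209]: Failed password for root from 203.0.113.7 port 51062 ssh2
May 14 11:00:09 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51070 ssh2
May 14 11:02:00 gw sshd[2220]: Accepted publickey for john from 198.51.100.9 port 40001 ssh2
May 14 11:03:00 gw sshd[2222]: Failed password for john from 198.51.100.9 port 40002 ssh2
May 14 11:04:00 gw asterisk[910]: NOTICE[17157] chan_sip.c: Registration from '"112"<sip:112@76.64.107.18>' failed for '212.174.78.60' - No matching peer found
May 14 11:04:01 gw asterisk[910]: NOTICE[17157] chan_sip.c: Registration from '"112"<sip:112@76.64.107.18>' failed for '212.174.78.60' - No matching peer found
May 14 11:05:00 gw sshd[2230]: Accepted publickey for backup from 192.0.2.20 port 50001 ssh2
May 14 11:06:00 gw sshd[2231]: Accepted publickey for backup from 192.0.2.20 port 50002 ssh2
May 14 11:07:00 gw sshd[2232]: Accepted publickey for backup from 192.0.2.20 port 50003 ssh2
May 14 11:08:00 gw sshd[2233]: Accepted publickey for backup from 192.0.2.20 port 50004 ssh2
May 14 11:09:00 gw sshd[2234]: Accepted publickey for backup from 192.0.2.20 port 50005 ssh2
May 14 11:10:00 gw sshd[2235]: Accepted publickey for backup from 192.0.2.20 port 50006 ssh2
"""

Event = namedtuple("Event", "ts service ip result who")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>sshd|asterisk)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SIP_RE = re.compile(r"Registration from '(?P<account>[^']*)' failed for '(?P<ip>[\d.]+)'")


def parse_events(text, year=2009):
    """Turn sshd and chan_sip log lines into Event tuples (syslog has no year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["prog"] == "sshd":
            s = SSH_RE.match(m["msg"])
            if s:
                events.append(Event(ts, "ssh", s["ip"], s["result"].lower(), s["user"]))
        else:
            s = SIP_RE.search(m["msg"])
            if s:
                events.append(Event(ts, "sip", s["ip"], "failed", s["account"]))
    return events


def collapse(events):
    """Logwatch-style summary: one line per (ip, service, result), busiest first."""
    counts = Counter((e.ip, e.service, e.result) for e in events)
    return [f"{ip} {service} {result} {n} time(s)"
            for (ip, service, result), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def throttle(events, x, y_minutes, z_minutes, allow=frozenset()):
    """Block an IP for z minutes once it opens more than x SSH connections in y minutes.

    Every new SSH connection counts, accepted or not, just as a firewall rule
    keyed on new TCP connections would count it; 'allow' is the safety list for
    your own address and automated jobs so the rule cannot lock you out.
    Returns (ip, blocked_at, blocked_until) for each block decision.
    """
    window = defaultdict(deque)
    blocked_until = {}
    blocks = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.service != "ssh" or e.ip in allow:
            continue
        if e.ip in blocked_until and e.ts < blocked_until[e.ip]:
            continue  # firewall would drop this; it is not counted
        q = window[e.ip]
        q.append(e.ts)
        while q and e.ts - q[0] > timedelta(minutes=y_minutes):
            q.popleft()
        if len(q) > x:
            blocked_until[e.ip] = e.ts + timedelta(minutes=z_minutes)
            blocks.append((e.ip, e.ts, blocked_until[e.ip]))
            q.clear()
    return blocks


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("\n".join(collapse(evs)))
    print("blocked:", throttle(evs, x=5, y_minutes=10, z_minutes=10))
    print("with allow list:", throttle(evs, 5, 10, 10, allow=frozenset({"192.0.2.20"})))
```

With x=5 and y=10 the attacker is blocked on its sixth attempt, but so is the backup host, which is exactly the "don't forget automated SSH connections" trap; the allow list is how you keep such hosts (and the address you administer from) outside the rule.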
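The tripwire idea mentioned above, a checksum database that is itself signed so an intruder cannot silently rewrite it after replacing a binary, as an added example that is not tripwire's code and not part of the thread. A keyed HMAC over the serialized database stands in for tripwire's signed database, the key is assumed to be kept off the monitored host, and the file names, key material and function names are constructed for this example.

```python
"""Added example (not from the thread, not tripwire's code): a minimal
tripwire-style integrity baseline with an HMAC-authenticated database."""
import hashlib
import hmac
import json
import os


def _digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Record digest, size and mode per path; a missing path is recorded as None."""
    db = {}
    for p in paths:
        if not os.path.exists(p):
            db[p] = None
            continue
        st = os.stat(p)
        db[p] = {"sha256": _digest(p), "size": st.st_size, "mode": st.st_mode}
    return db


def seal(db, key):
    """Serialize the database and append an HMAC tag computed with the key."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def unseal(blob, key):
    """Verify the tag before trusting a single byte of the database."""
    body, _, tag = blob.rpartition(b"\n")
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag.decode()):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def check(blob, key, paths):
    """Compare the sealed baseline against the live files: ok/changed/missing/new."""
    base = unseal(blob, key)
    now = snapshot(paths)
    report = []
    for p in sorted(set(base) | set(now)):
        old, new = base.get(p), now.get(p)
        if old == new:
            status = "ok"
        elif new is None:
            status = "missing"
        elif old is None:
            status = "new"
        else:
            status = "changed"
        report.append((p, status))
    return report


def demo():
    """Constructed scenario: baseline three files, then tamper and re-check."""
    import tempfile
    key = b"site-key-kept-offline"  # constructed; in practice never stored on the host
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("sshd_config", "ls", "shadow")]
        for p, data in zip(paths, (b"PasswordAuthentication no\n", b"\x7fELF-bin\n", b"root:*:0:0\n")):
            with open(p, "wb") as f:
                f.write(data)
        blob = seal(snapshot(paths), key)
        clean = check(blob, key, paths)
        # Intruder swaps the binary and deletes a data file.
        with open(paths[1], "wb") as f:
            f.write(b"\x7fELF-trojan\n")
        os.remove(paths[2])
        after = check(blob, key, paths)
        # Intruder re-seals the database to hide the changes, but without the key.
        forged = seal(snapshot(paths), b"guess")
        try:
            unseal(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return {"clean": [s for _, s in clean],
            "after": [s for _, s in after],
            "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The report covers config and data files as well as binaries, which is the property the message credits tripwire with. What the signature buys is that a rootkit which replaces `ls` must also forge the database, and it cannot do that without the key, so keeping that key (and ideally the database) off the host is the part that matters.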