
#1 2010-04-01 01:46:15

wriggary
Member
Registered: 2009-06-30
Posts: 65

possibility of being hacked

Hi, I've had an SSH server set up on my network for a few days.  Within hours, I started to see mass connection attempts from random addresses across the internets.  So, I installed (and thought configured) fail2ban.  Problem solved, I thought.  Either the fail2ban jail rules aren't set up properly or something else went wrong.  I'll look into that later. (definitely going to pubkeys, left password auth available for my brother)

But for right now, I noticed a bunch of connection attempts again, so I stopped the ssh server and tore down the port forward on my DSL modem, so they start bouncing.  Then, I checked ps aux as root, and found nothing out of the ordinary.  So, I checked ss -l and netstat -l, and found something listening on port 1020/tcp and 1009/udp.  I'm not sure about the udp port being a port that's always been listened to, but I'm sure I've never seen port 1020/tcp listening for connections.  I do check ss -l && netstat -l quite often, and I'm sure I've never seen it listening before.

So, I run #netstat -npl to see which process is listening to those ports.  It comes back to something fairly benign, famd.  I've searched for any or all combinations of "exploit and famd and port 1020", with no interesting results.  I checked the wikipedia page, and it at least pointed me to the config file.  local_only is set to false.  Not sure if that was the default setting.  Anyway, I am not using NFS currently, so I set it to true, and restarted famd.  My rpcbind port I did leave open (left netfs in the daemons line of rc.conf, but I did stop it), and now famd is listening on port 705, and rpcbind is still listening.

Long story short, should I be worried? (I've already used chkrootkit, and it came back negative)

EDIT:  installed gamin.  duh....

Last edited by wriggary (2010-04-01 02:11:43)


#2 2010-04-03 16:36:51

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,823

Re: possibility of being hacked

Be afraid, be very afraid.

But seriously: worry yes, panic no.  I always find it entertaining to look at logs when someone tries to brute force passwords on your box.  Anyone who has opened an ssh port on the network can attest to wave after wave of script kiddie bots trying to break in.

fail2ban works great -- it solves the problem very effectively.

Try moving your sshd port to use port 443 (HTTPS).  The kiddies don't seem to bang on it because, most of the time, there is a web server on that port.  I like it also because (1) if you are someplace that offers "Internet access" but blocks all non-www ports you can still get to your machine, and (2) port 443 always carries encrypted data, so ssh packets on that port don't attract the attention of whomever is running the access point.

Every time I read my logs I remember to be paranoid, enforce the use of keys, and use strong passwords.
If you are really paranoid, take a look at tripwire.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2010-04-03 18:47:02

wriggary
Member
Registered: 2009-06-30
Posts: 65

Re: possibility of being hacked

ewaller wrote:

I always find it entertaining to look at logs when someone tries to brute force passwords on your box.

I found it quite amusing as well to see what usernames they were trying.  Mostly, they would use names native to their locale, e.g. Jose, Raul, Jesus on a crack attempt from Ecuador, and Chinese names (both glyphs and romanizations) on one from China, even though my IP correctly geo-locates me down to the correct city in the United States.   That, and does anybody anywhere permit root login anymore?  I must have seen ~1000 attempts for something that isn't on by default for years.

fail2ban works great -- it solves the problem very effectively.

Yes, if you read all of the wiki page.  I had everything set up correctly, except I was still using fam, instead of installing gamin, so it started up correctly, it just couldn't monitor the log files.  Which is kinda the point of fail2ban.

Try moving your sshd port to use port 443 (HTTPS).  The kiddies don't seem to bang on it because, most of the time, there is a web server on that port.  I like it also because (1) if you are someplace that offers "Internet access" but blocks all non-www ports you can still get to your machine, and (2) port 443 always carries encrypted data, so ssh packets on that port don't attract the attention of whomever is running the access point.

Brilliant idea!  (seriously, I've never read of anyone recommending this port before!)  I tried it on a high port for a while, but I wasn't sure it was working, due to the fact that my dsl modem filters NAT redirects, and hadn't had the opportunity to test it from another IP.  Also, must that port be added (or changed) in /etc/services?   I was under the impression that only (x)inetd used that file.  (sshd was added to hosts.allow)

Every time I read my logs I remember to be paranoid, enforce the use of keys, and use strong passwords.
If you are really paranoid, take a look at tripwire.

Well, I'm paranoid to the point that I watch my network status on conky, for any sizable amount of network traffic to be moving when it shouldn't be.  But there is nothing really mission-critical on this machine, besides my music collection.  I reinstalled the yesterday, so if by some miracle someone did make it in, it's been wiped.  Although, now that I think about it, for my account, pubkey was the only auth method, while for my brother, I left password as an auth method until he generated a pubkey.  But his account was totally non-privileged, to the point that he couldn't even see what was in the top level of the other users' folders, so I guess I shouldn't have been that worried.

Anyway, I'll give setting it up on 443 a try.  Thanks for the help.


#4 2010-04-03 22:28:09

pyther
Member
Registered: 2008-01-21
Posts: 1,395

Re: possibility of being hacked

I'm just amazed at the amount of port scanners out there; I've had 147 attacks within the last month or so (this is just a home connection)!


Website - Blog - arch-home
Arch User since March 2005


#5 2010-04-03 22:40:45

pyther
Member
Registered: 2008-01-21
Posts: 1,395

Re: possibility of being hacked

In light of the thread I parsed my log files to get all the attempted usernames: http://paste.pocoo.org/show/197338/


Website - Blog - arch-home
Arch User since March 2005


#6 2010-04-03 22:58:48

wriggary
Member
Registered: 2009-06-30
Posts: 65

Re: possibility of being hacked

That must have been a high quality script/username list they were using... some leftover carriage returns in there (/r)

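Added example, not code from anyone in this thread: a small parser in the spirit of pyther's username extraction in #5, run over constructed sshd auth-log lines (not the posters' real logs). It counts attempted usernames and root attempts, strips stray control characters such as the carriage returns noticed in #6, and applies a fail2ban-style per-IP failure threshold. The threshold value and the log line format (classic syslog sshd messages) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in classic syslog/sshd format (not from the thread's logs).
# The fourth line carries a literal carriage return inside the username, the kind of
# leftover that shows up when a wordlist was saved with DOS line endings.
SAMPLE_LOG = [
    "Apr  1 01:12:03 arch sshd[1234]: Invalid user jose from 192.0.2.10",
    "Apr  1 01:12:05 arch sshd[1234]: Failed password for invalid user jose from 192.0.2.10 port 4422 ssh2",
    "Apr  1 01:12:09 arch sshd[1240]: Failed password for root from 192.0.2.10 port 4423 ssh2",
    "Apr  1 01:12:11 arch sshd[1245]: Failed password for invalid user admin\r from 198.51.100.7 port 3310 ssh2",
    "Apr  1 01:12:14 arch sshd[1247]: Failed password for root from 192.0.2.10 port 4425 ssh2",
    "Apr  1 01:12:15 arch sshd[1250]: Accepted publickey for wriggary from 203.0.113.5 port 5000 ssh2",
]

# Matches the "Failed password for [invalid user] NAME from IP port N" line sshd writes.
# '.' matches '\r', so a username with a stray carriage return is still captured whole.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+?) from (?P<ip>\S+) port \d+"
)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_failures(lines):
    """Return (username, source_ip, had_control_chars) for every failed password login."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other noise are ignored here
        raw = m.group("user")
        clean = CONTROL_RE.sub("", raw)  # never let raw control chars reach a report
        out.append((clean, m.group("ip"), clean != raw))
    return out


def summarize(lines, ban_threshold=3):
    """Aggregate failures per user and per IP; 'would_ban' mimics a fail2ban jail decision."""
    failures = parse_failures(lines)
    per_user = Counter(user for user, _, _ in failures)
    per_ip = Counter(ip for _, ip, _ in failures)
    return {
        "users": per_user,
        "root_attempts": per_user["root"],
        "dirty_usernames": sorted({user for user, _, dirty in failures if dirty}),
        # IPs at or over the threshold are what a jail would hand to the firewall
        "would_ban": sorted(ip for ip, n in per_ip.items() if n >= ban_threshold),
    }
```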

#7 2010-04-04 11:30:25

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: possibility of being hacked

wriggary wrote:

That, and does anybody anywhere permit root login anymore?  I must have seen ~1000 attempts for something that isn't on by default for years.

Yes, people do allow remote root login, even if they don't know about it. Take a peek at most "user friendly" distros that are meant to install and forget and see that it is allowed; some even set up sshd during install. To make it worse, I've seen a case where setting "PermitRootLogin no" is not enough, you need to change another setting; took me a good while to figure that one out.

I have found that blocking access to the ssh port from countries you don't expect to receive connections from does work fine too (as in block anything that doesn't come from your country). Changing the port is also a good way to stop many of the attempts and port 443 is a brilliant idea. However if you have more people accessing the machine it may get a bit complicated (as in some don't even know what ssh is, not to mention saying "hey you need to use port 443 instead").


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
