Gack!  My home PC got cracked earlier in the week!

There was a load of network traffic when there shouldn't have been, so I had a rummage and found loads of short-term ssh connections, all seemingly using one of my spare accounts.  Of course, I immediately shut down the sshd and httpd (Apache) servers just in case, killed off the couple of dozen ‘ssh 150’ (?) processes that were kicking about, and changed the root and spare account (only used for people visiting the house who want to browse the Net) passwords.

The really paranoid suggest rebuilding a box once ssh attacks and the like have happened, but, frankly, life's too short.  I run rkhunter and chkrootkit regularly and nothing seems broken, and the spare account doesn't have access to any personal stuff, so I'm just going to watch out for a while and see.

It's worrying, though;  I run a service called DenyHosts, a Python script that watches for failed logins and immediately blocks the IP address in question for a goodly period, to try to prevent dictionary attacks and the like, but it doesn't seem to have had any more hits than usual.  In retrospect, I suppose I can accept that the spare account's username and password were somewhat guessable, but still.  Anyway, it's changed now.

A couple of things I did do were to limit ssh access to my box to just those users who need it.  I always deny root access.

# /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers  user_a user_b user_c

Another thing I did, after a bit of a rummage on the Net, was enhance my iptables firewall settings;  these have remained pretty much unchanged since I ported them from the original ipchains settings years ago, and there are loads of cool things that iptables can do that I wasn't aware of.

Should you be interested, here's a snippet of the ssh-related part of the config:

# /etc/sysconfig/iptables
# the tables
:internet - [0:0]
:ssh - [0:0]
# Accept localhost and anything else off my trusted LAN
-A INPUT -s me.me.me.0/ -j ACCEPT
# Ethernet or dialup is otherwise 'internet' trust level
-A INPUT -i eth0 -j internet
-A INPUT -i ppp0 -j internet
# Allow anything already established
-A internet -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# And go to special rules for new ssh connections
-A internet -p tcp -m tcp --dport 22 -m state --state NEW -j ssh
#  ... and the rest, blocking most everything
# ssh rules: create a 'recent' bin called SSH
-A ssh -m recent --set --name SSH
# Count packets in the SSH bin, logging any over 3 in one minute
-A ssh -m recent --update --seconds 60 --hitcount 4 --name SSH -j LOG --log-tcp-options --log-ip-options --log-prefix "REJECT RATE_LIMIT "
# ... and then binning them
-A ssh -m recent --update --seconds 60 --hitcount 4 --name SSH -j REJECT --reject-with icmp-port-unreachable
# Any other ssh connection must be OK (I hope)
-A ssh -j ACCEPT

This prevents more than 3 attempts at an ssh connection (valid or invalid) from one IP address in any minute.
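To see how the ssh chain treats a run of connection attempts, here is a small Python model of the 'recent' rules (an added example, not part of the original post or of iptables itself). It assumes the behaviour described in the iptables-extensions man page: --set always records a timestamp, and --update records one only when it matches. The names RecentList, ssh_chain and replay, and the sample addresses, are made up for illustration.

```python
# Simplified model of the 'recent' match as used by the ssh chain above.
# Assumptions: --set always records a timestamp; --update matches when at
# least HITCOUNT timestamps fall inside the last SECONDS, and records
# another timestamp only when it matches. The per-address list is capped
# at 20 entries (the module's default).
from collections import defaultdict, deque

SECONDS, HITCOUNT, MAX_STAMPS = 60, 4, 20

class RecentList:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, ip, now):
        self.stamps[ip].append(now)

    def update(self, ip, now):
        hits = sum(1 for t in self.stamps[ip] if t >= now - SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)   # a match refreshes "last seen"
            return True
        return False

def ssh_chain(recent, ip, now):
    """Verdict for one NEW packet to port 22, walking the chain in order."""
    recent.set(ip, now)          # -m recent --set --name SSH
    recent.update(ip, now)       # LOG rule: non-terminating, but stamps on match
    if recent.update(ip, now):   # REJECT rule
        return "REJECT"
    return "ACCEPT"              # final -j ACCEPT

def replay(events):
    """Run (time_in_seconds, source_ip) events through a fresh SSH list."""
    recent = RecentList()
    return [ssh_chain(recent, ip, t) for t, ip in events]

# Constructed sample using documentation-range addresses.
SAMPLE = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
          (30, "203.0.113.5"), (70, "198.51.100.9"), (85, "203.0.113.5"),
          (150, "203.0.113.5")]

if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:>3}s {ip:<13} {verdict}")
```

In this model the attempt at t=85 is still rejected even though only one earlier attempt (t=30) falls inside the minute, because the rejected attempt at t=30 was itself counted by both --update rules. A source that keeps retrying therefore stays blocked until it has been quiet for a full 60 seconds.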

You should always prefer iptables-restore over a script with lots of iptables commands in it to make the operation more atomic.


About fnx

PSN: the_phoenix

One Response to 0wned

  1. fnx says:

    FWIW, instead of the older syslog-only DenyHosts, I now run Fail2ban (https://www.fail2ban.org/).

    rkhunter seems to have gone, but chkrootkit is still around.
