  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399

Help, I think someone is hacking into my Red Hat 9 firewall

I was hoping someone could help me to find out how to prevent this bit of log file below from happening again,
 --------------------- SSHD Begin ------------------------


SSHD Started: 1 Time(s)

Failed logins from these:
   admin/password from 213.22.23.246: 1 Time(s)
   guest/password from 213.22.23.246: 1 Time(s)
   test/password from 213.22.23.246: 1 Time(s)

**Unmatched Entries**
Illegal user test from 213.22.23.246
Illegal user guest from 213.22.23.246
Illegal user admin from 213.22.23.246
 succeeded

 ---------------------- SSHD End -------------------------

The first thing I have done is add this unknown person's IP address to the hosts.deny file.
Next, could you please tell me the command to find out what new files have been created,
and also how to prevent this from happening again.
This would be most appreciated.
0
Asked: jaxxman
1 Solution
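The logwatch block in the question is a summary of /var/log/secure. The following is an added example, not code from the thread, that triages the raw sshd lines behind such a summary: failed attempts per source address, sources that probed several non-existent usernames (the "Illegal user" scanner pattern above), and accepted logins, so a hit from an attacking address stands out. The log lines are constructed in the OpenSSH 3.x syslog format; hostname "fw", PIDs and timestamps are invented.

```shell
#!/bin/sh
# Added example (not from the original thread): triage of raw sshd log lines
# in the /var/log/secure format that logwatch summarises.

# Constructed sample lines in OpenSSH 3.x syslog format; not real log data.
# Real use: cat /var/log/secure | failed_by_source
sample_secure_log() {
cat <<'EOF'
Mar  4 02:11:07 fw sshd[2231]: Illegal user test from 213.22.23.246
Mar  4 02:11:07 fw sshd[2231]: Failed password for illegal user test from 213.22.23.246 port 4411 ssh2
Mar  4 02:11:09 fw sshd[2233]: Illegal user guest from 213.22.23.246
Mar  4 02:11:09 fw sshd[2233]: Failed password for illegal user guest from 213.22.23.246 port 4412 ssh2
Mar  4 02:11:11 fw sshd[2235]: Illegal user admin from 213.22.23.246
Mar  4 02:11:11 fw sshd[2235]: Failed password for illegal user admin from 213.22.23.246 port 4413 ssh2
Mar  4 08:30:02 fw sshd[2410]: Accepted password for jaxxman from 192.168.1.20 port 1033 ssh2
Mar  4 09:15:44 fw sshd[2502]: Failed password for jaxxman from 192.168.1.20 port 1040 ssh2
EOF
}

# Read log lines on stdin; print "<count> <ip>" for failed password attempts,
# busiest source first.
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Read log lines on stdin; print every source that tried more than $1 distinct
# non-existent usernames ("Illegal user ... from ..."), the classic scanner signature.
illegal_user_scanners() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Illegal user / {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i+1); ip = $(i+3); break }
            key = ip SUBSEP u
            if (!(key in seen)) { seen[key] = 1; users[ip]++ }
        }
        END { for (ip in users) if (users[ip] > t) print ip }
    '
}

# Read log lines on stdin; print "<user> <ip>" for every accepted login, so you
# can confirm none of them came from an address that was also attacking.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "for") { print $(i+1), $(i+3); break }
    }'
}
```

Run the three functions over the real file (`failed_by_source < /var/log/secure`) and compare the accepted-login list with the scanner list; a match between the two, not the failed attempts by themselves, is what indicates a compromise.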
 
bobgunzel commented:
You might try chkrootkit from http://www.chkrootkit.org. Compile it on another computer though.

Bob Gunzel
0
 
jaxxman (author) commented:
I am sorry, I am a newbie to Linux and I don't have another Linux box to compile it on. I could probably compile it on the same computer with a couple of steps if you tell me what the commands are.
Is there not a quick command I can type to find newly created files?

Could I compile chkrootkit on a Windows PC, or get an RPM version?
0
 
marko020397 commented:
If someone breaks into your computer, he usually wants to cover up his presence. Usually programs like ps, top, w, last, ... which show processes or users are altered to hide the intruder.

Use the command "rpm -Va" to check which files installed on your computer were changed and how they were changed. This will not show you newly installed files, but it will show you changed files. It is a pretty good indicator to see if someone uninvited is in your computer. Type "man rpm" for details about it.

Of course the intruder can also replace your rpm program to hide changed files, but this is usually not done. And try "which [command]", for instance "which rpm" or "which ps", to see if the right program is called.

To see if some files were added you could generate a list of all files and check it periodically. You can also use the find command with some of the options amin, atime, anewer, cnewer, ...

For instance "find / -atime 1" should find all the files accessed within the last 24 hours. Again, look at "man find" for details.
0
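The "generate a list of all files and check it periodically" advice above, worked through as an added example that is not code from the thread. It uses only POSIX tools (find, cksum, comm, awk), so unlike "rpm -Va" it does not depend on the rpm binary or the RPM database, both of which an intruder with root can alter. The directory and file names in the usage comment are assumptions. One point of detail on find's day counts: "-atime 1" with no sign matches files accessed between one and two days ago; "-atime -1" (with the minus) is what matches "within the last 24 hours", and the same applies to -mtime and -ctime.

```shell
#!/bin/sh
# Added example, not code from the thread: a file-integrity baseline built from
# POSIX tools only. Take the baseline from a known-clean state, keep a copy off
# the box (the intruder can edit one that lives on the firewall), and diff
# against it periodically.

# Print "<crc> <size> <path>" for every regular file under directory $1.
# (Paths containing spaces are not handled; fine for system directories.)
snapshot() {
    find "$1" -type f -exec cksum {} \; | sort -k3
}

# Write the baseline of directory $1 to file $2.
make_baseline() {
    snapshot "$1" > "$2"
}

# Diff directory $2 against baseline file $1.
# Prints one line per difference: "ADDED <path>", "REMOVED <path>" or "CHANGED <path>".
compare_baseline() {
    base=$1
    dir=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    awk '{ print $3 }' "$base" | sort > "$cur.base_paths"
    awk '{ print $3 }' "$cur"  | sort > "$cur.cur_paths"
    comm -13 "$cur.base_paths" "$cur.cur_paths" | sed 's/^/ADDED /'
    comm -23 "$cur.base_paths" "$cur.cur_paths" | sed 's/^/REMOVED /'
    # Present in both snapshots but with a different checksum or size.
    awk 'NR == FNR { base[$3] = $1 " " $2; next }
         ($3 in base) && base[$3] != ($1 " " $2) { print "CHANGED " $3 }' "$base" "$cur"
    rm -f "$cur" "$cur.base_paths" "$cur.cur_paths"
}

# Regular files under $1 modified (mtime) after baseline file $2 was written.
changed_since_baseline() {
    find "$1" -type f -newer "$2"
}

# Regular files under $1 whose inode changed in the last $2 days, by ctime.
# ctime cannot be set with touch, unlike atime/mtime, so a replaced binary
# that the intruder back-dated still shows up here. Note the sign: "-ctime -1"
# is "less than one day ago"; "-ctime 1" (no sign) is "between one and two days ago".
recent_changes() {
    find "$1" -type f -ctime -"$2"
}

# Typical use on the firewall, baseline kept on a floppy or another host
# (paths are assumptions):
#   make_baseline /usr /mnt/floppy/usr.baseline
#   compare_baseline /mnt/floppy/usr.baseline /usr
#   recent_changes / 1
```

Run `snapshot` from a trusted find and cksum (for instance booted from rescue media) when you suspect the box is already compromised; a baseline taken after the break-in only tells you about the next one.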
 
jaxxman (author) commented:
Thanks for this. I am also going to use chkrootkit; do you use it too?
0
 
jaxxman (author) commented:
I can't download chkrootkit. Where else can I download it?
Can you help me to get it and install it? I have read the install instructions and it looks pretty easy: all I have to do is extract it using the tar command and run the command:
make sense
then to run the program it's:
./chkrootkit


Is this correct?
0
 
admin0 commented:
Apart from chkrootkit, another great tool is Rootkit Hunter (rkhunter) from http://www.rootkit.nl/

Chkrootkit and rkhunter will give you a detailed security summary.

For chkrootkit:
download, extract, change into the directory
make sense ENTER
./chkrootkit   <- to run the app and see the output

For rkhunter:
download, extract, change into the directory
./installer.sh ENTER

rkhunter -c  <- to run the app and see the detailed output.


rkhunter will provide you with many reports!

If you continue to run SSH on port 22, there will always be someone trying to log in and try his luck,
so the best thing is to change the SSH port to something else.

To do that,
log in to the server as root and
edit the file /etc/ssh/sshd_config:

#Port 22
#Protocol 2,1

Change those lines to read

Port 5335
Protocol 2

<- you can replace 5335 with anything that you wish, probably a higher number, e.g. 5555

0
 
admin0 commented:
I forgot to add: after you have made changes to the file, you need to run

/etc/rc.d/init.d/sshd restart

to activate the changes.
Next time you want to log in, use the port that you have specified above.


Cheers,
0
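The sshd_config edit and restart described in the two comments above, as an added example that is not code from the thread. It changes the Port and Protocol lines whether they are live or still commented out, adds PermitRootLogin no (the password guesses in the question targeted guest/test/admin, so the next round will target root), turns the single-address hosts.deny entry from the question into a default-deny tcp_wrappers policy with an allow list, and syntax-checks the file with `sshd -t` before the init script restarts the daemon. Assumptions: Red Hat's sshd, which is built with libwrap; the sample config, the port 5335 and the 192.168.1. network are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotent sshd_config and
# tcp_wrappers edits with a syntax check before restarting sshd.

# Usage: set_directive FILE KEY VALUE
# The first matching line (live or "#"-commented) becomes "KEY VALUE"; any
# further live duplicates are commented out so sshd sees exactly one setting,
# and the directive is appended if the file did not mention it at all.
# Keywords are matched case-insensitively, as sshd itself reads them.
set_directive() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            orig = $0
            line = orig
            commented = (line ~ /^[[:space:]]*#/)
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            n = split(line, w, /[[:space:]]+/)
            if (n > 0 && tolower(w[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                else if (commented) { print orig }
                else { print "#" orig }
                next
            }
            print orig
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage: harden_sshd FILE PORT
harden_sshd() {
    set_directive "$1" Port "$2"
    set_directive "$1" Protocol 2
    set_directive "$1" PermitRootLogin no
}

# Usage: restrict_sshd_wrappers HOSTS_ALLOW HOSTS_DENY NETWORK
# hosts.allow is consulted before hosts.deny, so "sshd: ALL" in hosts.deny
# blocks everyone except the listed network. Denying one attacker's address,
# as in the question, only blocks that one address.
restrict_sshd_wrappers() {
    allow=$1
    deny=$2
    net=$3
    grep -q "^sshd: $net\$" "$allow" 2>/dev/null || echo "sshd: $net" >> "$allow"
    grep -q '^sshd: ALL$' "$deny" 2>/dev/null || echo "sshd: ALL" >> "$deny"
}

# Usage: reload_sshd FILE
# A config that does not parse would leave you without remote access, so
# restart only after `sshd -t` accepts it. Keep your current session open
# until a login on the new port has succeeded.
reload_sshd() {
    if sshd -t -f "$1"; then
        /etc/rc.d/init.d/sshd restart
    else
        echo "sshd_config failed the syntax check; not restarting" >&2
        return 1
    fi
}

# Constructed stand-in for the stock /etc/ssh/sshd_config (a few lines only);
# written to the path given as $1.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
PermitRootLogin yes
X11Forwarding no
EOF
}

# Real use (paths are the Red Hat 9 defaults, the network is a placeholder):
#   harden_sshd /etc/ssh/sshd_config 5335
#   restrict_sshd_wrappers /etc/hosts.allow /etc/hosts.deny 192.168.1.
#   reload_sshd /etc/ssh/sshd_config
```

Moving the port only removes the background noise of scanners that try port 22; it does not stop anyone who port-scans the host first. The allow list and the root-login restriction are what limit the damage of a guessed password.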
 
jaxxman (author) commented:
Thanks
0