Solved

I found someone is trying to hack my Linux server through SSH. What should I do?

Posted on 2005-04-16
Last Modified: 2010-05-18
I was looking through some logs and I found that there were thousands of entries shown with

Failed password for invalid user $user from ::ffff:$ip port $port ssh2
where:
a) $user is a different user name each time
b) $port is a different port each time
c) $ip is the IP address the request came from.

I used some string manipulation commands and found there have been 57 different IPs with these failed password entries. Keep in mind that there is only 1 person other than me who knows the ssh password. With a few more commands I got the count for each IP. The highest one is 1071 and the second highest is 169. The user that tried 1071 times to hack my server must really want in. I have that user's IP. What should I do?

I used whois on the first hacker, who tried 1071 times, and found his ISP is based in Germany. The whois output lists the ISP's email address. Should I contact them? Do you think they would do anything? Is there any way that this is not the real IP? I mean, can the hacker make his IP address look like someone else's?

For the time being I have disabled the port redirect through the firewall. Now the server can only be accessed through ssh in the network.

Any ideas how to handle a situation like this?
Question by:itcdr
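As an added worked example (not part of the original question or any of the answers), here is the per-IP counting the asker describes, written in Python and run over a few constructed log lines in the exact format quoted above. The "::ffff:" prefix is an IPv4-mapped IPv6 address, which sshd emits when it listens on a dual-stack socket, so it is stripped before counting. On the spoofing question: sshd writes this line only after the TCP handshake and the SSH key exchange have completed, so the address in it is the real peer address for all practical purposes; a spoofed source could not complete the handshake. The threshold value is an assumption to tune for your own logs.

```python
import re
from collections import Counter, defaultdict

# Matches the line format quoted in the question. The "::ffff:" prefix is an
# IPv4-mapped IPv6 address (sshd on a dual-stack socket); it is optional so
# plain IPv4 logs parse too. "invalid user" appears only for usernames that
# do not exist on the host, which is why it is optional as well.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) ssh2"
)

# Constructed sample lines (assumed syslog prefix; not taken from the asker's logs).
SAMPLE_LOG = """\
Apr 16 03:12:01 host sshd[4120]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 41822 ssh2
Apr 16 03:12:03 host sshd[4122]: Failed password for invalid user test from ::ffff:192.0.2.10 port 41830 ssh2
Apr 16 03:12:05 host sshd[4124]: Failed password for invalid user oracle from ::ffff:192.0.2.10 port 41841 ssh2
Apr 16 03:15:40 host sshd[4130]: Failed password for root from ::ffff:198.51.100.7 port 50211 ssh2
Apr 16 03:20:12 host sshd[4140]: Accepted password for itcdr from ::ffff:10.0.0.5 port 33001 ssh2
Apr 16 03:21:55 host sshd[4150]: Failed password for invalid user guest from 203.0.113.9 port 60001 ssh2
"""


def parse_failures(log_text):
    """Yield (ip, user, port) for each failed-password line; skip everything else."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), int(m.group("port"))


def summarize(log_text):
    """Count failures per source IP and collect the usernames each IP tried."""
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    for ip, user, _port in parse_failures(log_text):
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
    return per_ip, dict(users_by_ip)


def flag_sources(log_text, threshold=3):
    """Return [(ip, count)] for IPs at or above threshold, busiest first.

    A few failures from one address is ordinary background noise; hundreds of
    failures cycling through usernames is a dictionary attack worth blocking
    at the firewall, which is what the asker ended up doing."""
    per_ip, _ = summarize(log_text)
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    _, users = summarize(SAMPLE_LOG)
    for ip, n in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failures, usernames tried: {sorted(users[ip])}")
```

Run against a real /var/log/auth.log or /var/log/secure by passing the file contents to flag_sources; the usernames set is the useful extra signal, because a single source walking through admin, test, oracle and so on is a scanner, not a colleague who mistyped a password.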
7 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13800312
> What should I do?
nothing if you need ssh for your own login
ensure that you have the newest ssh installed, also check your sshd_config

> Should I contact them?
and then?
can you prove that the IP was not spoofed?

> Any ideas how to handle a situation like this?
you mean the login attempts?
you can do nothing, that's normal noise
just ensure that your server is up-to-date, or close/reject the ports at your firewall
 
LVL 1

Author Comment

by:itcdr
ID: 13801873
Do you know any way that I can prove the IP was not spoofed so I can report him to his ISP?

I did close the ports on the firewall, so we will just use ssh on the intranet.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13802063
the firewall should detect spoofed connections
 
LVL 1

Author Comment

by:itcdr
ID: 13802626
I have a Linksys RV082 Firewall. Do you know how I can check?
 
LVL 2

Accepted Solution

by:
Darshan_Jadav earned 2000 total points
ID: 13804992
These are part of a "script-kit" trying to break in through a weak SSH password, or some worms trying to exploit the same; the best is to tighten your SSH security... I get a lot of them almost every other day. This is a secure SSH config file example:
--------------------------------------------------
Deny Root Login
      PermitRootLogin  no
Uncomment the Protocol line and permit only SSH2
      Protocol  2
Enable Strict Modes, which will check file modes and ownership of users' files and home directory before accepting login
      StrictModes  yes
Disable PublicKey, Rhosts and Host based authentication
      PubkeyAuthentication  no
      RhostsRSAAuthentication  no
      HostbasedAuthentication  no
Do not allow login with empty password strings
      PermitEmptyPasswords  no
Specify Banner file, which will be displayed to users before attempting login
      Banner /etc/issue
----------------------------------------------------------
Add the lines in /etc/hosts, to avoid IP-spoofing

"nospoof on"

Tighten SSH with TCP Wrappers:
You can add parameters in TCP wrappers to give you logging information on attempts made to SSH connection


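As an added example, not code from the answer above, here is a small Python audit that parses an sshd_config and reports every keyword that is absent or differs from a recommended value, using the settings listed in the accepted solution. Absent keywords are reported too, because sshd then falls back to its compiled-in default (PermitRootLogin defaulted to yes in OpenSSH releases of that era). The parser keeps the first occurrence of each keyword, which is what sshd does, so appending a hardened line below an earlier conflicting one silently changes nothing. The RECOMMENDED table and the two config fragments are assumptions constructed for this example; the table deliberately leaves out PubkeyAuthentication, since many deployments prefer the opposite of the answer's setting (keys on, PasswordAuthentication no), which removes password guessing as an attack surface altogether.

```python
import re

# Settings drawn from the accepted solution, keyed by lowercased keyword
# (sshd_config keywords are case-insensitive); values are compared
# case-insensitively too. Adjust to your own policy.
RECOMMENDED = {
    "permitrootlogin": "no",
    "protocol": "2",
    "strictmodes": "yes",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
}

# Constructed "before" fragment (not from any real host): root login left at
# the compiled-in default and protocol 1 still enabled.
WEAK_CONFIG = """\
# Constructed sshd_config fragment
Port 22
Protocol 2,1
#PermitRootLogin yes
StrictModes yes
PermitEmptyPasswords no
HostbasedAuthentication no
Banner /etc/issue
"""

# Constructed hardened fragment that satisfies every RECOMMENDED entry.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
PermitEmptyPasswords no
HostbasedAuthentication no
Banner /etc/issue
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}, keeping the FIRST occurrence of each
    keyword. sshd uses the first value it reads and ignores later duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit(text, recommended=RECOMMENDED):
    """Return [(keyword, found_value_or_None, expected)] for every deviation.

    A missing keyword is a finding because sshd then applies its compiled-in
    default, which may be the permissive value."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in recommended.items():
        found = settings.get(key)
        if found is None or found.lower() != expected.lower():
            findings.append((key, found, expected))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, found, expected in findings:
            print(f"  {key}: found {found!r}, expected {expected!r}")
```

To audit a live host, read /etc/ssh/sshd_config into audit(). Match blocks, added in later OpenSSH releases, are not modelled here; on a modern host, sshd -T prints the fully resolved effective configuration and is the better input for this kind of check.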
 
LVL 1

Author Comment

by:itcdr
ID: 13820459
Thanks for your help.
 
LVL 2

Expert Comment

by:Darshan_Jadav
ID: 13821902
Welcome, Thx :-)