Hacker and what to do about him

[dxkj]

I'm a server admin of sorts...not by choice, but I've got the job. Now things have been quiet lately, until this morning. My normal security logs are about 10-12k in size when they rotate every week, and today I noticed that one server it was 150k. In 2 days. So I take a look, like any good admin would do.

500+ SSH login attempts from this ip: 218.145.54.195

I check the next server: same thing. The next server: same thing.

Between 500 and 540 login attempts from that IP address on all my servers.

The ip is from somewhere in korea, and just on the odd chance that someone might have run into him before, I google'd it and this came up:

<a target=_blank class=ftalternatingbarlinklarge href="https://www.redhat.com/archives/fedora-list/2005-January/msg05519.html">https://www.redhat.com/archives/fedora-list/2005-January/msg05519.html</a>
A quick excerpt:

Hello everyone,

My Logwatch report this moring is below. It appears that IP
218.145.54.195 has attempted to connect to my SSH daemon 500 times.

So this person has, for 2 months at least, been brute attacking servers from the SAME IP and no one has done a thing about it?

Anywho, this pissed me off and I want to know if there is anything I can do.

*edit* this probably should be moved to off-topic...thought I created it there.

 

[InlineFive]

Block requests from his IP with your firewall.

 

[cleverhandle]

Well, if your passwords are good you can just let him beat his brains against it for as long as wants. You're more than likely to bump up against another idiot if you go to the trouble to shut out this one.

But you can deny him SSH access through tcpwrappers. man hosts_access

 

[thriemus]

Not that I am saying I know how hackers think or work but I would say that the chances are that the "hacker" is just running a ssh vunribility scan on a class b or c to see what machines are vunrable to the script kiddie binary he has picked up from whatever source he acuired it.

Best thing to do is to block his ip at first entry pont like Porbleemo says. This is easy done. Also send an email to abuse@kornet.net (registered owner of 218.145.54.195) stating what is happening and mention that you have seeked legal guidence and report this activity. If you can paste in logs detailing activity then this will help. Also ask for a reply and send a read reciept request with the email, if you recieve no response then try again. If you get no response then let us know.

PS You can contact Kornet on +82-2-766-1407

 

[skyking]

Who uses shell access now? If it is a very few people, I tend to move off port 22 to some random higher port also.
Security through obscurity is not security at all, mind you. There is no substitiution for a patched box.
I do it so that my emails from charlie root have Zero login failures

 

[thriemus]

I use shell access on a daily basis to maintain linux and sco boxes over vpns. The benifits of ssh and to a certain degree telnet as well is that IT Professionals can script regular maintenance routines for servers and routers.

 

[nweaver]

I got hit tons of times. And we just had a box at work get hacked via SSH. I moved my SSH for my home firewall/server to a higher port (over 2000) and I have had 0 login requests over the last 8 months (except my own, of course)

As I am rebuilding the hacked box at work (I told them this looked like a security sieve) I am: Changing auth from Blowfish (only allows 8 digit passwords) to MD5 and shutting off ALL nonessential services. SSH is required, but will be moved to another port, and the HTTP server (purpose of the box) will be chroot jailed (if I can ever figure that out.)

 

[foxkm]

on my web server I have noticed lots of people trying to gain access. I simply set up sshd to run through inet.d and when I see hack attempts in the log I simply add a line to my /etc/hosts.deny file to ban his subnet.

Stoopid people are easy to deal with.

KMF

 

[Boscoh]

Just block his IP at your gateway. Pursuing it any further will probably not get you anywhere and just frustrate you, especially if he's located in Korea.

If it continues to be a problem, you could block all SSH access from the outside and setup a VPN into your network. Then you could VPN in and access the SSH internally. Thats what I do, except on my VPN server...because if theres a problem with that box then VPN probably isnt working anyways.

 

[n0cmonkey]

Originally posted by: nweaver
I got hit tons of times. And we just had a box at work get hacked via SSH. I moved my SSH for my home firewall/server to a higher port (over 2000) and I have had 0 login requests over the last 8 months (except my own, of course)

Was it a bad password or did the admin not update SSH when he should have?

As I am rebuilding the hacked box at work (I told them this looked like a security sieve) I am: Changing auth from Blowfish (only allows 8 digit passwords) to MD5

blowfish allows plenty more than 8 digit passwords.

If you're going to go from blowfish to something else, go to something reasonable: AES. md5 is poop.

and shutting off ALL nonessential services. SSH is required, but will be moved to another port, and the HTTP server (purpose of the box) will be chroot jailed (if I can ever figure that out.)

OpenBSD chroots apache out of the box, but jails are a different matter.

Blowfish: 1, MD5: 0.

 

[nweaver]

Bad password (box name as login, craptastic password)


And it's Suse, when I had it set to Blowfish, it wouldn't allow me more then 8 characters. I changed to MD5 because it allowed more.....
I am not a guru on that stuff, so /shrug. Maybe it's time for some quality time with the google /grin

 

[n0cmonkey]

Originally posted by: nweaver
Bad password (box name as login, craptastic password)


And it's Suse, when I had it set to Blowfish, it wouldn't allow me more then 8 characters. I changed to MD5 because it allowed more.....
I am not a guru on that stuff, so /shrug. Maybe it's time for some quality time with the google /grin

Must be a SuSE issue. OpenSSH should connect through PAM, so maybe your PAM limits to 8 characters or something...

md5 is still poop.

 

[thriemus]

The limit is set to 8 characters in suse as this is all that gets encryped and validated using blowfish when you enter your password.

ie If you set your password to 1234567890abcdefghi. entering 12345678 will allow you to login.

EDIT: Ok I will rephase what I said earlier, I do know how hackers work and it isnt hackers trying to get into your box its crackers (not the no_cd patch variety) or script kiddies. Believe me when I say that 99% of hack attempts these days are kiddies scanning a range of ip address's to see which computers are vunrable. From one command line entry in linux its possible to scan a range of ip address in nmap for port 22 being open, pipe that to a vunrablility checker and then give a list of vunrable computers. I do this on a regular basis when pen testing. (Legal pen testing that my company gets paid for with a signed, witnessed contract to do so, I am not a script kiddie)