Can't tell if I have been hacked :( [Solved for one specific machine]

jdow jdow at earthlink.net
Tue Mar 21 06:20:27 UTC 2006


From: "Claude Jones" <claude_jones at levitjames.com>

> On Mon March 20 2006 8:45 pm, Claude Jones wrote:
>> Just to add something to this discussion. Today, I've just noticed that ssh
>> has become disabled on two separate machines, one at home, and one at my
>> office. Both are FC4 and are kept up to date with latest patches. I haven't
>> really dived in, yet, except to look at the ssh config files, where there
>> didn't seem to be anything amiss. So far, I've tried applying my firewall
>> rules from fwbuilder to both machines, and both give back ssh errors. I
>> then tried a simple log on via ssh to the local machine at work, and it
>> failed. I just tried to log in to my office machine from home, and it just
>> stalls. I don't know when this stopped working, but the fact that it's
>> happening on two machines widely separate, makes me wonder if some recent
>> update broke things...
> 
> To prevent muddying the waters, I just discovered the cause on one of my 
> machines. For some reason, my LAN NIC's IP address had been added to 
> hosts.deny, presumably by "denyhosts", the utility that monitors ssh log-on 
> attempts, and adds unsuccessful IPs to the hosts.deny list, when log-in 
> attempts exceed the configured numbers. Removing my LAN NIC from the list 
> allowed me to apply my firewall rules, which uses ssh over the inside NIC to 
> connect and apply. 

A better trick exists. It works if your passwords are even modestly robust
or you use only keys.

===8<---
IPTABLES=${IPTABLES:-/sbin/iptables}   # added: define the binary if the surrounding script does not
# Then setup the reject trap.
# 1. Every new SSH connection (a SYN to port 22) puts the source address in
#    the "sshattack" recent list and stamps the current time.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# 2. A source with 3 or more SYNs in the last 120 seconds is logged ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# 3. ... and then rejected with a TCP reset instead of reaching sshd.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---

Critter gets three tries in 120 seconds then is locked out until the retry
count goes below 3. They never stop trying as fast as they can so they get
one shot per attack. The Sun will grow cold before they get in even with a
password like "open sesame".

{^_-}
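
Here is an added example (not from the original post, and not iptables code) that models the two `-m recent` rules above in Python, to show why a source that keeps hammering port 22 stays locked out while an admin who mistypes twice and waits a couple of minutes does not. It assumes the usual xt_recent semantics: `--set` stamps the source address (20 stamps kept per address by default), and `--rcheck --seconds 120 --hitcount 3` counts stamps inside the window, the current packet included.

```python
"""Model of the iptables 'recent' match used in the SSH trap (assumed xt_recent
semantics: --set stamps the source, --rcheck counts stamps inside the window)."""
from collections import defaultdict

WINDOW = 120      # --seconds 120
HITCOUNT = 3      # --hitcount 3
LIST_TOT = 20     # xt_recent ip_pkt_list_tot default: stamps kept per address


class RecentTable:
    """Per-source timestamp list, like one xt_recent table (--name sshattack)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet's time, keeping only the newest LIST_TOT."""
        self.stamps[src].append(now)
        del self.stamps[src][:-LIST_TOT]

    def rcheck(self, src, now, seconds=WINDOW, hitcount=HITCOUNT):
        """--rcheck: True when src has at least `hitcount` stamps in `seconds`."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        return len(recent) >= hitcount


def filter_syns(syns):
    """Run SYNs (src, time) through the trap; return 'ACCEPT'/'REJECT' per SYN.
    --set runs before --rcheck, so the current SYN counts: the third SYN inside
    the window is already rejected, and a hammering source never empties it."""
    table = RecentTable()
    verdicts = []
    for src, now in syns:
        table.set(src, now)                 # rule 1: --set
        if table.rcheck(src, now):          # rules 2 and 3: LOG, then REJECT
            verdicts.append("REJECT")
        else:
            verdicts.append("ACCEPT")
    return verdicts


# Constructed sample: a scanner every 10 s for 400 s, and an admin who mistypes twice.
ATTACKER = [("198.51.100.7", t) for t in range(0, 400, 10)]
ADMIN = [("192.0.2.10", 5), ("192.0.2.10", 30), ("192.0.2.10", 60), ("192.0.2.10", 200)]

if __name__ == "__main__":
    for sample in (ATTACKER, ADMIN):
        for (src, t), v in zip(sample, filter_syns(sample)):
            print(f"t={t:3d} {src:15} {v}")
```

Note that the rule counts new TCP connections, not failed logins, so three quick scp or git-over-ssh sessions from one address within two minutes trip it just the same.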
