[Wien] Help - attack?

Gerald Leier (spam-protected)
Sat Jul 18 13:44:48 CEST 2009


Hello,

On Fri, 2009-07-17 at 20:42 +0200, Felix Ehritz wrote:
> As already reported, I dared to switch to Linux on one of my computers.
> On my other computer, which already runs Debian, I have now rummaged
> through the logs, after a friend told me that everything gets recorded,
> and I was horrified - a small excerpt:
> 

> Jul 12 08:37:02 server sshd[19352]: Invalid user amanda from 83.18.244.4
> Jul 12 08:37:02 server sshd[19352]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!

Where the use case allows it, port knocking is another way to hide
services that not everyone is supposed to reach.

First of all, I'd like to point out that this is an application from the
field of "Security by Obscurity", which offers "more security" than
simply moving the service to a "non-standard port".

Port knocking supplements security mechanisms such as public-key
authentication with sufficient key length, and explicitly permitting
remote access only for particular user accounts, with an additional,
very obscure hurdle.

:: Increasing security:

/etc/ssh/sshd_config:
 ...
 PubkeyAuthentication yes
 PasswordAuthentication no
 HostbasedAuthentication no
 PermitRootLogin no
 AllowUsers unpriviligierterusername
 ...

--------

:: Hiding from automated scans:

http://de.wikipedia.org/wiki/Portknocking

Under Debian GNU/Linux something like this is quickly put together.

apt-get install knockd

Reading
   /usr/share/doc/knockd/README.Debian
..and
   /usr/share/doc/knockd/README
..is absolutely mandatory!

Changing the ports of the preconfigured knocking sequences can't hurt.
Likewise, the seq_timeout parameter has to be sized generously enough
(if, when need be, knocking with a web browser is supposed to work
as well).

regards
 gerald


> Jul 12 08:37:02 server sshd[19352]: (pam_unix) check pass; user unknown
> Jul 12 08:37:02 server sshd[19352]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:05 server sshd[19352]: Failed password for invalid user
> amanda from 83.18.244.4 port 42691 ssh2
> Jul 12 08:37:06 server sshd[19354]: Invalid user iris from 83.18.244.4
> Jul 12 08:37:06 server sshd[19354]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:06 server sshd[19354]: (pam_unix) check pass; user unknown
> Jul 12 08:37:06 server sshd[19354]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:07 server sshd[19354]: Failed password for invalid user
> iris from 83.18.244.4 port 42825 ssh2
> Jul 12 08:37:08 server sshd[19356]: Invalid user bonnie from 83.18.244.4
> Jul 12 08:37:08 server sshd[19356]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:08 server sshd[19356]: (pam_unix) check pass; user unknown
> Jul 12 08:37:08 server sshd[19356]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:10 server sshd[19356]: Failed password for invalid user
> bonnie from 83.18.244.4 port 42933 ssh2
> Jul 12 08:37:11 server sshd[19358]: Invalid user sparky from 83.18.244.4
> Jul 12 08:37:11 server sshd[19358]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:11 server sshd[19358]: (pam_unix) check pass; user unknown
> Jul 12 08:37:11 server sshd[19358]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:14 server sshd[19358]: Failed password for invalid user
> sparky from 83.18.244.4 port 43061 ssh2
> Jul 12 08:37:15 server sshd[19360]: Invalid user clasic from 83.18.244.4
> Jul 12 08:37:15 server sshd[19360]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:15 server sshd[19360]: (pam_unix) check pass; user unknown
> Jul 12 08:37:15 server sshd[19360]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:17 server sshd[19360]: Failed password for invalid user
> clasic from 83.18.244.4 port 43208 ssh2
> Jul 12 08:37:17 server sshd[19362]: Invalid user jamy from 83.18.244.4
> Jul 12 08:37:17 server sshd[19362]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:17 server sshd[19362]: (pam_unix) check pass; user unknown
> Jul 12 08:37:17 server sshd[19362]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:19 server sshd[19362]: Failed password for invalid user
> jamy from 83.18.244.4 port 43307 ssh2
> Jul 12 08:37:20 server sshd[19364]: Invalid user david from 83.18.244.4
> Jul 12 08:37:20 server sshd[19364]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:20 server sshd[19364]: (pam_unix) check pass; user unknown
> Jul 12 08:37:20 server sshd[19364]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:23 server sshd[19364]: Failed password for invalid user
> david from 83.18.244.4 port 43417 ssh2
> Jul 12 08:37:23 server sshd[19366]: Invalid user administrator from
> 83.18.244.4
> Jul 12 08:37:23 server sshd[19366]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:23 server sshd[19366]: (pam_unix) check pass; user unknown
> Jul 12 08:37:23 server sshd[19366]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:26 server sshd[19366]: Failed password for invalid user
> administrator from 83.18.244.4 port 43546 ssh2
> Jul 12 08:37:27 server sshd[19368]: Invalid user info from 83.18.244.4
> Jul 12 08:37:27 server sshd[19368]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:27 server sshd[19368]: (pam_unix) check pass; user unknown
> Jul 12 08:37:27 server sshd[19368]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:28 server sshd[19368]: Failed password for invalid user
> info from 83.18.244.4 port 43660 ssh2
> Jul 12 08:37:29 server sshd[19370]: Invalid user webmaster from
> 83.18.244.4
> Jul 12 08:37:29 server sshd[19370]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:29 server sshd[19370]: (pam_unix) check pass; user unknown
> Jul 12 08:37:29 server sshd[19370]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:31 server sshd[19370]: Failed password for invalid user
> webmaster from 83.18.244.4 port 43760 ssh2
> Jul 12 08:37:32 server sshd[19372]: Invalid user rebeca from 83.18.244.4
> Jul 12 08:37:32 server sshd[19372]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:32 server sshd[19372]: (pam_unix) check pass; user unknown
> Jul 12 08:37:32 server sshd[19372]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:37:34 server sshd[19372]: Failed password for invalid user
> rebeca from 83.18.244.4 port 43865 ssh2
> Jul 12 08:37:35 server sshd[19374]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:35 server sshd[19374]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:37 server sshd[19374]: Failed password for root from
> 83.18.244.4 port 43975 ssh2
> Jul 12 08:37:38 server sshd[19376]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:38 server sshd[19376]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:41 server sshd[19376]: Failed password for root from
> 83.18.244.4 port 44080 ssh2
> Jul 12 08:37:42 server sshd[19378]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:42 server sshd[19378]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:43 server sshd[19378]: Failed password for root from
> 83.18.244.4 port 44192 ssh2
> Jul 12 08:37:44 server sshd[19380]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:44 server sshd[19380]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:47 server sshd[19380]: Failed password for root from
> 83.18.244.4 port 44296 ssh2
> Jul 12 08:37:47 server sshd[19382]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:47 server sshd[19382]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:49 server sshd[19382]: Failed password for root from
> 83.18.244.4 port 44410 ssh2
> Jul 12 08:37:50 server sshd[19384]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:50 server sshd[19384]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:53 server sshd[19384]: Failed password for root from
> 83.18.244.4 port 44508 ssh2
> Jul 12 08:37:54 server sshd[19386]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:54 server sshd[19386]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:56 server sshd[19386]: Failed password for root from
> 83.18.244.4 port 44626 ssh2
> Jul 12 08:37:57 server sshd[19388]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:37:57 server sshd[19388]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4  user=root
> Jul 12 08:37:59 server sshd[19388]: Failed password for root from
> 83.18.244.4 port 44755 ssh2
> Jul 12 08:38:00 server sshd[19390]: Invalid user optic from 83.18.244.4
> Jul 12 08:38:00 server sshd[19390]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:38:00 server sshd[19390]: (pam_unix) check pass; user unknown
> Jul 12 08:38:00 server sshd[19390]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:38:02 server sshd[19390]: Failed password for invalid user
> optic from 83.18.244.4 port 44862 ssh2
> Jul 12 08:38:02 server sshd[19392]: Invalid user service from
> 83.18.244.4
> Jul 12 08:38:02 server sshd[19392]: reverse mapping checking getaddrinfo
> for gw2-4.xnet.org.pl failed - POSSIBLE BREAK-IN ATTEMPT!
> Jul 12 08:38:02 server sshd[19392]: (pam_unix) check pass; user unknown
> Jul 12 08:38:02 server sshd[19392]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=83.18.244.4 
> Jul 12 08:38:05 server sshd[19392]: Failed password for invalid user
> service from 83.18.244.4 port 44955 ssh2
> Jul 12 08:38:06 server sshd[19394]: Invalid user admin from 83.18.244.4
> 
> 
> 
> and it goes on like this the whole time!
> what can one do about it?
> 
> Best regards, Felix
> 
> 
> --
> Wien mailing list
> (spam-protected)
> http://lists.funkfeuer.at/mailman/listinfo/wien
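The quoted log shows the usual shape of an SSH dictionary attack: one source address, a fresh sshd process per attempt, a list of guessed user names, then a run of password attempts for root. The following Python script is an added example and not part of the original thread: it parses lines in exactly that sshd/pam_unix format and flags a source address when it produces a burst of failures, tries many distinct user names, or attempts passwords for root. The sample log is constructed for the example, and the addresses 203.0.113.7 and 192.0.2.10 are documentation addresses, not the one from the post.

```python
import re
from datetime import datetime

# Constructed sample in the format of the sshd/pam_unix lines quoted in the
# thread (one log entry per line). The addresses 203.0.113.7 and 192.0.2.10
# are documentation addresses chosen for this example, not the ones from the post.
SAMPLE_LOG = """\
Jul 12 08:37:02 server sshd[19352]: Invalid user amanda from 203.0.113.7
Jul 12 08:37:02 server sshd[19352]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 12 08:37:02 server sshd[19352]: (pam_unix) check pass; user unknown
Jul 12 08:37:02 server sshd[19352]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Jul 12 08:37:05 server sshd[19352]: Failed password for invalid user amanda from 203.0.113.7 port 42691 ssh2
Jul 12 08:37:06 server sshd[19354]: Invalid user iris from 203.0.113.7
Jul 12 08:37:07 server sshd[19354]: Failed password for invalid user iris from 203.0.113.7 port 42825 ssh2
Jul 12 08:37:08 server sshd[19356]: Invalid user bonnie from 203.0.113.7
Jul 12 08:37:10 server sshd[19356]: Failed password for invalid user bonnie from 203.0.113.7 port 42933 ssh2
Jul 12 08:37:35 server sshd[19374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jul 12 08:37:37 server sshd[19374]: Failed password for root from 203.0.113.7 port 43975 ssh2
Jul 12 08:37:41 server sshd[19376]: Failed password for root from 203.0.113.7 port 44080 ssh2
Jul 12 09:15:00 server sshd[20001]: Failed password for alice from 192.0.2.10 port 50123 ssh2
Jul 12 09:15:20 server sshd[20003]: Accepted publickey for alice from 192.0.2.10 port 50124 ssh2
"""

# Only the final "Failed password" verdict of an attempt is counted, so one
# attempt is never counted twice via its "Invalid user" / pam_unix companions.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text):
    # syslog lines carry no year; the sample is from one year, so the
    # 1900 default that strptime fills in is fine for computing differences.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def summarize(log_text):
    """Aggregate failed password attempts per source address."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        s = stats.setdefault(m["ip"], {"times": [], "users": set(), "root": 0})
        s["times"].append(parse_ts(m["ts"]))
        s["users"].add(m["user"])
        if m["user"] == "root":
            s["root"] += 1
    return stats


def has_burst(times, n, window_seconds):
    """True if any n failures fall within window_seconds of each other."""
    times = sorted(times)
    return any(
        (times[i + n - 1] - times[i]).total_seconds() <= window_seconds
        for i in range(len(times) - n + 1)
    )


def flag_bruteforce(stats, max_failures=5, window_seconds=600, min_distinct_users=3):
    """Map each suspicious source address to the reasons it was flagged."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if has_burst(s["times"], max_failures, window_seconds):
            reasons.append(f"{max_failures}+ failures within {window_seconds}s")
        if len(s["users"]) >= min_distinct_users:
            reasons.append(f"{len(s['users'])} distinct user names tried")
        if s["root"]:
            reasons.append(f"{s['root']} password attempts for root")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_bruteforce(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: " + "; ".join(reasons))
```

The single failed login from 192.0.2.10 followed by an accepted public key is a legitimate user mistyping once and is not flagged; the thresholds are the knobs to tune before feeding the output to a firewall rule, as fail2ban-style tools do.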





More information about the Wien mailing list
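The sshd_config settings in the reply above are easy to get wrong in practice: keywords are case-insensitive, sshd takes the first value it obtains for a keyword and silently ignores later duplicates, and anything inside a Match block is conditional. As an added example (not from the thread or the OpenSSH project), this Python audit parses the global section with those rules and checks the settings from the reply. It also checks ChallengeResponseAuthentication, which the reply does not mention: with UsePAM enabled, leaving it at "yes" still allows keyboard-interactive password logins even when PasswordAuthentication is "no". Both sample configurations and the account name unprivuser are constructed.

```python
import re

# Settings the list post recommends for the global section of sshd_config,
# plus ChallengeResponseAuthentication (not in the post): with UsePAM, a
# "yes" there still lets keyboard-interactive password logins through.
EXPECTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "hostbasedauthentication": "no",
    "permitrootlogin": "no",
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")

# Constructed: roughly what a stock Debian sshd_config of that era looked like.
WEAK_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
HostbasedAuthentication no
UsePAM yes
"""

# Constructed: the settings from the reply, with a trailing duplicate that
# sshd ignores because the first obtained value wins.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PermitRootLogin no
AllowUsers unprivuser
UsePAM yes
PermitRootLogin yes
Match User unprivuser
    PasswordAuthentication yes
"""


def parse_global(config_text):
    """Parse the global section of an sshd_config: keywords are case-insensitive,
    the first value obtained for a keyword wins (later duplicates are ignored,
    as in sshd), and parsing stops at the first Match block, whose settings
    are conditional and out of scope for this audit."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return a list of (keyword, message) findings; an empty list means all checks pass."""
    settings = parse_global(config_text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append((key, f"not set explicitly, compiled-in default applies; want '{want}'"))
        elif got.lower() != want:
            findings.append((key, f"is '{got}', want '{want}'"))
    allow = settings.get("allowusers")
    if allow is None:
        findings.append(("allowusers", "not set, every local account may log in remotely"))
    elif "root" in allow.lower().split():
        findings.append(("allowusers", "lists root"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for key, msg in audit(cfg) or [("ok", "all checks pass")]:
            print(f"  {key}: {msg}")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the Match block in the hardened sample is deliberately ignored, so a per-user password exception there would need a separate look.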