Fedora Linux Support Community & Resources Center
  #16  
Old 17th November 2010, 08:47 AM
pete_1967
Re: How to investigate possible Virus using Linux to port scan edu sites?

Since stevea already mentioned key based authentication, no need to repeat that, just to make one thing clear: denying root logins does not prevent a user from logging in to the system as root, it only prevents the user from logging in as root via ssh (ssh root@domain). If they guess a user password, they can log in as usual and then start cracking root's password on the machine itself. Makes it a bit harder but far from impossible to get root access.
  #17  
Old 17th November 2010, 02:15 PM
scott32746
Re: How to investigate possible Virus using Linux to port scan edu sites?

With fail2ban I have it set up to allow 3 attempts to login; if you fail it locks you out for 10 mins.
This has helped to reduce the number of attempts from bad guys using a script to get in with.
Went from one bad guy trying 20 times down to 3.
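An added example, not from scott32746's post or from fail2ban itself, that replays the rule he describes (3 failed logins, then a 10 minute lockout) over constructed /var/log/secure lines; the log text, host name and addresses are made up for the example:

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd wrote to /var/log/secure at the time (no year in the stamp).
SAMPLE_LOG = """\
Nov 17 13:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40120 ssh2
Nov 17 13:01:05 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.9 port 40121 ssh2
Nov 17 13:01:09 host sshd[2103]: Failed password for root from 203.0.113.9 port 40122 ssh2
Nov 17 13:01:12 host sshd[2105]: Failed password for root from 203.0.113.9 port 40123 ssh2
Nov 17 13:02:00 host sshd[2110]: Failed password for vector from 198.51.100.4 port 51000 ssh2
Nov 17 13:02:30 host sshd[2111]: Accepted publickey for vector from 198.51.100.4 port 51001 ssh2
Nov 17 13:15:00 host sshd[2120]: Failed password for root from 203.0.113.9 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_ts(stamp, year=2010):
    """Syslog stamps carry no year, so one is supplied (the thread's year by default)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def simulate_bans(log_text, maxretry=3, findtime=600, bantime=600):
    """Replay the log with fail2ban-style counting (parameter names follow its jail options).

    A source is banned once it has `maxretry` failures within `findtime` seconds; the ban
    lasts `bantime` seconds and failures arriving while banned are counted as dropped,
    which is what the firewall rule would do to them. Returns (ban_events, dropped)
    with ban_events as a list of (ip, ban_start) tuples in log order.
    """
    failures = {}      # ip -> failure timestamps still inside the window
    banned_until = {}  # ip -> datetime when its ban expires
    ban_events, dropped = [], 0
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are never counted
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned_until and ts < banned_until[ip]:
            dropped += 1
            continue
        window = [t for t in failures.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            ban_events.append((ip, ts))
            failures[ip] = []  # counting starts fresh once the ban has expired
    return ban_events, dropped
```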
  #18  
Old 18th November 2010, 02:17 AM
stevea
Re: How to investigate possible Virus using Linux to port scan edu sites?

Quote:
Originally Posted by Vector
Ha, thanks .
...
Yeahhhhh.... that would have been me; and that's not something I normally do. Lesson learned.
Not that I haven't done things considerably dumber, but you need a good beat-down for that one.


Quote:
I know, I see this all the time in my server logs. But afaik a successful dictionary attack IS a hack, technically speaking?
What I typically see is that a script kiddie will try 15 or 30 easy passwords for a few obvious accounts like root. Maybe you saw a more tenacious hacker, but the security log also shows the number of failed tries.

Quote:
I'll have to look into that; that's new to me
Dead easy, just add this to /etc/ssh/sshd_config, then restart the sshd service.
AllowUsers vector,stevea
Then vector and stevea are the ONLY users able to ssh authenticate. Every script-kiddie knows there is a root and a bin account, but they won't spend hours trying non-obvious names. NEVER put a name on that list of anyone likely to set a simplistic passwd. If you need root then login as vector and use "su -" or sudo. Use this in addition to key only logins and then the "password too simple" problem disappears.


Quote:
Originally Posted by pete_1967
Since stevea already mentioned key based authentication, no need to repeat that, just to make one thing clear: denying root logins does not prevent a user from logging in to the system as root, it only prevents the user from logging in as root via ssh (ssh root@domain). If they guess a user password, they can log in as usual and then start cracking root's password on the machine itself. Makes it a bit harder but far from impossible to get root access.
Absolutely!

There are lots of tutorials on setting up ssh key based authentication:
http://www.petefreitag.com/item/532.cfm
http://www.debian-administration.org/articles/530
http://pkeck.myweb.uga.edu/ssh/

*AFTER* you have key based authentication working, do this to the server sshd_config:
GSSAPIAuthentication no
KerberosAuthentication no
PasswordAuthentication no
RhostsRSAAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
ChallengeResponseAuthentication yes


If you do that then opening port 22 won't even give you a login prompt. No one will guess your 2048 bit key in less than a million years.

If you want extra security, set up host based authentication so the system will only recognize attempts to login from well known hosts (you have to copy the client host public key (not user key) to the server). That takes more work tho'.


There is also something called single packet authentication (unrelated to ssh). I can't explain how here, but the point is you can firewall all ports except the magic-packet UDP port. If the server receives the "magic packet" then it opens port 22 for a few minutes, and you have a short window to ssh by key.

The magic packet is typically a shared-key encrypted message with a time stamp, so this prevents replay attempts. Your magic packet is only good for a few seconds.
Last edited by stevea; 18th November 2010 at 02:21 AM.
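An added example, not stevea's or OpenSSH's code, that parses an sshd_config and checks it against the settings recommended above plus pete_1967's point about root logins; both config samples are constructed. One caveat it also checks: with ChallengeResponseAuthentication yes and UsePAM yes, PAM can still present a password prompt through keyboard-interactive even when PasswordAuthentication is no, so the hardened sample turns that off as well.

```python
import re

# Constructed "before" sample: passwords still accepted and root reachable over ssh.
WEAK_CONFIG = """\
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed "after" sample: the post's settings plus AllowUsers, keyboard-interactive also off.
HARDENED_CONFIG = """\
PermitRootLogin no
AllowUsers vector stevea
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
"""

def parse_sshd_config(text):
    """Global (pre-Match) directives as {lowercase keyword: value}; sshd honours the FIRST occurrence."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break  # Match blocks are conditional; this audit covers the global section only
        directives.setdefault(key, value)
    return directives

def audit_sshd(text):
    """Findings against the thread's advice; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    def get(key, default):  # an absent keyword means sshd's compiled-in default applies
        return cfg.get(key, default).lower()
    findings = []
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on: passwords can be guessed remotely")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: key-only login is impossible")
    if get("challengeresponseauthentication", "yes") == "yes" and get("usepam", "no") == "yes":
        findings.append("ChallengeResponseAuthentication yes + UsePAM yes: PAM can still prompt for a password (keyboard-interactive)")
    if get("permitrootlogin", "") != "no":
        findings.append("PermitRootLogin is not 'no': root is reachable over ssh")
    if "allowusers" not in cfg:
        findings.append("No AllowUsers list: every local account is an ssh target")
    return findings
```

`sshd -T` prints the effective configuration in the same keyword/value form, so its output can be handed to audit_sshd() directly.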
  #19  
Old 18th November 2010, 02:51 AM
Vector
Re: How to investigate possible Virus using Linux to port scan edu sites?

Quote:
Originally Posted by stevea
...Maybe you saw a more tenacious hacker, but the security log also shows the number of failed tries...
Yeah, some of my servers get hit with dictionaries with several tens of thousands of name attempts against user accounts, and then several thousand password attempts against the ubiquitous root account. I see two or three people trying this once in a while, totaling more than 100,000 attempts in a few days.

I'd been keying their IPs into hosts.deny by hand, but thanks to all who've posted in this thread, I've found several more efficient and more secure ways to handle this (I installed and configured denyhosts as soon as it was mentioned).

So, thanks all!
  #20  
Old 18th November 2010, 02:55 AM
stevea
Re: How to investigate possible Virus using Linux to port scan edu sites?

Don't care how you slice it, a list of bad IPs can never predict the next bad IP. No matter how smart the list.

Get rid of passwd authentication!