Hacking attempts - any additional software available


Postby rtcary » 2016/08/13 16:15:35

First my disclaimer: I have had a Linux server running for at least 15 years so that I can share things with my fellow Rotarians and test some website coding (LAMP). Though I have taken some Admin courses at a JC, I know just enough about Linux to keep the faithful box up and running (which hardly takes much).

Every day I receive my Logwatch report with entries like this snippet:

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
unknown (81-7-100-148.static.zebra.lt): 760 Time(s)
root (221.229.172.114): 722 Time(s)
root (221.194.44.194): 94 Time(s)
root (221.194.44.218): 94 Time(s)
root (221.194.44.227): 70 Time(s)
root (121.18.238.20): 69 Time(s)

I have the sshd service disabled, so I do not understand why there are the above listings. Should I disable the SSH port on my router?

Is there a program that I can add to my CentOS 5 (yes, I will have to upgrade to at least 6) that would add a delay to attempts after 3 times?

Thank you for helping someone that loves Linux (Centos) but does not have the skill that many of you do.

Rtcary


Postby TrevorH » 2016/08/13 23:06:38

How do you connect to your machine if not over ssh?

You might want to investigate something called fail2ban - it'll be in the EPEL repo. It can be used to look at the log messages and add iptables rules to kill persistent offenders.

As you seem to know, you will shortly need to reinstall a newer version of CentOS because CentOS 5 has only 7 or 8 months left. Although CentOS 6 is more similar to 5, it also has a shorter lifespan than CentOS 7, so you might just want to bite the bullet and go from 5 to 7 in one jump. It's less similar but has an extra 4 years of lifespan left - until 2024 rather than 2020.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
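
Added example (not part of the post above and not fail2ban's own code): a dry-run sketch of the approach the reply describes, counting failed sshd logins per source address in /var/log/secure-style lines and printing the iptables rule a ban would add. The function names, the threshold of 3, the sample log lines and the use of the INPUT chain are assumptions made for illustration.

```shell
#!/bin/sh
# offenders: read sshd log lines on stdin and print "address count" for every
# source with at least $1 failed password attempts (default 3).
# The address is taken from the END of the line ("from ADDR port N ssh2")
# because the username earlier in the line is chosen by the remote side.
offenders() {
    awk -v max="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
            fails[$(NF-3)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# ban_rules: turn that list into iptables commands, printed but not executed.
ban_rules() {
    while read -r ip count; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP  # $count failures"
    done
}

# Constructed sample in /var/log/secure format (documentation addresses).
sample_log() {
    cat <<'EOF'
Aug 13 04:10:01 centos5 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug 13 04:10:03 centos5 sshd[2103]: Failed password for root from 203.0.113.7 port 40120 ssh2
Aug 13 04:10:05 centos5 sshd[2105]: Failed password for invalid user from from 203.0.113.7 port 40131 ssh2
Aug 13 04:11:40 centos5 sshd[2110]: Failed password for todd from 198.51.100.23 port 51800 ssh2
Aug 13 04:12:02 centos5 sshd[2114]: Accepted password for todd from 198.51.100.23 port 51802 ssh2
EOF
}

sample_log | offenders 3 | ban_rules
```

The third sample line uses the login name "from" to show why the address is read from the end of the line rather than after the first "from".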


Postby rtcary » 2016/08/13 23:21:32

Thank you for the encouragement about biting the bullet and going to CentOS 7. Down the road I'll have a question about restoring with rsync the critical DBs and PHP code. In the meantime, I use Samba to connect to my CentOS box. Quite convenient but not a true Linux approach :-)!

Todd


Postby TrevorH » 2016/08/13 23:47:26

What about when you need to administer the machine? How do you connect to it to e.g. run yum update?

Postby rtcary » 2016/08/14 00:27:15

The server sits alongside my desk, so I have a separate monitor, keyboard and mouse. The only time I used ssh was when I was taking an admin course.

Todd


Postby TrevorH » 2016/08/14 01:04:03

OK. Well, the fact that you are seeing those connection attempts either means your CentOS machine has an external IP address or that you have set up port forwarding on your router to make ssh accessible from outside. Can you post the output of the iptables-save command run as root please? Despite its name, it just prints the currently running rules. I am a touch concerned about what else might be accessible from outside if your machine has an external IP.

Postby rtcary » 2016/08/14 02:55:14

I closed port 22 in the router; however, it shows in the iptables:

# Generated by iptables-save v1.3.5 on Sat Aug 13 19:49:18 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28608:19927579]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 13 19:49:18 2016


Is that because the iptable was configured to monitor port 22 and has nothing to do with the port being open or closed?

Todd
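
Added example (not part of the post above): a small filter that reads iptables-save output like the dump posted here and lists each protocol/port the host firewall accepts, which is what the `--dport 22 -j ACCEPT` line means regardless of whether the router forwards that port or sshd is running. The function names are assumptions, and the sample is a constructed subset of the rules shown in the post.

```shell
#!/bin/sh
# accepted_ports: read `iptables-save` output on stdin and print one
# "proto/port" line for every rule that names --dport and jumps to ACCEPT.
accepted_ports() {
    awk '
        $1 == "-A" {
            proto = ""; port = ""; target = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print proto "/" port
        }
    ' | sort -t/ -k1,1 -k2,2n -u
}

# Constructed sample: a subset of the rules from the dump in the post.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_rules | accepted_ports
```

On a live machine the same function can be fed directly, as root: `iptables-save | accepted_ports`.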


Postby TrevorH » 2016/08/14 08:16:54

rtcary wrote: "I closed port 22 in the router however it shows in the iptables:"


And now that it is closed, are you still getting more ssh connection denied in /var/log/secure?

Does your machine have an ip address that starts with 192.168 or 172.16 or 10.?

Postby rtcary » 2016/08/14 13:56:43

Yes, closing port 22 (not forwarding it) stopped the entries.

The server is 192.168.0.22 and a SQL Server that has gone to the happy hunting ground for old servers was 192.168.0.11.

So, stopping the sshd service does not prevent ssh intrusion attempts??

WOW, in reading the Logwatch this morning, there is still a lot of stuff for network guys to know. If you are one, I applaud you.

Todd


################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Sun Aug 14 04:02:22 2016
Date Range Processed: yesterday
( 2016-Aug-13 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: centos5
##################################################################

--------------------- Selinux Audit Begin ------------------------

Number of audit daemon stops: 1

---------------------- Selinux Audit End -------------------------


--------------------- Automount Begin ------------------------


**Unmatched Entries**
lookup_read_master: lookup(nisplus): couldn't locate nis+ table auto.master: 2 Time(s)

---------------------- Automount End -------------------------


--------------------- httpd Begin ------------------------


A total of 1 sites probed the server
137.226.113.4

Requests with error response codes
404 Not Found
/CFIDE/administrator/: 1 Time(s)
/favicon.ico: 1 Time(s)
/invoker/JMXInvokerServlet: 1 Time(s)
/myadmin/scripts/setup.php: 1 Time(s)
/new_gbrc/calendar/%3C?=$this-%3EgetThemeP ... %3E/favicon.ico: 1 Time(s)
/new_gbrc/current-happenings/%3C?=$this-%3 ... %3E/favicon.ico: 1 Time(s)
/phpMyAdmin: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
http://testp1.piwo.pila.pl/testproxy.php: 1 Time(s)
http://testp3.pospr.waw.pl/testproxy.php: 1 Time(s)
http://testp4.pospr.waw.pl/testproxy.php: 2 Time(s)
405 Method Not Allowed
/backu: 1 Time(s)
/backup: 5 Time(s)
/hom: 1 Time(s)
/home/aristesoftware: 1 Time(s)
/home/aristesoftware/download: 1 Time(s)
/tm: 1 Time(s)
/tod: 1 Time(s)
/var/www: 5 Time(s)
/var/www/html: 5 Time(s)
/ww: 1 Time(s)
/www: 21 Time(s)
501 Not Implemented
null: 1 Time(s)

---------------------- httpd End -------------------------


--------------------- pam_unix Begin ------------------------

su:
Sessions Opened:
todd(uid=500) -> root: 2 Time(s)


---------------------- pam_unix End -------------------------


--------------------- samba Begin ------------------------


Connections Refused
Connection refused by 192.168.0.11 : 51 Time(s)

**Unmatched Entries**
auth/auth_server.c:check_smbserver_security(248) password server is not connected (cli not initilised) : 1 Time(s)
auth/auth_server.c:server_cryptkey(90) password server not available : 51 Time(s)
smbd/service.c:make_connection_snum(1013) '/media/disk/var/www/html' does not exist or permission denied when connecting to [backup] Error was No such file or directory : 10 Time(s)
smbd/service.c:set_current_service(184) chdir (/home/todd) failed : 20 Time(s)

---------------------- samba End -------------------------


--------------------- Connections (secure-log) Begin ------------------------


Userhelper executed applications:
todd -> system-config-services as root: 2 Time(s)
todd -> system-config-samba.py as root: 2 Time(s)

**Unmatched Entries**
webmin[3050]: Webmin starting
webmin[3020]: Webmin starting

---------------------- Connections (secure-log) End -------------------------


--------------------- Smartd Begin ------------------------


**Unmatched Entries**
smartd 5.42 2011-10-20 r3458 [i686-linux-2.6.18-411.el5] (local build)
Copyright (C) 2002-11 by Bruce Allen, http://smartmontools.sourceforge.net
Device: /dev/hda, packet devices [this device CD/DVD] not SMART capable
Device: /dev/hdc, Maxtor 6L250R0, S/N:L51P3LVG, FW:BAJ41G20, 251 GB
Device: /dev/hdd, Maxtor 6L160P0, S/N:L30ME4GH, FW:BAJ41G20, 163 GB
smartd 5.42 2011-10-20 r3458 [i686-linux-2.6.18-411.el5] (local build)
Copyright (C) 2002-11 by Bruce Allen, http://smartmontools.sourceforge.net
Device: /dev/hda, packet devices [this device CD/DVD] not SMART capable
Device: /dev/hdc, Maxtor 6L250R0, S/N:L51P3LVG, FW:BAJ41G20, 251 GB
Device: /dev/hdd, Maxtor 6L160P0, S/N:L30ME4GH, FW:BAJ41G20, 163 GB

---------------------- Smartd End -------------------------


--------------------- XNTPD Begin ------------------------


XNTPD Killed: 1 Time(s)

XNTPD Started: 2 Time(s)

Time Reset 1 times (total: -0.446120 s average: -0.446120 s)

Total interfaces 6 (non-local: 2)

Total synchronizations 5 (hosts: 4)

---------------------- XNTPD End -------------------------


--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 225G 29G 185G 14% /
/dev/hdc1 99M 53M 42M 56% /boot


---------------------- Disk Space End -------------------------


###################### Logwatch End #########################