Re: [CentOS] CentOS6 - Break in attempt? What is the Exploit?

2015-09-22 Thread James B. Byrne

On Mon, September 21, 2015 15:37, m.r...@5-cent.us wrote:
> Gordon Messmer wrote:
>>
>>> In other words, the
>>> hostkeys would be identical.
>>
>> I think what the error indicates is that a client tried to connect
>> to SSH, and the host key there did not match the fingerprint in the
>> client's "known_hosts" database.
>>
>>> It seems to me that someone attempted an ssh connection while
>>> spoofing our internal address.  Is such a thing even possible?
>>> If so then how does it work?
>>
>> In the situation as you've described it, probably not.
>>
>> It would be best to go to your logs themselves for the full
>> log entry and context, rather than relying on a report that
>> summarizes log entries.
>
> Looks like someone trying to break in. You *are* running fail2ban, are
> you not? If not, you need to install and fire it up, now.

Yes, we run fail2ban.  No, fail2ban did not catch this because the
number of attempts was below the threshold for a single IP.

The logwatch message reported is incomplete.  Our address was the
destination address.  The source address was not reported by logwatch
but it was logged in the syslog and it was not an internal address. 
It did belong to an organisation that bills itself as "a leader in
enterprise security. . .".

We have contacted them requesting an explanation of the probe.  It
could have been an error on someone's part, I suppose.

We see a lot of cracker traffic from Chile, Romania, Russia and the
Ukraine.  China was such a PITA that eventually we simply cut off that
range of addresses from reaching us by any ports other than 25/80/443
so we do not even see it any more, except via proxy.  Taiwan is nearly
in the same boat and Vietnam is next in the queue.

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS6 - Break in attempt? What is the Exploit?

2015-09-21 Thread Eero Volotinen
Well, sounds like some automatic deployment tool? A wrong IP address or
other configuration failure?

http://stackoverflow.com/questions/6356212/ant-scp-task-failure

--
Eero

2015-09-21 11:29 GMT+03:00 James B. Byrne:

> This morning's log review revealed this sshd log entry on one of our
> web services hosts:
>
>  Received disconnect:
> 11: disconnected by user : 2 Time(s)
> 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 :
> 1 Time(s)
>
>
> The IP address used is that of a public facing database query page for
> our freight transit information. It is itself a virtual IP address
> hosted on the system reporting the error.  In other words, if this
> were a legitimate connection then the situation would be that of an
> ssh client connecting to an sshd server running on the same host
> albeit each using a different IP address.  In other words, the
> hostkeys would be identical.
>
> It seems to me that someone attempted an ssh connection while spoofing
> our internal address.  Is such a thing even possible? If so then how
> does it work?
>
> What is com.jcraft.jsch?
>
>


Re: [CentOS] CentOS6 - Break in attempt? What is the Exploit?

2015-09-21 Thread m . roth
Gordon Messmer wrote:
>
>> In other words, the
>> hostkeys would be identical.
>
> I think what the error indicates is that a client tried to connect to
> SSH, and the host key there did not match the fingerprint in the
> client's "known_hosts" database.
>
>> >It seems to me that someone attempted an ssh connection while spoofing
>> >our internal address.  Is such a thing even possible? If so then how
>> >does it work?
>
> In the situation as you've described it, probably not.
>
> It would be best to go to your logs themselves for the full log entry
> and context, rather than relying on a report that summarizes log entries.

Looks like someone trying to break in. You *are* running fail2ban, are you
not? If not, you need to install and fire it up, now.

I see a *lot* of this... but then, I work for a US gov't federal
contractor (civilian sector), and let me assure you, I get tired of all
the attempts from China, Brazil, and other places trying to ssh in - it
really clutters my logfiles.

 mark



Re: [CentOS] CentOS6 - Break in attempt? What is the Exploit?

2015-09-21 Thread Gordon Messmer



> In other words, the
> hostkeys would be identical.

I think what the error indicates is that a client tried to connect to
SSH, and the host key there did not match the fingerprint in the
client's "known_hosts" database.

> It seems to me that someone attempted an ssh connection while spoofing
> our internal address.  Is such a thing even possible? If so then how
> does it work?

In the situation as you've described it, probably not.

It would be best to go to your logs themselves for the full log entry
and context, rather than relying on a report that summarizes log entries.

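Two points in this thread are worth seeing in code: Gordon's advice to read the raw sshd lines instead of the logwatch summary (the summary groups entries by message text and drops the client address), and James's later observation that fail2ban never fired because the per-IP count stayed under its threshold. The following is an added example, not code from anyone on the list. The syslog lines are constructed, with source addresses from documentation ranges; only the "reject HostKey" message text mirrors the entry quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread), in the format OpenSSH
# uses for "Received disconnect" messages. Source IPs are documentation ranges;
# the text after the reason code is whatever the client sent.
SAMPLE_SYSLOG = """\
Sep 21 06:12:01 web1 sshd[4021]: Received disconnect from 203.0.113.7: 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170
Sep 21 06:12:05 web1 sshd[4023]: Received disconnect from 198.51.100.9: 11: disconnected by user
Sep 21 06:12:09 web1 sshd[4025]: Received disconnect from 203.0.113.7: 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170
Sep 21 06:13:00 web1 sshd[4030]: Received disconnect from 198.51.100.9: 11: disconnected by user
"""

# "Received disconnect from <client ip>: <reason code>: <client-supplied text>"
DISCONNECT_RE = re.compile(
    r"sshd\[\d+\]: Received disconnect from (?P<src>[0-9a-fA-F.:]+): "
    r"(?P<reason>\d+): (?P<msg>.*)$"
)

def parse_disconnects(log_text):
    """Return (source_ip, reason_code, message) for each disconnect line."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("reason")), m.group("msg")))
    return events

def logwatch_style_summary(events):
    """Group by reason and message only, the way a summariser does: the source
    address is gone, which is why the report could not say who connected."""
    return Counter((reason, msg) for _src, reason, msg in events)

def hostkey_rejects_by_source(events):
    """Count 'reject HostKey' disconnects per client address. Reason 3 is
    SSH_DISCONNECT_KEY_EXCHANGE_FAILED (RFC 4253); the JSch text after it is the
    client saying it refused our host key, i.e. a known_hosts mismatch on its side."""
    return Counter(src for src, reason, msg in events
                   if reason == 3 and "reject HostKey" in msg)

def below_ban_threshold(counts, maxretry=5):
    """Sources whose count stays under a fail2ban-style per-IP maxretry:
    exactly the ones a ban rule never acts on, so they need a manual look."""
    return {src: n for src, n in counts.items() if n < maxretry}

if __name__ == "__main__":
    ev = parse_disconnects(SAMPLE_SYSLOG)
    print(logwatch_style_summary(ev))
    print(hostkey_rejects_by_source(ev))
    print(below_ban_threshold(hostkey_rejects_by_source(ev)))
```

Run it against `/var/log/secure` instead of the sample to get the per-source view the logwatch report lacks.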


[CentOS] CentOS6 - Break in attempt? What is the Exploit?

2015-09-21 Thread James B. Byrne
This morning's log review revealed this sshd log entry on one of our
web services hosts:

 Received disconnect:
11: disconnected by user : 2 Time(s)
3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 :
1 Time(s)


The IP address used is that of a public facing database query page for
our freight transit information. It is itself a virtual IP address
hosted on the system reporting the error.  In other words, if this
were a legitimate connection then the situation would be that of an
ssh client connecting to an sshd server running on the same host
albeit each using a different IP address.  In other words, the
hostkeys would be identical.

It seems to me that someone attempted an ssh connection while spoofing
our internal address.  Is such a thing even possible? If so then how
does it work?

What is com.jcraft.jsch?

