Re: need help with openssh attack

2012-01-09 Thread consul tores
2011/12/29, Taz :
> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access.
> Can anybody help? We can give ssh access to an attacked machine; it seems
> to be a serious ssh vulnerability.
>
> How can I contact the openssh mnt?
>
> Thank you.

Hello Taz

Could you please expand your technical explanation?
a. do you use keys+passphrases or keys or passwords?
b. how many people have a key or password?
c. could you show sshd_config at pastebin?
d. how many servers were really compromised?

Thanks so much for your attention.

PS:
You can determine how they were compromised by coincidences in
sshd_config or other config file.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAFxkjqmP7hWj3A+==5r1grtuedw4md-2rhljqi0brnscuht...@mail.gmail.com



Re: need help with openssh attack

2012-01-07 Thread Poison Bit
On Thu, Dec 29, 2011 at 4:51 PM, Thijs Kinkhorst  wrote:
> On Thu, December 29, 2011 16:37, Nicolas Carusso wrote:
>>
>> How about creating a Reference list with all the suggestions that we are
>> doing?
>> If all of you agree, Let's start now.
>>
>> SECURITY LIST
>> **
>
> There's already the Securing Debian HOWTO:
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
> Perhaps it's an idea to see if your suggestions are in there, and if not,
> to suggest additions/changes/patches to the Debian Documentation project.
> You can get in contact through debian-...@lists.debian.org.

chroot is done another way than the guide describes nowadays, so the patch is indeed needed.

I've seen the "change port 22" tip for as long as I've known ssh, and I still
see servers "hacked" in 2012.

Also, neither the guide nor the points stated here talk about
disabling unneeded forwarding.

I think one big step is to try to understand each option in the
sshd_config man page, to test the results in each environment, and for
each admin to evaluate each option against _house_ policies.

SSH on the main firewall? Is this the policy?

AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.  The default is
 “yes”...

Fortunately, the default for GatewayPorts is "no", but if that is not
your policy...

But maybe you don't like other defaults:

MaxAuthTries
 Specifies the maximum number of authentication attempts permitted
 per connection.  Once the number of failures reaches half this
 value, additional failures are logged.  The default is 6.

MaxSessions
 Specifies the maximum number of open sessions permitted per network
 connection.  The default is 10.

There are lot of other options, about timeouts, MaxStartups,
PermitEmptyPasswords, PermitTunnel, StrictModes

Maybe if you read the manual of the tool you just installed, you
start finding incomplete "security lists", etc.

Anyway... in the end... Just as you can search for FileZilla XMLs
indexed online (ip/user/pass of lots of environments), I've seen
public+private keys (+Amazon IDs) pushed to bitbucket as "mydotfiles"
and indexed by search engines.

While the sysadmin fights to secure ARP, TCP, IP, DNS, SSL and then
the services on top, and the ssh developer does privilege separation
and its other security stuff, the web developer will get the credentials
indexed by a search engine, or put them in a plain email, a worldwide
messenger service, a post-it on the task board or a shared folder
with anonymous access for a co-worker.

Step one in knowing how to secure a service on your server: do you know
how to attack that service? Do you know the common threats available
on the net to attack that service? Then play chess.

Not every SSH attack will be "a worm that exploits a code fault in
port 22 of random network ranges". Maybe you get an attack from just
another tech person like you trying to do "it" (DoS the service (or
the server), become root, make the machine heat up its RAM and kill other
processes, etc). Or maybe you get someone who just got the credentials from
anywhere. Does that young student doing a one-month internship have access
to all the company backups?

And... last but not least: system/security updates are not enough in
some environments, so maybe add to the list:

* maintenance (renew ssh keys periodically or on events, delete rules
for old users/groups/hosts, etc)

Also, if you follow best practices and have some CPU parse your
logs for you... "report attackers" may be another "task" of the
maintenance process. You "can" report any abuse to the responsible
internet providers, but that does not imply "results". Some attacks
will be in the ssh log, and others in the iptables ulogd log.

Have you already configured your firewalls, network, and sshd_config?
Good job! Next chapter: your desktop ~/.ssh/config also allows the same
and more options (disable unused protos, ciphers, methods, etc). If
you're root on ssh client machines, you should do the same on each one.


Greetings,
this mail is too long to see if I can DoS Debian servers delivering it.  ;-P


--
Iñigo


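The options quoted above are best checked mechanically, because sshd takes the first occurrence of a keyword, matches keyword names case-insensitively, falls back to a built-in default for anything the file omits, and treats everything after the first Match line as conditional. The script below is an added example for this archive, not code from the thread or from OpenSSH: it reports where a file's effective settings deviate from a house policy. The keyword names and built-in defaults are those documented in sshd_config(5) (the PermitRootLogin default of "yes" is the one in effect for the releases current when this thread was written; OpenSSH 7.0 changed it to prohibit-password). The policy values in SSHD_POLICY are this example's assumptions, standing in for whatever your own house policy is.

```shell
#!/bin/sh
# Added example: audit an sshd_config against a house policy.
# Keyword names and defaults are from sshd_config(5); the policy values
# below are this example's assumptions, not a recommendation from the list.

# "Keyword wanted" pairs. yes/no values must match exactly; numeric
# values are treated as an upper bound.
SSHD_POLICY='
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
StrictModes yes
MaxAuthTries 3
MaxSessions 2
'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# What sshd assumes when a keyword is absent from the file.
sshd_default() {
  case "$(lc "$1")" in
    permitrootlogin)        echo yes ;;   # OpenSSH < 7.0; later: prohibit-password
    passwordauthentication) echo yes ;;
    permitemptypasswords)   echo no ;;
    allowtcpforwarding)     echo yes ;;
    gatewayports)           echo no ;;
    permittunnel)           echo no ;;
    x11forwarding)          echo no ;;
    strictmodes)            echo yes ;;
    maxauthtries)           echo 6 ;;
    maxsessions)            echo 10 ;;
    *)                      echo "" ;;
  esac
}

# Effective value of KEYWORD in FILE, the way sshd reads it: comments and
# blank lines skipped, keyword matched case-insensitively, "Key value" or
# "Key=value" accepted, FIRST occurrence wins, and nothing after the first
# Match line counts (those settings apply only to matching connections).
effective_value() {
  ev_file="$1"; ev_key="$(lc "$2")"
  ev_found=$(awk -v key="$ev_key" '
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (line == "" || substr(line, 1, 1) == "#") next
      n = split(line, a, /[ \t=]+/)
      k = tolower(a[1])
      if (k == "match") exit
      if (k == key && n >= 2) { print a[2]; exit }
    }' "$ev_file")
  if [ -n "$ev_found" ]; then printf '%s\n' "$ev_found"; else sshd_default "$ev_key"; fi
}

# Print one "FAIL Keyword got=... want=..." line per deviation from
# SSHD_POLICY and return the number of deviations (0 = compliant).
audit_sshd_config() {
  au_file="$1"; au_fails=0
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(effective_value "$au_file" "$key")
    case "$want" in
      *[!0-9]*) [ "$(lc "$got")" = "$want" ] && ok=1 || ok=0 ;;
      *)        [ -n "$got" ] && [ "$got" -le "$want" ] 2>/dev/null && ok=1 || ok=0 ;;
    esac
    if [ "$ok" -eq 0 ]; then
      printf 'FAIL %-24s got=%-8s want=%s\n' "$key" "${got:-<unset>}" "$want"
      au_fails=$((au_fails + 1))
    fi
  done <<EOF
$SSHD_POLICY
EOF
  return "$au_fails"
}

# Usage on a host:  audit_sshd_config /etc/ssh/sshd_config
```

Run it as audit_sshd_config /etc/ssh/sshd_config on each host; the exit status is the number of deviations, so it drops straight into a cron job or a configuration check. It reads the file as written rather than asking the running daemon; `sshd -T` prints the daemon's effective configuration and is the thing to compare against when you suspect the two differ.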



Re: need help with openssh attack

2011-12-30 Thread Russell Coker
On Fri, 30 Dec 2011, Taz  wrote:
> Of course, I've double-changed all passwords and regenerated ssh keys.

Are the SSH and PAM settings doing what you think?  I suggest carefully 
examining the contents of /etc to see what has been changed from the default.

A new sshd vulnerability that allows remote access would be worth a lot of 
money, it would initially only be used on the most important systems and 
people who use it would be careful not to reveal what they have.  When an 
exploit that is used by attackers becomes known and gets fixed the people who 
were using it lose money.

If there was a hole in sshd would your server be important enough to justify 
the risk?  Also would they use and risk a valuable sshd exploit on a mere 
spam-bot?

http://etbe.coker.com.au/2011/12/31/server-cracked/

As an aside, the above blog post has information on how one of my servers was 
cracked.  It could be the same way that yours was.

-- 
My Main Blog      http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


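Russell's suggestion to look for what in /etc differs from the default can be done from the dpkg database, which records an md5 for every conffile a package installed; dpkg --verify and debsums perform this comparison. The script below is an added example, not from the thread or from dpkg: it reimplements the conffile part of that check with awk and md5sum so it can be run from a clean analysis host against a copy of /var/lib/dpkg/status and a read-only mounted image of the suspect disk, rather than trusting the dpkg binary and libraries on the compromised machine. The function names are this example's own. The recorded hashes come from the suspect host's own status file, so an attacker with root could have edited them as well; confirm anything interesting against the .deb from a Debian mirror or against an untouched host.

```shell
#!/bin/sh
# Added example: report package conffiles under ROOT whose md5 differs from
# the one recorded in a dpkg status file (the check dpkg --verify/debsums
# perform for conffiles), so it can run from a clean host against a copy of
# /var/lib/dpkg/status and a read-only mounted image of the suspect disk.
# Function names are this example's own. Caveat: the recorded md5 comes
# from the suspect host; an attacker with root could have edited it too,
# so confirm against the .deb from the mirror or an untouched host.

# Print "package path md5" for every conffile entry in STATUS.
# A "Conffiles:" field is followed by continuation lines that start with a
# space: " /etc/ssh/sshd_config <md5>", optionally followed by "obsolete".
conffile_list() {
  awk '
    /^Package:/   { pkg = $2; inconf = 0; next }
    /^Conffiles:/ { inconf = 1; next }
    /^ / && inconf { print pkg, $1, $2; next }
    { inconf = 0 }
  ' "$1"
}

# Compare each recorded conffile with the file at ROOT/path.
# Prints "MODIFIED pkg path" or "MISSING pkg path"; returns the number of
# findings (0 = every conffile matches its recorded hash).
changed_conffiles() {
  status="$1"; root="${2%/}"; findings=0
  while read -r pkg path want; do
    [ -n "$path" ] || continue
    if [ ! -f "$root$path" ]; then
      printf 'MISSING %s %s\n' "$pkg" "$path"
      findings=$((findings + 1))
      continue
    fi
    got=$(md5sum < "$root$path" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
      printf 'MODIFIED %s %s\n' "$pkg" "$path"
      findings=$((findings + 1))
    fi
  done <<EOF
$(conffile_list "$status")
EOF
  return "$findings"
}

# Usage against a mounted image:
#   changed_conffiles /mnt/evidence/var/lib/dpkg/status /mnt/evidence
# To see what changed in a flagged file, diff it against the copy in the
# original package:
#   apt-get download openssh-server
#   dpkg-deb --fsys-tarfile openssh-server_*.deb | tar -xO ./etc/ssh/sshd_config
```

Files that a package ships but does not mark as conffiles (binaries, libraries) are covered by the package's .md5sums file under /var/lib/dpkg/info/, which is what debsums uses; the same caveat about trusting data copied from the suspect host applies there.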



Re: need help with openssh attack

2011-12-29 Thread Patrick Geschke
Has this issue been resolved?
Can we be sure this doesn't lead back to a 
potentially vulnerable component of openssh?

Can you provide any further information?
Did you find the point of entry? (compromise)

Greetings,
Patrick

--
Patrick Geschke
System administration
KiKxxl GmbH, Osnabrück


-Original Message-
From: Noah Meyerhans [mailto:no...@debian.org]
Sent: Thursday, 29 December 2011 20:46
To: debian-security@lists.debian.org
Subject: Re: need help with openssh attack

On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody wants to check it out?
> I can provide ssh access if you give me your ssh key.

From the sound of things, we're not going to find much.  It's clear that the
attackers have already cleaned up their tracks by editing auth.log, etc.  The
detailed forensics needed here would likely take a fair bit of time.  Also,
because we'd be working on a compromised host, we likely couldn't even trust
our own tools to give us accurate information.  File-system level forensics
would be best performed on a block-level image of the disk itself (e.g. made
using something like dd).

One recommendation I've got for future deployments, if you can allocate the 
resources for it, is to have a dedicated syslog host.  This host should not run 
any services other than syslogd, including ssh.  Any access would need to be 
via the console.  You should be careful to give it a unique root password, and 
probably don't even bother to create any non-root accounts on it.  Configure 
the rest of your hosts to send their logs to this host.  Having a copy of 
things like auth.log whose integrity can be trusted would be most helpful here.

noah





Re: need help with openssh attack

2011-12-29 Thread Noah Meyerhans
On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody wants to check it out?
> I can provide ssh access if you give me your ssh key.

From the sound of things, we're not going to find much.  It's clear that
the attackers have already cleaned up their tracks by editing auth.log,
etc.  The detailed forensics needed here would likely take a fair bit of
time.  Also, because we'd be working on a compromised host, we likely
couldn't even trust our own tools to give us accurate information.
File-system level forensics would be best performed on a block-level
image of the disk itself (e.g. made using something like dd).

One recommendation I've got for future deployments, if you can allocate
the resources for it, is to have a dedicated syslog host.  This host
should not run any services other than syslogd, including ssh.  Any
access would need to be via the console.  You should be careful to give
it a unique root password, and probably don't even bother to create any
non-root accounts on it.  Configure the rest of your hosts to send their
logs to this host.  Having a copy of things like auth.log whose
integrity can be trusted would be most helpful here.

noah





Re: need help with openssh attack

2011-12-29 Thread Taz
Anybody wants to check it out?
I can provide ssh access if you give me your ssh key.



On Thu, Dec 29, 2011 at 11:06 PM, Noah Meyerhans  wrote:
> On Thu, Dec 29, 2011 at 04:39:24PM +0100, Kees de Jong wrote:
>> I guess I already pointed out everything. I added the updating part to it.
>>
>> * Use private not public keys with strong passwords
>
> This doesn't make any sense at all.  You need both private and public
> keys for key-based authentication, and it's very important that you
> recognize the difference between the two.
>
> Also, one of the real problems with ssh key authentication is that
> there's no way to enforce a strong password policy on the private keys.
> Plenty of times I've seen an otherwise secure host compromised when a
> user did something silly like drop their passwordless private key in
> their public_html folder.
>
> noah
>





Re: need help with openssh attack

2011-12-29 Thread Bartosz Feński

On 29.12.2011 18:08, Taz wrote:
> md5sums of the sshd files seem to be the same compared to a non-infected
> system. I do not have any /etc/xinetd.d. The sshd_config files are the
> default ones. I will try to run find / -mtime -5 but I guess nothing
> interesting will come up.
>
> Any other ideas? I still can provide ssh access.

I still can't believe it's a security hole in sshd, especially since it's
dozens of machines with different versions of distros.

You're able to give ssh access to a machine where, after allowing input on
port 22, it's a matter of seconds to have this perl script running?

regards
fEnIo

> On Thu, Dec 29, 2011 at 8:42 PM, Todd Wheeler  wrote:
>> I'm wondering based on this if there is anything in /etc/xinetd.d or if
>> there is anything in /etc/ssh/sshd_config that would point you in the right
>> direction. Sounds like something is spawning based on a connection to port
>> 22. (if OpenSSH itself wasn't exploited)
>>
>> Times like this: I've found that it helps to use the 'find' command and
>> print a list of files modified within the last 'x' days. ('find / -mtime -5'
>> will show last 5 days, obviously change the '5' for shorter windows) That
>> may indicate anything that has been replaced system-wise and also point you
>> in the right direction. I also find that if a system has been exploited,
>> most automated scripts will chattr the files to make them slightly more
>> difficult for someone that doesn't understand that - there may be a way to
>> search for these directly, but I can't remember off hand. It's just another
>> signature of automated rootkits, though.
>>
>> Good luck!
>>
>> On Dec 29, 2011, at 11:32 AM, Taz wrote:
>>
>>> Some of them yes, some of them no. Almost every server has only nginx
>>> installed, without a PHP or Perl backend, with a simple location / that
>>> just serves static files. The perl script was launched from ssh, I am
>>> sure. How else could you describe such an environ file of the perl PID,
>>> where it is clearly stated that the command was launched through ssh on
>>> the SSH port from a specific IP that does not belong to me? A -j DROP
>>> rule on port 22 prevented that script from appearing again, but it's
>>> not a solution.











Re: need help with openssh attack

2011-12-29 Thread Noah Meyerhans
On Thu, Dec 29, 2011 at 04:39:24PM +0100, Kees de Jong wrote:
> I guess I already pointed out everything. I added the updating part to it.
> 
> * Use private not public keys with strong passwords

This doesn't make any sense at all.  You need both private and public
keys for key-based authentication, and it's very important that you
recognize the difference between the two.

Also, one of the real problems with ssh key authentication is that
there's no way to enforce a strong password policy on the private keys.
Plenty of times I've seen an otherwise secure host compromised when a
user did something silly like drop their passwordless private key in
their public_html folder.

noah





Re: need help with openssh attack

2011-12-29 Thread Taz
md5sums of the sshd files seem to be the same compared to a non-infected
system. I do not have any /etc/xinetd.d. The sshd_config files are the
default ones. I will try to run find / -mtime -5 but I guess nothing
interesting will come up.

Any other ideas? I still can provide ssh access.
On Thu, Dec 29, 2011 at 8:42 PM, Todd Wheeler  wrote:
> I'm wondering based on this if there is anything in /etc/xinetd.d or if
> there is anything in /etc/ssh/sshd_config that would point you in the right
> direction. Sounds like something is spawning based on a connection to port
> 22. (if OpenSSH itself wasn't exploited)
>
> Times like this: I've found that it helps to use the 'find' command and
> print a list of files modified within the last 'x' days. ('find / -mtime -5'
> will show last 5 days, obviously change the '5' for shorter windows) That
> may indicate anything that has been replaced system-wise and also point you
> in the right direction. I also find that if a system has been exploited,
> most automated scripts will chattr the files to make them slightly more
> difficult for someone that doesn't understand that - there may be a way to
> search for these directly, but I can't remember off hand. It's just another
> signature of automated rootkits, though.
>
> Good luck!
>
> On Dec 29, 2011, at 11:32 AM, Taz wrote:
>
> Some of them yes, some of them no. Almost every server has only nginx
> installed, without a PHP or Perl backend, with a simple location / that
> just serves static files. The perl script was launched from ssh, I am
> sure. How else could you describe such an environ file of the perl PID,
> where it is clearly stated that the command was launched through ssh on
> the SSH port from a specific IP that does not belong to me? A -j DROP
> rule on port 22 prevented that script from appearing again, but it's
> not a solution.
>
>
>





Re: need help with openssh attack

2011-12-29 Thread Taz
Some of them yes, some of them no. Almost every server has only nginx
installed, without a PHP or Perl backend, with a simple location / that
just serves static files. The perl script was launched from ssh, I am
sure. How else could you describe such an environ file of the perl PID,
where it is clearly stated that the command was launched through ssh on
the SSH port from a specific IP that does not belong to me? A -j DROP
rule on port 22 prevented that script from appearing again, but it's
not a solution.
On Thu, Dec 29, 2011 at 8:19 PM, Todd Wheeler  wrote:
> Any chance you have a web server on these boxes? Anything that allows file 
> upload? A very common attack is to upload a .pl file through a form, and if 
> that form is sending to a path in your web root, that .pl file basically 
> becomes executable via a URL. Once it's run, it can do just about anything 
> your web server process can do, and from there local exploits are possible. 
> This includes running standalone SSH daemons, etc.
>
> I'm with everyone else - if you haven't cut them to the outside world 
> already, you should.
>
>
> On Dec 29, 2011, at 10:56 AM, Taz wrote:
>
>> I use fail2ban, but the fact is there are absolutely no records of
>> connections in auth.log. I am sure ssh is used, because after I blocked
>> the ssh port entirely the "perl" process does not start anymore. Besides,
>> on different machines I use different ports, and in all environ files of
>> the perl process in /proc the right port is written. It should also be
>> mentioned that the SSLVL variable is always 1, while I think it
>> should be 2.
>> On Thu, Dec 29, 2011 at 7:47 PM, Taz  wrote:
>>> Of course, I've double-changed all passwords and regenerated ssh keys.
>>>
>>> On Thu, Dec 29, 2011 at 7:44 PM, Taz  wrote:
>>>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>>>
>>>> here it is, all the details. please check out
>>>>
>>>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong  wrote:
>>>>> If you are absolutely sure that they gained root access then there is no
>>>>> other alternative than to kill the internet on those machines.
>>>>> And then you should back up all the data you want to preserve so that you
>>>>> can reinstall those machines safely. There is no telling if they installed
>>>>> another SSH server or other nasty things like rootkits.
>>>>> Most attackers install their own SSH server so that any changes you make
>>>>> to patch your security holes aren't putting them out of business.
>>>>> Unless you have aide installed and made regular checksums of all the files
>>>>> and configs, you have no idea if anything has changed since the attack.
>>>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>>>> system, but they aren't conclusive.
>>>>>
>>>>> The only way to be sure that you are in the clear is a total new start on
>>>>> all the affected machines.
>>>>>
>>>>>
>>>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>>>
>>>>>
>>>>> On Thu, Dec 29, 2011 at 15:04, Taz  wrote:
>>>>>>
>>>>>> Hello, we've got various debian servers, about 15, with different
>>>>>> versions. All of them have been attacked today and granted root
>>>>>> access.
>>>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>>>> to be a serious ssh vulnerability.
>>>>>>
>>>>>> How can I contact the openssh mnt?
>>>>>>
>>>>>> Thank you.
>>>>>
>>>>>
>>>>> --
>>>>> Kind regards,
>>>>> Kees de Jong
>>>>>
>>>>> The information contained in this message may be confidential and is
>>>>> intended to be exclusively for the addressee(s).
>>>>> Should you receive this message unintentionally, please do not use the
>>>>> contents herein and notify the sender immediately by return e-mail.
>>>>
>>>
>>
>


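Taz's observation that the perl process's /proc/PID/environ recorded the ssh port and a client IP that was not his is a general triage technique: sshd exports SSH_CONNECTION (client address, client port, server address, server port) and SSH_CLIENT into every session it starts, and child processes inherit them unless they scrub their environment. The script below is an added example, not from the thread: it lists the processes on a host that carry that inheritance and where each session came from. The function names and the allow-list of admin addresses are this example's assumptions; the procfs root is a parameter so the same code can be pointed at a copied tree. Reading other users' /proc entries needs root, and on a rooted host the kernel and procfs may themselves be lying, which is Noah's point above; treat the output as leads to confirm against logs on an untouched host.

```shell
#!/bin/sh
# Added example: list processes whose inherited environment says they were
# started from an SSH session, with the client address the session came
# from. sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port"
# in every session and children inherit it unless they scrub their
# environment. Function names are this example's own; PROCROOT defaults to
# /proc so a copied tree can be examined instead of the live one.
# Caveat: on a rooted host the kernel and procfs themselves may lie; treat
# the output as a lead to confirm from the logs of an untouched host.

# Value of VAR in a NUL-separated environ file (empty if absent).
environ_var() {
  tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# One line per SSH-spawned process:
#   PID COMM CLIENT_IP CLIENT_PORT SERVER_PORT
# SERVER_PORT is the port sshd answered on, which is how the non-standard
# ssh port on each machine showed up in the perl process's environ.
ssh_spawned_processes() {
  procroot="${1:-/proc}"
  for dir in "$procroot"/[0-9]*; do
    [ -r "$dir/environ" ] || continue      # other users' entries need root
    conn=$(environ_var "$dir/environ" SSH_CONNECTION)
    [ -n "$conn" ] || continue
    set -- $conn                           # split on whitespace
    [ $# -eq 4 ] || continue
    comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
    printf '%s %s %s %s %s\n' "${dir##*/}" "$comm" "$1" "$2" "$4"
  done
}

# Same, restricted to sessions from client addresses NOT in ALLOWED
# (a space-separated list of exact addresses; which hosts count as admin
# hosts is this example's assumption).
unexpected_ssh_origins() {
  allowed=" $2 "
  ssh_spawned_processes "$1" | while read -r pid comm ip port sport; do
    case "$allowed" in
      *" $ip "*) ;;
      *) printf '%s %s %s %s %s\n' "$pid" "$comm" "$ip" "$port" "$sport" ;;
    esac
  done
}

# Usage on the live host, as root:
#   unexpected_ssh_origins /proc "192.0.2.10 192.0.2.11"
```

A daemon an attacker starts with a scrubbed environment, or one that re-execs itself from cron or init, will not show up here; the absence of SSH_CONNECTION proves nothing, its presence with a foreign address is the lead.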



Re: need help with openssh attack

2011-12-29 Thread Todd Wheeler
I'm wondering based on this if there is anything in /etc/xinetd.d or if there 
is anything in /etc/ssh/sshd_config that would point you in the right 
direction. Sounds like something is spawning based on a connection to port 22. 
(if OpenSSH itself wasn't exploited)

Times like this: I've found that it helps to use the 'find' command and print a 
list of files modified within the last 'x' days. ('find / -mtime -5' will show 
last 5 days, obviously change the '5' for shorter windows) That may indicate 
anything that has been replaced system-wise and also point you in the right 
direction. I also find that if a system has been exploited, most automated 
scripts will chattr the files to make them slightly more difficult for someone 
that doesn't understand that - there may be a way to search for these directly, 
but I can't remember off hand. It's just another signature of automated 
rootkits, though.

Good luck!

On Dec 29, 2011, at 11:32 AM, Taz wrote:

> Some of them yes, some of them no. Almost every server has only nginx
> installed, without a PHP or Perl backend, with a simple location / that
> just serves static files. The perl script was launched from ssh, I am
> sure. How else could you describe such an environ file of the perl PID,
> where it is clearly stated that the command was launched through ssh on
> the SSH port from a specific IP that does not belong to me? A -j DROP
> rule on port 22 prevented that script from appearing again, but it's
> not a solution.
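Noah's advice above to do the file-system forensics on a block-level image, and Todd's find -mtime and chattr remarks in the message just above, describe one procedure: image the disk while hashing the bytes, mount the image read-only, then search it for recently modified and immutable files using the analysis host's own tools rather than binaries from the suspect disk. The functions below are an added example, not from the thread: the function names, the /mnt/evidence mount point and the 512-byte block size default are this example's choices. The mount options are the standard ones (ro, noexec, nodev, plus noload so an ext3/ext4 journal is not replayed into the evidence), and lsattr's first column shows an immutable file with an 'i', which is the direct search Todd could not remember.

```shell
#!/bin/sh
# Added example: image a suspect disk block for block while hashing the
# bytes, prove the image later, then examine it read-only with tools from
# the clean analysis host. Function names and /mnt/evidence are this
# example's own. Run from a live CD or with the disk attached to a trusted
# machine, never from the compromised install.

# acquire_image DEVICE OUT [BS]
# Writes OUT, OUT.sha256 (hash of the bytes as they were read) and
# OUT.dd.log (dd's own report, including any read errors).
# conv=noerror,sync continues past unreadable sectors and pads them so
# offsets in the image still line up with the disk. With conv=sync the
# block size must divide the device size or the final block is padded;
# 512 (the sector size) always does, at the cost of speed. GNU ddrescue
# is the better tool for a disk that is actually failing.
acquire_image() {
  dev="$1"; out="$2"; bs="${3:-512}"
  dd if="$dev" bs="$bs" conv=noerror,sync 2>"$out.dd.log" \
    | tee "$out" | sha256sum | awk '{ print $1 }' > "$out.sha256"
  [ -s "$out" ] && [ -s "$out.sha256" ]
}

# verify_image OUT: 0 if OUT still hashes to what was recorded at acquisition.
verify_image() {
  [ "$(sha256sum < "$1" | awk '{ print $1 }')" = "$(cat "$1.sha256")" ]
}

# examine_image OUT MOUNTPOINT SINCE   (needs root; SINCE like 2011-12-24)
# ro: never write to evidence. noexec,nodev: nothing on it runs or becomes
# a device node. noload (ext3/ext4): do not replay the journal, which would
# modify the image. For a whole-disk image add offset=<partition start in
# bytes> or attach it first with losetup -P. Then the checks from the
# thread, run with the analysis host's own find and lsattr: files modified
# since SINCE, and files made immutable with chattr +i, which lsattr shows
# as an 'i' in its first column.
examine_image() {
  img="$1"; mnt="$2"; since="$3"
  mkdir -p "$mnt"
  mount -o ro,noexec,nodev,noload,loop "$img" "$mnt" || return 1
  echo "== files modified since $since =="
  find "$mnt" -xdev -type f -newermt "$since" 2>/dev/null
  echo "== immutable files (chattr +i) =="
  lsattr -R "$mnt" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# Usage:
#   acquire_image /dev/sdb1 /evidence/web01.raw && verify_image /evidence/web01.raw
#   examine_image /evidence/web01.raw /mnt/evidence 2011-12-24
```

Keep OUT.sha256 and OUT.dd.log with the image: the hash is what lets you show later that the copy you analysed is the one you took, and the dd log is where unreadable sectors are recorded.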




Re: need help with openssh attack

2011-12-29 Thread Todd Wheeler
Any chance you have a web server on these boxes? Anything that allows file 
upload? A very common attack is to upload a .pl file through a form, and if 
that form is sending to a path in your web root, that .pl file basically 
becomes executable via a URL. Once it's run, it can do just about anything your 
web server process can do, and from there local exploits are possible. This 
includes running standalone SSH daemons, etc. 

I'm with everyone else - if you haven't cut them to the outside world already, 
you should.


On Dec 29, 2011, at 10:56 AM, Taz wrote:

> I use fail2ban, but the fact is there are absolutely no records of
> connections in auth.log. I am sure ssh is used, because after I blocked
> the ssh port entirely the "perl" process does not start anymore. Besides,
> on different machines I use different ports, and in all environ files of
> the perl process in /proc the right port is written. It should also be
> mentioned that the SSLVL variable is always 1, while I think it
> should be 2.
> On Thu, Dec 29, 2011 at 7:47 PM, Taz  wrote:
>> Of course, I've double-changed all passwords and regenerated ssh keys.
>> 
>> On Thu, Dec 29, 2011 at 7:44 PM, Taz  wrote:
>>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>> 
>>> here it is, all the details. please check out
>>> 
>>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong  wrote:
>>>> If you are absolutely sure that they gained root access then there is no
>>>> other alternative than to kill the internet on those machines.
>>>> And then you should back up all the data you want to preserve so that you
>>>> can reinstall those machines safely. There is no telling if they installed
>>>> another SSH server or other nasty things like rootkits.
>>>> Most attackers install their own SSH server so that any changes you make
>>>> to patch your security holes aren't putting them out of business.
>>>> Unless you have aide installed and made regular checksums of all the files
>>>> and configs, you have no idea if anything has changed since the attack.
>>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>>> system, but they aren't conclusive.
>>>>
>>>> The only way to be sure that you are in the clear is a total new start on
>>>> all the affected machines.
>>>>
>>>>
>>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>>
>>>>
>>>> On Thu, Dec 29, 2011 at 15:04, Taz  wrote:
>>>>>
>>>>> Hello, we've got various debian servers, about 15, with different
>>>>> versions. All of them have been attacked today and granted root
>>>>> access.
>>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>>> to be a serious ssh vulnerability.
>>>>>
>>>>> How can I contact the openssh mnt?
>>>>>
>>>>> Thank you.
>>>>
>>>>
>>>> --
>>>> Kind regards,
>>>> Kees de Jong
>>>>
>>>> The information contained in this message may be confidential and is
>>>> intended to be exclusively for the addressee(s).
>>>> Should you receive this message unintentionally, please do not use the
>>>> contents herein and notify the sender immediately by return e-mail.
>>>
>>
>






Re: need help with openssh attack

2011-12-29 Thread Taz
I use fail2ban, but the fact is there are absolutely no records of
connections in auth.log. I am sure ssh is used, because after I blocked
the ssh port entirely the "perl" process does not start anymore. Besides,
on different machines I use different ports, and in all environ files of
the perl process in /proc the right port is written. It should also be
mentioned that the SSLVL variable is always 1, while I think it
should be 2.
On Thu, Dec 29, 2011 at 7:47 PM, Taz  wrote:
> Of course, I've double-changed all passwords and regenerated ssh keys.
>
> On Thu, Dec 29, 2011 at 7:44 PM, Taz  wrote:
>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>
>> here it is, all the details. please check out
>>
>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong  wrote:
>>> If you are absolutely sure that they gained root access then there is no
>>> other alternative than to kill the internet on those machines.
>>> And then you should back up all the data you want to preserve so that you
>>> can reinstall those machines safely. There is no telling if they installed
>>> another SSH server or other nasty things like rootkits.
>>> Most attackers install their own SSH server so that any changes you make
>>> to patch your security holes aren't putting them out of business.
>>> Unless you have aide installed and made regular checksums of all the files
>>> and configs, you have no idea if anything has changed since the attack.
>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>> system, but they aren't conclusive.
>>>
>>> The only way to be sure that you are in the clear is a total new start on
>>> all the affected machines.
>>>
>>>
>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>
>>>
>>> On Thu, Dec 29, 2011 at 15:04, Taz  wrote:
>>>>
>>>> Hello, we've got various debian servers, about 15, with different
>>>> versions. All of them have been attacked today and granted root
>>>> access.
>>>> Can anybody help? We can give ssh access to an attacked machine; it seems
>>>> to be a serious ssh vulnerability.
>>>>
>>>> How can I contact the openssh mnt?
>>>>
>>>> Thank you.
>>>
>>>
>>> --
>>> Kind regards,
>>> Kees de Jong
>>>
>>> The information contained in this message may be confidential and is
>>> intended to be exclusively for the addressee(s).
>>> Should you receive this message unintentionally, please do not use the
>>> contents herein and notify the sender immediately by return e-mail.
>>>





Re: need help with openssh attack

2011-12-29 Thread Taz
Of course, I've double-changed all passwords and regenerated ssh keys.

On Thu, Dec 29, 2011 at 7:44 PM, Taz  wrote:
> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>
> here it is, all the details. please check out
>
> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong  wrote:
>> If you are absolutely sure that they gained root access then there is no
>> other alternative than to kill the internet on those machines.
>> And then you should back up all the data you want to preserve so that you
>> can reinstall those machines safely. There is no telling if they installed
>> another SSH server or other nasty things like rootkits.
>> Most attackers install their own SSH server so that any changes you make
>> to patch your security holes aren't putting them out of business.
>> Unless you have aide installed and made regular checksums of all the files
>> and configs, you have no idea if anything has changed since the attack.
>> You can also try rkhunter and chkrootkit to find any rootkits on your
>> system, but they aren't conclusive.
>>
>> The only way to be sure that you are in the clear is a total new start on
>> all the affected machines.
>>
>>
>> PS: We all got it now, fail2ban is a great tool ;-)
>>
>>
>>
>>
>> On Thu, Dec 29, 2011 at 15:04, Taz  wrote:
>>>
>>> Hello, we've got various debian servers, about 15, with different
>>> versions. All of them have been attacked today and granted root
>>> access.
>>> Can anybody help? We can give ssh access to attacked machine, it seems
>>> to be a serious ssh vulnerability.
>>>
>>> How can I contact openssh mnt?
>>>
>>> Thank you.
>>>
>>>
>>>
>>
>>
>>
>> --
>> Kind regards,
>> Kees de Jong
>>


-- 
Archive: 
http://lists.debian.org/ca+0w4nnjvu54+zfj-1hh2jyrcmrwlg1jfymon_ji4x5pgh7...@mail.gmail.com



RE: need help with openssh attack

2011-12-29 Thread Marcelo Andres Puebla Brescia

1. SSH. Deny root access setting "no" in PermitRootLogin option in sshd_config
file

2. SSH. Change default port

3. OS Update. Keep debian Updated.

4. Install fail2ban

5. 


From: Nicolas Carusso [mailto:ncaru...@hotmail.com]
Sent: Thursday, 29 December 2011 12:37
To: serge.dewai...@openevents.fr; debian-security@lists.debian.org
Subject: RE: need help with openssh attack

How about creating a Reference list with all the suggestions that we are doing?
If all of you agree, Let's start now.

SECURITY LIST
**

1. SSH. Deny root access setting "no" in PermitRootLogin option in
sshd_config file
2. SSH. Change default port
3. OS Update. Keep debian Updated.
4


> Date: Thu, 29 Dec 2011 16:16:45 +0100
> From: serge.dewai...@openevents.fr
> To: debian-security@lists.debian.org
> Subject: Re: need help with openssh attack
> 
> Hi,
> 
> To prevent brute-force attack, you can also use the package named 
> "fail2ban" which does not need lots of configuration or tweaking in many 
> situations.
> 
> -- 
> Serge Dewailly - System Administrator
> 
> 
> On 29/12/11 15:04, Taz wrote:
> > Hello, we've got various debian servers, about 15, with different
> > versions. All of them have been attacked today and granted root
> > access.
> > Can anybody help? We can give ssh access to attacked machine, it seems
> > to be a serious ssh vulnerability.
> >
> > How can I contact openssh mnt?
> >
> > Thank you.
> >
> >
> 
> 
> -- 
> Archive: http://lists.debian.org/4efc845d.7000...@openevents.fr
> 

Re: need help with openssh attack

2011-12-29 Thread Taz
http://security.stackexchange.com/questions/10202/perl-script-rootkit

Here it is, all the details. Please check it out.

On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong  wrote:
> If you are absolutely sure that they gained root access then there is no
> other alternative than to kill the internet on those machines.
> And then you should back up all the data you want to preserve so that you
> can reinstall those machines safely. There is no telling if they installed
> another SSH server or other nasty things like rootkits.
> Most attackers install their own SSH server so that any changes you make to
> patch your security holes aren't putting them out of business.
> Unless you have aide installed and made regular checksums of all the files
> and configs then you have no idea if anything is changed since the attack.
> You can also try rkhunter and chkrootkit to find any rootkits on your
> system, but they aren't conclusive.
>
> The only way to be sure that you are in the clear is a total new start on
> all the affected machines.
>
>
> PS: We all got it now, fail2ban is a great tool ;-)
>
>
>
>
> On Thu, Dec 29, 2011 at 15:04, Taz  wrote:
>>
>> Hello, we've got various debian servers, about 15, with different
>> versions. All of them have been attacked today and granted root
>> access.
>> Can anybody help? We can give ssh access to attacked machine, it seems
>> to be a serious ssh vulnerability.
>>
>> How can I contact openssh mnt?
>>
>> Thank you.
>>
>>
>>
>
>
>
> --
> Kind regards,
> Kees de Jong
>


-- 
Archive: 
http://lists.debian.org/CA+0W4NkGtAZxBD4=5yop-3funtb7bfnwyxxsvtgb8cybbww...@mail.gmail.com



RE: need help with openssh attack

2011-12-29 Thread Thijs Kinkhorst
On Thu, December 29, 2011 16:37, Nicolas Carusso wrote:
>
> How about creating a Reference list with all the suggestions that we are
> doing?
> If all of you agree, Let's start now.
>
> SECURITY LIST
> **

There's already the Securing Debian HOWTO:
http://www.debian.org/doc/manuals/securing-debian-howto/

Perhaps it's an idea to see if your suggestions are in there, and if not,
to suggest additions/changes/patches to the Debian Documentation project.
You can get in contact through debian-...@lists.debian.org.


Thijs


-- 
Archive: 
http://lists.debian.org/5ef4f2cdc3c21e465735821893ad10a8.squir...@wm.kinkhorst.nl



Re: need help with openssh attack

2011-12-29 Thread Serge Dewailly

Other things you can do:
  * install chkrootkit
  * check that no ssh authorized key has been installed (/root/.ssh/)
  * look at the /etc/passwd file to be sure no new user has been created
  * look at sudo (visudo) to be sure that no insecure rule has been added
  * change your root password
  * change your sshd port

It should leave you some time to back up and analyse what happened in
detail...


--
Serge Dewailly - System Administrator


On 29/12/11 15:04, Taz wrote:

Hello, we've got various debian servers, about 15, with different
versions. All of them have been attacked today and granted root
access.
Can anybody help? We can give ssh access to attacked machine, it seems
to be a serious ssh vulnerability.

How can I contact openssh mnt?

Thank you.





--
Archive: http://lists.debian.org/4efc8ac5.3070...@openevents.fr
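The checks in Serge's list, as an added example that is not part of the thread: a read-only triage script in POSIX sh that looks for extra UID 0 accounts, accounts with a login shell, passwordless sudo rules and every authorized_keys entry. It takes a filesystem root as its argument so it can be run against a mounted image of the compromised disk rather than the live host. The function names are my own, and the passwd, sudoers and authorized_keys files it builds for the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a filesystem root
# ($1, e.g. a mounted image of the compromised disk) for the items in the
# checklist. Nothing below modifies the target; everything under
# build_sample_image is CONSTRUCTED demo data.

set -u

# Accounts with UID 0 other than root: a classic backdoor account.
extra_uid0_users() {        # $1 = path to passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shell is not nologin/false: compare with what you expect.
login_shell_users() {       # $1 = path to passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# sudoers lines granting passwordless ALL, comments ignored.
nopasswd_sudo_rules() {     # $1 = path to sudoers file
    grep -Ev '^[[:space:]]*#' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL'
}

# Every authorized_keys entry under /root and /home, as "file<TAB>key comment",
# so an unfamiliar key or comment stands out.
list_authorized_keys() {    # $1 = filesystem root
    find "$1/root/.ssh" "$1/home" -name authorized_keys 2>/dev/null |
    while read -r f; do
        grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v f="$f" '{ print f "\t" $NF }'
    done
}

triage_report() {           # $1 = filesystem root
    root="$1"
    echo "== extra UID 0 accounts ==";        extra_uid0_users "$root/etc/passwd"
    echo "== accounts with a login shell =="; login_shell_users "$root/etc/passwd"
    echo "== NOPASSWD sudo rules ==";         nopasswd_sudo_rules "$root/etc/sudoers"
    echo "== authorized_keys entries ==";     list_authorized_keys "$root"
}

# CONSTRUCTED sample image: what a compromised box might look like.
build_sample_image() {      # $1 = directory to populate
    mkdir -p "$1/etc" "$1/root/.ssh" "$1/home/alice/.ssh"
    cat > "$1/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/:/bin/sh
EOF
    cat > "$1/etc/sudoers" <<'EOF'
# /etc/sudoers
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
EOF
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMO alice@laptop" \
        > "$1/home/alice/.ssh/authorized_keys"
    printf '# comment\nssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMO r00t@unknown\n' \
        > "$1/root/.ssh/authorized_keys"
}

# "sh triage.sh --demo" runs the report over the constructed image;
# "sh triage.sh /mnt/evidence" runs it over a mounted disk.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); build_sample_image "$tmp"; triage_report "$tmp"; rm -rf "$tmp"
elif [ -n "${1:-}" ] && [ -d "$1" ]; then
    triage_report "$1"
fi
```

On the constructed image the report flags the second UID 0 account, the NOPASSWD rule and the root key with an unknown comment; the point of the design is that the same functions run unchanged against an offline copy, which matters once the live host's binaries can no longer be trusted.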



Re: need help with openssh attack

2011-12-29 Thread Kees de Jong
I guess I already pointed out everything. I added the updating part to it.

* Use private not public keys with strong passwords
* Do not allow root login to the SSH server
* Don't use the default port 22 but choose one of the high order ports
* Use a port knocker to hide your SSH port (install and configure: knockd)
* Configure your iptables to allow only certain addresses (only if you
connect from static places for example your work or home)
* Also configure your /etc/hosts.deny and /etc/hosts.allow for sshd
* Use fail2ban to defend yourself from bruteforce attacks
* Use fwsnort to have SNORT rules in your iptables which will protect you
against exploits for example. You do need to configure this: fwsnort
--update-rules && fwsnort
Then run the sh script in /etc/fwsnort and save your iptables with for
example: iptables-persistent
* Use and configure PSAD for port scan protection
* Only allow certain users to connect to the SSH daemon
* Perform regular security and system updates


On Thu, Dec 29, 2011 at 16:37, Nicolas Carusso  wrote:

>  How about creating a Reference list with all the suggestions that we are
> doing?
> If all of you agree, Let's start now.
>
> SECURITY LIST
> **
>
> 1. SSH. Deny root access setting "no" in PermitRootLogin option in
> sshd_config file
> 2. SSH. Change default port
> 3. OS Update. Keep debian Updated.
> 4
>
>
> > Date: Thu, 29 Dec 2011 16:16:45 +0100
> > From: serge.dewai...@openevents.fr
> > To: debian-security@lists.debian.org
>
> > Subject: Re: need help with openssh attack
> >
> > Hi,
> >
> > To prevent brute-force attack, you can also use the package named
> > "fail2ban" which does not need lots of configuration or tweaking in many
> > situations.
> >
> > --
> > Serge Dewailly - System Administrator
> >
> >
> > On 29/12/11 15:04, Taz wrote:
> > > Hello, we've got various debian servers, about 15, with different
> > > versions. All of them have been attacked today and granted root
> > > access.
> > > Can anybody help? We can give ssh access to attacked machine, it seems
> > > to be a serious ssh vulnerability.
> > >
> > > How can I contact openssh mnt?
> > >
> > > Thank you.
> > >
> > >
> >
> >
> >
>



-- 
Kind regards,
Kees de Jong


RE: need help with openssh attack

2011-12-29 Thread Nicolas Carusso

How about creating a Reference list with all the suggestions that we are doing?
If all of you agree, Let's start now.

SECURITY LIST
**

1. SSH. Deny root access setting "no" in PermitRootLogin option in sshd_config 
file
2. SSH. Change default port
3. OS Update. Keep debian Updated.
4


> Date: Thu, 29 Dec 2011 16:16:45 +0100
> From: serge.dewai...@openevents.fr
> To: debian-security@lists.debian.org
> Subject: Re: need help with openssh attack
> 
> Hi,
> 
> To prevent brute-force attack, you can also use the package named 
> "fail2ban" which does not need lots of configuration or tweaking in many 
> situations.
> 
> -- 
> Serge Dewailly - System Administrator
> 
> 
> On 29/12/11 15:04, Taz wrote:
> > Hello, we've got various debian servers, about 15, with different
> > versions. All of them have been attacked today and granted root
> > access.
> > Can anybody help? We can give ssh access to attacked machine, it seems
> > to be a serious ssh vulnerability.
> >
> > How can I contact openssh mnt?
> >
> > Thank you.
> >
> >
> 
> 
> 
  

Re: need help with openssh attack

2011-12-29 Thread Kees de Jong
If you are absolutely sure that they gained root access then there is no
other alternative than to kill the internet on those machines.
And then you should back up all the data you want to preserve so that you
can reinstall those machines safely. There is no telling if they installed
another SSH server or other nasty things like rootkits.
Most attackers install their own SSH server so that any changes you make
to patch your security holes aren't putting them out of business.
Unless you have aide installed and made regular checksums of all the files
and configs then you have no idea if anything is changed since the attack.
You can also try rkhunter and chkrootkit to find any rootkits on your
system, but they aren't conclusive.

The only way to be sure that you are in the clear is a total new start on
all the affected machines.


PS: We all got it now, fail2ban is a great tool ;-)




On Thu, Dec 29, 2011 at 15:04, Taz  wrote:

> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access.
> Can anybody help? We can give ssh access to attacked machine, it seems
> to be a serious ssh vulnerability.
>
> How can I contact openssh mnt?
>
> Thank you.
>
>
>
>


-- 
Kind regards,
Kees de Jong


Re: need help with openssh attack

2011-12-29 Thread Serge Dewailly

Hi,

To prevent brute-force attack, you can also use the package named 
"fail2ban" which does not need lots of configuration or tweaking in many 
situations.


--
Serge Dewailly - System Administrator


On 29/12/11 15:04, Taz wrote:

Hello, we've got various debian servers, about 15, with different
versions. All of them have been attacked today and granted root
access.
Can anybody help? We can give ssh access to attacked machine, it seems
to be a serious ssh vulnerability.

How can I contact openssh mnt?

Thank you.





--
Archive: http://lists.debian.org/4efc845d.7000...@openevents.fr



RE: need help with openssh attack

2011-12-29 Thread Nicolas Carusso

Same as Ville: disable the "PermitRootLogin" feature in your sshd_config file.
Check the auth.log, and install fail2ban.
And, of course, keep your servers updated!!!

Regards, 

Nico

> Date: Thu, 29 Dec 2011 16:33:08 +0200
> From: vi...@tiensuu.eu
> To: taz.ins...@gmail.com
> CC: debian-security@lists.debian.org
> Subject: Re: need help with openssh attack
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hello,
> 
> Could you please paste the /var/log/auth.log messages of the attack?
> Are you sure it's not a bruteforce attack or similar?
> I think the problem is not in the SSH server itself, it's in your server's
> security. Are you using a weak password, and allowing direct root access
> to the server via SSH?
> If the problem persists in your other servers, try to use fail2ban or similar.
> 
> - -Ville
> 
> 29.12.2011 16:04, Taz wrote:
> > Hello, we've got various debian servers, about 15, with different 
> > versions. All of them have been attacked today and granted root 
> > access. Can anybody help? We can give ssh access to attacked
> > machine, it seems to be a serious ssh vulnerability.
> > 
> > How can I contact openssh mnt?
> > 
> > Thank you.
> > 
> > 
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJO/HokAAoJEFg15w+Y7E/mDL0IAItgyj5TSWgTILUE7l/cF7PS
> BwG71ypgQf/uMlsNnkbylspnvBj9edZfKfer844NvrG6yJbLw25sNI4eOLlvO1xQ
> nQJHwSNPhWVRHt3gwu5QlHSv0r0qbBdcXjQXDwqG6adp8qY3Qx7BIzvU0DThb08K
> Kbk0/4WcUHb7GtphJUIENPnyaC6xksb413fyT2RW3/m3xm7bRWqXH5bSAvs4/NIP
> 1m9oqxPO+HNnTF1U1KV+fdubLGIYeMHrskKSubBQ7U/+mn7/uhANT6Ke4XFtWsu8
> Mgwr11j2/trCTxBNJvAEyjdpK2/vn+LRgNF12THOeCVFNQcgVyY+iWwGddY6IyU=
> =8DkS
> -END PGP SIGNATURE-
> 
> 
> 
  

Re: need help with openssh attack

2011-12-29 Thread André Schild

It's always a good idea to move ssh to a non-standard port,
so at least automated attacks are almost stopped.

André

On 29.12.2011 15:50, Nikolay Yatsyshyn wrote:
As a temporary solution you could use my ssh bruteforce preventing
script of iptables


I use this to prevent ssh and ftp bruteforce, where AAA.BBB.CCC.DDD is
your trusted ip, which will never be blocked. This script will block an
ip if it makes >3 connections per 5 minutes.


iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr \
    --update --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
iptables -A SSH_WHITELIST -s AAA.BBB.CCC.DDD -p tcp --dport 22 --syn \
    -m recent --rttl --remove


To increase security change MaxAuthTries 1 in /etc/ssh/sshd_config, so 
remote user can do only 2 connection attempts with 2 password retries.


On Thu, Dec 29, 2011 at 4:33 PM, Ville Tiensuu wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

Could you please paste the /var/log/auth.log messages of the attack?
Are you sure it's not a bruteforce attack or similar?
I think the problem is not in the SSH server itself, it's in your server's
security. Are you using a weak password, and allowing direct root access
to the server via SSH?
If the problem persists in your other servers, try to use fail2ban or
similar.

- -Ville

29.12.2011 16:04, Taz wrote:
> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access. Can anybody help? We can give ssh access to attacked
> machine, it seems to be a serious ssh vulnerability.
>
> How can I contact openssh mnt?
>
> Thank you.
>
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO/HokAAoJEFg15w+Y7E/mDL0IAItgyj5TSWgTILUE7l/cF7PS
BwG71ypgQf/uMlsNnkbylspnvBj9edZfKfer844NvrG6yJbLw25sNI4eOLlvO1xQ
nQJHwSNPhWVRHt3gwu5QlHSv0r0qbBdcXjQXDwqG6adp8qY3Qx7BIzvU0DThb08K
Kbk0/4WcUHb7GtphJUIENPnyaC6xksb413fyT2RW3/m3xm7bRWqXH5bSAvs4/NIP
1m9oqxPO+HNnTF1U1KV+fdubLGIYeMHrskKSubBQ7U/+mn7/uhANT6Ke4XFtWsu8
Mgwr11j2/trCTxBNJvAEyjdpK2/vn+LRgNF12THOeCVFNQcgVyY+iWwGddY6IyU=
=8DkS
-END PGP SIGNATURE-








--
BR, Nikolay Yatsyshyn



--
Aarboard AG        Phone: +41 32 332 97 14
Egliweg 10         Fax:   +41 32 332 97 14
2560 Nidau
Switzerland        www.aarboard.ch



Re: need help with openssh attack

2011-12-29 Thread Kees de Jong
Just some advice to make your SSH server more secure:

* Use private not public keys with strong passwords
* Do not allow root login to the SSH server
* Don't use the default port 22 but choose one of the high order ports
* Use a port knocker to hide your SSH port (install and configure: knockd)
* Configure your iptables to allow only certain addresses (only if you
connect from static places for example your work or home)
* Also configure your /etc/hosts.deny and /etc/hosts.allow for sshd
* Use fail2ban to defend yourself from bruteforce attacks
* Use fwsnort to have SNORT rules in your iptables which will protect you
against exploits for example. You do need to configure this: fwsnort
--update-rules && fwsnort
Then run the sh script in /etc/fwsnort and save your iptables with for
example: iptables-persistent
* Use and configure PSAD for port scan protection
* Only allow certain users to connect to the SSH daemon

If you need more detail on any of these tips then just ask and I'll provide
;-)




On Thu, Dec 29, 2011 at 15:38, Russell Coker  wrote:

> On Fri, 30 Dec 2011, Taz  wrote:
> > Hello, we've got various debian servers, about 15, with different
> > versions. All of them have been attacked today and granted root
> > access.
> > Can anybody help? We can give ssh access to attacked machine, it seems
> > to be a serious ssh vulnerability.
>
>
> http://blog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html
>
> The above blog post may be of use to you.  One of my servers was
> compromised
> via that one.
>
> > How can I contact openssh mnt?
>
> Colin Watson 
>
> The changelog for the openssh-server package gives Colin as the maintainer.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
>
>
>


-- 
Kind regards,
Kees de Jong


Re: need help with openssh attack

2011-12-29 Thread Nikolay Yatsyshyn
As a temporary solution you could use my ssh bruteforce preventing script
of iptables

I use this to prevent ssh and ftp bruteforce, where AAA.BBB.CCC.DDD is your
trusted ip, which will never be blocked. This script will block an ip if it
makes >3 connections per 5 minutes.

iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --update \
    --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
iptables -A SSH_WHITELIST -s AAA.BBB.CCC.DDD -p tcp --dport 22 --syn \
    -m recent --rttl --remove

To increase security change MaxAuthTries 1 in /etc/ssh/sshd_config, so
remote user can do only 2 connection attempts with 2 password retries.

On Thu, Dec 29, 2011 at 4:33 PM, Ville Tiensuu  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hello,
>
> Could you please paste the /var/log/auth.log messages of the attack?
> Are you sure it's not a bruteforce attack or similar?
> I think the problem is not in the SSH server itself, it's in your server's
> security. Are you using a weak password, and allowing direct root access
> to the server via SSH?
> If the problem persists in your other servers, try to use fail2ban or similar.
>
> - -Ville
>
> 29.12.2011 16:04, Taz wrote:
> > Hello, we've got various debian servers, about 15, with different
> > versions. All of them have been attacked today and granted root
> > access. Can anybody help? We can give ssh access to attacked
> > machine, it seems to be a serious ssh vulnerability.
> >
> > How can I contact openssh mnt?
> >
> > Thank you.
> >
> >
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJO/HokAAoJEFg15w+Y7E/mDL0IAItgyj5TSWgTILUE7l/cF7PS
> BwG71ypgQf/uMlsNnkbylspnvBj9edZfKfer844NvrG6yJbLw25sNI4eOLlvO1xQ
> nQJHwSNPhWVRHt3gwu5QlHSv0r0qbBdcXjQXDwqG6adp8qY3Qx7BIzvU0DThb08K
> Kbk0/4WcUHb7GtphJUIENPnyaC6xksb413fyT2RW3/m3xm7bRWqXH5bSAvs4/NIP
> 1m9oqxPO+HNnTF1U1KV+fdubLGIYeMHrskKSubBQ7U/+mn7/uhANT6Ke4XFtWsu8
> Mgwr11j2/trCTxBNJvAEyjdpK2/vn+LRgNF12THOeCVFNQcgVyY+iWwGddY6IyU=
> =8DkS
> -END PGP SIGNATURE-
>
>
>
>
>
>


-- 
BR, Nikolay Yatsyshyn
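Nikolay's MaxAuthTries advice and the sshd_config items in Kees's and Nicolas's lists (PermitRootLogin, the port, password logins, AllowUsers) can be checked mechanically. The script below is an added example, not code from the thread: a POSIX sh audit that reads a config the way sshd does, taking the first occurrence of a keyword (sshd_config(5): the first obtained value wins). The function names and thresholds are my own, the defaults passed for absent keywords are the sshd_config(5) defaults of the period (PermitRootLogin defaulted to yes before OpenSSH 7.0), and the two configs it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended in this thread. sshd uses the FIRST value found for a keyword,
# so sshd_effective stops at the first match, exactly like sshd does.
# write_sample_configs produces CONSTRUCTED demo files.

set -u

# Effective value of keyword $2 in config $1; $3 is the sshd default used
# when the keyword is absent. Keyword match is case-insensitive, like sshd.
sshd_effective() {
    v=$(awk -v key="$2" 'NF >= 2 && tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# One finding per line; the thresholds are editorial choices, not sshd's.
audit_sshd_config() {
    cfg="$1"
    if [ "$(sshd_effective "$cfg" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: set it to no and use an unprivileged account plus sudo"
    fi
    if [ "$(sshd_effective "$cfg" Port 22)" = "22" ]; then
        echo "Port 22: automated brute-force bots target the default port"
    fi
    if [ "$(sshd_effective "$cfg" MaxAuthTries 6)" -gt 3 ]; then
        echo "MaxAuthTries above 3: lower it so each connection allows fewer guesses"
    fi
    if [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: prefer key-only logins"
    fi
    if [ -z "$(sshd_effective "$cfg" AllowUsers "")" ]; then
        echo "No AllowUsers: restrict logins to named accounts"
    fi
}

# CONSTRUCTED samples: a stock-looking weak config and a hardened one. The
# trailing duplicate PermitRootLogin in the hardened file is ignored by sshd
# (first value wins) and must therefore be ignored by the audit too.
write_sample_configs() {    # $1 = directory to write into
    cat > "$1/weak.conf" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
UsePAM yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers alice bob
AllowTcpForwarding no
PermitRootLogin yes
EOF
}

# "sh sshd-audit.sh /etc/ssh/sshd_config" audits a real file.
if [ $# -ge 1 ] && [ -f "$1" ]; then
    audit_sshd_config "$1"
fi
```

The weak sample yields five findings and the hardened one none; the commented-out `#MaxAuthTries 6` line in the weak file is correctly treated as absent, so the default of 6 is what gets judged.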


Re: need help with openssh attack

2011-12-29 Thread Russell Coker
On Fri, 30 Dec 2011, Taz  wrote:
> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access.
> Can anybody help? We can give ssh access to attacked machine, it seems
> to be a serious ssh vulnerability.

http://blog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html

The above blog post may be of use to you.  One of my servers was compromised 
via that one.

> How can I contact openssh mnt?

Colin Watson 

The changelog for the openssh-server package gives Colin as the maintainer.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


-- 
Archive: http://lists.debian.org/201112300138.11707.russ...@coker.com.au



Re: need help with openssh attack

2011-12-29 Thread Ville Tiensuu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

Could you please paste the /var/log/auth.log messages of the attack?
Are you sure it's not a bruteforce attack or similar?
I think the problem is not in the SSH server itself, it's in your server's
security. Are you using a weak password, and allowing direct root access
to the server via SSH?
If the problem persists in your other servers, try to use fail2ban or similar.

- -Ville

29.12.2011 16:04, Taz wrote:
> Hello, we've got various debian servers, about 15, with different 
> versions. All of them have been attacked today and granted root 
> access. Can anybody help? We can give ssh access to attacked
> machine, it seems to be a serious ssh vulnerability.
> 
> How can I contact openssh mnt?
> 
> Thank you.
> 
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO/HokAAoJEFg15w+Y7E/mDL0IAItgyj5TSWgTILUE7l/cF7PS
BwG71ypgQf/uMlsNnkbylspnvBj9edZfKfer844NvrG6yJbLw25sNI4eOLlvO1xQ
nQJHwSNPhWVRHt3gwu5QlHSv0r0qbBdcXjQXDwqG6adp8qY3Qx7BIzvU0DThb08K
Kbk0/4WcUHb7GtphJUIENPnyaC6xksb413fyT2RW3/m3xm7bRWqXH5bSAvs4/NIP
1m9oqxPO+HNnTF1U1KV+fdubLGIYeMHrskKSubBQ7U/+mn7/uhANT6Ke4XFtWsu8
Mgwr11j2/trCTxBNJvAEyjdpK2/vn+LRgNF12THOeCVFNQcgVyY+iWwGddY6IyU=
=8DkS
-END PGP SIGNATURE-


-- 
Archive: http://lists.debian.org/4efc7a24.3030...@tiensuu.eu
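The auth.log review Ville asks for, and the per-IP counting that fail2ban's sshd jail automates, as an added example that is not part of the thread: awk over the sshd lines of an auth.log, counting failed password attempts per source address, listing the addresses at or above a threshold (fail2ban's maxretry), and pulling out successful root logins, which are the lines that decide whether a brute-force run actually got in. The function names are my own and the log lines are constructed for the demo, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): brute-force review of sshd auth.log
# lines. failed_by_ip/offenders mirror the counting behind a fail2ban jail;
# root_logins finds the compromise indicator. write_sample_authlog writes
# CONSTRUCTED sample lines in the syslog format Debian's sshd uses.

set -u

# Failed password attempts per source IP, printed as "count ip", highest first.
failed_by_ip() {            # $1 = auth.log
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Source IPs whose failure count is at or above the threshold, one per line.
offenders() {               # $1 = auth.log, $2 = threshold (fail2ban: maxretry)
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful root logins as "method ip". A password login from an address
# that had just been failing repeatedly is what to look for after an attack.
root_logins() {             # $1 = auth.log
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i - 3), $(i + 1)
         }' "$1"
}

write_sample_authlog() {    # $1 = output file; CONSTRUCTED sample data
    cat > "$1" <<'EOF'
Dec 29 14:02:11 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Dec 29 14:02:13 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Dec 29 14:03:01 web1 sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec 29 14:05:44 web1 sshd[2251]: Failed password for root from 203.0.113.45 port 51302 ssh2
Dec 29 14:05:50 web1 sshd[2253]: Accepted password for root from 203.0.113.45 port 51310 ssh2
Dec 29 14:06:12 web1 sshd[2260]: Failed password for alice from 198.51.100.7 port 40030 ssh2
EOF
}

# "sh authlog-review.sh /var/log/auth.log" runs the three views on a real log.
if [ $# -ge 1 ] && [ -f "$1" ]; then
    echo "== failed attempts per IP =="; failed_by_ip "$1"
    echo "== IPs at or above 3 failures =="; offenders "$1" 3
    echo "== root logins =="; root_logins "$1"
fi
```

On the sample, 203.0.113.45 fails three times and then succeeds with a password for root, which is the pattern Ville's questions are probing for (weak root password plus direct root login), whereas the single failure from 198.51.100.7 followed by a publickey login for alice is ordinary user behaviour.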



need help with openssh attack

2011-12-29 Thread Taz
Hello, we've got various debian servers, about 15, with different
versions. All of them have been attacked today and granted root
access.
Can anybody help? We can give ssh access to attacked machine, it seems
to be a serious ssh vulnerability.

How can I contact openssh mnt?

Thank you.


-- 
Archive: 
http://lists.debian.org/CA+0W4N=at0esj+y3d8drzw8u+s6tcr6bcuha+w+u5rl-80v...@mail.gmail.com