Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Jupp, I think I have an intruder; the IP 202.172.171.217 isn't known to me
at all.
I am the only one who knows the root password, and I have not logged in at the
times that last is showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 characters long, using numbers
and letters.
This is from my old config; is plaintext-password supposed to be blank?

# show system login
user root {
    authentication {
        encrypted-password: $1$nZxxsgXC/
        plaintext-password:
    }
}
user vyatta {
    authentication {
        encrypted-password: $1$yyyt0/
        plaintext-password:
    }
}

2008/2/4, Dave Strydom [EMAIL PROTECTED]:

 Login to your router as root and run:

 # last | more

 and see if there are any logins to your machine which you do not
 recognize.



 On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones [EMAIL PROTECTED]
 wrote:
  I got mail from another linux user today. He complained about login attempts
  to his boxes, from my vyatta router!
  Am I haxored or what? This is from his log, and the IP 12.34.56.78 is my
  router.

  Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user root from 12.34.56.78 port 42492 ssh2
  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
  Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user root from 12.34.56.78 port 42926 ssh2
  Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not allowed because not listed in AllowUsers
  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
  Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user root from 12.34.56.78 port 43408 ssh2
  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78 (12.34.56.78)
  ___
  Vyatta-users mailing list
  Vyatta-users@mailman.vyatta.com
  http://mailman.vyatta.com/mailman/listinfo/vyatta-users
 
 
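The `last` review suggested in this thread can be scripted. The following is an added example, not part of the original messages, that lists sessions whose source address is outside an allowlist of known admin hosts. The allowlist address 192.0.2.10 and every sample line other than the four root sessions are constructed.

```shell
#!/bin/sh
# Added example: summarise remote logins in `last` output whose source
# address is not on an allowlist of known admin hosts.

# stdin: `last`-style lines; $1: space-separated known source addresses.
# stdout: "user host sessions total-minutes", one line per unknown source.
unknown_logins() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        # Skip blanks, the "wtmp begins" trailer and boot records.
        NF < 4 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        # A weekday in column 3 means a local login with no remote host.
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        !($3 in known) {
            key = $1 " " $3
            sessions[key]++
            # Duration is the last field: (HH:MM) or (D+HH:MM).
            d = $NF
            if (d ~ /^\([0-9+:]+\)$/) {
                gsub(/[()]/, "", d)
                days = 0
                if (split(d, p, "+") == 2) { days = p[1]; d = p[2] }
                split(d, hm, ":")
                minutes[key] += days * 1440 + hm[1] * 60 + hm[2]
            }
        }
        END {
            for (k in sessions) print k, sessions[k], minutes[k] + 0
        }
    ' | sort
}

# The first four lines are the sessions quoted in the thread (column
# spacing restored); the rest are constructed. 192.0.2.10 stands in for
# a known admin workstation.
sample_last() {
    cat <<'EOF'
root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
vyatta   pts/1        192.0.2.10       Thu Jan 31 09:02 - 09:40  (00:38)
root     tty1                          Wed Jan 30 10:15 - 10:20  (00:05)
reboot   system boot  2.6.20           Wed Jan 30 10:14 - 08:00 (5+21:46)
wtmp begins Wed Jan 30 10:14:02 2008
EOF
}

sample_last | unknown_logins "192.0.2.10"
```

On a live system the input would be `last | unknown_logins "addr1 addr2"`; sessions still open are counted with zero minutes.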


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Hi
I am only using ssh. Is it possible to have rsa-keys for all users,
including vyatta?
Maybe the attackers managed to brute force my password?
This is very annoying since I have to reinstall the machine tomorrow and
don't know what went wrong. Haven't had time to check the logs either.

How does the user configuration look for you other guys and girls?


2008/2/4, Stig Thormodsrud [EMAIL PROTECTED]:

 Hi Jostein,

 Are you using telnet or ssh to access the box?  Using telnet is not secure
 from a public network as the username/password is in clear text.

 stig




Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Yes, I did change the root password asap!

I would much like to see a configuration snippet on how to use rsa-keys.
Can I use several rsa-keys so I can login as different users?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:

 Yup sure is.  I have set up my vyatta router to only allow rsa keys.
 Did you change your root password from 'vyatta'?

 Nate


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
No problemo, will do.

I'm still annoyed that someone managed to get in.
Maybe tripwire would be nice on the box?

2008/2/4, Nathan McBride [EMAIL PROTECTED]:

 Correct, you have to drop down to the linux cli, not vyatta's.

 On Mon, 2008-02-04 at 14:08 -0500, Aubrey Wells wrote:
  As far as I could tell, you can't set up key-only auth in the CLI. If
  you drop an authorized_keys file in to each user's ~/.ssh directory,
  and set PasswordAuthentication=no in sshd.conf you will enable
  key-only auth.
 
  --
  Aubrey Wells
  Senior Engineer
  Shelton | Johns Technology Group
  404.478.2790
  Support: [EMAIL PROTECTED]
  www.sheltonjohns.com
 
 
 
 
 
 
Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-30 Thread Jostein Martinsen-Jones
How production-ready is Glendale? I'm using vyatta as router/firewall in
front of a couple of servers that will soon go live...
Since it's alpha, do you think I should do it? Just printed the whole
manual...

2008/1/30, Justin Fletcher [EMAIL PROTECTED]:

 Maybe . . .

 However, much of this has been resolved with associated changes in
 Glendale.
 Give Alpha 1 a try - I doubt you'll see it there :-)

 Best,
 Justin

 On Jan 30, 2008 12:43 PM, Jostein Martinsen-Jones [EMAIL PROTECTED]
 wrote:
  But I feel that the only reason I didn't have to reboot is luck :(
  Maybe next time I'm unable to login with any account?
 
  2008/1/30, Justin Fletcher [EMAIL PROTECTED]:
 
   As you can see, nothing jumps out in the log.  A detailed search may
   turn up more information; otherwise, at least you've got a work-around
   :-)
  
   Justin
  


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-29 Thread Jostein Martinsen-Jones
Log result attached.
I managed to log in if I changed the passwords for my troubled users.
Sometimes the encrypted-password didn't get encrypted.


2008/1/29, Justin Fletcher [EMAIL PROTECTED]:

 Give show log | match ERROR a try.

 Justin

 On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED]
 wrote:
  I have this problem again. Now I was able to log in to a user account I
  created, but unable to view logfiles since I'm in xorpsh.
 
  2008/1/28, Justin Fletcher [EMAIL PROTECTED]:
 
   Anything untoward in the log files?
  
   Justin
  
   On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED]
  wrote:
    Today I had a weird experience with Vyatta.
    I was unable to login on any account. Did a reboot, then everything was
    normal.
    What is going on?
   
show log | match ERROR
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR xorp_rtrmgr:3758 LIBXORP +741 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc done ] Command /opt/vyatta/sbin/xorp_tmpl_tool: exited with exit status 1.
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR xorp_rtrmgr:3758 RTRMGR +1647 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc execute_done ] Error found on program stderr!
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR xorp_rtrmgr:3758 RTRMGR +701 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: VPN configuration error.  The IKE group IKE-1W specified for peer 0.0.0.0 has not been configured. VPN configuration error.  The ESP group ESP-1W specified for peer 0.0.0.0 tunnel 1 has not been configured. VPN configuration commit aborted due to error(s).
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR xorp_rtrmgr:3758 LIBXORP +741 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc done ] Command /opt/vyatta/sbin/xorp_tmpl_tool: exited with exit status 1.
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR xorp_rtrmgr:3758 RTRMGR +1647 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc execute_done ] Error found on program stderr!
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR xorp_rtrmgr:3758 RTRMGR +701 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: VPN configuration error.  The IKE group IKE-1W specified for peer 0.0.0.0 has not been configured. VPN configuration error.  The ESP group ESP-1W specified for peer 0.0.0.0 tunnel 1 has not been configured. VPN configuration commit aborted due to error(s).
Jan 28 14:33:36 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in main_outI1. Errno 101: Network is unreachable
Jan 28 14:33:36 localhost ipsec__plutorun: 003 ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in main_outI1. Errno 101: Network is unreachable
Jan 28 14:33:40 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #2: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable
Jan 28 14:33:46 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in EVENT_RETRANSMIT. Errno 101: Network is unreachable
Jan 28 14:33:50 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #3: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable


[Vyatta-users] VPN: clients to router configuration

2008-01-27 Thread Jostein Martinsen-Jones
Hi all

I am looking for information on how to setup my Vyatta router so clients
using Linux can get access to our VPN.

Any help is appreciated!


Re: [Vyatta-users] VPN: clients to router configuration

2008-01-27 Thread Jostein Martinsen-Jones
Ok, I have a site-to-site up and running between my Vyatta and a Netgear
FVS338 VPN/Firewall box.

I also have several road warriors that need access to a LAN behind the
Netgear box, so I want them to connect to the Vyatta router (because it's too
hard to make a client connect to the netgear box). I think this is like a hub
and spoke setup.

I am not using Glendale.


2008/1/27, Justin Fletcher [EMAIL PROTECTED]:

 A few questions - are you terminating the VPN on the Vyatta router?
 Is it site-to-site,
 or are you running Glendale alpha and trying out the remote access
 VPN?  Or is the VPN a separate system?

 If it's site-to-site, just set up an Openswan connection.
 If it's remote access, see http://stuff.pulkes.org/l2tp/ as an option.
 Otherwise, the Vyatta router should just forward traffic --

 Best,
 Justin
