help needed after intrusion from a ssh dictionary attack - Security


Thread: help needed after intrusion from a ssh dictionary attack

  1. help needed after intrusion from a ssh dictionary attack

    Hello

    One of our lab machines running Redhat Enterprise 3 has been intruded
    upon by somebody. He used a simple ssh dictionary attack but
    unfortunately our root is enabled through ssh and the root password
    was not strong enough. We got a report that there were 3GB of
    unexpected traffic during that day through ssh.
    Now we are going to reset the root password but for some other reasons
    we don't want to disable root login through ssh.
    So I would like to do a dictionary attack on our machine first to make
    sure our password is strong enough. Is there any well-known hacking
    software that I can download and try to see if our system is secure?
    Thanks a lot.

    Shi


  2. Re: help needed after intrusion from a ssh dictionary attack

    jinzishuai@gmail.com wrote:
    > Hello
    >
    > One of our lab machines running Redhat Enterprise 3 has been intruded
    > upon by somebody. He used a simple ssh dictionary attack but
    > unfortunately our root is enabled through ssh and the root password
    > was not strong enough. We got a report that there were 3GB of
    > unexpected traffic during that day through ssh.


    Goodness...

    > Now we are going to reset the root password but for some other reasons
    > we don't want to disable root login through ssh.


    What you should do is unplug the compromised box from the net, back up
    your data, wipe out the rest and reinstall Linux. With regard to "for
    some other reasons we don't want to disable root login....", imho, that
    is bad thinking. At least disable password login and use private/public
    RSA/DSA key authentication.

    > So I would like to do a dictionary attack on our machine first to make
    > sure our password is strong enough. Is there any well-known hacking
    > software that I can download and try to see if our system is secure?
    > Thanks a lot.


    Bad thinking...

  3. Re: help needed after intrusion from a ssh dictionary attack

    jinzishuai@gmail.com wrote:
    > Hello
    >
    > One of our lab machines running Redhat Enterprise 3 has been intruded
    > upon by somebody. He used a simple ssh dictionary attack but
    > unfortunately our root is enabled through ssh and the root password
    > was not strong enough. We got a report that there were 3GB of
    > unexpected traffic during that day through ssh.
    > Now we are going to reset the root password but for some other reasons
    > we don't want to disable root login through ssh.
    > So I would like to do a dictionary attack on our machine first to make
    > sure our password is strong enough. Is there any well-known hacking
    > software that I can download and try to see if our system is secure?
    > Thanks a lot.


    1. Your host has been compromised... nothing on the host can
    be trusted. If you choose to examine the data for forensics' sake,
    do so using a forensics environment (something that won't damage
    anything else). Wipe and reinstall to bring the server back online.

    2. You'll just have to trust me... you have NO good reason for
    allowing root via tunneled clear text passwords. Use passphrase
    protected keys... (more below)

    3. In general:

    a. Don't run ssh on port 22, put it somewhere else, somewhere
    hard to guess... use port knocking if you can.

    b. Reduce the number of ids allowed to login via ssh. No root...
    especially if using tunneled clear text passwords (that's a
    fancy phrase for what you normally do when using ssh... where
    you have to type in your password for the remote host).

    c. Switch to using passphrase-protected keyed logins instead.
    That way your password, in whatever form, is NEVER sent
    on the wire during authentication. Just make sure that you
    protect your private key and use a good passphrase as well.

  4. Re: help needed after intrusion from a ssh dictionary attack

    jinzishuai@gmail.com wrote:
    > Hello
    >
    > One of our lab machines running Redhat Enterprise 3 has been intruded
    > upon by somebody. He used a simple ssh dictionary attack but
    > unfortunately our root is enabled through ssh and the root password
    > was not strong enough. We got a report that there were 3GB of
    > unexpected traffic during that day through ssh.
    > Now we are going to reset the root password but for some other reasons
    > we don't want to disable root login through ssh.
    > So I would like to do a dictionary attack on our machine first to make
    > sure our password is strong enough. Is there any well-known hacking
    > software that I can download and try to see if our system is secure?


    It's not. Period.

    You have to restore the OS from CD and data from backup.

    Once a host has been compromised, nothing on it can be
    trusted.

    After you restore it, you really need to disable root login
    and you probably want to install tcpwrappers or a firewall
    to further limit your exposure.
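    Posts 2 to 4 above converge on the same sshd settings: no direct root
    login, keys instead of passwords, and a short list of accounts that may
    log in at all. As an added example that is not from the thread or any of
    its posters, the POSIX shell script below audits an sshd_config for
    exactly those settings and runs the audit over a constructed "before"
    configuration (the kind that let the dictionary attack succeed) and a
    hardened one. The function names, the sample file contents and the
    scratch directory are assumptions made for the demonstration; the
    keyword names are real OpenSSH sshd_config keywords.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the replies above argue about. Run it against /etc/ssh/sshd_config on the
# rebuilt host; a clean configuration produces no FINDING lines.
#
# OpenSSH uses the FIRST uncommented occurrence of a keyword, so the lookup
# below stops at the first match. Keywords are case-insensitive.

sshd_setting() {
    # $1 = config file, $2 = keyword, $3 = value to report if the keyword is absent
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

audit_sshd_config() {
    cfg="$1"

    # 1. Direct root login. Absent keyword: OpenSSH releases before 7.0 (which
    #    includes the 3.x series shipped with RHEL 3) default to "yes".
    case "$(sshd_setting "$cfg" PermitRootLogin yes)" in
        yes) echo "FINDING: PermitRootLogin yes - root is a password-guessing target" ;;
    esac

    # 2. Password authentication at all ("tunneled clear text passwords" in the
    #    thread's words). Defaults to yes; key-only logins need it set to no.
    case "$(sshd_setting "$cfg" PasswordAuthentication yes)" in
        yes) echo "FINDING: PasswordAuthentication yes - dictionary attacks remain possible, use keys" ;;
    esac

    # 3. Account restriction. Without AllowUsers/AllowGroups every local
    #    account that has a password can be tried over ssh.
    if [ -z "$(sshd_setting "$cfg" AllowUsers "")" ] && [ -z "$(sshd_setting "$cfg" AllowGroups "")" ]; then
        echo "FINDING: no AllowUsers/AllowGroups - every account is reachable over ssh"
    fi
    return 0
}

# Constructed sample configurations for the demonstration (not real files).
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
# before: the configuration that let the dictionary attack succeed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# after: key-only logins, no root, named accounts only
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
}

# Stand-alone run: audit both samples in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd_config "$tmp/$f.conf"
    done
    rm -rf "$tmp"
fi
```

    Run `sh audit.sh --demo` to see the two samples audited side by side, or
    source the file and call `audit_sshd_config /etc/ssh/sshd_config` on the
    reinstalled machine. The weak sample produces three FINDING lines, the
    hardened one none.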

  5. Re: help needed after intrusion from a ssh dictionary attack

    base60 writes:

    >jinzishuai@gmail.com wrote:
    >> Hello
    >>
    >> One of our lab machines running Redhat Enterprise 3 has been intruded
    >> upon by somebody. He used a simple ssh dictionary attack but
    >> unfortunately our root is enabled through ssh and the root password
    >> was not strong enough. We got a report that there were 3GB of
    >> unexpected traffic during that day through ssh.
    >> Now we are going to reset the root password but for some other reasons
    >> we don't want to disable root login through ssh.
    >> So I would like to do a dictionary attack on our machine first to make
    >> sure our password is strong enough. Is there any well-known hacking
    >> software that I can download and try to see if our system is secure?


    >It's not. Period.


    >You have to restore the OS from CD and data from backup.


    And then you have to search for suid files.


    a) You can always get root by logging in as a user and then using su
    to get to root.

    b) Or use passwordless login (rsa or dsa login).



    >Once a host has been compromised, nothing on it can be
    >trusted.


    >After you restore it, you really need to disable root login
    >and you probably want to install tcpwrappers or a firewall
    >to further limit your exposure.


  6. Re: help needed after intrusion from a ssh dictionary attack

    jinzishuai@gmail.com wrote:
    > Hello
    >
    > One of our lab machines running Redhat Enterprise 3 has been intruded
    > upon by somebody. He used a simple ssh dictionary attack but
    > unfortunately our root is enabled through ssh and the root password
    > was not strong enough. We got a report that there were 3GB of
    > unexpected traffic during that day through ssh.
    > Now we are going to reset the root password but for some other reasons
    > we don't want to disable root login through ssh.
    > So I would like to do a dictionary attack on our machine first to make
    > sure our password is strong enough. Is there any well-known hacking
    > software that I can download and try to see if our system is secure?
    > Thanks a lot.


    You should make the correct decision; you need to find a balance between
    risk and benefits. You need to know that your system has been defaced,
    and almost anything can have been done (but why?).
    You have a few choices; one is to find all changed files (comparing md5
    sums from your backup), check all suspicious files, and try to make sure
    that everything is under control.

    About securing it, I believe in the chrooting paradigm for providing safer
    systems. If you'd like to read more, I'd suggest you visit these pages:
    http://www.linuxfocus.org/English/Ja...ticle225.shtml
    http://www.cgisecurity.com/webserver...he2-howto.html

    There are lots of ways of chrooting systems. Feel free to discuss
    it.

    Marek Wawro
    --
    wawro.yawda.com

  7. Re: help needed after intrusion from a ssh dictionary attack

    In comp.os.linux.security jinzishuai@gmail.com:
    > Hello


    > One of our lab machines running Redhat Enterprise 3 has been intruded
    > upon by somebody. He used a simple ssh dictionary attack but
    > unfortunately our root is enabled through ssh and the root password
    > was not strong enough. We got a report that there were 3GB of
    > unexpected traffic during that day through ssh.


    The question is why is your important (presuming since you pay RH
    yearly cash) lab server accessible from the internet via ssh at
    all?

    > Now we are going to reset the root password but for some other reasons
    > we don't want to disable root login through ssh.


    As others already outlined there's no reason to enable direct
    root login via ssh.

    > So I would like to do a dictionary attack on our machine first to make
    > sure our password is strong enough. Is there any well-known hacking
    > software that I can download and try to see if our system is secure?
    > Thanks a lot.


    The cols (comp.os.linux.security) FAQ should be helpful on your
    way reinstalling + securing the new installation or recovering
    from the last backup (presuming you have one) + securing the
    system:

    http://www.linuxsecurity.com/docs/colsfaq.html

    Good luck

    BTW
    Please read this before posting anything else:

    http://cfaj.freeshell.org/google

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 370: Virus due to computers having unsafe sex.

  8. Re: help needed after intrusion from a ssh dictionary attack

    base60 wrote:
    > jinzishuai@gmail.com wrote:
    > > Hello
    > >


    > It's not. Period.
    >
    > You have to restore the OS from CD and data from backup.
    >
    > Once a host has been compromised, nothing on it can be
    > trusted.
    >


    This statement, although probably founded for this scenario, is not
    entirely true.

    There are numerous host and/or network integrity applications, as well
    as a multitude of hash algorithms, available that can in fact verify
    that a resource is cryptographically equivalent and has not been
    compromised.

    > After you restore it, you really need to disable root login
    > and you probably want to install tcpwrappers or a firewall
    > to further limit your exposure.


    I would proceed with these recommendations, and research the
    host/network integrity application(s) that may be available to you to
    further implement a layered security infrastructure approach to this
    node and your network's security posture.


  9. Re: help needed after intrusion from a ssh dictionary attack

    "Secure Buddha" wrote in the message
    <1136962941.462769.200860@g14g2000cwa.googlegroups.com>:
    > base60 wrote:
    >> It's not. Period.
    >> You have to restore the OS from CD and data from backup.
    >> Once a host has been compromised, nothing on it can be
    >> trusted.

    >
    > This statement, although probably founded for this scenario, is not
    > entirely true.
    > There are numerous host and/or network integrity applications, as well
    > as a multitude of hash algorithms, available that can in fact verify
    > that a resource is cryptographically equivalent and has not been
    > compromised.
    > [...]


    Only if the kernel and the verification applications themselves have
    _not_ been replaced with corrupted versions that always tell it's OK. You
    can boot on a floppy or a CD-ROM to do your check, but you can't trust the
    compromised host itself to tell whether it's secure or not.


    Laura

  10. Re: help needed after intrusion from a ssh dictionary attack

    Not all integrity verification applications are host resident. For
    example, google for "osiris host integrity monitor".

    Therefore, there is not a need to trust a suspect binary on the
    compromised host. As well, archiving the results on the host itself is
    a bad idea. This goes for hash checksums and logs.

    I would suggest a secure one-way connection from the network nodes to
    an archiving node.

    These procedures/processes are not new to the information security
    industry.
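    Posts 5, 6, 9 and 10 between them describe the integrity check that
    answers "what did he change?": hash every file against a baseline, look
    for new setuid/setgid binaries, keep the baseline off the host, and run
    the comparison from a trusted boot medium rather than through the suspect
    host's own kernel and tools. As an added example that is not from the
    thread or any of its posters, the POSIX shell functions below build such
    a manifest, list setuid/setgid files, and report CHANGED, MISSING and NEW
    files; the demo function tampers with a constructed scratch tree to show
    all three. The function names, the scratch tree, and sha256sum as the
    hash tool (md5sum, which post 6 refers to, prints the same format) are
    assumptions. Whether the result can be trusted depends on where the
    manifest was stored and on the kernel and binaries used to run the check,
    which is exactly post 9's caveat.

```shell
#!/bin/sh
# Added example (not from the thread): file-integrity baseline and verification.
# Build the manifest right after the clean reinstall and store it OFF the host;
# verify later with the suspect disk mounted read-only under a trusted boot
# medium (a rescue CD, for instance), passing the mount point as the root.

# Prefer sha256sum; fall back to md5sum (the tool post 6 has in mind). Both
# print "hash  path", which the functions below rely on.
HASH_TOOL=$(command -v sha256sum || command -v md5sum)

build_manifest() {
    # $1 = root of the tree, $2 = manifest to write (keep it off-host).
    # Paths are recorded relative to the root so the same manifest verifies
    # the disk wherever it happens to be mounted later.
    (cd "$1" && find . -type f -exec "$HASH_TOOL" {} + | LC_ALL=C sort -k 2) > "$2"
}

list_setid() {
    # $1 = root. Regular files carrying the setuid (4000) or setgid (2000)
    # bit, as relative paths, sorted: post 5's "search for suid files".
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort)
}

verify_manifest() {
    # $1 = root of the suspect tree, $2 = trusted manifest.
    # Prints one line per difference: CHANGED (hash differs), MISSING (in the
    # baseline but gone), NEW (present but not in the baseline). No output = clean.
    # Caveat: paths containing whitespace are not handled by the awk field split.
    current=$(mktemp)
    build_manifest "$1" "$current"
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base))        print "NEW      " $2
             else if (base[$2] != $1)  print "CHANGED  " $2
             seen[$2] = 1
         }
         END { for (f in base) if (!(f in seen)) print "MISSING  " f }' "$2" "$current"
    rm -f "$current"
}

run_demo() {
    # Constructed scenario: baseline a small tree, then alter it the way an
    # intruder might (modified binary, removed file, dropped-in setuid file),
    # and print what verification and the setuid scan report.
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'ls contents\n' > "$work/tree/bin/ls"
    printf 'config\n'      > "$work/tree/etc.conf"
    build_manifest "$work/tree" "$work/manifest"   # this copy stands in for off-host storage

    printf 'trojaned ls\n' > "$work/tree/bin/ls"     # CHANGED
    rm -f "$work/tree/etc.conf"                       # MISSING
    printf 'dropped in\n'  > "$work/tree/bin/sh2"     # NEW ...
    chmod u+s "$work/tree/bin/sh2"                    # ... and setuid

    verify_manifest "$work/tree" "$work/manifest"
    echo "setuid/setgid files:"
    list_setid "$work/tree"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

    `sh integrity.sh --demo` prints the CHANGED, MISSING and NEW lines for the
    scratch tree followed by the setuid scan. For real use, call
    `build_manifest /` on the freshly installed host and copy the manifest
    away, then later boot from clean media and call
    `verify_manifest /mnt/suspect /path/to/manifest`; the only thing the
    functions trust is the manifest and the coreutils they are run with.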


  11. Re: help needed after intrusion from a ssh dictionary attack

    Secure Buddha wrote:
    > base60 wrote:
    >>jinzishuai@gmail.com wrote:
    >>>Hello
    >>
    >>It's not. Period.
    >>
    >>You have to restore the OS from CD and data from backup.
    >>
    >>Once a host has been compromised, nothing on it can be
    >>trusted.
    >
    > This statement, although probably founded for this scenario, is not
    > entirely true.
    >
    > There are numerous host and/or network integrity applications, as well
    > as a multitude of hash algorithms, available that can in fact verify
    > that a resource is cryptographically equivalent and has not been
    > compromised.


    I know about tripwire etc.

    Given the context of the question, we both know that's unlikely
    to be a viable solution.

    >>After you restore it, you really need to disable root login
    >>and you probably want to install tcpwrappers or a firewall
    >>to further limit your exposure.
    >
    > I would proceed with these recommendations, and research the
    > host/network integrity application(s) that may be available to you to
    > further implement a layered security infrastructure approach to this
    > node and your networks security posture.

