Security -- for Linux Server - Security


  1. Security -- for Linux Server

    Hello to All,

    I have a linux box which remain open all the time and is having
    internet connection.

    Actually I use this box for remote login. I am a basic user of linux
    and do not know how to protect it.

    What I noticed in secure file under /var/log

    ==============================================
    ct 10 04:35:45 Vicky sshd[5532]: Did not receive identification string from 201.25.192.198
    Oct 10 04:45:55 Vicky sshd[5552]: Failed password for root from 201.25.192.198 port 38882 ssh2
    Oct 10 04:48:06 Vicky sshd[5554]: Did not receive identification string from 64.182.3.46
    Oct 10 04:55:36 Vicky sshd[5568]: Illegal user 123 from 64.182.3.46
    Oct 10 04:55:49 Vicky sshd[5568]: Failed password for illegal user 123 from 64.182.3.46 port 46843 ssh2
    Oct 10 11:57:24 Vicky sshd[1829]: Server listening on 0.0.0.0 port 22.
    Oct 10 11:58:09 Vicky xinetd[1840]: START: sgi_fam pid=2301 from= address>
    Oct 10 13:41:03 Vicky sshd[2544]: Failed password for daemon from 217.77.209.122 port 1936 ssh2
    Oct 10 17:30:04 Vicky sshd[2704]: Did not receive identification string from 210.73.87.71
    Oct 10 17:40:37 Vicky sshd[2710]: Illegal user staff from 210.73.87.71
    Oct 10 17:40:43 Vicky sshd[2710]: Failed password for illegal user staff from 210.73.87.71 port 29239 ssh2
    Oct 10 17:40:45 Vicky sshd[2712]: Illegal user sales from 210.73.87.71
    Oct 10 17:40:47 Vicky sshd[2712]: Failed password for illegal user sales from 210.73.87.71 port 30238 ssh2
    Oct 10 17:40:49 Vicky sshd[2714]: Illegal user recruit from 210.73.87.71
    Oct 10 17:40:51 Vicky sshd[2714]: Failed password for illegal user recruit from 210.73.87.71 port 30722 ssh2
    Oct 10 17:40:53 Vicky sshd[2716]: Illegal user alias from 210.73.87.71
    Oct 10 17:40:55 Vicky sshd[2716]: Failed password for illegal user alias from 210.73.87.71 port 31205 ssh2
    Oct 10 17:40:57 Vicky sshd[2718]: Illegal user office from 210.73.87.71
    ==============================================

    My server name is Vicky

    Please tell me , Is someone trying to connect with my server ..
    What steps I can take to prevent this as I also need to connect this
    server remotely.

    Regards,
    Jagjeet Singh


  2. Re: Security -- for Linux Server

    Jagjeet_Singh wrote:
    > Hello to All,
    >
    > I have a linux box which remain open all the time and is having
    > internet connection.
    >
    > Actually I use this box for remote login. I am a basic user of linux
    > and do not know how to protect it.
    >
    > What I noticed in secure file under /var/log
    >


    Someone is running a ssh hack script against your host.

    If you have an internet connection and an open ssh port, this
    is what you should expect.
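
To see what a log like the one in the first post amounts to, the following added example (not part of any post in this thread) counts failed sshd password attempts per source address and flags the sources that look scripted. The function names, the host name `host`, the account `alice` and the sample lines with their documentation addresses are constructed.

```shell
#!/bin/sh
# Added example. Sample lines are constructed (documentation addresses),
# in the same syslog format as the excerpt in the first post.
sample_log() {
cat <<'EOF'
Oct 10 04:35:45 host sshd[5532]: Did not receive identification string from 192.0.2.10
Oct 10 04:45:55 host sshd[5552]: Failed password for root from 192.0.2.10 port 38882 ssh2
Oct 10 17:40:37 host sshd[2710]: Illegal user staff from 198.51.100.7
Oct 10 17:40:43 host sshd[2710]: Failed password for illegal user staff from 198.51.100.7 port 29239 ssh2
Oct 10 17:40:45 host sshd[2712]: Illegal user sales from 198.51.100.7
Oct 10 17:40:47 host sshd[2712]: Failed password for illegal user sales from 198.51.100.7 port 30238 ssh2
Oct 10 17:41:02 host sshd[2720]: Failed password for root from 198.51.100.7 port 31500 ssh2
Oct 10 18:01:50 host sshd[2800]: Failed password for alice from 203.0.113.5 port 50100 ssh2
Oct 10 18:02:11 host sshd[2801]: Accepted password for alice from 203.0.113.5 port 50122 ssh2
EOF
}

# failed_by_source: reads sshd syslog lines on stdin and prints
#   <source> <failed passwords> <distinct user names> <attempts on root>
# one line per source, busiest first.
failed_by_source() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is chosen by the remote side and could itself contain
        # the word "from", so locate the fields from the LAST "from" on the line.
        f = 0
        for (i = 1; i <= NF; i++) if ($i == "from") f = i
        if (f < 2 || f >= NF) next
        user = $(f - 1); src = $(f + 1)
        fails[src]++
        if (user == "root") root[src]++
        if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
    }
    END { for (s in fails) printf "%s %d %d %d\n", s, fails[s], users[s], root[s] }
    ' | sort -k2,2nr -k1,1
}

# suspicious_sources MIN: sources with at least MIN failures, or more than
# one user name tried, or any attempt on root. A single failure for one
# ordinary account (a mistyped password) is not reported.
suspicious_sources() {
    failed_by_source | awk -v min="$1" '$2 >= min || $3 > 1 || $4 > 0 { print $1 }'
}

sample_log | failed_by_source
```

On a live system the same functions read the real file, for example `suspicious_sources 3 < /var/log/secure`.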

  3. Re: Security -- for Linux Server

    Jagjeet_Singh :
    > Hello to All,
    >
    > I have a linux box which remain open all the time and is having
    > internet connection.
    >
    > Actually I use this box for remote login. I am a basic user of linux
    > and do not know how to protect it.
    >
    > What I noticed in secure file under /var/log
    >
    > ==============================================
    > ct 10 04:35:45 Vicky sshd[5532]: Did not receive identification string
    > from 201.25.192.198


    Do you need to run sshd? You can still ssh out without sshd. Turn
    off sshd if you don't need to ssh in to Vicky.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
    Spammers! http://www.spots.ab.ca/~keeling/emails.html

  4. Re: Security -- for Linux Server

    On Sat, 28 Oct 2006 08:21:50 -0700, Jagjeet_Singh wrote:

    > Hello to All,
    >
    > I have a linux box which remain open all the time and is having internet
    > connection.
    >
    > Actually I use this box for remote login. I am a basic user of linux and
    > do not know how to protect it.
    >
    > What I noticed in secure file under /var/log
    >
    > My server name is Vicky
    >
    > Please tell me , Is someone trying to connect with my server .. What steps
    > I can take to prevent this as I also need to connect this server remotely.
    >
    > Regards,
    > Jagjeet Singh


    Yep, someone's trying to hack into your computer. You might want to
    consider using a non-standard port for your ssh server. In sshd_config you
    simply need to change the port number, restart the ssh server, and you'll
    need to reconfigure and restart your firewall for the non-standard port.
    You'll want to disable root account access, also, in sshd_config and
    specify which user accounts are permitted to connect to the ssh server
    (don't forget to restart the server each time you make a change to the
    sshd_config file). And when you try to remotely connect to your box you'll
    need to specify the port number. This will probably stop most of these
    attacks.
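
One way to check an sshd_config against the three changes suggested in the reply above (port, root login, permitted accounts). This is an added example, not code from the thread; the function names, port 2222, the account `alice` and both sample configs are constructed.

```shell
#!/bin/sh
# Added example; both sample configs below are constructed.
weak_config() {
cat <<'EOF'
#Port 22
Protocol 2,1
PermitRootLogin yes
EOF
}
hardened_config() {
cat <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers alice
EOF
}

# audit_sshd_config: reads an sshd_config on stdin, prints one line per
# check and returns the number of failed checks as its exit status.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        sub(/^[ \t]+/, "")
        if (!match($0, /^[A-Za-z]+/)) next
        key = tolower(substr($0, 1, RLENGTH))    # keywords are case-insensitive
        rest = substr($0, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)         # "Port 22" and "Port=22" both parse
        sub(/[ \t]+$/, "", rest)
        if (key == "match") exit                 # what follows applies conditionally
        if (key == "port") {                     # Port may be given several times
            ports = (ports == "" ? rest : ports " " rest)
            if (rest == "22") p22 = 1
        } else if (!(key in val)) val[key] = rest  # sshd keeps the first value it reads
    }
    END {
        bad = 0
        if (ports == "")  { print "FAIL Port: not set, sshd listens on 22 by default"; bad++ }
        else if (p22)     { print "FAIL Port: 22 is still listed (" ports ")"; bad++ }
        else                print "ok   Port: " ports
        rootlogin = ("permitrootlogin" in val) ? val["permitrootlogin"] : "not set"
        if (rootlogin != "no") { print "FAIL PermitRootLogin: " rootlogin; bad++ }
        else                print "ok   PermitRootLogin: no"
        if (!("allowusers" in val)) { print "FAIL AllowUsers: not set, logins are not limited to named accounts"; bad++ }
        else                print "ok   AllowUsers: " val["allowusers"]
        exit bad
    }'
}

weak_config | audit_sshd_config || echo "failed checks: $?"
hardened_config | audit_sshd_config
```

Run it against the live file with `audit_sshd_config < /etc/ssh/sshd_config`, and keep an existing session open while restarting sshd so a mistake in the new settings does not lock you out.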


  5. Re: Security -- for Linux Server

    Thanks for all this information.

    Actually I do not need to ssh my I can use telnet to connect these
    servers.

    Do I need to protect my telnet server also, if yes then how.

    I am not using any firewall [ if it is not there by default ].

    Is there any that I can disable ping to my server and port scanning to
    my server using tools like nmap or others.

    Regards,
    Jagjeet Singh

    johnny wrote:
    > On Sat, 28 Oct 2006 08:21:50 -0700, Jagjeet_Singh wrote:
    >
    > > Hello to All,
    > >
    > > I have a linux box which remain open all the time and is having internet
    > > connection.
    > >
    > > Actually I use this box for remote login. I am a basic user of linux and
    > > do not know how to protect it.
    > >
    > > What I noticed in secure file under /var/log
    > >
    > > My server name is Vicky
    > >
    > > Please tell me , Is someone trying to connect with my server .. What steps
    > > I can take to prevent this as I also need to connect this server remotely.
    > >
    > > Regards,
    > > Jagjeet Singh

    >
    > Yep, someone's trying to hack into your computer. You might want to
    > consider using a non-standard port for your ssh server. In sshd_config you
    > simply need to change the port number, restart the ssh server, and you'll
    > need to reconfigure and restart your firewall for the non-standard port.
    > You'll want to disable root account access, also, in sshd_config and
    > specify which user accounts are permitted to connect to the ssh server
    > (don't forget to restart the server each time you make a change to the
    > sshd_config file). And when you try to remotely connect to your box you'll
    > need to specify the port number. This will probably stop most of these
    > attacks.



  6. Re: Security -- for Linux Server

    On Mon, 30 Oct 2006 13:35:11 -0800, Jagjeet_Singh wrote:

    > Thanks for all this information.
    >
    > Actually I do not need to ssh my I can use telnet to connect these
    > servers.


    Jagjeet, is this a joke?

    > Do I need to protect my telnet server also, if yes then how.


    If you can't answer this question, reach around behind your server and
    pull that funny blue wire that looks like a big phone line out of its
    socket and don't stick it back in again until you can answer this question
    for yourself.

    > I am not using any firewall [ if it is not there by default ].


    why pray tell not? are your servers built of teflon perhaps?

    > Is there any that I can disable ping to my server and port scanning to
    > my server using tools like nmap or others.


    read grasshopper, and then read some more (but first pull that blue wire
    out)

  7. Re: Security -- for Linux Server

    On 2006-10-30, mr.b wrote:
    > On Mon, 30 Oct 2006 13:35:11 -0800, Jagjeet_Singh wrote:
    >
    >> Actually I do not need to ssh my I can use telnet to connect these
    >> servers.

    >
    > Jagjeet, is this a joke?
    >
    >> Do I need to protect my telnet server also, if yes then how.

    >
    > If you can't answer this question, reach around behind your server and
    > pull that funny blue wire that looks like a big phone line out of its
    > socket and don't stick it back in again until you can answer this question
    > for yourself.
    >
    >> I am not using any firewall [ if it is not there by default ].

    >
    > why pray tell not? are your servers built of teflon perhaps?
    >
    >> Is there any that I can disable ping to my server and port scanning to
    >> my server using tools like nmap or others.

    >
    > read grasshopper, and then read some more (but first pull that blue wire
    > out)


    My wire is gray. What should I do?!?

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  8. Re: Security -- for Linux Server

    On 30 Oct 2006 13:35:11 -0800, "Jagjeet_Singh"
    wrote:
    > Actually I do not need to ssh my I can use telnet to connect these
    >servers.


    telnet is about the most insecure way to connect to anything - ssh
    replaces telnet for most systems and does a much better job but *any*
    server routine running on your machines should be protected in some
    way.

    > Do I need to protect my telnet server also, if yes then how.


    Disable telnet and investigate using ssh instead. But reconfigure your
    sshd to: disable direct 'root' access; only allow SSH2; and listen on
    a non-standard port (any free port except 22). This is all very simple
    and will prevent 99% of scripted ssh attacks.

    > I am not using any firewall [ if it is not there by default ].


    You should - otherwise your server *will* be hacked sooner or later.
    Start by setting up a simple iptables configuration and DROPing all
    new incoming connections. Then change the configuration bit by bit and
    only let through stuff that you absolutely have to allow. For
    instance, if you only connect to the server from PCs on the local
    network then allow only that. If you decide you need external
    command-line connections via ssh then allow traffic on the port your
    ssh is listening on.

    Also, if you do need external access by ssh investigate the 'recent'
    module for iptables. It allows you to simply create 3 new rules that
    will prevent anyone connecting more than 3 times in a given period
    (say, 60 seconds). This will frustrate/stop any hacking scripts from
    testing passwords on your system.

    All output can be allowed but for a more advanced firewall you could
    consider only allowing outbound traffic that you trust. This will
    prevent users doing things that they shouldn't do.

    Just using Google will get you all of this information free. I once
    made the mistake of leaving an ssh server unprotected and it was
    hacked. I didn't lose any information but the downtime was
    frustrating. After a few days of Googling I had enough information to
    reduce my ssh attacks from 100s/day to nothing.

    > Is there any that I can disable ping to my server and port scanning to
    >my server using tools like nmap or others.


    You just need to have a good firewall - like I said, investigate
    iptables. Also, remember if your server is behind a gateway/router
    then that is your first point of attack so disable ping there and only
    port-forward the minimum of ports to the server.

    Chris R.
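
The firewall described in the reply above, written out as an added example (not the poster's own rules): a default-DROP iptables ruleset in iptables-restore format, including the three 'recent' rules. The function name `gen_ruleset`, the list name `SSH`, port 2222 and the network 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example: gen_ruleset PORT [SOURCE_CIDR] prints an iptables-restore
# ruleset. PORT is the port sshd listens on; SOURCE_CIDR optionally limits
# SSH to one network. Both parameter names are hypothetical.
gen_ruleset() {
    port=$1
    src=${2:-}
    # Validate before interpolating into rules: digits only, 1-65535.
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 2
    fi
    case $src in
        *[!0-9./]*) echo "bad source: $src" >&2; return 2 ;;
    esac
    ssh="-p tcp --dport $port -m state --state NEW"
    if [ -n "$src" ]; then ssh="-s $src $ssh"; fi
    cat <<EOF
*filter
# Default: drop everything inbound (ping included); allow all outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# recent rule 1: note the source of every new SSH connection.
-A INPUT $ssh -m recent --name SSH --set
# recent rule 2: drop a source making a 4th new connection within 60 s.
-A INPUT $ssh -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
# recent rule 3: otherwise let the connection through.
-A INPUT $ssh -j ACCEPT
COMMIT
EOF
}

gen_ruleset 2222
```

Check the output with `gen_ruleset 2222 | iptables-restore --test` before loading it, and do that from the console rather than over the SSH session the rules are about to filter.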

  9. Re: Security -- for Linux Server

    On Mon, 30 Oct 2006 17:04:18 -0800, Keith Keller wrote:

    > My wire is gray. What should I do?!?


    Grecian formula?

    or learn to live with it graciously?

  10. Re: Security -- for Linux Server

    Chris R.

    Thank you very much for detailed answer.

    I will search google and try to implement the suggestions you gave
    me.

    Thanks once again --

    Regards,
    Jagjeet Singh

