Attempting breach?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by corbywan, Dec 8, 2009.

  1. corbywan macrumors regular

    Joined:
    Feb 4, 2008
    Location:
    Forest Grove, OR
    #1
    I checked my secure.log and saw several lines like this.

    Dec 8 22:01:40 exchangechurch sshd[20829]: Invalid user director from 201.217.215.66
    Dec 8 22:01:40 exchangechurch sshd[20833]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 8 22:01:40 exchangechurch sshd[20829]: error: PAM: authentication error for illegal user director from 201-217-215-66-host.ifx.net.co via 10.0.1.2
    Dec 8 22:01:40 exchangechurch sshd[20829]: Failed keyboard-interactive/pam for invalid user director from 201.217.215.66 port 41439 ssh2

    Is this someone trying to hack into my server?
     
  2. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #2
    If you are connected to the Internet, you can be assured that someone, either intentionally or accidentally, is always trying to log into your server.

    A.
     
  3. corbywan thread starter macrumors regular

    Joined:
    Feb 4, 2008
    Location:
    Forest Grove, OR
    #3
    I knew that, I just want to be able to identify it better.
     
  4. shadyMedia macrumors newbie

    Joined:
    Apr 6, 2009
    #4
    I have been getting a lot of this. Right now, to combat it, I have just disabled SSH.
    We're running a new Mac Mini Server, and we noticed that pretty much right at 11:30 pm EST the CPU load will jump to sometimes 40%. Once we disable SSH connections everything calms back down.

    We're looking into steps on how to block it and how to make sure everything is working OK.

    Either Apple's software firewall or a 3rd-party firewall.

    What do you guys think?
     
  5. shadyMedia macrumors newbie

    Joined:
    Apr 6, 2009
    #5
    Just a taste of mine

    Dec 9 11:37:43 server sshd[55810]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:37:43 server sshd[55806]: error: PAM: authentication error for illegal user ftpuser from 58.247.222.163 via 10.0.1.2
    Dec 9 11:37:43 server sshd[55806]: Failed keyboard-interactive/pam for invalid user ftpuser from 58.247.222.163 port 55947 ssh2
    Dec 9 11:40:41 server sshd[55871]: Invalid user ftpuser from 135.196.243.201
    Dec 9 11:40:41 server sshd[55875]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:40:41 server sshd[55871]: error: PAM: authentication error for illegal user ftpuser from 135.196.243.201 via 10.0.1.2
    Dec 9 11:40:41 server sshd[55871]: Failed keyboard-interactive/pam for invalid user ftpuser from 135.196.243.201 port 51986 ssh2
    Dec 9 11:43:36 server sshd[55922]: Invalid user gabi from 201.217.215.66
    Dec 9 11:43:36 server sshd[55926]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:43:36 server sshd[55922]: error: PAM: authentication error for illegal user gabi from 201-217-215-66-host.ifx.net.co via 10.0.1.2
    Dec 9 11:43:36 server sshd[55922]: Failed keyboard-interactive/pam for invalid user gabi from 201.217.215.66 port 46040 ssh2
    Dec 9 11:46:55 server sshd[55982]: Invalid user gabi from 190.136.177.61
    Dec 9 11:46:55 server sshd[55996]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:46:56 server sshd[55982]: error: PAM: authentication error for illegal user gabi from host61.190-136-177.telecom.net.ar via 10.0.1.2
    Dec 9 11:46:56 server sshd[55982]: Failed keyboard-interactive/pam for invalid user gabi from 190.136.177.61 port 3525 ssh2
    Dec 9 11:49:32 server sshd[56041]: reverse mapping checking getaddrinfo for 65-114-92-158.ussonet.net [65.114.92.158] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 9 11:49:32 server sshd[56041]: Invalid user gabo from 65.114.92.158
    Dec 9 11:49:32 server sshd[56045]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:49:32 server sshd[56041]: error: PAM: authentication error for illegal user gabo from 65.114.92.158 via 10.0.1.2
    Dec 9 11:49:32 server sshd[56041]: Failed keyboard-interactive/pam for invalid user gabo from 65.114.92.158 port 21662 ssh2
    Dec 9 11:55:30 server sshd[56183]: reverse mapping checking getaddrinfo for bt-212-231.bta.net.cn [202.106.212.231] failed - POSSIBLE BREAK-IN ATTEMPT!
    Dec 9 11:55:30 server sshd[56183]: Invalid user gabriela from 202.106.212.231
    Dec 9 11:58:30 server sshd[56238]: Invalid user gabriele from 211.115.234.143
    Dec 9 11:58:30 server sshd[56242]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 11:58:30 server sshd[56238]: error: PAM: authentication error for illegal user gabriele from 211.115.234.143 via 10.0.1.2
    Dec 9 11:58:30 server sshd[56238]: Failed keyboard-interactive/pam for invalid user gabriele from 211.115.234.143 port 41563 ssh2
    Dec 9 12:01:29 server sshd[56333]: Invalid user gaby from 194.78.48.108
    Dec 9 12:01:29 server sshd[56337]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Dec 9 12:01:30 server sshd[56333]: error: PAM: authentication error for illegal user gaby from 108.48-78-194.adsl-static.isp.belgacom.be via 10.0.1.2
    Dec 9 12:01:30 server sshd[56333]: Failed keyboard-interactive/pam for invalid user gaby from 194.78.48.108 port 30490 ssh2
     
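As a way to "identify it better", which is what #3 asks for, here is an added example (not code from any poster in this thread) that parses the OpenSSH log format shown in these posts and summarises it per source IP. The sample log is constructed: most lines are copied from the posted logs, with a few extra guesses added so that each check has something to fire on. The thresholds, and the "coordinated sweep" heuristic, are assumptions to tune for your own server, not advice from the thread.

```python
"""Triage sshd brute-force noise in a Mac OS X secure.log.

Added example, not code from the thread. It parses the OpenSSH log format
shown in the posts above. SAMPLE_LOG is constructed: most lines are taken
from the posted logs, with a few extra guesses added so each check has
something to fire on. The thresholds are assumptions to tune per server.
"""
import re
from collections import defaultdict

# One line per guess. "invalid user" means the account does not exist on the
# box; without it ("Failed password for root ...") the guess targets a real
# account, which matters more than a random wordlist name.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
# Logged when the client's reverse DNS does not map back to its IP: a DNS
# hygiene signal that sshd labels alarmingly, not evidence of a break-in.
REVDNS_RE = re.compile(
    r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed")

# Constructed sample: posted lines plus extra guesses (gabriel, second gaby, root).
SAMPLE_LOG = """\
Dec 9 11:37:43 server sshd[55806]: Failed keyboard-interactive/pam for invalid user ftpuser from 58.247.222.163 port 55947 ssh2
Dec 9 11:40:41 server sshd[55871]: Invalid user ftpuser from 135.196.243.201
Dec 9 11:40:41 server sshd[55875]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:40:41 server sshd[55871]: Failed keyboard-interactive/pam for invalid user ftpuser from 135.196.243.201 port 51986 ssh2
Dec 9 11:43:36 server sshd[55922]: Failed keyboard-interactive/pam for invalid user gabi from 201.217.215.66 port 46040 ssh2
Dec 9 11:46:56 server sshd[55982]: Failed keyboard-interactive/pam for invalid user gabi from 190.136.177.61 port 3525 ssh2
Dec 9 11:49:32 server sshd[56041]: reverse mapping checking getaddrinfo for 65-114-92-158.ussonet.net [65.114.92.158] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 9 11:49:32 server sshd[56041]: Failed keyboard-interactive/pam for invalid user gabo from 65.114.92.158 port 21662 ssh2
Dec 9 11:52:20 server sshd[56101]: Failed keyboard-interactive/pam for invalid user gabriel from 201.217.215.66 port 46105 ssh2
Dec 9 11:55:30 server sshd[56183]: Failed keyboard-interactive/pam for invalid user gabriela from 202.106.212.231 port 50120 ssh2
Dec 9 11:58:30 server sshd[56238]: Failed keyboard-interactive/pam for invalid user gabriele from 211.115.234.143 port 41563 ssh2
Dec 9 12:01:30 server sshd[56333]: Failed keyboard-interactive/pam for invalid user gaby from 194.78.48.108 port 30490 ssh2
Dec 9 12:04:10 server sshd[56402]: Failed keyboard-interactive/pam for invalid user gaby from 201.217.215.66 port 46210 ssh2
Dec 9 12:05:02 server sshd[56430]: Failed password for root from 201.217.215.66 port 46233 ssh2
"""

def parse(log_text):
    """Return (events, bad_rdns): one dict per failed guess in log order, and
    the set of source IPs whose reverse lookup failed."""
    events, bad_rdns = [], set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                           "method": m["method"],
                           "real_account": m["invalid"] is None})
            continue
        m = REVDNS_RE.search(line)
        if m:
            bad_rdns.add(m["ip"])
    return events, bad_rdns

def per_source(events):
    """Guess count, distinct usernames and real-account hits per source IP."""
    out = defaultdict(lambda: {"attempts": 0, "users": [], "real_account_hits": 0})
    for e in events:
        rec = out[e["ip"]]
        rec["attempts"] += 1
        if e["user"] not in rec["users"]:
            rec["users"].append(e["user"])
        rec["real_account_hits"] += int(e["real_account"])
    return dict(out)

def noisy_sources(events, min_attempts=3):
    """Sources that a per-IP counter (what sshguard-style tools key on) catches."""
    return sorted(ip for ip, r in per_source(events).items()
                  if r["attempts"] >= min_attempts)

def distributed_sweep(events, min_sources=3):
    """Heuristic (an assumption, not from the thread): in the posted logs each
    IP makes one or two guesses, yet the invalid usernames climb through the
    alphabet (gabi, gabo, gabriela, gabriele, gaby). That is one wordlist being
    walked by many hosts, which no per-IP counter will block. Flag it when the
    invalid-user names never go backwards across at least min_sources IPs."""
    names = [e["user"] for e in events if not e["real_account"]]
    ips = {e["ip"] for e in events if not e["real_account"]}
    return (len(ips) >= min_sources and len(set(names)) > 1
            and all(a <= b for a, b in zip(names, names[1:])))

def report(log_text, min_attempts=3):
    """Triage summary as text, returned rather than printed so it can be tested."""
    events, bad_rdns = parse(log_text)
    sources = per_source(events)
    lines = [f"{len(events)} failed guesses from {len(sources)} source IPs"]
    for ip, r in sorted(sources.items(), key=lambda kv: -kv[1]["attempts"]):
        tag = "  [rDNS mismatch]" if ip in bad_rdns else ""
        lines.append(f"  {ip:<16} {r['attempts']:>2} guesses  users={','.join(r['users'])}"
                     f"  real_account_hits={r['real_account_hits']}{tag}")
    lines.append(f"per-IP threshold ({min_attempts}) would block: "
                 f"{', '.join(noisy_sources(events, min_attempts)) or 'nothing'}")
    lines.append(f"coordinated wordlist sweep: {'yes' if distributed_sweep(events) else 'no'}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real file with `python3 triage.py < /dev/null` swapped for `report(open("/var/log/secure.log").read())`. Two things worth noticing in the output: the "POSSIBLE BREAK-IN ATTEMPT" line is only a reverse-DNS mismatch and is reported as such rather than counted, and the slow one-guess-per-IP pattern in the posted logs is exactly the case a per-IP blocker such as sshguard never sees enough of to act on, which is why the replies further down lean on key-only authentication rather than on counting.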
  6. nullx86 macrumors 6502a

    nullx86

    Joined:
    Jun 26, 2009
    Location:
    Wilmington/Jacksonville, NC
    #6
    Looks like both the OP and the above post have the same IP... if you're really paranoid, do an IP trace on it :p
     
  7. AdamR01 macrumors 6502

    Joined:
    Feb 2, 2003
    #7
  8. OMGWTFBBQ macrumors member

    OMGWTFBBQ

    Joined:
    Oct 5, 2007
    #8
    Thanks for the link, I'm going to give this a shot.
     
  9. TXbug macrumors member

    TXbug

    Joined:
    Aug 24, 2009
    Location:
    Austin, Texas
    #9
    There is a way around this without disabling SSH. On your router, port forward from an oddball port number, not already assigned. Make up a number. Then have the router forward it to port 22 on the IP of your server/computer. You may have to disable port 22 on the router.

    Then you ssh using -p and the oddball port number.

    It works every time. These guys are trying to do a brute force breakin using ssh on port 22. This change will stop that dead.
     
  10. timd.mackey macrumors member

    Joined:
    Jun 8, 2010
    #10
    Help getting sshguard to work on Mac

    Could anyone here run through how they got sshguard set up on their machines? I'm running Snow Leopard, and I got sshguard installed using macports, but I'm not sure how to get it set up properly. How do I turn it on?
     
  11. Eric-PTEK macrumors 6502

    Joined:
    Mar 3, 2009
    #11
    Doesn't the server have a lockout policy?

    We did a test on our web servers at the data center (Win2K8R2). Without a lockout policy we had over 14,000 attempts to break in within 4 days.

    We put in the lockout policy and now they can only do 60 attempts a day, if they happen to figure out the admin name.
     
  12. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #12
    ssxt.mlp/k0900-0
     
  13. OMGWTFBBQ macrumors member

    OMGWTFBBQ

    Joined:
    Oct 5, 2007
    #13
    Were you ever able to figure this out? If so, can you give me detailed instructions of installing it? I've done it the macports way, but I want the version from the website. The macports version is called sshguard-ipfw...

    Thanks
     
  14. micm macrumors newbie

    Joined:
    Jun 30, 2010
    #14
    The MacPorts version is called sshguard-ipfw because it is sshguard, compiled with the "ipfw" backend (which is the firewall OS X offers). So technically it is sshguard as from the website, just a bit outdated -- the maintainer is probably waiting for 1.5 to be released after the paranoid-long release candidate line :)

    So if you install from the MacPorts, you should get a message printed after installing, going:
    Code:
    ###########################################################
    # A startup item has been generated that will aid in
    # starting sshguard-ipfw with launchd. It is disabled
    # by default. Execute the following command to start it,
    # and to cause it to launch at startup:
    #
    # sudo port load sshguard-ipfw
    ###########################################################
    
    just run that command and then "ps" will show you sshguard running on the system.

    The MacPort is well done and convenient because it installs the OS X startupitem for you. However, there are many changes in sshguard since version 1.4. You can still compile and install a newer version yourself; then it's easy to run it e.g. with the log sucker.
     
  15. mrubioroy macrumors newbie

    Joined:
    Aug 11, 2010
    #15
    Hi micm,
    I've compiled the 1.5rc4 sources without problems, but when it comes to creating the launchd plist file I'm not managing to get it to work. Could you paste the MacPorts plist file or the sshguard-ipfw script? Where should I put the plist file? I've been trying in /Library/LaunchAgents but when I launchctl load it I don't see it with "ps".

    Thanks!

    Miguel
     
  16. robvas macrumors 68030

    Joined:
    Mar 29, 2009
    Location:
    USA
    #16
    There are many things you can do to enhance SSH security.

    Disable password logins. You will have to store the key on the computer you wish to access your server from remotely.

    Disallow root users! Also, you can only allow certain users SSH access.

    Limit login attempts to 1

    Force SSH protocol version 2

    The sshd_config file has a bunch of options you can set.
     
  17. mlts22 macrumors 6502a

    Joined:
    Oct 28, 2008
    #17
    Here is what I do to lock down ssh:

    1: Consider having a hardened host just for ssh-ing, or require a VPN connection.

    2: Oddball ports are OK, but any blackhat worth their salt will find them.

    3: If you can, disable password and interactive authentication, and use RSA keys. This blocks out password brute forcing. Another item to consider is using one time passwords or SecurID cards.

    4: If you know the range of IPs that people use for sshing in, limit the access to that. I use this in combination with a VPN service like strongvpn.com so no matter where I am, my IP range will be known to the server.

    5: As stated above, sshguard is an immense help. You want to keep a lid on attempts.

    6: This goes without saying. Disallow access to root. This way, an attacker has to compromise a user account, then find a priv escalation, rather than just be handed the keys to the city.

    7: Have a strong hardware router/VPN/firewall. At the minimum an AEBU or a unified security gateway like http://tinyurl.com/2bmr6vn, or one of its bigger brothers. If the blackhats cannot reach the machine, they can't compromise it.

    8: Keep good backups. If your server gets compromised, you will have to reinstall completely, so it can't hurt to keep good backups of everything. Ideally, a completely locked down backup server that is a separate machine would be the best, so a blackhat that compromises the server won't be able to mess with the already stored backups.
     
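To turn the advice in #16 and #17 into something you can check, here is an added example (not from either poster, and not Apple's or OpenSSH's code) that parses an sshd_config and flags the directives those posts talk about. Both config strings are constructed: WEAK stands in for an untouched install of that era, using defaults I assume for the OpenSSH 5.x that shipped with Leopard and Snow Leopard, and HARDENED applies the hardening steps from the posts. The account names, address patterns and port number in HARDENED are made up.

```python
"""Audit the global section of an sshd_config against the advice in #16/#17.

Added example, not from the thread or from Apple. WEAK and HARDENED are
constructed files: WEAK is what an untouched install of that era effectively
ran (an assumption; compare with your own /etc/sshd_config), HARDENED applies
the posts' advice. The account names, address patterns and port in HARDENED
are made up.
"""
import re

# Values sshd uses when a directive is absent. Assumed for the OpenSSH 5.x that
# shipped with Leopard/Snow Leopard; newer releases default Protocol to 2 and
# PermitRootLogin to prohibit-password, so re-check these on a current box.
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "maxauthtries": "6",
}

WEAK = """\
# looks configured, but everything that matters is still at its default
Protocol 2,1
UsePAM yes
PasswordAuthentication yes
"""

HARDENED = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive/pam (the method in the posted logs) rides on this
# directive, so PasswordAuthentication no alone would not stop the guessing
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
# assumed accounts and source ranges: office LAN and the VPN pool
AllowUsers admin@10.0.1.* backupop@192.0.2.*
# oddball port: cuts log noise, not a security control by itself
Port 2222
# conditional settings live in Match blocks; this audit deliberately skips them
Match Address 10.0.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive (lowercased): value} for the global section.

    Two sshd rules are mirrored: the first occurrence of a directive wins, and
    everything after the first Match line is conditional, so it is left out."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def audit(text, max_auth_tries=3):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS.get(key, ""))

    findings = []
    if get("protocol") != "2":
        findings.append("Protocol: allow only 2; SSH-1 is cryptographically broken")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin: set to no so an attacker must first land "
                        "in a user account and then find a privilege escalation")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: set to no and log in with keys")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication: set to no; this is the "
                        "keyboard-interactive/pam path seen in the logs")
    if int(get("maxauthtries")) > max_auth_tries:
        findings.append(f"MaxAuthTries: {get('maxauthtries')} is generous; "
                        f"cap it at {max_auth_tries}")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: unset, so every local account "
                        "is a valid login target")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit(text)
        print(f"{name}: {'passes' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Point it at your own file with `audit(open("/etc/sshd_config").read())` (that is the path on Snow Leopard) and syntax-check any edit with `sudo sshd -t` before restarting the service, since a typo there locks you out of the very thing you are hardening. Two caveats from experience: the audit stops at the first Match line, so a `PasswordAuthentication yes` placed in a Match block for the LAN is neither flagged nor blessed, which is deliberate; and MaxAuthTries 1, as #16 suggests, can lock out a client whose agent offers several keys, because every key offered counts as an attempt, which is why the example caps at 3.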