
Re: ssh: A small midnight attack... (opinions, suggestions, etc.)



Hello,
I ran into this too back when I was trying to keep the server I use (for
apache) up for long stretches. I agree with what our teacher Recai said:
these must be automated programs trying passwords.

In that case, for fun, from any of the addresses
http://www.geobytes.com/IpLocator.htm?GetLocation
http://www.searchbug.com/peoplefinder/location-by-ip-address.aspx?ipaddress=143.248.138.18&submit1=Submit
http://www.antionline.com/tools-and-toys/ip-locate/

you can find out where the attacking IP is located. In my case interesting
places came up, like Buenos Aires, Japan and various parts of Europe. Then
you can check with a browser such as mozilla/firefox whether those IPs have
web sites; if you find an address there you can send them an e-mail, and in
return you can even give their computers a poke with ssh : )

As solutions I can suggest a few things: changing your IP address (a
short-lived protection), removing sshd (you can do this if you don't need it;
you don't need sshd in order to use ssh), and the most elegant solution I
know, which is to change the

Port 22

line in sshd_config to another port number you won't forget. Search for
"ports" on google and check, so you can pick one that is not generally in
use and there is no mix-up later (so some other program doesn't try to use
the one you picked). The point here is that these generic attacks target
standard installations: scanning port 22 of every IP on a list is faster
than scanning all the ports of a single IP. That is probably why, after I
made this change, /var/log/auth.log got a lot quieter.

Take care.
Can Kavaklıoğlu


> Hello,
> 
> Thanks to gkrellm I suddenly noticed unexpected traffic on the eth0
> interface; there was no occasion for it, I wasn't sending anything or
> receiving anything, so I wondered where this traffic was coming from.
> 
> Looking around a bit with netstat I came across lots of ssh and figured
> something unexpected was going on; I stopped sshd right away, and then
> looking at /var/log/auth.log I found the lines you will see below.
> 
> As far as I can understand, a single machine, by means of an automated
> program, bombarded my system trying some usernames/passwords and tried to
> log in over ssh (with what program? how? that I of course can't tell).
> 
> My system is Debian GNU/Linux (unstable). I am behind an ADSL router/firewall modem.
> 
> I would be glad if someone who can look at the log below could do a more
> detailed analysis and make suggestions.
> 
> Meanwhile I became aware of a program called fail2ban:
> 
>  http://fail2ban.sourceforge.net
> 
> Is it worthwhile for preventing this kind of thing, has anyone used it?
> 
> Thanks in advance; the log file is below, and I have also included my
> sshd_config file in case there is any problem with it (after this happened
> I updated the sshd server with "apt-get install ssh"):
> 
> Sep 10 00:52:46 debian sshd[16576]: Did not receive identification string from ::ffff:83.170.72.51
> Sep 10 00:53:01 debian CRON[16581]: (pam_unix) session opened for user mail by (uid=0)
> Sep 10 00:53:01 debian CRON[16581]: (pam_unix) session closed for user mail
> Sep 10 01:00:01 debian CRON[16697]: (pam_unix) session opened for user root by (uid=0)
> Sep 10 01:00:04 debian CRON[16697]: (pam_unix) session closed for user root
> Sep 10 01:00:18 debian sshd[16704]: Illegal user admin from ::ffff:83.170.72.51
> Sep 10 01:00:19 debian sshd[16704]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:19 debian sshd[16704]: Failed password for illegal user admin from ::ffff:83.170.72.51 port 37887 ssh2
> Sep 10 01:00:20 debian sshd[16706]: Illegal user administrator from ::ffff:83.170.72.51
> Sep 10 01:00:20 debian sshd[16706]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:20 debian sshd[16706]: Failed password for illegal user administrator from ::ffff:83.170.72.51 port 38063 ssh2
> Sep 10 01:00:21 debian sshd[16709]: Illegal user jack from ::ffff:83.170.72.51
> Sep 10 01:00:22 debian sshd[16709]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:22 debian sshd[16709]: Failed password for illegal user jack from ::ffff:83.170.72.51 port 38231 ssh2
> Sep 10 01:00:23 debian sshd[16711]: Illegal user marvin from ::ffff:83.170.72.51
> Sep 10 01:00:23 debian sshd[16711]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:23 debian sshd[16711]: Failed password for illegal user marvin from ::ffff:83.170.72.51 port 38411 ssh2
> Sep 10 01:00:25 debian sshd[16713]: Illegal user andres from ::ffff:83.170.72.51
> Sep 10 01:00:25 debian sshd[16713]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:25 debian sshd[16713]: Failed password for illegal user andres from ::ffff:83.170.72.51 port 38595 ssh2
> Sep 10 01:00:26 debian sshd[16716]: Illegal user barbara from ::ffff:83.170.72.51
> Sep 10 01:00:26 debian sshd[16716]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:26 debian sshd[16716]: Failed password for illegal user barbara from ::ffff:83.170.72.51 port 38773 ssh2
> Sep 10 01:00:28 debian sshd[16718]: Illegal user adine from ::ffff:83.170.72.51
> Sep 10 01:00:28 debian sshd[16718]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:28 debian sshd[16718]: Failed password for illegal user adine from ::ffff:83.170.72.51 port 38966 ssh2
> Sep 10 01:00:29 debian sshd[16720]: Illegal user test from ::ffff:83.170.72.51
> Sep 10 01:00:29 debian sshd[16720]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:29 debian sshd[16720]: Failed password for illegal user test from ::ffff:83.170.72.51 port 39126 ssh2
> Sep 10 01:00:31 debian sshd[16723]: Illegal user guest from ::ffff:83.170.72.51
> Sep 10 01:00:31 debian sshd[16723]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:31 debian sshd[16723]: Failed password for illegal user guest from ::ffff:83.170.72.51 port 39324 ssh2
> Sep 10 01:00:32 debian sshd[16725]: Illegal user db from ::ffff:83.170.72.51
> Sep 10 01:00:32 debian sshd[16725]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:32 debian sshd[16725]: Failed password for illegal user db from ::ffff:83.170.72.51 port 39497 ssh2
> Sep 10 01:00:34 debian sshd[16727]: Illegal user ahmed from ::ffff:83.170.72.51
> Sep 10 01:00:34 debian sshd[16727]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:34 debian sshd[16727]: Failed password for illegal user ahmed from ::ffff:83.170.72.51 port 39675 ssh2
> Sep 10 01:00:35 debian sshd[16729]: Illegal user alan from ::ffff:83.170.72.51
> Sep 10 01:00:35 debian sshd[16729]: error: Could not get shadow information for NOUSER
> Sep 10 01:00:35 debian sshd[16729]: Failed password for illegal user alan from ::ffff:83.170.72.51 port 39832 ssh2
> Sep 10 01:00:37 debian sshd[16732]: Illegal user albert from ::ffff:83.170.72.51
> Sep 10 01:00:37 debian sshd[16732]: error: Could not get shadow information for NOUSER
> 
> [...] a few thousand lines like this
> 
> Sep 10 01:11:13 debian sshd[17711]: Failed password for illegal user admins from ::ffff:83.170.72.51 port 50218 ssh2
> Sep 10 01:11:14 debian sshd[17713]: Failed password for root from ::ffff:83.170.72.51 port 50353 ssh2
> Sep 10 01:11:16 debian sshd[17715]: Failed password for root from ::ffff:83.170.72.51 port 50651 ssh2
> Sep 10 01:11:17 debian sshd[17718]: Failed password for root from ::ffff:83.170.72.51 port 51318 ssh2
> Sep 10 01:11:19 debian sshd[17720]: Failed password for root from ::ffff:83.170.72.51 port 51482 ssh2
> Sep 10 01:11:20 debian sshd[17722]: Failed password for root from ::ffff:83.170.72.51 port 51770 ssh2
> 
> [...] 
> 
> Sep 10 01:12:03 debian sshd[17789]: Failed password for root from ::ffff:83.170.72.51 port 33967 ssh2
> Sep 10 01:12:04 debian sshd[17791]: Failed password for root from ::ffff:83.170.72.51 port 34290 ssh2
> Sep 10 01:12:06 debian sshd[17794]: Failed password for root from ::ffff:83.170.72.51 port 34412 ssh2
> Sep 10 01:12:07 debian sshd[17796]: Failed password for root from ::ffff:83.170.72.51 port 35084 ssh2
> Sep 10 01:12:09 debian sshd[17798]: Failed password for root from ::ffff:83.170.72.51 port 35179 ssh2
> Sep 10 01:12:10 debian sshd[17800]: Failed password for root from ::ffff:83.170.72.51 port 36468 ssh2
> Sep 10 01:12:12 debian sshd[17803]: Failed password for root from ::ffff:83.170.72.51 port 39287 ssh2
> Sep 10 01:13:28 debian sshd[17922]: Failed password for root from ::ffff:83.170.72.51 port 35609 ssh2
> Sep 10 01:13:29 debian su[17924]: + pts/0 fz:root
> Sep 10 01:13:29 debian su[17924]: (pam_unix) session opened for user root by fz(uid=1000)
> Sep 10 01:13:29 debian sshd[17925]: Failed password for root from ::ffff:83.170.72.51 port 35718 ssh2
> Sep 10 01:13:31 debian sshd[17928]: Failed password for root from ::ffff:83.170.72.51 port 36332 ssh2
> Sep 10 01:13:32 debian sshd[17931]: Failed password for root from ::ffff:83.170.72.51 port 36605 ssh2
> Sep 10 01:13:34 debian sshd[17933]: Failed password for root from ::ffff:83.170.72.51 port 36843 ssh2
> Sep 10 01:15:50 debian sshd[18169]: Failed password for root from ::ffff:83.170.72.51 port 49164 ssh2
> Sep 10 01:15:52 debian sshd[18172]: Failed password for root from ::ffff:83.170.72.51 port 50317 ssh2
> Sep 10 01:15:53 debian sshd[18174]: Failed password for root from ::ffff:83.170.72.51 port 51059 ssh2
> Sep 10 01:15:55 debian sshd[18176]: Failed password for root from ::ffff:83.170.72.51 port 52225 ssh2
> Sep 10 01:15:57 debian sshd[18179]: Failed password for root from ::ffff:83.170.72.51 port 53013 ssh2
> Sep 10 01:15:58 debian sshd[18183]: Failed password for root from ::ffff:83.170.72.51 port 54437 ssh2
> Sep 10 01:16:00 debian sshd[18185]: Failed password for root from ::ffff:83.170.72.51 port 55263 ssh2
> Sep 10 01:16:02 debian sshd[18188]: Failed password for root from ::ffff:83.170.72.51 port 56625 ssh2
> Sep 10 01:16:03 debian sshd[18190]: Failed password for root from ::ffff:83.170.72.51 port 57807 ssh2
> Sep 10 01:16:04 debian sshd[3837]: Received signal 15; terminating.
> Sep 10 01:16:05 debian sshd[18192]: Failed password for root from ::ffff:83.170.72.51 port 58675 ssh2
> Sep 10 01:16:51 debian su[18207]: + pts/0 fz:root
> Sep 10 01:16:51 debian su[18207]: (pam_unix) session opened for user root by fz(uid=1000)
> Sep 10 01:17:01 debian CRON[18211]: (pam_unix) session opened for user root by (uid=0)
> Sep 10 01:17:01 debian CRON[18211]: (pam_unix) session closed for user root
> Sep 10 01:23:01 debian CRON[18375]: (pam_unix) session opened for user mail by (uid=0)
> Sep 10 01:23:01 debian CRON[18375]: (pam_unix) session closed for user mail
> Sep 10 01:30:01 debian CRON[18519]: (pam_unix) session opened for user root by (uid=0)
> Sep 10 01:30:07 debian CRON[18519]: (pam_unix) session closed for user root
> Sep 10 01:38:01 debian CRON[18661]: (pam_unix) session opened for user mail by (uid=0)
> Sep 10 01:38:01 debian CRON[18661]: (pam_unix) session closed for user mail
> Sep 10 01:53:01 debian CRON[18896]: (pam_unix) session opened for user mail by (uid=0)
> Sep 10 01:53:01 debian CRON[18896]: (pam_unix) session closed for user mail
> 
> /etc/ssh/sshd_config
> ==========================================
> 
> # Package generated configuration file
> # See the sshd(8) manpage for defails
> 
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
> 
> # ...but breaks Pam auth via kbdint, so we have to turn it off
> # Use PAM authentication via keyboard-interactive so PAM modules can
> # properly interface with the user (off due to PrivSep)
> #PAMAuthenticationViaKbdInt no
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
> 
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> 
> # Authentication:
> LoginGraceTime 600
> #PermitRootLogin yes
> PermitRootLogin no
> StrictModes yes
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile     %h/.ssh/authorized_keys
> 
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Uncomment to disable s/key passwords 
> #ChallengeResponseAuthentication no
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> 
> 
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
> 
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
> 
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd no
> #PrintLastLog no
> KeepAlive yes
> #UseLogin no
> 
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
> #ReverseMappingCheck yes
> 
> Subsystem sftp /usr/lib/openssh/sftp-server
> 
> 
> UsePAM yes
> 
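An added example, not from either poster, that does over the quoted auth.log what the thread is asking fail2ban for: it parses sshd's "Failed password" lines, summarises per source address how many failures, distinct usernames and root attempts there were, and flags an address once maxretry failures fall inside one findtime window. The sample log is a constructed excerpt in the quoted format; 10.0.0.5 is a made-up local address, and the maxretry/findtime values are assumptions, not fail2ban's defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(log_text):
    """Yield (timestamp, ip, user) per failed login; syslog stamps have no year, so 1900 is used."""
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):  # CRON, su and "Illegal user ..." lines do not match
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]

def summarize(events):
    """Per source IP: failure count, distinct usernames tried, attempts against root."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "root": 0})
    for _ts, ip, user in events:
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
        stats[ip]["root"] += user == "root"
    return dict(stats)

def find_offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: flag an IP once maxretry failures fall inside one findtime window."""
    per_ip = defaultdict(list)
    for ts, ip, _user in events:
        per_ip[ip].append(ts)
    flagged = {}  # ip -> timestamp at which the rule first fired
    for ip, times in per_ip.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= findtime:
                flagged[ip] = times[i]
                break
    return flagged

# Constructed excerpt in the quoted log's format: the scanner from the report, an su line (must not match), a local typo.
SAMPLE_LOG = """\
Sep 10 01:00:19 debian sshd[16704]: Failed password for illegal user admin from ::ffff:83.170.72.51 port 37887 ssh2
Sep 10 01:00:20 debian sshd[16706]: Failed password for illegal user administrator from ::ffff:83.170.72.51 port 38063 ssh2
Sep 10 01:00:22 debian sshd[16709]: Failed password for illegal user jack from ::ffff:83.170.72.51 port 38231 ssh2
Sep 10 01:00:23 debian sshd[16711]: Failed password for illegal user marvin from ::ffff:83.170.72.51 port 38411 ssh2
Sep 10 01:00:25 debian sshd[16713]: Failed password for illegal user andres from ::ffff:83.170.72.51 port 38595 ssh2
Sep 10 01:11:14 debian sshd[17713]: Failed password for root from ::ffff:83.170.72.51 port 50353 ssh2
Sep 10 01:13:29 debian su[17924]: (pam_unix) session opened for user root by fz(uid=1000)
Sep 10 01:20:00 debian sshd[18300]: Failed password for fz from ::ffff:10.0.0.5 port 40000 ssh2
"""
```

Running `find_offenders(list(parse_failures(SAMPLE_LOG)))` flags only 83.170.72.51, at the fifth failure (01:00:25); the single local typo never reaches the threshold.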
