  1. #1

    FreeBSD system security - please urgent

    Hi. I argued with a hosting customer some hours ago, and he wrote about my websites and is scrabbling me in some forum. So I just care about the server's security. I updated the ports 3 days ago, and now I checked again: the ports collection and the installed programs are up to date. The version of the operating system is FreeBSD 6.1, but I'm so angry and paranoid now...

    In the ps aux command I see some lines like these:

    root 92173 0.0 0.2 4864 2392 ?? Ss 11:21PM 0:00.03 sshd: unknown [priv] (sshd)
    sshd 92174 0.0 0.2 4760 2264 ?? S 11:21PM 0:00.01 sshd: unknown [net] (sshd)
    root 92175 0.0 0.2 4708 2200 ?? Ss 11:21PM 0:00.02 sshd: [accepted] (sshd)
    sshd 92176 0.0 0.2 4720 2228 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
    sshd 92178 0.0 0.2 4720 2224 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
    root 91411 0.0 0.2 6120 2464 ?? Is 11:12PM 0:00.04 sshd: masterbb [priv] (sshd)

    Do these lines make any trouble?

    When I type the "w" command, I don't see any other user besides me. I'm not seeing any foreign logged-in session. Nobody had shell access to the server before.

    What can you suggest to me about security? What do these "ps aux" outputs mean? Do you think my server is secure in general? I'm regularly updating the ports collection.

    Thanks.

  2. #2
    eagle# tail /var/log/auth.log
    Dec 7 23:29:16 eagle sshd[92556]: Invalid user cesar from 208.98.219.212
    Dec 7 23:29:20 eagle sshd[92560]: Invalid user caesar from 208.98.219.212
    Dec 7 23:29:26 eagle sshd[92562]: Invalid user center from 208.98.219.212
    Dec 7 23:29:29 eagle sshd[92564]: Invalid user copy from 208.98.219.212
    Dec 7 23:29:33 eagle sshd[92568]: Invalid user cindy from 208.98.219.212
    Dec 7 23:29:37 eagle sshd[92575]: Invalid user chenst from 208.98.219.212
    Dec 7 23:29:41 eagle sshd[92589]: Invalid user chicago from 208.98.219.212
    Dec 7 23:29:46 eagle sshd[92598]: Invalid user cynthia from 208.98.219.212
    Dec 7 23:29:50 eagle sshd[92600]: Invalid user colleen from 208.98.219.212
    Dec 7 23:30:00 eagle sshd[92602]: Invalid user collins from 208.98.219.212

  3. #3
    Change your sshd port. There are other ways to secure it but you might as well just do that to cut down on any load issues.

  4. #4
    Also it would be useful to install some kind of "intellectual firewall" which detects possible attacks and bans attacker IPs for some time, like apf + bfd.
    NIX Solutions Admins Team

  5. #5
    Thanks. I changed the sshd port. What do you think about these ps aux outputs?

    root 92173 0.0 0.2 4864 2392 ?? Ss 11:21PM 0:00.03 sshd: unknown [priv] (sshd)
    sshd 92174 0.0 0.2 4760 2264 ?? S 11:21PM 0:00.01 sshd: unknown [net] (sshd)
    sshd 92176 0.0 0.2 4720 2228 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
    sshd 92178 0.0 0.2 4720 2224 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)

    Don't these lines mean any system-hacked signals? Do you think I am secure? I am regularly updating the ports collection and installed programs, and nobody besides me has had a shell account before. Should I not fear?

    I don't have any firewall on the system now, but I decided to install one.

    Thanks again.

  6. #6
    Install APF and BFD; also, if you see 208.98.219.212 trying to log in again, ban the IP.

  7. #7
    Quote Originally Posted by Excel Hosting UK
    Install APF and BFD; also, if you see 208.98.219.212 trying to log in again, ban the IP.
    FreeBSD, those won't work.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  8. #8
    Quote Originally Posted by Steven
    FreeBSD, those won't work.
    Yes. I couldn't find them in the ports security directory. Which firewall do you suggest for FreeBSD?

  9. #9
    The guy is talking about FreeBSD, and APF and BFD don't work on FreeBSD. You need to install an IPFW firewall. Looks like maybe this server was compromised, as those ssh lines don't look right there.

    You better contact a server security company and get your box checked out and your ssh moved to another port.

  10. #10
    Hi. I was very stressed. When I saw these lines, I felt terrible. They were only SSH login attempts: the attacker was trying passwords with a user wordlist. The hard thing is to find my personal username, then crack the password. Because the system is FreeBSD, you can't log in as root remotely; first you must log in as a standard user. Now I changed the sshd port.

    And all programs are up to date, so I think it's a hard system to be exploited by a kiddie. I was hacked 2 years ago with a Red Hat 7.3 system, so I am very paranoid now.

    But anyway, i will format the machine soon.

    Thank you all.

  11. #11
    Have you read the Firewall chapter of the FreeBSD handbook? That'd be a good starting place if you aren't already familiar with FreeBSD's firewall options.

    ipfw is the more complete firewall solution, but pf is a little easier and still very feature-rich. Both are actively developed, but pf is maintained by the OpenBSD team. Pick whichever one you feel is easiest for you and install it. Personally, I prefer pf, since persistent tables are quite handy and the syntax is pretty straight-forward.

    As far as your brute force "problem" (debatable, in my opinion it's just log noise), you might consider looking into one of the several options available to you in the ports tree. For example, security/bruteforceblocker is a nice solution. It's better than the APF/BFD combo most people recommend for Linux simply because it's inline. The problem I have with BFD is it waits for the cron to run, then it has to parse the latest entries to the security log. I think it's an ugly hack, particularly when syslogd (at least FreeBSD's implementation...) has the facility to pipe the output to an application -- i.e. a parser. It's simple to configure, too.

    You should also install security/portaudit if you haven't already. It'll attach an audit of your installed ports to the nightly security report, letting you know if anything is vulnerable. It'll even give you a link to the CVE notice.

    And finally, are you subscribed to the freebsd-security-notifications mailing list? If not, you should probably go ahead and subscribe. It'll keep you aware of any system-level vulnerabilities.
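A worked version of the inline log-parsing approach described in the post above, added here as an example and not code from the thread or from the bruteforceblocker port: it scans auth.log-style sshd lines, counts "Invalid user" attempts per source address, and prints the pfctl commands that would add repeat offenders to a persistent pf table. The table name "bruteforce", the threshold, and the sample log lines are constructed assumptions; the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Counts sshd "Invalid user" attempts per
# source IP in FreeBSD auth.log-style lines and lists sources over a threshold.
# Assumes pf is loaded with a persistent table declared in /etc/pf.conf, e.g.:
#   table <bruteforce> persist
#   block in quick on $ext_if from <bruteforce>
# The table name, threshold and sample log lines are constructed for this demo.

# Print "count ip" for every source with >= $1 "Invalid user" lines on stdin.
offenders() {
    threshold="${1:-5}"
    # Field layout: "Dec  7 23:29:16 host sshd[pid]: Invalid user NAME from IP"
    # The IP is taken from the field after "from", so a trailing "port N" is tolerated.
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Invalid user .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into the pfctl command that would add the IP to the
# table. Printed only (dry run); a real hook would execute it via syslogd's
# pipe facility instead of waiting for a cron job to re-read the log.
block_cmds() {
    while read -r count ip; do
        printf 'pfctl -t bruteforce -T add %s   # %s failed attempts\n' "$ip" "$count"
    done
}

# Constructed sample input in FreeBSD auth.log format (documentation IPs, not real traffic).
SAMPLE_LOG='Dec  7 23:29:16 eagle sshd[92556]: Invalid user cesar from 192.0.2.10
Dec  7 23:29:20 eagle sshd[92560]: Invalid user caesar from 192.0.2.10
Dec  7 23:29:26 eagle sshd[92562]: Invalid user center from 192.0.2.10
Dec  7 23:29:29 eagle sshd[92564]: Invalid user copy from 192.0.2.10
Dec  7 23:29:33 eagle sshd[92568]: Invalid user cindy from 192.0.2.10
Dec  7 23:29:40 eagle sshd[92570]: Invalid user admin from 198.51.100.7
Dec  7 23:29:45 eagle sshd[92571]: Accepted publickey for masterbb from 203.0.113.5 port 51022 ssh2'

# Dry run: only the source with five failures crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | offenders 5 | block_cmds
```

The "Accepted publickey" line is deliberately included to show that successful logins and other sshd messages are ignored by the match.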

  12. #12
    @Anonymous Coward,

    Thank you very, very, very much. I will keen on what you have said. Thanks again.
