-
12-07-2006, 05:22 PM #1 Newbie (Join Date: May 2006, Posts: 26)
freebsd system security - please urgent
Hi. I argued with a hosting customer some hours ago, and he wrote about my websites and has been slandering me on some forum. So I just care about the server's security. I updated the ports 3 days ago, and now I checked again: the ports collection and the installed programs are up to date, and the version of the operating system is FreeBSD 6.1. But I'm so angry and paranoid now...
In the "ps aux" output I see some lines like these:
root 92173 0.0 0.2 4864 2392 ?? Ss 11:21PM 0:00.03 sshd: unknown [priv] (sshd)
sshd 92174 0.0 0.2 4760 2264 ?? S 11:21PM 0:00.01 sshd: unknown [net] (sshd)
root 92175 0.0 0.2 4708 2200 ?? Ss 11:21PM 0:00.02 sshd: [accepted] (sshd)
sshd 92176 0.0 0.2 4720 2228 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
sshd 92178 0.0 0.2 4720 2224 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
root 91411 0.0 0.2 6120 2464 ?? Is 11:12PM 0:00.04 sshd: masterbb [priv] (sshd)
Do these lines mean any trouble?
When I type the "w" command, I don't see any other user besides me. I'm not seeing any foreign logged-in session. Nobody has had shell access to the server before.
What can you suggest to me about security? What do these "ps aux" outputs mean? Do you think my server is secure in general? I'm regularly updating the ports collection.
Thanks..
-
12-07-2006, 05:27 PM #2 Newbie (Join Date: May 2006, Posts: 26)
eagle# tail /var/log/auth.log
Dec 7 23:29:16 eagle sshd[92556]: Invalid user cesar from 208.98.219.212
Dec 7 23:29:20 eagle sshd[92560]: Invalid user caesar from 208.98.219.212
Dec 7 23:29:26 eagle sshd[92562]: Invalid user center from 208.98.219.212
Dec 7 23:29:29 eagle sshd[92564]: Invalid user copy from 208.98.219.212
Dec 7 23:29:33 eagle sshd[92568]: Invalid user cindy from 208.98.219.212
Dec 7 23:29:37 eagle sshd[92575]: Invalid user chenst from 208.98.219.212
Dec 7 23:29:41 eagle sshd[92589]: Invalid user chicago from 208.98.219.212
Dec 7 23:29:46 eagle sshd[92598]: Invalid user cynthia from 208.98.219.212
Dec 7 23:29:50 eagle sshd[92600]: Invalid user colleen from 208.98.219.212
Dec 7 23:30:00 eagle sshd[92602]: Invalid user collins from 208.98.219.212
-
12-07-2006, 06:14 PM #3 antitheistic atheist (Join Date: Oct 2005, Location: Fleet Street, Posts: 3,244)
Change your sshd port. There are other ways to secure it, but you might as well just do that to cut down on any load issues.
-
12-07-2006, 06:24 PM #4 Newbie (Join Date: Nov 2006, Posts: 26)
Also, it would be useful to install some kind of "intelligent firewall" which detects possible attacks and bans attacker IPs for some time, like APF + BFD.
-
12-08-2006, 01:07 PM #5 Newbie (Join Date: May 2006, Posts: 26)
Thanks. I changed the sshd port. What do you think about these "ps aux" outputs?
root 92173 0.0 0.2 4864 2392 ?? Ss 11:21PM 0:00.03 sshd: unknown [priv] (sshd)
sshd 92174 0.0 0.2 4760 2264 ?? S 11:21PM 0:00.01 sshd: unknown [net] (sshd)
sshd 92176 0.0 0.2 4720 2228 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
sshd 92178 0.0 0.2 4720 2224 ?? S 11:21PM 0:00.01 sshd: [net] (sshd)
Don't these lines indicate any signs of a hacked system? Do you think I am secure? I am regularly updating the ports collection and installed programs, and nobody besides me has had a shell account before. Shouldn't I fear?
I don't have any firewall on the system now, but I decided to install one.
Thanks again..
-
12-08-2006, 01:40 PM #6 Web Hosting Master (Join Date: Apr 2005, Location: Tinterweb, Posts: 556)
Install APF and BFD; also, if you see 208.98.219.212 trying to log in again, ban the IP.
-
12-08-2006, 01:47 PM #7 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)
Originally Posted by Excel Hosting UK
-
12-08-2006, 02:46 PM #8 Newbie (Join Date: May 2006, Posts: 26)
Originally Posted by Steven
-
12-08-2006, 08:36 PM #9 Aspiring Evangelist (Join Date: Jul 2006, Posts: 413)
The guy is talking about FreeBSD, and APF and BFD don't work on FreeBSD. You need to install an IPFW firewall. Looks like maybe this server was compromised, as those ssh lines don't look right there.
You'd better contact a server security company and get your box checked out and your ssh moved to another port.
-
12-09-2006, 04:10 AM #10 Newbie (Join Date: May 2006, Posts: 26)
Hi. I was very stressed. When I saw these lines, I felt terrible. They were only ssh login attempts: the attacker was trying passwords with a user wordlist. The hard thing is to find my personal username, then crack the password. Because the system is FreeBSD, you can't log in as root remotely; first you must log in as a standard user. Now I have changed the sshd port.
And all programs are up to date, so I think it's a hard system for a kiddie to exploit. I was hacked 2 years ago with a Red Hat 7.3 system, so I am very paranoid now.
But anyway, I will format the machine soon.
Thank you all..
-
12-09-2006, 04:14 AM #11 WHT Addict (Join Date: Feb 2006, Posts: 111)
Have you read the Firewall chapter of the FreeBSD handbook? That'd be a good starting place if you aren't already familiar with FreeBSD's firewall options.
ipfw is the more complete firewall solution, but pf is a little easier and still very feature-rich. Both are actively developed, but pf is maintained by the OpenBSD team. Pick whichever one you feel is easiest for you and install it. Personally, I prefer pf, since persistent tables are quite handy and the syntax is pretty straight-forward.
As far as your brute force "problem" (debatable, in my opinion it's just log noise), you might consider looking into one of the several options available to you in the ports tree. For example, security/bruteforceblocker is a nice solution. It's better than the APF/BFD combo most people recommend for Linux simply because it's inline. The problem I have with BFD is it waits for the cron to run, then it has to parse the latest entries to the security log. I think it's an ugly hack, particularly when syslogd (at least FreeBSD's implementation...) has the facility to pipe the output to an application -- i.e. a parser. It's simple to configure, too.
You should also install security/portaudit if you haven't already. It'll attach an audit of your installed ports to the nightly security report, letting you know if anything is vulnerable. It'll even give you a link to the CVE notice.
And finally, are you subscribed to the freebsd-security-notifications mailing list? If not, you should probably go ahead and subscribe. It'll keep you aware of any system-level vulnerabilities.
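To make the two points above concrete, here is an added example (not code from the thread, and not security/bruteforceblocker itself) of the inline approach the reply describes: syslogd pipes sshd lines to a script, the script counts failed logins per source address inside a sliding window, and once a source crosses a threshold it emits the pfctl command that adds the address to a persistent pf table. Its sample input reuses the first five "Invalid user" lines from post #2 and adds two constructed lines from a second address. The table name "bruteforce", the threshold of 5 failures in 120 seconds, the pf.conf fragment, the syslog.conf selector and the script path are all assumptions, not settings anyone in the thread posted.

```python
"""Inline ssh brute-force detector: auth.log lines in, pfctl commands out.

Added example, not from the thread or security/bruteforceblocker. Table name,
threshold, window and the pf.conf fragment are assumptions.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # assumed: failures within the window before blocking
WINDOW_SECONDS = 120   # assumed: sliding window length
TABLE = "bruteforce"   # assumed: name of the persistent pf table

# Assumed /etc/pf.conf fragment the emitted commands rely on: "persist" keeps
# the table across rule reloads, and the block rule sits before the ssh pass.
PF_CONF_FRAGMENT = """\
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
"""

# Matches FreeBSD sshd failures in auth.log, e.g. the thread's
#   Dec 7 23:29:16 eagle sshd[92556]: Invalid user cesar from 208.98.219.212
# and the "Failed password for <user> from <ip> port N ssh2" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # syslog timestamps carry no year; supply one so time arithmetic works
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class BruteForceDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the ip if it crossed the threshold now."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked:
            return None
        recent = self.hits[ip]
        recent.append(ts)
        # forget failures that have fallen out of the window
        while recent and (ts - recent[0]).total_seconds() > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None


def block_commands(ip, table=TABLE):
    """pfctl invocation that adds ip to the table; returned, not executed."""
    return [f"pfctl -t {table} -T add {ip}"]


def scan(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run the detector over an iterable of lines; return newly blocked ips."""
    det = BruteForceDetector(threshold, window)
    return [ip for ip in (det.feed(line) for line in lines) if ip]


# Constructed sample: the first five lines copy the thread's auth.log excerpt;
# the last two (one bad password, then a successful key login from 192.0.2.10)
# are made up to show that a single failure does not trigger a block.
SAMPLE_LOG = [
    "Dec 7 23:29:16 eagle sshd[92556]: Invalid user cesar from 208.98.219.212",
    "Dec 7 23:29:20 eagle sshd[92560]: Invalid user caesar from 208.98.219.212",
    "Dec 7 23:29:26 eagle sshd[92562]: Invalid user center from 208.98.219.212",
    "Dec 7 23:29:29 eagle sshd[92564]: Invalid user copy from 208.98.219.212",
    "Dec 7 23:29:33 eagle sshd[92568]: Invalid user cindy from 208.98.219.212",
    "Dec 7 23:29:35 eagle sshd[92570]: Failed password for masterbb from 192.0.2.10 port 51234 ssh2",
    "Dec 7 23:29:40 eagle sshd[92571]: Accepted publickey for masterbb from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    # assumed syslog.conf line:  auth.info   |/usr/local/sbin/sshwatch.py
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for offender in scan(source):
        for cmd in block_commands(offender):
            print(cmd)
```

Run stand-alone it walks the embedded sample and prints one `pfctl -t bruteforce -T add 208.98.219.212`; fed from syslogd it does the same for live lines. The detector deliberately keys on "Invalid user" and "Failed password" only, so the successful "Accepted publickey" line is ignored, and the sliding window means a slow trickle of typos from a legitimate user never accumulates to the threshold.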
-
12-09-2006, 04:21 AM #12 Newbie (Join Date: May 2006, Posts: 26)
@Anonymous Coward,
Thank you very, very much. I will keep to what you have said. Thanks again..