I'm under attack

[Ricky]

Hi everyone,

I am running FreeBSD under Windows 7 using VirtualBox. Some days ago I got hacked and I could not connect any more to SSH and MySql.

Here is what I have done to prevent hackers:

Root's password is at least 16 characters mixed with numbers and letters;
Anti DDoS script running every minute:

#!/bin/sh
MAX_CONN=200
mkdir /tmp/itcforce
TMP_PREFISSO='/tmp/itcforce'
TMP_FILE='ip-abusi'
netstat -ntu -f inet| awk '{if(NR>2 && NF=6) print $5}' | cut -d. -f1-4 | grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' | sort | uniq -c | sort -nr > $TMP_FILE
while read line; do
COR_LINEA_CONN=$(echo $line | cut -d" " -f1)
COR_LINEA_IP=$(echo $line | cut -d" " -f2)
if [ $COR_LINEA_CONN -lt $MAX_CONN ]; then
break
fi
echo $COR_LINEA_IP > $TMP_PREFISSO/abusi
awk '{$1="/sbin/route add -net "$0}1{$2=" 127.0.0.1 -blackhole"}2' $TMP_PREFISSO/abusi > $TMP_PREFISSO/nullr.sh ; sh $TMP_PREFISSO/nullr.sh
done < $TMP_FILE
rm -rf $TMP_PREFISSO

Anti Brute-Force script running every 10 minutes:

#!/bin/sh
if ipfw show | awk '{print $1}' | grep -q 20000 ; then
        ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users
# No check for duplicate entries is performed, since the rule
# has been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from $ip to any in
done

My ipfw.rules:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

$IPF 130 allow tcp from 192.168.1.80 to 192.168.1.69 SSHPort
$IPF 131 deny tcp from any to any SSHPort
#$IPF 150 allow udp from any to any 80 in
#$IPF 155 allow tcp from any to any 80 in
#$IPF 160 allow udp from any to any 80 out
#$IPF 165 allow tcp from any to any 80 out
$IPF 170 allow tcp from 192.168.1.80 to 192.168.1.69 3306
$IPF 171 deny tcp from any to any 3306

# metin2
$IPF 220 allow tcp from 192.168.1.80 to 192.168.1.69 11002 in
$IPF 230 allow tcp from any to any 11002 out
$IPF 240 allow tcp from any to any 13000 in
$IPF 250 allow tcp from any to any 13000 out
$IPF 260 allow tcp from any to any 13001 in
$IPF 270 allow tcp from any to any 13001 out
$IPF 280 allow tcp from any to any 13099 in
$IPF 290 allow tcp from any to any 13099 out

I would like if someone could give me more tips to make my system secure.

Thank you.

 

[Lorem-Ipsum]

I would move ssh to a different port, something a bit obscure and run Fail2Ban with some custom regex on /var/log/auth.log with a huge ban time.

Also if you can, set ssh authentication to use ssh keys only.

 

[kpa]

1) Disable direct root logins via ssh(1) if you haven't already and use a normal user account in wheel group for accessing the root account with su(1) (or security/sudo).

2) Install security/sshguard-ipfw to temporarily ban apparent hackers or move the ssh listening port to a non standard port. The latter option is surprisingly good. (I have the sshd daemon listening on the standard port 22 but I have a port forward from a non standard port on the external address to port 22 on localhost and access is allowed only to the non-standard port.)

3) Disable PasswordAuthentication and ChallengeResponseAuthentication in sshd_config(5) and effectively force logins with only RSA keys.

 

[Ricky]

Thank you for your answers. Due to an ipfw rule ($IPF 130 allow tcp from 192.168.1.80 to 192.168.1.69 SSHPort) I believe my SSH is already pretty secure but still I will take a look at your advises. Protection is never too much.

I forgot to mention that the attack was probably a DDoS. Of course I can be wrong but it seems they (hackers) have killed some of my processes. Can someone help me protecting my system against DDoS? Also back in the time my router Intrusion Detection was disabled for an unknown reason. I already enabled it and I'm 50% the attacks are over but still get this security logs on my router.

 	Mar 17 23:07:52	FIREWALL replay check (1 of 3): Protocol: ICMP Src ip: 187.104.233.42 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Host Unreacheable

 	Mar 17 22:54:23	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 187.104.233.42 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Host Unreacheable

 	Mar 17 22:53:43	FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 187.104.233.42 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Host Unreacheable

 	Mar 17 22:13:26	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:13:24	FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 86.127.139.43 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Host Unreacheable

 	Mar 17 22:07:55	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:06:41	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:05:25	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:04:08	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:03:07	FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 89.37.117.157 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Host Unreacheable

 	Mar 17 22:02:45	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:01:15	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

 	Mar 17 22:00:07	FIREWALL replay check (1 of 1): Protocol: ICMP Src ip: 91.74.119.118 Dst ip: 85.245.176.155 Type: Destination Unreachable Code: Communication Administratively Prohibited

fragment_sweep	0
zero-length_fragment_size	0
small_fragment_size	0
fragment_size_overrun	0
fragment_overlap	0
fragment_out-of-order	6
ip_protocol_scan	0
tcp_port_scan	1
tcp_syn_scan	0
stealth_tcp_null_scan	0
stealth_tcp_fin_scan	0
stealth_tcp_xmas_scan	0
stealth_tcp_full_xmas_scan	0
stealth_tcp_vecna_scan	0
stealth_tcp_syn-fin_scan	0
udp_port_scan	0
ping_sweep_scan	0
tcp_syn_flood	6
udp_flood	0
ping_flood	0
icmp_unreachable_storm	0
smurf_broadcast_attack	0
smurf_storm_attack	0
fraggle_broadcast_attack	0
fraggle_storm_attack	0
land_attack	0
tcp_null_port	0
tcp_data_on_syn_segment	0
tcp_invalid_urgent_offset	0
udp_null_port	2
icmp_type_unknown	0
icmp_code_unknown	0
ip_zero_payload	0
tcp_rate_limiting	0
udp_rate_limiting	0
icmp_rate_limiting	0
ip_rate_limiting	0

This is weird. Not sure if it could be because of web browsing. I tried DDoS Deflate in the past but the make file had some sort of error.

Once again thank you for the fast replies

I forgot to show you my sysctl.conf

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50
kern.ipc.somaxconn=32768

 

[fonz]

As mentioned above, even something as simple as running sshd(8) on a (high-numbered) non-standard port (e.g. 21774 or something) already helps surprisingly much. Disallowing remote root logins is pretty much standard. As is closing every port that isn't absolutely needed.

Having Windows in between could be either an additional security layer or an additional liability; I'm not going there.

Fonz

P.S. Just for what it's worth: you probably mean [red]cr[/red]ackers, not [red]h[/red]ackers...

 

[drhowarddrfine]

Having Windows in between could be either an additional security layer or an additional liability; I'm not going there.

I will. Windows is how they got in. It's your big weakness.

 

[kpa]

DDoS? I thought you said someone had managed to break into your system... two very different type of attacks.
Well the bad news is that if you're hit with a DDoS there's very little you can do on the actual host to remedy the situation, all you can do is call your ISP and ask if they could block the attackers.

And yeah, having the Windows system in between the attackers and your system running in VBox isn't going to help in terms of security.

 

[sossego]

The other way is:
Go outside and disconnect your cable or phone line from where it comes to your place.
Wait 24 hours.
New IP- unless you have static.

Meanwhile you can use a Linux liveCD and copy the .vdi image to a key.

Run a scan on your system for rootkits and viruses/viri. Remove them.
Use system restore.


There is plenty of used equipment that people are throwing away, giving away, selling for cheap, and hacking at pawn/consignment/used shops; I suggest you go and find/buy such.

Buy a used router if you don't already have one.

Okay. Reconnect the cable/phone line.
Connect the router.
Burn a CD of FreeBSD.
Connect your used box.
Install.

After such you can add another card to the FreeBSD box.
Set it up as a firewall, dhcp server/router.
Connect the machine running Windows to it.

Ta dah!!! You have proved your nerdiness and can pimp around the hood.