Server Security

[Lego]

I hope this would be the right forum section...

Ok, So I was reading this article about tracing hackers, because My server was getting
bombarded with attempts on ssh server, so I changed the Port, to a non-standard port
a long while ago (I believe i even made an article with it); which I won't be
revealing.... http://forums.techarena.in/guides-tutorials/443453.htm

Anyway, Recently, My server has been being attacked though my ftp port(I don't know
much about hackers/hacking but I figure if they are trying to get into my ftp they are
trying to either download password files, or upload a virus/trojan), my ftp accounts
are limited and passwords are strong, and all are jailed. So as I was saying my ftp
has been gettting attacked:

blurr-ink.com login failures:
Oct 25 23:25:06 blurr-ink proftpd[34072]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:25:18 blurr-ink proftpd[34079]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:25:30 blurr-ink proftpd[34080]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:25:42 blurr-ink proftpd[34081]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:25:54 blurr-ink proftpd[34082]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:25:56 blurr-ink proftpd[34083]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:26:08 blurr-ink proftpd[34084]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:26:21 blurr-ink proftpd[34088]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:26:33 blurr-ink proftpd[34089]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:26:38 blurr-ink proftpd[34090]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:26:43 blurr-ink proftpd[34091]: localhost (125.152.0.72[125.152.0.72]) - USER mysql (Login failed): Incorrect password. 
Oct 25 23:52:58 blurr-ink proftpd[34677]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:09 blurr-ink proftpd[34678]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:10 blurr-ink proftpd[34678]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:10 blurr-ink proftpd[34678]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:21 blurr-ink proftpd[34740]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:22 blurr-ink proftpd[34740]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:22 blurr-ink proftpd[34740]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:33 blurr-ink proftpd[34741]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:34 blurr-ink proftpd[34741]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:34 blurr-ink proftpd[34741]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:46 blurr-ink proftpd[34742]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:46 blurr-ink proftpd[34742]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:47 blurr-ink proftpd[34742]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:58 blurr-ink proftpd[34743]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:58 blurr-ink proftpd[34743]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:53:59 blurr-ink proftpd[34743]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:10 blurr-ink proftpd[34744]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:10 blurr-ink proftpd[34744]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:11 blurr-ink proftpd[34744]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:22 blurr-ink proftpd[34748]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:23 blurr-ink proftpd[34748]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:23 blurr-ink proftpd[34748]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:27 blurr-ink proftpd[34749]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:28 blurr-ink proftpd[34749]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:28 blurr-ink proftpd[34749]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:39 blurr-ink proftpd[34750]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:40 blurr-ink proftpd[34750]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:40 blurr-ink proftpd[34750]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:52 blurr-ink proftpd[34751]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:52 blurr-ink proftpd[34751]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21 
Oct 25 23:54:53 blurr-ink proftpd[34751]: localhost (125.152.0.72[125.152.0.72]) - USER webadmin: no such user found from 125.152.0.72 [125.152.0.72] to 192.168.0.194:21

In the article its talking about tracing using the dos prompt, netstat, tracert, etc.
and was experimenting on my windows machine doing this to connections to follow along with the article.

Now when I do an IP lookup I get this:

% APNIC found the following authoritative answer from: whois.apnic.net

% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      125.128.0.0 - 125.159.255.255
netname:      KORNET
descr:        Korea Telecom
descr:        Network Management Center
country:      KR
admin-c:      IM76-AP
tech-c:       IM76-AP
descr:        ************************************************
descr:        Allocated to KRNIC Member.
descr:        If you would like to find assignment
descr:        information in detail please refer to
descr:        the KRNIC Whois Database at:
descr:        "http://whois.nic.or.kr/english/index.html"
descr:        ************************************************
status:       Allocated Portable
mnt-by:       MNT-KRNIC-AP
mnt-lower:    MNT-KRNIC-AP
changed:      hm-changed@apnic.net 20050822
source:       APNIC

person:       IP Manager
nic-hdl:      IM76-AP
e-mail:       ip@krnic.kornet.net
e-mail:       abuse@kornet.net
address:      Seoul
address:      206, Jungja-Dong, Bundang-Gu, Sungnam, Gyunggi-Do
address:      463-711
phone:        +82-2-3674-5708
fax-no:       +82-2-747-8701
country:      KR
changed:      hostmaster@nic.or.kr 20061009
mnt-by:       MNT-KRNIC-AP
source:       APNIC

inetnum:      125.128.0.0 - 125.159.255.255
netname:      KORNET-KR
descr:        Korea Telecom
country:      KR
admin-c:      IA9-KR
tech-c:       IM9-KR
status:       ALLOCATED PORTABLE
mnt-by:       MNT-KRNIC-AP
remarks:      This information has been partially mirrored by APNIC from
remarks:      KRNIC. To obtain more specific information, please use the
remarks:      KRNIC whois server at whois.krnic.net.
changed:      hostmaster@nic.or.kr
source:       KRNIC

What else can I do?? or what methods are available to bsd to do this??

 

[Lego]

Also, Im behind a router, with the needed ports forwarded, and the firewall on the router being used, I have no firewall installed on my bsd server, I've been relying on the fact that I only open needed ports and forward them to the server and the firewall in my router...

Also, there is no remote adminitration of my router setup, so nobody can log into the router from an external connection

 

[Lego]

Also how could i see every connection to the server, so i can figure out if something has already been done to the server??

 

[SirDice]

Getting bombarded by ssh brute-force attacks is a fact of life unfortunately. You may want to have a look at security/sshguard. There are several other similar ports too.

If you want to see what's going on tcpdump(1) is the tool I would use. You do need to have a good understanding of TCP/IP to make sense of it all.

 

[dennylin93]

+1 for security/sshguard-pf. The attempts continue, but they're cut off after a few failed attempts. I've started to ignore the SSH attempts in my security daily output since they're there every day.

 

[Lego]

well like i said, i changed my ssh to a non-standard port, and haven't had a single ssh attempt since, because nobody would ever guess this port number....

The issues are now with the ftp.. but I will look into sshguard,

I want to beable to trace the hacker thats attempting to break in..... does the tcpdump produce a similar out as netstat in dos?? or is there another program or something That I can use to log more information when they try to log in??

 

[SirDice]

I want to beable to trace the hacker thats attempting to break in.....

What do you feel is missing in /var/log/auth.log?

does the tcpdump produce a similar out as netstat in dos??

Not really. No offense but if you don't know how and why tcp/ip works tcpdump isn't the tool for you.

 

[Lego]

I have a basic Idea of how TCP/IP works, anyway, what do you mean when you say "What do you feel is missing in /var/log/auth.log?"?? I don't know whats missing in that log, I've looked at it, and it says at the top "Oct 26 00:00:00 blurr-ink newsyslog[34871]: logfile turned over due to size>100K"

Then there is a ton of log in attempts to ftp (in the log /var/log/auth.log) 3 trys and connection refused, then 3 more then connection refuses. Over and over and over, then my login then more of the attempts under a different ip...

 

[Lego]

Ok Nevermind, Is there a way to ban or deny the ip after 3 failed login attempts?? im using proftpd

 

[Beastie]

i changed my ssh to a non-standard port, and haven't had a single ssh attempt since, because nobody would ever guess this port number

What about port scanning?

 

[Lego]

well i guess they could do that, but thats besides the point, im not getting ssh attempts, im getting ftp attempts

 

[dennylin93]

I'd recommend using something like security/sshguard-pf instead of changing the port number. This way, you can just use the default port settings instead of specifying them every time. As for FTP, try using sftp instead (automatically enabled by OpenSSH). FTP isn't secure, and it sure is a pain in the neck when it comes to firewalls.

 

[Lego]

ok, Um well I'll definitely look into those options (althought i have the proper port set as the default in putty so it doesn't matter )but I just noticed something unusual in my daily security output:

blurr-ink.com kernel log messages:
+++ /tmp/security.h0LVtTaE	2009-10-28 03:02:08.000000000 -0400
+fxp0: promiscuous mode enabled
+fxp0: promiscuous mode disabled

I have NEVER seen this before what does that mean, and does that mean someone has gained access to my server??

 

[dennylin93]

This should be normal. Promicious mode must be turned on when you want to capture packets on an interface (like when using tcpdump). On some special interfaces, such as bridges, promicious mode is always turned on.

 

[DutchDaemon]

tcpdump will put the interface in promiscuous mode unless you use the -p flag (which is usually fine).

 

[SirDice]

Ok Nevermind, Is there a way to ban or deny the ip after 3 failed login attempts?? im using proftpd

sshguard can also protect proftp. http://sshguard.sourceforge.net/

 

[Lego]

cool, and thanks.