Simple way to Foil the Hacker

I attended the TALUG meeting focusing on Linux security last weekend (May 17, 2008). The presenter offered several techniques for securing our Linux boxen. One technique was simply to move sshd off its default port, 22 (the Port directive in sshd_config).

After the meeting I made the change from the default port 22. Now that a few days have passed, I decided to examine the logs to see what effect this has had on my firewall. These logs are from our company firewall, which is an OpenBSD box named Fred.

I grabbed a log file generated a few weeks ago named authlog.7.gz. I copied it to the home directory and gunzipped it.

The first and last lines of the log show the date range it covers.

[root@Fred ~]$ head -n 1 authlog.7; tail -n 1 authlog.7
Mar 26 10:00:01 Fred newsyslog[25227]: logfile turned over
Apr 2 10:00:01 Fred newsyslog[24528]: logfile turned over

Here's an excerpt from this log showing the brute-force attempts. Note that each failed password appears twice in the log, once under each of two sshd process IDs, and that the bot tries real accounts (root, nobody) as well as non-existent ones.


Mar 26 17:38:45 Fred sshd[27164]: Invalid user pop from 88.97.1.13
Mar 26 17:38:45 Fred sshd[9425]: input_userauth_request: invalid user pop
Mar 26 17:38:45 Fred sshd[9425]: Failed password for invalid user pop from 88.97.1.13 port 38632 ssh2
Mar 26 17:38:45 Fred sshd[27164]: Failed password for invalid user pop from 88.97.1.13 port 38632 ssh2
Mar 26 17:38:45 Fred sshd[9425]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:48 Fred sshd[23027]: Failed password for nobody from 88.97.1.13 port 38716 ssh2
Mar 26 17:38:48 Fred sshd[31795]: Failed password for nobody from 88.97.1.13 port 38716 ssh2
Mar 26 17:38:48 Fred sshd[23027]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:50 Fred sshd[22617]: Failed password for root from 88.97.1.13 port 38797 ssh2
Mar 26 17:38:50 Fred sshd[13602]: Failed password for root from 88.97.1.13 port 38797 ssh2
Mar 26 17:38:51 Fred sshd[22617]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:53 Fred sshd[30861]: Invalid user backup from 88.97.1.13
Mar 26 17:38:53 Fred sshd[10216]: input_userauth_request: invalid user backup
Mar 26 17:38:53 Fred sshd[10216]: Failed password for invalid user backup from 88.97.1.13 port 38881 ssh2
Mar 26 17:38:53 Fred sshd[30861]: Failed password for invalid user backup from 88.97.1.13 port 38881 ssh2
Mar 26 17:38:53 Fred sshd[10216]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:56 Fred sshd[14336]: Invalid user info from 88.97.1.13
Mar 26 17:38:56 Fred sshd[16236]: input_userauth_request: invalid user info
Mar 26 17:38:56 Fred sshd[16236]: Failed password for invalid user info from 88.97.1.13 port 38965 ssh2
Mar 26 17:38:56 Fred sshd[14336]: Failed password for invalid user info from 88.97.1.13 port 38965 ssh2
Mar 26 17:38:56 Fred sshd[16236]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:58 Fred sshd[7568]: Invalid user shop from 88.97.1.13
Mar 26 17:38:58 Fred sshd[28901]: input_userauth_request: invalid user shop


I did a line count on the failed logins for non-existent users and found over 12000 matching lines during this one week. As the excerpt shows, each attempt is logged twice, and failures against real accounts such as root and nobody are not matched by this grep, so treat the figure as a rough measure of the noise rather than an exact count of attempts.

[root@Fred ~]$ grep "Failed password for invalid user" authlog.7 | wc -l
12278

Next, I saved a sorted list of the user names being attempted on Fred to a file named doorknock.txt. The list is in alphabetical order; each name appears only once, preceded by the number of times it was tried.

[root@Fred ~]$ grep "Failed password for invalid user" authlog.7 | awk '{print $11}' | sort | uniq -c > ~/doorknock.txt


A line count of this file shows that over 4000 distinct names were tried.

[root@Fred ~]$ wc -l doorknock.txt
4138 doorknock.txt

Here are the top 20 names attempted. The number before each name is the number of attempts with that name.

[root@Fred ~]$ sort -rn doorknock.txt | head -n 20
164 test
142 admin
88 user
78 guest
60 oracle
60 mysql
48 toor
38 tester
36 irc
34 webmaster
34 testing
32 student
32 info
30 students
30 news
28 web
28 support
28 mail
26 temp
26 shell
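The grep/awk/sort/uniq pipeline above does the job, but it misses two things visible in the excerpt: it ignores failures against accounts that do exist (root, nobody), and it counts each attempt twice because sshd logs every failed password under two process IDs. The following script is an added example, not code from the original post, that parses the same log format, collapses the duplicate lines, counts both kinds of failure, and produces the same "top names" list plus a per-source-address list. The sample log lines are constructed for the example: the first ones copy the pattern of the excerpt, and the Apr 1 lines with the address 203.0.113.9 are made up. The deduplication key (timestamp, user, source IP, source port) is an assumption about what identifies one attempt.

```python
"""Count SSH password-guessing attempts in an OpenBSD-style authlog.

Added example (not from the original post). It reproduces the page's
grep/awk/sort/uniq pipeline and adds two refinements: failures against
real accounts are counted too, and the duplicate line sshd writes for each
failed attempt is collapsed so the totals reflect attempts, not log lines.
"""
import re
from collections import Counter

# Constructed sample log in the format shown on the page. The Mar 26 lines
# copy the excerpt's pattern (each failure logged twice under two sshd PIDs);
# the Apr 1 lines and the address 203.0.113.9 are made up for this example.
SAMPLE_LOG = """\
Mar 26 17:38:45 Fred sshd[27164]: Invalid user pop from 88.97.1.13
Mar 26 17:38:45 Fred sshd[9425]: input_userauth_request: invalid user pop
Mar 26 17:38:45 Fred sshd[9425]: Failed password for invalid user pop from 88.97.1.13 port 38632 ssh2
Mar 26 17:38:45 Fred sshd[27164]: Failed password for invalid user pop from 88.97.1.13 port 38632 ssh2
Mar 26 17:38:45 Fred sshd[9425]: Received disconnect from 88.97.1.13: 11: Bye Bye
Mar 26 17:38:48 Fred sshd[23027]: Failed password for nobody from 88.97.1.13 port 38716 ssh2
Mar 26 17:38:48 Fred sshd[31795]: Failed password for nobody from 88.97.1.13 port 38716 ssh2
Mar 26 17:38:50 Fred sshd[22617]: Failed password for root from 88.97.1.13 port 38797 ssh2
Mar 26 17:38:50 Fred sshd[13602]: Failed password for root from 88.97.1.13 port 38797 ssh2
Mar 26 17:38:53 Fred sshd[10216]: Failed password for invalid user backup from 88.97.1.13 port 38881 ssh2
Mar 26 17:38:53 Fred sshd[30861]: Failed password for invalid user backup from 88.97.1.13 port 38881 ssh2
Apr  1 03:12:07 Fred sshd[4410]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2
Apr  1 03:12:07 Fred sshd[4412]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2
Apr  1 03:12:10 Fred sshd[4410]: Failed password for invalid user test from 203.0.113.9 port 51180 ssh2
Apr  1 03:12:10 Fred sshd[4412]: Failed password for invalid user test from 203.0.113.9 port 51180 ssh2
Apr  1 03:12:12 Fred sshd[4415]: Failed password for invalid user admin from 203.0.113.9 port 51301 ssh2
"""

# One "Failed password" line. The optional "invalid user " prefix tells a
# non-existent account apart from a real one. \s+ after the month absorbs the
# double space syslog uses for single-digit days ("Apr  1").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_failures(log_text, dedup=True):
    """Return (timestamp, user, ip, port, is_invalid_user) tuples, one per line.

    With dedup=True the second copy of a failure (same timestamp, user, source
    address and source port; the assumed identity of one attempt) is dropped.
    """
    seen = set()
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Invalid user", "Received disconnect", newsyslog, ...
        key = (m["ts"], m["user"], m["ip"], m["port"])
        if dedup:
            if key in seen:
                continue
            seen.add(key)
        attempts.append(key + (m["invalid"] is not None,))
    return attempts


def grep_count(log_text):
    """The number the page's pipeline prints: every line containing the
    phrase, duplicates included, real-account failures excluded."""
    return sum("Failed password for invalid user" in l for l in log_text.splitlines())


def invalid_user_count(attempts):
    """Attempts against accounts that do not exist on the box."""
    return sum(1 for a in attempts if a[4])


def top_users(attempts, n=20):
    """(user, attempts) pairs, most-tried first; the page's sort -rn | head."""
    return Counter(a[1] for a in attempts).most_common(n)


def top_sources(attempts, n=20):
    """(source address, attempts) pairs, most active first."""
    return Counter(a[2] for a in attempts).most_common(n)


if __name__ == "__main__":
    attempts = parse_failures(SAMPLE_LOG)
    print("grep-style line count:", grep_count(SAMPLE_LOG))
    print("distinct attempts:", len(attempts),
          "against non-existent users:", invalid_user_count(attempts))
    for user, n in top_users(attempts):
        print(f"{n:4d} {user}")
    for ip, n in top_sources(attempts):
        print(f"{n:4d} {ip}")
```

Run it over a real authlog by reading the file into `parse_failures` instead of `SAMPLE_LOG`. The per-source list is the useful addition for a firewall: a handful of addresses usually account for most of the attempts, which is what you would feed a pf table or block rule.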

Finally, I looked at the current log file and saw that it was started 4 days ago, after I made the port change. Counting the failed login attempts now shows that the brute-force bots, which were only ever probing port 22, have given up on Fred.

[root@Fred log]$ head -n 1 authlog
May 21 10:00:02 Fred newsyslog[2116]: logfile turned over

[root@Fred log]$ grep "Failed password for invalid user" authlog | wc -l
0
