Take me to Mac network security school.
December 5, 2007 6:12 PM   Subscribe

I noticed this morning in my system logs that I had some failed FTP and SSH login attempts from an IP in China. I thought I was going to have get all Cliff Stoll on this guy, but then looking back further I saw that this has been happening for months, from lots of different IP addresses.

I'm many things, but I have never claimed to be a network guy. I know my way around the command line, for the most part, but after the basic network utilities, I'm done. Further, I've been pretty lax with network security, generally having a "wouldn't happen to me" sort of attitude about hackers. That being said, I admittedly have a very insecure setup between the outside world and my computer. My router is set with DMZ to my computer, so I can get to it easily. I have web sharing, remote desktop, ssh, ftp, and afp enabled -- and use all of them regularly. Up until about half an hour ago, I also had my software firewall disabled.

On the other hand, fortunately, my passwords are strong, and the root account isn't enabled.

After seeing the mountain of failed login attempts, I've become a little more paranoid, and would like to be more cautious. A few questions, though:

1. These people trying to break in, do you they just do pings of a range of IP addresses until one responds, and then have a program that just tries a whole lot of logins/passwords at that IP? I see lots of attempts for Administrator, root, and mysql, but there are also attempts for random ones like 'raphael'. What's the deal?

2. I have test users on my system for debug purposes, some of them with admin rights. Is there any way to disallow these users to log in with ftp and ssh? How paranoid should I be?

3. I'd still like to be able to access my computer from the outside world using the same services I have been before, but I'm thinking I should start using my firewall properly, and take off DMZ and enable port forwarding instead, right? Question is, how is this any better at preventing break in attempts? If I can get in here from the outside, they could too, right?

Any other tips, suggested readings, or words of wisdom? School me.
posted by jeffxl to Computers & Internet (9 answers total) 5 users marked this as a favorite
Best answer: It's basically random. Chances are it's from a hijacked/virused computer somewhere and it's a process that's just running in the background. It searches for servers that it gets a response from, and then it tries to log in 10 or 20 times and if it can't do it it moves on to the next. Eventually it gets a hit or two, and then emails the passwords back to some random dead-drop email somewhere.

Welcome to the internets. Make sure your passwords are 'strong' and are not dictionary words, don't use people's first names for your logins, and get on with life.

If you really want to be proactive, there's suites that will keep an eye on your system logs and your iptables logs and will do 'dynamic blacklisting' of hosts that have a certain number of failed login attempts at your firewall.
posted by SpecialK at 6:20 PM on December 5, 2007

Best answer: As SpecialK says, it's a bunch of script kiddies/hijacked boxes looking for holes to sneak in. My Apache logs at home on my Shaw connected server are full of IIS exploit attempts (HA!).

This is a major reason why all the boxes I look after run SSH on a different port, and either don't run FTP at all, or run it also on another port if it has to be offered. I find that moving the port alone cuts down 99.99% of the hack attempts. One time I set up a new box and forgot to move the SSH port for a couple of days and I couldn't believe how many attempts had been made to get in... sigh.

Use high ports, like 31521 and 31522 or similar and that'll take care of almost all of it instantly.
posted by barc0001 at 6:41 PM on December 5, 2007

Best answer: Stop with the DMZ stuff. You've clearly identified what services you require externally and setting up port exceptions on your router is not a difficult task.

Yes, they're still available externally, but you reduce the attack surface significantly (there are other vulnerabilities in an OS outside of the services you've enabled). Further security options could be to specify a range of allowed addresses to those ports or a VPN server (depending on the capabilities of your router).

These people are trying to break in. It could be intentional on the part of the user performing the attack or they could be compromised themselves and part of a larger botnet that is actively scanning for other machines to infect and add to the swarm. As for the username, they are known as dictionary attacks. The attackers will use a somewhat random username/password combinations (some standard, like admin) to see if they find an open account.

As for your 2nd question, hard to answer without more details. Is this a Mac or Unix box you're trying to secure?
posted by purephase at 6:43 PM on December 5, 2007

Response by poster: @purephase: Mac.
posted by jeffxl at 6:48 PM on December 5, 2007

Best answer: 1. Yes. I get one of these SSH dictionary attacks every couple of weeks. Use strong passwords, or if you can, disable password authentication entirely and use per-user SSH keys (~/.ssh/authorized_keys).

2. You can deny specific users from SSH logins in /etc/sshd_config; see the man page for same. Or you can specify a list of users to allow, with everyone else being denied by default. See "man sshd" and "man sshd_config". For FTP, see "man 5 ftpusers".

Many utilities will deny logins for any user whose shell is not one of the ones listed in /etc/shells, but IIRC you can still 'su' to those users, which might be good enough for you.

3. I agree with purephase, etc.: there's not much to be gained from things like DMZs (for a small network), funny port numbers, port-knocking daemons, etc..
posted by hattifattener at 7:03 PM on December 5, 2007 [1 favorite]

Best answer: I use DenyHosts to automatically lock out IPs that knock on the ssh port with bad passwords. It works on Mac.
posted by zsazsa at 8:08 PM on December 5, 2007 [2 favorites]

After a couple of years of getting daily log reports with upwards of 2MB of ssh attacks on a machine that nobody hardly uses besides me, I finally just changed the port sshd runs on. Problem solved. Oh, and not running ftpd at all since you can scp everything around anyway. These two changes will make your daily logs spotless.
posted by rhizome at 11:40 PM on December 5, 2007

Ditto turning off ftp, using Denyhosts. Checking my /etc/hosts.deny, I see it's banned 11 IPs so far for December.
posted by Zed_Lopez at 3:25 AM on December 6, 2007

I had the same problem with my SMTP server...
I only have 2 addresses on my mail server, and they aren't used very often...but it's fun to play with...
So my log files are always under 2K or so...
One day I noticed my connection was very slow..I checked netstat and noticed several connections I didn't recognize to my SMTP port...
Checked the SMTP log...it was 98MB for that day.
I searched for an app to block this IP (the attack was still happening)....and found PeerGuardian....
They have a rather hokey interface, but it does a decent job of filtering IP's.
I'd like to find a more streamlines IP filter app...but this is the only one I was able to find.
posted by AltReality at 1:48 PM on December 6, 2007

« Older Antique Ring?   |   Festive Red Colouring - Not always a "Good Thing" Newer »
This thread is closed to new comments.