Thursday, May 21, 2015

ssh compromised

chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification.

Open up the terminal and type the following command to install chkrootkit:

$ sudo apt-get install chkrootkit

Using chkrootkit:
Open up the terminal and type the command: $ sudo chkrootkit
This will perform all tests. Keep in mind that chkrootkit runs the system's own ps, ls, netstat and similar binaries, which are exactly the ones a rootkit replaces; if you have a set of trusted binaries (for example on a mounted rescue CD), point chkrootkit at them with its -p option (-p dir1:dir2).

Other Configurations:
If you want an automatic daily run of chkrootkit:
Open /etc/chkrootkit.conf and replace RUN_DAILY="false" with RUN_DAILY="true"

If you also want a daily mailed report:
Open /etc/cron.daily/chkrootkit and replace the line
$CHKROOTKIT $RUN_DAILY_OPTS
with
$CHKROOTKIT $RUN_DAILY_OPTS | mail -s "Daily chkrootkit run from $HOSTNAME" your@email.address
(substitute your own address; the mail command needs a local MTA or the mailutils package to be installed)

Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like 'skdet' and 'unhide'. It should run on almost every Unix clone.

Open up the terminal and type the following command to install Rkhunter:
$ sudo apt-get install rkhunter

Using Rkhunter:
Open up the terminal and type the command: $ sudo rkhunter --check
This will perform all tests (add --sk to skip the "press enter" prompts between test groups).

By default, the log file '/var/log/rkhunter.log' will be created. It will contain the results of the checks made by Rkhunter.
Rkhunter's file-property checks compare binaries against a baseline stored with $ sudo rkhunter --propupd. Take that baseline right after a clean install or package update, never on a machine you already suspect, or you will baseline the compromise.

The following command option causes rkhunter to check for and download the latest version of any of its text data files: $ sudo rkhunter --update

ssh compromised

1. Stop the ssh service (do this from the console or another out-of-band channel, or you cut off your own session):

sudo /etc/init.d/ssh stop

2. Start the ssh service again:

sudo /etc/init.d/ssh start

3. Do not start it at boot time:

chkconfig sshd off

(chkconfig is the RHEL/CentOS tool; on Ubuntu releases of this era the equivalent is sudo update-rc.d ssh disable, and on systemd-based releases sudo systemctl disable ssh.)

1. Check the auth log (/var/log/auth.log on Ubuntu/Debian, /var/log/secure on RHEL/CentOS) for "Accepted" lines you do not recognise, "Invalid user" probes and bursts of "Failed password" from one host.

2. Do a port scan with nmap from another machine and compare the open ports with what netstat -ltnp shows locally; a listener that is visible from outside but not from inside is a classic rootkit symptom.

3. Security tools/utilities:

- logcheck, portsentry, and tripwire
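A worked example of step 1, added here and not part of the original post: a small shell script that pulls the three things you want out of an sshd auth log. The log lines are constructed for the example, the host name, users and addresses are made up, and the function names are this example's own.

```sh
# Added example, not from the original post: triage an sshd auth log the way
# step 1 above says to. It works on the "Invalid user", "Failed password" and
# "Accepted ..." lines OpenSSH writes to /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (RHEL/CentOS). The log below is constructed for the example;
# the host name, users and addresses are made up, and the function names are
# this example's own.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
May 21 03:12:01 web1 sshd[2201]: Invalid user admin from 203.0.113.7
May 21 03:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51214 ssh2
May 21 03:12:09 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51230 ssh2
May 21 03:12:15 web1 sshd[2206]: Failed password for root from 203.0.113.7 port 51241 ssh2
May 21 03:12:30 web1 sshd[2208]: Accepted password for root from 203.0.113.7 port 51260 ssh2
May 21 07:45:10 web1 sshd[2310]: Invalid user oracle from 198.51.100.23
May 21 07:45:12 web1 sshd[2310]: Failed password for invalid user oracle from 198.51.100.23 port 40001 ssh2
May 21 09:00:02 web1 sshd[2400]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
EOF

# failed_by_host LOG: "<failures> <ip>", busiest host first
failed_by_host() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# invalid_users LOG: account names that were tried but do not exist here
# (the list is a fingerprint of the dictionary the attacker is using)
invalid_users() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user \([^ ]*\) from .*/\1/p' "$1" | sort -u
}

# accepted_logins LOG: every successful login as "<user> <ip> <method>";
# this is the list to read line by line when you suspect a break-in
accepted_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p' "$1"
}

# suspicious_logins LOG: successful logins from a host that also has failed
# attempts in the same log, i.e. a guess that eventually worked: "<user> <ip>"
suspicious_logins() {
    accepted_logins "$1" | while read -r user ip _method; do
        if grep 'Failed password for' "$1" | grep -qF " from $ip port "; then
            echo "$user $ip"
        fi
    done
}

echo "== failed attempts by host =="; failed_by_host "$SAMPLE_LOG"
echo "== invalid users tried =="; invalid_users "$SAMPLE_LOG"
echo "== accepted logins =="; accepted_logins "$SAMPLE_LOG"
echo "== accepted after failures (investigate!) =="; suspicious_logins "$SAMPLE_LOG"
```

On a live box run the same functions over /var/log/auth.log and its rotated copies, and copy the logs somewhere safe before anything else: a compromised host's logs are evidence, and a rootkit that hides processes can also edit them.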

"It's very common for random dictionary SSH attempts, so I wouldn't be too worried by that. You may want to change the port for random obfuscation, but you'll still see random attempts from time to time; it's life having a machine on the internet." - Owen

"Will happen all the time with ssh enabled. Move it to a high port." - Bill K

If there was an attack, the best advice is to reinstall from scratch (make sure you plug any holes on the new install). It is very easy not to notice a backdoor or a stealth process; you are better off reinstalling.
"... prevent this from happening in the future?"
  • security updates
  • tight firewall
  • strong passwords
  • turn off unnecessary services

Suggestion :

There is some poor advice on this thread, such as:
  • using a non-standard port for ssh (wrong!)
  • using some third party security tool (adding an unnecessary dependency/complexity)
  • configuring your firewall to block or whitelist (maintenance headache)
Simply tweak your /etc/ssh/sshd_config instead to improve security:
  • PermitRootLogin no
  • Configure AllowUsers for only the users on the system who have ssh accounts
  • Consider using only physical keys with 'PasswordAuthentication no'
If your box has been infiltrated, rebuild the box.
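As an added example (not from the answer above and not OpenSSH's own code), a shell check for the three sshd_config settings the answer recommends, run against two constructed config files. The sample files, temporary paths and function names are assumptions of this example; on a real host cross-check with `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied.

```sh
# Added example, not code from the answer above or from OpenSSH: check an
# sshd_config for the three settings recommended above. It reads the flat
# "Keyword value" lines sshd uses (keywords are case-insensitive and, per
# sshd_config(5), the FIRST uncommented occurrence of a keyword wins).
# It does not evaluate Match blocks; on a real host cross-check with
# `sshd -T`, which prints the effective configuration. The sample files,
# paths and function names are constructed for this example.

# Constructed sample: the kind of config that brute-forcers love.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
# PermitRootLogin no      <- commented out, so the built-in default applies
PasswordAuthentication yes
EOF

# Constructed sample: the same host after applying the advice above.
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# conf_value FILE KEYWORD: the keyword's value as sshd would read it,
# empty when it is not set (the built-in default then applies).
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per setting, "<Keyword> OK|WEAK <value>".
# An unset directive is reported WEAK on purpose: PasswordAuthentication
# defaults to yes, and PermitRootLogin's default has changed between
# OpenSSH releases, so both should be set explicitly. Only "no" counts as
# OK for PermitRootLogin, as the answer says; prohibit-password still lets
# root in with a key.
audit_sshd_config() {
    v=$(conf_value "$1" PermitRootLogin)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) echo "PermitRootLogin OK $v" ;;
        "") echo "PermitRootLogin WEAK unset" ;;
        *)  echo "PermitRootLogin WEAK $v" ;;
    esac
    v=$(conf_value "$1" PasswordAuthentication)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) echo "PasswordAuthentication OK $v" ;;
        "") echo "PasswordAuthentication WEAK unset" ;;
        *)  echo "PasswordAuthentication WEAK $v" ;;
    esac
    v=$(conf_value "$1" AllowUsers)
    if [ -n "$v" ]; then echo "AllowUsers OK $v"; else echo "AllowUsers WEAK unset"; fi
}

# sshd_config_is_hardened FILE: exit 0 only when nothing is WEAK, so the
# check can gate a deployment or a configuration-management run.
sshd_config_is_hardened() {
    ! audit_sshd_config "$1" | grep -q ' WEAK '
}

echo "== weak =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARD_CONF"
```

Note the commented-out PermitRootLogin in the weak file: a directive that is only present as a comment is the same as no directive at all, which is why the check reports "unset" rather than silently assuming a default.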
How can I prevent this from happening in the future?

You can watch the box to see what's going in and out and look for anything suspicious. See this post:


Psad coupled with Shorewall is a good way to complement your iptables rules.
I also use Fail2ban to track my ssh logins
Taken from the website:
"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."
  • log analysis: it can check log files on your servers and alert you via rules (there are a lot pre-defined and you can add your own)
  • file integrity: tripwire/aide-like functionality, so you will see if any file has been modified on your server
  • policy monitoring: checks some "best practices" security rules
  • rootkit detection: rkhunter/chkrootkit-like functionality
  • real-time alerting and active response: you can configure OSSEC to react automatically to alerts (I don't use this, but you can use it to block ssh access to hosts making too many failed connection attempts)
Really good product and it is very active.
To harden your box you can also use lynis or bastille


Prevention:

- Use iptables to rate-limit new SSH connections (the rules need root, hence sudo; order matters, the DROP must come last):

# Let packets of SSH sessions that are already open through unconditionally
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept at most 3 new SSH connections per minute (with an initial burst of 3) ...
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# ... and drop every other new connection attempt on port 22
$ sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Two caveats: the limit bucket is global, not per source, so one noisy attacker also throttles your own logins (a per-source limit uses the recent match instead), and rules added this way are gone after a reboot unless you save them, for example with the iptables-persistent package.

I use DenyHosts to monitor my logs for suspicious SSH traffic; it can be configured to automatically firewall off hosts at a certain point.

others :


1. DenyHosts

What is DenyHosts?

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks). If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?


- Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
- Synchronization mode (new in 2.0) allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks.
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (eg. sdadasd) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is expired)
- Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
- Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
- When the log file is rotated, the script will detect it and parse from the beginning.
- Appends /etc/hosts.deny and adds the newly banned hosts
- Optionally sends an email of newly banned hosts and suspicious logins.
- Keeps a history of all user, host, user/host combo and suspicious logins encountered, which includes the date and number of corresponding failed login attempts.
- Maintains failed valid and invalid user login attempts in separate files, such that it is easy to see which valid user is under attack (which would give you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
- Upon each run, the script will load the previously saved data and re-use it to append new failures.
- Resolves IP addresses to hostnames, if available (new in v0.6.0).
- /etc/hosts.deny entries can be expired (purge) at a user specified time (new in 0.8)


2. Fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).  
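The loop that the DenyHosts feature list above and this Fail2ban description both describe (read the new part of the log, count failures per host, ban past a threshold, expire bans later), written out as an added shell example. It is not code from DenyHosts or Fail2ban; the log lines are constructed, every path is a temporary file standing in for /var/log/auth.log and /etc/hosts.deny, the threshold and timeout are made-up values, and the current time is passed in as an argument so that the runs are reproducible.

```sh
# Added example: the core loop that DenyHosts (feature list above) and
# Fail2ban both implement, written as a plain shell script. It is not code
# from either project. Per run it reads only the log bytes added since the
# last run (saved offset), restarts from the top when the file was rotated
# (it got shorter than the saved offset), keeps per-host failure totals
# across runs, bans hosts at or over a threshold in a hosts.deny-style file
# with a timestamp line, and purges bans older than PURGE_AFTER seconds.
# Every path here is a temporary file built for the example, not the real
# /var/log/auth.log or /etc/hosts.deny. Time is passed in as an argument so
# that runs are reproducible.

THRESHOLD=3          # failures before a host is banned
PURGE_AFTER=3600     # seconds a ban stays in place

LOG=$(mktemp); STATE=$(mktemp); COUNTS=$(mktemp); DENY=$(mktemp)
trap 'rm -f "$LOG" "$STATE" "$COUNTS" "$DENY" "$COUNTS.new" "$DENY.new"' EXIT

# Print the log bytes appended since the last run and save the new offset.
# (Rotation is detected only when the new file is shorter; DenyHosts also
# tracks the inode, which this example does not.)
new_lines() {
    offset=0
    [ -s "$STATE" ] && offset=$(cat "$STATE")
    size=$(wc -c < "$LOG" | tr -d ' ')
    if [ "$size" -lt "$offset" ]; then
        offset=0   # file got shorter: rotated or truncated, parse from the top
    fi
    tail -c +$((offset + 1)) "$LOG"
    printf '%s\n' "$size" > "$STATE"
}

# stdin: log lines; stdout: "<failures> <ip>" per source host
count_failures() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | awk '{print $1, $2}'
}

is_banned() {   # is_banned IP: exit 0 if IP has an "sshd: IP" entry
    awk -v ip="$1" '$1 == "sshd:" && $2 == ip { f = 1 } END { exit !f }' "$DENY"
}

ban_host() {    # ban_host IP NOW: a comment line with the ban time, then the entry
    printf '# banned %s | sshd: %s\nsshd: %s\n' "$2" "$1" "$1" >> "$DENY"
}

banned_hosts() { awk '$1 == "sshd:" { print $2 }' "$DENY"; }

# Remove each "# banned <epoch> ..." line and its entry once it is older
# than PURGE_AFTER; entries without a timestamp line (manual ones) are kept.
purge_expired() {   # purge_expired NOW
    awk -v now="$1" -v ttl="$PURGE_AFTER" '
        BEGIN { keep = 1 }
        /^# banned / { keep = (now - $3) < ttl; if (keep) print; next }
        /^sshd: /    { if (keep) print; keep = 1; next }
        { print }
    ' "$DENY" > "$DENY.new" && mv "$DENY.new" "$DENY"
}

# One pass over the new log lines, then purge expired bans.
run_once() {   # run_once NOW
    new_lines | count_failures | while read -r n ip; do
        old=$(awk -v ip="$ip" '$1 == ip { print $2 }' "$COUNTS")
        total=$(( ${old:-0} + n ))
        { awk -v ip="$ip" '$1 != ip' "$COUNTS"; echo "$ip $total"; } > "$COUNTS.new"
        mv "$COUNTS.new" "$COUNTS"
        if [ "$total" -ge "$THRESHOLD" ] && ! is_banned "$ip"; then
            ban_host "$ip" "$1"
        fi
    done
    purge_expired "$1"
}

# Constructed auth.log content. First batch: two failures, below the threshold.
cat >>"$LOG" <<'EOF'
May 21 03:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51214 ssh2
May 21 03:12:09 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51230 ssh2
May 21 03:13:00 web1 sshd[2206]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
EOF
run_once 1000
echo "after batch 1, banned: $(banned_hosts | tr '\n' ' ')"

# Second batch: only these new bytes are read; the host reaches 3 and is banned.
cat >>"$LOG" <<'EOF'
May 21 03:12:15 web1 sshd[2208]: Failed password for root from 203.0.113.7 port 51241 ssh2
EOF
run_once 1060
echo "after batch 2, banned: $(banned_hosts | tr '\n' ' ')"
```

The timestamp line above each entry is what makes expiry possible without a separate database; it is also why a hand-edited hosts.deny keeps working, since entries without such a line are never purged. Whether a ban lands in hosts.deny (DenyHosts) or in a firewall chain (Fail2ban) is the only real difference between the two tools at this level.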

3. Ubuntu security tools

The Ubuntu repositories contain several useful tools for maintaining a secure network and network administration. This page attempts to list the most popular and useful of these utilities, a brief description of them, and how to install them.
  • Wireshark (previously called Ethereal) - a popular network traffic analyzing tool, that can capture both off the wire and from existing capture files. It features a helpful GUI to ease analysis. Note: the Universe package adds a menu entry that expects the user to have a root account. To use ethereal in Ubuntu, use gksudo in a terminal. You should only run it using sudo if you need to capture packets live; root privileges are not required to read saved capture files. For Ubuntu 6.06 and earlier install the ethereal and ethereal-common packages from the Universe Repository.
    • For Ubuntu 6.10 onwards install the wireshark and wireshark-common packages from the Universe Repository.
  • Nessus - a powerful remote network security auditor, with a nice GUI. Nessus supports plugins and offers a usually current attack database. It also features useful scripting abilities, allowing you to automate many tasks. Nessus is no longer open source, but is available free for personal use.
  • OpenVAS (The Open Vulnerability Assessment System) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011). All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).
  • Nmap - the standard network mapper. Has a thousand and one uses. To install Nmap install the nmap package.
  • Etherape - an etherman clone. It displays network activity with an intuitive UI. Install the etherape package from the Universe Repository.
  • Kismet - a wireless sniffing tool. Includes support for GPS map scanning with in use of the gpsdrive package. Install the kismet package from the Universe Repository.
  • Chkrootkit - chkrootkit can be used to help determine if a machine has been compromised. While not what you should use for the 'final word' on if you have been compromised, it runs a lot of useful checks and can direct suspicions towards finding a solution. To install chkrootkit install the chkrootkit package.
  • Rkhunter (Ubuntu 6.06 and above only) - another rootkit detection software. Install the rkhunter package from the Universe Repository.
  • tiger - Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. Install the tiger, chkrootkit and john packages.
  • GnuPG - also known as GPG, is an open source PGP replacement implementing the OpenPGP standard. Lacks support for IDEA, but is incredibly useful. Included by default. GnuPG will allow you to encrypt emails, digitally sign, and integrates well into the Evolution mail client as well as Thunderbird.
  • Seahorse - a light-weight Gnome frontend for GPG, makes managing keys much easier. Install the seahorse package from the Universe Repository.
  • Nemesis - a command-line based packet injection utility. Requires a bit of reading the documentation to get full use from. To install nemesis install the nemesis package from the Universe Repository.
  • Tcpdump - while its name suggests that it works for only TCP, tcpdump also supports UDP, BGP, NFS, and a lot of other packet types. It is a powerful network utility that should be in every admin's toolbox, allowing you to pull in everything off the wire. In combination with ethereal it doesn't miss much. To install tcpdump install the tcpdump package.
  • OpenSSH - OpenSSH almost singlehandedly stopped admins from using telnet, an insecure protocol. The OpenSSH client is installed by default. Generally you want to use SSH instead of telnet or rsh. In some situations, such as large number of clients, you might want to pursue other options, such as telnet with ssl. To install the ssh server install the openssh-server package.
  • denyhosts (Ubuntu 6.10 and above only) - scans your SSH logs to find brute-force attacks, and then blocks the IPs they came from. To install denyhosts install the denyhosts package.
