Linux – How to determine if the Linux box has been infiltrated

debianlinuxSecurityssh

I recently read an article about analyzing malicious SSH login attempts. This got me thinking, are the SSH username, password combinations on my Debian box that uncommon? Had I been targeted by a brute force dictionary attack? Let's take a look at /var/log/auth.log.0:

Sep 23 07:42:04 SLUG sshd[8303]: Invalid user tyjuan from 210.168.200.190
Sep 23 07:42:09 SLUG sshd[8305]: Invalid user tykeedra from 210.168.200.190
Sep 23 07:42:14 SLUG sshd[8307]: Invalid user tykeem from 210.168.200.190
Sep 23 07:42:19 SLUG sshd[8309]: Invalid user tykeshia from 210.168.200.190
Sep 23 07:42:25 SLUG sshd[8311]: Invalid user tyla from 210.168.200.190
Sep 23 07:42:30 SLUG sshd[8313]: Invalid user tylan from 210.168.200.190
Sep 23 07:42:35 SLUG sshd[8315]: Invalid user tylar from 210.168.200.190
Sep 23 07:42:40 SLUG sshd[8317]: Invalid user tyler from 210.168.200.190
Sep 23 07:42:45 SLUG sshd[8319]: Invalid user tylerfrank from 210.168.200.190
Sep 23 07:42:50 SLUG sshd[8321]: Invalid user tyliah from 210.168.200.190
Sep 23 07:42:55 SLUG sshd[8323]: Invalid user tylor from 210.168.200.190

So that doesn't look good. Now that I know I've been targeted by an attack and that some of my username, password combinations are weak, I'd like to know how can I…

… determine if my Linux box has been infiltrated?
… undo any of the damage left by the perpetrators?
… prevent this from happening in the future?

UPDATE

Any advice on undo any of the damage left by the perpetrators?

Best Answer

A lot of people seem to suggest DenyHosts, but I've seen a lot of success with Fail2Ban on my systems. It watches for a (configurable) number of failures, and then performs an action - on my servers, that action is to use iptables to drop all traffic from the host. After 10 login failures, they get banned and that's the end of it.

I use that in combination with Logcheck, so that I always know what's going on on my servers.

If you have any evidence that someone has actually broken into your systems (the logs you have posted are not evidence of this), then your only solution is to back up all the data you need to keep, wipe the machine, reinstall, and restore from backups. Otherwise, there's no way to be sure.

Related Solutions

SSH certificate authentication for the user without home directory

No, unless the Solaris box in question have been setup in a rather exotic/strange way there are no way for you to specify a public key to use.

Assuming we are talking about the usual scp client, which is part of OpenSSH, it in itself won't accept a password non-interactively.

One solution might be to write your own scp "client". That is, put something together in your favorite scripting language, using a suitable module/library, allowing the password to be inserted non-interactively.

Linux – Can’t get Passwordless (SSH provided) SFTP working

First off, the home directories in /etc/passwd should reflect the un-chrooted paths, or you'll run into problems in general. In this case, sshd checks for authorized keys before it chroots, so it needs to find them using an un-chrooted path. That's why your first try doesn't work.

Second thing to note: Under your first setup, when david logs in he starts in /var/chroot-home/david, but he is actually chrooted to /var/chroot-home, meaning if he types cd .. he can see all of the other home dirs (although not their contents, if permissions are correct). This might or might not be a problem for you, but it's a good thing to be aware of.

If the above is fine with you, you can use your first sshd_config, set david's home dir to /var/chroot-home/david in the passwd file, and add the following symlink so that david still starts in his home directory:

cd /var/chroot-home
mkdir var
ln -s .. var/chroot-home

That symbolic link will make sure that you can reach a home directory using the same path whether or not you are in the chroot.

However, if you don't want the clients to see the names of each other's home directories, you need to chroot into the home directory itself, as in your second solution. But as you've seen, sshd doesn't like that (because for various subtle reasons, it's dangerous to give a user write access to the root of a filesystem). Sadly, you're mostly out of luck here. One (kludgy) solution to this is to create a files/ subdirectory in each home directory and give the client write access to that instead.

Another option might be to chroot to /var/chroot-home anyway, and name the home directories differently, e.g. using the user ID number instead of the name.

Best Answer

Related Solutions

SSH certificate authentication for the user without home directory

Linux – Can’t get Passwordless (SSH provided) SFTP working

Related Topic