Have I been attacked? Network security question.

    I have a home media server running LAMP but with just the basic setup. This allows me to watch my videos, look at family photos, listen to music, and so on with all our computers and various media devices.

    I have a Verizon FIOS floating IP so I haven't bothered to setup a VPN or a webpage yet - just the "It Works" default page when you attempt http connection from the internal network.

    In theory - attacking the IP would get you my DSL Router and its firewall, right?

    Today, I checked the server's monitor (it's connected to the second input port on one of my desktop monitors, sweet right?) and saw a few error messages and a notice of required reboot (security update). So I decided to SSH over there and check the errors and reboot. When I logged in I saw:

    stuart@office:~$ ssh -p XXXXX daddy@server
    daddy@server's password:
    Linux server 2.6.38-7-server #37~lucid1-Ubuntu SMP Mon Mar 21 18:38:53 UTC 2011 x86_64 GNU/Linux
    Ubuntu 10.04.2 LTS

    ~~~~~~~

    *** System restart required ***
    Last login: Sat Mar 26 20:30:21 2011 from new-host-2.home
    daddy@server:~$ users
    This is not a name on my network so I went totally paranoid and I immediately rebooted (maybe not the best idea) but the reboot went normal and all seemed OK.

    I went to /var/log/auth.log and saw (truncated)

    Code:
    Mar 30 15:50:47 server sshd[19361]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
    Mar 30 15:51:31 server sudo: pam_unix(sudo:auth): authentication failure; logname=daddy uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=daddy
    Mar 30 15:51:35 server sudo:  daddy : TTY=pts/0 ; PWD=/home/daddy ; USER=root ; COMMAND=/sbin/reboot
    Mar 30 15:52:23 server sshd[525]: Server listening on 0.0.0.0 port XXXXX.
    Mar 30 15:52:23 server sshd[525]: Server listening on :: port XXXXX.
    Mar 30 15:52:38 server perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
    Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): getting password (0x00000388)
    Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): pam_get_item returned a password
    Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
    Mar 30 15:52:40 server webmin[1484]: Webmin starting
    Mar 30 15:52:51 server sshd[1490]: Accepted password for daddy from 192.168.1.199 port XXXXX ssh2
    Mar 30 15:52:51 server sshd[1490]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
    That was today's login after reboot, so it's not likely a hacker, rather some service I have mis-configured?

    As I typed this, it occurred to me that possibly the new-host-2 was my relatively new Roku box that plays home videos off of the server. I will test this later when I get some time.

    Any comments? Is a non-standard ssh port enough security in light of the fact that I'm behind a firewall?

    Maybe I should create an SSH whitelist.


    #2
    Re: Have I been attacked? Network security question.

    Being nowhere near as network-savvy as GreyGeek, for example, I put my trust in Shields Up. As far as I know, it is the premier security checker for an individual PC, regardless of the OS.

    Test your server -- if it's hiding, then I would suppose "daddy" is your roku box or some other service that you started.



      #3
      Re: Have I been attacked? Network security question.

      Sorry, I should have been more clear: "daddy" is my admin username on that server (name changed to protect the innocent!) because I want to keep admin duties separate from regular user activities.

      The suspicious hostname was new-host-2.home which may be the Roku...



        #4
        Re: Have I been attacked? Network security question.

        Unless you're doing some port forwarding it's gotta be on your network as 192.168.0 is a private network.

        The only other thing it can be is hacked wireless but that's damned unlikely if you're using anything stronger than WEP.

        If your network's a private network (10.0, 172.16.0 through 172.31.0 or 192.168.0) it's not visible from the internet unless somebody's got a hell of a routing table - they'd have to put a direct path from their machine to yours on their router; which for all practical purposes is impossible.

        If you're really interested see RFC 1918.

        I wouldn't worry too much about it - it's probably the roku.

        we see things not as they are, but as we are.
        -- anais nin



          #5
          Re: Have I been attacked? Network security question.

          Agree with the Wiz. The hacker would have had to have direct access to your machine through the router. You can try removing the Roku to see if it goes away. If it does then you know.



            #6
            Re: Have I been attacked? Network security question.

            Originally posted by oshunluvr
            In theory - attacking the IP would get you my DSL Router and it's firewall, right?
            Yes, in theory. Some things to consider.
            • Assign a secure administration password (i.e. not the manufacturer default password) to the router.
            • Disallow router administration from the WAN side.
            • Secure (encrypt) wireless connection or disable it completely on the router.
            • Disallow router administration from wireless clients.
            • Disable UPNP on the router.
            • Enable the router's built in firewall, and block everything by default. Manually open ports on your router only as you need them.


            You should also use the ShieldsUp site mentioned by dibl to scan for open ports. You want all your ports in stealth mode if possible. The only ports accessible on your machine from the Internet should be the ones you manually open yourself, or for which you have chosen to offer services on those ports.

            Maybe I should create an SSH whitelist.
            Probably a good idea. Consider disallowing password login completely if possible, especially if you intend to access it outside your LAN.


              #7
              Re: Have I been attacked? Network security question.

              • Done: Assign a secure administration password (i.e. not the manufacturer default password) to the router.
              • Done: Disallow router administration from the WAN side.
              • Not done: Secure (encrypt) wireless connection or disable it completely on the router.
              • Good idea: Disallow router administration from wireless clients.
              • Done: Disable UPNP on the router.
              • Not done: Enable the router's built in firewall, and block everything by default. Manually open ports on your router only as you need them.

              Another good idea: You should also use the ShieldsUp site mentioned by dibl to scan for open ports. You want all your ports in stealth mode if possible. The only ports accessible on your machine from the Internet should be the ones you manually open yourself, or for which you have chosen to offer services on those ports.

              Really good idea: Probably a good idea. Consider disallowing password login completely if possible, especially if you intend to access it outside your LAN.



                #8
                Re: Have I been attacked? Network security question.

                I've not worried too much about the wireless. I live in the city and can "see" about 20 wireless networks from my living room. Based on the fact that 60% of them have the ESSID of "Linksys" or "Netgear" I'm rather sure that there are other, more easily hacked networks near by.

                I know this will spark some comments, but I really hate the passphrase BS. I would really rather have a secure key type setup where, once you log in with a certain computer, it looks for the matching key and only requires a passphrase if it's unknown. Currently I'm using MAC filtering but I know that's probably the easiest hacked security.

                My problem (or not) is that I'm just not paranoid enough to worry that much about it. The built-in firewall and Linux's native security has really been enough to quell my fears. There are two computers that are on all the time on my network: the server and my desktop. The server contains videos, family photos and music. My desktop has the usual desktop stuff on it. All this is backed up, but only to these two computers. I really should have an off-line backup.

                I suppose if one had the time to:

                Clone a MAC address of one of my allowed computers (about 20). Relatively easy
                Figure out a username and password available (4) or plant a new one. Moderately difficult
                Search through 20,000 documents for SSN and other identifying data. Easy
                Steal my identity and... obtain credit? empty my bank account? Possible I suppose

                Honestly, I suppose this has actually happened somewhere but not that I've ever heard of and certainly not in enough numbers to make the news. Identity thieves would rather dig through your trash (I shred).

                Actually, the worst thing I could think of happening is someone hacking in and using my computer to forward child porn or worse.

                I guess I need to make an action list and start making things somewhat more safe.



                  #9
                  Re: Have I been attacked? Network security question.

                  Originally posted by oshunluvr
                  I really should have an off-line backup.
                  Right there you have nailed it, IMHO.

                  Just look at what happened in Japan, and consider the data recovery problem for a family whose house was washed away. How well will that set of backup DVDs help? The quality of the data backup that is in the cabinet beside your server is pretty irrelevant to a catastrophe in which the house and all the contents are gone.

                  My 20 years of accumulated personal and professional data, including some really hard research that I'll not live long enough to reproduce, is on backups in two other households, both of which are located 30 miles or more from my house.

                  Now, who's paranoid?



                    #10
                    Re: Have I been attacked? Network security question.

                    Originally posted by oshunluvr
                    I'm rather sure that there are other, more easily hacked networks near by.
                    I can't recommend relying on other people's stupidity to protect yourself, but if it comforts you then it doesn't hurt me any.

                    I would really rather have a secure key type setup where once log in with a certain computer, it looks for the matching key and only requires a passphrase if it's unknown.
                    You mean for router configuration? I completely agree, but if you are using certificates to verify your clients then you definitely want to disallow login by password. Having both just defeats the whole purpose of having certificates.

                    Currently I'm using MAC filtering but I know that's probably the easiest hacked security.
                    It is another layer in your LAN's armor, and I would not be without it.

                    The goal of the identity thief is not to steal your family photos. He wants to use your good name/credit rating/bank account to commit bigger crimes.

                    Take care of properly securing that SSH server as shown in the article. If you don't need access to it outside your LAN then block it at the router.

                    FWIW

                    Have fun


                      #11
                      Re: Have I been attacked? Network security question.

                      I for one don't use MAC filtering as I think it's no more secure than hiding your SSID.

                      I don't allow SSH access outside the LAN, but I also have my access points set to rotate keys every 15 minutes instead of the default hour.

                      WEP has been cracked, WPA-TKIP has been also but it takes hours - but there isn't enough computing power available to a hacker to crack WPA-AES or WPA2 before my keys rotate, even if the hacker had access to Watson. By the time he got the key deciphered it would have changed a couple dozen times and all his work would be for nought

                      Pulling an SSID or MAC address out of the air (and cloning the MAC) is relatively simple but the short version is that AES is as secure as it gets outside of certificate-based authentication like PEAP or EAP-TLS.

                      IMO hiding SSIDs and MAC filtering gives a false sense of security as both the SSID and MAC address are easily sniffed out of the air. On the network itself, if SSH is facing the internet I'd be using certificate-based authentication.
                      we see things not as they are, but as we are.
                      -- anais nin



                        #12
                        Re: Have I been attacked? Network security question.

                        Originally posted by wizard10000
                        I for one don't use MAC filtering as I think it's no more secure than hiding your SSID.

                        I don't allow SSH access outside the LAN, but I also have my access points set to rotate keys every 15 minutes instead of the default hour.

                        WEP has been cracked, WPA-TKIP has been also but it takes hours - but there isn't enough computing power available to a hacker to crack WPA-AES or WPA2 before my keys rotate, even if the hacker had access to Watson. By the time he got the key deciphered it would have changed a couple dozen times and all his work would be for nought

                        Pulling an SSID or MAC address out of the air (and cloning the MAC) is relatively simple but the short version is that AES is as secure as it gets outside of certificate-based authentication like PEAP or EAP-TLS.

                        IMO hiding SSIDs and MAC filtering gives a false sense of security as both the SSID and MAC address are easily sniffed out of the air. On the network itself, if SSH is facing the internet I'd be using certificate-based authentication.
                        +1



                          #13
                          Re: Have I been attacked? Network security question.

                          Yeah, the certificate idea is my preferred method. I like the idea of a one-time secure key install for each computer I want on - and yes, I would disallow the password logins. I didn't bother to hide my essid because I can so easily sniff that out, and the people accessing my system via wireless are not the most savvy computer users and would complain if they had any difficulty (see the lovely woman to the left).

                          My ssh is set to local network only and a non-standard port, so I'm pretty sure it is rather safe. I guess in theory if someone gained access to my wifi they'd have a local IP - then all they'd have to do is port scan for open ports. They'd also have to know or discover my admin username and password to login, right? It would probably be better to use a non-name username for the admin account and only allow ssh using that account.

                          I would like to be able to access my server via the internet but haven't had the time to set it up. I think I'd like to set up a VPN, then my kids (other cities and states) could access the family pics and videos without my system being too at risk.


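The sshd_config changes that #6, #10 and #13 converge on (no password login, an explicit user whitelist, listening on the LAN only, no root login), as an added example that is not from the thread. The two config fragments are constructed for illustration: "daddy", port 2222 and 192.168.1.10 are placeholders, and the non-standard port is shown only because the thread uses one; it hides nothing from a LAN port scan. The audit function parses a fragment the way sshd does for top-level keywords (first occurrence wins, comments stripped, Match blocks skipped) and reports which of the thread's recommendations it fails, using the defaults OpenSSH 5.x applied when a keyword is absent.

```python
# Constructed "before" fragment: OpenSSH defaults as found on a stock install.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# no AllowUsers: every local account may try to log in
"""

# Constructed "after" fragment matching the thread's advice. Comments are on
# their own lines because sshd does not reliably accept trailing comments.
HARDENED_SSHD_CONFIG = """\
# Non-standard port: obscurity only, not a control by itself
Port 2222
# LAN interface only (placeholder address), as post #13 describes
ListenAddress 192.168.1.10
PermitRootLogin no
# Keys only (posts #6, #10); also close the PAM keyboard-interactive path
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# The SSH whitelist: this account, and only from LAN addresses
AllowUsers daddy@192.168.1.*
MaxAuthTries 3
"""

# Values OpenSSH (5.x era, as on Ubuntu 10.04) uses when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Map lowercase keyword -> value for top-level directives.

    sshd honours the FIRST occurrence of a keyword, so a stray later line
    cannot override an earlier one. Everything from the first Match block on
    is conditional and is skipped by this simplified parser.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        conf.setdefault(key, value.strip())
    return conf


def audit_sshd_config(text, lan_only=True):
    """Return findings; an empty list means the fragment follows the thread's advice."""
    conf = parse_sshd_config(text)

    def get(key):
        return conf.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'; root should only be reached through sudo")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'; password guessing stays possible")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'; PAM can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off; with passwords off nothing could log in")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("No AllowUsers/AllowGroups: every local account may attempt SSH login")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries is {get('maxauthtries')}; 3 is plenty for key auth")
    if lan_only and "listenaddress" not in conf:
        findings.append("No ListenAddress: sshd binds every interface (0.0.0.0 and ::)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Before restarting sshd with a changed file, run `sshd -t` to syntax-check it and keep the current session open until a second login with the key succeeds, otherwise a typo in AllowUsers locks the admin account out along with everyone else. The `user@pattern` form of AllowUsers is matched against the client's address, so it is the whitelist the thread talks about; blocking the port at the router (post #10) remains the control for anything outside the LAN.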