Debian frozen possible hacker attacK ?


Postby rcanna72 » 2019-11-29 09:19

It's the second time that my Debian server has frozen and required a reboot.

After the reboot I find this in auth.log:
Nov 29 07:40:48 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2
Nov 29 07:40:51 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2
Nov 29 07:40:53 myserver sshd[24440]: Received disconnect from 49.88.112.60 port 38364:11: [preauth]
Nov 29 07:40:53 myserver sshd[24440]: Disconnected from authenticating user root 49.88.112.60 port 38364 [preauth]
Nov 29 07:40:53 myserver sshd[24440]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.60 user=root
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Nov 29 10:47:27 i-myserver systemd-logind[491]: New seat seat0.
Nov 29 10:47:27 i-voice-iredeos systemd-logind[491]: Watching system buttons on /dev/input/event4 (Power Button)
Nov 29 10:47:27 i-voice-iredeos systemd-logind[491]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Nov 29 10:47:28 i-voice-iredeos sshd[512]: Server listening on 0.0.0.0 port 22.

Now I have blocked ssh from external addresses.
rcanna72
 
Posts: 1
Joined: 2019-11-29 09:11

Re: Debian frozen possible hacker attacK ?

Postby Sante » 2019-11-29 15:01

It's a Chinese IP. An ssh server open to the WAN* is a security nightmare. Also disable ssh root access (let 'em guess a valid UN) and password login; use a certificate with strong encryption and a tortuous passphrase. Make sure your ssh version isn't known for remote exploits. Do you really need ssh? If not, consider uninstalling it altogether, but I guess if you have it you need it. Consider a VPN. About the crash thing, idk.


*not a Chinese guy :P
Sante
 
Posts: 12
Joined: 2018-12-09 04:17

Re: Debian frozen possible hacker attacK ?

Postby None1975 » 2019-11-29 15:42

Congratulations!! You have been hacked!
OS: Debian 10.1 Buster / WM: fvwm
Debian Wiki | DontBreakDebian, My config files in github
None1975
 
Posts: 956
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Debian frozen possible hacker attacK ?

Postby trinidad » 2019-11-29 16:45

Geez don't jump to conclusions.

Do you / did you run any Dell OEM utilities, i.e. backup, firmware updates, DataSafe, Dell service connections, etc.? How did you forward your ports, and how is AllowUsers set up? Are you SSHing in from Windows?

TC
You can't believe your eyes if your imagination is out of focus.
trinidad
 
Posts: 82
Joined: 2016-08-04 14:58

Re: Debian frozen possible hacker attacK ?

Postby Hallvor » 2019-11-29 17:13

My server gets hit like this all the time. I am guessing there are bots knocking on available servers with root as the user name and common passwords. Consider it noise. Change the ssh port and disable root logins, and these attacks should be very rare. You can also make your firewall ban IP addresses on failed password attempts.
Lenovo Thinkpad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
Hallvor
 
Posts: 952
Joined: 2009-04-16 18:35
Location: Norway

Re: Debian frozen possible hacker attacK ?

Postby cuckooflew » 2019-11-29 20:46

Hallvor wrote: You can also make your firewall ban IP addresses on failed password attempts.

And that is one of many IPs that definitely should be blocked/banned:
https://www.abuseipdb.com/check/49.88.112.60
Yes, it is a hacker bot attack, but I don't see anything to indicate it successfully logged in as root, or as any other user.
A properly set-up firewall should prevent them from accessing; also, ZB-Block is of additional help.
From: https://zb-block.net/zbf/showthread.php?p=1024
The ZB-Block Website Protection Script (referred to as "the ZB-Block script" and "ZB-Block") is a computer program that allows a website administrator to filter unwanted and potentially malicious connections to their website. This helps to protect the website against unwanted activity, intrusion, and/or data theft.

The ZB-Block script runs directly on the protected website. ZB-Block is not a data collector or data processor as defined by GDPR. The ZB-Block script does not access, request, review, or retain any Personally Identifying Information as defined by GDPR.

If ZB-Block finds no reason to prevent (or "block") a connection to the protected website, ZB-Block will allow the connection to pass through to the protected website, and no record of the connection is retained by ZB-Block.

However, if ZB-Block finds sufficient reason to interrupt (or "block") a particular connection, ZB-Block will retain a record of that "block" for the website administrator to review. This allows the website administrator to adjust their installation of ZB-Block by removing incorrect restrictions or instituting additional restrictions.
My grand father knows all about everything:
…one flew east, one flew west,
One flew over the cuckoo’s nest.
cuckooflew
 
Posts: 84
Joined: 2018-05-10 19:34
Location: Some where out west
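Added example, not posted by anyone in this thread: a small Python check over auth.log lines of the kind quoted above. It does what Hallvor suggests (count failed attempts per source IP so the firewall can ban repeat offenders) and what cuckooflew checked by eye (whether any "Accepted" login appears), and it flags the NUL-byte run the poster saw, which is the zero-filled tail the filesystem leaves after a hard reset. The sample log is constructed; 203.0.113.7 and 192.0.2.10 are placeholder addresses and the ban threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log excerpt in the thread (not the poster's full log).
# The NUL run mirrors what the poster saw: the tail of the log was zero-filled when the box
# went down hard, so the real last lines before the freeze are lost.
SAMPLE_LOG = (
    "Nov 29 07:40:48 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2\n"
    "Nov 29 07:40:51 myserver sshd[24440]: Failed password for root from 49.88.112.60 port 38364 ssh2\n"
    "Nov 29 07:40:53 myserver sshd[24440]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.60 user=root\n"
    "Nov 29 07:41:02 myserver sshd[24450]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2\n"
    "Nov 29 07:41:10 myserver sshd[24452]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:placeholder\n"
    + "\x00" * 64 +
    "Nov 29 10:47:28 myserver sshd[512]: Server listening on 0.0.0.0 port 22.\n"
)

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PAM_MORE = re.compile(r"PAM (\d+) more authentication failures;.*rhost=(\S+) user=(\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")


def analyse(log_text, threshold=3):
    """Count failed SSH logins per source IP, list successful logins, flag crash artefacts."""
    failures = Counter()
    accepted = []        # (user, source ip, method) for every successful login
    nul_runs = 0         # lines that start with zero-fill from an unclean shutdown
    for line in log_text.splitlines():
        if "\x00" in line:
            nul_runs += 1
            line = line.lstrip("\x00")  # the text after the zero-fill is still a valid line
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := PAM_MORE.search(line):
            # sshd folds repeated failures from one session into this summary line
            failures[m.group(2)] += int(m.group(1))
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))
    ban = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "ban_candidates": ban,
            "accepted": accepted, "nul_runs": nul_runs}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the thread's excerpt the only "Accepted" line is the constructed key-based login; the real log shows failures only, which matches cuckooflew's reading that nothing got in.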

