I'm under attack I need help in ssh
-
What OS?
-
@tiagom GNU/Linux
-
@inroute said in I'm under attack I need help in ssh:
Hi everyone,
I think I'm under attack I need help please.
Hackers are trying to login to my pbx gateway. I don't know why I viewed the log file to see why my gateway is rebooting himself every few minutes using this command below
tail -f /var/log/messages
authpriv.info dropbear[32417]: Child connection from xx.xx.xx.xx:2xxxx
authpriv.info dropbear[32417]: exit before auth: Disconnect received
auth.warn login[20056]: invalid password for 'UNKNOWN' on 'pts/7'
auth.warn login[20118]: invalid password for 'UNKNOWN' on 'pts/1'
auth.warn login[20582]: invalid password for 'UNKNOWN' on 'pts/4'
auth.warn login[20656]: invalid password for 'UNKNOWN' on 'pts/5'And I see UNKNOWN user is trying to access.
I did a research about that on Google and I found a solution for that say have close SSH PasswordAuthentication. But I followed the steps to do that an I didn't find the file sshd_config that should be edit In etc/SSH/
Can someone help me please.
make sure you use /etc/ssh not /etc/SSH, the second doesn't exist.
You'll want to change these two:
PasswordAuthentication yes PubkeyAuthentication noto
PasswordAuthentication no PubkeyAuthentication yesMake sure to add your key before you restart the sshd process.
-
@stacksofplates there is no ssh file or folder under /etc/
-
@inroute said in I'm under attack I need help in ssh:
@stacksofplates there is no ssh file or folder under /etc/
what's your output from ls /etc/
-
Also what PBX is this? Is it FreePBX?
-
Would be a good idea to setup fail 2 ban as well.
-
From the original post looks like you are using dropbear ssh.. config should be /etc/config/dropbear
Looks like you need to set
option PasswordAuth 'off'https://wiki.openwrt.org/doc/uci/dropbear has more details as i couldn't (quickly) find official documentation.
-
@coliver said in I'm under attack I need help in ssh:
Would be a good idea to setup fail 2 ban as well.
I hope at some point in the future they make the setup a little easier. It's fairly daunting for a new person. Pam_tally2 and faillock are fairly easy to set up, but rely on PAM. Would be nice to have a middle ground.
-
@tiagom said in I'm under attack I need help in ssh:
From the original post looks like you are using dropbear ssh.. config should be /etc/config/dropbear
Looks like you need to set
option PasswordAuth 'off'https://wiki.openwrt.org/doc/uci/dropbear has more details as i couldn't (quickly) find official documentation.
Good catch, I didn't notice that.
-
@coliver said in I'm under attack I need help in ssh:
Would be a good idea to setup fail 2 ban as well.
Agreed.
-
there is no config folder in the /etc/ directory but i found dropbear folder in the /etc/ directory and it contain tow files
dropbear _dss_host_key
dropbear _rsa_host_keyany idea
-
What about under /etc/default/dropbear
What distro and pbx are you running so we can stop guessing.
-
@tiagom no there no under /etc/default/dropbear
sorry Tiagom im new in Linux
the pbx is Panasonic gsm gateway -
@tiagom Linux version 3.0.76-4.i586 gcc version 4.4.1 ( GCC)
-
It looks like you need to set
DROPBEAR_EXTRA_ARGS="-s"in the dropbear init file.
https://github.com/mkj/dropbear/blob/master/debian/dropbear.init
*It states Do not configure this file. Edit /etc/default/dropbear instead! in the latest version. Your version maybe older or modified by panasonic since /etc/default/dropbear doesnt exist..
Arg found here
http://linux.die.net/man/8/dropbear
But honestly, if there is a firewall in front of this pbx box it maybe easier to do it there.
-
@tiagom so what do you think i must do to stop hackers and right now one hacker he made the gateway reboots like 100 time
is there a way that i can block him
-
@tiagom please see this link
http://manpages.ubuntu.com/manpages/precise/man8/dropbearkey.8.htmldo you think it will help and honestly if you can guide me on how to do it .
it will be nice from you -
Its difficult to suggest without knowing the environment..
The simplest is change passwords if its compromised.
If its behind a firewall you can block traffic on port 22 unless its from your ip..
-
@tiagom ummmm....
