Posts Tagged ‘toto’

Maximal protection against SSH brute force attacks, if your server has to keep its SSH (Secure Shell) port open to the world

Thursday, April 7th, 2011

[Screenshot: SSH brute force attack in progress, script kiddie attacking]
If you administer a remote Linux or other Unix-based server, you have definitely faced the security threat of many failed SSH logins, better known as a brute force attack.

During such attacks your /var/log/messages, /var/log/auth.log (Debian and derivatives) or /var/log/secure (Red Hat and derivatives) fills up with failed password entries like these:

Feb 3 20:25:50 linux sshd[32098]: Failed password for invalid user oracle from 95.154.249.193 port 51490 ssh2
Feb 3 20:28:30 linux sshd[32135]: Failed password for invalid user oracle1 from 95.154.249.193 port 42778 ssh2
Feb 3 20:28:55 linux sshd[32141]: Failed password for invalid user test1 from 95.154.249.193 port 51072 ssh2
Feb 3 20:30:15 linux sshd[32163]: Failed password for invalid user test from 95.154.249.193 port 47481 ssh2
Feb 3 20:33:20 linux sshd[32211]: Failed password for invalid user testuser from 95.154.249.193 port 51731 ssh2
Feb 3 20:35:32 linux sshd[32249]: Failed password for invalid user user from 95.154.249.193 port 38966 ssh2
Feb 3 20:35:59 linux sshd[32256]: Failed password for invalid user user1 from 95.154.249.193 port 55850 ssh2
Feb 3 20:36:25 linux sshd[32268]: Failed password for invalid user user3 from 95.154.249.193 port 36610 ssh2
Feb 3 20:36:52 linux sshd[32274]: Failed password for invalid user user4 from 95.154.249.193 port 45514 ssh2
Feb 3 20:37:19 linux sshd[32279]: Failed password for invalid user user5 from 95.154.249.193 port 54262 ssh2
Feb 3 20:37:45 linux sshd[32285]: Failed password for invalid user user2 from 95.154.249.193 port 34755 ssh2
Feb 3 20:38:11 linux sshd[32292]: Failed password for invalid user info from 95.154.249.193 port 43146 ssh2
Feb 3 20:40:50 linux sshd[32340]: Failed password for invalid user peter from 95.154.249.193 port 46411 ssh2
Feb 3 20:43:02 linux sshd[32372]: Failed password for invalid user amanda from 95.154.249.193 port 59414 ssh2
Feb 3 20:43:28 linux sshd[32378]: Failed password for invalid user postgres from 95.154.249.193 port 39228 ssh2
Feb 3 20:43:55 linux sshd[32384]: Failed password for invalid user ftpuser from 95.154.249.193 port 47118 ssh2
Feb 3 20:44:22 linux sshd[32391]: Failed password for invalid user fax from 95.154.249.193 port 54939 ssh2
Feb 3 20:44:48 linux sshd[32397]: Failed password for invalid user cyrus from 95.154.249.193 port 34567 ssh2
Feb 3 20:45:14 linux sshd[32405]: Failed password for invalid user toto from 95.154.249.193 port 42350 ssh2
Feb 3 20:45:42 linux sshd[32410]: Failed password for invalid user sophie from 95.154.249.193 port 50063 ssh2
Feb 3 20:46:08 linux sshd[32415]: Failed password for invalid user yves from 95.154.249.193 port 59818 ssh2
Feb 3 20:46:34 linux sshd[32424]: Failed password for invalid user trac from 95.154.249.193 port 39509 ssh2
Feb 3 20:47:00 linux sshd[32432]: Failed password for invalid user webmaster from 95.154.249.193 port 47424 ssh2
Feb 3 20:47:27 linux sshd[32437]: Failed password for invalid user postfix from 95.154.249.193 port 55615 ssh2
Feb 3 20:47:54 linux sshd[32442]: Failed password for www-data from 95.154.249.193 port 35554 ssh2
Feb 3 20:48:19 linux sshd[32448]: Failed password for invalid user temp from 95.154.249.193 port 43896 ssh2
Feb 3 20:48:46 linux sshd[32453]: Failed password for invalid user service from 95.154.249.193 port 52092 ssh2
Feb 3 20:49:13 linux sshd[32458]: Failed password for invalid user tomcat from 95.154.249.193 port 60261 ssh2
Feb 3 20:49:40 linux sshd[32464]: Failed password for invalid user upload from 95.154.249.193 port 40236 ssh2
Feb 3 20:50:06 linux sshd[32469]: Failed password for invalid user debian from 95.154.249.193 port 48295 ssh2
Feb 3 20:50:32 linux sshd[32479]: Failed password for invalid user apache from 95.154.249.193 port 56437 ssh2
Feb 3 20:51:00 linux sshd[32492]: Failed password for invalid user rds from 95.154.249.193 port 45540 ssh2
Feb 3 20:51:26 linux sshd[32501]: Failed password for invalid user exploit from 95.154.249.193 port 53751 ssh2
Feb 3 20:51:51 linux sshd[32506]: Failed password for invalid user exploit from 95.154.249.193 port 33543 ssh2
Feb 3 20:52:18 linux sshd[32512]: Failed password for invalid user postgres from 95.154.249.193 port 41350 ssh2
Feb 3 21:02:04 linux sshd[32652]: Failed password for invalid user shell from 95.154.249.193 port 54454 ssh2
Feb 3 21:02:30 linux sshd[32657]: Failed password for invalid user radio from 95.154.249.193 port 35462 ssh2
Feb 3 21:02:57 linux sshd[32663]: Failed password for invalid user anonymous from 95.154.249.193 port 44290 ssh2
Feb 3 21:03:23 linux sshd[32668]: Failed password for invalid user mark from 95.154.249.193 port 53285 ssh2
Feb 3 21:03:50 linux sshd[32673]: Failed password for invalid user majordomo from 95.154.249.193 port 34082 ssh2
Feb 3 21:04:43 linux sshd[32684]: Failed password for irc from 95.154.249.193 port 50918 ssh2
Feb 3 21:05:36 linux sshd[32695]: Failed password for root from 95.154.249.193 port 38577 ssh2
Feb 3 21:06:30 linux sshd[32705]: Failed password for bin from 95.154.249.193 port 53564 ssh2
Feb 3 21:06:56 linux sshd[32714]: Failed password for invalid user dev from 95.154.249.193 port 34568 ssh2
Feb 3 21:07:23 linux sshd[32720]: Failed password for root from 95.154.249.193 port 43799 ssh2
Feb 3 21:09:10 linux sshd[32755]: Failed password for invalid user bob from 95.154.249.193 port 50026 ssh2
Feb 3 21:09:36 linux sshd[32761]: Failed password for invalid user r00t from 95.154.249.193 port 58129 ssh2
Feb 3 21:11:50 linux sshd[537]: Failed password for root from 95.154.249.193 port 58358 ssh2

Such brute force dictionary attacks often succeed where there is a user with a weak password, or some old, forgotten test account. Note the pattern in the listing: the attacker walks a dictionary of common account names (oracle, test, postgres, tomcat, www-data, root), every attempt arrives from a new source port, i.e. a new TCP connection, and the attempts are paced roughly 26 seconds apart.
Just recently, on one of the servers I administer, I caught a malicious attacker originating from Romania who was able to break into my system's test account, which had the weak password tset.
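As an added example (not part of the original post), here is the detection logic a log-based blocker such as fail2ban applies, run over a subset of the lines above (the 20:35 to 20:43 burst plus one root attempt), together with one constructed failure and one constructed key login from a made-up admin host. It parses both sshd phrasings ("invalid user X" for accounts that do not exist, plain "X" for real ones such as root), tallies attempts, distinct usernames and real accounts per source address, and computes the peak number of attempts inside any sliding window, which is what an iptables recent-match rule effectively keys on. The sample attacker paces one attempt every 26 seconds, so a 5-in-60-seconds threshold never fires against it while 5-in-600-seconds does. The year is assumed to be 2011 (the post's year) because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both sshd phrasings seen in the listing above:
#   "Failed password for invalid user oracle from 95.154.249.193 port 51490 ssh2"  (no such account)
#   "Failed password for root from 95.154.249.193 port 38577 ssh2"                 (real account)
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+ ssh2$"
)

# Constructed sample: the 20:35-20:43 burst and one root attempt copied from the
# listing, plus one password failure and one key login from a made-up admin host
# (192.0.2.10, RFC 5737 documentation range). The key login must not be counted.
SAMPLE_LOG = """\
Feb 3 20:35:32 linux sshd[32249]: Failed password for invalid user user from 95.154.249.193 port 38966 ssh2
Feb 3 20:35:59 linux sshd[32256]: Failed password for invalid user user1 from 95.154.249.193 port 55850 ssh2
Feb 3 20:36:00 linux sshd[32257]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Feb 3 20:36:10 linux sshd[32258]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
Feb 3 20:36:25 linux sshd[32268]: Failed password for invalid user user3 from 95.154.249.193 port 36610 ssh2
Feb 3 20:36:52 linux sshd[32274]: Failed password for invalid user user4 from 95.154.249.193 port 45514 ssh2
Feb 3 20:37:19 linux sshd[32279]: Failed password for invalid user user5 from 95.154.249.193 port 54262 ssh2
Feb 3 20:37:45 linux sshd[32285]: Failed password for invalid user user2 from 95.154.249.193 port 34755 ssh2
Feb 3 20:38:11 linux sshd[32292]: Failed password for invalid user info from 95.154.249.193 port 43146 ssh2
Feb 3 20:40:50 linux sshd[32340]: Failed password for invalid user peter from 95.154.249.193 port 46411 ssh2
Feb 3 20:43:02 linux sshd[32372]: Failed password for invalid user amanda from 95.154.249.193 port 59414 ssh2
Feb 3 20:43:28 linux sshd[32378]: Failed password for invalid user postgres from 95.154.249.193 port 39228 ssh2
Feb 3 21:05:36 linux sshd[32695]: Failed password for root from 95.154.249.193 port 38577 ssh2
""".splitlines()


def parse_failed_logins(lines, year=2011):
    """Yield (timestamp, ip, user, account_exists) for each failed-password line.
    Syslog timestamps carry no year, so one is assumed (2011, the post's year)."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # accepted logins, disconnects, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["invalid"] is None


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds.
    This is what an iptables 'recent --seconds W --hitcount N' rule keys on."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(lines, window=60, threshold=5, year=2011):
    """Per source IP: attempt count, distinct usernames tried, real accounts
    targeted, peak attempts in any window, and whether a rate rule would fire."""
    per_ip = defaultdict(lambda: {"times": [], "users": set(), "valid": set()})
    for ts, ip, user, exists in parse_failed_logins(lines, year):
        rec = per_ip[ip]
        rec["times"].append(ts)
        rec["users"].add(user)
        if exists:
            rec["valid"].add(user)
    report = {}
    for ip, rec in per_ip.items():
        peak = max_in_window(rec["times"], window)
        report[ip] = {
            "attempts": len(rec["times"]),
            "distinct_users": len(rec["users"]),
            "valid_accounts": sorted(rec["valid"]),
            "peak_in_window": peak,
            "would_block": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for window in (60, 600):
        print(f"--- window {window}s, threshold 5 ---")
        for ip, r in sorted(summarize(SAMPLE_LOG, window=window).items()):
            print(ip, r)
```

Running the file prints the per-IP summary for both windows: with window=60 the attacker's peak is 3 and would_block is False, with window=600 the peak is 10 and it is blocked, while the admin host stays at a single failure in both cases. Point the same functions at the full listing (or at a live auth.log) and the "distinct_users" column alone separates a dictionary scanner from a user who mistyped a password.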

Thankfully the script kiddie was unable to get root access to my system, so what he did was simply start another SSH brute force scanner to crawl the net and look for other vulnerable hosts.

As my recent example shows, being immune against SSH brute force attacks is an essential security step the administrator needs to take on a newly installed server.

The easiest way to get rid of the brute force attacks, without using external brute force filtering software like fail2ban, is:

1. Using an iptables rate-limiting rule to drop traffic from every IP that opens too many new SSH connections in a short time

To use this brute force prevention method you need the following iptables rules (the recent match keeps a per-source list of timestamps; --name keeps the SSH list separate from the default one, and on current kernels -m conntrack --ctstate NEW can replace -m state --state NEW):

linux-host:~# /sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name SSH
linux-host:~# /sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP

Because both rules are inserted with -I (at the head of the chain), the DROP rule issued second ends up in front of the --set rule, which is the order you want: a source that already has 5 or more new connections recorded within the last 60 seconds is dropped, everyone else is recorded and falls through to the rest of the chain.

Be precise about what this filters: it counts new TCP connections to port 22 per source address, not failed logins. A legitimate user who opens several sessions in quick succession gets locked out for a minute, while a scanner that paces one attempt every 20 to 30 seconds (as the one in the listing above does) never trips a 5-in-60-seconds rule. Lengthen --seconds (600, for example) or use a log-based tool such as fail2ban if you want to catch slow scanners. The rules also do not survive a reboot unless you save them with your distribution's iptables-save mechanism.

2. Getting rid of brute force attacks through use of hosts.deny blacklists

sshbl – The SSH blacklist, updated every few minutes, contains IP addresses of hosts which tried to brute force their way into any of currently 19 hosts (all running OpenBSD, FreeBSD or some Linux) using the SSH protocol. The hosts are located in Germany, the United States, the United Kingdom, France, Ukraine, China, Australia and the Czech Republic, and are set up to report and log those attempts to a central database. Very similar to all the spam blacklists out there.

To use sshbl you will have to put a line like the following in root's crontab (the original used */60 in the minute field, which cron evaluates as "minute 0 of every hour"; 0 * * * * says the same thing more plainly):

0 * * * * /usr/bin/wget -qO /etc/hosts.deny http://www.sshbl.org/lists/hosts.deny

To set it up from the console, append it to the existing root crontab rather than replacing it (crontab - on its own replaces the whole crontab with whatever it reads from stdin, wiping any entries root already had):

linux-host:~# (crontab -u root -l 2>/dev/null; echo '0 * * * * /usr/bin/wget -qO /etc/hosts.deny http://www.sshbl.org/lists/hosts.deny') | crontab -u root -

This cron job downloads the list and replaces your system's /etc/hosts.deny with the regularly updated copy from sshbl.org, so the next time an already reported brute forcer connects, tcp_wrappers (libwrap) inside sshd finds its IP in /etc/hosts.deny and refuses the connection.

Three caveats before you rely on this. The download is plain HTTP with no signature or checksum, so whoever sits on the path (or controls the list) decides what ends up in your hosts.deny, including an "ALL: ALL" line that locks everyone out. wget -O truncates the target file before the transfer starts, so a failed download leaves you with an empty hosts.deny and no blacklist at all until the next run. And because the whole file is overwritten, any local hosts.deny rules of your own are lost. Validate the list and merge it into a managed section of the file instead of blindly overwriting it. Finally, check that your sshd honours hosts.deny at all: OpenSSH upstream dropped tcp_wrappers support in version 6.7, and ldd "$(command -v sshd)" | grep libwrap tells you whether your build still has it.

The hosts.deny rules sshbl publishes are keyed to the sshd daemon (lines of the form sshd: <ip>), so tcp_wrappers denies the listed IPs only for the SSH service; other services on the host, such as Apache or a radio/TV streaming server, remain reachable from those IPs (Apache does not consult tcp_wrappers anyway).
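As an added example that is not part of the original post, here is a safer replacement for the blind wget into /etc/hosts.deny shown above: it validates a downloaded list before installing it, merges it into a marked section of hosts.deny so local rules survive, refuses to install an empty or garbage list (which is what a failed download hands you), and replaces the file atomically. The list format is assumed to be one sshd: <ip> entry per line with # comments, since the post says the list filters the listed IPs for SSH only; the sample download below is constructed, including the poisoned ALL: ALL line, the wildcard, the RFC 1918 host and the HTML error page it rejects. Fetching is left to the caller (urllib.request.urlopen, or the cron wget into a temporary file) so the block runs offline.

```python
import ipaddress
import os
import re
import tempfile

# Assumed list format: one "sshd: <ip>" line per blacklisted host, "#" comments.
# Anything else is rejected, so a tampered download or an error page can never
# become hosts.deny content.
ENTRY_RE = re.compile(r"^sshd\s*:\s*(\S+)$")
BEGIN = "# BEGIN sshbl managed block (do not edit by hand)"
END = "# END sshbl managed block"

# Networks a remote list must never be allowed to deny: loopback, link-local and
# RFC 1918, because a poisoned list could otherwise lock the admin out from the LAN.
NEVER_DENY = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample download: two good entries, a lock-everyone-out line, a
# wildcard, an RFC 1918 host and an HTML error page. Not a real sshbl.org list.
SAMPLE_DOWNLOAD = """\
# sshbl hosts.deny (constructed sample)
sshd: 95.154.249.193
sshd: 203.0.113.5
ALL: ALL
sshd: ALL
sshd: 10.0.0.5
<html><body>502 Bad Gateway</body></html>
"""
# Constructed local hosts.deny content that an update must preserve.
SAMPLE_LOCAL = "ALL: 198.51.100.7\n# local rule above must survive updates\n"


def validate_blacklist(text):
    """Split a downloaded list into accepted 'sshd: <ip>' lines and rejected lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # single hosts only: no ALL, no netmasks
        except ValueError:
            rejected.append(line)
            continue
        if any(ip in net for net in NEVER_DENY):
            rejected.append(line)
            continue
        accepted.append(f"sshd: {ip}")
    return accepted, rejected


def merge_hosts_deny(current, entries):
    """Return `current` with the managed block replaced by `entries`; every line
    outside the BEGIN/END markers (the admin's own rules) is kept verbatim."""
    lines = current.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        b, e = lines.index(BEGIN), lines.index(END)
        head, tail = lines[:b], lines[e + 1:]
    else:
        head, tail = lines, []
    return "\n".join([*head, BEGIN, *entries, END, *tail]) + "\n"


def update_hosts_deny(downloaded, path="/etc/hosts.deny", min_entries=1):
    """Validate, merge and atomically install; return the number of entries.
    Raises instead of writing when the list is empty or all junk, so a failed
    download leaves the previous hosts.deny untouched."""
    entries, rejected = validate_blacklist(downloaded)
    if len(entries) < min_entries:
        raise RuntimeError(f"refusing to install {len(entries)} entries "
                           f"({len(rejected)} rejected lines)")
    try:
        with open(path, encoding="utf-8") as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    merged = merge_hosts_deny(current, entries)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".hosts.deny.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(merged)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # rename is atomic: readers see the old or the new file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return len(entries)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "hosts.deny")
        with open(target, "w", encoding="utf-8") as f:
            f.write(SAMPLE_LOCAL)
        n = update_hosts_deny(SAMPLE_DOWNLOAD, path=target)
        with open(target, encoding="utf-8") as f:
            print(f"installed {n} entries:\n{f.read()}")
```

Run from cron in place of the wget line, the script leaves the admin's "ALL: 198.51.100.7" rule in place, installs only the two well-formed entries, and aborts without touching the file when the download is an error page. The same validate-then-merge shape applies to any remotely fetched deny list, whether it ends up in hosts.deny, an ipset or a firewall chain.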

It’s a good practice actually to use both of the methods 😉
Thanks to Static (Multics) a close friend of mine for inspiring this article.

The Economics Exam. Or the day of a standard man :]

Tuesday, January 30th, 2007

Today I had an exam in Marketing. The exam started 50 minutes late because the teachers had some sort of meeting. I was able to get most of the test answers from one colleague, but I'm not sure whether her answers are correct. I hope, if God gives me help, I will pass. After that I and some others from my group tried to get the answers for our next exam, which is tomorrow and is in the Accounting discipline. Unluckily we were not able to find anything. As usual I don't know anything and I'm hoping for a miracle and God's mercy to pass the exam. I invited Habib to come home to explain some of the material to me, but my mind was too overloaded with information so I was not in the mood for studying. After that we went out with Habib, Mitko, Toto and Sami. All started well until Zuio's father came to our table (we were drinking beer at the fountain). He came and started kissing all of the guys around, and started talking total bullshit to Habib and other people in the cafe; a terrible picture, the classical "Bai Ganio" in action. After that we walked for some time with Habib on the way to his home, and drank a coffee at the "Zhurnalist" cafe. Now I'm home again. After some problems, luckily, I was able to get Skype's microphone to work under my FreeBSD. I have to sit down and study for a few hours. Thank God I didn't have any problems with my servers. Glory is for the Lord of Hosts.

Loser Again

Wednesday, January 31st, 2007

Got a 2 on the Marketing exam. Again I'm a loser. I have neither the time nor the desire to study again for this exam. I think I'm not suited to being a student. Today we were at a cafe with Mitko, Toto and Dido. Nothing special, an ordinary day. Yesterday we stayed at Mitko's and were installing Gentoo Linux on his laptop. Gentoo's GRUB was buggy or something; we didn't succeed in running the kernel with GRUB, so we decided to switch to LILO. We were able to make the machine bootable using LILO. Then there was an annoying error with the REAL_ROOT option. After a lot of wandering and editing of /linuxrc we found the mistake: it was a typo in lilo, a mistake we made writing it, we wrote real_boot instead of real_root. In the end everything worked okay, and I went home to sleep. I'm not sure where my life is going again... I'm completely Lost in the Dark.

Sunday

Monday, July 9th, 2007

The day went faster than other normal days. I woke up in the morning and went to Church for the Liturgy. Then I went home and watched some Cartoon Network. Later I decided to go to my uncle to read him the Bible for some time, but he was not home; I took a watermelon from the local market for my grandmother. It's nice to see somebody being happy about something :]. Later I went to my uncle. It's sad to see someone in his condition :[. I really want him to get better. I read him from the Bible, the Holy Gospel of Luke; I hope at least he has understood something from the Gospel text. Habib called home from London later, this was a real joy. Habib is such a nice guy, I really want God to bless him in everything, for he deserves it. We spoke a lot about life in England: the bad conditions there, the low-paid job, how hard he is living there, about how we miss each other as friends, about some close friends. After the conversation I decided to go out. I first went to Mino's cafe. There were some people there but I got angry at the nonsense conversations and decided to go to the Fountain; actually it was almost the same there. Later Toto, Mitko and I drank beer in the city park. And I went home... After the usual evening Orthodox prayers I will go to bed in 20 or 30 minutes.

Tiulenovo’s Stones

Tuesday, July 17th, 2007

I spent Friday night and Saturday at a place near the village of Tiulenovo. It's beautiful there. There were a lot of waves. I had a great time, and got a little of the desire to live again, and inspiration. It was sad that most of the people were there to drink and smoke as much as they can. I tried to learn to catch fish. There was a lot of wind the whole night and day. There was not enough wood for the fire; it was a cold experience when the firewood ran out at 5:20 in the morning, luckily the sun rose 20 or 30 minutes later. In the morning we had a wonderful talk with Toto :]. In the morning Toto, Nomen and Zuio went to Shabla to find some wood for the next night. After a lot of searching at last we found some used wood with nails in it, we also collected some from a small wood belt, we took some food from one of the local shops, we drank a coffee in the morning, later we left Mitko at the bus station, because he had to be home by dinner. After that I had a bath in a place near the rocks which everybody was calling "Djakuzi"; I really enjoyed the bath. I hadn't taken a sea bath for seven years, and I also hadn't exposed my body to direct sunlight for so many hours in seven years, so I got sunburned without realising it. Later I slept 2 hours in the tent because I was completely exhausted, I hadn't slept for almost 2 days. When I woke up 2 hours later in the tent I was red like a tomato :], and it was hurting. At almost 22 o'clock I and Dido (The Head) hit the road back to Dobrich. Unfortunately the cops caught him driving at 70 km/h in a village where there was a speed limit of 50 and they were going to give him a fine (at least they didn't test him for alcohol; if they had, it was sure that he would have lost his driver's licence, because he had drunk a lot during the day). Happily this didn't happen, praise the Lord! :]. If I leave out all the nonsense talking and swearing and all the alcohol that was drunk, then it was a great experience.
I used to think that a man can feel God's presence in such wild and desolate places much more strongly; also the inspiration gives you hope to continue no matter how bad things are. On the other side, in the last days I have lost faith and hope and even blasphemed a little, claiming to be an atheist, but the truth is I can't, after I've experienced the Eternal One's love. And I'm trying to come back in repentance, being sorry for all this. Today I woke up at 9:35 in the morning (a call from the office). There was a new employee and I had to set up his account on the Samba server and make him a mail account. *Luckily* :] my internet connectivity was missing, so I went to the college to use the internet and see Ertan (the college's admin). After I had set up the account and mail and done some usual system maintenance on the servers, I helped Ertan set up the laptop of a new English teacher who was previously in Australia and is now back in Bulgaria. We set up Debian Etch + Beryl + mplayer + audacious + xmms... wine, gimp, office, etc. In the evening we drank a coffee with Mitko and later we went to his home; Plamen (the guitarist) came and we went to my home, while Nomen and Sami went out to see each other. I had a great time with Plamenko (this guy is really interesting!), it's a real blessing to know him :]

On a beach again

Monday, July 14th, 2008

Yesterday I was at the beach again. We went first to a place called "The Robinson", which was a terrible place: a small "beach" with an old, non-functional quay. Some of the planks were missing, so I had to walk very carefully, and in some places there were nails. At first I almost fell down from the quay; there was a broken plank and I lost my balance, thank God I was able to balance myself and not fall. If I had fallen I would probably have been seriously hurt or even died, because down there the sea was shallow. Just a minute later a friend of mine who was walking in front of me warned me to be careful with the nails on some of the planks, and even though I was carefully watching my steps I stepped on a nail. The nail pierced my sports shoe. At that moment I felt only a little pain, so I thought I wasn't hurt seriously. Anyway I decided to take off the shoe and sock, and blood started sprinkling. It took me some time to come back to the beach because I had to walk back over all those broken planks on the quay. Thanks to God I got back to the beach, where I put my leg in the salty water. Nomen and Javor were going to Kavarna at that moment, so Toto (the guy who was with me) called Nomen and told him to get some medical alcohol (spirit) from the drugstore. After they came we used the alcohol to wash the wound in order to disinfect it. Later, while I was sitting on the beach, Toto and Nomen went into the sea to catch some mussels. Toto was diving and searching for mussels for some time and he quit at a point because he wasn't able to collect enough. They came back with only two mussels. At this time Javor tried to catch some fish from the quay, again unsuccessfully. Later we decided to move to another beach because I proposed so; I really hated this place, plus its location was too near to the sea shore.
We tried to move to another nice beach, but since it was private we weren't allowed to pitch the tent and make a camp fire. So in the end we decided to move to Topola's beach. The night there was a nerdy one; Toto and Javor were trying to make fun of me and I got really angry... They made a fire and we baked some meatballs and had a nice dinner. The sky was full of stars, really beautiful! I spent maybe an hour watching the sky, adoring the mighty work of God's hands. I slept that night in Nomen's car (Audi A4 :)). In the morning Nomen and Toto, and after that Mitko, came one after another and woke me up a few times; in the end, when I realized I wouldn't be able to sleep anymore, I stood up, put on my bathing trunks and went to the beach. I went into the sea 3 times and had really nice baths, we played volleyball in the water and had a great time. At midday we had to set off home because Nomen was going to travel back to Sofia in the afternoon. There was a problem: one of the car's tyres was losing air, so Toto and Nomen used their 3l337 skillz to change the broken tyre. Somewhere around 14:30 we were back in Dobrich. I hadn't been to my grandma for a day, so I went to her apartment (she lives 6 floors above my parents' apartment). After that I went to the Church, where I lit a few candles and prayed to God to have mercy over me, the sinner, and my family. On my way back home I met Papi (Paco). Papi is a very good guy, a Christian who for some time was like a spiritual father to me. We had a walk in the city park and spoke a bit about our lives and the face of Christianity in general, and how poor the condition of Christianity and faith in general is. Later at home my mother helped me to practise the driving lesson tests.
Another thing I did in the last 2 or 3 days was to configure a FreeBSD server which was going to host a website; the server was required to have Apache, PHP, MySQL and Qmail. Configuring Apache, PHP and MySQL was pretty straightforward. The real problem occurred when I tried to install Qmail from ports. I followed a FreeBSD qmail tutorial and at the end I was not happy with the qmail installation. After that I tried using the FreeBSD qmail toaster. But again I should say that the FreeBSD qmail toaster is a total mess. Then I decided to go in another direction and tried to install qmail following the qmailrocks method; I'm not really sure if I did everything the way I had to, because I was really in a hurry to get a working SMTP server to send and receive mail. In the end I used a lot of custom configuration files and the daemontools + qmail-spamcontrol + vpopmail ports, in the way I use on a few of the other Qmails I administer. Thank God everything worked just fine and now I'm happy to have another functional qmail server on FreeBSD.

How to install Ubuntu Linux on Acer ASPIRE 5736Z Notebook / Get around the black screen install CD issue

Friday, July 1st, 2011

My sister's newly bought laptop is an Acer Aspire 5736Z. By default this notebook comes with a Linux distribution called Linpus.
Even though Linpus (a Linux crafted especially for Acer notebooks) looked really nice, it turned out to be a pretty poor Linux distro.
Linpus was unable even to establish a simple WPA2-protected wireless connection with my wireless router, not to mention that the physical Linux consoles (CTRL+ALT+F1) were disabled...

Linpus was so bad that I couldn't even launch any kind of terminal on it (I was stuck!), so I decided to wipe it and do a clean install of the latest Ubuntu, 11.04.

I was surprised to find that booting the Ubuntu 11.04 installer led me to a black screen (black screen of death).

The Aspire 5736Z's screen stayed completely blank while the hard drive was continuously reading (indicating that the Ubuntu installer had booted properly but couldn't light up the notebook screen).

A bit of investigation into known issues with this Acer notebook model led me to a thread on the Fedora forums:
http://forums.fedoraforum.org/showthread.php?t=263794
On this forum the same kind of Linux install problem was described for the Aspire 5736Z during a Fedora install.

I just tried the suggested fix and it works like a charm.

The fix goes like this:

1. Bring up the Ubuntu installer's boot options screen

Just press any key while the Ubuntu installer CD is loading, and after a few seconds the install options screen should appear, as in the screenshot below:

[Screenshot: Ubuntu install boot options parameters screen]

2. Select the nomodeset boot option

In the above screenshot you can see F6 Other Options. I had to press F6 and choose the nomodeset boot option to make Ubuntu able to boot further. nomodeset tells the kernel not to initialise the graphics card itself (kernel mode setting) and to keep the display mode the BIOS set up, which is what the installer needs on this notebook.

After selecting nomodeset and pressing the Install Ubuntu menu option, the graphical installer launched successfully 😉 If the installed system shows the same black screen on its first boot, make the option permanent: add nomodeset to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub.
Hope this small tip is helpful to some Ubuntu or other Linux user who is trying to install Linux on an Acer Aspire 5736Z.
Cheers 😉