Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > macOS > Looks like a hacker attempt... what do you think?

Looks like a hacker attempt... what do you think?
Thread Tools
eggman
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Status: Offline
Reply With Quote
Dec 28, 2007, 03:56 PM
 
Thanks to LittleSnitch, I noticed some uncharacteristic traffic on sshd from an unknown IP address which was being very, very persistent.

Looking in my appfirewall logs, I'm finding many, many dozens of messages like this:

Dec 28 10:29:23 [my computer name] Firewall[59]: Allow sshd-keygen-wrapper connecting from 64.122.166.7:45287 uid = 0 proto=6
The port number following the IP is always different, but otherwise the message repeats every 4 or 5 seconds for over an hour (which is when I sat down to work, noticed this, and blocked their IP address).

I'm assuming that these many, many redundant attacks represent attempts... but failures... to gain access to my system - but I'm more than a bit wary about this. Looking over my logs from previous days, I'm seeing other such attempts coming from other IP addresses. Frankly, I resent my bandwidth being utilized by these clowns.

So, what do you think: how concerned should I be? I have changed my system admin password, just to be safe.

I've got the SSH port open on my router so I can shell in remotely myself, which I sometimes have occasion to do.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Reply With Quote
Dec 28, 2007, 04:01 PM
 
All the different IP addresses makes it sound like it's probably just zombie computers feeling blindly for an easy mark rather than some person actively trying to hack you.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Dec 28, 2007, 04:01 PM
 
The IP crosses to "integraonline.com", an ISP for the Western U.S. You might contact them and ask what is going on.

Glenn -----OTR/L, MOT, Tx
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 28, 2007, 04:08 PM
 
You might want to setup your firewall to only allow connections from your remote IP, or look into port knocking. This way, the connection refusals will be handled at the kernel level rather than the network stack level.
     
Cadaver
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
Status: Offline
Reply With Quote
Dec 28, 2007, 05:05 PM
 
The open SSH port is going to act as a magnet to anyone (or anything) looking to gain access - as soon as a useful open port is discovered by port scanners trying out random IP addresses, hackers and zombie PCs will continue to try to access it.
     
~bash $
Forum Regular
Join Date: Feb 2007
Status: Offline
Reply With Quote
Dec 28, 2007, 05:08 PM
 
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.

The two file are called hosts.allow and hosts.deny. There's a nice doc on this at:

HMUG: Unix How Tos

LS caught remote attempt at at brute force break-in to a non-admin accn of mine once, it was apparently a remote IRC server. Anyhow, good luck.

PS. It is my opinion that EVERYONE who enables sshd should be doing this already; ssh attacks are among the most persistent in the Unix/Unix-like world.
     
eggman  (op)
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Status: Offline
Reply With Quote
Dec 28, 2007, 06:29 PM
 
Originally Posted by ~bash $ View Post
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.
Well, damn.

The problem is that I'll sometimes need to access my system remotely when I'm at a client's office... (and I have dozens of clients) so it's not like there's a small set of IP addresses that are well known to me to permit: it's not like there's one office computer that I want to give access to - it's a laptop that's going to be connecting from whatever LAN I have available to me - and that might not even have a static IP.

You might want to setup your firewall to only allow connections from your remote IP, or look into port knocking.
Port knocking sounds like it could be the ticket... I just wish I could find any indication that there are tools available on the Mac to facilitate the process. So far, not much luck in that regard.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 28, 2007, 10:12 PM
 
Originally Posted by ~bash $ View Post
If you suspect that this is over ssh (port 22 by default), then you need to either shut down sshd or enable TCP wrappers, which are basically two files in /etc/ that will deny access outside a specified range that can be very specific.

The two file are called hosts.allow and hosts.deny. There's a nice doc on this at:

HMUG: Unix How Tos

LS caught remote attempt at at brute force break-in to a non-admin accn of mine once, it was apparently a remote IRC server. Anyhow, good luck.

PS. It is my opinion that EVERYONE who enables sshd should be doing this already; ssh attacks are among the most persistent in the Unix/Unix-like world.

Another thing worth entertaining is putting SSH on an alternate port. This does *not* provide any more security, but it may be enough to put a damper on many of the automated scripted attacks.

On a related note, for those interested in securing their systems have you ever looked at the Nessus scanner? If so, any opinions on it?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 28, 2007, 10:13 PM
 
Originally Posted by eggman View Post
Port knocking sounds like it could be the ticket... I just wish I could find any indication that there are tools available on the Mac to facilitate the process. So far, not much luck in that regard.
If you mean GUI tools, I don't know of any, sorry!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Dec 28, 2007, 10:15 PM
 
eggman: if you decide to explore port knocking, please report back your findings... I haven't really looked into this yet myself, but it's been something I've been interested in for a while!
     
~bash $
Forum Regular
Join Date: Feb 2007
Status: Offline
Reply With Quote
Dec 28, 2007, 11:02 PM
 
VPN is one solution. I don't know a lot about setting it up (hardware), but I do know that if you have a VPN, you can have a nice, restricted IP space once you're connected to your VPN and you can connect from anywhere. It would require that you install a VPN client on each remote machine ....
     
moonmonkey
Professional Poster
Join Date: Jan 2001
Location: Australia, the greatest country in the world, (Australians keep telling me).
Status: Offline
Reply With Quote
Jan 2, 2008, 07:48 AM
 
Jesus, its like reading a foreign language.
     
horseflesh
Fresh-Faced Recruit
Join Date: Dec 2007
Status: Offline
Reply With Quote
Jan 3, 2008, 12:03 AM
 
I have run a Unix web server from my home for many, many years... before Unix was in the Mac even. I keep the ssh port open so I can get in. And every day, there are hundreds of login attempts. (and attempts to exploit known weaknesses in PHP applications, and Windows-specific virus attacks, and open mail relay probes, etc etc.)

Big deal. They don't get in.

If your ssh port is visible to the world, you will be fine as long as they can't guess your password. It is BETTER to shield the port as well as you can, that's just good cover-your-ass security practice. But OpenSSH is very mature and if some sort of remote access exploit were found it would be a huge event. If you can't know the IPs you will be coming from, leave it open to everything.

If you would like an extra layer of security, look in to ssh authentication via encrypted keys instead of passwords.

OpenSSH Public Key Authentication

You can also change what port ssh listens on. It's not much good but you'll dodge some probes that way. Personally, I do not bother. Probe me. You aren't getting in.

Also, VPN isn't a solution to this non-problem; after all, the VPN port would need to be secured in the same way as the SSH port! It's just another encrypted protocol. VPN is neat though and if you want full desktop access look in to it.

BTW you can probably tunnel a desktop sharing client over your SSH connection. I do that for the windows remote desktop client.

Good luck!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 3, 2008, 12:14 AM
 
The SSH public key recommendation is an excellent one. Not only is it more convenient to not have to type in your password each time, but it is also more secure (as long as you keep your private key safe), and allows for scripted automation of tasks. If you do this, I might suggest disabling password authentication on SSH. Doing so will eliminate the password entry attempts being attempted by the botnetted machines trying to access your machine.
     
eggman  (op)
Mac Enthusiast
Join Date: Aug 2002
Location: Santa Rosa, CA
Status: Offline
Reply With Quote
Jan 3, 2008, 01:49 AM
 
Thanks, all.

I tried posting earlier and my response apparently got eaten: I looked into port knocking and it'd be more work to set up than I have time for... ultimately, I came to the conclusion articulated by horseflesh. They clearly didn't get in. I have good, strong passwords.

BTW, I have been using public key authentication... but hadn't disabled password authentication.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 04:20 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,