Quarter Life Crisis

The world according to Sven-S. Porst


Higher Achievement


When peeking into Activity Monitor, I saw that there were a number of sshd’s with high process numbers running. Which is odd because I didn’t log into my computer. A quick look at secure.log revealed that some program was trying to log into my machine:

...
Apr 19 01:01:29 Kalle com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Apr 19 01:01:33 Kalle com.apple.SecurityServer: authinternal failed to authenticate user demo.
Apr 19 01:01:33 Kalle com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Apr 19 01:01:35 Kalle com.apple.SecurityServer: authinternal failed to authenticate user grace.
...

One of those messages was coming in each second. Looks a bit like an attack to me. So I became curious. Strangely the secure.log file doesn’t print the IP address where the failed request comes from, so I decided to quickly run Eavesdrop to see where this was coming from. And sure enough all the failed logins were coming from the same address, 69.20.65.198, aka higherachievement.org.
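The pattern in the log excerpt above, a different account name every second or two, can be picked out mechanically. This is an added example, not part of the original post: Python that parses SecurityServer lines in the format shown and groups the failures into runs; the last three sample lines, the default year and the thresholds are assumptions.

```python
import re
from datetime import datetime

# First four lines are quoted from the post; the last three are constructed.
# As the post notes, this log carries no source IP, so only time and user remain.
SAMPLE_LOG = """\
Apr 19 01:01:29 Kalle com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Apr 19 01:01:33 Kalle com.apple.SecurityServer: authinternal failed to authenticate user demo.
Apr 19 01:01:33 Kalle com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Apr 19 01:01:35 Kalle com.apple.SecurityServer: authinternal failed to authenticate user grace.
Apr 19 01:01:37 Kalle com.apple.SecurityServer: authinternal failed to authenticate user guest.
Apr 19 01:01:39 Kalle com.apple.SecurityServer: authinternal failed to authenticate user admin.
Apr 19 09:30:12 Kalle com.apple.SecurityServer: authinternal failed to authenticate user ssp.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ com\.apple\.SecurityServer: "
    r"authinternal failed to authenticate user (?P<user>\S+?)\.?$")

def failed_logins(log_text, year=2006):
    """Return sorted (timestamp, user) pairs; the log has no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"]))
    return sorted(events)

def dictionary_bursts(events, gap_s=60, min_users=3):
    """Split failures into runs with gaps <= gap_s seconds and report runs that
    try at least min_users different account names (guessing, not a typo)."""
    runs, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > gap_s:
            runs.append(current)
            current = []
        current.append(ev)
    if current:
        runs.append(current)
    report = []
    for run in runs:
        users = sorted({user for _, user in run})
        if len(users) >= min_users:
            report.append({"start": run[0][0], "end": run[-1][0],
                           "attempts": len(run), "users": users})
    return report
```

On the sample, the four failures between 01:01:33 and 01:01:39 form one reported run, while the single failure at 09:30 is left alone.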

While the site looks pretty harmless – if a bit moronic because their organisation looks like it’s full of directors and buzzwords – I wondered whether the ‘evil’ guys might have set it up to make people like me think some harmless people have been hiring incompetent computer staff…

But paranoia aside, it’s probably just people who don’t know what they’re doing (I mentioned directors and buzzwords before, didn’t I?) hiring other people who don’t know what they’re doing giving a nicely incompetent mess that’s annoying people around the world.

What’s the best thing to do to stop those people?

I guess I’m just changing the port for my ssh server to something more obscure – so obscure that I’ll most likely have forgotten it the next time I want to use it – and that’s it.

Oh, and, higherachievement.org – you suck.

April 19, 2006, 1:14

Comments

Comment by d.w.:

Most likely, higherachievement.org has been compromised/cracked/rooted and someone else is using it as a zombie from which to launch other attacks. I doubt anyone at that site has a clue about security, or realizes that they’re running a hotel for creeps. You could always try dropping an email to postmaster, root, or administrator@higherachievement.org, but it would likely bounce. You could also do a WHOIS and drop a line (phone or snail mail) to the technical contact (apparently a Mr. Fernando Batista, in Washington, D.C. USA)

As far as locking down ssh, there are a number of things you can do — changing the port, as you’ve already considered, restricting the allowed source IPs (which is a PITA if you travel often and want to be able to hit your machine from anywhere), turning off PW authentication, restricting the accounts that can log in remotely, etc.

April 19, 2006, 2:27

Comment by fudo:

If you haven’t already, turn on firewall logging, and then leave a Console window open with ipfw.log showing. It’s quite fascinating what you’ll see…

April 19, 2006, 3:23

Comment by ssp:

Dave: Sure, they may be innocent victims. But they’re still incompetent then. If they weren’t they’d have hired better geeks to run their computers. [As bosses like to take credit when things work well, I think they also should take responsibility when things go wrong - a little detail that’s often forgotten these days.]

I tried to send a message to an address from their web site, info@…, but it bounced. But to be honest I don’t really care about their system. If they want it to be compromised, so be it. There are probably too many bad guys on the net that getting those out of the game would help anyone.

I really wish OS X had comfortable control for remote access. I have some accounts on my machine which don’t need remote access at all, and I have others for which just having sftp access will do. But it looks like there’s neither a GUI for setting this nor may those settings be preserved when you move to a new machine or have to reinstall things. So I don’t want to make the effort…

fudo: I may have a look at that when I’m in a good mood. I might get the impression that I’m all popular!

April 19, 2006, 9:48

Comment by Hauke Fath:

Aside from the load created by these dumb dictionary attacks, as long as you have strong passwords on the machine, you are quite safe. It becomes more of a problem on machines with many Luser accounts, obviously.

While you can of course respond by moving ssh to a different port, /etc/hosts.{allow,deny} access rules, port knocking etc., the cure will likely be worse than the disease.

April 19, 2006, 13:17

Comment by Jerry Kindall:

Don’t allow passwords with ssh, accept only public-key encryption. Very easy to configure sshd to do this, just change PasswordAuthentication to No in /etc/sshd_config. (You might also have to turn off UsePAM, I don’t remember.) You then use the application ssh-keygen to generate an RSA key pair and store the private key in ~/.ssh/authorized_keys. Copy the public key to the client machine and use it with the ssh client (this varies from client to client; for a ssh command line tool you usually put it in ~/.ssh/id_rsa). Once you turn off password authentication, the only people who can log in to your machine are those for whom you generate key pairs (or have physical access to your machine when it’s logged in).

April 25, 2006, 7:07
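An added example, not part of any commenter's text or of OpenSSH itself: a Python check of sshd_config text against the options raised in the comments above (password authentication, the UsePAM question, account restrictions, port). The two sample configs, the finding names and the use of upstream OpenSSH defaults for unset keywords are assumptions of this example; Match blocks are not evaluated.

```python
# Constructed configs for illustration; Port 2222 and AllowUsers ssp are made-up values.
WEAK = """\
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
"""
HARDENED = """\
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ssp
"""

# Upstream OpenSSH defaults, assumed for unset keywords (vendor builds may differ).
DEFAULTS = {"port": "22", "passwordauthentication": "yes", "usepam": "no",
            "challengeresponseauthentication": "yes", "pubkeyauthentication": "yes"}

FINDINGS = {
    "password": "PasswordAuthentication is on: a guessed password logs in",
    "pam-password": "UsePAM with ChallengeResponseAuthentication: PAM can still ask for a password",
    "all-accounts": "no AllowUsers/AllowGroups: every account may log in remotely",
    "default-port": "Port 22: expect the scanner noise described in the post",
    "no-pubkey": "PubkeyAuthentication is off: key-based login is unavailable",
}

def effective_settings(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive and
    the first value given for a keyword wins. Parsing stops at the first Match."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        found.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **found}

def audit(config_text):
    """Return the keys of FINDINGS that apply to this configuration."""
    s = effective_settings(config_text)
    on = lambda key: s[key].lower() == "yes"
    checks = [("password", on("passwordauthentication")),
              ("pam-password", on("usepam") and on("challengeresponseauthentication")),
              ("all-accounts", "allowusers" not in s and "allowgroups" not in s),
              ("default-port", s["port"] == "22"),
              ("no-pubkey", not on("pubkeyauthentication"))]
    return [name for name, hit in checks if hit]
```

The WEAK sample sets PasswordAuthentication to no and still yields the pam-password finding, because keyboard-interactive authentication through PAM remains enabled.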

Comment by ssp:

Thanks for the hint Jerry. While I am a bit sceptical about changing files in OS X’s /private folder (because I fear that these changes will come to haunt me if I move to another computer or have to reinstall things - and I’ll probably have to both remember the changes I made and redo them in that case), this sounds interesting.

What’s not quite clear to me about using those keys for ssh is whether I can still access my machine from anywhere then. I.e. when I am at a friend’s and want to do something on my home computer or show them a file, can I still do that with a reasonable setup effort (on a Windows machine) and without compromising my own computer’s security in the process?

April 25, 2006, 11:31
