
>the fucking chinese want to break into my server why


Thread replies: 128
Thread images: 15

File: ssh.png (12KB, 256x256px)
>the fucking chinese want to break into my server
why
>>
>>62421847
> Not blocking all IPs except for a specific range

It's like you enjoy having that fermented rice smelling dick up close to your face, Anon.
You enjoy the attention, don't you? The idea of fat chinese men touching your most intimate files...
>>
>>62421847
>tfw have to range ban China and Russia in order to keep server from crashing
>>
>>62421936
>>62421940
I actually have some users there I need, so rangeban is not an option
>>
>>62421958
Then rangeban them from connecting on the SSH port.
Unless you have random users in china that need to connect to SSH... in which case, why?
>>
because you might be storing sensitive information there.

because your IP address probably isn't blocked by other servers

because you can act as a higher capacity node to participate in DDoS attacks.

if you don't understand these things, you shouldn't be running a server. you're honestly too stupid for this.
>>
>>62421847
You are using keys only right?

I don't give a shit about all the Russians knocking on the door.
>>
>>62422254
No, login is user:root password:password123456
>>
>>62421847
>use SSH keys only
>stop giving a shit

Sep 10 06:54:13 localhost sshd[31083]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:54:33 localhost sshd[31085]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:54:58 localhost sshd[31088]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:34 localhost sshd[31090]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:40 localhost sshd[31092]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:15 localhost sshd[31095]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:56:47 localhost sshd[31098]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:56:53 localhost sshd[31100]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:32 localhost sshd[31102]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:57:53 localhost sshd[31105]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:58:16 localhost sshd[31107]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:58:51 localhost sshd[31110]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:59:00 localhost sshd[31112]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:59:36 localhost sshd[31114]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:07 localhost sshd[31117]: Connection closed by 106.15.194.11 [preauth]
Sep 10 07:00:18 localhost sshd[31119]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:00:56 localhost sshd[31122]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 07:01:00 localhost sshd[31124]: Did not receive identification string from 13.81.217.61
>>
>_<
>>
>>62421847
botnet
>>
Well you shouldn't have talked shit about them.
>>
>>62422307
I'm starting to consider moving ports because it makes so much fucking log noise.
>>
>>62422664
Learn to use grep?
>>
>>62422687
I have an entire fucking bash/sed script dedicated to cleaning up sshd logs but it makes a dedicated attacker indistinguishable from ssh knocking botnets that just hit every 22. Also another one that counts the amount of hits per username.
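An added example (not code from any poster): a POSIX shell/awk summariser of the kind described in this reply, run over constructed sample lines modelled on the log pasted above. The Invalid user / Failed password lines are standard sshd messages added for the per-username count; the function names and the 198.51.100.x / 203.0.113.x addresses are made up.

```shell
#!/bin/sh
# Summarise sshd log noise: hits per event type, per source IP and per username.
# Reads syslog-style sshd lines on stdin; prints "kind<TAB>key<TAB>count".
summarize_sshd() {
  awk '
    !/sshd\[[0-9]+\]: / { next }            # ignore everything that is not sshd
    {
      if      (/Unable to negotiate a key exchange/) ev = "kex-failure"
      else if (/Connection closed by/)               ev = "closed-preauth"
      else if (/Did not receive identification/)     ev = "no-ident"
      else if (/Failed password for/)                ev = "failed-password"
      else if (/Invalid user /)                      ev = "invalid-user"
      else next
      events[ev]++
      # source address follows "from" or "by"; the KEX-failure line carries none
      if (match($0, /(from|by) [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        split(substr($0, RSTART, RLENGTH), a, " "); ips[a[2]]++
      }
      # usernames: "Invalid user X from" (logged once per attempt) and
      # "Failed password for X from" for accounts that do exist
      if (match($0, /Invalid user [^ ]+ from/))
        users[substr($0, RSTART + 13, RLENGTH - 18)]++
      else if (match($0, /Failed password for [^ ]+ from/))
        users[substr($0, RSTART + 20, RLENGTH - 25)]++
    }
    END {
      for (k in events) printf "event\t%s\t%d\n", k, events[k]
      for (k in ips)    printf "ip\t%s\t%d\n",    k, ips[k]
      for (k in users)  printf "user\t%s\t%d\n",  k, users[k]
    }' | sort -k1,1 -k3,3nr
}

# Constructed sample: the first five lines follow the format pasted in the thread,
# the password-auth lines are standard sshd messages made up for the example.
sample_log() {
  cat <<'EOF'
Sep 10 06:54:13 localhost sshd[31083]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:54:33 localhost sshd[31085]: Connection closed by 106.15.194.11 [preauth]
Sep 10 06:54:58 localhost sshd[31088]: fatal: Unable to negotiate a key exchange method [preauth]
Sep 10 06:55:40 localhost sshd[31092]: Connection closed by 106.15.194.11 [preauth]
Sep 10 07:01:00 localhost sshd[31124]: Did not receive identification string from 13.81.217.61
Sep 10 07:02:11 localhost sshd[31130]: Invalid user admin from 198.51.100.7
Sep 10 07:02:12 localhost sshd[31130]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Sep 10 07:02:40 localhost sshd[31133]: Invalid user admin from 198.51.100.7
Sep 10 07:03:05 localhost sshd[31135]: Failed password for root from 203.0.113.9 port 53210 ssh2
Sep 10 07:03:20 localhost cron[31140]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

sample_log | summarize_sshd
```

On a real box, feed it `journalctl -u ssh --no-pager` or `/var/log/auth.log` instead of sample_log.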
>>
Block all chinese, russian, indian, pakistan IP ranges.
Use port knocking
>>
>>62422712
A dedicated attacker IS indistinguishable from casual attackers.

I think you have a poor understanding of just how unbreakable keys are.
>>
Can someone explain this thread in a sentence? I don't understand what's going on but I hate chinese people so I'm curious.
>>
>>62422743
Casual attackers rarely knock ports besides default ports. I know how public key cryptography works, it's just an annoyance to think some attempts could not be bots/skids.
>>
>>62421847
How do you know it's the Chinese attempting to "hack"?
>>
>>62422766
Chinese people have liberal (shitty) laws so the world gets annoyed by pesky fuckers trying to break into servers.

Tbqh I bet google has spent like 4 months just developing a script to be safe from them.
>>
>>62422785
IP Range
>>
>>62422785
It does not matter who is trying to break in, what matters is this: >>62422798
>>
>>62421847
use pubkey auth or fail2ban
>>62421940
can't you just call in DoS attacks on the offending IP ranges or use zipbombs?
https://blog.haschek.at/post/f2fda
If you have a VPN you can do this:
nc -u <chink ip> <random udp port> < /dev/zero
Make sure compression is enabled and that your VPN isn't speed limited.
>>
>>62422798
Chinese IP range doesn't necessarily mean the hack attempts are coming from China.
Just sayin.
>>
>>62422785
Additionally, I nmapped the server and literally no port is open, so I guess it is some dedicated machine sitting in someone's basement
>>
File: 1497383262845.jpg (249KB, 1014x1024px)
>mfw I scan huge IP ranges at a time for all kinds of things
>I've probably ended up in someone's logs that posts here
you'd be surprised just how many bakas leave their machines poorly secured or not secured at all
Or maybe you wouldn't?
meh
also IOT is cancer
>>
>>62422847
It's probably a hacked server
>>
chinese take from their family

you think they won't take from the rich westerners they never have to meet?

they don't have laws to protect you from stuff like this.
it's not enforced.
>>
>>62422847
>>62422891
Yeah, could very well be either
>>
>>62422315
Well shit, now I'll never unsee this you bastard
>>
>>62421940
>looking up ip range of China so I can block it
>first result is stack overflow question asking for the ip range
>"best answer" is "you shouldn't range ban China because they aren't all spambots."
Fuck stack overflow.
>>
>>62422931
banning all of china and the middle east is considered controversial only by non technical people

you have to put the motion aside to understand they produce most of the phones and their government owns all source to every project

their gov also spies on citizens which isn't illegal because they don't have civil laws to protect the people
>>
>>62421847
configure pam to block after 3 failed login attempts
problem solved

what are you 12?
>>
>>62422931
>>62422946
Well, on what should you rangeban china?
You want people visiting your services out of china because it is a new market, but you do not want them in your ssh logs and trying to break into your server
>>
>>62422965
You can block them from p22 but not p80, or configure your fucking ssh server properly
>>
>>62422965
I'm talking about even doing this on your home router
>>
>>62422827
I'm pretty sure DoSing someone is still illegal even if they attacked your server first. Clearly we need a law for server self defence.
>>
>>62422984
>violating the NAP
>>
>>62422984
>implying there are international laws that apply to the chinese or russians
>>
>>62422984
>his country has functioning police
I don't even think it's illegal here. UDP floods might be, but sending zipbombs isn't.
>>
>>62422827
How the fuck would you send a zipbomb to a closed machine trying to ssh into you
>>
>>62423244
SSH supports gzip compression. Just send nulls and hope they decompress into memory. Or you can use a VPN with compression enabled and send NULL to a UDP port on the server if they don't limit your speed
>get chink ip list
>run modified dropbear that accepts all auth attempts and just sends null characters until connection is closed
>listen on port x (not 22)
>use iptables to forward all chinese connections for p22 to this port instead of p22
>>
>start torrent
>stop torrent
>internet slows to a crawl
>router CPU at 80% due to iptables having to drop a shitload of intrusion attempts
>>
>>62422884
this shit
Running masscan 24/7 just to find unsecured routers and IP cameras
>>
run in it on a different port you retarded subhuman
>>
File: 80840531.jpg (15KB, 327x344px)
>>62423546
It already is on a port greater than 10k nigger
>>
>>62421847
I still have my iptables configuration saved that rangebans whole China.
>>
>>62423725
>he voluntarily introduced a security risk for the sake of blocking harmless scanners
(rofl)(thumbsup)
>>
>>62422827
The offending machines belong to innocent retards who got botnetted you faggot.
>>
>>62424359
You either crash the scanner (good) or the machine (also good)
>>
Here's what I do:
>pubkey auth only
>nonstandard port (not 22)
>config file in ~/.ssh so I don't have to remember what port it is (or the user account, or the full domain)
>fail2ban
Works like a charm.
>>
>>62421847
>what is a botnet
>>
>not setting up an elaborate reverse proxy system
>>
>>62421984
>Unless you have random users in china that needs to connect to SSH... in which case, why?
The way we do tech support is that we let the users SSH into the server and create a text file with info about the issue they are having. Some people are overstepping their bounds though.
>>
>>62424126
>sticking ssh on a high port
>security risk
Nigger what?
>>
>>62425280
>way we do tech support is that we let users SSH into the server and create text file info about the issue
WAT
>>
>>62425352
I mean "create a text file with information about the issue they are having."
>>
>>62425280
have you heard about email?
>>
>>62425499
Oh... Well... Now we have this system in place and it's what the customers expect.
>>
Besides ssh, should I be worried about http or even mysql ports?
>>
>>62425426
I'm "WAT'ing" about the way you do support. WTF is this system. Why anyone even thought this is a good idea...
>>
File: 1501957425144.jpg (19KB, 480x360px)
>>62425280
>>
>>62425280
Then you should have a separate container they ssh into for that which only supports creating text files, and a separate sshd for actual administration.
>>
File: 1470855478513.png (247KB, 500x375px)
>>62425280
>>
>>62425348
Ports over 1024 are non-privileged ports, meaning any user can start processes to listen on them.
Processes listening on ports below 1024 require root to do so.

What that means is that every time sshd isn't listening on its designated port over 1024, for example during a reboot if its startup time is misconfigured or during a regular system upgrade when sshd is restarted, a malicious user/application pretending to be sshd can start listening on said port.
The malicious application may function just like the regular sshd, but log everything you do, revealing passwords, keyfiles etc.

The best security practice would be simply leaving sshd on its default (or any privileged) port and using port knocking which can be done on any port, even above 1024.
>>
>>62425280
Get email
Fix your shit
>>
>>62425280
>The way we do tech support is that we let the users SSH into the server and create a text file
>>
File: 1454995967369.jpg (9KB, 205x184px)
>>62425280
pls b b8
>>
like trading a message in a bottle with your asshole
>>
>>62426221
Wouldn't that mess up the customer's root access?

>>62426932
Everyone thought it was a great idea at the time.
>>
File: 1394640793034.png (129KB, 354x504px)
>>62427032
>Wouldn't that mess up the customer's root access?
>>
File: 1411933193282.gif (962KB, 300x168px)
>>62425280
>>
>>62427032
> customer's root access
No.
>>
>>62425280
It would be a thousand times easier to have a website with a form that, when a customer submits it, creates the text file for you.
>>
>>62421958
> I actually have some users there I need, so rangeban is not an option
# -I inserts at the top of the INPUT chain (the filter table has no PREROUTING), so add the DROP first and the ACCEPT after it, otherwise the DROP ends up above the ACCEPT and the allowed user is blocked too
iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
iptables -I INPUT -s <user IP> -i eth0 -p tcp --dport 22 -j ACCEPT
Those who match allowed IP will be handled by ACCEPT directives, others get DROP.
>>
>>62421958
>reelect Trump campaign.
>>
>>62422307
How do you format text on /g/ to make it look like computer code?
>>
>>62428703
you need a 4chan gold account
>>
can someone provide ip ranges of russia, china and other shitholes I don't want to connect to my server?
>>
>>62429176
geoip is what you're looking for

thanks for this thread reminding me to rangeban all shithole countries from my server
>>
>>62422976
There should be a phone app that gives your server your replication so it can update ssh whitelists to your geolocation.
>>
>>62421847
Just change your port from the default
>>
How do I deactivate normal login and only use keys?
>>
>>62429579
>geoip is what you're looking for
thx anon

>thanks for this thread reminding me to rangeban all shithole countries from my server
will rangeban too
>>
>>62429942
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers username

Paste desired pubkeys into ~/.ssh/authorized_keys of the specific user.
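An added example (not from any poster): a shell/awk check that reads an sshd_config and reports whether the settings listed above are actually in effect. It assumes the function names audit_sshd_config, weak_config and hardened_config and two constructed config snippets; the point it adds is that sshd honours the first value of each keyword, so a hardening line pasted at the bottom of a distro default file changes nothing.

```shell
#!/bin/sh
# Audit an sshd_config (read on stdin) for the key-only settings recommended above.
# sshd uses the FIRST value it finds for each keyword (sshd_config(5)), so a
# hardening line appended below an existing "PasswordAuthentication yes" does
# nothing; the parser models that and stops at the first Match block, whose
# settings only apply conditionally. Exit status = number of weak settings.
audit_sshd_config() {
  awk '
    BEGIN {
      want["pubkeyauthentication"]   = "yes"
      want["passwordauthentication"] = "no"
      want["permitrootlogin"]        = "no"
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == "match" { exit }         # conditional block: global part ends
    {
      key = tolower($1)                     # keywords are case-insensitive
      if (!(key in val)) val[key] = $2      # first occurrence wins, later ones ignored
    }
    END {
      weak = 0
      for (k in want) {
        if (!(k in val)) { printf "WEAK %s unset (set it to %s explicitly)\n", k, want[k]; weak++ }
        else if (tolower(val[k]) != want[k]) { printf "WEAK %s=%s (want %s)\n", k, val[k], want[k]; weak++ }
        else printf "ok   %s=%s\n", k, val[k]
      }
      if (!("allowusers" in val)) print "note AllowUsers not set: any account with a key can log in"
      exit weak
    }'
}

# Constructed weak config: the "no" on line 4 is dead because a "yes" comes first.
weak_config() {
  cat <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

# Constructed hardened config, matching the directives recommended in the thread.
hardened_config() {
  cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers username
EOF
}

echo "== weak ==";     weak_config     | audit_sshd_config || echo "-> $? weak setting(s)"
echo "== hardened =="; hardened_config | audit_sshd_config && echo "-> all good"
```

Against a live host, `sshd -T` prints the effective merged values and is the authoritative check; this script is for eyeballing a file before it is deployed.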
>>
File: 1505241155092.jpg (11KB, 306x306px)
>>62425280
>>
>>62428703
[ code ] code [ /code ]
>>
>>62421847
Disable password login, use a long RSA key.

Then they stand no chance.

You don't need to bother about their failed attempts then.
>>
>>62422307
How did you get it to immediately terminate them?

My system still gives them the password prompt. It will never accept a password because I set
 PasswordAuthentication no

though.
>>
>>62424359
Well, at least they'll realize that something is wrong then.
>>
>>62425280
You're not serious, right?
>>
>>62430381
Like this?
ssh [email protected]
echo 'china nuke OP ver big' > /etc/bash.bashrc
>>
>>62428703
Read the sticky guy
>>
>>62430171
Ty anon.
>>
>>62425280
what the fuck
>>62427032
what the fuck
who thought this was a good idea? have they never heard of email?
>>
File: 1363498030360.jpg (1MB, 1500x1563px)
>>62421847
1. Change the default port to something over 1000
2. Enable public-key authentication only
3. Install fail2ban (optional)

wow, so hard
>>
>>62430788
>who thought this was a good idea? have they never heard of email?
Yeah, we heard of email. It just sounded a bit unsafe from a security perspective.
>>
>>62425280
Set up a mailing list genius
>>
ITT: /v/ gets tricked by ridiculous tech support stories
>>
>>62421940
>range ban China and Russia
What is the easiest way of doing this? I have the same problem.

>>62421847
>why
They need more command centres and more machines to obfuscate the route.

Also they hope there is something interesting on your machine to steal.
>>
>>62430973
>a bit unsafe
>giving your customers SHELL ACCESS TO YOUR SERVER is more safe
>>
>>62430973
How the fuck is it unsafe? You know you can run smtp over tls?
>>
>>62421940
>>62422931
>>62431079
#!/bin/bash
# Block a whole country's IPv4 ranges with ipset + iptables.
# Usage: ./block.sh R   (Russia)   or   ./block.sh C   (China)
set -euo pipefail

tag="${1:-}"

block_country() {
    local name="$1" code="$2" zone="/tmp/$2.zone"

    # get the latest address ranges for this country
    echo "Fetching ${name} ip address ranges..."
    curl -fsSL -o "$zone" "http://www.ipdeny.com/ipblocks/data/countries/${code}.zone"

    # create the set (-exist: do not fail if it is already there)
    echo "Generating the blocking set..."
    ipset create -exist "$name" hash:net

    while read -r net; do
        [[ -n "$net" ]] && ipset add -exist "$name" "$net"
    done < "$zone"

    # drop everything whose source address is in the set
    iptables -I INPUT -m set --match-set "$name" src -j DROP

    echo "${name} is blocked!"
    rm -f "$zone"
}

case "$tag" in
    R) block_country russia ru ;;
    C) block_country china cn ;;
    *) echo "Invalid parameter" >&2; exit 1 ;;
esac
>>
>>62430853
Something is off about that face.
>>
>>62432193
>http://www.ipdeny.com/
Big thanks.
>>
>>62421847
put SSH on a random ass port in the high 40,000s, then disable user pass login. Only allow key-based authentication

Security 101
>>
File: trump tweet v2.jpg (804KB, 1112x1878px)
>>62430973
>>62425280
>>62427032
This is truly masterful bait.
At least I hope it is.
>>
>>62425280
I spit coffee all over my desk. Gr8 b8 i r8 8/8
>>
>>62432619
So we should get multiple users on the server? Isn't that a lot of work for just tech support? I guess we can make a user login and tell them to stop using the normal one.
>>
>>62421847
Just use SSH with 2FA, it's not hard.
>>
>>62425280
congratulations, you've won the thread
>>
>>62421847
because they can sell root access for 0.02 usd (2 cents for the retards)
>>
>>62425280
this is absolutely retarded
>>
>>62430853
>Change the default port to something over 1000
no, keep it below 1024, if anything use your router/firewall or iptables to route something higher to the correct port
>>
>>62433511
How do you actually do this?
>>
>>62432193
Enjoy your mustard gas
>>
>>62430571
Disable insecure KEX algorithms.

kek, most of them don't even get to the authentication stage. Not that that'll help them, since it's pubkey only.

KexAlgorithms [email protected]
>>
Why do Chinese and Russians spend so much damn time doing this
>>
>>62426863
If the application can reconfigure my init and act as sshd, which requires root permissions to begin with unless you're okay with the malicious application having different keys and everyone trying to connect getting told that the server may have been compromised, then it probably has root permissions in the first place.
>>
>>62425280
Great b8
>>
>>62433511
PAM, probably. I know you can use a smartcard as auth for ssh with PAM.
>>
if I disable pw login and enable pub key access only, am I safe from using a weak password for root because it's a bitch to remember complex pw's?
>>
>>62426863
I'm sorry, but you actually don't know what you're talking about.

If someone is pretending to be sshd, they'd have to know the ssh keys. They would have to already be root. In which case the system is fucking done to begin with. I'm not connecting to any sshd that has a key I'm not expecting.

Time for you to leave this board I guess.
>>
Why do you allow any country to access port 22 except the ones you connect from? I just don't understand.
>>
>>62438552
He didn't, he said they are just trying.
>>
>>62438552
I'd do that in case I ever want to connect over Tor, but then I could just have a hidden service with just port 22 exposed running.