I'm under attack I need help in ssh

inroute

Hi everyone,

I think I'm under attack I need help please.

Hackers are trying to login to my pbx gateway. I don't know why I viewed the log file to see why my gateway is rebooting himself every few minutes using this command below

tail -f /var/log/messages
authpriv.info dropbear[32417]: Child connection from xx.xx.xx.xx:2xxxx
authpriv.info dropbear[32417]: exit before auth: Disconnect received
auth.warn login[20056]: invalid password for 'UNKNOWN' on 'pts/7'
auth.warn login[20118]: invalid password for 'UNKNOWN' on 'pts/1'
auth.warn login[20582]: invalid password for 'UNKNOWN' on 'pts/4'
auth.warn login[20656]: invalid password for 'UNKNOWN' on 'pts/5'

And I see UNKNOWN user is trying to access.

I did a research about that on Google and I found a solution for that say have close SSH PasswordAuthentication. But I followed the steps to do that an I didn't find the file sshd_config that should be edit In etc/SSH/

Can someone help me please.

tiagom

What OS?

inroute

@tiagom GNU/Linux

stacksofplates

@inroute said in I'm under attack I need help in ssh:

Hi everyone,

I think I'm under attack I need help please.

Hackers are trying to login to my pbx gateway. I don't know why I viewed the log file to see why my gateway is rebooting himself every few minutes using this command below

tail -f /var/log/messages
authpriv.info dropbear[32417]: Child connection from xx.xx.xx.xx:2xxxx
authpriv.info dropbear[32417]: exit before auth: Disconnect received
auth.warn login[20056]: invalid password for 'UNKNOWN' on 'pts/7'
auth.warn login[20118]: invalid password for 'UNKNOWN' on 'pts/1'
auth.warn login[20582]: invalid password for 'UNKNOWN' on 'pts/4'
auth.warn login[20656]: invalid password for 'UNKNOWN' on 'pts/5'

And I see UNKNOWN user is trying to access.

I did a research about that on Google and I found a solution for that say have close SSH PasswordAuthentication. But I followed the steps to do that an I didn't find the file sshd_config that should be edit In etc/SSH/

Can someone help me please.

make sure you use /etc/ssh not /etc/SSH, the second doesn't exist.

You'll want to change these two:

PasswordAuthentication yes
PubkeyAuthentication no

to

PasswordAuthentication no
PubkeyAuthentication yes

Make sure to add your key before you restart the sshd process.

inroute

@stacksofplates there is no ssh file or folder under /etc/

stacksofplates

@inroute said in I'm under attack I need help in ssh:

@stacksofplates there is no ssh file or folder under /etc/

what's your output from ls /etc/

stacksofplates

Also what PBX is this? Is it FreePBX?

coliver

Would be a good idea to setup fail 2 ban as well.

tiagom

From the original post looks like you are using dropbear ssh.. config should be /etc/config/dropbear

Looks like you need to set

option PasswordAuth 'off'

https://wiki.openwrt.org/doc/uci/dropbear has more details as i couldn't (quickly) find official documentation.

stacksofplates

@coliver said in I'm under attack I need help in ssh:

Would be a good idea to setup fail 2 ban as well.

I hope at some point in the future they make the setup a little easier. It's fairly daunting for a new person. Pam_tally2 and faillock are fairly easy to set up, but rely on PAM. Would be nice to have a middle ground.

stacksofplates

@tiagom said in I'm under attack I need help in ssh:

From the original post looks like you are using dropbear ssh.. config should be /etc/config/dropbear

Looks like you need to set

option PasswordAuth 'off'

https://wiki.openwrt.org/doc/uci/dropbear has more details as i couldn't (quickly) find official documentation.

Good catch, I didn't notice that.

tiagom

@coliver said in I'm under attack I need help in ssh:

Would be a good idea to setup fail 2 ban as well.

Agreed.

inroute

there is no config folder in the /etc/ directory but i found dropbear folder in the /etc/ directory and it contain tow files

dropbear _dss_host_key
dropbear _rsa_host_key

any idea

tiagom

What about under /etc/default/dropbear

What distro and pbx are you running so we can stop guessing.

inroute

@tiagom no there no under /etc/default/dropbear

sorry Tiagom im new in Linux
the pbx is Panasonic gsm gateway

inroute

@tiagom Linux version 3.0.76-4.i586 gcc version 4.4.1 ( GCC)

tiagom

It looks like you need to set

 DROPBEAR_EXTRA_ARGS="-s"

in the dropbear init file.

https://github.com/mkj/dropbear/blob/master/debian/dropbear.init

*It states Do not configure this file. Edit /etc/default/dropbear instead! in the latest version. Your version maybe older or modified by panasonic since /etc/default/dropbear doesnt exist..

Arg found here

http://linux.die.net/man/8/dropbear

But honestly, if there is a firewall in front of this pbx box it maybe easier to do it there.

inroute

@tiagom so what do you think i must do to stop hackers and right now one hacker he made the gateway reboots like 100 time

is there a way that i can block him

inroute

@tiagom please see this link
http://manpages.ubuntu.com/manpages/precise/man8/dropbearkey.8.html

do you think it will help and honestly if you can guide me on how to do it .
it will be nice from you

tiagom

Its difficult to suggest without knowing the environment..

The simplest is change passwords if its compromised.

If its behind a firewall you can block traffic on port 22 unless its from your ip..