Author Message

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Fri Mar 17, 2017 11:27 pm Post subject: Oh oh - seems my Gentoo's been ransomwared!! Oh No! Now this is really troubling. Seems that my Gentoo system has been ransomwared.



So, yeah, I'm looking for some pointer as to how to detect where it's sitting, and eradicate it.



Came home from work yesterday, logged into my Gentoo machine and was greeted with this message:

Code:

Using username "root".

****************************************!WARNING!**************************************

*************************************YOU ARE INFECTED**********************************

***********************WITH THE MOST CRYPTOGRAPHIC ADVANCED RANSOMWARE*****************

=======================================================================================

All your data of all your users, all your databases and all your Websites are encrypted

=======================================================================================

Send your UID to e-mail: johnmorcbw@seznam.cz

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

***************************************************************************************

***************************************************************************************



YOUR UUID IS : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx



****************************************!WARNING!**************************************



Come to find out that my home dir files were all encrypted with an '.enc' on the end of the file name. Yeah, they are binary (well no big deal there either, I have them under revision control).



Seems to have crawled through the file system, left most of the files alone (thank goodness), except the web site (no big deal, it was not being used), but still.



I noticed that there was a hugely high CPU python2 task running, so I killed that, and renamed



/usr/bin/python2.7 => python2.7.disabled (symlink to python-exec2c)

/usr/bin/python-exec2c => python-exec2c.disabled

/usr/lib/python-exec/python-exec2 => /usr/lib/python-exec/python-exec2.disabled



I also set the permissions for these files to 000 to prevent this thing from being able to run again, at least for now (this will stop it form running, won't it?)



But I want this out of my system (can you blame me?), but I have to admit that I've never faced this with a Gentoo system before, and I'm hoping that there's a good reference (or a set of good hints) that can help me eradicate this.



Please help.

Schnulli









Joined: 25 Jun 2010

Posts: 320

Location: Bremen DE GuruJoined: 25 Jun 2010Posts: 320Location: Bremen DE

Posted: Fri Mar 17, 2017 11:45 pm Post subject: Well, nearly same trouble here.....

YOU ARE HACKED !

Kick adobe-flash and take care what Websites you visit ^^

rkhunter and sharp firewall rules are usefull as well.

The firewall rules aoso should disable some outgoing ports whom arent used usually......

i disallowed all and only http, imap, ssh and ftp outgoing is allowed here, they hate it ^^

if destination port = 80 and so on allow and so on

I am trying to figure it since weeks out....

I gave up and installed on another drive a fresh Gentoo....

safed me alot greay hairs



Listen, you are not the only one who got hacked ^^

You can do also this.. safe your whole drive and send it to a Cybercrime Dapartment.... they will love to read out who and from where it was.....

Its well know that Gentoo is beeing attacked since a while also.... so take care and shutdown or lock your comp, shutdown net, when not at it



Regards



Last edited by Schnulli on Fri Mar 17, 2017 11:47 pm; edited 1 time in total

eccerr0r









Joined: 01 Jul 2004

Posts: 7546

Location: almost Mile High in the USA WatchmanJoined: 01 Jul 2004Posts: 7546Location: almost Mile High in the USA

Posted: Fri Mar 17, 2017 11:46 pm Post subject: It would be interesting on how they got in, but you do have a mess on your hands.



I'm not sure if python is your culprit program, it may just be the python interpreter which normally shows up whenever a python script is running - though it's still good to suspect that they are or have been trojaned. At this point you should assume everything is compromised and start a fresh build, copying the important stuff over. Especially when root has been compromised, this is the only way to safely eradicate this.



Note that you probably cannot run emerge, equery, etc. if you disabled python as they too require python. Equery is a good script to use as you can use it to check the integrity of files (provided the hacker did not muck with the checksums) -



# equery check packagename



and start from those files that fail checksum. Again, since they got root, these checksums may no longer be trustable.



Though adobe-flash is definitely an intrusion risk, unless they only took over your user account, it would be extremely unlikely they could take over root. My guess is it's one of those semi-recent bugs like shellshock or perhaps just those pesky bruteforce attacks that got your machines.



If you're not too embarrassed about it, curious how often/when was the last time the box was (completely) updated, along with which kernel you're using (like if you were vulnerable to dirtyc0w)? This would perhaps give some clues on what packages were used to exploit your box.

_________________

Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD

What am I supposed watching?



Last edited by eccerr0r on Fri Mar 17, 2017 11:55 pm; edited 1 time in total

Schnulli









Joined: 25 Jun 2010

Posts: 320

Location: Bremen DE GuruJoined: 25 Jun 2010Posts: 320Location: Bremen DE

Posted: Fri Mar 17, 2017 11:51 pm Post subject: hi eccerr0r



they use python and crash it locally later.... they also load code from external....

remember the DNS Problem when infected years ago.. seems to me the same weird idea is behind maybe same guys

whole portage is trash than.... and they try to redirect to "somewhere"



nothing new that they attac Gentoo too lately.....

Be warned with Adobe-Flash the the first Door they use..... Wrong permissions and the "got ya"



seemed to me that also some layman repos got infected as well....

Who?? no idea still.....

I´ll setup a transparent bridge in a few an log the whole traffic to figure out

eccerr0r









Joined: 01 Jul 2004

Posts: 7546

Location: almost Mile High in the USA WatchmanJoined: 01 Jul 2004Posts: 7546Location: almost Mile High in the USA

Posted: Fri Mar 17, 2017 11:59 pm Post subject: Well we don't know if this is Gentoo specific or any Linux could have been vulnerable.



I'm not surprised they had a "intrusion intrusion detector" and crash your box when you find out that you've been exploited and try to fix your machine. Best thing to do when dealing with this kind of stuff is disconnect the network, cold reboot off a livecd and and go from there.



I'll knock on wood that I haven't seen any adobe-flash exploits on my box yet...

_________________

Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD

What am I supposed watching?

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 12:30 am Post subject: Yeah, I'm guilty of running FireFox as root. Shame on me - I should have known better.



Well, pretty much flushed everything in the home directory, .mozilla, etc. figuring that it's not that important, and is already encrypted, so . . what am I going to do with it anyway?



Been thinking should be a list of file mtimes and see what's changed on the system as of a few days ago. See if that leads me to anything suspicious, although, that can easily programmatically be set backwards to any time desired. Still, you never know.



The Good News:

All the real important data is safe, as I'm using zfs, and have a grand-father-father-son snapshot script in cron (hourly, daily, weekly, monthly), and only very few files seem to have been encrypted, based on the ".enc" in the filename. If I find others, I have a year's worth of snapshots to restore from. Makes me think I need to learn how to configure a gentoo that uses zfs for the root file system as well. Been meaning to, just haven't had the time, because Gentoo just runs so reliably.



I have it's sister server (same patch config and software load), which appears to be non-infected, so I can clone that system disk and recover pretty quick, with some conf files I have in version control. Couple of hours I figure.



Interesting to note that another system, also a sister, seems to have caught the same, and I can't recall ever having run anything but VirtualBox VMs on that one, it's turned off right now until I figure out a recovery plan, so at least 2 systems to recover, and have one clean one to do so from.



The infected systems are internal systems, only access to the Internet is through a firewall, and yes, minimal ports open on the Linux firewall machine, and also an ssh port knocking log scan that injects an iptables drop for offending IPs (think a primitive fail2ban shell script).



So maybe not all that bad. Not sure as to the next step forward, but I appreciate the contribution and ideas.



Yeah, I know that the python interpreter is probably just running some code downloaded off of the Internet, and probably isn't a replaced binary, but that code that download the encrypter, that has to live someplace, if it's going to survive between reboots. Tracking that one down. Hmm.



Really sad to learn that there are Gentoo specific attackers. What'd Gentoo ever do to them? Guess there's no figuring some people out.

eccerr0r









Joined: 01 Jul 2004

Posts: 7546

Location: almost Mile High in the USA WatchmanJoined: 01 Jul 2004Posts: 7546Location: almost Mile High in the USA

Posted: Sat Mar 18, 2017 1:04 am Post subject: Yeah shame shame, dont firefox as root.



However if it really is adobe-flash as the vector, this would not be Gentoo specific and would equally infect Ubuntu, Fedora, etc. -- but I don't know, is it really adobe-flash? Then again I don't know how pervasive firefoxing as root is...

_________________

Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD

What am I supposed watching?



Last edited by eccerr0r on Sat Mar 18, 2017 1:08 am; edited 1 time in total

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 1:05 am Post subject: Well, the message is coming from the /etc/motd file. That's simple stuff.

eccerr0r









Joined: 01 Jul 2004

Posts: 7546

Location: almost Mile High in the USA WatchmanJoined: 01 Jul 2004Posts: 7546Location: almost Mile High in the USA

Posted: Sat Mar 18, 2017 1:15 am Post subject: Now what else did they edit to keep them in the machine?



Did they ssh in?



I wonder if they were using a python script to encrypt your files instead of some compiled binary, that could slow down the encryption to reduce the amount of damage done... ha.

_________________

Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD

What am I supposed watching?

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 1:21 am Post subject: eccerr0r wrote: Now what else did they edit to keep them in the machine?



Did they ssh in?



I wonder if they were using a python script to encrypt your files instead of some compiled binary, that could slow down the encryption to reduce the amount of damage done... ha.



No, not ssh, I don't think so. But yeah, what'd they leave behind? That's the question.

NeddySeagoon









Joined: 05 Jul 2003

Posts: 46072

Location: 56N 3W AdministratorJoined: 05 Jul 2003Posts: 46072Location: 56N 3W

Posted: Sat Mar 18, 2017 10:14 am Post subject: eohrnberger,



/etc/motd can only be edited by root. That means that they got root.

You can't clean that up, its a reinstall.



Either they gained access to root directly or broke in as another user and ran a privilege escalation exploit to gain root.

It doesn't matter much. Its a reinstall either way.



If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.



A few of these ransomware attacks have known decryption methods. If you are lucky, you might get the data back.

You can't salvage the install though.

_________________

Regards,



NeddySeagoon



Computer users fall into two groups:-

those that do backups

those that have never had a hard drive fail.

cboldt









Joined: 24 Aug 2005

Posts: 899

l33tJoined: 24 Aug 2005Posts: 899

Posted: Sat Mar 18, 2017 10:48 am Post subject: The attack isn't Gentoo specific. The exploit works against many distros.



I'm curious about the vector too, how they malicious code made its way onto your system. One of the remarks here has me working to regulate outgoing IP traffic - heretofore, I'd been concerned about incoming, but not outgoing. But I can see where closing off outgoing ports might stifle an attack.



On that front, I'm stuck at ftp, which includes outgoing NEW packets aimed at random, unprivileged ports.

NeddySeagoon









Joined: 05 Jul 2003

Posts: 46072

Location: 56N 3W AdministratorJoined: 05 Jul 2003Posts: 46072Location: 56N 3W

Posted: Sat Mar 18, 2017 12:04 pm Post subject: cboldt,



It helps to stop evil intruders phoning home if they do get in.

My firewall drops unwanted incoming packets and denies unwanted outgoing packets.

You need the logs to know what to allow out :)



I use shorewall and shorewall6 with similar rule sets.



For ftp, which is horribly insecure, you need to use passive mode.

sftp is preferred.

_________________

Regards,



NeddySeagoon



Computer users fall into two groups:-

those that do backups

those that have never had a hard drive fail.

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 12:18 pm Post subject: NeddySeagoon wrote: eohrnberger,



/etc/motd can only be edited by root. That means that they got root.

You can't clean that up, its a reinstall.



Either they gained access to root directly or broke in as another user and ran a privilege escalation exploit to gain root.

It doesn't matter much. Its a reinstall either way.



If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.



A few of these ransomware attacks have known decryption methods. If you are lucky, you might get the data back.

You can't salvage the install though.



I very much appreciate your post, NeddySeagoon. Many thanks.



While I've been running my various Linux flavors at home over the years, this is the first encounter with something like this on Linux.

jonathan183









Joined: 13 Dec 2011

Posts: 311

GuruJoined: 13 Dec 2011Posts: 311

Posted: Sat Mar 18, 2017 12:28 pm Post subject:

Knowing what binaries/logs were attacked would also be useful.



Was ssh open to the net with password access or key based? It is worth trying to work out how you were compromised, a fresh install with identical configuration and use will probably have similar results in future ... surfing the net as root is not wise ... but you already know thatKnowing what binaries/logs were attacked would also be useful.Was ssh open to the net with password access or key based?

NeddySeagoon









Joined: 05 Jul 2003

Posts: 46072

Location: 56N 3W AdministratorJoined: 05 Jul 2003Posts: 46072Location: 56N 3W

Posted: Sat Mar 18, 2017 12:35 pm Post subject: eohrnberger,



Is your normal user in the disk group?

That's a very bad thing. It gives the user raw access to the block devices, so they can do what they want, avoiding filesystem restrictions.

Code: ls /dev/sda -l

brw-rw---- 1 root disk 8, 0 May 12 2013 /dev/sda



That would effectively give them root access without ever being root.

It gives easy access to root, since they can modify /etc/passwd and /etc/shadow with a tool like hexedit, while the run as a normal user.



Being somewhat paranoid, I mount user writeable space with the noexec option, so a break in as a non root user can't execute random binaries.

/tmp and /home need to be their own partitions. That does not stop scripts being run, so Code: python27 encrypt_home would still have worked.



All the .bash_history files on your system will make interesting reading.

Its especially informative if they appear to be truncated.

_________________

Regards,



NeddySeagoon



Computer users fall into two groups:-

those that do backups

those that have never had a hard drive fail.

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 1:01 pm Post subject: jonathan183 wrote: It is worth trying to work out how you were compromised, a fresh install with identical configuration and use will probably have similar results in future ... surfing the net as root is not wise ... but you already know that

Knowing what binaries/logs were attacked would also be useful.



Was ssh open to the net with password access or key based?

No, this machine is behind the firewall, and does not have an ssh route from the outside to it. You'd have to use ssh and jump through the firewall to get to it. I don't think that this is what happened. On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).

NeddySeagoon wrote: eohrnberger,



Is your normal user in the disk group?

That's a very bad thing. It gives the user raw access to the block devices, so they can do what they want, avoiding filesystem restrictions.

Code: ls /dev/sda -l

brw-rw---- 1 root disk 8, 0 May 12 2013 /dev/sda

This is as mine reads:

Code: ls -l /dev/sda

brw-rw---- 1 root disk 8, 0 Mar 16 21:41 /dev/sda

What's recommended for this device node?

Quote: That would effectively give them root access without ever being root.

It gives easy access to root, since they can modify /etc/passwd and /etc/shadow with a tool like hexedit, while the run as a normal user.



Being somewhat paranoid, I mount user writeable space with the noexec option, so a break in as a non root user can't execute random binaries.

/tmp and /home need to be their own partitions. That does not stop scripts being run, so Code: python27 encrypt_home would still have worked.

The partician layout is really simple. A small /boot as sda1, swap as sda2, and root as sda3, the rest of sda, including /home, /var, etc... The important data in the zfs pools are mounted off of /, as this machine's primary role is to be something like a NAS.



Quote: All the .bash_history files on your system will make interesting reading.

Its especially informative if they appear to be truncated.

Those were encrypted, including .bash_history, and since have been deleted, being useless, from my view.



I want to figure out what code is being run to encrypt, so I created shell script replacements for

Code: /usr/lib/python-exec/python-exec2:

#!/bin/bash

echo "`date` $0 $*" >> /root/python-exec2.execution.log

and

Code:

/usr/bin/python2.7:

#!/bin/bash

echo "`date` $0 $*" >> /root/python2.7.execution.log





Really simple and primitive, but might capture something. Going to sit and watch for the next 24 hours, and see what happens. If I'm lucky, I can catch from where the encryption code is being run. Since python is never executed any python code on this system is rendered null, for now, but can easily be reverted by moving back the original binaries and symlinks to what they were.



Last edited by eohrnberger on Sat Mar 18, 2017 1:17 pm; edited 1 time in total

NeddySeagoon









Joined: 05 Jul 2003

Posts: 46072

Location: 56N 3W AdministratorJoined: 05 Jul 2003Posts: 46072Location: 56N 3W

Posted: Sat Mar 18, 2017 1:17 pm Post subject: eohrnberger,



The block device node is correct. What does groups say for your normal user?

Code: $ groups

tty wheel uucp audio cdrom video games kvm cdrw users vboxusers scanner wireshark plugdev roy

Its important that disk is not there.



Is /root/.bash_history still there or it it encrypted too?

_________________

Regards,



NeddySeagoon



Computer users fall into two groups:-

those that do backups

those that have never had a hard drive fail.

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 1:22 pm Post subject: NeddySeagoon wrote: eohrnberger,



The block device node is correct. What does groups say for your normal user?

Code: $ groups

tty wheel uucp audio cdrom video games kvm cdrw users vboxusers scanner wireshark plugdev roy

Its important that disk is not there.



Is /root/.bash_history still there or it it encrypted too?



Users are only in the group that is the same as their username. A user 'ted' would only belong to the group 'ted'. root, of course, contains the disk group.



The Windows clients access the zfs storage via samba, and that has it's own smbusers. Other Linux machines access the zfs storage via nfs.



/root/.bash_history was encrypted, and was deleted. Maybe that was a hasty decision on my part.

NeddySeagoon









Joined: 05 Jul 2003

Posts: 46072

Location: 56N 3W AdministratorJoined: 05 Jul 2003Posts: 46072Location: 56N 3W

Posted: Sat Mar 18, 2017 1:32 pm Post subject: eohrnberger,



eohrnberger wrote: /root/.bash_history was encrypted .. .

Yes, change nothing if you want to do forensics.



As users don't have raw block device access, the attacker must have got root to encrypt /root/.bash_history.

That's another file that is only accessible to root, through the filesystem anyway.

_________________

Regards,



NeddySeagoon



Computer users fall into two groups:-

those that do backups

those that have never had a hard drive fail.

cboldt









Joined: 24 Aug 2005

Posts: 899

l33tJoined: 24 Aug 2005Posts: 899

Posted: Sat Mar 18, 2017 2:02 pm Post subject: NeddySeagoon wrote:

It helps to stop evil intruders phoning home if they do get in.

My firewall drops unwanted incoming packets and denies unwanted outgoing packets.

You need the logs to know what to allow out



I use shorewall and shorewall6 with similar rule sets.



For ftp, which is horribly insecure, you need to use passive mode.

sftp is preferred.



Yes on the "stifle the call home" notion. And "you need the logs to know what to allow in" too, at least I did, because I forgot about half of the services!



My firewall is built with a combination of router, and a homebrew script that has been in use nd grown over the course of a decade of so.



No ftp service running on any machine - sftp is available locally as one means to use the local cloud, which aims to give the family a place to offload phone/camera and music.



So, the "ftp problem" for me is just outgoing ftp, which starts with a packet to the server's port 21 (DPT=21), followed by a NEW packet to an unprivileged port. I get this hourly on one machine that visits a noaa website to get solar activity data, and on a different machine that fetches packages for the system, that is, the "fetch" part of "emerge -u @world" uses ftp in addition to http.



wget is using passive ftp for this.



Code: Active FTP :

command : client >1023 -> server 21

data : client >1023 <- server 20



Passive FTP :

command : client >1023 -> server 21

data : client >1024 -> server >1023



I'm still pondering how to handle this. For now the connections are just logged, so at least I have a chance to detect something abonrmal. Yesterday, when I first "closed" OUTPUT (actually, changed to allow certain packets and log the rest), I noticed those packets headed out to high port numbers, had a "WTF?" moment, then figured out the source.

szatox









Joined: 27 Aug 2013

Posts: 1913

VeteranJoined: 27 Aug 2013Posts: 1913

Posted: Sat Mar 18, 2017 2:07 pm Post subject: Quote: It helps to stop evil intruders phoning home if they do get in. Easier said than done.

Source ports are usually randomized and they provide no information regarding the service in use. Destination ports are controlled by the attacker, so they can have the exploit pretend to be a legitimate user of some common service like www, and you're not going to block THAT.

DPI can be fooled too, even accidentally. Especially in case of ransomware which only needs to send a few bytes, so the connection is already over by the time you discover you should have shut it down.

You could try blocking by destination IP, but this would require prompting for user input every time something tries to reach an unknown machine. A lot of work to train it to your needs.

cboldt









Joined: 24 Aug 2005

Posts: 899

l33tJoined: 24 Aug 2005Posts: 899

Posted: Sat Mar 18, 2017 2:13 pm Post subject: Quote: On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).



The firewall doesn't know if there was even a password attempt. I run a honeypot here, and the number of hits vs. port 22 is amazing, hundreds of different IP's per day. I let a given IP "hit it" half a dozen times before banning. Port 23 is even busier. On the machine that does have sshd open to the outside (different port), there are occasional intrusion attempts that include password. A user gets multiple password attempts on a single connection. The only way to know a password attempt was made is to watch the sshd activity log (auth.log).



Nobody gets into sshd here with a password. That method is closed off. Funny assortment of usernames. I'd guess on the order of 1 intrusion attempt per day, there.

Tony0945









Joined: 25 Jul 2006

Posts: 3996

Location: Illinois, USA AdvocateJoined: 25 Jul 2006Posts: 3996Location: Illinois, USA

Posted: Sat Mar 18, 2017 2:24 pm Post subject: eohrnberger wrote: The Windows clients access the zfs storage via samba, and that has it's own smbusers. Other Linux machines access the zfs storage via nfs. Can samba access any root owned files? I try to keep samba restricted to one directory, but others make the whole machine accessible. Maybe the malware got in via Windows and samba?



If your users only belong to their own group they can't do much. Maybe that's why you were web surfing as root? I have fired the browser up as root, but only to access my modem, not the internet.



My apologies for intruding. I am in no way an expert. Listen to Neddy, he is.

eohrnberger









Joined: 09 Dec 2004

Posts: 225

ApprenticeJoined: 09 Dec 2004Posts: 225

Posted: Sat Mar 18, 2017 2:28 pm Post subject: cboldt wrote: Quote: On the firewall, any ssh password knocking, even a single failed password attempt, injects an iptables drop rule for that source IP (think primitive fail2ban).



The firewall doesn't know if there was even a password attempt. I run a honeypot here, and the number of hits vs. port 22 is amazing, hundreds of different IP's per day. I let a given IP "hit it" half a dozen times before banning. Port 23 is even busier. On the machine that does have sshd open to the outside (different port), there are occasional intrusion attempts that include password. A user gets multiple password attempts on a single connection. The only way to know a password attempt was made is to watch the sshd activity log (auth.log).



Nobody gets into sshd here with a password. That method is closed off. Funny assortment of usernames. I'd guess on the order of 1 intrusion attempt per day, there.



The firewall doesn't allow 23 to the Internet. That's silently dropped. While the firewall doesn't log everything, it is configured to log the banned traffic. sshd is configured to logs to the secure log (at least on this configuration), and the secure log is scanned, offensive IPs gathered, and iptables rules injected.



Yeah, I'm seeing tons of traffic knocking on the ssh port. Not exactly sure when I setup the banning script, must have been years ago, but seems that such port knocking has increased as of late.



Last edited by eohrnberger on Sat Mar 18, 2017 3:04 pm; edited 1 time in total