Over the weekend I was experimenting with a promising new monitoring system; I have a close friend who runs a ministry to missionary kids who had let me test the system on his server and so far the monitoring system was reporting as it should. However, there were a couple of alerts that kept being sent over regarding memory, page file, disk space, and repeated “hacking attempts.”
Now, for the average user, a “hacking attempt” sounds incredibly serious, but in actuality these alerts are often caused by an improperly configured service. Given that there were a few hundred authentication failures a day, I thought my friend might have an error in the configuration of one of the services running on his server. Since he is my best friend, I offered to log in remotely and sort out the alerts I was seeing.
The issues with the disk space were rectified rather easily; it appeared that a program built with Java had gone awry. Somehow it had managed to grow the directory it was in to over 28 GB. Next I thought I might take a look at the authentication logs to see which service was causing trouble. Hmm… the service with the authentication failures was SSH, a protocol for controlling the command line interface of a Linux/Unix machine from a remote location. Worse still, the failures were all originating from another address, and they were cycling through a list of potential user names such as the all-powerful ‘root’ (which was a locked-down account on this system), ftp, postgres, etc. We call this a ‘brute force’ attack because it takes a list of user names and then tries various passwords against each one from a dictionary list. Usually these lists will also allow a series of numbers to be appended, so that the attack tries the name of the user + a dictionary word + 00 through 99, which generally works because people often use passwords like robert77, beijing42, or linebacker82.
So as it turns out, the hacking alert really was a hacking attempt this time! My friend regularly uses SSH for various work he does, so I couldn’t firewall it off entirely or shut it down. I decided to do a quick install of denyhosts (http://denyhosts.sourceforge.net/), and configured it to lock out IP addresses after 5 failed login attempts on regular accounts and 1 failed attempt at user names like ‘root’. I left a note for my friend about the hacking attempts and closed the support session.
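The lockout rule described above (5 failed attempts on regular accounts, 1 on ‘root’) is easy to reproduce as a log check of your own, which is handy for confirming what a monitoring alert is actually reporting before reaching for a tool. The following is an added example, not code from the original post and not part of denyhosts; it assumes the “Failed password” line format that OpenSSH writes to the auth log, and the sample log lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict

# Pattern for the "Failed password" line that OpenSSH writes to the auth log
# (e.g. /var/log/auth.log or /var/log/secure). Attempts against accounts that
# do not exist carry an extra "invalid user" token, absorbed by the optional group.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Accounts that get the stricter "one strike" rule, matching the denyhosts
# configuration described in the post. Assumption: only root is privileged here.
PRIVILEGED = {"root"}


def parse_failures(lines):
    """Yield (user, source_ip) for every failed-password line in `lines`."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def hosts_to_block(lines, normal_threshold=5, privileged_threshold=1,
                   privileged=PRIVILEGED):
    """Return {source_ip: reason} for every address that crossed a threshold.

    Failures are counted separately per source address for privileged and
    regular accounts, so one attempt at root is enough while regular accounts
    tolerate a few typos before the address is flagged.
    """
    normal = defaultdict(int)
    priv = defaultdict(int)
    for user, ip in parse_failures(lines):
        if user in privileged:
            priv[ip] += 1
        else:
            normal[ip] += 1

    blocked = {}
    for ip in set(normal) | set(priv):
        if priv[ip] >= privileged_threshold:
            blocked[ip] = f"{priv[ip]} failed login(s) on a privileged account"
        elif normal[ip] >= normal_threshold:
            blocked[ip] = f"{normal[ip]} failed logins on regular accounts"
    return blocked


# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "Jan 12 03:14:05 srv sshd[2101]: Failed password for invalid user ftp from 203.0.113.7 port 51234 ssh2",
    "Jan 12 03:14:07 srv sshd[2103]: Failed password for postgres from 203.0.113.7 port 51236 ssh2",
    "Jan 12 03:14:09 srv sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
    "Jan 12 03:14:11 srv sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2",
    "Jan 12 03:14:13 srv sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 51242 ssh2",
    "Jan 12 03:20:41 srv sshd[2150]: Failed password for root from 198.51.100.22 port 40001 ssh2",
    "Jan 12 08:02:10 srv sshd[2310]: Failed password for bob from 192.0.2.9 port 33002 ssh2",
    "Jan 12 08:02:18 srv sshd[2312]: Failed password for bob from 192.0.2.9 port 33004 ssh2",
    "Jan 12 08:02:30 srv sshd[2314]: Accepted publickey for bob from 192.0.2.9 port 33006 ssh2: RSA SHA256:placeholder",
]

if __name__ == "__main__":
    for ip, reason in sorted(hosts_to_block(SAMPLE_LOG).items()):
        print(f"{ip}: {reason}")
```

Run against the constructed sample, the scanning host is flagged after five failures on regular accounts, the single attempt at root is flagged immediately, and the legitimate user who mistyped a password twice before logging in with a key is left alone. To use it on a real server, feed it the lines of the auth log instead of `SAMPLE_LOG` and compare the flagged addresses with whatever your monitoring system labelled a “hacking attempt”.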
The next morning I received an email from my friend expressing how much faster his system was now running. This story illustrates how important it is to monitor the systems on your network. That is why GeekOut Technologies is dedicated to providing the best value available in monitoring and intervention for our clients. To this end we hope to be able to provide monitoring of servers for under $1.00 SGD/day by mid fall. Stay tuned!