Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kul
Contributor

log file -network compromised

One of my checkpoint client got the logs being sent by ISP saying that there are numerous traffic being generated and my network is compromised .The ip address in the log is my one of my servers IP.

i blocked  ssh from outside  to the server  as well

what do i do ?

Reported-From: abuse-team@blocklist.de
Category: abuse
Report-Type: login-attack
Service: ssh
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Sat, 21 Sep 2019 08:24:56 +0200
Source-Type: ip-address
Source: 202.xxx.xx.xx
Port: 22
Report-ID: 896439139@blocklist.de
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain

 

Sep 21 08:24:54 vps34202 sshd[544]: Address 202.XX.XX.XX maps to www.xx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 08:24:54 vps34202 sshd[544]: Invalid user oracle from 202.XX.XX.XX
Sep 21 08:24:54 vps34202 sshd[544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.XX.XX.XX 
Sep 21 08:24:56 vps34202 sshd[544]: Failed password for invalid user oracle from 202.XX.XX.XX port 45262 ssh2
Sep 21 08:24:56 vps34202 sshd[544]: Received disconnect from 202.XX.XX.XX: 11: Bye Bye [preauth]

0 Kudos
4 Replies
Timothy_Hall
Legend Legend
Legend

Check Point has a very good incident response service, and the speeches by @Daniel_Wiley at CPX are always a highlight for me.

https://www.checkpoint.com/support-services/threatcloud-incident-response/

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Kul
Contributor

This incidence response team is not respondin
0 Kudos
FedericoMeiners
Advisor

@Kul 

To mitigate the issue evaluate which ports do you need for your hosts to communicate with the internet, in most cases your server will not need to initiate SSH connections, apply same principle for all hosts in your network.

It's a very common mistake when doing bi-directional rules, many people think that if you need to access via SSH to a server you have to create two rules or a bidirectional one (One for outgoing traffic and another for incoming with same services), this is totally wrong.

After that, track in your logs which hosts attempted to do SSH connections (src: host and port 22) so you can isolate it until cleaning.

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
PhoneBoy
Admin
Admin

As a best practice, any server reachable from the Internet should only be permitted to originate connections to specific hosts (preferably none).
Your policy should definitely be tightened up.
Incident Response is definitely recommended to help clean up and lock down the environment.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events