[GLLUG] Uh Oh. Help?

Richard Houser rick at divinesymphony.net
Sat Mar 3 20:58:42 EST 2012


You shouldn't forward rdp or vnc, etc. directly over the net.  Turn off
the forward and just tunnel it over ssh.  Ssh left open to the net for
something like this should be using keyed logins, too.
On Mar 3, 2012 6:00 PM, "J Neveau" <neveauj at gmail.com> wrote:

> Well, I made the adjustments to the router.  UPnP was active, so I
> disabled that.
>
> Karl, my setup was as you described.  I would remote to her box via her
> outside IP address via a given port number.  That port was forwarded to
> her reserved internal IP address for her machine on that port.
>
> I did have remote desktop enabled on her machine, but it required a
> password of eight characters (alpha/numeric, random, not "dictionary"
> stuff).  It seems to me that I changed the default port used for that
> too; the one that forwarded to her machine via the router.
>
> That's why I was confused as to how someone could remote to her machine
> on a port that was not forwarded through the router to her machine
> specifically.
>
> But, like I said, I'm self-taught and sort of new to this networking
> stuff.  VERY green behind the ears!  Being that I cut my teeth on the
> Linux boxes, I try to think "security" as much as my amount of knowledge
> allows.
>
> Thanks for the help and your patience in my lack of knowledge!!  I'll
> check her router log tonight and see if the "shenanigans" are still
> there.
>
> Cheers!
>
> J.Neveau
>
>
>
> On Fri, Mar 2, 2012 at 1:59 AM, Richard Houser <rick at divinesymphony.net>wrote:
>
>> J,
>>
>> As long as the connection isn't established and the attempts aren't
>> enough to cause a DoS effect, you shouldn't be concerned.
>>
>> Many home routers will just let you brute force password attempts
>> until you get it.  Those that implement meager IP-based blackout
>> periods are still vulnerable to anyone with access to many IPs.  I
>> recommend you keep the remote access disabled on the router unless you
>> can restrict the access using a strong key.  For example, I run
>> OpenWRT and just disable password logins to dropbear.
>>
>>
>>
>> On Thu, Mar 1, 2012 at 11:47 PM, STeve Andre' <andres at msu.edu> wrote:
>> > It's important to understand that people get scanned by "script
>> > kiddies" all the time, on public networks.  ALL THE TIME.  My
>> > boss had something like Zone Alarm on his Windows machine
>> > and was equally fascinated and horrified at the number of
>> > things his machine was exposed to.
>> >
>> > The few times I've looked at my own Comcast connection I
>> > saw at least 5 an hour, and sometimes some little twerp
>> > would develop an inordinate fondness for me, and bombard
>> > me with useless logins, malformed HTTP GETs and so on.
>> >
>> > While it's not good to let your guard down, log file entries
>> > quickly start looking like noise, which 99.8%+, they are.
>> >
>> > --STeve Andre'
>> >
>> >
>> > On 03/01/12 17:38, Karl Schuttler wrote:
>> >>
>> >> Port 5900 is VNC (remote access, as you noticed). The 70.x.x.x IP you
>> >> mentioned is registered to THEPLANET.COM INTERNET SERVICES in Dallas,
>> >> TX. Feel free to send me the log and I'll take a look. You might
>> >> consider reaching out to ThePlanet.com and asking them about the
>> >> incident; they might have a security breach. I would call them over
>> >> the phone, but you could certainly email.  The 140.x.x.x address
>> >> belongs to National Chung Cheng University in Taiwan.
>> >>
>> >> It would seem that they shouldn't be able to access her computer, from
>> >> your description of the network setup; perhaps it isn't functioning as
>> >> you intended.
>> >>
>> >>
>> >> On Thu, Mar 1, 2012 at 5:16 PM, J Neveau<neveauj at gmail.com>  wrote:
>> >>>
>> >>> Could someone in the group with network guru skills help me out?  I
>> >>> was perusing my Mom's router log today and saw something that
>> >>> concerned me.
>> >>>
>> >>> The log shows:
>> >>>
>> >>> [LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900
>> >>> Thursday, Mar 01,2012 08:06:39
>> >>>
>> >>> and
>> >>>
>> >>> [LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900
>> >>> Wednesday, Feb 29,2012 6:31:46
>> >>>
>> >>> Both of those lines show up a number of times over the past couple
>> >>> weeks.
>> >>>
>> >>> I'm concerned, as my Mom is 80 years old and (hopefully) didn't
>> >>> download anything malicious that is allowing port 5900 to be used on
>> >>> her OS.  She is using Linux Mint and I've been keeping it up to date
>> >>> on updates through its Synaptic application. (version 10.something if
>> >>> I recall correctly)
>> >>>
>> >>> I have a PDF file of the entire log if anyone would be kind enough to
>> >>> look at it.
>> >>>
>> >>> I had her router set up for remote management so that I could log in
>> >>> to deal with issues.  I had it assigned to a selected port number for
>> >>> admin of the router.  I also had the DHCP reserve that IP address to
>> >>> her machine so I could remote admin her operating system if she had
>> >>> any issues; it was port forwarded to a selected port (different than
>> >>> the router log-in; NOT port 5900) for that purpose as well.
>> >>>
>> >>> For the time being, I've disabled the remote log-in function until I
>> >>> can get this surveyed by those more knowledgeable.  I will have
>> >>> physical access to her machine for the next week, so if any
>> >>> additional diagnosis is needed, I'll be happy to forward that
>> >>> information to the group.
>> >>>
>> >>> Any help is greatly appreciated!
>> >>>
>> >>> J.Neveau
>> >>>
>> >
>> > _______________________________________________
>> > linux-user mailing list
>> > linux-user at egr.msu.edu
>> > http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>>
>
>
>
>
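Added example, not part of the thread above: a check that turns J. Neveau's question ("how could someone reach a port I never forwarded?") into something you can run against the router log. It greps the bracketed "[LAN access from remote]" entries (the date line that follows each one is ignored), compares every destination ip:port against a list of the forwards you configured on purpose, and counts hits per source. The log format and the two remote addresses are the ones quoted in the thread; the other two log entries, the 198.51.100.7 address, the 5022/8443 port numbers standing in for the "selected port numbers" the thread never names, and the temp files are constructed for this example.

```shell
#!/bin/sh
# Added example: flag inbound router-log entries whose destination is not
# one of the port forwards you deliberately set up, and count repeat probes.
# Entry format (NETGEAR style, as quoted in the thread):
#   [LAN access from remote] from SRC_IP:SRC_PORT to DST_IP:DST_PORT
#   <date line>

tmpdir=$(mktemp -d)

# Constructed sample log: the first two entries are the ones quoted in the
# thread; the last two are made up to show a repeat probe from the same
# source and a legitimate hit on a forwarded port.
cat > "$tmpdir/router.log" <<'EOF'
[LAN access from remote] from 70.86.214.138:48659 to 192.168.1.3:5900
Thursday, Mar 01,2012 08:06:39
[LAN access from remote] from 140.123.103.148:45214 to 192.168.1.3:5900
Wednesday, Feb 29,2012 6:31:46
[LAN access from remote] from 70.86.214.138:51200 to 192.168.1.3:5900
Wednesday, Feb 29,2012 22:10:03
[LAN access from remote] from 198.51.100.7:40001 to 192.168.1.3:5022
Tuesday, Feb 28,2012 19:45:12
EOF

# The forwards you configured on purpose, one "internal_ip:port" per line.
# 5022 and 8443 are placeholders; the thread never says which "selected
# port numbers" were used for the remote-admin and router-admin forwards.
cat > "$tmpdir/expected_forwards" <<'EOF'
192.168.1.3:5022
192.168.1.1:8443
EOF

# Print "SRC -> DST" for every remote-access entry whose destination is not
# in the expected-forwards file. Anything printed reached a host:port you
# did not knowingly expose (a UPnP-opened VNC port, in the thread's case).
unexpected_remote_access() {
    grep '^\[LAN access from remote]' "$1" |
    awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) if (l != "") ok[l] = 1 }
        # fields: [LAN access from remote] from SRC:PORT to DST:PORT
        !($8 in ok) { print $6 " -> " $8 }
    '
}

# Count hits per (source IP, destination), most frequent first, so a host
# that keeps coming back stands out from one-off scanner noise.
remote_access_summary() {
    grep '^\[LAN access from remote]' "$1" |
    awk '{ split($6, s, ":"); n[s[1] " -> " $8]++ }
         END { for (k in n) print n[k], k }' |
    sort -rn
}

unexpected_remote_access "$tmpdir/router.log" "$tmpdir/expected_forwards"
remote_access_summary "$tmpdir/router.log"
```

Run it against the real log (exported as text rather than the PDF) with your actual forward list; an entry to 192.168.1.3:5900 that shows up here while UPnP is enabled points at a desktop service on the LAN having opened the port itself.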
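Added example, not part of the thread above: Richard's advice at the top of this message is to drop the raw VNC/RDP forward, tunnel the session over ssh, and only let ssh face the internet if it takes keys rather than passwords. The audit below checks an sshd_config for exactly that (password and keyboard-interactive logins off, public-key logins on), honouring sshd's rule that the first value seen for a directive wins, and the comment at the end shows the client-side tunnel that replaces the forward. The two config files, the user name jneveau, the key path, port 2222 and the 203.0.113.10 address are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "keyed logins only" before
# exposing SSH on the router, and show the VNC-over-SSH tunnel that makes
# the VNC port forward unnecessary.

tmpdir=$(mktemp -d)

# Constructed weak config: PasswordAuthentication is simply absent, and
# OpenSSH defaults it to "yes", so an eight-character password is all that
# stands between the internet and the box.
cat > "$tmpdir/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Constructed hardened config: keys only, no root login, one allowed user.
cat > "$tmpdir/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jneveau
EOF

# Return 0 when only public-key authentication is possible, 1 otherwise,
# printing each directive that needs changing. sshd uses the FIRST value it
# sees for a keyword, so the first occurrence wins here too. Directives
# after a Match block are not examined (audit those separately).
# KbdInteractiveAuthentication is the newer name for
# ChallengeResponseAuthentication and is treated as the same setting.
sshd_keys_only() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        {
            k = tolower($1)
            if (k == "kbdinteractiveauthentication") k = "challengeresponseauthentication"
            if (!(k in val)) val[k] = tolower($2)
        }
        END {
            # OpenSSH defaults when the directive is absent
            if (!("passwordauthentication" in val)) val["passwordauthentication"] = "yes"
            if (!("challengeresponseauthentication" in val)) val["challengeresponseauthentication"] = "yes"
            if (!("pubkeyauthentication" in val)) val["pubkeyauthentication"] = "yes"
            bad = 0
            if (val["passwordauthentication"] != "no") { print "set PasswordAuthentication no"; bad = 1 }
            if (val["challengeresponseauthentication"] != "no") { print "set ChallengeResponseAuthentication no"; bad = 1 }
            if (val["pubkeyauthentication"] != "yes") { print "set PubkeyAuthentication yes"; bad = 1 }
            exit bad
        }' "$1"
}

for f in weak hardened; do
    printf '%s: ' "$f"
    if sshd_keys_only "$tmpdir/sshd_config.$f"; then echo "keys only, OK"; fi
done

# Client side once the server passes: forward local port 5900 through SSH
# to the VNC server listening on the remote box's loopback, then point the
# viewer at localhost. The router then forwards only the SSH port (2222 in
# the hardened config above); 5900 is never exposed.
#   ssh -N -L 5900:127.0.0.1:5900 -p 2222 -i ~/.ssh/mom_ed25519 jneveau@203.0.113.10
#   vncviewer 127.0.0.1:5900
```

Running it prints "weak: set PasswordAuthentication no" and "hardened: keys only, OK". Restart sshd after editing the file, and confirm from outside that a password prompt no longer appears (ssh -o PubkeyAuthentication=no should be refused) before you re-enable the forward on the router.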

