URGENT SSH / TCP Wrappers active by default on proxmox

ejmerkel

Some of my nodes are under attack via ssh. I am trying to block access.

I am trying to only allow SSH to certain IPs on my Proxmox nodes v3.3-1.

hosts.allow looks like this, where X.X.X.X is my IP and Y.Y.Y.Y is the cluster network:

sshd: X.X.X.X Y.Y.Y.Y/255.255.255.0

hosts.deny

sshd: ALL

For some reason this is not working. Is TCP Wrappers turned on by default or am I missing something?

Also, if I want to change SSH ports, do I just change Port XXX in /etc/ssh/ssh_config and sshd_config?

Thanks,
Eric
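
How TCP Wrappers evaluates the two files from the question above, as an added example (not part of the original post and not Proxmox code): a small Python model of the hosts_access(5) lookup order, covering only IPv4 address, prefix, net/mask and ALL client patterns. The addresses are constructed stand-ins for the X.X.X.X and Y.Y.Y.Y placeholders.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, address, prefix., net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # "192.0.2." matches by address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask matches when (addr & mask) == net
        net, mask = pattern.split("/", 1)
        return (_to_int(ip) & _to_int(mask)) == _to_int(net)
    return pattern == ip

def _file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list' line matches (daemon, ip)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        if not any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split()):
            continue
        if any(_client_matches(c, ip) for c in clients.replace(",", " ").split()):
            return True
    return False

def access_allowed(hosts_allow, hosts_deny, daemon, ip):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    if _file_matches(hosts_allow, daemon, ip):
        return True
    return not _file_matches(hosts_deny, daemon, ip)

# Constructed sample files mirroring the layout in the post.
HOSTS_ALLOW = "sshd: 198.51.100.7 192.0.2.0/255.255.255.0\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.44", "203.0.113.9"):
        print(ip, access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

The model only describes rule evaluation; the files have an effect only for a daemon built with libwrap support or started through tcpd.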
 
If somebody has already replaced the sshd binary... do yourself a favour and save a lot of time by just taking the server offline. You might then want to take out all the disks and either analyse them yourself or give them to a forensics company. There's almost no chance of getting the system completely clean without starting fresh. BTW, you cannot use ANY of the now-compromised data; you have to start from scratch (or the latest, full, clean backup for that matter).
 
That's what I plan to do. It looks like the attack was automated and just replaced sshd for a future compromise, but we caught it right away. Would I just do an apt-get install openssh-server to get SSH reinstalled, just to keep them out as I rebuild it?

Eric
 
