VPN HACK ???
Arjan
over 17 years ago
Hi all,
Today I discovered a possible hack attempt on my VPN connection.
I use the latest version of Astaro 5 (version 5.1).
As I do not exactly get what happened, I will try to share it with you and maybe someone can help me with this?
First I got an email (from the IDS) that there was a dictionary attack on my server. The strange thing was that the attack came from my internal IP numbers used by the PPTP range!
After looking at the log files of the PPTP I discovered that someone did have a connection for at least 9.5 minutes!!
I will attach the log file; maybe someone has an explanation for this??
A little part of the log file mentions: pppd-pptp[898]: Plugin /usr/sbin/aua.so loaded --> this worries me most
Thanx
Attachment: 53057-pptpd-2004-12-09[1].21h06m.zip
ReD-MaN
over 17 years ago
aua.so is part of the Astaro User Authentication package I believe...
Arjan
over 17 years ago
in reply to ReD-MaN
So if I understand correctly, the Astaro only loads some plugins when someone tries to connect to the PPTP port? [:S]
Do the plugins stay loaded in the system, or are they loaded every time someone connects?
Gert Hansen
over 17 years ago
in reply to Arjan
Hi there all,
to shed some light into the darkness.
AUA is not something evil, but our internal "Astaro User Authentication" service.
What happens is the following:
The PPTP server listens on TCP port 1701.
Then IP 194.151.117.165 tried to connect; this IP is listed as:
inetnum: 194.151.116.0 - 194.151.117.255
netname: BUSPAM
descr: KPN Telecom BV
country: NL
Once the IP gets connected, pptpd starts a pppd process to do the authentication and handle the connection.
During startup the pppd initializes either aua.so (local authentication) or radius.so (RADIUS authentication).
Yes, this plugin gets loaded during every startup of the pppd process.
After a successful authentication, which you can analyze in /var/log/aua.log I think,
it sets up the final connection parameters and assigns the internal IP 10.100.125.2.
Then, for an unknown reason, four keep-alive packets did not get responded to,
which tells the server that this connection is no longer alive, and it disconnects it.
I hope this helps,
best regards
Gert
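An added example (not from the thread and not Astaro's own code) of the check a defender wants at this point: rebuild the PPTP session from pptpd/pppd log lines and map the IDS alert's internal source IP back to the session, and so to the public client IP, that held it when the alert fired. The log lines are constructed to mirror the sequence Gert describes; the pptpd message wording, pairing a pppd process with the control connection that immediately precedes it, and the year 2004 are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the attached log) mirroring the sequence
# Gert describes: control connection from a public IP, pppd with aua.so,
# internal IP assignment, four unanswered keep-alives, disconnect.
SAMPLE_LOG = """\
Dec  9 21:06:02 astaro pptpd[897]: CTRL: Client 194.151.117.165 control connection started
Dec  9 21:06:03 astaro pppd-pptp[898]: Plugin /usr/sbin/aua.so loaded
Dec  9 21:06:05 astaro pppd-pptp[898]: remote IP address 10.100.125.2
Dec  9 21:15:31 astaro pppd-pptp[898]: No response to 4 echo-requests
Dec  9 21:15:31 astaro pppd-pptp[898]: Connection terminated.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[(\d+)\]: (.*)$")

def parse_ts(stamp, year=2004):
    # syslog omits the year; 2004 is assumed from the attachment name
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def build_sessions(log_text):
    """One record per pppd process: public client IP, assigned internal IP,
    start/end time and whether it died on the keep-alive timeout."""
    sessions, last_client = {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, pid, msg = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        if prog == "pptpd" and "control connection started" in msg:
            last_client = msg.split()[2]  # assumption: next pppd start is this client
        elif prog.startswith("pppd"):
            s = sessions.setdefault(pid, {"client": last_client, "start": ts,
                                          "internal_ip": None, "end": None, "timeout": False})
            if msg.startswith("remote IP address "):
                s["internal_ip"] = msg.split()[-1]
            elif msg.startswith("No response to"):
                s["timeout"] = True
            elif msg.startswith("Connection terminated"):
                s["end"] = ts
    return sessions

def who_had_ip(sessions, internal_ip, at):
    """Tie an IDS alert (internal source IP + time) back to the VPN session,
    and thus the public client IP, that held that address at that moment."""
    for s in sessions.values():
        if s["internal_ip"] == internal_ip and s["start"] <= at <= (s["end"] or at):
            return s
    return None
```

Call `who_had_ip(build_sessions(log), "10.100.125.2", parse_ts("Dec  9 21:10:00"))` with the alert's source IP and timestamp; the returned record carries the public client address and the session start and end, which together answer "who was on the VPN and for how long" without guessing from the internal address alone.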
Arjan
over 17 years ago
in reply to Gert Hansen
"it sets up the final connection parameters and assigns the internal IP 10.100.125.2"
So this means that someone either guessed my own password or the admin password? Otherwise he wouldn't have come this far?
If that's the case, then a simple password change would be sufficient. Can I see in some other logs who connected successfully? Because I cannot find it in the log file I attached.
Thanx
---edited--- Oops, sorry, I did not see the comment about the local log file; I will check this.