SSH under pointless(?) attack
SSH under pointless(?) attack
02-08-2013 8:16 PM
Quote:
Aug 2 17:14:35 HECTOR sshd[17324]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug 2 17:14:38 HECTOR sshd[17326]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 2 17:14:38 HECTOR sshd[17326]: Invalid user andras from 125.32.42.30
Aug 2 17:14:38 HECTOR sshd[17326]: input_userauth_request: invalid user andras [preauth]
Aug 2 17:14:38 HECTOR sshd[17326]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug 2 17:14:41 HECTOR sshd[17328]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 2 17:14:41 HECTOR sshd[17328]: Invalid user dorka from 125.32.42.30
Aug 2 17:14:41 HECTOR sshd[17328]: input_userauth_request: invalid user dorka [preauth]
Aug 2 17:14:42 HECTOR sshd[17328]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug 2 17:14:44 HECTOR sshd[17330]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 2 17:14:44 HECTOR sshd[17330]: Invalid user dorka from 125.32.42.30
Aug 2 17:14:44 HECTOR sshd[17330]: input_userauth_request: invalid user dorka [preauth]
Aug 2 17:14:45 HECTOR sshd[17330]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug 2 17:14:48 HECTOR sshd[17332]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 2 17:14:48 HECTOR sshd[17332]: Invalid user benedek from 125.32.42.30
Aug 2 17:14:48 HECTOR sshd[17332]: input_userauth_request: invalid user benedek [preauth]
Aug 2 17:14:48 HECTOR sshd[17332]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug 2 17:14:51 HECTOR sshd[17334]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Why doesn't this person give up?
Think I'll get a new IP address...
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: SSH under pointless(?) attack
02-08-2013 8:53 PM
Re: SSH under pointless(?) attack
02-08-2013 9:38 PM
I've got mine to email me at a Hotmail address every time an intrusion is detected. Most hackers seem to give up after a few bans.
Re: SSH under pointless(?) attack
03-08-2013 12:41 AM
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: SSH under pointless(?) attack
03-08-2013 12:53 AM
Re: SSH under pointless(?) attack
03-08-2013 1:04 PM
Status for the jail: freebsd-ipfw-sendmail
|- filter
|  |- File list: /var/log/maillog
|  |- Currently failed: 793
|  `- Total failed: 972
`- action
   |- Currently banned: 30
Status for the jail: freebsd-ipfw-sshd
|- filter
|  |- File list: /var/log/auth.log
|  |- Currently failed: 78
|  `- Total failed: 814
`- action
   |- Currently banned: 216
I think I have my ban time set to a year (I have earlier firewall rules which explicitly grant access from a select few IP addresses in case I lock myself out!)
Re: SSH under pointless(?) attack
25-08-2013 12:25 PM
Fail2ban will catch rapid attacks and slow them down, but won't catch distributed slow attacks from botnets. It's a start.
The first question you need to consider is firewall rules (iptables or pf). Do you need your SSH port open to the world or just a few addresses? If you drop packets from anywhere else your port will be stealthed to all except your chosen networks and that will reduce the risk a lot.
Changing your IP address will hold them off for a few minutes or even hours, which is how long it takes for my port to be attacked when I open it to the world. I'm working on that, as I only ever need to open it to the UK at most.
Re: SSH under pointless(?) attack
25-08-2013 12:59 PM
Re: SSH under pointless(?) attack
25-08-2013 1:42 PM
So I need to capture the attacker IP address and apply it to iptables on a semi-permanent basis.
Or perhaps they could go in /etc/hosts.deny?
"In The Beginning Was The Word, And The Word Was Aardvark."
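The approach discussed in this thread (count invalid-user attempts per source address, ban repeat offenders, never ban your own allowlisted addresses), as an added example that is not part of any poster's message and is not fail2ban's own code. The function names, thresholds and sample log are assumptions constructed for illustration; the rules are rendered as text, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import IPv4Address

# Constructed sample in the sshd/syslog format quoted in the first post (RFC 5737 addresses).
SAMPLE_LOG = """\
Aug  2 17:14:38 HOST sshd[101]: Invalid user alice from 203.0.113.7
Aug  2 17:14:38 HOST sshd[101]: input_userauth_request: invalid user alice [preauth]
Aug  2 17:14:41 HOST sshd[102]: Invalid user bob from 203.0.113.7
Aug  2 17:14:44 HOST sshd[103]: Invalid user carol from 203.0.113.7
Aug  2 17:15:00 HOST sshd[104]: Invalid user test from 192.0.2.10
Aug  2 17:15:01 HOST sshd[105]: Invalid user test from 192.0.2.10
Aug  2 17:15:02 HOST sshd[106]: Invalid user test from 192.0.2.10
Aug  2 17:20:00 HOST sshd[107]: Invalid user dave from 198.51.100.9
Aug  2 18:20:00 HOST sshd[108]: Invalid user erin from 198.51.100.9
Aug  2 19:20:00 HOST sshd[109]: Invalid user frank from 198.51.100.9
"""

# Anchored at both ends: the address is always the last field, never text from the username.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

def find_offenders(log_text, allowlist=(), max_retry=3,
                   find_time=timedelta(minutes=10), year=2013):
    """Map IPs with >= max_retry attempts inside find_time to the names tried (syslog has no year)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER.match(line.strip())
        if m and m["ip"] not in allowlist:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts[m["ip"]].append((ts, m["user"]))
    offenders = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > find_time:
                start += 1  # slide the window past stale attempts
            if end - start + 1 >= max_retry:
                offenders[ip] = sorted({user for _, user in events})
                break
    return offenders

def drop_rules(offenders):
    """Render (not run) one iptables DROP rule per offender; IPv4Address rejects malformed input."""
    return [f"iptables -I INPUT -s {IPv4Address(ip)} -p tcp --dport 22 -j DROP" for ip in sorted(offenders)]
```

The three attempts from 198.51.100.9 are an hour apart and never fall inside one window, which is the slow-attack gap mentioned earlier in the thread.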
Re: SSH under pointless(?) attack
25-08-2013 10:46 PM
Re: SSH under pointless(?) attack
27-08-2013 1:02 AM
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: SSH under pointless(?) attack
03-11-2013 12:34 AM
http://www.configserver.com/cp/csf.html
This is quite a nice Linux firewall with automated brute-force tracking/blocking.
Oh, and once someone triggers a perm ban it should persist across reboots.