
SSH under pointless(?) attack

VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

SSH under pointless(?) attack

A small sample...
Aug  2 17:14:35 HECTOR sshd[17324]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:38 HECTOR sshd[17326]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug  2 17:14:38 HECTOR sshd[17326]: Invalid user andras from 125.32.42.30
Aug  2 17:14:38 HECTOR sshd[17326]: input_userauth_request: invalid user andras [preauth]
Aug  2 17:14:38 HECTOR sshd[17326]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:41 HECTOR sshd[17328]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug  2 17:14:41 HECTOR sshd[17328]: Invalid user dorka from 125.32.42.30
Aug  2 17:14:41 HECTOR sshd[17328]: input_userauth_request: invalid user dorka [preauth]
Aug  2 17:14:42 HECTOR sshd[17328]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:44 HECTOR sshd[17330]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug  2 17:14:44 HECTOR sshd[17330]: Invalid user dorka from 125.32.42.30
Aug  2 17:14:44 HECTOR sshd[17330]: input_userauth_request: invalid user dorka [preauth]
Aug  2 17:14:45 HECTOR sshd[17330]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:48 HECTOR sshd[17332]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug  2 17:14:48 HECTOR sshd[17332]: Invalid user benedek from 125.32.42.30
Aug  2 17:14:48 HECTOR sshd[17332]: input_userauth_request: invalid user benedek [preauth]
Aug  2 17:14:48 HECTOR sshd[17332]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:51 HECTOR sshd[17334]: reverse mapping checking getaddrinfo for 30.42.32.125.adsl-pool.jlccptt.net.cn [125.32.42.30] failed - POSSIBLE BREAK-IN ATTEMPT!

Why doesn't this person give up?
Think I'll get a new IP address...
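The excerpt above is the kind of input a small detection script should summarise before anyone decides to act on it. The script below is an added example, not code from the thread or from any of the posters: it counts the `Invalid user` lines per source address, lists the usernames tried, and flags any address at or over a threshold. The `input_userauth_request` duplicates of the same attempt are deliberately ignored so each guess is counted once. The embedded sample log is constructed from the original poster's lines plus one made-up entry from the documentation range (203.0.113.7); the threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd "Invalid user" lines per
# source IP from auth.log-style input on stdin.

# Constructed sample log: the OP's lines plus one made-up entry (203.0.113.7).
SAMPLE_LOG='Aug  2 17:14:35 HECTOR sshd[17324]: Received disconnect from 125.32.42.30: 11: Bye Bye [preauth]
Aug  2 17:14:38 HECTOR sshd[17326]: Invalid user andras from 125.32.42.30
Aug  2 17:14:38 HECTOR sshd[17326]: input_userauth_request: invalid user andras [preauth]
Aug  2 17:14:41 HECTOR sshd[17328]: Invalid user dorka from 125.32.42.30
Aug  2 17:14:44 HECTOR sshd[17330]: Invalid user dorka from 125.32.42.30
Aug  2 17:14:48 HECTOR sshd[17332]: Invalid user benedek from 125.32.42.30
Aug  2 17:20:01 HECTOR sshd[17400]: Invalid user admin from 203.0.113.7'

# invalid_user_summary: read log lines on stdin and print one line per source IP:
#   <ip> <attempts> <distinct_users> <user1,user2,...>
# Only "sshd[...]: Invalid user NAME from IP" lines count; the lowercase
# "input_userauth_request: invalid user" repeat of the same event is skipped.
invalid_user_summary() {
    awk '
        /sshd\[[0-9]+\]: Invalid user / {
            # locate "from": the word before it is the username, the word after is the IP
            for (i = 1; i <= NF; i++) if ($i == "from") { name = $(i-1); ip = $(i+1) }
            attempts[ip]++
            if (!((ip, name) in seen)) {
                seen[ip, name] = 1
                distinct[ip]++
                names[ip] = (names[ip] == "") ? name : (names[ip] "," name)
            }
        }
        END {
            for (ip in attempts)
                printf "%s %d %d %s\n", ip, attempts[ip], distinct[ip], names[ip]
        }
    ' | sort -k2,2nr
}

# offenders THRESHOLD: print the IPs with at least THRESHOLD invalid-user attempts.
offenders() {
    invalid_user_summary | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone usage on the constructed sample (threshold 3 is an assumption).
echo "$SAMPLE_LOG" | invalid_user_summary
echo "--- addresses with >= 3 attempts:"
echo "$SAMPLE_LOG" | offenders 3
```

Run it as `sh summary.sh`, or feed a real file with `invalid_user_summary < /var/log/auth.log`. On the sample, 125.32.42.30 shows 4 attempts against 3 distinct names, which is the "single source, many usernames" pattern of a dictionary run rather than a mistyped login.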

11 REPLIES
Community Veteran
Posts: 4,938
Thanks: 357
Fixes: 16
Registered: 10-06-2010

Re: SSH under pointless(?) attack

I expect they don't give up because they actually found an SSH server rather than the more usual connection timeout.
Community Veteran
Posts: 3,380
Thanks: 2
Registered: 18-01-2013

Re: SSH under pointless(?) attack

Just install Fail2Ban and set it to three strikes and a four hour ban.
I've got mine to email me at a Hotmail address every time an intrusion is detected. Most hackers seem to give up after a few bans.
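The "three strikes, four hour ban, email me" setting described in this reply maps onto a handful of fail2ban options. The fragment below is an added example, not the poster's own configuration: it goes in `jail.local`, which overrides `jail.conf` without being overwritten on upgrade. Times are in seconds (14400 = four hours); the email addresses are placeholders, and `findtime` (the window in which the three failures must occur) is an assumed value since the reply does not state one.

```ini
# /etc/fail2ban/jail.local  (added example, not from the thread)
[DEFAULT]
# ban for four hours after maxretry failures within findtime
bantime  = 14400
findtime = 600
maxretry = 3

# mail notification (addresses are placeholders)
destemail = you@example.com
sender    = fail2ban@example.com
mta       = sendmail
# action_mw = ban + mail with a whois report; use %(action_)s for ban only
action    = %(action_mw)s

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
```

After editing, `fail2ban-client reload` applies it and `fail2ban-client status sshd` shows the jail's counters. If sshd is later moved to a non-standard port, `port` in the `[sshd]` jail has to follow it or the ban rule will block the wrong port.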
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: SSH under pointless(?) attack

Thanks - I'll see if they discover my IP address soon.

kmilburn
Grafter
Posts: 902
Thanks: 2
Registered: 30-07-2007

Re: SSH under pointless(?) attack

Another handy tool is denyhosts.
Community Veteran
Posts: 1,136
Thanks: 2
Registered: 30-07-2007

Re: SSH under pointless(?) attack

Yep, I use fail2ban here; I also have it looking at my mail logs for people poking at my webmail / imaps / smtps servers.
Status for the jail: freebsd-ipfw-sendmail
|- filter
|  |- File list: /var/log/maillog
|  |- Currently failed: 793
|  `- Total failed: 972
`- action
  |- Currently banned: 30

Status for the jail: freebsd-ipfw-sshd
|- filter
|  |- File list: /var/log/auth.log
|  |- Currently failed: 78
|  `- Total failed: 814
`- action
  |- Currently banned: 216

I think I have my ban time set to a year (I have earlier firewall rules which explicitly grant access from a select few IP addresses in case I lock myself out!)
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
kjpetrie
Rising Star
Posts: 109
Thanks: 9
Fixes: 1
Registered: 19-12-2010

Re: SSH under pointless(?) attack

There are plenty of robots out there trying to brute force their way into any SSH port they find by trying huge combinations of user names and common passwords. Occasionally they succeed and then they've got a valuable *nix machine to add to the botnet. Once they're in a normal account they can try to brute force their way into root with su, and it's only a matter of time before they get that too. Then they own your machine and could even lock you out if they want, though that's not usually in their interest and they're more likely to install a rootkit.
Fail2ban will catch rapid attacks and slow them down, but won't catch distributed slow attacks from botnets. It's a start.
The first question you need to consider is firewall rules (iptables or pf). Do you need your SSH port open to the world or just a few addresses? If you drop packets from anywhere else your port will be stealthed to all except your chosen networks and that will reduce the risk a lot.
Changing your IP address will hold them off for a few minutes or even hours, which is how long it takes for my port to be attacked when I open it to the world. I'm working on that, as I only ever need to open it to the UK at most.
Community Veteran
Posts: 4,938
Thanks: 357
Fixes: 16
Registered: 10-06-2010

Re: SSH under pointless(?) attack

You could also run SSH on a non-standard port and require the use of a key to log in, so there's no password to guess; that way, to log in you'd need the key file and the password to unlock the key.
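The sshd settings that implement this reply, as an added example rather than the poster's own configuration: the port number and the user list are placeholders. Moving the port only reduces log noise from scanners that try port 22; it is `PasswordAuthentication no` that removes the guessable secret, which is what stops the dictionary run in the original post from ever succeeding.

```conf
# /etc/ssh/sshd_config  (added example, not from the thread; values are placeholders)
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers alice bob
```

Check the file with `sshd -t` before restarting, and keep an existing session open while you test a new one from another terminal, so a typo or a missing `authorized_keys` entry does not lock you out of the box.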
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: SSH under pointless(?) attack

Another failing of fail2ban is that any blocking disappears on a reboot.
So I need to capture the attacker IP address and apply it to iptables on a semi-permanent basis.
Or perhaps they could go in /etc/hosts.deny?
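The two ideas in this post (a blocklist that survives reboots, and `/etc/hosts.deny`) and kjpetrie's earlier advice to accept SSH only from chosen networks can be served by one small script. The script below is an added example, not code from the thread or from any poster: it keeps the blocked addresses in a plain file, and renders that file both as `hosts.deny` lines and as the iptables commands to rebuild the policy at boot. The file path, the chain name `SSH_POLICY` and the allow-listed network are hypothetical; the sample addresses are the one from the original post plus documentation-range values. Two caveats a practitioner should know: `hosts.deny` is only honoured by an sshd built with tcp_wrappers (OpenSSH dropped that support in 6.7), so the iptables path is the dependable one; and the ACCEPT rules for trusted networks are emitted first, exactly so that a stale blocklist entry can never lock the administrator out, which is the ordering the earlier poster describes with "earlier firewall rules which explicitly grant access".

```shell
#!/bin/sh
# Added example (not from the thread): a reboot-safe SSH blocklist kept in a
# plain file, rendered as /etc/hosts.deny lines and as iptables commands.
# Paths, the SSH_POLICY chain and the allow-listed network are hypothetical.

# add_blocked FILE IP...: append each IP to FILE unless already present.
# Prints the number of addresses newly added.
add_blocked() {
    file="$1"; shift
    added=0
    [ -f "$file" ] || : > "$file"
    for ip in "$@"; do
        if ! grep -qxF "$ip" "$file"; then
            printf '%s\n' "$ip" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# render_hosts_deny FILE: one "sshd: IP" line per blocked address (skips blank
# and "#" lines). Only effective if sshd was built with tcp_wrappers.
render_hosts_deny() {
    awk 'NF && $1 !~ /^#/ { print "sshd: " $1 }' "$1"
}

# render_iptables FILE [ALLOW_CIDR...]: print the commands that rebuild the
# policy at boot. Order: ACCEPT trusted networks first (no self-lockout), then
# DROP each blocked address, then RETURN to normal INPUT processing. To stealth
# the port to everyone else, as kjpetrie suggests, change the RETURN to DROP.
# Commands are printed, not executed, so they can be reviewed or piped to sh.
render_iptables() {
    file="$1"; shift
    printf '%s\n' "iptables -N SSH_POLICY 2>/dev/null || iptables -F SSH_POLICY"
    for cidr in "$@"; do
        printf '%s\n' "iptables -A SSH_POLICY -s $cidr -j ACCEPT"
    done
    awk 'NF && $1 !~ /^#/ { print "iptables -A SSH_POLICY -s " $1 " -j DROP" }' "$file"
    printf '%s\n' "iptables -A SSH_POLICY -j RETURN"
    printf '%s\n' "iptables -C INPUT -p tcp --dport 22 -j SSH_POLICY 2>/dev/null || iptables -I INPUT -p tcp --dport 22 -j SSH_POLICY"
}

# Stand-alone demo on a temporary file. Real use would point at a persistent
# path such as /var/lib/sshblock/blocked.txt (hypothetical) and run the
# rendered iptables commands from a boot script.
demo=$(mktemp)
add_blocked "$demo" 125.32.42.30 203.0.113.7 >/dev/null   # constructed sample IPs
echo "--- hosts.deny lines:"
render_hosts_deny "$demo"
echo "--- iptables commands (192.0.2.0/24 is a placeholder trusted network):"
render_iptables "$demo" 192.0.2.0/24
rm -f "$demo"
```

The file is the source of truth: whatever fail2ban or denyhosts decides at runtime is forgotten on reboot, but anything appended with `add_blocked` is re-applied every time the rendered commands run, so the "semi-permanent" block the post asks for costs one line in a startup script.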

kmilburn
Grafter
Posts: 902
Thanks: 2
Registered: 30-07-2007

Re: SSH under pointless(?) attack

That's where denyhosts comes in handy.
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: SSH under pointless(?) attack

Thanks - denyhosts seems superior to fail2ban.

dragon2611
Grafter
Posts: 283
Registered: 20-10-2013

Re: SSH under pointless(?) attack

Bit of an old thread, but I fancy a resurrection.
http://www.configserver.com/cp/csf.html
This is quite a nice Linux firewall with automated brute-force tracking/blocking.
Oh, and once someone triggers a perm ban it should persist across reboots.