ARCHIVES - Security: Want to know if you should really apply the latest kernel patch? Want to know how to configure your firewall? Discuss any Security related topics in here!
Output of 'tail -n 500 /var/log/messages'
They are coming from http://wq.apnic.net/apnic-bin/whois.pl . Should I be concerned? I have set in my sshd "allowusers XXXXX" - this represents only *ME*. What do I do???
That is a typical log of an ssh brute-force attack. Try a forum / google search on the topic.
There are more ways to protect from these - one of them being not using normal auth with a password but ssh key authentication. There are some programs that will block the offending IP when an ssh brute-force attack is detected. Good luck. PS: The IP is from Korea, most likely a hacked computer.
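The check described in this thread, as an added example that is not part of any post: it pulls the "Failed password" lines out of syslog-style sshd output (the kind `tail /var/log/messages` shows), counts them per source IP, and prints the /etc/hosts.deny line for any address over a threshold. The log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source IP and flag likely
# brute-force sources. Sample lines are constructed in the format sshd
# writes to /var/log/messages; the addresses are documentation ranges.
SAMPLE_LOG='Mar  3 04:12:01 host sshd[2311]: Invalid user test from 192.0.2.10
Mar  3 04:12:01 host sshd[2311]: Failed password for invalid user test from 192.0.2.10 port 51122 ssh2
Mar  3 04:12:03 host sshd[2313]: Failed password for invalid user admin from 192.0.2.10 port 51130 ssh2
Mar  3 04:12:05 host sshd[2315]: Failed password for invalid user oracle from 192.0.2.10 port 51140 ssh2
Mar  3 04:12:07 host sshd[2317]: Failed password for root from 192.0.2.10 port 51150 ssh2
Mar  3 04:15:40 host sshd[2390]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 04:15:48 host sshd[2392]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2'

# failed_by_ip: reads log lines on stdin and prints "count ip" for every
# IP that produced at least one "Failed password" line, most attempts first.
# "Invalid user" and "Accepted" lines are ignored on purpose: only real
# authentication failures are counted.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# brute_force_ips THRESHOLD: prints the IPs with at least THRESHOLD failures.
brute_force_ips() {
    failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# hosts_deny_line IP: the line added to /etc/hosts.deny later in the thread.
hosts_deny_line() {
    printf 'ALL: %s\n' "$1"
}

# Example run over the constructed log: one IP with four failures is
# flagged, the single failed login from 198.51.100.7 is not.
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 3 | while read -r ip; do
    hosts_deny_line "$ip"
done
```

Replace the sample with `tail -n 500 /var/log/messages | brute_force_ips 5` to run it over the real log; a legitimate user who mistypes a password once or twice stays well under a threshold of 5.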
Quote:
I'm definitely no expert on these things but yes, your PC is being attacked. Some people might set up a test account, and (bravely :lol: ) maybe not even password protect it, for checking out new apps etc, so the attacker (script?) is trying the weakest possible accounts first and then working through all possible names for the user account name... then it will start attacking the password and then he is in. It would be better to protect your ssh login with a pgp key. There is a great podcast tutorial at Linux Reality. I don't remember which episode but check out Episode 47 OpenPGP and Episode 51 VNC, which discusses using an encrypted SSH tunnel and pgp or gpg for security.
Infected computer? D'ya think it may have windows on it?
I've added this to /etc/hosts.deny: ALL: xx.xx.xx.xx (ip address of intruder). I did not need to restart sshd, but I did it anyways. All is well for now ......................... dun dun duuun.
Port knocking would take care of such a problem.
Setting an unusual listen port may somewhat help too (it only works for stupid robots though).
Quote:
"Port knocking is a stealthy network authentication system that uses closed ports to carry out identification of trusted users......" Read more here
In addition to "ssh Key Authentication", another thing that you can do is change your ssh port # (for example, if one has an external router and a LAN, then map a high port number to each PC), i.e.
- map router port 8001 to PC#1's port-22,
- map router port 8002 to PC#2's port-22,
- map router port 8003 to PC#3's port-22.
Once in place, that is very easy to remember and gives one easy access to any PC.

For defence against Brute Force attacks, I have also read about an app called "fail2ban", which I note is also available for SuSE.
http://www.fail2ban.org/wiki/index.php/Main_Page
http://www.ducea.com/2006/07/03/using-fail...-force-attacks/
General downloads: http://www.fail2ban.org/wiki/index.php/Downloads
SuSE specific downloads: ftp://ftp.rauchs-home.de/suse/
For example, for SuSE-10.2: ftp://ftp.rauchs-home.de/suse/10.2/RPMS/noarch/
I have not tried this myself.

I have not implemented ssh Key Authentication (yet) although I am considering it. The reason why I have NOT implemented it is that I like the flexibility to jump on a friend's PC (when I don't have my usb stick with my authentication key with me) and access my home pc. I believe I lose that flexibility with ssh Key Authentication. My current defences are ssh mapped to a different port (as noted above, and it is easy for me to remember) and also disabling root ssh access on each PC. Plus I note that having a good password for both user root and regular user "oldpu" helps. But I think I may check out "fail2ban" as a further defence, which I'm hoping will also not limit my remote access flexibility.
Quote:
http://en.wikipedia.org/wiki/Port_knocking
http://www.linuxjournal.com/article/6811
http://www.portknocking.org/
I believe in such a case one can then defend more than just port#22. I've also read one can configure their firewall to only allow one connection per minute per ip address. Hence, if a connection attempt fails, the firewall will drop all connections from that ip address until there has been at least one minute since the last attempt. I believe that will slow down the speed of a brute force attack. I haven't checked (yet) to see how this can be done in openSUSE. (I'm wondering if this might not also help in case of a Denial of Service attack, although a private user like myself is unlikely to ever be targeted in a Denial of Service attack).
As oldcpu says, it's fairly straightforward to add some firewall rules along these lines:

iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 2/min --limit-burst 2 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j DROP

This will allow only three ssh attempts in any minute. I employ this idea on my machine and it's very effective at stopping dictionary attacks - however it's no good if you expect lots of genuine logins to your sshd.