
Thread: SSHD: Break-in attempts

  1. #1

    Exclamation SSHD: Break-in attempts

    Hi everyone,

    I have been using FreeNX for some time to be able to remotely connect from work to my home desktop, which runs openSUSE 10.3. Of course, for that I have kept the SSHD service running on my desktop, on the default port, 22.

    As I looked today in the syslog (/var/log/messages), I saw numerous break-in attempts, some IPs consistently trying out various usernames for the SSH login. This is an extract from the log:

    Code:
    Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
    Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
    Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
    Jun 27 23:32:25 linux-0l38 sshd[13783]: Invalid user newsroom from 67.171.151.126
    Jun 27 23:32:35 linux-0l38 sshd[13819]: Invalid user magazine from 67.171.151.126
    Jun 27 23:32:49 linux-0l38 sshd[13863]: Invalid user research from 67.171.151.126
    Jun 27 23:32:56 linux-0l38 sshd[13889]: Invalid user cjohnson from 67.171.151.126
    Jun 27 23:33:05 linux-0l38 sshd[13902]: Invalid user export from 67.171.151.126
    Jun 27 23:33:14 linux-0l38 sshd[13909]: Invalid user photo from 67.171.151.126
    Jun 27 23:33:28 linux-0l38 sshd[13919]: Invalid user gast from 67.171.151.126
    Jun 27 23:33:39 linux-0l38 sshd[13932]: Invalid user murray from 67.171.151.126
    Jun 27 23:33:46 linux-0l38 sshd[13939]: Invalid user falcon from 67.171.151.126
    Jun 27 23:33:58 linux-0l38 sshd[13958]: Invalid user fly from 67.171.151.126
    Jun 27 23:34:13 linux-0l38 sshd[13962]: Invalid user gerry from 67.171.151.126
    I also found a different type of attack:
    Code:
    Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
    Jun 17 05:07:45 linux-0l38 sshd[16884]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134
    Now I'm not sure I should be really worried about this, but for the moment I shut down the SSHD service and what I really would like to do is to create some rules in the firewall to deal with these threats, something like "if an IP address attempts to connect for 3 times and fails --> put it on a blacklist".

    Here I turn to you, because I don't know how to do that in iptables.

    Thank you very much for your help,
    glu
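    The rule asked for above ("three failed attempts from one address, then blacklist it") is what tools such as fail2ban and denyhosts implement. As an added illustration, not code from this thread or from either of those projects, the following Python script shows the core of that logic on sshd syslog lines: it counts "Invalid user" and "Failed password" events per source address inside a sliding time window, ignores lines that are not failed logins (the "reverse mapping checking getaddrinfo ... POSSIBLE BREAK-IN ATTEMPT!" line is an rDNS mismatch warning, not a failed authentication), and emits an iptables DROP rule for each address that crossed the threshold. The sample log is constructed here, modelled on the excerpt in the post (same two source addresses plus one successful key login from 192.0.2.10, a documentation address); syslog timestamps carry no year, so the year is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the excerpt quoted in the post above.
SAMPLE_LOG = """\
Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
Jun 27 23:32:25 linux-0l38 sshd[13783]: Invalid user newsroom from 67.171.151.126
Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134
Jun 17 05:09:02 linux-0l38 sshd[16890]: Accepted publickey for glu from 192.0.2.10 port 51234 ssh2
"""

# Generic syslog prefix written by sshd: "<Mon dd HH:MM:SS> <host> sshd[<pid>]: <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# The two sshd messages that mean a failed login; everything else is ignored.
FAIL_RE = re.compile(
    r"^(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins(log_text, year=2008):
    """Return a list of (source_ip, timestamp) for every failed login line.

    `year` is an assumption: syslog lines carry no year, so one is supplied.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue  # rDNS warnings, accepted logins, etc. are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((f.group("ip"), ts))
    return events


def offenders(events, threshold=3, window_seconds=600):
    """Map each source IP that produced `threshold` failures within any
    `window_seconds` span to the timestamp at which the threshold was crossed."""
    per_ip = defaultdict(list)
    for ip, ts in events:
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts
                break
    return flagged


def iptables_rules(flagged, port=22):
    """Render one DROP rule per flagged address (inserted at the top of INPUT
    so it takes precedence over any later ACCEPT for the SSH port)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    bad = offenders(failed_logins(SAMPLE_LOG))
    for ip, when in sorted(bad.items()):
        print(f"# {ip}: threshold reached at {when:%b %d %H:%M:%S}")
    for rule in iptables_rules(bad):
        print(rule)
```

    On the sample, 67.171.151.126 reaches three failures within 18 seconds and gets a rule; 82.77.195.134 only logged two and stays below the default threshold. Two things the real tools add that this sketch omits: the blocks expire after a while, so a mistyped password from your own workplace does not lock you out permanently, and the log is followed continuously rather than parsed once.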

  2. #2
    Join Date
    Jun 2008
    Location
    Finland, European Union
    Posts
    1,879

    Default Re: SSHD: Break-in attempts

    That's pretty normal - they're "zombies", machines that scan the network (usually certain ports such as 21, 22, 80, 443 etc.) for known vulnerabilities or try simple brute force methods to crack *really* weak passwords.

    Best solution is to block 22, open it for IPs that are your own or change the ssh port to some random number.

    Nothing to worry about.

  3. #3
    Join Date
    Jan 2008
    Location
    N40 44.977 W073 59.356
    Posts
    1,170

    Default Re: SSHD: Break-in attempts

    glumetu wrote:
    > Hi everyone,
    >
    > I have been using for some time the FreeNX to be able to remotely
    > connect from work to my home desktop, which runs openSUSE 10.3. Of
    > course for that I have kept running the SSHD service on my desktop,
    > with the default port to 22.
    >
    > As I looked today in the syslog (/var/log/messages), I have seen
    > numerous break-in attempts, some IP's consistently trying out various
    > usernames for the SSH login. This is an extract from the log:
    >
    >
    > Code:
    > --------------------
    > Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
    > Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
    > Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
    > Jun 27 23:32:25 linux-0l38 sshd[13783]: Invalid user newsroom from 67.171.151.126
    > Jun 27 23:32:35 linux-0l38 sshd[13819]: Invalid user magazine from 67.171.151.126
    > Jun 27 23:32:49 linux-0l38 sshd[13863]: Invalid user research from 67.171.151.126
    > Jun 27 23:32:56 linux-0l38 sshd[13889]: Invalid user cjohnson from 67.171.151.126
    > Jun 27 23:33:05 linux-0l38 sshd[13902]: Invalid user export from 67.171.151.126
    > Jun 27 23:33:14 linux-0l38 sshd[13909]: Invalid user photo from 67.171.151.126
    > Jun 27 23:33:28 linux-0l38 sshd[13919]: Invalid user gast from 67.171.151.126
    > Jun 27 23:33:39 linux-0l38 sshd[13932]: Invalid user murray from 67.171.151.126
    > Jun 27 23:33:46 linux-0l38 sshd[13939]: Invalid user falcon from 67.171.151.126
    > Jun 27 23:33:58 linux-0l38 sshd[13958]: Invalid user fly from 67.171.151.126
    > Jun 27 23:34:13 linux-0l38 sshd[13962]: Invalid user gerry from 67.171.151.126
    > --------------------
    >
    >
    > I also found a different type of attack:
    >
    > Code:
    > --------------------
    > Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
    > Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
    > Jun 17 05:07:45 linux-0l38 sshd[16884]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
    > Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134
    > --------------------
    >
    >
    > Now I'm not sure I should be really worried about this, but for the
    > moment I shut down the SSHD service and what I really would like to do
    > is to create some rules in the firewall to deal with these threats,
    > something like "if an IP address attempts to connect for 3 times and
    > fails --> put it on a blacklist".
    >
    > Here I turn to you, because I don't know how to do that in iptables.
    >
    > Thank you very much for your help,
    > glu
    >
    >

    You could check out denyhosts or fail2ban as they both do this. Also,
    think about denying root login if you haven't already and maybe changing
    to key authentication.

  4. #4
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    27,108
    Blog Entries
    40

    Default Re: SSHD: Break-in attempts

    Quote Originally Posted by glumetu
    I have been using for some time the FreeNX to be able to remotely connect from work to my home desktop, which runs openSUSE 10.3. Of course for that I have kept running the SSHD service on my desktop, with the default port to 22.
    If your home PC is behind a router (with a firewall) then one simple approach is to close port#22 on the router, but leave port#22 open on your PC. Then in your router, map port#41001 (or some number like that) to port#22 on your PC. Most routers have a very easy menu to follow to set that up.

    To ssh from work, then you simply:
    ssh -X username@home-router-ip-address -p 41001

    If the above was for PC#1, and you have a second PC (PC#2) on your home LAN, then map port#41002 (or some different number like that) to port#22 on PC#2. Then to connect to PC#2 via ssh from work, you simply:
    ssh -X username@home-router-ip-address -p 41002

    Also, ensure you have closed all ssh root access to your PCs.

  5. #5

    Default Re: SSHD: Break-in attempts

    Thanks a lot for your messages!

    Indeed, in the meanwhile I did try denyhosts and it really does the job. I hope I have not messed up the settings since I followed a Gentoo guide, but the first time I ran it I had /etc/hosts.deny filled with those IPs that tried to break in, so it did parse the syslog.

    And of course I disallowed login to root (duh, should have done that from the very beginning)... and I do not use a password to connect through SSH.

    So I guess I should be pretty safe now, even though I _should_ really consider moving to another port than 22. But OK, too many changes for now, I need to let the knowledge settle in a bit.

    I understand these kinds of brute force attacks are pretty common and rarely successful, especially if I do the above steps.

    Thank you very much for your help!

    regards,
    glu
