Intrusion attempt 7:04 - enable sshd port .. Jul 9 08:43:23 fir sshd[7182]: Invalid user guest7

I noticed some sluggishness and checked the log with CNTRL-ALT-F10.
This is after a fresh test install of 12.1 M2. At 7:04 I opened the ssh port on the external interface.

So I can run sshd on a non-standard port. Is there anything included in the distro to monitor & block addresses for a while after multiple failures, to stymie an automated brute force attack like this?

Jul 9 07:04:59 fir SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
Jul 9 07:05:00 fir SuSEfirewall2: Firewall rules successfully set

Things were normal till a few minutes after I used Firefox sync; it may have been a coincidence (a random port 22 scan) or perhaps it’s targeted, looking for stored passwords.

Jul 9 07:04:59 fir SuSEfirewall2: Firewall rules unloaded.
Jul 9 07:04:59 fir SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
Jul 9 07:05:00 fir SuSEfirewall2: Firewall rules successfully set

Jul 9 08:26:07 fir sshd[6982]: Did not receive identification string from 222.152.64.186
Jul 9 08:42:59 fir sshd[7177]: Did not receive identification string from 121.78.116.92
Jul 9 08:43:23 fir sshd[7182]: Invalid user guest7 from 121.78.116.92
Jul 9 08:43:23 fir sshd[7187]: gkr-pam: error looking up user information
Jul 9 08:43:24 fir sshd[7182]: error: PAM: User not known to the underlying authentication module for illegal user guest7 from 121.78.116.92
Jul 9 08:43:24 fir sshd[7182]: Failed keyboard-interactive/pam for invalid user guest7 from 121.78.116.92 port 42495 ssh2
Jul 9 08:43:27 fir sshd[7188]: Invalid user guest8 from 121.78.116.92
Jul 9 08:43:27 fir sshd[7192]: gkr-pam: error looking up user information
Jul 9 08:43:27 fir sshd[7188]: error: PAM: User not known to the underlying authentication module for illegal user guest8 from 121.78.116.92
Jul 9 08:43:27 fir sshd[7188]: Failed keyboard-interactive/pam for invalid user guest8 from 121.78.116.92 port 44315 ssh2
Jul 9 08:43:30 fir sshd[7193]: Invalid user guest9 from 121.78.116.92
Jul 9 08:43:30 fir sshd[7200]: gkr-pam: error looking up user information
Jul 9 08:43:30 fir sshd[7193]: error: PAM: User not known to the underlying authentication module for illegal user guest9 from 121.78.116.92
Jul 9 08:43:30 fir sshd[7193]: Failed keyboard-interactive/pam for invalid user guest9 from 121.78.116.92 port 46129 ssh2
Jul 9 08:43:33 fir sshd[7201]: Invalid user guest10 from 121.78.116.92
Jul 9 08:43:33 fir sshd[7205]: gkr-pam: error looking up user information
Jul 9 08:43:33 fir sshd[7201]: error: PAM: User not known to the underlying authentication module for illegal user guest10 from 121.78.116.92
Jul 9 08:43:33 fir sshd[7201]: Failed keyboard-interactive/pam for invalid user guest10 from 121.78.116.92 port 47874 ssh2
Jul 9 08:43:37 fir sshd[7206]: Invalid user michael from 121.78.116.92
Jul 9 08:43:37 fir sshd[7210]: gkr-pam: error looking up user information
Jul 9 08:43:37 fir sshd[7206]: error: PAM: User not known to the underlying authentication module for illegal user michael from 121.78.116.92
Jul 9 08:43:37 fir sshd[7206]: Failed keyboard-interactive/pam for invalid user michael from 121.78.116.92 port 49691 ssh2
Jul 9 08:43:40 fir sshd[7211]: Invalid user gigi from 121.78.116.92
Jul 9 08:43:40 fir sshd[7215]: gkr-pam: error looking up user information
Jul 9 08:43:40 fir sshd[7211]: error: PAM: User not known to the underlying authentication module for illegal user gigi from 121.78.116.92
Jul 9 08:43:40 fir sshd[7211]: Failed keyboard-interactive/pam for invalid user gigi from 121.78.116.92 port 51515 ssh2
Jul 9 08:43:43 fir sshd[7216]: Invalid user france from 121.78.116.92
Jul 9 08:43:43 fir sshd[7220]: gkr-pam: error looking up user information
Jul 9 08:43:43 fir sshd[7216]: error: PAM: User not known to the underlying authentication module for illegal user france from 121.78.116.92
Jul 9 08:43:43 fir sshd[7216]: Failed keyboard-interactive/pam for invalid user

Jul 9 08:48:29 fir sshd[7581]: error: PAM: Authentication failure for root from 121.78.116.92
Jul 9 08:48:34 fir sshd[7590]: error: PAM: Authentication failure for root from 121.78.116.92
Jul 9 08:48:38 fir sshd[7594]: error: PAM: Authentication failure for root from 121.78.116.92

Jul 9 09:00:16 fir sshd[8275]: Invalid user linux2 from 121.78.116.92
Jul 9 09:00:16 fir sshd[8279]: gkr-pam: error looking up user information
Jul 9 09:00:16 fir sshd[8275]: error: PAM: User not known to the underlying authentication module for illegal user linux2 from 121.78.116.92
Jul 9 09:00:16 fir sshd[8275]: Failed keyboard-interactive/pam for invalid user linux2 from 121.78.116.92 port 53653 ssh2

Jul 9 09:00:52 fir sshd[8321]: Failed keyboard-interactive/pam for invalid user linux10 from 121.78.116.92 port 41683 ssh2
Jul 9 09:00:56 fir sshd[8326]: Invalid user test1 from 121.78.116.92
Jul 9 09:00:56 fir sshd[8330]: gkr-pam: error looking up user information
Jul 9 09:00:57 fir sshd[8326]: error: PAM: User not known to the underlying authentication module for illegal user test1 from 121.78.116.92
Jul 9 09:00:57 fir sshd[8326]: Failed keyboard-interactive/pam for invalid user test1 from 121.78.116.92 port 43634 ssh2
Jul 9 09:01:01 fir sshd[8331]: Invalid user test2 from 121.78.116.92

Jul 9 09:01:42 fir sshd[8382]: error: PAM: Authentication failure for news from 121.78.116.92
Jul 9 09:01:50 fir sshd[8392]: error: PAM: Authentication failure for mail from 121.78.116.92
Jul 9 09:01:55 fir sshd[8400]: Failed keyboard-interactive/pam for invalid user operator from 121.78.116.92 port 42213 ssh2
Jul 9 09:02:00 fir sshd[8405]: Failed keyboard-interactive/pam for invalid user postmaster from 121.78.116.92 port 44143 ssh2
Jul 9 09:02:04 fir sshd[8410]: Invalid user melanie from 121.78.116.92
Jul 9 09:02:12 fir sshd[8418]: Invalid user dennis from 121.78.116.92
Jul 9 09:02:18 fir sshd[8423]: Invalid user oracle from 121.78.116.92
Jul 9 09:02:24 fir sshd[8436]: Invalid user arnold from 121.78.116.92
Jul 9 09:02:33 fir sshd[8479]: Invalid user ed from 121.78.116.92
Jul 9 09:02:39 fir sshd[8484]: Invalid user sales from 121.78.116.92
Jul 9 09:02:44 fir sshd[8489]: Invalid user server from 121.78.116.92
8.116.92 port 34258 ssh2
Jul 9 09:02:52 fir sshd[8497]: Invalid user elke from 121.78.116.92

Jul 9 09:03:16 fir sshd[8523]: Invalid user rpm from 121.78.116.92
Jul 9 09:03:21 fir sshd[8532]: Invalid user smmsp from 121.78.116.92
Jul 9 09:03:25 fir sshd[8540]: Invalid user apache from 121.78.116.92
Jul 9 09:03:38 fir sshd[8560]: Invalid user mailman from 121.78.116.92

Jul 9 09:06:13 fir sshd[8959]: Invalid user erika from 121.78.116.92
Jul 9 09:06:13 fir sshd[8963]: gkr-pam: error looking up user information
Jul 9 09:06:14 fir sshd[8959]: error: PAM: User not known to the underlying authentication module for illegal user erika from 121.78.116.92
Jul 9 09:06:14 fir sshd[8959]: Failed keyboard-interactive/pam for invalid user erika from 121.78.116.92 port 60606 ssh2
Jul 9 09:06:15 fir SuSEfirewall2: Firewall rules unloaded.
Jul 9 09:06:15 fir SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 …
Jul 9 09:06:15 fir SuSEfirewall2: Firewall rules successfully set
Jul 9 09:06:18 fir sshd[9111]: Invalid user david from 121.78.116.92
Jul 9 09:06:18 fir sshd[9146]: gkr-pam: error looking up user information
Jul 9 09:06:19 fir sshd[9111]: error: PAM: User not known to the underlying authentication module for illegal user david from 121.78.116.92
Jul 9 09:06:19 fir sshd[9111]: Failed keyboard-interactive/pam for invalid user david from 121.78.116.92 port 34380 ssh2

Jul 9 09:06:46 fir acpid: 1 client rule loaded
Jul 9 09:16:24 fir squid[5639]: logfileOpen: opening log /var/log/squid/netdb.state
Jul 9 09:16:24 fir squid[5639]: logfileClose: closing log /var/log/squid/netdb.state
Jul 9 09:16:24 fir squid[5639]: NETDB state saved; 0 entries, 0 msec
Jul 9 09:17:55 fir smartd[2866]: Device: /dev/sdb [SAT], SMART Usage Attribute: 190 Airflow_Temperature_Cel changed from 59 to 60

One way of several is to use the ipt_recent module of netfilter for rate limiting, described here:

Virtual Brain Online Knowledge Base - Search Page

There are other pages on the web that describe the same thing, but the syntax is oriented to other frontends like shorewall.

There are user space utilities like fail2ban for the same task.

If you can change the listening port away from 22 that would be even better, it will cut out most of the noise.

Even better still is to go to public key authentication, but that means you have to carry the key around with you and can’t just login on a whim from anywhere.

On 07/09/2011 11:36 AM, robopensuse wrote:
>
> I noticed some sluggishness and checked log with CNTRL-ALT-F10
> This is after a fresh test install of 12.1 M2. At 7:04 I opened the
> ssh port on external interface.
>
> So can run sshd on non-standard port. Anything included in distro to
> monitor& block addresses for a while after multiple failures to stymie
> automated brute force attack like this?

Those do not cause sluggishness, they just fill the logs.

Better not use username ‘test’ and password ‘aaron’ though.
Always use strong passwords.

But there’s a python script that works like a charm, called ‘blockhosts’.

You can 1-click install it, and find it with the suse software search engine.

I made some notes some time ago:
http://waxborg.servepics.com/howto/harden-ssh

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.14-0.8-default “Evergreen” main host
openSUSE 11.4 (x86_64) 2.6.37.6-0.5-desktop in VirtualBox
openSUSE 11.4 (i586) 2.6.39.2-35-desktop “Tumbleweed” in EeePC 900

On 07/09/2011 10:36 AM, robopensuse wrote:
>
> This is after a fresh test install of 12.1 M2.

All problems encountered with any milestone or beta software should be
made to the beta/unreleased forum here: http://tinyurl.com/2du7r4s


DD
-Caveat-Hardware-Software-

On 07/09/2011 01:21 PM, DenverD wrote:
> On 07/09/2011 10:36 AM, robopensuse wrote:
>>
>> This is after a fresh test install of 12.1 M2.
>
> all problems encountered with any milestone or beta software should be
> made to the beta/unreleased forum here: http://tinyurl.com/2du7r4s
>

Luckily the OP has discovered that his system replies to ssh log-in
attempts as it should. :slight_smile:

And now that he knows that ssh is not the culprit to sluggishness he can
investigate further and ask in the appropriate forum :slight_smile:

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.14-0.8-default “Evergreen” main host
openSUSE 11.4 (x86_64) 2.6.37.6-0.5-desktop in VirtualBox
openSUSE 11.4 (i586) 2.6.39.2-35-desktop “Tumbleweed” in EeePC 900

Exactly, can’t file an ssh or pam bug saying I got pwned! Part of the reason to post was to show it really does happen :slight_smile:

The sluggishness was actually likely a graphics issue; it was coincidence that the log showed this attack, though I often do notice when a system is logging things at a fair rate, and that suspicion that some error was occurring is what drew my attention.

Agree, setting up keys will be better than passwords and also using an alternative port; it’s just annoying to be burdened with all this diddling. Will look into the filter; having had server boxes at Network Centres in the past, getting scanned was pretty common. The surprise in this case was how swiftly it happened. I’m wondering if they’re hammering with common user names on the blowfish passwd keys, after recent publicity about the sign extension bug breaking the current password hashes (use SHA-512).

I can explicitly allow a few hosts, but I think doing the filter is a good idea anyway, as the intrusion was wasting my resources; dropping the packets costs very little and likely slows things considerably.

Rob

On 07/09/2011 11:36 PM, robopensuse wrote:
>
> Vahis;2362444 Wrote:
>> On 07/09/2011 01:21 PM, DenverD wrote:
>>> On 07/09/2011 10:36 AM, robopensuse wrote:
>>>>
>>>> This is after a fresh test install of 12.1 M2.
>>>
>>> all problems encountered with any milestone or beta software should
>> be
>>> made to the beta/unreleased forum here: ‘Pre-Release/Beta’
>> (http://tinyurl.com/2du7r4s)
>>>
>>
>> Luckily the OP has discovered that his system replies to ssh log-in
>> attempts as it should. :slight_smile:
> Exactly, can’t file an ssh or pam bug saying I got pwned! Part of the
> reason to post was to show it really does happen :slight_smile:
>
> The sluggishness was actually likely a graphics issue, it was
> coincidence that the log showed this attack, though I often do notice
> when a system is logging things at fair rate; and that suspicion that
> some error was occurring is what drew my attention.

>
> Agree, setting up keys will be better than passwords and also using an
> alternative port, it’s just annoying to be burdened with all this
> diddling. Will look into the filter, having had server boxes at Network
> Centres in past getting scanned was pretty common. The surprise in this
> case, was how swiftly it happened. I’m wondering if they’re hammering
> with common user names, on the blowfish passwd keys, after recent
> publicity about the sign extension bug, breaking the current password
> hashes (use SHA-512).
>
> I can explicitly allow a few hosts, but I think doing the filter is
> good idea anyway, as the intrusion was wasting my resources, dropping
> the packets cost very little and likely slows things considerably.
>

Here’s what blockhosts does:

Jul 10 17:25:59 114 sshd[8908]: Invalid user test from 216.201.82.16
Jul 10 17:26:00 114 sshd[8912]: Invalid user test from 216.201.82.16
Jul 10 17:26:02 114 sshd[8916]: Invalid user test from 216.201.82.16
Jul 10 17:26:07 114 sshd[8932]: Invalid user nagios from 216.201.82.16
Jul 10 17:26:09 114 sshd[8937]: Invalid user nagios from 216.201.82.16
Jul 10 17:26:10 114 sshd[8941]: Invalid user nagios from 216.201.82.16
Jul 10 17:26:10 114 blockhosts[8947]: Notice: count=8, blocking host:
216.201.82.16
Jul 10 17:26:11 114 sshd[8945]: Invalid user postgres from 216.201.82.16
Jul 10 17:26:12 114 sshd[8950]: refused connect from 216.201.82.16
(216.201.82.16)

This blocking has nothing to do with security though.
It just keeps the log tidier if you like.

Important things are:

Not to allow root login
Not to allow ssh1

Those can be set in /etc/ssh/ssh_config

Always use strong passwords. Ones that can’t be found in dictionaries in
any languages.

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.14-0.8-default “Evergreen” main host
openSUSE 11.4 (x86_64) 2.6.37.6-0.5-desktop in VirtualBox
openSUSE 11.4 (i586) 2.6.39.2-35-desktop “Tumbleweed” in EeePC 900
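The counting that blockhosts, fail2ban and the ipt_recent rule mentioned earlier all do, boiled down to an added example (not blockhosts' own code): it parses the sshd failure lines of the kind shown in this thread, counts one event per attempt per source address inside a sliding window, and reports which address would be blocked and when. The sample log, the addresses (documentation ranges) and the year are constructed; syslog lines carry no year, so the parser is told one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two sshd lines that mark one failed attempt each (patterns constructed from this
# thread's log). "Failed keyboard-interactive/pam" is deliberately not counted: it
# follows "Invalid user" for the same attempt and would double the count.
FAIL_PATTERNS = [
    re.compile(r"^Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"),
    re.compile(r"^error: PAM: Authentication failure for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"),
]
SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

def parse_failure(line, year=2011):
    """Return (timestamp, source_ip) for a failure line, else None; syslog has no year."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.match(m["msg"])
        if f:
            return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"), f["ip"]
    return None

def find_blocks(lines, threshold=4, window_s=600):
    """Sliding-window count per source address; returns [(ip, time_of_block), ...]."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}                 # ip -> when it crossed the threshold
    for ts, ip in filter(None, map(parse_failure, lines)):
        if ip in blocked:        # a dropped address produces no further log lines
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire failures outside the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return sorted(blocked.items(), key=lambda kv: kv[1])

# Constructed sample modelled on the thread's log; addresses are documentation ranges.
SAMPLE_LOG = """\
Jul  9 08:43:23 fir sshd[7182]: Invalid user guest7 from 192.0.2.10
Jul  9 08:43:24 fir sshd[7182]: Failed keyboard-interactive/pam for invalid user guest7 from 192.0.2.10 port 42495 ssh2
Jul  9 08:43:27 fir sshd[7188]: Invalid user guest8 from 192.0.2.10
Jul  9 08:43:30 fir sshd[7193]: Invalid user guest9 from 192.0.2.10
Jul  9 08:44:01 fir sshd[7301]: Accepted publickey for rob from 198.51.100.7 port 50122 ssh2
Jul  9 08:48:29 fir sshd[7581]: error: PAM: Authentication failure for root from 192.0.2.10
Jul  9 09:05:00 fir sshd[7700]: Invalid user admin from 198.51.100.7
"""
```

The actual drop is the firewall's job; this only reproduces the decision, and the window shows why a short one lets a slow scanner through.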

There is a special facility in /etc/sysconfig/SuSEfirewall2 at FW_SERVICES_ACCEPT_EXT where you can limit the number of accepted connections to for instance 3 per minute, which also limits the number of log entries. Note that you have to remove port 22/sshd at other locations in this file. In /etc/ssh/sshd_conf you could change the value of MaxAuthTries to less than 6 which is the default. I use 2.

MaxAuthTries merely logs connections that fail to authenticate within 1/2 the number of permitted tries, which will certainly be the case for intruders (or you are in deep trouble) so it just adds to the logfile clutter.