Is that an attack on the server?

Recently I see a lot of sshd lines in my server log:


2013-10-30T14:51:21.901728+01:00 srv sshd[12664]: Postponed keyboard-interactive for invalid user warez from 192.241.237.101 port 54197 ssh2 [preauth]
2013-10-30T14:51:22.095587+01:00 srv sshd[12666]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:51:22.096537+01:00 srv sshd[12666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:51:24.139258+01:00 srv sshd[12664]: error: PAM: User not known to the underlying authentication module for illegal user warez from 192.241.237.101
2013-10-30T14:51:24.140565+01:00 srv sshd[12664]: Failed keyboard-interactive/pam for invalid user warez from 192.241.237.101 port 54197 ssh2
2013-10-30T14:51:24.524131+01:00 srv sshd[12664]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:51:26.055719+01:00 srv sshd[12667]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:26.276832+01:00 srv sshd[12670]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:51:28.340727+01:00 srv sshd[12667]: error: PAM: Authentication failure for root from 192.241.237.101
2013-10-30T14:51:28.730723+01:00 srv sshd[12667]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:51:30.266724+01:00 srv sshd[12671]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:30.267401+01:00 srv sshd[12671]: Invalid user opcione from 192.241.237.101
2013-10-30T14:51:30.267906+01:00 srv sshd[12671]: input_userauth_request: invalid user opcione [preauth]
2013-10-30T14:51:30.272694+01:00 srv sshd[12673]: gkr-pam: error looking up user information
2013-10-30T14:51:30.273423+01:00 srv sshd[12671]: Postponed keyboard-interactive for invalid user opcione from 192.241.237.101 port 55462 ssh2 [preauth]
2013-10-30T14:51:30.470517+01:00 srv sshd[12673]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:51:30.471268+01:00 srv sshd[12673]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:51:32.414731+01:00 srv sshd[12671]: error: PAM: User not known to the underlying authentication module for illegal user opcione from 192.241.237.101
2013-10-30T14:51:32.415531+01:00 srv sshd[12671]: Failed keyboard-interactive/pam for invalid user opcione from 192.241.237.101 port 55462 ssh2
2013-10-30T14:51:32.804523+01:00 srv sshd[12671]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:51:34.330720+01:00 srv sshd[12674]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:34.333707+01:00 srv sshd[12674]: Invalid user opciones from 192.241.237.101
2013-10-30T14:51:34.333745+01:00 srv sshd[12674]: input_userauth_request: invalid user opciones [preauth]
2013-10-30T14:51:34.338694+01:00 srv sshd[12676]: gkr-pam: error looking up user information
2013-10-30T14:51:34.338731+01:00 srv sshd[12674]: Postponed keyboard-interactive for invalid user opciones from 192.241.237.101 port 56082 ssh2 [preauth]
2013-10-30T14:51:34.533715+01:00 srv sshd[12676]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:51:34.534990+01:00 srv sshd[12676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:01.165740+01:00 srv sshd[12794]: error: PAM: User not known to the underlying authentication module for illegal user chaos from 192.241.237.101
2013-10-30T14:54:01.167066+01:00 srv sshd[12794]: Failed keyboard-interactive/pam for invalid user chaos from 192.241.237.101 port 49588 ssh2
2013-10-30T14:54:01.552867+01:00 srv sshd[12794]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:03.124716+01:00 srv sshd[12797]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:03.125704+01:00 srv sshd[12797]: Invalid user janeen from 192.241.237.101
2013-10-30T14:54:03.126713+01:00 srv sshd[12797]: input_userauth_request: invalid user janeen [preauth]
2013-10-30T14:54:03.130694+01:00 srv sshd[12799]: gkr-pam: error looking up user information
2013-10-30T14:54:03.131201+01:00 srv sshd[12797]: Postponed keyboard-interactive for invalid user janeen from 192.241.237.101 port 50161 ssh2 [preauth]
2013-10-30T14:54:03.328707+01:00 srv sshd[12799]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:03.329767+01:00 srv sshd[12799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:05.277735+01:00 srv sshd[12797]: error: PAM: User not known to the underlying authentication module for illegal user janeen from 192.241.237.101
2013-10-30T14:54:05.278588+01:00 srv sshd[12797]: Failed keyboard-interactive/pam for invalid user janeen from 192.241.237.101 port 50161 ssh2
2013-10-30T14:54:05.676722+01:00 srv sshd[12797]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:07.333719+01:00 srv sshd[12803]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:07.335710+01:00 srv sshd[12803]: Invalid user josie from 192.241.237.101
2013-10-30T14:54:07.335751+01:00 srv sshd[12803]: input_userauth_request: invalid user josie [preauth]
2013-10-30T14:54:07.340513+01:00 srv sshd[12806]: gkr-pam: error looking up user information
2013-10-30T14:54:07.341346+01:00 srv sshd[12803]: Postponed keyboard-interactive for invalid user josie from 192.241.237.101 port 50780 ssh2 [preauth]
2013-10-30T14:54:07.534351+01:00 srv sshd[12806]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:07.535285+01:00 srv sshd[12806]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:09.367713+01:00 srv sshd[12803]: error: PAM: User not known to the underlying authentication module for illegal user josie from 192.241.237.101
2013-10-30T14:54:09.368549+01:00 srv sshd[12803]: Failed keyboard-interactive/pam for invalid user josie from 192.241.237.101 port 50780 ssh2
2013-10-30T14:54:09.759742+01:00 srv sshd[12803]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:11.290833+01:00 srv sshd[12807]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:11.508531+01:00 srv sshd[12809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:54:12.890435+01:00 srv sshd[12807]: error: PAM: Authentication failure for root from 192.241.237.101
2013-10-30T14:54:13.280258+01:00 srv sshd[12807]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:14.804725+01:00 srv sshd[12810]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:15.020636+01:00 srv sshd[12812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:54:16.813728+01:00 srv sshd[12810]: error: PAM: Authentication failure for root from 192.241.237.101
2013-10-30T14:54:17.198723+01:00 srv sshd[12810]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:18.728714+01:00 srv sshd[12813]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:18.729704+01:00 srv sshd[12813]: Invalid user shell from 192.241.237.101
2013-10-30T14:54:18.731706+01:00 srv sshd[12813]: input_userauth_request: invalid user shell [preauth]
2013-10-30T14:54:18.736460+01:00 srv sshd[12815]: gkr-pam: error looking up user information
2013-10-30T14:54:18.737569+01:00 srv sshd[12813]: Postponed keyboard-interactive for invalid user shell from 192.241.237.101 port 52516 ssh2 [preauth]
2013-10-30T14:54:18.931366+01:00 srv sshd[12815]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:18.932237+01:00 srv sshd[12815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:20.940582+01:00 srv sshd[12813]: error: PAM: User not known to the underlying authentication module for illegal user shell from 192.241.237.101
2013-10-30T14:54:20.941555+01:00 srv sshd[12813]: Failed keyboard-interactive/pam for invalid user shell from 192.241.237.101 port 52516 ssh2
2013-10-30T14:54:21.331562+01:00 srv sshd[12813]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:22.903707+01:00 srv sshd[12816]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:23.126605+01:00 srv sshd[12818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:54:25.351581+01:00 srv sshd[12816]: error: PAM: Authentication failure for root from 192.241.237.101
2013-10-30T14:54:25.751721+01:00 srv sshd[12816]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:27.284716+01:00 srv sshd[12819]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:27.286731+01:00 srv sshd[12819]: Invalid user rosedgar from 192.241.237.101
2013-10-30T14:54:27.286767+01:00 srv sshd[12819]: input_userauth_request: invalid user rosedgar [preauth]
2013-10-30T14:54:27.291352+01:00 srv sshd[12821]: gkr-pam: error looking up user information
2013-10-30T14:54:27.291386+01:00 srv sshd[12819]: Postponed keyboard-interactive for invalid user rosedgar from 192.241.237.101 port 53592 ssh2 [preauth]
2013-10-30T14:54:27.485134+01:00 srv sshd[12821]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:27.486025+01:00 srv sshd[12821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:29.729696+01:00 srv sshd[12819]: error: PAM: User not known to the underlying authentication module for illegal user rosedgar from 192.241.237.101
2013-10-30T14:54:29.730995+01:00 srv sshd[12819]: Failed keyboard-interactive/pam for invalid user rosedgar from 192.241.237.101 port 53592 ssh2
2013-10-30T14:54:30.121222+01:00 srv sshd[12819]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:31.628719+01:00 srv sshd[12822]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:31.629707+01:00 srv sshd[12822]: Invalid user abierta from 192.241.237.101
2013-10-30T14:54:31.631460+01:00 srv sshd[12822]: input_userauth_request: invalid user abierta [preauth]
2013-10-30T14:54:31.636548+01:00 srv sshd[12824]: gkr-pam: error looking up user information
2013-10-30T14:54:31.637782+01:00 srv sshd[12822]: Postponed keyboard-interactive for invalid user abierta from 192.241.237.101 port 54083 ssh2 [preauth]
2013-10-30T14:54:31.830734+01:00 srv sshd[12824]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:31.831624+01:00 srv sshd[12824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
2013-10-30T14:54:33.623718+01:00 srv sshd[12822]: error: PAM: User not known to the underlying authentication module for illegal user abierta from 192.241.237.101
2013-10-30T14:54:33.625085+01:00 srv sshd[12822]: Failed keyboard-interactive/pam for invalid user abierta from 192.241.237.101 port 54083 ssh2
2013-10-30T14:54:34.009812+01:00 srv sshd[12822]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]
2013-10-30T14:54:35.587716+01:00 srv sshd[12825]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:35.590706+01:00 srv sshd[12825]: Invalid user lomedic from 192.241.237.101
2013-10-30T14:54:35.590743+01:00 srv sshd[12825]: input_userauth_request: invalid user lomedic [preauth]
2013-10-30T14:54:35.596733+01:00 srv sshd[12827]: gkr-pam: error looking up user information
2013-10-30T14:54:35.596779+01:00 srv sshd[12825]: Postponed keyboard-interactive for invalid user lomedic from 192.241.237.101 port 54572 ssh2 [preauth]
2013-10-30T14:54:35.792916+01:00 srv sshd[12827]: pam_unix(sshd:auth): check pass; user unknown
2013-10-30T14:54:35.794162+01:00 srv sshd[12827]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101

Is it possible that it is some attack on the server?

The IP info is

|**Reverse**|oliverski.org.|
|---|---|
|**Reverse-verified**|No|
|**Origin AS**|- Digital Ocean, Inc...|
|**Country Code**|US|
|**Country**|United States|
|**Region**|North America|
|**Population**|278058881|
|**Top-level Domain**|US|
|**IPv4 Ranges**|40247|
|**IPv6 Ranges**|3201|
|**Currency**|US Dollar|
|**Currency Code**|USD|
|**IP Range - Start**|192.241.128.0|
|**IP Range - End**|192.241.255.255|
|**Registrar**|ARIN|
|**Allocation date**|Jun 10, 2013|



Sure looks like it. I’d recommend changing your default SSH port to
prevent most of this silliness.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

In a word – YES.

This is very common.

My personal “solution” - I disallow password authentication and challenge-response authentication. I allow only public key authentication. That way, they are unlikely to ever succeed. But they keep trying.

My second solution: I set up an entry in “/etc/hosts.allow” and “/etc/hosts.deny” to only allow ssh from the home network, my work network, and localhost. That discourages these attempts. Most of them give up after one login try (instead of thousands of tries). But logs still show some persistent triers.

Another option, which I don’t use, is to set up “fail2ban”, which scans log files, and sets up temporary firewall rules to block repeated attempts from the same IP address.

Other people run “sshd” to listen on a non-standard port, because the hackers mainly try port 22.
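The sshd_config side of the advice above (no password or challenge-response authentication, public key only), as an added example that is not code from the thread or from OpenSSH: a small Python audit that reads a config the way sshd does (the first value of a keyword wins, anything under a Match block is conditional) and checks the keywords that matter here. Both sample configs are constructed; the sftp path, port and the 192.168.1.0/24 range in them are placeholders.

```python
"""Audit an sshd_config for the settings recommended in the thread.

Added example, not from the thread or from OpenSSH. It models the rules
that matter when reading sshd_config by hand: keywords are case-insensitive,
for each keyword the FIRST value sshd reads wins (so a hardening line
appended at the bottom of the file is silently ignored if the keyword
already appeared above it), lines inside a Match block apply only to
matching connections, and sshd recognises only whole-line comments.
"""
import re

# Keyword -> value we want. ChallengeResponseAuthentication is the older
# spelling of KbdInteractiveAuthentication; both control the
# "keyboard-interactive/pam" method that the thread's log shows failing.
EXPECTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# What sshd assumes when the keyword is absent. PermitRootLogin defaulted to
# "yes" in 2013-era releases and to "prohibit-password" since OpenSSH 7.0;
# either way it is not the explicit "no" we want, so absence is a finding.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
KEYVAL_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

# Constructed sample: a stock-looking config where an admin appended two
# "no" lines at the end, believing that would turn passwords off.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
# added later; has no effect because the keywords already appeared above
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Constructed sample of the hardened form: key-only from the Internet,
# passwords still permitted from one LAN range via a Match block.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        # values are lowercased only because this audit compares yes/no words
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            in_match = True          # everything below is conditional
            continue
        if in_match:
            continue
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective


def audit(text):
    """List (keyword, effective value, ok) for every keyword in EXPECTED."""
    cfg = parse_sshd_config(text)
    report = []
    for key, wanted in EXPECTED.items():
        value = cfg.get(key, DEFAULTS[key])
        report.append((key, value, value == wanted))
    return report


def is_hardened(text):
    return all(ok for _, _, ok in audit(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", "OK" if is_hardened(cfg) else "FINDINGS")
        for key, value, ok in audit(cfg):
            if not ok:
                print(f"  {key} = {value!r}, expected {EXPECTED[key]!r}")
```

Run it on a real file with `audit(open("/etc/ssh/sshd_config").read())`; on a live host, `sshd -T` prints the effective values and is the authoritative check, this script only explains why an appended line did nothing.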

Hmmm…


srv:~ # rcsshd status
Checking for service sshd                                                                                                                                                                                                         unused
sshd.service - OpenSSH Daemon
          Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
          Active: inactive (dead) since Wed, 2013-10-30 15:10:52 CET; 17s ago
         Process: 13181 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=0/SUCCESS)
         Process: 13178 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/sshd.service

Oct 30 15:10:50 srv.openit.com.pl sshd[13636]: input_userauth_request: invalid user herschell [preauth]
Oct 30 15:10:50 srv.openit.com.pl sshd[13638]: gkr-pam: error looking up user information
Oct 30 15:10:50 srv.openit.com.pl sshd[13636]: Postponed keyboard-interactive for invalid user herschell from 192.241.237.101 port 53229 ssh2 [preauth]
Oct 30 15:10:51 srv.openit.com.pl sshd[13638]: pam_unix(sshd:auth): check pass; user unknown
Oct 30 15:10:51 srv.openit.com.pl sshd[13638]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101
Oct 30 15:10:52 srv.openit.com.pl systemd[1]: Stopping OpenSSH Daemon...
Oct 30 15:10:52 srv.openit.com.pl sshd[13181]: Received signal 15; terminating.
Oct 30 15:10:52 srv.openit.com.pl systemd[1]: Stopped OpenSSH Daemon.
Oct 30 15:10:52 srv.openit.com.pl sshd[13636]: error: PAM: User not known to the underlying authentication module for illegal user herschell from 192.241.237.101
Oct 30 15:10:52 srv.openit.com.pl sshd[13636]: Failed keyboard-interactive/pam for invalid user herschell from 192.241.237.101 port 53229 ssh2
Oct 30 15:10:53 srv.openit.com.pl sshd[13636]: Received disconnect from 192.241.237.101: 11: Bye Bye [preauth]


I changed the port and also cut myself off :slight_smile: I must change the router interface redirection later :slight_smile: I have a better idea than just changing the SSH port (SSH knocking), but I need more time to implement it :slight_smile:

On 2013-10-30 13:56, rysic wrote:
>
> Recently I see a lot of sshd lines in my server log:

> Is it possible that it is some attack on server?

Possible not. Sure, yes. They are trying to guess a user/password pair
that works.

You can do several things. One, change the port, as ab says. Another,
block repeated failed attempts in the firewall.


> ## Type: string
> ## Default:
> #
> # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
> # and more specific than FW_TRUSTED_NETS
> #
> # Format: space separated list of net,protocol[,dport[,sport[,flags]]]
> # Example: "0/0,tcp,22"
> #
> # Supported flags are
> #   hitcount=NUMBER     : ipt_recent --hitcount parameter
> #   blockseconds=NUMBER : ipt_recent --seconds parameter
> #   recentname=NAME     : ipt_recent --name parameter
> # Example:
> #    Allow max three ssh connects per minute from the same IP address:
> #      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"


Another, use specialized scripts that scan the firewall log and
dynamically add a list of blocks. For instance, Fail2ban (search for it
in the wikipedia). It is available in the oss repo.

You can also disable password login in the sshd port, and allow only
keyword pair. That depends on how you use it, if it is possible or not.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
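The two things this thread turns on, deciding from the log in the first post whether this is an attack and the hitcount/blockseconds rule quoted above, worked through in Python as an added example (not code from the thread, from openSUSE or from SuSEfirewall2). The sample lines are copied from the first post, except one constructed `Accepted publickey` line from a constructed address 192.168.1.10 for contrast; the thresholds in `suspicious_sources` are assumptions, and `simulate_rate_limit` is a simplified model of what the quoted rule does, not SuSEfirewall2's actual iptables rules.

```python
"""Triage of sshd log lines like those in the first post, plus a simulation
of the SuSEfirewall2 rate limit quoted by Carlos (hitcount=3, blockseconds=60).
Added example, not code from the thread or from openSUSE. It understands the
syslog layout of the first post ("<ISO timestamp> <host> sshd[<pid>]: <msg>");
the journal-style lines in the later `rcsshd status` output are not parsed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines copied from the thread's log, plus one constructed
# "Accepted publickey" line from a constructed LAN address for contrast.
SAMPLE_LOG = """\
2013-10-30T14:51:26.055719+01:00 srv sshd[12667]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:26.276832+01:00 srv sshd[12670]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:51:30.266724+01:00 srv sshd[12671]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:30.267401+01:00 srv sshd[12671]: Invalid user opcione from 192.241.237.101
2013-10-30T14:51:34.330720+01:00 srv sshd[12674]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:51:34.333707+01:00 srv sshd[12674]: Invalid user opciones from 192.241.237.101
2013-10-30T14:52:00.000000+01:00 srv sshd[12700]: Accepted publickey for rysic from 192.168.1.10 port 40000 ssh2
2013-10-30T14:54:03.124716+01:00 srv sshd[12797]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:03.125704+01:00 srv sshd[12797]: Invalid user janeen from 192.241.237.101
2013-10-30T14:54:07.333719+01:00 srv sshd[12803]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:07.335710+01:00 srv sshd[12803]: Invalid user josie from 192.241.237.101
2013-10-30T14:54:11.290833+01:00 srv sshd[12807]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
2013-10-30T14:54:11.508531+01:00 srv sshd[12809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.237.101  user=root
2013-10-30T14:54:14.804725+01:00 srv sshd[12810]: reverse mapping checking getaddrinfo for oliverski.org [192.241.237.101] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# (event kind, pattern), tried in order against the message part of a line.
EVENT_RES = [
    # logged once per new connection whose reverse DNS does not verify
    ("connect", re.compile(r"^reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed")),
    # attempt for a user name that does not exist on the host
    ("failure", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")),
    # attempt for an existing user (root here) that PAM rejected
    ("failure", re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)")),
    ("success", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")),
]


def parse_events(text):
    """Return (kind, timestamp, ip, user) tuples; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        for kind, rx in EVENT_RES:
            e = rx.search(m.group("msg"))
            if e:
                events.append((kind, ts, e.group("ip"), e.groupdict().get("user")))
                break
    return events


def summarize(events):
    """Per source address: connections, failed attempts, distinct user names, successes."""
    stats = defaultdict(lambda: {"connections": 0, "failures": 0, "users": set(), "successes": 0})
    for kind, _, ip, user in events:
        s = stats[ip]
        if kind == "connect":
            s["connections"] += 1
        elif kind == "failure":
            s["failures"] += 1
            s["users"].add(user)
        else:
            s["successes"] += 1
    return dict(stats)


def suspicious_sources(stats, min_failures=5, min_users=3):
    """A dictionary attack shows as many failures and many different user names
    from one address; a real user mistyping a password trips neither threshold."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures or len(s["users"]) >= min_users)


def simulate_rate_limit(timestamps, hitcount=3, blockseconds=60):
    """Simplified model of "0/0,tcp,22,,hitcount=3,blockseconds=60": at most
    `hitcount` new connections per sliding `blockseconds` window per address.
    As with iptables' recent --update, a dropped attempt still refreshes the
    window, so a source that keeps hammering stays blocked until it pauses."""
    window, decisions, limit = [], [], timedelta(seconds=blockseconds)
    for t in sorted(timestamps):
        window = [w for w in window if t - w < limit]
        allowed = len(window) < hitcount
        window.append(t)
        decisions.append((t, allowed))
    return decisions


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    stats = summarize(events)
    for ip, s in stats.items():
        print(f"{ip}: {s['connections']} connections, {s['failures']} failures, "
              f"{len(s['users'])} user names tried, {s['successes']} successes")
    print("suspicious:", suspicious_sources(stats))
    attacker = [t for k, t, ip, _ in events if k == "connect" and ip == "192.241.237.101"]
    for t, ok in simulate_rate_limit(attacker):
        print(t.strftime("%H:%M:%S"), "accepted" if ok else "DROPPED by rate limit")
```

On the sample, 192.241.237.101 shows seven connections, six failures and five different user names including root, which is the dictionary-attack shape the replies describe, while the LAN address shows one key-based success and nothing else. The rate-limit simulation accepts the first three connections in each minute and drops the fourth at 14:54:14, which is what the quoted rule is meant to do; with the scanner's observed pace of one connection every four seconds, most of its attempts would never reach sshd.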

Definitely looks like an ongoing attack - and as long as you have password or challenge-response authentication active, they are not going to give up.

As has been mentioned before, switch SSH to pubkey authentication (that makes guessing passwords moot).
Furthermore, tell your server’s firewall to become naughty (i.e. blocking brute-force attacks for extended periods of time without adversely affecting legitimate connections too much).

Any would-be attackers might continue to try for some time, but eventually they are going to give up (that’s my experience after I reconfigured my server to do exactly that).

Or, as a third option, open an IPsec tunnel, and once that’s working properly, close the SSH port altogether (but beware to update any certificates in time you may have to register with the IPsec solution you would use in that case - otherwise you would lock yourself out when they expire).

I have a description of a possible solution to this problem available (as far as SSH is concerned).