SSH Attack

Hello,

I have a 10.2 Suse workstation, and for the last two days I've been receiving several SSH login attempts.

Example:

May 19 21:37:12 siroco sshd[3882]: Invalid user olivia from 91.188.58.105
May 19 21:37:12 siroco sshd[3882]: Failed password for invalid user olivia from 91.188.58.105 port 46043 ssh2
May 19 21:37:13 siroco sshd[3884]: Invalid user olivia from 91.188.58.105
May 19 21:37:13 siroco sshd[3884]: Failed password for invalid user olivia from 91.188.58.105 port 46100 ssh2
May 19 21:37:14 siroco sshd[3886]: Invalid user olivia from 91.188.58.105
May 19 21:37:14 siroco sshd[3886]: Failed password for invalid user olivia from 91.188.58.105 port 46144 ssh2
May 19 21:37:15 siroco sshd[3888]: Invalid user olivia from 91.188.58.105
May 19 21:37:15 siroco sshd[3888]: Failed password for invalid user olivia from 91.188.58.105 port 46189 ssh2
May 19 21:37:16 siroco sshd[3890]: Invalid user olivia from 91.188.58.105
May 19 21:37:16 siroco sshd[3890]: Failed password for invalid user olivia from 91.188.58.105 port 46241 ssh2
May 19 21:37:17 siroco sshd[3892]: Invalid user olivia from 91.188.58.105
May 19 21:37:17 siroco sshd[3892]: Failed password for invalid user olivia from 91.188.58.105 port 46304 ssh2
May 19 21:37:18 siroco sshd[3894]: Invalid user olivia from 91.188.58.105
May 19 21:37:18 siroco sshd[3894]: Failed password for invalid user olivia from 91.188.58.105 port 46342 ssh2
May 19 21:37:19 siroco sshd[3896]: Invalid user olivia from 91.188.58.105
May 19 21:37:19 siroco sshd[3896]: Failed password for invalid user olivia from 91.188.58.105 port 46399 ssh2
May 19 21:37:19 siroco sshd[3898]: Invalid user olivia from 91.188.58.105
May 19 21:37:19 siroco sshd[3898]: Failed password for invalid user olivia from 91.188.58.105 port 46453 ssh2
May 19 21:37:20 siroco sshd[3900]: Invalid user olivia from 91.188.58.105 

After these attacks (lasting for hours), my workstation holds up, but finally all the services crash (not the machine) for no apparent reason.


May 20 10:01:26 siroco pure-ftpd: (?@my_ip) [INFO] New connection from my_ip
May 20 10:01:26 siroco pure-ftpd: (?@my_ip) [INFO] Logout.
May 20 10:28:12 siroco syslog-ng[2620]: STATS: dropped 0

I have to reboot and start xinetd services.

May 20 10:41:16 siroco shutdown[8610]: shutting down for system reboot

I scan with rkhunter and lynis and everything seems to be ok.

Any ideas guys ???

What should I do ?

Thank you very much !!!

KiM

SSH attacks are quite common if you have a public IP and you keep SSH open.
First of all, you have to disallow root access via ssh.
Run ssh only if you want to access this machine from outside. Also, use a certificate+passphrase combination.

Also, see why xinetd needs to be run. Are you running any services for the outside world?

I don’t know if the crash is related, but some time back I also received many ssh hack attempts on my PC. In my case my PC is on a LAN where previously I had port#22 on my router forwarded to port#22 on that PC. So what I did was close port#22 on my router, and instead I opened a high port number (port #42000 or something like that) forwarded to port#22 on my PC on the LAN.

That effectively stopped the attacks, as the hackers trying to break in could not be bothered to scan all the way up to port #42000 to see if I had an open SSH port.

You should also check to ensure that you have SSH access disabled for user root.

There are other defensive measures one can take to make your ssh even more secure, but that is an effective start.

I do note they are focussed on user “oliva”. In my case they did not know the user, and so they were forced to guess in each of their hack attempts as to what user accounts I had created. [They did try to hack in as user root many many times]. If you have a user “oliva” on your PC, you have been partly compromised, and if I were you I would remove that user’s account, and give them an account with a different user name.

openSUSE Software Portal

That should take care of the door knockers - remember to read the documentation regarding the use of the fail2ban software.

You can open ssh to your LAN and filter external access with iptables. If only you and a couple of friends need to connect to your computer through ssh, you could allow only those IPs or IP ranges to pass. Enabling the appropriate “jail” in fail2ban will drastically reduce the size of your auth.log. That’s indeed a very cool piece of software. Running ssh on a higher port just makes you feel safer without offering more protection.

Thanks guys for all your replies.

First of all, you have to disallow root access via ssh.

OK. I need it, but I’ll do it to see if the attacks stop.

Run ssh only if you want to access this machine from outside. Also, use a certificate+passphrase combination.

Certificate and passphrase. Good idea.

Also, see why xinet needs to be run? Are you running any services for the outside world?

I need it for Nagios monitoring.

So what I did was close port#22 on my router, and instead I opened a high port number

Another thing to do.

That should take care of the door knockers - remember to read the documentation regarding the use of the fail2ban software.

What’s this Chrysantine ?

Thanks !!!

fail2ban is a python script which reads the access log and bans the IPs which failed to log on for a certain time. You decide the number of attempts and how long the IPs should be banned. Be careful not to ban yourself by setting up too few attempts or a too long banning time!
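As an added illustration of the rule fail2ban applies (this is example code written for this thread, not fail2ban itself), the script below runs the thread's own sshd log lines, plus a constructed second client, through a "maxretry failures within findtime seconds" check and reports the moment each IP would be banned; the ignoreip set is the guard against banning yourself. The year is assumed, because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" lines sshd writes, as seen in the thread's log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: lines taken from the thread, plus a second IP (192.0.2.10,
# documentation range) with two failures and one successful key login that must not count.
SAMPLE_LOG = """\
May 19 21:37:12 siroco sshd[3882]: Failed password for invalid user olivia from 91.188.58.105 port 46043 ssh2
May 19 21:37:13 siroco sshd[3884]: Failed password for invalid user olivia from 91.188.58.105 port 46100 ssh2
May 19 21:37:14 siroco sshd[3886]: Failed password for invalid user olivia from 91.188.58.105 port 46144 ssh2
May 19 21:37:15 siroco sshd[3888]: Failed password for invalid user olivia from 91.188.58.105 port 46189 ssh2
May 19 21:37:15 siroco sshd[3889]: Failed password for kim from 192.0.2.10 port 50100 ssh2
May 19 21:37:16 siroco sshd[3890]: Failed password for invalid user olivia from 91.188.58.105 port 46241 ssh2
May 19 21:37:17 siroco sshd[3892]: Failed password for invalid user olivia from 91.188.58.105 port 46304 ssh2
May 19 21:37:20 siroco sshd[3891]: Failed password for kim from 192.0.2.10 port 50101 ssh2
May 19 21:37:21 siroco sshd[3893]: Accepted publickey for kim from 192.0.2.10 port 50102 ssh2
"""

def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip, user) per failed-password line; the year is assumed (syslog omits it)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bans(log_text, maxretry=5, findtime=600, ignoreip=()):
    """fail2ban-style rule: ban an IP the moment it reaches maxretry failures
    within findtime seconds. ignoreip lists addresses that are never banned (your own!)."""
    recent = defaultdict(list)
    bans = {}
    window = timedelta(seconds=findtime)
    for ts, ip, _user in parse_failures(log_text):
        if ip in ignoreip or ip in bans:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]  # slide the window
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```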

Thanks.

I’m trying DenyHosts. I’ve been reading that’s specially for SSH logins.

Thanks again.

Just as a reminder of why more code does not automatically make things “safer” and is generally a bad idea, especially when security should be enhanced by safe configuration with the tools already provided by the service itself.

OSSEC HIDS - Open Source Security - Attacking Log analysis tools.

Just one note. If you need access to a box as root you should still
always disable logging in as ‘root’ directly (PermitRootLogin no) in
/etc/ssh/sshd_config and restart the SSH service and just SSH in as a
normal user then use either sudo -i or su - or something to become
root. This also gives you an audit trail anytime one of your “trusted”
users does something stupid.

Good luck.

kserradell wrote:
> Thanks guys for all your replies.
>
>> First of all, you have to disallow root access via ssh.
>
> Ok. I need it, but i’ll do to see if attacks stops.
>
>> Run ssh only if you want to access this machine from outside. Also, use
>> a certificate+passphrase combination.
>
> Certificate and passphrase. Good idea.
>
>> Also, see why xinet needs to be run? Are you running any services for
>> the outside world?
>
> I need for Nagios monitoring.
>
>> So what I did was close port#22 on my router, and instead I opened a
>> high port number
>
> Another thing to do.
>
>> That should take care of the door knockers - remember to read the
>> documentation regarding the use of the fail2ban software.
>
> What’s this Chrysantine ?
>
> Thanks !!!
>
>
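The PermitRootLogin advice above can be checked rather than eyeballed. The following is an added example (not from the thread or from OpenSSH) that parses sshd_config text the way sshd reads it (first occurrence of a keyword wins, comments stripped, "Key value" or "Key=value") and reports the settings this thread recommends changing; the constructed weak and hardened fragments, the assumed era defaults (PermitRootLogin and PasswordAuthentication both yes) and the extra AllowUsers check are my additions, and Match blocks are not modelled.

```python
import re

# Constructed sshd_config fragments: the weak one permits direct root login and
# password guessing; the hardened one reflects the thread's advice.
WEAK_CONFIG = """\
Port 22
# let the admin in directly
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no            # become root with su - or sudo -i after login
PubkeyAuthentication yes
PasswordAuthentication no     # key + passphrase only
AllowUsers kim                # assumed local account; limits which names can even try
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored. Match blocks are not modelled (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Return findings for the settings the thread recommends changing. Where a
    keyword is absent, the OpenSSH 5.x-era defaults are assumed (both 'yes')."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "yes").lower()
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}': set it to 'no' and use su - / sudo -i")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: move to key+passphrase and set it to 'no'")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: key-based login would fail")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is a guessable target")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```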

On 5/20/2009 6:16 AM, kserradell wrote:
> Thanks guys for all your replies.
>
>> First of all, you have to disallow root access via ssh.
>
> Ok. I need it, but i’ll do to see if attacks stops.
>
Why do you need root access via ssh? It is much safer to close off root
access and log in as a regular user. Then all you need to do is su - to
privileged user and do whatever is needed.

assuming they scanned ports in ascending order. :wink:

True, BUT, and I think it is a very big BUT … why would they scan in descending order? :rolleyes:

Most open ports by default are in the lower port range. If one is looking for an open port to hack at an unsuspecting user, does it not make sense to look in the location where most open ports are to be found? From what I have read, the most common location for open ports is in the area of the ports’ default value, which is the lower numbers.

IMHO hackers, in order to be successful, also have to be practical. Scanning in descending order does not make a lot of sense to me. Given what I have read, it (scanning in descending order) also does not make a lot of sense to a lot of hackers.

+1

Agreed, and along with that most attacks (99.999%) that are scripted
aren’t going to look for SSH off of port 22 anyway. There are too many
open ports with bad passwords and allowing ‘root’ logins directly to make
it worthwhile to start looking elsewhere. Changing the port isn’t
security (it’s just obscurity) but it’s a start and will at least keep
your logs a little cleaner. Disabling direct root login via SSH is
something you SHOULD ALWAYS do on your system as that prevents hackers
from logging in with the one account whose name they know will always
(99.999% of the time) be there (I’ve never known anybody to change the
‘root’ username, though in theory it’s possible).

Good luck.

oldcpu wrote:
> please_try_again;1988611 Wrote:
>> assuming they scanned ports in ascending order. ;)
> True, BUT, and I think it is a very big BUT … why would they scan in
> descending order? :rolleyes:
>
> Most open ports by default are in the lower port range. If one is
> looking for an open port to hack at an unsuspecting user, does it not
> make sense to look in the location where most open ports are to be
> found? From what I have read, the most common location for open ports
> is in the area of the ports’ default value, which is the lower numbers.
>
> IMHO hackers, in order to be successful, also have to be practical.
> Scanning in descending order does not make a lot of sense to me. Given
> what I have read, it (scanning in descending order) also does not make a
> lot of sense to a lot of hackers.
>
>

Guys, thanks a lot for all replies.

Today I learned a lot with this thread.

I just disabled root login and changed DenyHosts.

Gracias!!!

I still prefer using an old pentium pc with 2 network cards set up as a dedicated firewall/router for the internal network. When you set it up, you want only a minimal install, since you don’t want it to run extra services that could be hacked or add extra load to an old pc.
Look at some of the dedicated linux firewalls like smoothwall, ipcop, etc.
You can then set up ipsec for remote access to the internal network.
That way, if you get an attack, the only box that goes is the firewall.

If the firewall works, anything that is hacked internally, is then because you have invited it in yourself.

That’s an excellent read. Thanks.