SSH "break in attempts" security questions

Hello,

I just saw all these break-in attempts. No problem, since I don’t even allow SSH through passwords: you can only get in if you have a key set up on the server.

However, I have a program called fail2ban installed, which is great because after 3 failed attempts within an hour from any IP address, that IP gets banned for an hour. But, as you can see, this person is using a different IP every time, so fail2ban can’t really stop them.

Here are my questions:

  • You can see there is a reverse mapping check that catches this person occasionally. That’s great, and I assume that if the reverse mapping doesn’t check out, it would not allow the connection. Is this correct, or would the reverse mapping allow them anyway?

  • I can’t believe that this person has this many real IP addresses. So why would the reverse mapping not pick up all these others, or are they really real?

Last question: Is there any way to pick up on this person’s real IP and ban it? Perhaps have a fake login account that lets him think he is connecting… assuming a real IP would be needed for a connection.

2010-01-16T21:17:44.061821-08:00 neutrino sshd[28187]: Invalid user admin from 150.214.45.10
2010-01-16T21:17:57.489228-08:00 neutrino sshd[28193]: Invalid user admin from 159.90.61.49
2010-01-16T21:18:26.525332-08:00 neutrino sshd[28198]: Invalid user admin from 139.20.16.138
2010-01-16T21:18:55.762396-08:00 neutrino sshd[28205]: Invalid user admin from 201.72.166.52
2010-01-16T21:19:23.653430-08:00 neutrino sshd[28212]: Invalid user admin from 194.150.236.224
2010-01-16T21:19:56.713061-08:00 neutrino sshd[28217]: Invalid user adminftp from 201.47.232.58
2010-01-16T21:20:27.065951-08:00 neutrino sshd[28223]: Invalid user administracion from 196.213.52.90
2010-01-16T21:20:51.566487-08:00 neutrino sshd[28228]: Invalid user administrador from 141.89.112.177
2010-01-16T21:21:24.619492-08:00 neutrino sshd[28233]: reverse mapping checking getaddrinfo for 250.19.53.116.broad.km.yn.dynamic.163data.com.cn [116.53.19.250] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:21:24.620534-08:00 neutrino sshd[28233]: Invalid user administrador from 116.53.19.250
2010-01-16T21:21:49.533861-08:00 neutrino sshd[28238]: Invalid user administration from 129.32.84.133
2010-01-16T21:22:47.758850-08:00 neutrino sshd[28246]: reverse mapping checking getaddrinfo for 200-206-190-87.speedyterra.com.br [200.206.190.87] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:22:47.760023-08:00 neutrino sshd[28246]: Invalid user administrator from 200.206.190.87
2010-01-16T21:23:20.573787-08:00 neutrino sshd[28252]: Invalid user administrator from 114.247.0.222
2010-01-16T21:23:48.121951-08:00 neutrino sshd[28263]: Invalid user administrator from 203.194.209.214
2010-01-16T21:24:13.461630-08:00 neutrino sshd[28276]: Invalid user administrator from 150.254.171.185
2010-01-16T21:24:43.977624-08:00 neutrino sshd[28282]: Invalid user administrator from 195.134.132.130
2010-01-16T21:25:22.934354-08:00 neutrino sshd[28297]: reverse mapping checking getaddrinfo for 30.122.123.200.dynamic.telmex.net.ar [200.123.122.30] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:25:22.935388-08:00 neutrino sshd[28297]: Invalid user administrator from 200.123.122.30
2010-01-16T21:26:12.127726-08:00 neutrino sshd[28322]: Address 195.35.109.80 maps to www.photoweb.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:26:12.128857-08:00 neutrino sshd[28322]: Invalid user administrator from 195.35.109.80
2010-01-16T21:26:31.273721-08:00 neutrino sshd[28333]: Invalid user administrator from 58.247.222.163
2010-01-16T21:26:57.466776-08:00 neutrino sshd[28340]: Invalid user admins from 12.2.202.132
2010-01-16T21:27:25.787001-08:00 neutrino sshd[28349]: Invalid user admon from 119.136.10.80
2010-01-16T21:27:53.342800-08:00 neutrino sshd[28357]: Invalid user adnan from 150.244.36.63
2010-01-16T21:28:22.258458-08:00 neutrino sshd[28363]: Invalid user adrian from 200.179.104.136
2010-01-16T21:34:33.341479-08:00 neutrino sshd[28470]: reverse mapping checking getaddrinfo for 189-108-202-34.customer.tdatabrasil.net.br [189.108.202.34] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:34:33.342602-08:00 neutrino sshd[28470]: Invalid user agnes from 189.108.202.34
2010-01-16T21:34:48.315868-08:00 neutrino sshd[28475]: Invalid user agnieszka from 190.12.80.115
2010-01-16T21:35:17.162908-08:00 neutrino sshd[28483]: Invalid user agostino from 201.38.0.130
2010-01-16T21:35:46.728633-08:00 neutrino sshd[28487]: Invalid user agro from 201.217.215.66
2010-01-16T21:36:14.517934-08:00 neutrino sshd[28492]: Invalid user agronomia from 123.50.36.248
2010-01-16T21:36:37.224355-08:00 neutrino sshd[28496]: Invalid user ah from 193.56.58.2
2010-01-16T21:37:34.975433-08:00 neutrino sshd[28512]: Invalid user ahmed from 194.67.115.240
2010-01-16T21:37:59.637716-08:00 neutrino sshd[28517]: Invalid user aiden from 207.81.103.10
2010-01-16T21:38:27.436652-08:00 neutrino sshd[28528]: Invalid user aiello from 82.66.246.203
2010-01-16T21:39:03.701350-08:00 neutrino sshd[28537]: Invalid user ailleen from 125.88.99.31
2010-01-16T21:39:25.192063-08:00 neutrino sshd[28548]: Invalid user aimee from 195.110.156.129
2010-01-16T21:39:52.882619-08:00 neutrino sshd[28556]: Invalid user aires from 123.255.46.6
2010-01-16T21:40:17.605186-08:00 neutrino sshd[28560]: Invalid user ajay from 193.56.58.2
2010-01-16T21:40:47.285068-08:00 neutrino sshd[28563]: Address 190.39.202.126 maps to 190-39-202-126.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:40:47.286193-08:00 neutrino sshd[28563]: Invalid user ajit from 190.39.202.126
2010-01-16T21:41:21.019255-08:00 neutrino sshd[28571]: Invalid user ajm from 119.136.13.147
2010-01-16T21:41:43.006200-08:00 neutrino sshd[28575]: Invalid user ak from 201.44.212.170
2010-01-16T21:42:09.181599-08:00 neutrino sshd[28579]: Invalid user ak from 147.102.191.143
2010-01-16T21:42:41.260822-08:00 neutrino sshd[28586]: Invalid user aki from 119.113.5.199
2010-01-16T21:42:52.563468-08:00 neutrino sshd[28590]: Invalid user akira from 202.137.147.50
2010-01-16T21:43:18.495666-08:00 neutrino sshd[28599]: Invalid user akiyama from 195.24.254.26
2010-01-16T21:43:48.203779-08:00 neutrino sshd[28604]: Invalid user akram from 203.97.102.19
2010-01-16T21:44:10.170783-08:00 neutrino sshd[28611]: Invalid user akutsu from 189.80.131.234
2010-01-16T21:44:35.490960-08:00 neutrino sshd[28616]: Invalid user al from 129.32.84.133
2010-01-16T21:45:02.803961-08:00 neutrino sshd[28633]: Invalid user al from 134.147.66.74
2010-01-16T21:45:35.502407-08:00 neutrino sshd[28677]: Invalid user al from 190.108.18.182
2010-01-16T21:45:56.804240-08:00 neutrino sshd[28683]: Invalid user alain from 115.41.148.16
2010-01-16T21:46:22.436447-08:00 neutrino sshd[28688]: Invalid user alan from 195.172.129.134
2010-01-16T21:46:49.989395-08:00 neutrino sshd[28693]: Invalid user alan from 113.100.129.20
2010-01-16T21:47:17.196171-08:00 neutrino sshd[28699]: Invalid user alano from 123.147.203.73
2010-01-16T21:47:39.202595-08:00 neutrino sshd[28703]: reverse mapping checking getaddrinfo for ruth.telecomunique.net.gt [168.234.239.158] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:47:39.203695-08:00 neutrino sshd[28703]: Invalid user alb from 168.234.239.158
2010-01-16T21:48:08.150444-08:00 neutrino sshd[28708]: reverse mapping checking getaddrinfo for adsl-pool2-100.metrotel.net.co [190.182.10.100] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:48:08.151606-08:00 neutrino sshd[28708]: Invalid user albert from 190.182.10.100
2010-01-16T21:48:30.729222-08:00 neutrino sshd[28713]: Invalid user albert from 143.121.196.205
2010-01-16T21:48:51.088529-08:00 neutrino sshd[28718]: Invalid user albert from 168.212.16.52
2010-01-16T21:49:29.438360-08:00 neutrino sshd[28756]: Invalid user alberta from 115.168.71.84
2010-01-16T21:49:45.127196-08:00 neutrino sshd[28760]: Invalid user alberto from 193.219.145.206
2010-01-16T21:50:02.009871-08:00 neutrino sshd[28765]: Invalid user alcione from 201.65.198.226
2010-01-16T21:50:25.170168-08:00 neutrino sshd[28769]: Invalid user alejandro from 141.44.40.29
2010-01-16T21:50:49.343922-08:00 neutrino sshd[28775]: Invalid user aleks from 136.142.60.27
2010-01-16T21:51:14.735311-08:00 neutrino sshd[28780]: Invalid user aleks from 209.91.178.244
2010-01-16T21:51:38.811687-08:00 neutrino sshd[28785]: reverse mapping checking getaddrinfo for cluster-box-47-19.agnat.pl [193.239.47.19] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:51:38.812739-08:00 neutrino sshd[28785]: Invalid user alena from 193.239.47.19
2010-01-16T21:52:06.317881-08:00 neutrino sshd[28792]: Invalid user alessandro from 200.171.178.213
2010-01-16T21:52:28.825091-08:00 neutrino sshd[28797]: Invalid user alex from 213.184.199.12
2010-01-16T21:52:53.633691-08:00 neutrino sshd[28809]: Invalid user alex from 200.161.44.152
2010-01-16T21:53:14.732215-08:00 neutrino sshd[28814]: reverse mapping checking getaddrinfo for 208-118-179-195.i95.net [208.118.179.195] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:53:14.733738-08:00 neutrino sshd[28814]: Invalid user alex from 208.118.179.195
2010-01-16T21:53:41.609476-08:00 neutrino sshd[28820]: Invalid user alex from 195.60.168.78
2010-01-16T21:54:06.753241-08:00 neutrino sshd[28825]: Address 201.248.48.195 maps to 201-248-48-195.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:54:06.754311-08:00 neutrino sshd[28825]: Invalid user alex from 201.248.48.195
2010-01-16T21:54:53.996159-08:00 neutrino sshd[28841]: Invalid user alex from 193.190.242.2
2010-01-16T21:55:04.271508-08:00 neutrino sshd[28836]: Invalid user alex from 203.64.18.7
2010-01-16T21:55:18.280642-08:00 neutrino sshd[28847]: Invalid user alex from 200.23.113.129
2010-01-16T21:55:40.765299-08:00 neutrino sshd[28854]: Invalid user alex from 213.239.195.20
2010-01-16T21:56:04.960383-08:00 neutrino sshd[28861]: Invalid user alex from 139.6.3.24
2010-01-16T21:56:32.961117-08:00 neutrino sshd[28872]: Invalid user alex from 190.3.10.18
2010-01-16T21:56:56.923813-08:00 neutrino sshd[28884]: Invalid user alex from 190.65.107.110
2010-01-16T21:57:08.644847-08:00 neutrino sshd[28889]: Invalid user alex from 125.89.93.21
2010-01-16T21:57:37.421473-08:00 neutrino sshd[28894]: Invalid user alex from 200.162.9.91
2010-01-16T21:57:55.118098-08:00 neutrino sshd[28900]: reverse mapping checking getaddrinfo for ip-132-4.amnet.com.ni [165.98.132.4] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:57:55.118253-08:00 neutrino sshd[28900]: Invalid user alex from 165.98.132.4

BTW, these attempts are still going - there must be hundreds by now.
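The point behind the question about fail2ban can be checked directly against the log above. The following is an added example, not something posted in the thread: it parses sshd "Invalid user" lines, applies a per-address sliding-window count of the kind a fail2ban jail uses (maxretry failures within findtime), and then computes the aggregate rate across all sources. The log sample is a constructed subset of the lines quoted in the post; the maxretry=3, findtime=1h values are the ones the poster describes, not fail2ban defaults.

```python
"""Why a per-IP ban threshold never fires against a distributed guesser."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten of the sshd lines quoted in the post, kept verbatim.
SAMPLE_LOG = """\
2010-01-16T21:17:44.061821-08:00 neutrino sshd[28187]: Invalid user admin from 150.214.45.10
2010-01-16T21:17:57.489228-08:00 neutrino sshd[28193]: Invalid user admin from 159.90.61.49
2010-01-16T21:21:24.619492-08:00 neutrino sshd[28233]: reverse mapping checking getaddrinfo for 250.19.53.116.broad.km.yn.dynamic.163data.com.cn [116.53.19.250] failed - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:21:24.620534-08:00 neutrino sshd[28233]: Invalid user administrador from 116.53.19.250
2010-01-16T21:21:49.533861-08:00 neutrino sshd[28238]: Invalid user administration from 129.32.84.133
2010-01-16T21:26:12.127726-08:00 neutrino sshd[28322]: Address 195.35.109.80 maps to www.photoweb.de, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
2010-01-16T21:26:12.128857-08:00 neutrino sshd[28322]: Invalid user administrator from 195.35.109.80
2010-01-16T21:36:37.224355-08:00 neutrino sshd[28496]: Invalid user ah from 193.56.58.2
2010-01-16T21:40:17.605186-08:00 neutrino sshd[28560]: Invalid user ajay from 193.56.58.2
2010-01-16T21:44:35.490960-08:00 neutrino sshd[28616]: Invalid user al from 129.32.84.133
"""

INVALID_USER = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_attempts(log_text):
    """Return (timestamp, username, source_ip) for every 'Invalid user' line.
    The 'reverse mapping' warnings share a PID with the line that follows them
    and are not counted as separate attempts."""
    out = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return out


def per_ip_bans(attempts, maxretry=3, findtime=timedelta(hours=1)):
    """Sliding-window counter per source address, like a fail2ban jail with
    maxretry/findtime: an address is banned once it reaches maxretry failures
    inside one findtime window. Returns the set of banned addresses."""
    recent = defaultdict(list)
    banned = set()
    for ts, _user, ip in sorted(attempts):
        recent[ip] = [t for t in recent[ip] if ts - t < findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


def peak_rate(attempts, findtime=timedelta(hours=1)):
    """The aggregate view a per-IP jail lacks: the largest number of failures
    from ALL addresses inside one findtime window, and how many distinct
    addresses contributed to it."""
    times = sorted(attempts)
    best_count, best_ips = 0, set()
    for i, (start, _user, _ip) in enumerate(times):
        window = [a for a in times[i:] if a[0] - start < findtime]
        if len(window) > best_count:
            best_count, best_ips = len(window), {a[2] for a in window}
    return best_count, len(best_ips)


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print(len(attempts), "failed logins from", len({ip for _, _, ip in attempts}), "addresses")
    print("banned with maxretry=3:", per_ip_bans(attempts) or "nobody")
    print("peak in one hour (attempts, distinct IPs):", peak_rate(attempts))
```

Run as written, the per-address jail bans nobody: no source in the sample reaches three failures, and even the busiest repeat only twice. The aggregate counter sees all eight failures from six addresses in under half an hour, which is the signal a distributed guesser leaves. That is the trade-off behind the poster's observation: a per-IP threshold is what keeps a jail from banning legitimate users after one typo, and it is exactly what a botnet sidesteps.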

He’s probably got an army of zombie bots. If you use keys rather than passwords, don’t worry about it; there’s no need to spend time poring over the logs.

On Sun, 17 Jan 2010 06:06:01 +0000, Reg gie wrote:

> - You can see there is a reverse mapping check that catches this person
> occasionally. That’s great and I assume that if the reverse mapping
> doesn’t checkout, it would not allow the connection. Is this correct or
> would the reverse mapping allow them anyway?

From what I understand of this setting, it’s just to ensure there is a
DNS entry for the host (or that the server can resolve to a name - either
by DNS or a hosts file entry). I may be mistaken on this, though, as I
haven’t used it at all.

> - I can’t believe that this person has this many real IP addresses. So,
> why would the reverse mapping not pick up all these others, or are they
> really real?

They’re probably really real; it could be an attack launched using a
botnet or using a Tor connection.

> Last question: Is there anyway to pick up on this persons real IP and
> ban it? Perhaps have a fake login account that let’s him think he is
> connecting… assuming a real IP would be needed for a connection.

The thing that I found most effective was to disable password usage for
ssh and switch to using public key authentication.

You might also look at using something like knockd to require pinging
several ports in sequence before opening the ssh port. That can also be
effective at thwarting this kind of brute force attack.

Jim


Jim Henderson
openSUSE Forums Moderator
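The two warning shapes in the poster's log ("reverse mapping checking getaddrinfo ... failed" and "Address ... maps to ..., but this does not map back") come from forward-confirmed reverse DNS, the check sshd runs on the client address when UseDNS is on. The following is an added example, not code from the thread or from OpenSSH: it implements that check with the DNS calls injected, so it runs offline against a constructed resolver table built from addresses and names in the log (the forward answers in that table are made up; the 203.0.113.x and 198.51.100.x addresses are documentation ranges). Live wrappers using the standard library resolver are included for real use. The check's outcome is only a name and a log line: on every failure path sshd falls back to the numeric address and the connection proceeds, which is why it logs but does not stop these attempts. The resolved name matters only where a hostname is used for access control (for example a from="host" option in authorized_keys).

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind sshd's
'reverse mapping' warnings, with the resolver injected so it runs offline."""
import socket


def fcrdns(ip, reverse, forward):
    """Emulate sshd's client-name resolution when UseDNS is on.
    reverse(ip) -> PTR name; forward(name) -> list of addresses; both raise
    LookupError when there is no answer.
    Returns (name_sshd_will_use, warning_line_or_None)."""
    try:
        name = reverse(ip)
    except LookupError:
        return ip, None  # no PTR at all: sshd uses the address, no warning
    try:
        addrs = forward(name)
    except LookupError:
        # PTR name exists but has no A/AAAA record: first warning shape
        return ip, (f"reverse mapping checking getaddrinfo for {name} [{ip}] failed"
                    " - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        # forward lookup works but does not contain the client: second shape
        return ip, (f"Address {ip} maps to {name}, but this does not map back to"
                    " the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name, None  # forward-confirmed: the name is safe to use for matching


# Constructed resolver tables (assumption: modelled on the log, not real DNS data).
PTR = {
    "195.35.109.80": "www.photoweb.de",                       # forward exists, points elsewhere
    "116.53.19.250": "250.19.53.116.broad.km.yn.dynamic.163data.com.cn",  # no forward record
    "203.0.113.7": "host7.example.net",                       # consistent pair
}
A = {
    "www.photoweb.de": ["198.51.100.20"],   # constructed: does not include 195.35.109.80
    "host7.example.net": ["203.0.113.7"],
}


def fake_reverse(ip):
    if ip in PTR:
        return PTR[ip]
    raise LookupError(ip)


def fake_forward(name):
    if name in A:
        return A[name]
    raise LookupError(name)


def live_reverse(ip):
    """PTR lookup through the system resolver; LookupError on NXDOMAIN."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror) as exc:
        raise LookupError(ip) from exc


def live_forward(name):
    """All A/AAAA answers for a name; LookupError when it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror as exc:
        raise LookupError(name) from exc


if __name__ == "__main__":
    for client in ("203.0.113.7", "195.35.109.80", "116.53.19.250", "198.51.100.99"):
        name, warning = fcrdns(client, fake_reverse, fake_forward)
        print(client, "->", name, "|", warning or "ok")
```

Swap `fake_reverse`/`fake_forward` for `live_reverse`/`live_forward` to run it against real DNS. Note the asymmetry the log hides: an address with no PTR record at all produces no warning, so the absence of a "POSSIBLE BREAK-IN ATTEMPT!" line says nothing about whether the other sources are "real"; they simply never had a PTR, or had one that forward-confirmed.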

Hi,
Just for my own knowledge, can you point me to any tutorial or information on how to use keys instead of passwords?

Thanks

Yeah, I’m not worried, but thanks for the note. I had no idea what a zombie bot was so for anyone else who comes across this, here’s a snippet from the wiki:

“…this word is generally used to refer to a collection of compromised computers (called zombie computers) running software…”

I get it: they are all legit IPs, but the owners of the computers probably don’t even know they are doing this on the attacker’s behalf.

On 01/17/2010 09:06 AM, mmarif4u wrote:
>
> hendersj;2105528 Wrote:
>>
>> The thing that I found most effective was to disable password usage
>> for
>> ssh and switch to using public key authentication.
>>
>
> Hi,
> Just for the knowledge, can you redirect to any tutorial or
> information, how to use keys instead of passwords.
>

Look here:
http://tinyurl.com/yforq98

Vahis

“Sunrise 9:09am (EET), sunset 3:52pm (EET) at Espoo, FI (6:43 hours
daylight)”
http://waxborg.servepics.com
Linux 2.6.25.20-0.5-default #1 SMP 2009-08-14 01:48:11 +0200 x86_64
9:15am up 78 days 14:16, 17 users, load average: 0.51, 0.81, 0.78

On 01/17/2010 09:06 AM, Reg gie wrote:
>
> Yeah, I’m not worried, but thanks for the note. I had no idea what a
> zombie bot was so for anyone else who comes across this, here’s a
> snippet from the wiki:
>
> “…this word is generally used to refer to a collection of compromised
> computers (called zombie computers) running software…”
>
> I get it, they are all legit IP’s but probably the owners of the
> computers don’t even know they are doing this on the attackers behalf.
>
>

That’s right.
And can you guess what might be the OS on them? :)

Vahis


Most of these bots try to hack at port 22 and cannot be bothered to scan for higher ports that may be open.

So something else you can do is change your SSH port.

It’s not full security, but it has surprising success in dramatically reducing the number of hack attempts. I saw my hack attempts go from hundreds every day to not one attempt since (in over 1 year) after I did some port remapping.

For example, on your router, close port 22 and open, say, port 30001 to point to port 22 on your PC. That way, for you to access your PC via SSH you need to direct your SSH applications to go to port 30001, and your router will redirect you to port 22 on your PC.

Let’s say that is PC#1 and you have 3 PCs on your home LAN. Then you could map port 30002 on your router to PC#2’s port 22, and map port 30003 on your router to PC#3’s port 22.

There are also many other security measures one could do. You appear to be well on top of this with the software you have applied and are considering.

What OldCPU said. We haven’t had a single attack in over a year, either, since we changed our SSH port numbers.

On Sun, 17 Jan 2010 07:06:01 +0000, mmarif4u wrote:

> Hi,
> Just for the knowledge, can you redirect to any tutorial or information,
> how to use keys instead of passwords.

The way I do it is by modifying /etc/ssh/sshd_config: just change the
option PasswordAuthentication to “no”.

Then use ssh-keygen to generate a key (if you haven’t already done so)
and put the public key that’s generated (id_rsa.pub is the file it’s
stored in by default) in the target system’s authorized_keys file.

Jim


I had the same issue with my home server. I was getting hit big time on port 22. I moved it to an obscure port number and that was the end of it.

I also disallowed root login, also in the previously mentioned config file. That way, if I did get hacked, they would be stuck in a user-level account and would then have to start looking for the root password.

Keys are probably best but if you are at a different computer away from home you can’t get in yourself - right?

Even better than setting PermitRootLogin no is to restrict AllowUsers to the minimum set.
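The sshd_config changes recommended across the thread (PasswordAuthentication no, a key in authorized_keys, PermitRootLogin no, AllowUsers, a non-default Port) are easy to get subtly wrong, because sshd keeps the first value it reads for each keyword and anything after a Match line applies only inside that block. The following is an added example, not code from the thread or from OpenSSH: a small audit that parses a config the way sshd does and reports which of those settings are still at their weak value. Both config samples are constructed; the user name and port are placeholders. One caveat beyond what the thread says, included as a check: with UsePAM yes, ChallengeResponseAuthentication (keyboard-interactive) still accepts a password through PAM even when PasswordAuthentication is no, so it must be turned off as well. Note that moving the port is reported separately as a visibility measure, not as authentication hardening.

```python
"""Audit the sshd_config settings discussed in the thread, honouring
sshd's first-value-wins rule and ignoring Match blocks for global settings."""
import re

# Constructed sample: a stock-looking config where a hardening line was appended
# at the bottom. sshd keeps the FIRST PasswordAuthentication value, so it stays on.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
UsePAM yes
PasswordAuthentication yes
# appended later in the hope of disabling passwords; the line above wins
PasswordAuthentication no
"""

# Constructed sample: the thread's recommendations plus the PAM caveat.
# 'reggie' and 30001 are placeholders. The Match block re-enables passwords
# only for the LAN and must not count as the global setting.
HARDENED_CONFIG = """\
Port 30001
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers reggie
UsePAM yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Defaults sshd used for these keywords when nothing is set (OpenSSH 5.x era).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "allowusers": "",
}


def parse_sshd_config(text):
    """Global section only: keywords are case-insensitive, the first occurrence
    of a keyword wins, and parsing stops at the first 'Match' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)      # first value wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is still possible")
    if cfg["challengeresponseauthentication"].lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM keyboard-interactive "
                        "can still accept a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: key logins will fail")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}': root is a direct target")
    if not cfg["allowusers"]:
        findings.append("AllowUsers is unset: every local account is a valid login target")
    if cfg["port"] == "22":
        findings.append("Port 22: still visible to bots that only probe the default port "
                        "(obscurity, not a substitute for the checks above)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(text) or "ok")
```

After editing the real file, `sshd -t` checks the syntax and the settings can be confirmed on the server with `sshd -T`, which prints the effective values rather than the file text; keep an existing session open while restarting sshd so a mistake does not lock you out.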

On Tue, 19 Jan 2010 03:06:01 +0000, etch wrote:

> Keys are probably best but if you are at a different computer away from
> home you can’t get in yourself - right?

Yes, unless you’ve taken your key with you.

Jim

Ohhhhhhhhh! Cool! I’ll have to remember that.

On Wed, 20 Jan 2010 02:06:01 +0000, etch wrote:

> Ohhhhhhhhh! Cool! I’ll have to remember that.

Just don’t lose it - or if you do, don’t forget to regen your private
key. :)

Jim


Or call somebody at home to read out the key to you. lol!