SSHD: Break-in attempts

Hi everyone,

I have been using for some time the FreeNX to be able to remotely connect from work to my home desktop, which runs openSUSE 10.3. Of course for that I have kept running the SSHD service on my desktop, with the default port to 22.

As I looked today in the syslog (/var/log/messages), I have seen numerous break-in attempts, some IPs consistently trying out various usernames for the SSH login. This is an extract from the log:

Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
Jun 27 23:32:25 linux-0l38 sshd[13783]: Invalid user newsroom from 67.171.151.126
Jun 27 23:32:35 linux-0l38 sshd[13819]: Invalid user magazine from 67.171.151.126
Jun 27 23:32:49 linux-0l38 sshd[13863]: Invalid user research from 67.171.151.126
Jun 27 23:32:56 linux-0l38 sshd[13889]: Invalid user cjohnson from 67.171.151.126
Jun 27 23:33:05 linux-0l38 sshd[13902]: Invalid user export from 67.171.151.126
Jun 27 23:33:14 linux-0l38 sshd[13909]: Invalid user photo from 67.171.151.126
Jun 27 23:33:28 linux-0l38 sshd[13919]: Invalid user gast from 67.171.151.126
Jun 27 23:33:39 linux-0l38 sshd[13932]: Invalid user murray from 67.171.151.126
Jun 27 23:33:46 linux-0l38 sshd[13939]: Invalid user falcon from 67.171.151.126
Jun 27 23:33:58 linux-0l38 sshd[13958]: Invalid user fly from 67.171.151.126
Jun 27 23:34:13 linux-0l38 sshd[13962]: Invalid user gerry from 67.171.151.126

I also found a different type of attack:

Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
Jun 17 05:07:45 linux-0l38 sshd[16884]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134

Now I’m not sure I should be really worried about this, but for the moment I shut down the SSHD service and what I really would like to do is to create some rules in the firewall to deal with these threats, something like “if an IP address attempts to connect 3 times and fails → put it on a blacklist”.

Here I turn to you, because I don’t know how to do that in iptables.

Thank you very much for your help,
glu

That’s pretty normal - they’re “zombies”, machines that scan the network (usually certain ports such as 21, 22, 80, 443 etc) for known vulnerabilities or try simple brute force methods to crack really weak passwords.

Best solution is to block 22, open it for IPs that are your own or change the ssh port to some random number.

Nothing to worry about.

glumetu wrote:
> Hi everyone,
>
> I have been using for some time the FreeNX to be able to remotely
> connect from work to my home desktop, which runs openSUSE 10.3. Of
> course for that I have kept running the SSHD service on my desktop,
> with the default port to 22.
>
> As I looked today in the syslog (/var/log/messages), I have seen
> numerous break-in attempts, some IPs consistently trying out various
> usernames for the SSH login. This is an extract from the log:
>
>
> Code:
> --------------------
> Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
> Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
> Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
> Jun 27 23:32:25 linux-0l38 sshd[13783]: Invalid user newsroom from 67.171.151.126
> Jun 27 23:32:35 linux-0l38 sshd[13819]: Invalid user magazine from 67.171.151.126
> Jun 27 23:32:49 linux-0l38 sshd[13863]: Invalid user research from 67.171.151.126
> Jun 27 23:32:56 linux-0l38 sshd[13889]: Invalid user cjohnson from 67.171.151.126
> Jun 27 23:33:05 linux-0l38 sshd[13902]: Invalid user export from 67.171.151.126
> Jun 27 23:33:14 linux-0l38 sshd[13909]: Invalid user photo from 67.171.151.126
> Jun 27 23:33:28 linux-0l38 sshd[13919]: Invalid user gast from 67.171.151.126
> Jun 27 23:33:39 linux-0l38 sshd[13932]: Invalid user murray from 67.171.151.126
> Jun 27 23:33:46 linux-0l38 sshd[13939]: Invalid user falcon from 67.171.151.126
> Jun 27 23:33:58 linux-0l38 sshd[13958]: Invalid user fly from 67.171.151.126
> Jun 27 23:34:13 linux-0l38 sshd[13962]: Invalid user gerry from 67.171.151.126
> --------------------
>
>
> I also found a different type of attack:
>
> Code:
> --------------------
> Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
> Jun 17 05:07:45 linux-0l38 sshd[16884]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134
> --------------------
>
>
> Now I’m not sure I should be really worried about this, but for the
> moment I shut down the SSHD service and what I really would like to do
> is to create some rules in the firewall to deal with these threats,
> something like “if an IP address attempts to connect 3 times and
> fails → put it on a blacklist”.
>
> Here I turn to you, because I don’t know how to do that in iptables.
>
> Thank you very much for your help,
> glu
>
>
You could check out denyhosts or fail2ban as they both do this. Also,
think about denying root login if you haven’t already and maybe changing
to key authentication.
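The threshold rule the original poster describes (three failed attempts from one IP, then blacklist) is essentially what denyhosts does by parsing the syslog and writing /etc/hosts.deny. The following is an added example, not code from the thread or from denyhosts: it parses the two sshd message formats shown above, counts failed logins per IP, and renders the hosts.deny entries. The sample lines are constructed from the thread's log formats; the final "Accepted publickey" line and the address 192.0.2.10 are made up to show that successful logins are ignored.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd syslog format from the thread; the last line
# (a successful key login from 192.0.2.10) is made up to show it is ignored.
SAMPLE_LOG = """\
Jun 27 23:31:53 linux-0l38 sshd[13684]: Invalid user apple from 67.171.151.126
Jun 27 23:32:04 linux-0l38 sshd[13720]: Invalid user brian from 67.171.151.126
Jun 27 23:32:11 linux-0l38 sshd[13740]: Invalid user andrew from 67.171.151.126
Jun 17 05:07:45 linux-0l38 sshd[16882]: reverse mapping checking getaddrinfo for 134.195.77.82.static.cluj.rdsnet.ro [82.77.195.134] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 17 05:07:45 linux-0l38 sshd[16882]: Invalid user roma from 82.77.195.134
Jun 17 05:07:45 linux-0l38 sshd[16884]: Invalid user gisele from 82.77.195.134
Jun 28 08:10:02 linux-0l38 sshd[14011]: Accepted publickey for glu from 192.0.2.10 port 51234 ssh2
"""

# Only the "Invalid user" line is a failed login. The "reverse mapping" warning
# that precedes it just means the client's reverse DNS did not match, so it is
# not counted; otherwise one attempt from such a host would be counted twice.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})$"
)


def failed_logins(log_text):
    """Return (failed attempts per IP, set of usernames tried per IP)."""
    attempts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return attempts, users


def offenders(log_text, threshold=3):
    """IPs with at least `threshold` failed logins, worst offender first."""
    attempts, _ = failed_logins(log_text)
    return [ip for ip, n in attempts.most_common() if n >= threshold]


def hosts_deny_lines(ips):
    """Render the TCP-wrappers entries denyhosts writes to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    counts, tried = failed_logins(SAMPLE_LOG)
    for ip in offenders(SAMPLE_LOG):
        print(f"{ip}: {counts[ip]} failures, usernames {sorted(tried[ip])}")
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

With the sample above only 67.171.151.126 reaches three failures; 82.77.195.134 stays at two, which is why the threshold matters more than the reverse-mapping warning itself.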

If your home PC is behind a router (with a firewall) then one simple approach is to close port#22 on the router, but leave port#22 open on your PC. Then in your router, map port#41001 (or some number like that) to port#22 on your PC. Most routers have a very easy menu to follow to set that up.

To ssh from work, then you simply:
ssh -X username@home-router-ip-address -p 41001

If the above was for PC#1, and you have a second (PC#2) on your home LAN, then map port#41002 (or some different number like that) to port#22 on PC#2. Then to connect to PC#2 via ssh from work, you simply:
ssh -X username@home-router-ip-address -p 41002

Also, ensure you have closed all ssh root access to your PCs.

thanks a lot for your messages!

indeed, in the meanwhile I did try denyhosts and it really does the job. I hope I have not messed up the settings since I followed a Gentoo guide, but the first time I ran it I had the /etc/hosts.deny filled with those IPs that tried to break in, so it did parse the syslog.

and of course I disallowed login to root (duh, should have done that from the very beginning)… and I do not use password to connect through SSH.

so I guess I should be pretty safe now, even though I should really consider moving to another port than 22. But ok too many changes for now, I need to let the knowledge settle in a bit :)

I understand this kind of brute force attack is pretty common and rarely successful, especially if I do the above steps.

Thank you very much for your help!

regards,
glu