SSH brute force attacks are very common - we get several a week. There
are various methods for stopping them - a summary is in:
http://www.security-hacks.com/2007/05/23/protecting-against-ssh-brute-force-attacks
I suggest the following:
1. configure ssh to block all users apart from those you define - either
define the users or have an sshusers group. Don't put any default
accounts in here such as admin, sales, games - these regularly occur on
in the brute force attacks.
2. users should not have easy usernames like fred, mary - these are
usually on the guessing lists. firstnamesurname increases the options
they have to try. From reading the logs of brute force attacks the user
names are normally easy guesses based on default accounts or firstnames.
3. User passwords should meet minimum standards of letters, numbers,
minsize, other characters.
4. Don't allow root to log in via SSH - root is the most commonly used
name for SSH brute force attacks. If you must have root access set up
access via an RSA key. If possible get everyone using RSA keys and
switch off password logins altogether.
5. Use one of the blocking methods such as iptables rate limiting. They
invariably don't come back after being blocked once. You could use the
iptables method coupled with one of the log scanning methods for an
extra layer of defence.
One example is at:
http://blog.andrew.net.au/2005/02/16
6. If its convenient switch to a different port - the brute force
attackers just scan blocks of IP addresses at port 22 - if you are using
port 22 you are much less likely to be scanned.
Finally - don't panic - they are looking for easy targets, if you make
their life hard they go away. I rarely see the same IP address come back
after they have been blocked for a few minutes - they just move on.
Kevin.
Jochen Schulz wrote:
Norman Bird:
I decided to check the auth.log and started freaking out because I saw alot
of POSSIBLE BREAK-IN lines.
It says "possible break-in *attempt*". But either way, it is harmless.
And, by the way: do you think a smart attacker who gained root on your
machine would leave traces in the logs? I doubt it.
then I saw roon loging in so I was panicking.
Don't panic. :)
But as I really reviewed them it seems that the actual root logins were by
CRON and the nobody logins were system related. Please look this over and
give any advice and particularily what should I do.
You don't need to do anything.
Somewhere online said I should "boot with a root kit checker", feel free to
advise on this.
Root kit checkers, just as anti-virus programs, cannot reliably detect
anything. They report false positives as well as false negatives. But
the idea to boot from a known good medium is a good one. *If* your
system has been attacked successfully, you should never trust it to
report it to you. You always have to use another one.
I do need to log in via putty via ssh alot so I cant totally disable it. I
will beef up my password now and maybe change the port, but I need input on
that please, or a good site.
Search for a howto on public key authentication. It's well documented
and protects your SSH server from all those password brute force
attacks.
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user
root
Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user
root
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string
from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo
for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser=
rhost=66.212.18.86 user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from
66.212.18.86 port 41396 ssh2
Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo
for alpha57.wqpax.net failed - POSSIBLE BREAK-IN
ATTEMPT! rhost=66.212.18.86
then there is this, but it looks system related i think:
Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user
root
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user
root
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user
root
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user
nobody
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user
nobody
Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user
nobody
Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user
nobody by (uid=0)
Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user
nobody
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user
root
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user
root
Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user
root by (uid=0)
Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user
root by (uid=0)
Is there another log that would show a definate successful breakin?
thanks
Norm
