Re: [gentoo-user] Usernames in ssh attacks
Paul Hartman wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck johan.bluecr...@gmail.com wrote:
>> I've always had usernames when it comes to sshd's log entries in auth.log, like the following:
>>
>> time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address
>
> Well, I don't use PAM, just key-based authentication only, so I always see only the IP getting rejected since it doesn't even give them a place to try a user/password :)
>
> It's just weird that it is refusing a connection from u...@domain rather than simply the IP. I guess they could be trying to ssh u...@myhost.net or something.
>
> The one with [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is interesting. I wonder what that's all about.

I too use only PubKey, but they need to send a username so ssh knows where to look for the public key. Your two options boil down to

1) install fail2ban (I installed it on all of my external ssh boxes and I love it)
2) change the ssh port to something other than 22 (Security by Obscurity, but it frees up your logs so you can see real problems).

The two may be mutually exclusive, as I'm not sure if you can tweak fail2ban's ssh rules to monitor another port. I just chalk it up as log spam unless I see definite bad patterns. But again, with public key access only and banning root from logging in via ssh, I don't think anybody is getting far unless there is a flaw in ssh.

-- 
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
Re: [gentoo-user] Usernames in ssh attacks
On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin freak4u...@gmail.com wrote:
> Paul Hartman wrote:
>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck johan.bluecr...@gmail.com wrote:
>>> I've always had usernames when it comes to sshd's log entries in auth.log, like the following:
>>>
>>> time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address
>>
>> Well, I don't use PAM, just key-based authentication only, so I always see only the IP getting rejected since it doesn't even give them a place to try a user/password :)
>>
>> It's just weird that it is refusing a connection from u...@domain rather than simply the IP. I guess they could be trying to ssh u...@myhost.net or something.
>>
>> The one with [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is interesting. I wonder what that's all about.
>
> I too use only PubKey, but they need to send a username so ssh knows where to look for the public key. Your two options boil down to
>
> 1) install fail2ban (I installed it on all of my external ssh boxes and I love it)
> 2) change the ssh port to something other than 22 (Security by Obscurity, but it frees up your logs so you can see real problems).
>
> The two may be mutually exclusive, as I'm not sure if you can tweak fail2ban's ssh rules to monitor another port. I just chalk it up as log spam unless I see definite bad patterns. But again, with public key access only and banning root from logging in via ssh, I don't think anybody is getting far unless there is a flaw in ssh.

Oh, I am not concerned about the attacks. I just thought it was weird that I saw u...@domain when I normally see only IP or only domain. They are already refused connection, as the log shows :)

Thanks,
Paul
Re: [gentoo-user] Usernames in ssh attacks
Paul Hartman wrote:
> On Fri, Mar 20, 2009 at 7:25 AM, Eric Martin freak4u...@gmail.com wrote:
>> Paul Hartman wrote:
>>> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck johan.bluecr...@gmail.com wrote:
>>>> I've always had usernames when it comes to sshd's log entries in auth.log, like the following:
>>>>
>>>> time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address
>>>
>>> Well, I don't use PAM, just key-based authentication only, so I always see only the IP getting rejected since it doesn't even give them a place to try a user/password :)
>>>
>>> It's just weird that it is refusing a connection from u...@domain rather than simply the IP. I guess they could be trying to ssh u...@myhost.net or something.
>>>
>>> The one with [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is interesting. I wonder what that's all about.
>>
>> I too use only PubKey, but they need to send a username so ssh knows where to look for the public key. Your two options boil down to
>>
>> 1) install fail2ban (I installed it on all of my external ssh boxes and I love it)
>> 2) change the ssh port to something other than 22 (Security by Obscurity, but it frees up your logs so you can see real problems).
>>
>> The two may be mutually exclusive, as I'm not sure if you can tweak fail2ban's ssh rules to monitor another port. I just chalk it up as log spam unless I see definite bad patterns. But again, with public key access only and banning root from logging in via ssh, I don't think anybody is getting far unless there is a flaw in ssh.
>
> Oh, I am not concerned about the attacks. I just thought it was weird that I saw u...@domain when I normally see only IP or only domain. They are already refused connection, as the log shows :)
>
> Thanks,
> Paul

Yeah, after I read your message I realized that I didn't quite answer your question. Somebody mentioned they probably configured the DNS PTR record incorrectly, which is my guess.

-- 
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
[gentoo-user] Usernames in ssh attacks
In my ssh logs this morning I noticed a couple login attempts with usernames on them... I've never seen that before. It is usually just an IP address.

Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66

weird... maybe the bad guys are up to something new.
Re: [gentoo-user] Usernames in ssh attacks
I've always had usernames when it comes to sshd's log entries in auth.log, like the following:

time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address

On 3/19/09, Paul Hartman paul.hartman+gen...@gmail.com wrote:
> In my ssh logs this morning I noticed a couple login attempts with usernames on them... I've never seen that before. It is usually just an IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

-- 
For security reasons, all text in this mail is double-rot13 encrypted.
Re: [gentoo-user] Usernames in ssh attacks
On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck johan.bluecr...@gmail.com wrote:
> I've always had usernames when it comes to sshd's log entries in auth.log, like the following:
>
> time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address

Well, I don't use PAM, just key-based authentication only, so I always see only the IP getting rejected since it doesn't even give them a place to try a user/password :)

It's just weird that it is refusing a connection from u...@domain rather than simply the IP. I guess they could be trying to ssh u...@myhost.net or something.

The one with [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is interesting. I wonder what that's all about.
Re: [gentoo-user] Usernames in ssh attacks
On Thu, 19 Mar 2009 10:43:13 -0500 Paul Hartman paul.hartman+gen...@gmail.com wrote:
> On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck johan.bluecr...@gmail.com wrote:
>> I've always had usernames when it comes to sshd's log entries in auth.log, like the following:
>>
>> time hostname sshd[5926]: error: PAM: Authentication failure for username from ip-address
>
> Well, I don't use PAM, just key-based authentication only, so I always see only the IP getting rejected since it doesn't even give them a place to try a user/password :)
>
> It's just weird that it is refusing a connection from u...@domain rather than simply the IP. I guess they could be trying to ssh u...@myhost.net or something.
>
> The one with [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is interesting. I wonder what that's all about.

My $.02:

perl -MMIME::Base64 -e 'print decode_base64("U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=")'
Salted__`�fT�,BI~���!2 :'���9

I'm no expert, so Google led me to OpenSSL's command-line enc utility:

echo U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo= | openssl enc -d -base64 -a -idea
enter idea-cbc decryption password:

... or like that. Seems like an attempt to send user and password together. I suppose if you know what are possible user/pass combos on your system, and can suss the crypt type from the signature (I've no idea if possible), you can see if it's a real hack attempt.

It is interesting, I think... but I'm just guessing. ;-)

Cheers,

-- 
Michael Higgins
michael.higgins[at]evolone[dot]org
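The decode step Michael describes, carried out as an added example (not code from anyone in the thread): it pulls the client field out of the "refused connect from" lines, splits off anything before the "@", strictly base64-decodes it and checks for the "Salted__" magic that OpenSSL's enc writes ahead of an 8-byte salt, so a log reviewer can tell a plain username from an OpenSSL-style blob without guessing at passwords. The sample log lines are constructed from the ones quoted in the thread; the username "someuser" is made up and the base64 token is the case-preserved form Paul quoted.

```python
import base64
import binascii
import re

# OpenSSL's `enc` writes password-based ciphertext as the 8-byte magic "Salted__",
# an 8-byte salt, then the cipher blocks; without the password nothing is decryptable.
OPENSSL_MAGIC = b"Salted__"

# Matches the "refused connect from <client>" lines quoted in the thread;
# the client field may look like "host", "user@host" or "[user@host".
REFUSED_RE = re.compile(r"refused connect from \[?(?P<client>\S+)")

# Constructed sample log modelled on the thread's lines: the first username is made up;
# the base64 token is the case-preserved form quoted later (the log lower-cases/truncates it).
SAMPLE_LOG = [
    "Mar 18 20:19:48 [sshd] refused connect from someuser@dns.cablecentro.net.co",
    "Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107",
    "Mar 18 23:44:44 [sshd] refused connect from [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=@211.116.136.107",
    "Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66",
]

def split_client(client):
    """Split a 'user@host' client field into (user, host); user is None if absent."""
    user, sep, host = client.rpartition("@")
    return (user if sep else None, host)

def inspect_openssl_blob(token):
    """Strictly base64-decode a token and, if it starts with OpenSSL's salted header,
    return its salt and ciphertext; None if it is not such a blob."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 16 or not raw.startswith(OPENSSL_MAGIC):
        return None
    return {"salt": raw[8:16], "ciphertext": raw[16:], "total_len": len(raw)}

def triage(log_lines):
    """Per 'refused connect' line: host, the user field, and whether that field
    is an OpenSSL-style salted blob rather than a plain username."""
    results = []
    for line in log_lines:
        m = REFUSED_RE.search(line)
        if not m:
            continue
        user, host = split_client(m.group("client"))
        blob = inspect_openssl_blob(user) if user else None
        results.append({"host": host, "user": user, "openssl_blob": blob})
    return results
```

For the token in the thread the decoded length is 32 bytes: 8 of magic, 8 of salt and a single 16-byte block of ciphertext, which is all that can be said about it without the password.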
RE: [gentoo-user] Usernames in ssh attacks
> In my ssh logs this morning I noticed a couple login attempts with usernames on them... I've never seen that before. It is usually just an IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmas...@dns.cablecentro.net.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP.

Are you running Fail2ban or similar?

Rgs,
Adam