Re: What to do with a constant flow of attempts to login to my computer?
On Sunday 03 January 2010, Gabor Szabo wrote:
> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
>
> Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2

In addition to moving away from port 22, you can run a script such as denyhosts - http://denyhosts.sourceforge.net/

--y

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
RE: What to do with a constant flow of attempts to login to my computer?
Hi Gabor,

Moving sshd off port 22 to any non-standard port worked fine for me. Most attacks are too lazy to do a full portscan, so if they don't find the default port open, they just move to the next host.

Of course, this is assuming that the attack chose you at random. If it's a targeted attack, this won't help very much...

Cheers,
Rony

-----Original Message-----
From: linux-il-boun...@cs.huji.ac.il [mailto:linux-il-boun...@cs.huji.ac.il] On Behalf Of Gabor Szabo
Sent: Sunday, January 03, 2010 4:34 PM
To: linux-il
Subject: What to do with a constant flow of attempts to login to my computer?

I just noticed someone bombarding my machine trying to login via ssh.
From auth.log

Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan 3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan 3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan 3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user unknown
Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan 3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan 3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2

So what is your suggestion. What to do with it?

Gabor
Re: What to do with a constant flow of attempts to login to my computer?
This is so common these days; I heard years ago of people filtering out such messages.

Just check your machine carefully - I once had a break-in that was caused by a stupid chain of mistakes: I switched sshd to listen on its default port (22) for some time (instead of some arbitrary port as it used to be) + router forwarded 22 connections to the linux machine (as needed for SSH to work) + yes, there was a little issue of a test user I once created, named test with password test... Voila! A robot sounded the bingo! alarm somewhere... I had to reinstall my machine (which wasn't that bad, but still...).

Lesson? Carefully check your machine's entry points and, as much as you can, try not to assume things to be in a certain status before checking (like "I don't have stupid test users on machines" - check your configured users), as that can fail you. In other words - don't presume anything. Check it, to evaluate your status.

Boaz.

On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo szab...@gmail.com wrote:
> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
> [...]
> So what is your suggestion. What to do with it?
>
> Gabor
Re: What to do with a constant flow of attempts to login to my computer?
A few suggestions:

1. After 3 unsuccessful logins knock the user out (no matter who the user is).
2. Ban the IP in iptables. You can see it's the same IP all the time. This IP is from the Philippines: http://www.dnsstuff.com/tools/ipall/?tool_id=67token=toolhandler_redirect=0ip=202.138.142.216
3. Check if you happen to have root login via ssh and disable it, in case this option appears. Check the ssh.conf options.
4. Moving to a port other than 22 is good practice, but in this case they scan your ports, so it won't help.

On Sun, Jan 3, 2010 at 4:34 PM, Gabor Szabo szab...@gmail.com wrote:
> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
> [...]
> So what is your suggestion. What to do with it?
>
> Gabor
Re: What to do with a constant flow of attempts to login to my computer?
To add to my list:

* Verify there are as few users as possible on the machine. Unused user? Either purge or disable (login shell set to /bin/false or the like; home dir set to /not/here).
* Verify that users on the machine do not have easy-to-guess passwords.
* Indeed move sshd to listen on its NON-default port.
* Shut down and remove any unneeded software/services, including and specifically any web applications that are not used.
* Keep your installed applications updated and keep an eye on software updates. I once had an unsuccessful break-in attempt that was trying to exploit some bug in a webmail application that was not used. The bug was two weeks old at the time.

Both of the break-in cases I described were on my 24/7 home machine I had running for years (but not anymore), not some high-traffic IP address, so this is rather common these days.

Boaz.

On Sun, 03 Jan 2010 09:51:05 -0500, Boaz Rymland b...@rymland.com wrote:
> This is so common these days; I heard years ago of people filtering out such messages.
> [...]
> In other words - don't presume anything. Check it, to evaluate your status.
>
> Boaz.
>
> On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo szab...@gmail.com wrote:
>> I just noticed someone bombarding my machine trying to login via ssh.
>> From auth.log
>> [...]
>> So what is your suggestion. What to do with it?
>>
>> Gabor
Re: What to do with a constant flow of attempts to login to my computer?
Hi,

Simple answer:

apt-get install denyhosts

Then set up the config file according to your needs and run this daemon. When someone passes the threshold, it will be added to /etc/hosts.deny and will be blocked.

You might want to complain about the abuser to this IP holder (Digitel Philippines), by sending an email to ne...@digitelone.com - they are in charge of the IP you're mentioning.

Hetz

On Sun, Jan 3, 2010 at 4:34 PM, Gabor Szabo szab...@gmail.com wrote:
> I just noticed someone bombarding my machine trying to login via ssh.
> From auth.log
> [...]
> So what is your suggestion. What to do with it?
>
> Gabor

--
my blog (hebrew): http://benhamo.org
Skype: heunique
MSN: hetz-b...@benhamo.org
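The "knock them out after 3 failures" suggestion above and Hetz's denyhosts answer both come down to the same bookkeeping: count failed sshd logins per source address in auth.log and emit a hosts.deny entry once a threshold is crossed. Here is that logic as an added example (not code from the thread or from denyhosts), run over sample log lines constructed from the ones Gabor quoted; the 10.0.0.5 lines and the "gabor" account are assumed so that a failure against a real account is also shown.

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log lines quoted in the thread;
# the 10.0.0.5 lines and the "gabor" account are assumptions added here.
SAMPLE_AUTH_LOG = """\
Jan  3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan  3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan  3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
Jan  3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan  3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan  3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
Jan  3 06:32:10 s6 sshd[22790]: Failed password for gabor from 10.0.0.5 port 50000 ssh2
Jan  3 06:32:30 s6 sshd[22791]: Accepted publickey for gabor from 10.0.0.5 port 50001 ssh2
"""

# Only the "Failed password" line is counted: the "Invalid user" and pam_unix
# lines describe the same attempt and would make one failure count as three.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Yield (user, ip, account_exists) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["invalid"] is None

def failures_per_ip(log_text):
    """Number of failed attempts per source address."""
    return Counter(ip for _, ip, _ in parse_failures(log_text))

def failures_against_real_accounts(log_text):
    """Failures where the username exists locally; these deserve a closer look."""
    return Counter((user, ip) for user, ip, exists in parse_failures(log_text) if exists)

def hosts_deny_entries(log_text, threshold=3):
    """hosts.deny lines for sources at or above the threshold, as denyhosts writes them."""
    return [f"sshd: {ip}" for ip, n in sorted(failures_per_ip(log_text).items()) if n >= threshold]

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_AUTH_LOG):
        print(entry)
    for (user, ip), n in failures_against_real_accounts(SAMPLE_AUTH_LOG).items():
        print(f"{n} failure(s) for existing account {user!r} from {ip}")
```

A real deployment would read /var/log/auth.log incrementally and append only new entries to /etc/hosts.deny; the functions above are the part worth checking against your own log format.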