too many illegal connection attempts through ssh - FreeBSD

[Edwin]

hello,

shown below is snapshot of too many illegal attempts to login to my
server from a suspicious hacker. this is taken from the
"/var/log/auth.log". my question is, how do i automatically block an
IP address if it is attempting to guess my login usernames? can i
configure the firewall to check the instances a certain IP has
attempted to access/ssh the sevrer, and if it has failed to login for
about "x" number of attempts, it will be blocked automatically?

thank you in advance!

-edwin

----------------
Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46
Mar 26 22:49:37 pawikan sshd[66643]: Illegal user admin from 211.176.33.46
Mar 26 22:49:40 pawikan sshd[66645]: Illegal user user from 211.176.33.46
Mar 26 22:49:50 pawikan sshd[66654]: Illegal user test from 211.176.33.46
Mar 27 02:50:12 pawikan sshd[69369]: Illegal user test from 210.0.141.89
Mar 27 02:50:14 pawikan sshd[69463]: Illegal user guest from 210.0.141.89
Mar 27 02:50:15 pawikan sshd[69650]: Illegal user admin from 210.0.141.89
Mar 27 02:50:17 pawikan sshd[69745]: Illegal user admin from 210.0.141.89
Mar 27 02:50:18 pawikan sshd[69858]: Illegal user user from 210.0.141.89
Mar 27 02:50:24 pawikan sshd[70319]: Illegal user test from 210.0.141.89
Mar 27 04:10:58 pawikan sshd[5171]: Illegal user test from 218.188.9.202
Mar 27 04:10:59 pawikan sshd[5173]: Illegal user guest from 218.188.9.202
Mar 27 04:11:00 pawikan sshd[5175]: Illegal user admin from 218.188.9.202
Mar 27 04:11:01 pawikan sshd[5190]: Illegal user admin from 218.188.9.202
Mar 27 04:11:02 pawikan sshd[5192]: Illegal user user from 218.188.9.202
Mar 27 04:11:07 pawikan sshd[5200]: Illegal user test from 218.188.9.202
Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification
string from 61.59.143.27
Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 61.59.143.27
Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 61.59.143.27
Mar 27 12:23:11 pawikan sshd[13486]: Illegal user nicole from 61.59.143.27
Mar 27 12:23:14 pawikan sshd[13488]: Illegal user daniel from 61.59.143.27
Mar 27 12:23:18 pawikan sshd[13490]: Illegal user andrew from 61.59.143.27
Mar 27 12:23:21 pawikan sshd[13492]: Illegal user nathan from 61.59.143.27
Mar 27 12:23:25 pawikan sshd[13494]: Illegal user matthew from 61.59.143.27
Mar 27 12:23:29 pawikan sshd[13496]: Illegal user magic from 61.59.143.27
Mar 27 12:23:33 pawikan sshd[13498]: Illegal user lion from 61.59.143.27
Mar 27 12:23:37 pawikan sshd[13500]: Illegal user david from 61.59.143.27
Mar 27 12:23:41 pawikan sshd[13502]: Illegal user jason from 61.59.143.27
Mar 27 12:23:45 pawikan sshd[13504]: Illegal user ben from 61.59.143.27
Mar 27 12:23:49 pawikan sshd[13506]: Illegal user carmen from 61.59.143.27
Mar 27 12:23:53 pawikan sshd[13510]: Illegal user justin from 61.59.143.27
Mar 27 12:23:57 pawikan sshd[13512]: Illegal user charlie from 61.59.143.27
Mar 27 12:24:02 pawikan sshd[13514]: Illegal user steven from 61.59.143.27
Mar 27 12:24:06 pawikan sshd[13517]: Illegal user brandon from 61.59.143.27
Mar 27 12:24:09 pawikan sshd[13519]: Illegal user brian from 61.59.143.27
Mar 27 12:24:13 pawikan sshd[13521]: Illegal user stephen from 61.59.143.27
Mar 27 12:24:17 pawikan sshd[13523]: Illegal user william from 61.59.143.27
Mar 27 12:24:21 pawikan sshd[13525]: Illegal user angel from 61.59.143.27
Mar 27 12:24:27 pawikan sshd[13527]: Illegal user emily from 61.59.143.27
Mar 27 12:24:31 pawikan sshd[13529]: Illegal user eric from 61.59.143.27
Mar 27 12:24:36 pawikan sshd[13531]: Illegal user joe from 61.59.143.27
Mar 27 12:24:39 pawikan sshd[13533]: Illegal user tom from 61.59.143.27
Mar 27 12:24:43 pawikan sshd[13535]: Illegal user billy from 61.59.143.27
Mar 27 12:24:47 pawikan sshd[13537]: Illegal user buddy from 61.59.143.27
Mar 27 12:24:50 pawikan sshd[13540]: Illegal user jeremy from 61.59.143.27
Mar 27 12:24:54 pawikan sshd[13542]: Illegal user vampire from 61.59.143.27
Mar 27 12:24:57 pawikan sshd[13544]: Illegal user betty from 61.59.143.27
Mar 27 12:25:00 pawikan sshd[13546]: Illegal user henry from 61.59.143.27
Mar 27 12:25:04 pawikan sshd[13749]: Illegal user max from 61.59.143.27
Mar 27 12:25:07 pawikan sshd[14024]: Illegal user nicholas from 61.59.143.27
Mar 27 12:25:11 pawikan sshd[14336]: Illegal user robin from 61.59.143.27
Mar 27 12:25:15 pawikan sshd[14644]: Illegal user system from 61.59.143.27
Mar 27 12:25:18 pawikan sshd[14904]: Illegal user johnny from 61.59.143.27
Mar 27 12:25:22 pawikan sshd[15221]: Illegal user lucy from 61.59.143.27
Mar 27 12:25:26 pawikan sshd[15521]: Illegal user market from 61.59.143.27
Mar 27 12:25:32 pawikan sshd[15673]: Illegal user lp from 61.59.143.27
Mar 27 12:25:37 pawikan sshd[15675]: Illegal user maria from 61.59.143.27
Mar 27 12:25:42 pawikan sshd[15677]: Illegal user rose from 61.59.143.27
Mar 27 12:25:47 pawikan sshd[15679]: Illegal user mail from 61.59.143.27
Mar 27 12:25:52 pawikan sshd[15681]: Illegal user god from 61.59.143.27
Mar 27 12:25:56 pawikan sshd[15683]: Illegal user barbara from 61.59.143.27
Mar 27 12:26:05 pawikan sshd[15688]: Illegal user larisa from 61.59.143.27
Mar 27 12:26:10 pawikan sshd[15690]: Illegal user shell from 61.59.143.27
Mar 27 12:26:15 pawikan sshd[15692]: Illegal user jane from 61.59.143.27
Mar 27 12:26:19 pawikan sshd[15694]: Illegal user dog from 61.59.143.27
Mar 27 12:26:23 pawikan sshd[15696]: Illegal user blue from 61.59.143.27

--
--
Edwin D. Viñas
http://www.geocities.com/edwin_vinas/
IN THE WORLD OF SCIENCE,
NOTHING IS IMPOSSIBLE.
--

[Joshua]

On Wednesday 06 April 2005 00:15, "Edwin D. Vinas" <com>
wrote: 

The easiest way to fix this problem most of the time is just change the
ssh port to something else, like a high numbered port that's otherwise
unassigned.
 

Yes, the best way to deal with this is through the firewall rather than
sshd, if you still get people hammering away at your ssh port even
after you change it. What are you using? You might want to check in
chapter 24 of the handbook ...

- jt

[Rob]

Edwin D. Vinas wrote: 

My solution is not full proof, but appears to be good
enough to stop these bulk attacks on my server. I use
a combination of firewall & alternative sshd port.

For example, in /etc/rc.conf, I have:
sshd_enable="YES"
sshd_flags="-p 22 -p 1234"

(choose 1234 whatever alternative port number you
prefer)

Then add two tcp rules to your firewall:

ipfw add allow log tcp from 55.44.33.22/11 to \
${oip} ssh in via ${oif} setup
ipfw add allow log tcp from any to ${oip} 1234 \
in via ${oif} setup

where "55.44.33.22/11" represents your, more or less,
trusted nearby network, ${oip} your outbound IP and
${oif} your outbound interface (e.g. rl0).
I suppose you're familiar enough with firewall rules.

These firewall rules allow 'regular' ssh connections
only from within your nearby network; all other
parties must connect over the alternative port number,
1234 in this example.

Regards,
Rob.



__________________________________
Do you Yahoo!?
Yahoo! Sports - Sign up for Fantasy Baseball.
http://baseball.fantasysports./

[Erik]

Edwin D. Vinas wrote: 

This question is asked on the list ever so often - see the archives for
suggestions. These are automated attacks, they come regularly as
crackers, black hats or script kidies scan across the net.

You can avoid the automated scanning by chaning port, but this won't
stop the determined cracker - he will scan all your ports and identify
which services are running on which ports.

Ask yourself a few questions:

* Do you need to allow ssh from anywhere? If not, restrict to the
relevant ip blocks.

* Do you need to allow password based authentication? If not, disable it
and use only ssh keys, in sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

* Do all users need to have ssh access? If not, restrict to specific
groups of users, in sshd_config, eg:

AllowGroups staff

* Is it a problem appart from the log messages? Trying to login with a
nonexistent username is usually not a problem.

Other tips: Disable ssh1, reduce the number of simultaneous non-authen-
ticated connections, set timeouts etc.

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22 :DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73 :25:67:C2

[Emanuel]

Am Mittwoch, 6. April 2005 12:07 schrieb Erik Nørgaard: 
>
> This question is asked on the list ever so often - see the archives for
> suggestions. These are automated attacks, they come regularly as
> crackers, black hats or script kidies scan across the net.[/ref]

Does anybody know what robots beeing used? And on what systems? All you
mention later in your posting is true of course and I needn't care about
these logs, but it's like like somebody unknown puts 10 flyers in your
letterbox every night. I'm sure, one night you'll hide and build a trap for
that person. I'm too lazy to enter those net-circles for finding these
robots, but maybe some other has already done that?

-Harry
 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCU+soBylq0S4AzzwRAi4FAJ0aUw/EhRjY1g0mJpQMqfUg4aV9mgCfTc0Z
22S2qUrgjlyCDKSAzFMJBbs=
=NyNb
-----END PGP SIGNATURE-----

[Joshua]

On Wednesday 06 April 2005 06:58, Emanuel Strobl
<net> wrote: 
> >
> > This question is asked on the list ever so often - see the archives
> > for suggestions. These are automated attacks, they come regularly
> > as crackers, black hats or script kidies scan across the net.[/ref]
>
> Does anybody know what robots beeing used? And on what systems? All
> you mention later in your posting is true of course and I needn't
> care about these logs, but it's like like somebody unknown puts 10
> flyers in your letterbox every night. I'm sure, one night you'll hide
> and build a trap for that person. I'm too lazy to enter those
> net-circles for finding these robots, but maybe some other has
> already done that?[/ref]

It's painfully easy to write a script which checks for the existence of
ssh on all the IPs in an IP block, at least if all you're checking is
port 22. A lot of these guys just write a bot which does that and sends
the "live" IPs back to someone, either the originator or another bot,
which then will do things like dictionary attack each one. You have
tools in ports which can serve as the vehicle to do this - nmap is an
oldie but a goodie. Don't misunderstand - it's also a security tool.

This type of attack is pretty old, actually, it's just now more people
are online on bigger pipes, so there are thousands (millions?) of
zombied computers due to the more recent trojan horses and worms which
are unwitting accomplices to this sort of thing. It's much harder to
trace now. All you need is a bunch of zombies, maybe a proxy or three
and an irc bot. You have a massive scanning machine with quite a bit of
distributed computing power, which isn't easily traceable. The way to
avoid it is to not be an obvious target, and not allow password logins
at all.

- jt

[Philip]

>>>> shown below is snapshot of too many illegal attempts to login to 
>>
>> Does anybody know what robots beeing used? And on what systems? All
>> you mention later in your posting is true of course and I needn't
>> care about these logs, but it's like like somebody unknown puts 10
>> flyers in your letterbox every night. I'm sure, one night you'll hide
>> and build a trap for that person. I'm too lazy to enter those
>> net-circles for finding these robots, but maybe some other has
>> already done that?[/ref][/ref]

I haven't done that, but if you don't like them you can block them fairly
easily... I wrote a little script in PHP (not that it would be hard to
re-write in perl or whatever) that watches /var/log/auth.log and if it
sees an invalid login, it adds a firewall rule to block that IP.

Then I've got a separate cronjob that removes those firewall rules a
couple minutes later.

Yes, I have locked myself out of my own server when I mistype my password,
but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put
it into a pipe that limited it's bandwidth to almost nil just to hold the
thing up a bit, but this works for me..

http://www.pjkh.com/sshmonitor/

-philip