
too many illegal connection attempts through ssh - FreeBSD


  1. #1

    too many illegal connection attempts through ssh

    hello,

    shown below is snapshot of too many illegal attempts to login to my
    server from a suspicious hacker. this is taken from the
    "/var/log/auth.log". my question is, how do i automatically block an
    IP address if it is attempting to guess my login usernames? can i
    configure the firewall to check the instances a certain IP has
    attempted to access/ssh the server, and if it has failed to login for
    about "x" number of attempts, it will be blocked automatically?

    thank you in advance!

    -edwin

    ----------------
    Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
    Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
    Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
    Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46
    Mar 26 22:49:37 pawikan sshd[66643]: Illegal user admin from 211.176.33.46
    Mar 26 22:49:40 pawikan sshd[66645]: Illegal user user from 211.176.33.46
    Mar 26 22:49:50 pawikan sshd[66654]: Illegal user test from 211.176.33.46
    Mar 27 02:50:12 pawikan sshd[69369]: Illegal user test from 210.0.141.89
    Mar 27 02:50:14 pawikan sshd[69463]: Illegal user guest from 210.0.141.89
    Mar 27 02:50:15 pawikan sshd[69650]: Illegal user admin from 210.0.141.89
    Mar 27 02:50:17 pawikan sshd[69745]: Illegal user admin from 210.0.141.89
    Mar 27 02:50:18 pawikan sshd[69858]: Illegal user user from 210.0.141.89
    Mar 27 02:50:24 pawikan sshd[70319]: Illegal user test from 210.0.141.89
    Mar 27 04:10:58 pawikan sshd[5171]: Illegal user test from 218.188.9.202
    Mar 27 04:10:59 pawikan sshd[5173]: Illegal user guest from 218.188.9.202
    Mar 27 04:11:00 pawikan sshd[5175]: Illegal user admin from 218.188.9.202
    Mar 27 04:11:01 pawikan sshd[5190]: Illegal user admin from 218.188.9.202
    Mar 27 04:11:02 pawikan sshd[5192]: Illegal user user from 218.188.9.202
    Mar 27 04:11:07 pawikan sshd[5200]: Illegal user test from 218.188.9.202
    Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification
    string from 61.59.143.27
    Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 61.59.143.27
    Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 61.59.143.27
    Mar 27 12:23:11 pawikan sshd[13486]: Illegal user nicole from 61.59.143.27
    Mar 27 12:23:14 pawikan sshd[13488]: Illegal user daniel from 61.59.143.27
    Mar 27 12:23:18 pawikan sshd[13490]: Illegal user andrew from 61.59.143.27
    Mar 27 12:23:21 pawikan sshd[13492]: Illegal user nathan from 61.59.143.27
    Mar 27 12:23:25 pawikan sshd[13494]: Illegal user matthew from 61.59.143.27
    Mar 27 12:23:29 pawikan sshd[13496]: Illegal user magic from 61.59.143.27
    Mar 27 12:23:33 pawikan sshd[13498]: Illegal user lion from 61.59.143.27
    Mar 27 12:23:37 pawikan sshd[13500]: Illegal user david from 61.59.143.27
    Mar 27 12:23:41 pawikan sshd[13502]: Illegal user jason from 61.59.143.27
    Mar 27 12:23:45 pawikan sshd[13504]: Illegal user ben from 61.59.143.27
    Mar 27 12:23:49 pawikan sshd[13506]: Illegal user carmen from 61.59.143.27
    Mar 27 12:23:53 pawikan sshd[13510]: Illegal user justin from 61.59.143.27
    Mar 27 12:23:57 pawikan sshd[13512]: Illegal user charlie from 61.59.143.27
    Mar 27 12:24:02 pawikan sshd[13514]: Illegal user steven from 61.59.143.27
    Mar 27 12:24:06 pawikan sshd[13517]: Illegal user brandon from 61.59.143.27
    Mar 27 12:24:09 pawikan sshd[13519]: Illegal user brian from 61.59.143.27
    Mar 27 12:24:13 pawikan sshd[13521]: Illegal user stephen from 61.59.143.27
    Mar 27 12:24:17 pawikan sshd[13523]: Illegal user william from 61.59.143.27
    Mar 27 12:24:21 pawikan sshd[13525]: Illegal user angel from 61.59.143.27
    Mar 27 12:24:27 pawikan sshd[13527]: Illegal user emily from 61.59.143.27
    Mar 27 12:24:31 pawikan sshd[13529]: Illegal user eric from 61.59.143.27
    Mar 27 12:24:36 pawikan sshd[13531]: Illegal user joe from 61.59.143.27
    Mar 27 12:24:39 pawikan sshd[13533]: Illegal user tom from 61.59.143.27
    Mar 27 12:24:43 pawikan sshd[13535]: Illegal user billy from 61.59.143.27
    Mar 27 12:24:47 pawikan sshd[13537]: Illegal user buddy from 61.59.143.27
    Mar 27 12:24:50 pawikan sshd[13540]: Illegal user jeremy from 61.59.143.27
    Mar 27 12:24:54 pawikan sshd[13542]: Illegal user vampire from 61.59.143.27
    Mar 27 12:24:57 pawikan sshd[13544]: Illegal user betty from 61.59.143.27
    Mar 27 12:25:00 pawikan sshd[13546]: Illegal user henry from 61.59.143.27
    Mar 27 12:25:04 pawikan sshd[13749]: Illegal user max from 61.59.143.27
    Mar 27 12:25:07 pawikan sshd[14024]: Illegal user nicholas from 61.59.143.27
    Mar 27 12:25:11 pawikan sshd[14336]: Illegal user robin from 61.59.143.27
    Mar 27 12:25:15 pawikan sshd[14644]: Illegal user system from 61.59.143.27
    Mar 27 12:25:18 pawikan sshd[14904]: Illegal user johnny from 61.59.143.27
    Mar 27 12:25:22 pawikan sshd[15221]: Illegal user lucy from 61.59.143.27
    Mar 27 12:25:26 pawikan sshd[15521]: Illegal user market from 61.59.143.27
    Mar 27 12:25:32 pawikan sshd[15673]: Illegal user lp from 61.59.143.27
    Mar 27 12:25:37 pawikan sshd[15675]: Illegal user maria from 61.59.143.27
    Mar 27 12:25:42 pawikan sshd[15677]: Illegal user rose from 61.59.143.27
    Mar 27 12:25:47 pawikan sshd[15679]: Illegal user mail from 61.59.143.27
    Mar 27 12:25:52 pawikan sshd[15681]: Illegal user god from 61.59.143.27
    Mar 27 12:25:56 pawikan sshd[15683]: Illegal user barbara from 61.59.143.27
    Mar 27 12:26:05 pawikan sshd[15688]: Illegal user larisa from 61.59.143.27
    Mar 27 12:26:10 pawikan sshd[15690]: Illegal user shell from 61.59.143.27
    Mar 27 12:26:15 pawikan sshd[15692]: Illegal user jane from 61.59.143.27
    Mar 27 12:26:19 pawikan sshd[15694]: Illegal user dog from 61.59.143.27
    Mar 27 12:26:23 pawikan sshd[15696]: Illegal user blue from 61.59.143.27

    --
    Edwin D. Viñas
    http://www.geocities.com/edwin_vinas/
    IN THE WORLD OF SCIENCE,
    NOTHING IS IMPOSSIBLE.
    --
    Edwin Guest

  2. #2

    Re: too many illegal connection attempts through ssh

    On Wednesday 06 April 2005 00:15, "Edwin D. Vinas" <com>
    wrote: 

    The easiest way to fix this problem most of the time is just change the
    ssh port to something else, like a high numbered port that's otherwise
    unassigned.
     

    Yes, the best way to deal with this is through the firewall rather than
    sshd, if you still get people hammering away at your ssh port even
    after you change it. What are you using? You might want to check in
    chapter 24 of the handbook ...

    - jt
    Joshua Guest

  3. #3

    Re: too many illegal connection attempts through ssh

    Edwin D. Vinas wrote: 

    My solution is not full proof, but appears to be good
    enough to stop these bulk attacks on my server. I use
    a combination of firewall & alternative sshd port.

    For example, in /etc/rc.conf, I have:
    sshd_enable="YES"
    sshd_flags="-p 22 -p 1234"

    (choose 1234 whatever alternative port number you
    prefer)

    Then add two tcp rules to your firewall:

    ipfw add allow log tcp from 55.44.33.22/11 to \
    ${oip} ssh in via ${oif} setup
    ipfw add allow log tcp from any to ${oip} 1234 \
    in via ${oif} setup

    where "55.44.33.22/11" represents your, more or less,
    trusted nearby network, ${oip} your outbound IP and
    ${oif} your outbound interface (e.g. rl0).
    I suppose you're familiar enough with firewall rules.

    These firewall rules allow 'regular' ssh connections
    only from within your nearby network; all other
    parties must connect over the alternative port number,
    1234 in this example.

    Regards,
    Rob.



    Rob Guest

  4. #4

    Re: too many illegal connection attempts through ssh

    Edwin D. Vinas wrote: 

    This question is asked on the list ever so often - see the archives for
    suggestions. These are automated attacks, they come regularly as
    crackers, black hats or script kiddies scan across the net.

    You can avoid the automated scanning by changing port, but this won't
    stop the determined cracker - he will scan all your ports and identify
    which services are running on which ports.

    Ask yourself a few questions:

    * Do you need to allow ssh from anywhere? If not, restrict to the
    relevant ip blocks.

    * Do you need to allow password based authentication? If not, disable it
    and use only ssh keys, in sshd_config:

    PasswordAuthentication no
    PubkeyAuthentication yes

    * Do all users need to have ssh access? If not, restrict to specific
    groups of users, in sshd_config, eg:

    AllowGroups staff

    * Is it a problem apart from the log messages? Trying to login with a
    nonexistent username is usually not a problem.

    Other tips: Disable ssh1, reduce the number of simultaneous
    non-authenticated connections, set timeouts etc.

    Cheers, Erik
    --
    Ph: +34.666334818 web: http://www.locolomo.org
    S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
    Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
    Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
    Erik Guest
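Erik's checklist above (keys only, pubkey on, an AllowGroups list, ssh1 off, fewer unauthenticated connections, timeouts) is easy to audit mechanically. The script below is an added example, not something from this thread or from OpenSSH itself: it reads an sshd_config, reports the effective value of each keyword (sshd takes the first uncommented occurrence, and settings inside a Match block apply only conditionally, so reading stops there), and prints OK or WEAK per setting. The "60 seconds or less" bound for LoginGraceTime and the "explicit limit" requirement for MaxStartups are this example's own thresholds, not sshd defaults; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# settings recommended above. Usage: sh sshd_audit.sh /etc/ssh/sshd_config
# Exit status is 1 if any check comes back WEAK.

# effective_value CONFIG KEYWORD: sshd uses the FIRST uncommented occurrence
# of a keyword, so that is the one reported (keywords are case-insensitive).
# Lines after a "Match" block apply only conditionally, so reading stops there.
effective_value() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# one_check CONFIG KEYWORD PATTERN DEFAULT WANT: compare the effective value
# (or the documented sshd default when the keyword is unset) with a regex.
one_check() {
    v=$(effective_value "$1" "$2")
    [ -n "$v" ] || v="$4"
    if printf '%s\n' "$v" | grep -Eqi "$3"; then
        printf 'OK   %-22s %s\n' "$2" "$v"
        return 0
    fi
    printf 'WEAK %-22s %s (want %s)\n' "$2" "${v:-<unset>}" "$5"
    return 1
}

# audit CONFIG: run all checks; return 1 if any is WEAK. The bounds used for
# MaxStartups and LoginGraceTime are this example's assumptions, not sshd's.
audit() {
    rc=0
    one_check "$1" PasswordAuthentication '^no$'  yes 'no: keys only'          || rc=1
    one_check "$1" PubkeyAuthentication   '^yes$' yes 'yes'                    || rc=1
    one_check "$1" AllowGroups            '.'     ''  'an explicit group list' || rc=1
    # Unset is treated as "2" (modern OpenSSH has no ssh1 at all); the
    # OpenSSH 3.x of 2005 defaulted to "2,1", so set it explicitly there.
    one_check "$1" Protocol               '^2$'   2   '2: ssh1 disabled'       || rc=1
    one_check "$1" MaxStartups            '.'     ''  'an explicit limit, e.g. 10:30:100' || rc=1
    one_check "$1" LoginGraceTime '^([1-5]?[0-9]|60)$' 120 '60 seconds or less' || rc=1
    return "$rc"
}

# Constructed sample configs for a stand-alone run (not any real host's config).
write_weak() {
    cat > "$1" <<'EOF'
# constructed sample: close to stock defaults
Port 22
PasswordAuthentication yes
EOF
}

write_hardened() {
    cat > "$1" <<'EOF'
# constructed sample: hardened; the commented line, the later duplicate and
# the Match block are all ignored because the first occurrence wins
#PasswordAuthentication yes
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups staff wheel
MaxStartups 10:30:100
LoginGraceTime 30
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

if [ $# -eq 1 ]; then
    audit "$1"
fi
```

Run it against the real file with `sh sshd_audit.sh /etc/ssh/sshd_config`; the WEAK lines are the settings still to change, and the exit status makes it usable from a cron job or a configuration check.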

  5. #5

    Re: too many illegal connection attempts through ssh

    On Wednesday, 6 April 2005 12:07, Erik Nørgaard wrote: 
    >
    > This question is asked on the list ever so often - see the archives for
    > suggestions. These are automated attacks, they come regularly as
    > crackers, black hats or script kiddies scan across the net.

    Does anybody know what robots are being used? And on what systems? All you
    mention later in your posting is true of course and I needn't care about
    these logs, but it's like somebody unknown puts 10 flyers in your
    letterbox every night. I'm sure, one night you'll hide and build a trap for
    that person. I'm too lazy to enter those net-circles for finding these
    robots, but maybe some other has already done that?

    -Harry
     


    Emanuel Guest

  6. #6

    Re: too many illegal connection attempts through ssh

    On Wednesday 06 April 2005 06:58, Emanuel Strobl
    <net> wrote: 
    > >
    > > This question is asked on the list ever so often - see the archives
    > > for suggestions. These are automated attacks, they come regularly
    > > as crackers, black hats or script kiddies scan across the net.
    >
    > Does anybody know what robots are being used? And on what systems? All
    > you mention later in your posting is true of course and I needn't
    > care about these logs, but it's like somebody unknown puts 10
    > flyers in your letterbox every night. I'm sure, one night you'll hide
    > and build a trap for that person. I'm too lazy to enter those
    > net-circles for finding these robots, but maybe some other has
    > already done that?

    It's painfully easy to write a script which checks for the existence of
    ssh on all the IPs in an IP block, at least if all you're checking is
    port 22. A lot of these guys just write a bot which does that and sends
    the "live" IPs back to someone, either the originator or another bot,
    which then will do things like dictionary attack each one. You have
    tools in ports which can serve as the vehicle to do this - nmap is an
    oldie but a goodie. Don't misunderstand - it's also a security tool.

    This type of attack is pretty old, actually, it's just now more people
    are online on bigger pipes, so there are thousands (millions?) of
    zombied computers due to the more recent trojan horses and worms which
    are unwitting accomplices to this sort of thing. It's much harder to
    trace now. All you need is a bunch of zombies, maybe a proxy or three
    and an irc bot. You have a massive scanning machine with quite a bit of
    distributed computing power, which isn't easily traceable. The way to
    avoid it is to not be an obvious target, and not allow password logins
    at all.

    - jt
    Joshua Guest

  7. #7

    Re: too many illegal connection attempts through ssh

    >>>> shown below is snapshot of too many illegal attempts to login to
    >>
    >> Does anybody know what robots are being used? And on what systems? All
    >> you mention later in your posting is true of course and I needn't
    >> care about these logs, but it's like somebody unknown puts 10
    >> flyers in your letterbox every night. I'm sure, one night you'll hide
    >> and build a trap for that person. I'm too lazy to enter those
    >> net-circles for finding these robots, but maybe some other has
    >> already done that?

    I haven't done that, but if you don't like them you can block them fairly
    easily... I wrote a little script in PHP (not that it would be hard to
    re-write in perl or whatever) that watches /var/log/auth.log and if it
    sees an invalid login, it adds a firewall rule to block that IP.

    Then I've got a separate cronjob that removes those firewall rules a
    couple minutes later.

    Yes, I have locked myself out of my own server when I mistype my password,
    but I just wait a minute and it lets me back in.

    I thought about modifying it so instead of outright blocking it, it put
    it into a pipe that limited its bandwidth to almost nil just to hold the
    thing up a bit, but this works for me..

    http://www.pjkh.com/sshmonitor/

    -philip
    Philip Guest
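What Edwin asks for in #1 (block an address automatically after "x" failed attempts) and what Philip describes in #7 (a watcher that adds a firewall rule per offending address, and a cron job that removes the rules a few minutes later) can be done with ipfw and a few lines of sh. The script below is an added example, not Philip's sshmonitor and not FreeBSD's own tooling: it counts sshd failures per source address in an auth.log, emits one ipfw deny rule per address at or over the threshold, and gives every auto-block the same rule number so the cleanup job can drop them all with a single "ipfw delete". The rule number 50000, the threshold of 5 and the sample log lines (documentation-range addresses) are this example's own assumptions; DRY_RUN=1, the default, only prints the commands.

```shell
#!/bin/sh
# Added example (not Philip's sshmonitor from the link above): count failed
# sshd logins per source address in auth.log and emit one ipfw deny rule per
# address that reaches the threshold. Every auto-block shares one rule number
# (RULE_BASE, an assumed value) so the cleanup job can drop them all at once
# with "ipfw delete <number>", which is the cron job described in #7.
# DRY_RUN=1 (the default) prints the commands instead of running them.

THRESHOLD="${THRESHOLD:-5}"       # block after this many failures
RULE_BASE="${RULE_BASE:-50000}"   # rule number shared by all auto-blocks
DRY_RUN="${DRY_RUN:-1}"           # 1 = print ipfw commands, 0 = run them

# sample_log FILE: constructed auth.log lines for a stand-alone run (addresses
# are from the documentation ranges, not the ones in the thread). The
# "Did not receive identification string" line must not count as a failure.
sample_log() {
    cat > "$1" <<'EOF'
Mar 27 04:10:58 pawikan sshd[5171]: Illegal user test from 192.0.2.10
Mar 27 04:10:59 pawikan sshd[5173]: Illegal user guest from 192.0.2.10
Mar 27 04:11:00 pawikan sshd[5175]: Illegal user admin from 192.0.2.10
Mar 27 04:11:01 pawikan sshd[5190]: Illegal user admin from 192.0.2.10
Mar 27 04:11:02 pawikan sshd[5192]: Illegal user user from 192.0.2.10
Mar 27 04:11:07 pawikan sshd[5200]: Illegal user test from 192.0.2.10
Mar 27 12:13:21 pawikan sshd[9236]: Did not receive identification string from 192.0.2.20
Mar 27 12:23:03 pawikan sshd[13482]: Illegal user jordan from 192.0.2.20
Mar 27 12:23:07 pawikan sshd[13484]: Illegal user michael from 192.0.2.20
Mar 27 13:00:01 pawikan sshd[14001]: Failed password for root from 198.51.100.5 port 40100 ssh2
Mar 27 13:00:02 pawikan sshd[14001]: Failed password for root from 198.51.100.5 port 40100 ssh2
Mar 27 13:00:03 pawikan sshd[14001]: Failed password for root from 198.51.100.5 port 40100 ssh2
Mar 27 13:00:04 pawikan sshd[14001]: Failed password for root from 198.51.100.5 port 40100 ssh2
Mar 27 13:00:05 pawikan sshd[14001]: Failed password for root from 198.51.100.5 port 40100 ssh2
EOF
}

# offenders LOGFILE THRESHOLD: print "count ip" for every address with at
# least THRESHOLD failures. Matches the "Illegal user" lines shown in the
# thread, the "Invalid user" wording newer OpenSSH uses, and "Failed password".
offenders() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user .* from / ||
        /sshd\[[0-9]+\]: Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# block_cmd IP: the ipfw command that blocks one address on the ssh port.
block_cmd() {
    printf 'ipfw add %s deny tcp from %s to me 22 in\n' "$RULE_BASE" "$1"
}

# expire_cmd: what the cleanup cron job runs; one delete removes every rule
# carrying RULE_BASE, i.e. all auto-blocks at once.
expire_cmd() {
    printf 'ipfw delete %s\n' "$RULE_BASE"
}

# apply LOGFILE: block every offender (or just print the commands).
apply() {
    offenders "$1" "$THRESHOLD" | while read -r count ip; do
        cmd=$(block_cmd "$ip")
        if [ "$DRY_RUN" = 1 ]; then
            echo "# $count failures: $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Stand-alone demo: "sh autoblock.sh --demo" runs against the constructed log;
# "sh autoblock.sh /var/log/auth.log" runs against a real one.
case "${1:-}" in
    --demo) tmp=$(mktemp); sample_log "$tmp"; apply "$tmp"; rm -f "$tmp" ;;
    "") ;;
    *) apply "$1" ;;
esac
```

Two things the thread's own experience points at: keep the expiry job (Philip's "wait a minute and it lets me back in" depends on it), and put a rule allowing your own trusted network ahead of RULE_BASE, as Rob's first ipfw rule does, so a mistyped password from home does not lock you out at all.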
