JTHM (Tux's lil' helper)
Joined: 31 Jul 2005 Posts: 115 Location: South Farms
Posted: Thu Oct 04, 2007 1:26 am Post subject: SSH Breakin Attempts
Hey all, I've got a bit of a problem (or at least a potential problem). For the past few weeks, it seems somebody's been trying to break into my gentoo box over ssh. I've been getting several chunks like this in my /var/log/messages:
Sep 29 06:50:16 Nirvana sshd[4122]: Invalid user france from 219.139.190.249
Sep 29 06:50:24 Nirvana sshd[4392]: Invalid user raider from 219.139.190.249
Sep 29 06:50:31 Nirvana sshd[4580]: Invalid user movie from 219.139.190.249
Sep 29 06:50:37 Nirvana sshd[4796]: Invalid user movies from 219.139.190.249
Sep 29 06:50:44 Nirvana sshd[4931]: Invalid user judith from 219.139.190.249
Sep 29 06:50:50 Nirvana sshd[5151]: Invalid user default from 219.139.190.249
Sep 29 06:50:55 Nirvana sshd[5295]: Invalid user sean from 219.139.190.249
Sep 29 06:51:03 Nirvana sshd[5457]: Invalid user erik from 219.139.190.249
Sep 29 06:51:08 Nirvana sshd[5665]: Invalid user house from 219.139.190.249
Sep 29 06:51:14 Nirvana sshd[5839]: Invalid user status from 219.139.190.249
Sep 29 06:51:19 Nirvana sshd[6022]: Invalid user music from 219.139.190.249
Sep 29 06:51:25 Nirvana sshd[6159]: Invalid user test from 219.139.190.249
Sep 29 06:51:30 Nirvana sshd[6320]: Invalid user christian from 219.139.190.249
Sep 29 06:51:36 Nirvana sshd[6454]: Invalid user upload from 219.139.190.249
Sep 29 06:51:42 Nirvana sshd[6613]: Invalid user security from 219.139.190.249
Sep 29 06:51:47 Nirvana sshd[6748]: Invalid user scanner from 219.139.190.249
Sep 29 06:51:53 Nirvana sshd[6910]: Invalid user work from 219.139.190.249
Sep 29 06:52:00 Nirvana sshd[7069]: Invalid user eli from 219.139.190.249
Sep 29 06:52:09 Nirvana sshd[7338]: Invalid user ariel from 219.139.190.249
Sep 29 06:52:14 Nirvana sshd[7473]: Invalid user matt from 219.139.190.249
Sep 29 06:52:20 Nirvana sshd[7634]: Invalid user smoke from 219.139.190.249
Sep 29 06:52:25 Nirvana sshd[7794]: Invalid user papa from 219.139.190.249
Sep 29 06:52:31 Nirvana sshd[7928]: Invalid user beth from 219.139.190.249
Sep 29 06:52:36 Nirvana sshd[8088]: Invalid user samba from 219.139.190.249
Sep 29 06:52:44 Nirvana sshd[8222]: Invalid user library from 219.139.190.249
Sep 29 06:52:54 Nirvana sshd[8438]: Invalid user don from 219.139.190.249
Sep 29 06:52:59 Nirvana sshd[8680]: Invalid user webuser from 219.139.190.249
Sep 29 06:53:05 Nirvana sshd[8840]: Invalid user monitor from 219.139.190.249
This goes on for pages. Fortunately, the box isn't big (just for personal use really) and only has 2 or 3 accounts, all of them password protected.
It seems he hasn't been successful yet (although after each attack, X goes into a kind of half-freeze with X itself using 100% of the CPU and not responding to anything).
I was wondering a couple of things:
1.) Is there any way to secure sshd against something like this short of installing iptables? While each attempt in a session comes from the same IP address, each session comes from a different one. Is there any way to, say, lock out an IP after 3 bad usernames are attempted?
2.) Can I verify that he hasn't gotten in yet? The seemingly random attempts take place as recently as this afternoon, and I imagine he wouldn't be trying random names if he found a way in, but you never know (especially with the X freezing issue).
3.) Does anybody have any suggestions on ways to screw with him? Nothing malicious (he hasn't done any damage yet), but something practical-joke-like.
Thanks for the read, any suggestions are welcome.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
davidgurvich (Veteran)
Joined: 23 Apr 2004 Posts: 1063
Posted: Thu Oct 04, 2007 1:35 am Post subject:
A basic hosts.allow file
Code:
    ALL : 127.0.0.1 : ALLOW
    ALL : 192.168.2.0/255.255.255.0 : ALLOW
    ALL : ALL : DENY
That only allows localhost and local IP logins. man hosts.allow to see more options. There is also the possibility of setting up an automated blacklist file and using that as well.
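The "automated blacklist file" idea above, and the original poster's two questions (lock out an IP after 3 bad usernames; check whether anyone actually got in), can both be handled by scanning /var/log/messages. The script below is an added example, not code from the thread or from denyhosts: it counts sshd failures per source IP, emits hosts.deny lines for every IP over a threshold, and flags any successful login from an IP that also produced failures. The log sample is constructed from the OP's lines plus made-up "Failed password" and "Accepted" lines in sshd's format.

```python
import re
from collections import Counter

# Constructed sample in /var/log/messages format. The first four lines are the
# OP's; the remaining ones (10.0.0.77, 192.168.2.5, user "jthm") are made up.
SAMPLE_LOG = """\
Sep 29 06:50:16 Nirvana sshd[4122]: Invalid user france from 219.139.190.249
Sep 29 06:50:24 Nirvana sshd[4392]: Invalid user raider from 219.139.190.249
Sep 29 06:50:31 Nirvana sshd[4580]: Invalid user movie from 219.139.190.249
Sep 29 06:50:37 Nirvana sshd[4796]: Invalid user movies from 219.139.190.249
Sep 29 07:02:10 Nirvana sshd[9001]: Failed password for invalid user admin from 10.0.0.77 port 4455 ssh2
Sep 29 07:02:14 Nirvana sshd[9001]: Failed password for invalid user admin from 10.0.0.77 port 4455 ssh2
Sep 29 08:15:00 Nirvana sshd[9310]: Accepted password for jthm from 192.168.2.5 port 51234 ssh2
Sep 29 08:20:00 Nirvana sshd[9400]: Accepted password for jthm from 219.139.190.249 port 3310 ssh2
"""

# "Invalid user X from IP" (unknown account) and "Failed password for [invalid user] X from IP"
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) (\S+) from (\d+\.\d+\.\d+\.\d+)")
# "Accepted password|publickey for X from IP"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def analyse(log_text):
    """Return (Counter of failed attempts per source IP, list of (user, ip) successful logins)."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return failures, accepted


def blacklist(failures, threshold=3):
    """hosts.deny lines (hosts_access(5) syntax) for every IP with at least `threshold` failures."""
    return [f"sshd : {ip} : DENY" for ip, n in sorted(failures.items()) if n >= threshold]


def suspicious_logins(failures, accepted):
    """Successful logins from an IP that also produced failed attempts: worth a closer look."""
    return [(user, ip) for user, ip in accepted if failures.get(ip, 0) > 0]


if __name__ == "__main__":
    fails, ok = analyse(SAMPLE_LOG)
    print("\n".join(blacklist(fails)))
    print("suspicious:", suspicious_logins(fails, ok))
```

Run it against the real log with `analyse(open("/var/log/messages").read())` and append the returned lines to /etc/hosts.deny from cron; the same check over "Accepted" lines is the quickest answer to "did he get in".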
JTHM (Tux's lil' helper)
Joined: 31 Jul 2005 Posts: 115 Location: South Farms
Posted: Thu Oct 04, 2007 1:41 am Post subject:
Hmm, how would I go about setting up an automated blacklist file? I considered setting up something like that hosts.allow, but I remote in from work and a number of other places (not always known ahead of time), so I'd like to leave that option open if possible. For now, I just turned sshd off since I'm sitting at the machine. Thanks a lot for the help, though, that's a great fallback option since I'd just have to add my work IP to the list and just make sure I don't need to get in from anywhere unexpected.
Dammital (Apprentice)
Joined: 05 Nov 2004 Posts: 189
Posted: Thu Oct 04, 2007 1:54 am Post subject: Try denyhosts
Easy to install ("emerge denyhosts") and configure, and works pretty well.
See http://denyhosts.sourceforge.net/
JTHM (Tux's lil' helper)
Joined: 31 Jul 2005 Posts: 115 Location: South Farms
Posted: Thu Oct 04, 2007 2:43 am Post subject:
Thanks, I just installed denyhosts and started it up. Let's see if this helps prevent further attacks.
m.b.j. (Guru)
Joined: 12 Sep 2003 Posts: 407 Location: Germany (Essen)
Posted: Thu Oct 04, 2007 7:33 am Post subject:
Try running your sshd on a different port. Most script kiddies don't know how to change the target port on their "hack scripts"...
/etc/ssh/sshd_config
While connecting you can use the -p switch to set the port.
Or put this into your ~/.ssh/config
Code:
    host <yourhost>
    port <yourport>
_________________
root@mbj # echo "sys-pizza/calzone -tunfish" >> /etc/paludis/use.conf
root@mbj # paludis -i calzone --dl-blocks discard
John R. Graham (Administrator)
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Thu Oct 04, 2007 9:15 am Post subject:
You might also want to consider using public key authentication, especially if you are the principal user. Then you can set "PasswordAuthentication no" in your /etc/ssh/sshd_config and laugh at the futile script kiddie login attempts. I regularly report 'em to their ISP anyway, getting the contact information from the whois data.
- John