Should I report spurious ssh login attempts?
Goverp
Veteran
Joined: 07 Mar 2007
Posts: 1966

Posted: Tue Aug 24, 2021 8:31 am    Post subject: Should I report spurious ssh login attempts?

I've a raspberry pi that lives purely to tell me that power is on - I ping it using ssh, and if it's not there, something's up with power.
It's got a UFW firewall with rate limiting on ssh, and ssh config to disallow passwords and root, and sits behind a router firewall with port forwarding for ssh (only).
So, the script kiddies of the world keep trying to sign in. I have a little script that looks at lastb output and counts the number of different IP addresses where these kiddies claim to be signing on since yesterday. Usually AWS accounts or the like.

Should I tell/complain to AWS or whoever? At the moment, it's just a honeypot to distract them slightly.
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Tue Aug 24, 2021 12:19 pm

Have you heard about the cosmic background radiation? The radiation that's simply there - everywhere - and you can't do anything about it?

Think of those login attempts as a kind of background noise in the internet. No matter where, no matter when... Whenever you connect a host to the internet, it will only take a few seconds before the first SSH login attempts arrive. There's nothing you can do about it. Just ignore those login attempts. Or configure your SSH server to listen on a port different than 22. This helps in most cases. :lol:
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Tue Aug 24, 2021 1:13 pm

Goverp,

The IPv4 address space is full. No matter where someone does a port scan, they get a response.
You can use a non-standard port, or switch to IPv6 only, as that's not full yet :)
Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana

Posted: Tue Aug 24, 2021 1:23 pm

Think how easy it is to scan large IP blocks for open ports, just fire up your script ... I think the whole IPv4 address space is under constant scan. As mike155 said.
steve_v
Guru
Joined: 20 Jun 2004
Posts: 385
Location: New Zealand

Posted: Tue Aug 24, 2021 1:42 pm

Two words: fail2ban, and geoblocking.

Other than that, yeah. You run something on port 22, you expect bruteforce bots and skids. That's just the way the universe is.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 3939
Location: Bavaria

Posted: Tue Aug 24, 2021 2:51 pm

There is something you should know about (black hat) hackers: They don't use their own computer for scanning ports or trying scripted actions. They have a lot of already hacked Windows computers and use these as transit stations. You will only see the IP address of an innocent private (and untaught) user. Worse: Many private users don't have a static (global) IP address. Their network provider gave them a temporary IP address for some days. After this they got a new one ... so a block of this address doesn't help you in any case ... if you would try to block these addresses you will soon have a big database ;-)

If you want to check an IP address take a look into: https://www.abuseipdb.com
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

Posted: Tue Aug 24, 2021 3:40 pm

Decades ago, reporting might have meant something. Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet. However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it. Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20048

Posted: Tue Aug 24, 2021 4:13 pm

If for some reason using a different port is undesirable, port knocking may be worth consideration to reduce logging noise.
Goverp
Veteran
Joined: 07 Mar 2007
Posts: 1966

Posted: Tue Aug 24, 2021 5:44 pm

Hu wrote:
Decades ago, reporting might have meant something. Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet. However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it. Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.

OK, that was along the lines I was thinking: my question was meant as "would the legitimate operator be interested". If not, I won't bother.
I'm not concerned about the idiots trying to get in (until the next security hole in ssh), so at least I'm consuming some small part of their effort. If they do get in, there's nothing there.
Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana

Posted: Tue Aug 24, 2021 5:59 pm

Once upon a time I ran MPD in my router, opened the port for a friend. In two days I got more "friends" than I ever wished for. 8O
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21431

Posted: Tue Aug 24, 2021 7:00 pm

The legitimate owners should care, but some won't. Even for those that do, reaching them is probably not worth the trouble.
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2893
Location: Edge of marsh USA

Posted: Wed Aug 25, 2021 3:58 am

I've had good luck changing ports and finding one less popular than one I had been using. The default port should be a non-starter. Pick a four digit number and start there. I have had to change ports a couple of times on more than one host in the past.

net-analyzer/fail2ban is a real winner. I'm using stringent settings in /etc/fail2ban/jail.local:
Code:
bantime = 72h
findtime = 48h
maxretry = 3

In other words, on the third failed attempt within 48 hours, the IP is banned for 72 hours.

maxretry = 2 would also be OK. But, I don't have repeat offenders as it is.
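Added example, not fail2ban's own code: a small replay of the counting rule the jail.local settings above express (maxretry failures inside a findtime window, then bantime), run over constructed failure timestamps and documentation addresses, to show why a slow attacker spreading tries 30 hours apart is banned only once three of them land within 48 hours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three settings from the jail.local above
BANTIME = timedelta(hours=72)
FINDTIME = timedelta(hours=48)
MAXRETRY = 3


def simulate_jail(failures, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay (timestamp, ip) failures in time order; return bans as
    (ip, ban_start, ban_end). Counting is per address over a sliding findtime
    window. A banned address is not counted again until its ban expires,
    because the firewall rule drops its packets before sshd sees them."""
    window = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}             # ip -> expiry of the current ban
    bans = []
    for when, ip in sorted(failures):
        if when < banned_until.get(ip, when):
            continue              # still banned: attempt never reaches sshd
        hits = window[ip]
        hits.append(when)
        while when - hits[0] > findtime:
            hits.popleft()        # drop failures older than findtime
        if len(hits) >= maxretry:
            banned_until[ip] = when + bantime
            bans.append((ip, when, when + bantime))
            hits.clear()
    return bans


# Constructed failures (hypothetical), expressed as hours after T0
T0 = datetime(2021, 8, 25, 0, 0)


def hours(h):
    return T0 + timedelta(hours=h)


SAMPLE_FAILURES = [
    (hours(0),  "203.0.113.7"),    # three tries in two hours: banned on the third
    (hours(1),  "203.0.113.7"),
    (hours(2),  "203.0.113.7"),
    (hours(3),  "203.0.113.7"),    # ignored: already banned
    (hours(0),  "198.51.100.23"),  # slow attacker: only two tries inside any 48h
    (hours(30), "198.51.100.23"),
    (hours(60), "198.51.100.23"),
    (hours(70), "198.51.100.23"),  # 30h, 60h and 70h all lie within 48h: banned now
]

if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_FAILURES):
        print(f"ban {ip} from {start} until {end}")
```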
Goverp
Veteran
Joined: 07 Mar 2007
Posts: 1966

Posted: Wed Aug 25, 2021 8:57 am

For amusement, here's the list of most popular account names people try on this box, with counts, since the last reboot:
Code:
4436 telecoma
4545 tech
4554 demo
4626 administ
4680 web
4690 ubnt
4697 support
4791 admin1
4850 profile1
4870 user1
4927 MikroTik
5007 user
5028 default
7125 admin

and the most popular IP addresses for the purported origins.
(I guess there would be a small benefit by incorporating some sensible sorting, aggregation and whois lookups):
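The lastb-based counting Goverp describes in the opening post and the per-account counts above, as an added example that is not the poster's own script: it parses constructed lastb lines (the timestamp carries no year, so the caller supplies one, and account names are cut to 8 characters by the default output width, which is why "administ" appears), then counts distinct claimed source addresses since a given date and the most-tried account names.

```python
import re
from collections import Counter
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# One failed ssh login line of `lastb`: user, "ssh:notty", source, then
# "Tue Aug 24 08:10 - 08:10  (00:00)" with no year
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+ssh:notty\s+(?P<ip>\S+)\s+"
    r"\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d\d):(?P<mm>\d\d)")

# Constructed sample of lastb output (documentation addresses, not real data)
SAMPLE_LASTB = """\
admin    ssh:notty    203.0.113.7      Tue Aug 24 08:10 - 08:10  (00:00)
administ ssh:notty    203.0.113.7      Tue Aug 24 08:11 - 08:11  (00:00)
admin    ssh:notty    198.51.100.23    Tue Aug 24 07:58 - 07:58  (00:00)
user     ssh:notty    198.51.100.23    Mon Aug 23 22:40 - 22:40  (00:00)
admin    ssh:notty    192.0.2.99       Mon Aug 23 03:15 - 03:15  (00:00)
root     ssh:notty    192.0.2.99       Sun Aug 22 11:05 - 11:05  (00:00)

btmp begins Sun Aug 22 00:00:01 2021
"""


def parse_lastb(text, year):
    """Return (user, ip, datetime) per ssh failure; lastb omits the year."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, "btmp begins" footer, or non-ssh entry
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                        int(m["hh"]), int(m["mm"]))
        records.append((m["user"], m["ip"], when))
    return records


def distinct_sources_since(records, since):
    """Number of different claimed source addresses at or after `since`
    (a datetime or an ISO date string such as "2021-08-23")."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    return len({ip for _, ip, when in records if when >= since})


def top_usernames(records, n=5):
    """Most-tried account names, most popular first."""
    return Counter(user for user, _, _ in records).most_common(n)
```

Feed it `lastb` output with the year the log covers, for example `parse_lastb(open("lastb.txt").read(), 2021)`, then call the two counting functions on the result.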
Goverp
Veteran
Joined: 07 Mar 2007
Posts: 1966

Posted: Thu Oct 28, 2021 9:04 am

A minor update: since a recent system update, the number of spurious sign-in attempts has plummeted; only around 100 a day. (My system feels quite lonely now!)
Perhaps that's down to OpenSSH disabling SHA-1 by default. Maybe they were hoping to find a way in through that.
Anon-E-moose
Watchman
Joined: 23 May 2008
Posts: 6095
Location: Dallas area

Posted: Thu Oct 28, 2021 2:26 pm

For things like ssh, I like to use the firewall to filter out IP's by region.
I don't know anyone from Bahrain, Afghanistan or places in China, Russia, etc. so I just mass block those off, stops a lot of crap early on.

And I set it up to drop packets that don't meet my criteria for entry, not return "any" reply.
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2893
Location: Edge of marsh USA

Posted: Thu Oct 28, 2021 3:32 pm

Fail2Ban continues to work its magic. At the school, Geoloc banned any ssh requests not=usa. I still had to swap a couple sshd ports. Now we get none/month. At home, I had one last week, first in over a month, from China. I don't geographically ban at home.

Keyword = Fail2Ban