Goverp (Veteran)
Joined: 07 Mar 2007   Posts: 1966
Posted: Tue Aug 24, 2021 8:31 am   Post subject: Should I report spurious ssh login attempts?
I've a Raspberry Pi that lives purely to tell me that the power is on: I ping it using ssh, and if it's not there, something's up with the power.
It's got a UFW firewall with rate limiting on ssh, an ssh config that disallows passwords and root, and it sits behind a router firewall with port forwarding for ssh (only).
So, the script kiddies of the world keep trying to sign in. I have a little script that looks at lastb output and counts the number of different IP addresses these kiddies claim to be signing on from since yesterday. Usually AWS accounts or the like.
Should I tell/complain to AWS or whoever? At the moment, it's just a honeypot to distract them slightly.
_________________
Greybeard
mike155 (Advocate)
Joined: 17 Sep 2010   Posts: 4438   Location: Frankfurt, Germany
Posted: Tue Aug 24, 2021 12:19 pm
Have you heard about the cosmic background radiation? The radiation that's simply there, everywhere, and you can't do anything about it?
Think of those login attempts as a kind of background noise of the internet. No matter where, no matter when... Whenever you connect a host to the internet, it will only take a few seconds before the first SSH login attempts arrive. There's nothing you can do about it. Just ignore those login attempts. Or configure your SSH server to listen on a port different from 22. This helps in most cases.
NeddySeagoon (Administrator)
Joined: 05 Jul 2003   Posts: 54028   Location: 56N 3W
Posted: Tue Aug 24, 2021 1:13 pm
Goverp,
The IPv4 address space is full. No matter where someone does a port scan, they get a response.
You can use a non-standard port, or switch to IPv6 only, as that's not full yet :)
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:
those that do backups
those that have never had a hard drive fail.
Jaglover (Watchman)
Joined: 29 May 2005   Posts: 8291   Location: Saint Amant, Acadiana
steve_v (Guru)
Joined: 20 Jun 2004   Posts: 385   Location: New Zealand
Posted: Tue Aug 24, 2021 1:42 pm
Two words: fail2ban, and geoblocking.
Other than that, yeah. You run something on port 22, you expect brute-force bots and skids. That's just the way the universe is.
_________________
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
pietinger (Moderator)
Joined: 17 Oct 2006   Posts: 3939   Location: Bavaria
Posted: Tue Aug 24, 2021 2:51 pm
There is something you should know about (black hat) hackers: they don't use their own computer for scanning ports or trying scripted actions. They have a lot of already hacked Windows computers and use these as transit stations. You will only see the IP address of an innocent private (and untaught) user. Worse: many private users don't have a static (global) IP address. Their network provider gives them a temporary IP address for some days; after that they get a new one ... so blocking this address doesn't help you in any case ... if you tried to block these addresses, you would soon have a big database.
If you want to check an IP address, take a look at: https://www.abuseipdb.com
Hu (Moderator)
Joined: 06 Mar 2007   Posts: 21431
Posted: Tue Aug 24, 2021 3:40 pm
Decades ago, reporting might have meant something. Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet. However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it. Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.
pjp (Administrator)
Joined: 16 Apr 2002   Posts: 20048
Posted: Tue Aug 24, 2021 4:13 pm
If for some reason using a different port is undesirable, port knocking may be worth consideration to reduce logging noise.
_________________
Quis separabit? Quo animo?
Goverp (Veteran)
Joined: 07 Mar 2007   Posts: 1966
Posted: Tue Aug 24, 2021 5:44 pm
Hu wrote:
> Decades ago, reporting might have meant something. Now, the best you could hope for is that the offending system is part of a botnet and that your report alerts the legitimate operator of the system to go discover the bot and get out of the botnet. However, like the other posters here, I suspect this will likely waste your time with little or nothing to show for it. Even getting the notification to the legitimate owner will be a significant undertaking, and there's no guarantee the owner won't delete your message without acting on it.

OK, that was along the lines I was thinking: my question was meant as "would the legitimate operator be interested?" If not, I won't bother.
I'm not concerned about the idiots trying to get in (until the next security hole in ssh), so at least I'm consuming some small part of their effort. If they do get in, there's nothing there.
_________________
Greybeard
Jaglover (Watchman)
Joined: 29 May 2005   Posts: 8291   Location: Saint Amant, Acadiana
Hu (Moderator)
Joined: 06 Mar 2007   Posts: 21431
Posted: Tue Aug 24, 2021 7:00 pm
The legitimate owners should care, but some won't. Even for those that do, reaching them is probably not worth the trouble.
figueroa (Advocate)
Joined: 14 Aug 2005   Posts: 2894   Location: Edge of marsh USA
Posted: Wed Aug 25, 2021 3:58 am
I've had good luck changing ports and finding one less popular than the one I had been using. The default port should be a non-starter. Pick a four-digit number and start there. I have had to change ports a couple of times on more than one host in the past.
net-analyzer/fail2ban is a real winner. I'm using stringent settings in /etc/fail2ban/jail.local:
Code:
    bantime = 72h
    findtime = 48h
    maxretry = 3
In other words, on the third failed attempt within 48 hours, the IP is banned for 72 hours.
maxretry = 2 would also be OK. But I don't have repeat offenders as it is.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
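As an added example, not code from the thread or from fail2ban itself: a small Python script that does what Goverp's lastb counter and figueroa's jail.local settings describe, replaying constructed sshd "Failed password" lines through the findtime/maxretry/bantime window and tallying distinct source IPs and tried user names. The log format, host name "pi" and the documentation-range addresses are all constructed for the example.

```python
# Added example, not from the thread: replays constructed sshd log lines through
# the jail.local policy quoted above (maxretry 3 within findtime 48h -> bantime 72h)
# and tallies distinct source IPs and attempted user names, like Goverp's lastb script.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

FINDTIME = timedelta(hours=48)
BANTIME = timedelta(hours=72)
MAXRETRY = 3

# Constructed sample (ISO timestamps, documentation-range addresses, not real attackers).
LOG = """\
2021-08-24T08:00:00 pi sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2
2021-08-24T08:00:05 pi sshd[812]: Failed password for invalid user ubnt from 192.0.2.10 port 41030 ssh2
2021-08-24T08:00:09 pi sshd[813]: Failed password for invalid user admin from 192.0.2.10 port 41041 ssh2
2021-08-24T08:00:20 pi sshd[814]: Failed password for root from 192.0.2.10 port 41050 ssh2
2021-08-24T09:10:00 pi sshd[820]: Failed password for invalid user user from 198.51.100.7 port 5022 ssh2
2021-08-27T09:10:00 pi sshd[900]: Failed password for invalid user user from 198.51.100.7 port 5023 ssh2
2021-08-27T09:10:03 pi sshd[901]: Failed password for invalid user user from 198.51.100.7 port 5024 ssh2
"""
LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse(log):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def bans(events):
    """Apply the per-IP findtime/maxretry window; return {ip: time the ban started}."""
    window = defaultdict(list)   # failure times still inside findtime, per IP
    banned = {}
    for ts, _user, ip in sorted(events):
        if ip in banned and ts < banned[ip] + BANTIME:
            continue             # attempt during an active ban: ignored, the firewall rule would drop it
        window[ip] = [t for t in window[ip] if ts - t <= FINDTIME] + [ts]
        if len(window[ip]) >= MAXRETRY:
            banned[ip] = ts
            window[ip] = []
    return banned

def summary(log):
    """Distinct IPs, most-tried user names and resulting bans for one log."""
    events = list(parse(log))
    return {"distinct_ips": len({ip for _, _, ip in events}),
            "top_users": Counter(u for _, u, _ in events).most_common(3),
            "banned": bans(events)}
```

In the sample, 192.0.2.10 is banned at its third failure, while 198.51.100.7 is not: its first failure falls outside the 48-hour findtime by the time the later two arrive, which is exactly the window the quoted settings define.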
Goverp (Veteran)
Joined: 07 Mar 2007   Posts: 1966
Posted: Wed Aug 25, 2021 8:57 am
For amusement, here's the list of the most popular account names people try on this box, with counts, since the last reboot:
Code:
    4436 telecoma
    4545 tech
    4554 demo
    4626 administ
    4680 web
    4690 ubnt
    4697 support
    4791 admin1
    4850 profile1
    4870 user1
    4927 MikroTik
    5007 user
    5028 default
    7125 admin
and the most popular IP addresses for the purported origins
(I guess there would be a small benefit in incorporating some sensible sorting, aggregation and whois lookups).
_________________
Greybeard
Goverp (Veteran)
Joined: 07 Mar 2007   Posts: 1966
Posted: Thu Oct 28, 2021 9:04 am
A minor update: since a recent system update, the number of spurious sign-in attempts has plummeted; only around 100 a day. (My system feels quite lonely now!)
Perhaps that's down to OpenSSH disabling SHA-1 by default. Maybe they were hoping to find a way in through that.
_________________
Greybeard
Anon-E-moose (Watchman)
Joined: 23 May 2008   Posts: 6095   Location: Dallas area
Posted: Thu Oct 28, 2021 2:26 pm
For things like ssh, I like to use the firewall to filter out IPs by region.
I don't know anyone from Bahrain, Afghanistan or places in China, Russia, etc., so I just mass-block those off; it stops a lot of crap early on.
And I set it up to drop packets that don't meet my criteria for entry, not return "any" reply.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
figueroa (Advocate)
Joined: 14 Aug 2005   Posts: 2894   Location: Edge of marsh USA
Posted: Thu Oct 28, 2021 3:32 pm
Fail2Ban continues to work its magic. At the school, geolocation banned any ssh requests not from the USA. I still had to swap a couple of sshd ports. Now we get none per month. At home, I had one last week, the first in over a month, from China. I don't geographically ban at home.
Keyword = Fail2Ban
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi