Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
SSH Breakin Attempts
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Duplicate Threads
View previous topic :: View next topic  
Author Message
JTHM
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 1:26 am    Post subject: SSH Breakin Attempts Reply with quote

Hey all, I've got a bit of a problem (or at least a potential problem). For the past few weeks, it seems somebody's been trying to break into my gentoo box over ssh. I've been getting several chunks like this in my /var/log/messages:

Sep 29 06:50:16 Nirvana sshd[4122]: Invalid user france from 219.139.190.249
Sep 29 06:50:24 Nirvana sshd[4392]: Invalid user raider from 219.139.190.249
Sep 29 06:50:31 Nirvana sshd[4580]: Invalid user movie from 219.139.190.249
Sep 29 06:50:37 Nirvana sshd[4796]: Invalid user movies from 219.139.190.249
Sep 29 06:50:44 Nirvana sshd[4931]: Invalid user judith from 219.139.190.249
Sep 29 06:50:50 Nirvana sshd[5151]: Invalid user default from 219.139.190.249
Sep 29 06:50:55 Nirvana sshd[5295]: Invalid user sean from 219.139.190.249
Sep 29 06:51:03 Nirvana sshd[5457]: Invalid user erik from 219.139.190.249
Sep 29 06:51:08 Nirvana sshd[5665]: Invalid user house from 219.139.190.249
Sep 29 06:51:14 Nirvana sshd[5839]: Invalid user status from 219.139.190.249
Sep 29 06:51:19 Nirvana sshd[6022]: Invalid user music from 219.139.190.249
Sep 29 06:51:25 Nirvana sshd[6159]: Invalid user test from 219.139.190.249
Sep 29 06:51:30 Nirvana sshd[6320]: Invalid user christian from 219.139.190.249
Sep 29 06:51:36 Nirvana sshd[6454]: Invalid user upload from 219.139.190.249
Sep 29 06:51:42 Nirvana sshd[6613]: Invalid user security from 219.139.190.249
Sep 29 06:51:47 Nirvana sshd[6748]: Invalid user scanner from 219.139.190.249
Sep 29 06:51:53 Nirvana sshd[6910]: Invalid user work from 219.139.190.249
Sep 29 06:52:00 Nirvana sshd[7069]: Invalid user eli from 219.139.190.249
Sep 29 06:52:09 Nirvana sshd[7338]: Invalid user ariel from 219.139.190.249
Sep 29 06:52:14 Nirvana sshd[7473]: Invalid user matt from 219.139.190.249
Sep 29 06:52:20 Nirvana sshd[7634]: Invalid user smoke from 219.139.190.249
Sep 29 06:52:25 Nirvana sshd[7794]: Invalid user papa from 219.139.190.249
Sep 29 06:52:31 Nirvana sshd[7928]: Invalid user beth from 219.139.190.249
Sep 29 06:52:36 Nirvana sshd[8088]: Invalid user samba from 219.139.190.249
Sep 29 06:52:44 Nirvana sshd[8222]: Invalid user library from 219.139.190.249
Sep 29 06:52:54 Nirvana sshd[8438]: Invalid user don from 219.139.190.249
Sep 29 06:52:59 Nirvana sshd[8680]: Invalid user webuser from 219.139.190.249
Sep 29 06:53:05 Nirvana sshd[8840]: Invalid user monitor from 219.139.190.249

This goes on for pages. Fortunately, the box isn't big (just for personal use really) and only has 2 or 3 accounts, all of them password protected.

It seems he hasn't been successful yet (although after each attack, X goes into a kind of half-freeze with X itself using 100% of the CPU and not responding to anything).

I was wondering a couple of things:

1.) Is there any way to secure sshd against something like this short of installing iptables? While each attempt in a session comes from the same IP address, each session comes from a different one. Is there any way to, say, lock out an IP after 3 bad usernames are attempted?

2.) Can I verify that he hasn't gotten in yet? The seemingly random attempts take place as recently as this afternoon, and I imagine he wouldn't be trying random names if he found a way in, but you never know (especially with the X freezing issue).

3.) Does anybody have any suggestions on ways to screw with him? Nothing malicious (he hasn't done any damage yet), but something practical-joke-like.

Thanks for the read, any suggestions are welcome.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
Back to top
View user's profile Send private message
davidgurvich
Veteran
Veteran


Joined: 23 Apr 2004
Posts: 1063

PostPosted: Thu Oct 04, 2007 1:35 am    Post subject: Reply with quote

A basic hosts.allow file
Code:
ALL : 127.0.0.1 : ALLOW
ALL : 192.168.2.0/255.255.255.0 : ALLOW
ALL : ALL : DENY
That only allows localhost and local ip logins. man hosts.allow to see more options. There is also the possibility of setting up an automated blacklist file and using that as well.
Back to top
View user's profile Send private message
JTHM
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 1:41 am    Post subject: Reply with quote

Hmm, how would I go about setting up an automated blacklist file? I considered setting up something like that hosts.allow, but I remote in from work and a number of other places (not always known ahead of time), so I'd like to leave that option open if possible. For now, I just turned sshd off since I'm sitting at the machine. Thanks a lot for the help, though, that's a great fallback option since I'd just have to add my work IP to the list and just make sure I don't need to get in from anywhere unexpected.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
Back to top
View user's profile Send private message
Dammital
Apprentice
Apprentice


Joined: 05 Nov 2004
Posts: 189

PostPosted: Thu Oct 04, 2007 1:54 am    Post subject: Try denyhosts Reply with quote

Easy to install ("emerge denyhosts") and configure, and works pretty well.
See http://denyhosts.sourceforge.net/
Back to top
View user's profile Send private message
JTHM
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 2:43 am    Post subject: Reply with quote

Thanks, I just installed denyhosts and started it up. Lets see if this helps prevent further attacks.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
Back to top
View user's profile Send private message
m.b.j.
Guru
Guru


Joined: 12 Sep 2003
Posts: 407
Location: Germany (Essen)

PostPosted: Thu Oct 04, 2007 7:33 am    Post subject: Reply with quote

Try run your sshd on a differend port. Most script kiddies don't know how to change the target port on their "hack scripts"...

/etc/ssh/sshd_config
Code:
Port 222



While connecting you can use the -p switch to set port.

Or put this into your ~/.ssh/config

Code:
host <yourhost>
  port <yourport>

_________________
root@mbj # echo "sys-pizza/calzone -tunfish" >> /etc/paludis/use.conf
root@mbj # paludis -i calzone --dl-blocks discard
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 7421
Location: Somewhere over Atlanta, Georgia

PostPosted: Thu Oct 04, 2007 9:15 am    Post subject: Reply with quote

You might also want to consider using public key authentication, especially if you are the principle user. Then you can set "PasswordAuthentication no" in your /etc/ssh/sshd_config and laugh at the futile script kiddie login attempts. I regularly report 'em to their ISP anyway, getting the contact information from the whois data.

- John
Back to top
View user's profile Send private message
mark_alec
Bodhisattva
Bodhisattva


Joined: 11 Sep 2004
Posts: 6066
Location: Melbourne, Australia

PostPosted: Thu Oct 04, 2007 11:16 am    Post subject: Reply with quote

Moved from Networking & Security to Duplicate Threads.

See https://forums.gentoo.org/viewtopic-t-566744.html
_________________
www.gentoo.org.au || #gentoo-au
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Duplicate Threads All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum