Gentoo Forums
[SSH] Multiple connections (without brute force)
Bio
Apprentice

Joined: 17 Mar 2003
Posts: 197
Location: Geneva which should be in Switzerland...

PostPosted: Wed May 07, 2008 12:37 pm    Post subject: [SSH] Multiple connections (without brute force)

My server is regularly the target of connection attempts, SSH brute force in particular, but I had never seen anything like the logs below. I don't really know what to make of it: this many connection attempts from different hosts in only 3 hours. I don't host any sensitive services and/or data, so I'm a bit surprised.

What do you think? Should I be worried?


Code:
May  6 23:37:38 localhost sshd[7862]: refused connect from ::ffff:200.241.233.130 (::ffff:200.241.233.130)
May  6 23:44:16 localhost sshd[7894]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: 85-92-131-183.twiki.magsoft.nl != 85-92-131-181.magsoft.nl
May  6 23:44:16 localhost sshd[7894]: refused connect from user@::ffff:85.92.131.183 (::ffff:85.92.131.183)
May  6 23:46:21 localhost sshd[7901]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)
May  6 23:48:55 localhost sshd[7910]: refused connect from mutlb164055.smarttadsl.com (::ffff:69.67.164.55)
May  6 23:51:40 localhost sshd[7931]: refused connect from 28-248-114-200.fibertel.com.ar (::ffff:200.114.248.28)
May  6 23:53:22 localhost sshd[7937]: refused connect from ns01.zerojoy.net (::ffff:66.76.241.57)
May  6 23:56:06 localhost sshd[7946]: refused connect from iw4.internetdsl.tpnet.pl (::ffff:80.53.126.4)
May  6 23:57:54 localhost sshd[7953]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: ftp.marpress.com.br != webmail.marpress.com.br
May  6 23:57:55 localhost sshd[7953]: refused connect from ::ffff:201.28.216.115 (::ffff:201.28.216.115)
May  7 00:02:26 localhost sshd[7981]: refused connect from simon@211-22-140-146.HINET-IP.hinet.net (::ffff:211.22.140.146)
May  7 00:05:01 localhost sshd[7989]: refused connect from 62.43.205.67.static.user.ono.com (::ffff:62.43.205.67)
May  7 00:06:54 localhost sshd[7998]: refused connect from p12028-ipbffx02marunouchi.tokyo.ocn.ne.jp (::ffff:222.147.75.28)
May  7 00:09:30 localhost sshd[8007]: refused connect from eli18.internetdsl.tpnet.pl (::ffff:83.15.142.18)
May  7 00:12:01 localhost sshd[8027]: refused connect from ::ffff:85.232.25.213 (::ffff:85.232.25.213)
May  7 00:13:59 localhost sshd[8034]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)
May  7 00:16:43 localhost sshd[8043]: refused connect from mail.moldes.com.pe (::ffff:200.62.177.91)
May  7 00:18:27 localhost sshd[8049]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)
May  7 00:22:53 localhost sshd[8076]: refused connect from mail.atlas.com.tw (::ffff:61.63.6.144)
May  7 00:25:18 localhost sshd[8084]: refused connect from mail.inveda.net (::ffff:81.169.156.95)
May  7 00:25:30 localhost sshd[8085]: refused connect from 80.179.15.227.static.012.net.il (::ffff:80.179.15.227)
May  7 00:26:59 localhost sshd[8090]: refused connect from 80.179.15.227.static.012.net.il (::ffff:80.179.15.227)
May  7 00:28:04 localhost sshd[8094]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com
May  7 00:28:04 localhost sshd[8094]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 50746 ssh2
May  7 00:30:02 localhost sshd[8104]: refused connect from mailtest@i195160.ppp.asahi-net.or.jp (::ffff:61.125.195.160)
May  7 00:32:26 localhost sshd[8124]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed
May  7 00:32:26 localhost sshd[8124]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)
May  7 00:34:20 localhost sshd[8130]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(69-64-65-35.dedicated.abac.net, AF_INET) failed
May  7 00:34:21 localhost sshd[8130]: refused connect from ::ffff:69.64.65.35 (::ffff:69.64.65.35)
May  7 00:36:49 localhost sshd[8139]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: ns2.glai.de != piripiri051.webperoni.de
May  7 00:36:49 localhost sshd[8139]: refused connect from ::ffff:80.190.233.22 (::ffff:80.190.233.22)
May  7 00:38:54 localhost sshd[8146]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer123-181-213.iplannetworks.net, AF_INET) failed
May  7 00:38:55 localhost sshd[8146]: refused connect from ::ffff:200.123.181.213 (::ffff:200.123.181.213)
May  7 00:41:33 localhost sshd[8166]: refused connect from static-dsl-102.213-160-166.telecom.sk (::ffff:213.160.166.102)
May  7 00:43:30 localhost sshd[8173]: refused connect from static-dsl-102.213-160-166.telecom.sk (::ffff:213.160.166.102)
May  7 00:45:54 localhost sshd[8182]: refused connect from eli18.internetdsl.tpnet.pl (::ffff:83.15.142.18)
May  7 00:48:37 localhost sshd[8191]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)
May  7 00:50:27 localhost sshd[8209]: refused connect from 195.47.114.129.adsl.nextra.cz (::ffff:195.47.114.129)
May  7 00:52:58 localhost sshd[8218]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com
May  7 00:52:58 localhost sshd[8218]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 49581 ssh2
May  7 00:57:25 localhost sshd[8235]: refused connect from TROYMIMNDS0A910.mcleodusa.net (::ffff:209.254.234.18)
May  7 00:59:19 localhost sshd[8241]: refused connect from confixx.fernuni-hagen.de (::ffff:132.176.85.100)
May  7 01:04:23 localhost sshd[8271]: refused connect from r01.glglgl.eu (::ffff:89.149.208.141)
May  7 01:06:30 localhost sshd[8279]: refused connect from ::ffff:66.99.53.142 (::ffff:66.99.53.142)
May  7 01:09:11 localhost sshd[8288]: refused connect from webserver.janel.com.mx (::ffff:201.134.245.78)
May  7 01:14:02 localhost sshd[8315]: error: PAM: Authentication failure for illegal user root from b14f0.static.pacific.net.au
May  7 01:14:02 localhost sshd[8315]: Failed keyboard-interactive/pam for invalid user root from 202.7.89.240 port 36568 ssh2
May  7 01:15:40 localhost sshd[8323]: refused connect from joe@cni1.cbinf.com (::ffff:196.2.12.200)
May  7 01:18:16 localhost sshd[8332]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer68-83-177.iplannetworks.net, AF_INET) failed
May  7 01:18:26 localhost sshd[8332]: refused connect from ::ffff:200.68.83.177 (::ffff:200.68.83.177)
May  7 01:20:46 localhost sshd[8352]: refused connect from s161-184-174-76.ab.hsia.telus.net (::ffff:161.184.174.76)
May  7 01:22:48 localhost sshd[8359]: refused connect from 3e70de9.adsl.enternet.hu (::ffff:62.112.222.9)
May  7 01:25:25 localhost sshd[8368]: refused connect from ::ffff:62.77.209.5 (::ffff:62.77.209.5)
May  7 01:27:15 localhost sshd[8374]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: spare.eorigen.com != lon-web-test.gradwell.net
May  7 01:27:16 localhost sshd[8374]: refused connect from ::ffff:193.111.200.140 (::ffff:193.111.200.140)
May  7 01:29:47 localhost sshd[8383]: refused connect from ::ffff:62.159.113.66 (::ffff:62.159.113.66)
May  7 01:31:52 localhost sshd[8402]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed
May  7 01:31:52 localhost sshd[8402]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)
May  7 01:34:43 localhost sshd[8411]: refused connect from ex216126.uac63.hknet.com (::ffff:202.71.216.126)
May  7 01:39:13 localhost sshd[8425]: refused connect from 62-167-18-154.static.adslpremium.ch (::ffff:62.167.18.154)
May  7 01:41:33 localhost sshd[8446]: warning: /etc/hosts.deny, line 3240: host name/address mismatch: 83.136.87.102 != www.unicum.de
May  7 01:41:33 localhost sshd[8446]: refused connect from ::ffff:83.136.87.102 (::ffff:83.136.87.102)
May  7 01:43:40 localhost sshd[8453]: refused connect from pd95b4140.dip0.t-ipconnect.de (::ffff:217.91.65.64)
May  7 01:46:28 localhost sshd[8462]: refused connect from dsl-200-67-131-155.prod-empresarial.com.mx (::ffff:200.67.131.155)
May  7 01:48:18 localhost sshd[8469]: refused connect from provone.provsol.net (::ffff:70.90.196.137)
May  7 01:51:03 localhost sshd[8490]: refused connect from admin.leeds-utd.org.uk (::ffff:81.5.160.149)
May  7 01:52:56 localhost sshd[8497]: refused connect from ns2374.ovh.net (::ffff:213.186.45.34)
May  7 01:55:49 localhost sshd[8506]: error: PAM: Authentication failure for illegal user root from x020112.ppp.asahi-net.or.jp
May  7 01:55:49 localhost sshd[8506]: Failed keyboard-interactive/pam for invalid user root from 122.249.20.112 port 15058 ssh2
May  7 01:58:25 localhost sshd[8517]: refused connect from dsl-200-67-131-155.prod-empresarial.com.mx (::ffff:200.67.131.155)
May  7 02:00:28 localhost sshd[8538]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com
May  7 02:00:28 localhost sshd[8538]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 52621 ssh2
May  7 02:01:05 localhost denyhosts: Added the following hosts to /etc/hosts.deny - adsl-66-159-198-155.dslextreme.com
May  7 02:03:25 localhost sshd[8549]: refused connect from ::ffff:143.107.110.29 (::ffff:143.107.110.29)
May  7 02:05:19 localhost sshd[8556]: refused connect from h-66-134-26-166.nycmny83.covad.net (::ffff:66.134.26.166)
May  7 02:07:48 localhost sshd[8565]: refused connect from ::ffff:212.150.167.61 (::ffff:212.150.167.61)
May  7 02:09:54 localhost sshd[8572]: refused connect from blulove.pl (::ffff:217.160.20.154)
May  7 02:12:36 localhost sshd[8593]: refused connect from bvm52.internetdsl.tpnet.pl (::ffff:83.18.194.52)
May  7 02:14:51 localhost sshd[8600]: refused connect from confixx.fernuni-hagen.de (::ffff:132.176.85.100)
May  7 02:17:34 localhost sshd[8610]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed
May  7 02:17:34 localhost sshd[8610]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)
May  7 02:20:33 localhost sshd[8632]: refused connect from ::ffff:200.172.166.2 (::ffff:200.172.166.2)
May  7 02:22:42 localhost sshd[8638]: refused connect from 216-197-204-76.estv.hsdb.sasknet.sk.ca (::ffff:216.197.204.76)
May  7 02:25:30 localhost sshd[8648]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)
May  7 02:27:28 localhost sshd[8655]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer68-83-177.iplannetworks.net, AF_INET) failed
May  7 02:27:32 localhost sshd[8655]: refused connect from javier@::ffff:200.68.83.177 (::ffff:200.68.83.177)
May  7 02:30:13 localhost sshd[8676]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed
May  7 02:30:13 localhost sshd[8676]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)
May  7 02:32:24 localhost sshd[8684]: refused connect from david@habousha-771-u.customer.be.colt.net (::ffff:62.72.101.154)
May  7 02:35:08 localhost sshd[8693]: refused connect from 1389442210.ip2long.net (::ffff:82.209.52.162)
May  7 02:37:56 localhost sshd[8702]: refused connect from chello084114015179.14.vie.surfer.at (::ffff:84.114.15.179)
May  7 02:45:25 localhost sshd[8737]: refused connect from host217-35-80-115.in-addr.btopenworld.com (::ffff:217.35.80.115)
May  7 02:48:12 localhost sshd[8746]: refused connect from ::ffff:145.253.179.229 (::ffff:145.253.179.229)
May  7 02:50:24 localhost sshd[8766]: refused connect from sara@::ffff:87.241.33.10 (::ffff:87.241.33.10)
May  7 02:53:09 localhost sshd[8775]: refused connect from static.88-198-17-13.clients.your-server.de (::ffff:88.198.17.13)
May  7 02:56:02 localhost sshd[8788]: refused connect from usa@::ffff:193.71.255.202 (::ffff:193.71.255.202)
May  7 02:58:21 localhost sshd[8795]: refused connect from 88-196-54-98-dsl.trt.estpak.ee (::ffff:88.196.54.98)
May  7 03:01:07 localhost sshd[8821]: refused connect from cc67835-a.groni1.gr.home.nl (::ffff:82.73.18.76)
May  7 03:03:30 localhost sshd[8829]: refused connect from bvm52.internetdsl.tpnet.pl (::ffff:83.18.194.52)
May  7 03:06:19 localhost sshd[8838]: refused connect from mail.inveda.net (::ffff:81.169.156.95)
May  7 03:08:41 localhost sshd[8846]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: 39757.net != man1.as39757.net
May  7 03:08:42 localhost sshd[8847]: input_userauth_request: invalid user root
May  7 03:08:44 localhost sshd[8846]: error: PAM: Authentication failure for illegal user root from 89.107.16.5
May  7 03:08:44 localhost sshd[8846]: Failed keyboard-interactive/pam for invalid user root from 89.107.16.5 port 59840 ssh2

_________________
I'm all in !
El_Goretto
Moderator

Joined: 29 May 2004
Posts: 3166
Location: Paris

PostPosted: Wed May 07, 2008 1:12 pm

Given the short time scale, either you have lots and lots of bot friends digging for vulnerabilities (the classic case), or it's outright a small botnet. Made a great new friend recently? :)
_________________
-TrueNAS & jails: µ-serv Gen8 E3-1260L, 16 GB ECC + µ-serv N40L, 10 GB ECC
-Network: APU2C4 (OpenWRT) + GS726Tv3 + 2x GS108Tv2 + Archer C5v1 (OpenWRT)
geekounet
Bodhisattva

Joined: 11 Oct 2004
Posts: 3772
Location: Wellington, Aotearoa

PostPosted: Wed May 07, 2008 1:17 pm

Or IP spoofing.
Bio
Apprentice

Joined: 17 Mar 2003
Posts: 197
Location: Geneva which should be in Switzerland...

PostPosted: Wed May 07, 2008 1:33 pm

I'm thinking of spoofing too, but that's going to a lot of trouble for not much, other than getting at my holiday photos.

@El_Goretto: What do you mean by a botnet?
_________________
I'm all in !
Desintegr
l33t

Joined: 25 Mar 2004
Posts: 863
Location: France - Orléans

PostPosted: Wed May 07, 2008 1:40 pm

If you want some peace, simply change the port.
Otherwise you can also set up port knocking.

Anyway, this kind of thing happens a lot: clever guys trying to force passwords on SSH servers found by IP scanning.
Here the clever guy surely has access to several zombie machines (infected with a backdoor) and launches several connections at the same time to increase his chances.
_________________
Gentoo ~AMD64
Hoc Volo, Sic Jubeo !
My wiki: http://desintegr.free.fr


Last edited by Desintegr on Wed May 07, 2008 1:46 pm; edited 1 time in total
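As an added example (not code from the thread or from any of the posters), here is a small defender-side script that parses log lines in the same format as the OP's first post and answers the two questions raised so far: how many distinct sources are hitting the server, how often, and whether the pattern looks like the distributed "many zombies, few attempts each" campaign Desintegr describes rather than one noisy host. The sample lines are constructed, the year 2008 is assumed because syslog timestamps carry none, and the thresholds in `classify` are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample lines in the same format as the sshd / tcp_wrappers /
# denyhosts output shown in the thread (a made-up subset, not the real log).
SAMPLE_LOG = """\
May  6 23:37:38 localhost sshd[7862]: refused connect from ::ffff:200.241.233.130 (::ffff:200.241.233.130)
May  6 23:46:21 localhost sshd[7901]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)
May  7 00:18:27 localhost sshd[8049]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)
May  7 00:28:04 localhost sshd[8094]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 50746 ssh2
May  7 00:52:58 localhost sshd[8218]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 49581 ssh2
May  7 02:00:28 localhost sshd[8538]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 52621 ssh2
May  7 02:01:05 localhost denyhosts: Added the following hosts to /etc/hosts.deny - adsl-66-159-198-155.dslextreme.com
May  7 02:30:13 localhost sshd[8676]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)
May  7 03:08:44 localhost sshd[8846]: Failed keyboard-interactive/pam for invalid user root from 89.107.16.5 port 59840 ssh2
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
# tcp_wrappers refusal: the address in parentheses is authoritative; the token
# before it may be a reverse-DNS name or even "user@host" from an ident lookup.
REFUSED_RE = re.compile(r"refused connect from \S+ \((?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\)")
# sshd authentication failure (password or keyboard-interactive/pam).
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")


class Event(NamedTuple):
    ts: datetime
    kind: str            # "refused" or "auth_failed"
    ip: str
    user: Optional[str]  # only known for auth failures


def parse_line(line: str, year: int = 2008) -> Optional[Event]:
    """Turn one syslog line into an Event, or None if it is not an SSH attempt."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))  # year assumed
    r = REFUSED_RE.search(line)
    if r:
        return Event(ts, "refused", r.group(1), None)
    f = FAILED_RE.search(line)
    if f:
        return Event(ts, "auth_failed", f.group(2), f.group(1))
    return None


def parse_log(text: str, year: int = 2008) -> List[Event]:
    events = [parse_line(line, year) for line in text.splitlines()]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def attempts_per_source(events: List[Event]) -> Counter:
    return Counter(e.ip for e in events)


def mean_interarrival_seconds(events: List[Event]) -> float:
    """Average gap between consecutive attempts (the OP later reports about 45 s)."""
    if len(events) < 2:
        return 0.0
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(events, events[1:])]
    return sum(gaps) / len(gaps)


def classify(events: List[Event], min_sources: int = 5, per_source_max: int = 3) -> str:
    """Distinguish a distributed (botnet-style) campaign from a single noisy host.

    Thresholds are assumptions for this example: any source exceeding
    per_source_max attempts -> "single-source"; at least min_sources sources
    that each stay under that limit -> "distributed"; otherwise -> "quiet".
    """
    counts = attempts_per_source(events)
    if not counts:
        return "quiet"
    busiest = counts.most_common(1)[0][1]
    if busiest > per_source_max:
        return "single-source"
    if len(counts) >= min_sources:
        return "distributed"
    return "quiet"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} attempts from {len(attempts_per_source(evs))} distinct sources, "
          f"mean gap {mean_interarrival_seconds(evs):.0f} s -> {classify(evs)}")
```

The point of separating `refused` from `auth_failed` is that the two tell different stories: a `refused connect` line means tcp_wrappers (via /etc/hosts.deny, which denyhosts is filling) dropped the connection before any authentication happened, while a `Failed ... for invalid user root` line means the host got as far as a PAM password prompt, which is the part worth closing off.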
loopx
Advocate

Joined: 01 Apr 2005
Posts: 2787
Location: Belgium / Liège

PostPosted: Wed May 07, 2008 1:46 pm

geekounet wrote:
Or IP spoofing.


On the Internet :o ?
_________________
My personal MediaWiki: http://pix-mania.dyndns.org
Bio
Apprentice

Joined: 17 Mar 2003
Posts: 197
Location: Geneva which should be in Switzerland...

PostPosted: Wed May 07, 2008 2:40 pm

Desintegr wrote:
If you want some peace, simply change the port.
Otherwise you can also set up port knocking.


Indeed, but since I access my server from work I only have access to the "standard" ports 21, 22, 80 etc...


I could switch it to 443, that said.
_________________
I'm all in !
Bio
Apprentice

Joined: 17 Mar 2003
Posts: 197
Location: Geneva which should be in Switzerland...

PostPosted: Wed May 07, 2008 2:53 pm

Whoa, I hadn't noticed because my daily report is generated at 3 am. But it's still going on like this and the guy is still active on my server. One connection roughly every 45 seconds, each time from a different IP.

For good measure I've redirected ssh to 443 until things calm down
_________________
I'm all in !
-KuRGaN-
Veteran

Joined: 05 Dec 2004
Posts: 1142
Location: Besançon (25) [FRANCE]

PostPosted: Wed May 07, 2008 2:55 pm

Well, if port knocking doesn't suit you, you can already remove password authentication from ssh and then install fail2ban.
_________________
Knight Gent00 Industries RiDeR !!!!
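As an added illustration of what "remove password authentication" means in sshd_config (this is not configuration from the thread or from any poster; the user name `alice` is a placeholder), the two fragments below show the settings that allow the `Failed keyboard-interactive/pam for invalid user root` lines in the OP's log, and the key-only alternative. Only one of the two belongs in /etc/ssh/sshd_config, since sshd takes the first value it sees for each keyword.

```sshd_config
# --- Weak: what the logged "Failed keyboard-interactive/pam ... root" attempts rely on ---
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes   # keyboard-interactive prompt backed by PAM
UsePAM yes

# --- Hardened: public keys only, no root, no password prompt of any kind ---
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no    # otherwise PAM still offers a password prompt
UsePAM yes                            # PAM stays for account/session handling only
AllowUsers alice                      # placeholder: the one account allowed to log in
MaxAuthTries 3
```

With both `PasswordAuthentication` and `ChallengeResponseAuthentication` off, a guessed password is never even evaluated, so the remaining noise is only the `refused connect` / failed-publickey lines; fail2ban then reads exactly those `... from <ip> port <n>` lines and adds a firewall rule for repeat offenders, much as denyhosts is already seen doing with /etc/hosts.deny at 02:01:05 in the log above.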