
Website Technology Issues Forum

    
Security Issue.
Hack attempts? Can I block them?
gutabo

Msg#: 4242 posted 5:38 pm on Aug 29, 2005 (gmt 0)

Greetings,

I wasn't sure where I could post this. Anyway, here we go... Here's a copy & paste from our security run output (just a part):

Aug 26 14:26:59 mysite sshd[81770]: Failed password for invalid user 1 from 211.21.170.138 port 34069 ssh2
Aug 26 14:27:05 mysite sshd[81829]: Failed password for invalid user a from 211.21.170.138 port 34162 ssh2
Aug 26 14:27:10 mysite sshd[81896]: Failed password for invalid user a from 211.21.170.138 port 34263 ssh2
Aug 26 14:27:16 mysite sshd[81955]: Failed password for invalid user abuse from 211.21.170.138 port 34361 ssh2
Aug 26 14:27:19 mysite sshd[82019]: Failed password for invalid user abuse from 211.21.170.138 port 34488 ssh2
Aug 26 14:27:22 mysite sshd[82054]: Failed password for invalid user abuse from 211.21.170.138 port 34563 ssh2
Aug 26 14:27:24 mysite sshd[82089]: Failed password for invalid user academia from 211.21.170.138 port 34637 ssh2
Aug 26 14:27:27 mysite sshd[82122]: Failed password for invalid user academia from 211.21.170.138 port 34709 ssh2
Aug 26 14:27:29 mysite sshd[82160]: Failed password for invalid user academia from 211.21.170.138 port 34787 ssh2
Aug 26 14:27:32 mysite sshd[82202]: Failed password for invalid user academic from 211.21.170.138 port 34881 ssh2
Aug 26 14:27:35 mysite sshd[82234]: Failed password for invalid user academic from 211.21.170.138 port 34964 ssh2
Aug 26 14:27:41 mysite sshd[82267]: Failed password for invalid user academic from 211.21.170.138 port 35042 ssh2
Aug 26 14:27:45 mysite sshd[82334]: Failed password for invalid user ada from 211.21.170.138 port 35150 ssh2
Aug 26 14:27:48 mysite sshd[82386]: Failed password for invalid user ada from 211.21.170.138 port 35240 ssh2
Aug 26 14:27:50 mysite sshd[82420]: Failed password for invalid user ada from 211.21.170.138 port 35323 ssh2
Aug 26 14:27:54 mysite sshd[82458]: Failed password for invalid user adams from 211.21.170.138 port 35398 ssh2
Aug 26 14:27:57 mysite sshd[82517]: Failed password for invalid user adams from 211.21.170.138 port 35501 ssh2
Aug 26 14:28:00 mysite sshd[82556]: Failed password for invalid user adams from 211.21.170.138 port 35586 ssh2
Aug 26 14:28:03 mysite sshd[82594]: Failed password for invalid user adating from 211.21.170.138 port 35660 ssh2
Aug 26 14:28:06 mysite sshd[82631]: Failed password for invalid user adating from 211.21.170.138 port 35749 ssh2
Aug 26 14:28:09 mysite sshd[82671]: Failed password for invalid user adating from 211.21.170.138 port 35843 ssh2
Aug 26 14:28:14 mysite sshd[82710]: Failed password for invalid user adm from 211.21.170.138 port 35956 ssh2
Aug 26 14:28:16 mysite sshd[82745]: Failed password for invalid user adm from 211.21.170.138 port 36053 ssh2
Aug 26 14:28:19 mysite sshd[82773]: Failed password for invalid user adm from 211.21.170.138 port 36125 ssh2

How can I block these attempts? Can I block an IP after so many login attempts? Help please! Thanks in advance!

 

GeorgeK

Msg#: 4242 posted 8:19 pm on Aug 29, 2005 (gmt 0)

These SSH Brute Force attacks have been going on for a few months (there are standard scripts out there in the hands of script kiddies). See:

[it.slashdot.org...]

for greater discussion. If your server software is up to date and you have strong passwords (i.e. don't use weak passwords like "test" or "admin" or "password" like some people do), you should be fine.

Someone wrote a script at:

[csc.liv.ac.uk...]

that says it'll block the attacks (I can't vouch for it, though, as I've not used it).

If you search Google for "SSH brute force", you'll find lots of other discussions.
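Added example, not part of the posts above and not the script linked in this reply: one way to find the addresses that "so many login attempts" would apply to, by counting sshd "Failed password" lines per source inside a sliding time window. The thresholds, the `year` default (syslog lines carry no year) and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format quoted in the question.
# All addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Aug 26 14:26:59 mysite sshd[81770]: Failed password for invalid user a from 203.0.113.7 port 34069 ssh2
Aug 26 14:27:05 mysite sshd[81829]: Failed password for invalid user abuse from 203.0.113.7 port 34162 ssh2
Aug 26 14:27:07 mysite sshd[81830]: Failed password for bob from 198.51.100.20 port 40112 ssh2
Aug 26 14:27:10 mysite sshd[81896]: Failed password for invalid user ada from 203.0.113.7 port 34263 ssh2
Aug 26 14:27:16 mysite sshd[81955]: Failed password for root from 203.0.113.7 port 34361 ssh2
Aug 26 14:27:19 mysite sshd[82019]: Failed password for invalid user adm from 203.0.113.7 port 34488 ssh2
Aug 26 14:27:30 mysite sshd[82100]: Accepted password for bob from 198.51.100.20 port 40120 ssh2
Aug 26 14:45:02 mysite sshd[83001]: Failed password for bob from 198.51.100.20 port 40300 ssh2
"""

# The user name is supplied by the client, so the address is taken from the
# fixed "from <ip> port <n> ssh2" tail of the line, never from the middle.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$")

def offenders(lines, max_failures=5, window=timedelta(seconds=60), year=2005):
    """Return {ip: time the threshold was first reached} for every source
    with max_failures failed logins inside one sliding window.
    Assumes the lines are in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are skipped
        # syslog timestamps have no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when}")
```

The returned dictionary is what a blocking step would consume; a user who mistypes a password twice, like the 198.51.100.20 lines in the sample, stays below the threshold.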

zCat

Msg#: 4242 posted 8:36 pm on Aug 29, 2005 (gmt 0)

Also, as a general precaution, disable root logins in SSH (in: /etc/ssh/sshd_config set "PermitRootLogin" to "no", and reload the SSH server process). This is because root is the only user whom an attacker knows will exist (at least on Linux), and is therefore at greater risk than a normal user, whose name(s) can only be guessed at.

(Of course, if an attacker is in a position to be able to guess user names with some degree of accuracy, it might be an idea to use only non-obvious user names. This is all "security through obscurity" mind you, i.e. no replacement for strong passwords and a proactive security policy, but every little helps).
