Security Issue.

Hack attempts? Can I block them?

5:38 pm on Aug 29, 2005 (gmt 0)


Greetings,

I wasn't sure about where I could post this. Anyway, here we go... Here's a copy & paste from our security run output (just a part):

Aug 26 14:26:59 mysite sshd[81770]: Failed password for invalid user 1 from 211.21.170.138 port 34069 ssh2
Aug 26 14:27:05 mysite sshd[81829]: Failed password for invalid user a from 211.21.170.138 port 34162 ssh2
Aug 26 14:27:10 mysite sshd[81896]: Failed password for invalid user a from 211.21.170.138 port 34263 ssh2
Aug 26 14:27:16 mysite sshd[81955]: Failed password for invalid user abuse from 211.21.170.138 port 34361 ssh2
Aug 26 14:27:19 mysite sshd[82019]: Failed password for invalid user abuse from 211.21.170.138 port 34488 ssh2
Aug 26 14:27:22 mysite sshd[82054]: Failed password for invalid user abuse from 211.21.170.138 port 34563 ssh2
Aug 26 14:27:24 mysite sshd[82089]: Failed password for invalid user academia from 211.21.170.138 port 34637 ssh2
Aug 26 14:27:27 mysite sshd[82122]: Failed password for invalid user academia from 211.21.170.138 port 34709 ssh2
Aug 26 14:27:29 mysite sshd[82160]: Failed password for invalid user academia from 211.21.170.138 port 34787 ssh2
Aug 26 14:27:32 mysite sshd[82202]: Failed password for invalid user academic from 211.21.170.138 port 34881 ssh2
Aug 26 14:27:35 mysite sshd[82234]: Failed password for invalid user academic from 211.21.170.138 port 34964 ssh2
Aug 26 14:27:41 mysite sshd[82267]: Failed password for invalid user academic from 211.21.170.138 port 35042 ssh2
Aug 26 14:27:45 mysite sshd[82334]: Failed password for invalid user ada from 211.21.170.138 port 35150 ssh2
Aug 26 14:27:48 mysite sshd[82386]: Failed password for invalid user ada from 211.21.170.138 port 35240 ssh2
Aug 26 14:27:50 mysite sshd[82420]: Failed password for invalid user ada from 211.21.170.138 port 35323 ssh2
Aug 26 14:27:54 mysite sshd[82458]: Failed password for invalid user adams from 211.21.170.138 port 35398 ssh2
Aug 26 14:27:57 mysite sshd[82517]: Failed password for invalid user adams from 211.21.170.138 port 35501 ssh2
Aug 26 14:28:00 mysite sshd[82556]: Failed password for invalid user adams from 211.21.170.138 port 35586 ssh2
Aug 26 14:28:03 mysite sshd[82594]: Failed password for invalid user adating from 211.21.170.138 port 35660 ssh2
Aug 26 14:28:06 mysite sshd[82631]: Failed password for invalid user adating from 211.21.170.138 port 35749 ssh2
Aug 26 14:28:09 mysite sshd[82671]: Failed password for invalid user adating from 211.21.170.138 port 35843 ssh2
Aug 26 14:28:14 mysite sshd[82710]: Failed password for invalid user adm from 211.21.170.138 port 35956 ssh2
Aug 26 14:28:16 mysite sshd[82745]: Failed password for invalid user adm from 211.21.170.138 port 36053 ssh2
Aug 26 14:28:19 mysite sshd[82773]: Failed password for invalid user adm from 211.21.170.138 port 36125 ssh2

How can I block these attempts? Can I block an IP after so many login attempts? Help please! Thanks in advance!

8:19 pm on Aug 29, 2005 (gmt 0)


These SSH Brute Force attacks have been going on for a few months (there are standard scripts out there in the hands of script kiddies). See:

[it.slashdot.org...]

for greater discussion. If your server software is up to date and you have strong passwords (i.e. don't use weak passwords like "test" or "admin" or "password" like some people do), you should be fine.

Someone wrote a script at:

[csc.liv.ac.uk...]

that says it'll block the attacks (I can't vouch for it, though, as I've not used it).

If you search Google for "SSH brute force", you'll find lots of other discussions.
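The question above asks whether an IP can be blocked after a number of failed logins, and the reply points at a third-party script that claims to do so. The following is an added example written for this page, not the script linked in the reply or anything from the thread's authors: it parses sshd "Failed password" lines of the shape shown in the first post, counts failures per source address in a sliding time window, and flags an address once it crosses a threshold. Six of the sample lines are copied from the post; the last two lines, the year 2005 (syslog timestamps carry no year), the allowlist, and the iptables command syntax are assumptions made for the example.

```python
# Added example (not from the thread): sliding-window counter over sshd
# "Failed password" lines that flags source IPs for blocking once they
# exceed a threshold, while never flagging addresses on an allowlist.
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the lines sshd writes to the auth log (matches the post's output).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Six lines copied from the post, plus two constructed lines: one failure
# from a second address and one message that is not a failure at all.
SAMPLE_LINES = [
    "Aug 26 14:26:59 mysite sshd[81770]: Failed password for invalid user 1 from 211.21.170.138 port 34069 ssh2",
    "Aug 26 14:27:05 mysite sshd[81829]: Failed password for invalid user a from 211.21.170.138 port 34162 ssh2",
    "Aug 26 14:27:10 mysite sshd[81896]: Failed password for invalid user a from 211.21.170.138 port 34263 ssh2",
    "Aug 26 14:27:16 mysite sshd[81955]: Failed password for invalid user abuse from 211.21.170.138 port 34361 ssh2",
    "Aug 26 14:27:19 mysite sshd[82019]: Failed password for invalid user abuse from 211.21.170.138 port 34488 ssh2",
    "Aug 26 14:27:22 mysite sshd[82054]: Failed password for invalid user abuse from 211.21.170.138 port 34563 ssh2",
    "Aug 26 14:30:00 mysite sshd[82300]: Failed password for bob from 192.0.2.10 port 40001 ssh2",    # constructed
    "Aug 26 14:30:02 mysite sshd[82301]: Accepted password for bob from 192.0.2.10 port 40001 ssh2",  # constructed
]


def parse_failed(line, year=2005):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def offenders(lines, threshold=5, window_seconds=60, allow=(), year=2005):
    """Map each offending IP to the time it first reached `threshold` failures
    within any `window_seconds` span. Addresses in `allow` are never flagged,
    which keeps an admin's own address from being locked out by typos."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed(line, year)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in allow:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the window relative to this one.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Render one firewall command per flagged IP. iptables syntax is assumed
    here; the post's host could equally be running ipfw or pf."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LINES)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(block_rules(hits)))
```

With the defaults (5 failures inside 60 seconds) the post's own lines flag 211.21.170.138 at the fifth failure; the single failure from the constructed second address does not. Narrow the window to 10 seconds and the same lines no longer trip the threshold, which is why the window and threshold should be chosen against real traffic rather than guessed. Anything that emits block rules automatically needs an allowlist for the addresses you administer from, and blocks should expire after a while so a spoofed or shared source does not stay blocked forever.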

8:36 pm on Aug 29, 2005 (gmt 0)


Also, as a general precaution, disable root logins in SSH (in /etc/ssh/sshd_config set "PermitRootLogin" to "no", and reload the SSH server process). This is because root is the only user who an attacker knows will exist (at least on Linux), and is therefore at greater risk than a normal user, whose name(s) can only be guessed at.

(Of course, if an attacker is in a position to be able to guess user names with some degree of accuracy, it might be an idea to use only non-obvious user names. This is all "security through obscurity", mind you, i.e. no replacement for strong passwords and a proactive security policy, but every little helps.)
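The reply above says to set PermitRootLogin to "no" in sshd_config. One detail that trips people up when applying that advice is that sshd takes the first value it reads for a keyword, so appending the fix at the bottom of a file that already contains "PermitRootLogin yes" changes nothing. The following is an added example written for this page, not code from the thread or from OpenSSH: it parses an sshd_config text with that first-occurrence rule, stops at the first Match block (whose settings are conditional), and reports whether root login is still permitted. The three config texts are constructed; treating a missing keyword as "yes" is an assumption that matches the OpenSSH default of the thread's era (newer releases default to prohibit-password).

```python
# Added example (not from the thread): read an sshd_config text the way sshd
# does (first occurrence of a keyword wins, Match blocks are conditional) and
# report whether root logins are still permitted.
import re

# Accepts "Keyword value", "Keyword=value" and "Keyword = value".
OPTION_RE = re.compile(r"(\S+?)\s*(?:=|\s)\s*(.*)")


def global_settings(config_text):
    """Return {keyword_lower: value} for the global section of sshd_config.
    sshd keeps the FIRST value it sees for a keyword, so a hardening line
    appended below an existing one is silently ignored. Parsing stops at the
    first Match block, whose settings apply only to matching connections."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.fullmatch(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings


# Values that do not allow a password guess to land a root shell.
ACCEPTABLE = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def root_login_check(config_text):
    """Return (effective PermitRootLogin value, acceptable?). A missing keyword
    is treated as "yes" (assumption: the default of older OpenSSH releases)."""
    value = global_settings(config_text).get("permitrootlogin", "yes").lower()
    return value, value in ACCEPTABLE


# Constructed config fragments for the demonstration.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# The reply's fix applied correctly: the existing keyword is changed in place.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

# A common mistake: the fix is appended below the original line, so "yes"
# stays in force because sshd keeps the first occurrence.
APPENDED_TRAP = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes

# added later, has no effect:
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("appended", APPENDED_TRAP)):
        value, ok = root_login_check(text)
        print(f"{name:9s} PermitRootLogin={value:4s} {'ok' if ok else 'ROOT LOGIN PERMITTED'}")
```

The check is worth running after every edit and before reloading sshd, because the "appended" case looks fixed to anyone reading only the tail of the file. On a live host, `sshd -T` prints the effective settings and is the authoritative check; the parser here is for reviewing config text offline.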
