LinuxQuestions.org
Old 11-16-2004, 10:05 PM   #1
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
ssh intrusion!


I was just wanting to post this ip that's increasingly attempting to login to my system.


Failed logins from these:
adm/password from 68.251.82.222: 2 time(s)
apache/password from 68.251.82.222: 1 time(s)
mysql/password from 68.251.82.222: 1 time(s)
nobody/password from 68.251.82.222: 1 time(s)
operator/password from 68.251.82.222: 1 time(s)
root/password from 68.251.82.222: 59 time(s)

**Unmatched Entries**
Received disconnect from 68.251.82.222: 11: Bye Bye
input_userauth_request: illegal user patrick
Failed password for illegal user patrick from 68.251.82.222 port 47268 ssh2
Received disconnect from 68.251.82.222: 11: Bye Bye
input_userauth_request: illegal user patrick
Failed password for illegal user patrick from 68.251.82.222 port 47769 ssh2
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye



The complete list for today is a few feet long, but you get the idea.

Anyone else seeing this same IP in their logs?

david@zeus:~> whois 68.251.82.222
Ameritech Electronic Commerce SBCIS-AMER-100902 (NET-68-248-0-0-1)
68.248.0.0 - 68.255.255.255
 
Old 11-17-2004, 01:03 AM   #2
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Rep: Reputation: 34
If this is happening via your ssh server, you can do a few things:
1. Don't use ssh!
2. Block them with the /etc/hosts.allow and /etc/hosts.deny config files
3. Block EVERYONE and only specify certain IP addresses allowed to connect to which services.

Here are some examples: (hosts.deny)
Code:
# denies access to every wrapped service from all hosts in domain.com
ALL: .domain.com
# denies access to sshd from all hosts in domain.com
sshd: .domain.com
# denies access to sshd from the whole 68.248.0.0 - 68.255.255.255 block (net/mask form)
sshd: 68.248.0.0/255.248.0.0
I'm going to assume that the range I specified is for all computers for that one host, but you can just do this in hosts.deny:
Code:
# block all wrapped services for this one IP
ALL: 68.251.82.222
Note: these files only affect those services invoked via inetd (and tcp_wrappers), or that have support for tcp_wrappers built-in. There are also other files, one being /etc/hosts_options.

Let me know if you have any luck!

Last edited by student04; 11-17-2004 at 01:16 AM.
 
Old 11-17-2004, 07:39 AM   #3
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
I haven't seen that actual IP but I do see an increase in the number of ssh attempts even on my own servers.. lots of fun!
 
Old 11-17-2004, 07:56 AM   #4
jdruin
Member
 
Registered: Jul 2003
Location: Louisville aka Derby City
Distribution: WinXP SP2 and SP3, W2K Server, Ubuntu
Posts: 313

Rep: Reputation: 30
Where is the log file that logs connections such as these? I would like to learn how to check such events.
 
Old 11-17-2004, 08:03 AM   #5
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
Quote:
Originally posted by jdruin
Where is the log file that logs connections such as these? I would like to learn how to check such events.
Usually just in /var/log/messages
 
Old 11-17-2004, 08:20 AM   #6
pld
Member
 
Registered: Jun 2003
Location: Southern US
Distribution: Ubuntu 5.10
Posts: 206

Rep: Reputation: 30
i think i noticed on another thread a couple of days ago that a lot of us were getting the same type of blocked attempts on ssh. it would appear to be some sort of script-kiddie with a brute force dictionary attack on ssh. i have noticed many of the same messages (from a different ip) in my logs.

perhaps block all further attempts from an ip after X failed logins through ssh?
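An added example (not code from anyone in this thread) that ties student04's hosts.deny rules to pld's "block after X failed logins" idea: it counts failed-password lines per source address in sshd log lines of the kind quoted in post #1 and emits tcp_wrappers rules for addresses that cross a threshold. The log lines are constructed for the example and the threshold of 3 is arbitrary.

```python
import re
from collections import Counter

# Constructed sample sshd log lines, modelled on the messages quoted in post #1
# (syslog prefix added); not the poster's real log.
SAMPLE_LOG = """\
Nov 16 21:40:01 zeus sshd[2311]: Failed password for illegal user patrick from 68.251.82.222 port 47268 ssh2
Nov 16 21:40:03 zeus sshd[2311]: Received disconnect from 68.251.82.222: 11: Bye Bye
Nov 16 21:40:07 zeus sshd[2315]: Failed password for illegal user patrick from 68.251.82.222 port 47769 ssh2
Nov 16 21:40:12 zeus sshd[2319]: Failed password for root from 68.251.82.222 port 47801 ssh2
Nov 16 21:40:15 zeus sshd[2322]: Failed password for root from 68.251.82.222 port 47822 ssh2
Nov 16 21:41:02 zeus sshd[2330]: Failed password for david from 10.0.0.5 port 51022 ssh2
Nov 16 21:41:30 zeus sshd[2334]: Accepted password for david from 10.0.0.5 port 51023 ssh2
"""

# Matches both the "illegal user" form and failures for accounts that exist.
FAILED_RE = re.compile(
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def count_failures(log_text):
    """Return {source ip: Counter(username -> failed attempts)}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip.setdefault(m.group("ip"), Counter())[m.group("user")] += 1
    return per_ip

def offenders(log_text, threshold=3):
    """Source IPs whose failed logins reach the threshold (the X in pld's
    suggestion; 3 is an arbitrary value for this example), busiest first."""
    totals = {ip: sum(c.values()) for ip, c in count_failures(log_text).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

def hosts_deny_lines(log_text, threshold=3):
    """One tcp_wrappers rule per offender, in hosts_access(5) syntax, ready to
    append to /etc/hosts.deny as student04 describes."""
    return ["sshd: %s" % ip for ip in offenders(log_text, threshold)]
```

Run over a real /var/log/messages the same way; a single failure from a known address (10.0.0.5 above) stays below the threshold and is not blocked.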
 
Old 11-17-2004, 11:11 AM   #7
drj000
Member
 
Registered: Sep 2004
Location: Hagerstown, MD
Distribution: Ubuntu Natty Narwahl
Posts: 258

Rep: Reputation: 31
Since I know the IPs of the computers from which I want to use SSH, I just block all IPs for every service (by adding "all:all" in my hosts.deny file), and selectively allow the IPs that I need for certain services. That's always seemed the safest thing to do. Before I did this, I got ssh attempts like that all the time. They were never successful, which surprised me once I learned of them, because I had stupidly used a proper noun for my root password. I was lucky. (I have, of course, since changed my root password to something obscure that only my family members would be able to guess, and it would be difficult for them)
 
Old 11-17-2004, 01:31 PM   #8
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Original Poster
Rep: Reputation: 56
I use dialup a lot when I'm on the road. I guess I could start blocking the IPs that are trying to get in but I really don't think they are going to get in this lifetime.

Unless maybe there is some new way to decipher a pattern or something.

The funny thing is they are trying to log in as root and some other invalid usernames but not any valid ssh usernames yet.

It is somewhat amusing to watch them try. I was thinking about sending them a message like this...


ssh StopTryingToGetIntoMySystemBoneHead@68.251.82.222

Today there is a different IP with the same thing so I guess they are on some dialup or dsl that they can change easily.


jdruin

I have a program called LogWatch that emails me daily with anything odd that it finds in my logs.
 
Old 11-17-2004, 02:12 PM   #9
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Rep: Reputation: 34
Quote:
Originally posted by DavidPhillips
It is somewhat amusing to watch them try. I was thinking about sending them a message like this...


ssh StopTryingToGetIntoMySystemBoneHead@68.251.82.222

Today there is a different IP with the same thing so I guess they are on some dialup or dsl that they can change easily.


jdruin

I have a program called LogWatch that emails me daily with anything odd that it finds in my logs.
Haha that's an interesting way to send a message...

This LogWatch.. http://freshmeat.net/projects/logwatch/ is that what you're referring to?
 
Old 11-17-2004, 02:51 PM   #10
Hcman
Member
 
Registered: Jan 2003
Location: Holland
Distribution: OpenBSD 3.6 - Arch Linux 0.7
Posts: 210

Rep: Reputation: 30
Quote:
Originally posted by drj000
(...) (I have, of course, since changed my root password to something obscure that only my family members would be able to guess, and it would be difficult for them)
If it's a word, there's still the chance a simple dictionary search will find it, so it's best to use random passwords.
Look into apg, for example. It generates random passwords, but also pronounceable random passwords you can easily memorize.

Arjan
 
Old 11-17-2004, 03:03 PM   #11
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Rep: Reputation: 34
Oh man that's awesome. I've been looking for one of those
 
Old 11-17-2004, 05:27 PM   #12
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
i've gotten a bunch of these also. i have a cron job that sends them to me. i have sent out emails to the ISPs of the addresses. from the ten-fifteen that i've sent i have received 4 replies, 3 of them static replies "thanks, we'll check into it." and one actually saying that they will take a look at the ip and narrow it down to who is doing it.

something else, if you're going to send emails with part of your message, make sure that you put it in the body of the message and not as an attachment. just like most of us, we don't want to have to scan our emails before opening them up.

what i've done is to just put the addresses in my /etc/hosts.deny and then drop the whole block of addresses from access. yes i could just allow only the ones that i know, but i'm also hosting someone who comes from a dhcp environment, dial-up, so i would be blocking him also.

isn't it fun having your own servers to take care of
 
Old 11-17-2004, 05:35 PM   #13
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Rep: Reputation: 34
Quote:
Originally posted by emetib
just like most of us, we don't want to have to scan our emails before opening them up.
Scan? For what?
 
Old 11-17-2004, 08:05 PM   #14
hw-tph
Senior Member
 
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 57
I believe most - if not all - of these attempts (yes, I've got them too) come from already compromised machines. It would have to be a real newbie script kiddie to try brute force entry on entire subnets from their own machines.

I've been tempted to set up a honeypot after weeks of logwatch mails chock full of warning messages from ssh.


Håkan
 
Old 11-17-2004, 09:11 PM   #15
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
Quote:
Originally posted by hw-tph
I've been tempted to set up a honeypot after weeks of logwatch mails chock full of warning messages from ssh.
Håkan
make sure that you have enough ram to run that vmware. a honeypot would be fun to play with.

one thing though. what it seems like is they're using passwds that are the user name. so a basic script like that wouldn't be that hard to make. if they're trying a brute force attack you would see multiple root-denied in those logs. not just root, admin, user, .....

so if you have your machines set up with good passwds, and then make it so that you can't log into them without keys, then i wouldn't worry too much about it.

for me, you can't get into my machines unless you have a key. no plain text passwds are allowed. they're real easy to generate so i don't understand why more people don't use them. oh, and if you have a laptop, don't keep your key there. keep it on one of the keychain fobs that people have now. you're less likely to lose that at the same time that you have your laptop stolen/compromised.

cheers.
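An added example (not from emetib or anyone else in the thread) of checking whether an sshd_config actually enforces the key-only setup emetib describes: it parses a config the way sshd does (first occurrence of a keyword wins, case-insensitive) and reports settings that still let a remote guesser try passwords. Both config fragments are constructed; the defaults used for unset keywords are those of OpenSSH of that era and are an assumption of this example, and Match blocks are not modelled.

```python
# Constructed sshd_config fragments for this example: password logins left on,
# beside the key-only setup emetib describes.
WEAK_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# keyword -> (value wanted, sshd default of the era if unset; assumed here)
CHECKS = {
    "permitrootlogin": ("no", "yes"),
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}

def parse_sshd_config(text):
    """First occurrence of a keyword wins, as sshd resolves it; keywords are
    case-insensitive, '#' lines are comments, 'Key = value' is accepted.
    Match blocks are not modelled (assumption for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def audit(text):
    """List (keyword, effective value, wanted value) for every setting that
    still lets a remote guesser try passwords; unset keywords use the default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in CHECKS.items():
        found = settings.get(key, default)
        if found != wanted:
            findings.append((key, found, wanted))
    return findings
```

Note that ChallengeResponseAuthentication is checked too: with PAM in use, leaving it on keeps a keyboard-interactive password prompt available even after PasswordAuthentication is off.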
 