LinuxQuestions.org
Linux - Newbie: This Linux forum is for members that are new to Linux.
08-12-2014, 11:51 AM   #1
tarken (Member; Registered: Jan 2010; Location: Portland; Distribution: Xubuntu; Posts: 66)
Possible to see actual passwords used?


I don't think this is possible, but maybe it is. Is it possible to see what passwords these Chinese "hackers" are trying to use to get into my system via SSH? All I am getting is:

Code:
Aug 12 05:08:58 localhost sshd[4721]: Failed password for root from 61.174.51.213 port 8112 ssh2
Aug 12 05:08:58 localhost sshd[4729]: Failed password for invalid user admin from 61.174.51.213 port 10025 ssh2
Aug 12 05:08:58 localhost unix_chkpwd[4751]: password check failed for user (root)
Aug 12 05:08:58 localhost sshd[4697]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 05:08:58 localhost unix_chkpwd[4750]: password check failed for user (root)
Aug 12 05:08:58 localhost sshd[4721]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 05:08:58 localhost sshd[4710]: Failed password for root from 61.174.51.213 port 5195 ssh2
Aug 12 05:08:58 localhost sshd[4710]: Disconnecting: Too many authentication failures for root [preauth]
Aug 12 05:08:58 localhost sshd[4710]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.213  user=root
Aug 12 05:08:58 localhost sshd[4710]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 12 05:08:58 localhost sshd[4745]: reverse mapping checking getaddrinfo for 213.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Thanks for your time,

Tark
 
08-12-2014, 11:53 AM   #2
szboardstretcher (Senior Member; Registered: Aug 2006; Location: Detroit, MI; Distribution: GNU/Linux systemd; Posts: 3,774)
You need to ban that IP at the router immediately. If you don't need China to access your DC, then a quick read here will help:

http://www.wizcrafts.net/chinese-blocklist.html

No, you cannot view the password they are using.

Last edited by szboardstretcher; 08-12-2014 at 11:56 AM.
 
08-12-2014, 05:50 PM   #3
tarken (Original Poster)
I have the IPs blocked. Is it not even possible to see the hashes that they are trying to use?
 
08-12-2014, 06:25 PM   #4
unSpawn (Moderator; Registered: May 2001; Posts: 29,331)
Quote (Originally Posted by szboardstretcher):
You need to ban that IP at the router immediately. If you don't need China to access your DC, then a quick read here will help
I think it would be easier to point the OP to using fail2ban or equivalent as you wouldn't have to think twice about what to block and what not?..


Quote (Originally Posted by szboardstretcher):
No, you cannot view the password they are using.
Not by default, no, but you can (as long as they're not using pubkey auth) using a honeypot, a modified SSH daemon or a custom PAM module.
*Note: care should be taken when attempting this; IMHO exposing an inert honeypot in a DMZ would be the relatively best option isolation-wise.
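As an added illustration of the "custom PAM module" route mentioned above (this is not code from the thread, nor from Linux-PAM or OpenSSH), the script below is written to be run by the stock pam_exec module with its expose_authtok option, which hands the password the client just tried to the command on stdin and exports the PAM items (PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TYPE) in the environment. Assumptions: a dedicated, isolated honeypot host whose sshd has UsePAM yes and PasswordAuthentication yes; the two PAM stack lines shown in the docstring; and the illustrative paths /usr/local/sbin/authtok_log.py and /var/log/honeypot/authtok.jsonl. The pam_deny line after pam_exec is what keeps the box from ever accepting a guess, so the capture never turns into a login.

```python
"""Log the password an SSH brute-forcer tries, via pam_exec (honeypot only).

Added example, not from the thread. Assumed PAM stack for the honeypot's
/etc/pam.d/sshd (script and log paths are illustrative):

    auth  optional  pam_exec.so  expose_authtok quiet /usr/local/sbin/authtok_log.py
    auth  required  pam_deny.so

pam_exec runs this script during pam_authenticate with the attempted password
on stdin; pam_deny then fails the login whatever the password was, so the host
never accepts a credential. Do not install this on a host with real accounts.
"""
import json
import os
import sys
from collections import Counter
from datetime import datetime, timezone

LOG_PATH = "/var/log/honeypot/authtok.jsonl"  # assumed location; keep root-owned, mode 0600


def record_attempt(env, authtok, now=None):
    """Build one record from pam_exec's environment and the stdin password.

    `env` is a mapping like os.environ; pam_exec exports PAM_USER, PAM_RHOST,
    PAM_SERVICE and PAM_TYPE. A trailing newline on the token, if present, is
    stripped; nothing else is altered, so the record shows exactly what was sent.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(timespec="seconds"),
        "service": env.get("PAM_SERVICE", ""),
        "type": env.get("PAM_TYPE", ""),
        "user": env.get("PAM_USER", ""),
        "rhost": env.get("PAM_RHOST", ""),
        "authtok": authtok.rstrip("\r\n"),  # plaintext on purpose: this is the data the OP asked for
    }


def append_record(record, path=LOG_PATH):
    """Append one JSON line per attempt; each sshd child adds its own line."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, ensure_ascii=False) + "\n")


def top_guesses(records, n=5):
    """Most common (user, password) pairs seen, for reviewing what the botnet tries."""
    return Counter((r["user"], r["authtok"]) for r in records).most_common(n)


def main():
    # Only act when invoked from the auth stack; pam_exec can be wired into other stacks too.
    if os.environ.get("PAM_TYPE", "auth") != "auth":
        return 0
    append_record(record_attempt(os.environ, sys.stdin.read()))
    return 0  # exit status is irrelevant under 'optional'; pam_deny decides the outcome


if __name__ == "__main__":
    sys.exit(main())
```

Review the resulting file with top_guesses() over the parsed JSON lines; the user/password pairs that recur are the dictionary the scanner is working from. Keep the host behind its own firewall rules with no route to anything that matters, per the DMZ advice above.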
 
08-13-2014, 07:43 AM   #5
szboardstretcher (Senior Member)
Quote (Originally Posted by unSpawn):
I think it would be easier to point the OP to using fail2ban or equivalent as you wouldn't have to think twice about what to block and what not?..
That's valid as well.

Fail2ban is great for many services, and denyhosts is great for SSH. But those are for dynamic attacks: attacks from many endpoints in many countries that aren't able to be 'grouped' together easily.

China, on the other hand, is easy to group together (IP-wise) and statically block at the router level if you have no reason to accept Chinese traffic (example: you run a muffin store in Ohio).

I think it's better to stop malicious traffic at the edge, IF you can, than allow it into the network.

A mixture of both processes would be best, if you are going to expose SSH to the world. Get rid of traffic at the router that you know 100% you don't need, and use fail2ban or denyhosts to further secure your world-facing services.

Last edited by szboardstretcher; 08-13-2014 at 07:47 AM.
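The two layers this post describes, a static block at the edge and a dynamic fail2ban-style counter behind it, applied to the sshd lines quoted in the first post, as an added example (my code, not the thread's and not fail2ban's own filter). Assumptions: the single CIDR in the static list stands in for a maintained blocklist and is not itself vetted; maxretry 5 within a 10-minute window is taken to match fail2ban's jail.conf defaults; the "PAM N more authentication failures" summary that sshd logs on disconnect is counted as N failures, a choice made here rather than a property of any particular fail2ban filter; and, since syslog timestamps carry no year, 2014 is supplied from the post date. The second log snippet is constructed to show the window ageing out old failures.

```python
"""Two-layer triage of sshd authentication failures (added example, not thread code).

Layer 1 mirrors the 'drop it at the edge' advice: a static CIDR blocklist.
Layer 2 mirrors fail2ban: ban a source after maxretry failures within findtime.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines as quoted in the first post of the thread (syslog format, no year).
SAMPLE_LOG = """\
Aug 12 05:08:58 localhost sshd[4721]: Failed password for root from 61.174.51.213 port 8112 ssh2
Aug 12 05:08:58 localhost sshd[4729]: Failed password for invalid user admin from 61.174.51.213 port 10025 ssh2
Aug 12 05:08:58 localhost unix_chkpwd[4751]: password check failed for user (root)
Aug 12 05:08:58 localhost sshd[4697]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 05:08:58 localhost sshd[4710]: Failed password for root from 61.174.51.213 port 5195 ssh2
Aug 12 05:08:58 localhost sshd[4710]: Disconnecting: Too many authentication failures for root [preauth]
Aug 12 05:08:58 localhost sshd[4710]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.213  user=root
Aug 12 05:08:58 localhost sshd[4710]: PAM service(sshd) ignoring max retries; 6 > 3
"""

# Constructed, not from the thread: four failures an hour before a single fresh one.
AGED_LOG = """\
Aug 12 04:00:00 localhost sshd[1]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7  user=root
Aug 12 05:00:00 localhost sshd[2]: Failed password for root from 192.0.2.7 port 40001 ssh2
"""

# Assumed for illustration only: stands in for a maintained edge blocklist.
STATIC_BLOCK = [ipaddress.ip_network("61.174.0.0/16")]

_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_MORE_RE = re.compile(_PREFIX + r"PAM (?P<n>\d+) more authentication failures;.*\brhost=(?P<ip>\S+)")


def _parse_ts(text, year):
    # syslog omits the year; the caller supplies it (2014 here, from the post date)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_failures(log_text, year=2014):
    """Return [(timestamp, user_or_None, source_ip, weight)] for each failure event.

    'Failed password' lines weigh 1; the 'PAM N more authentication failures'
    summary that sshd emits on disconnect weighs N (a choice made here).
    Other lines (unix_chkpwd, pam_succeed_if, reverse-mapping warnings) are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"], year), m["user"], m["ip"], 1))
            continue
        m = PAM_MORE_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"], year), None, m["ip"], int(m["n"])))
    return events


def edge_blocked(ip):
    """Layer 1: would the static edge rule have dropped this source before it reached sshd?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in STATIC_BLOCK)


def ban_decisions(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Layer 2, fail2ban-style: {ip: time_banned} once maxretry failures fall inside findtime."""
    recent = defaultdict(list)  # ip -> [(ts, weight)] still inside the window
    banned = {}
    for ts, _user, ip, weight in sorted(events, key=lambda e: e[0]):
        if ip in banned:
            continue
        recent[ip] = [(t, w) for t, w in recent[ip] if ts - t <= findtime] + [(ts, weight)]
        if sum(w for _, w in recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


def triage(log_text, year=2014):
    """Split observed sources into those the edge would drop and those fail2ban would ban."""
    events = parse_failures(log_text, year)
    sources = {e[2] for e in events}
    dynamic = ban_decisions(events)
    return {
        "edge": sorted(ip for ip in sources if edge_blocked(ip)),
        "fail2ban": sorted(ip for ip in dynamic if not edge_blocked(ip)),
        "failures": sum(e[3] for e in events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # the post's source: dropped at the edge, 8 failures counted
    print(triage(AGED_LOG))    # constructed source: old failures age out, no ban
```

The point of the split in triage() is the one made in the post: anything the edge rule already covers never costs fail2ban a counter, and fail2ban catches the sources no static list would have predicted. On the constructed AGED_LOG the four old failures have left the 10-minute window by the time the fifth arrives, so no ban fires; widen findtime and it does.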
 
  

