LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   auth.log many failed attempts in one second despite MaxAuthTries (http://www.linuxquestions.org/questions/linux-security-4/auth-log-many-failed-attempts-in-one-second-despite-maxauthtries-4175440232/)

azenz 12-06-2012 02:10 AM

auth.log many failed attempts in one second despite MaxAuthTries
 
Recently we got a spate of attacks on our server. Now the strange thing is that auth.log logs many failed attempts for the exact same time (same second) even though there should be a 3 second delay between each attempt (we run Debian Squeeze Server). Moreover, I had set MaxAuthTries in the sshd_config to 2!

Code:

Dec  5 10:51:09 stein2 sshd[14648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14647]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14648]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14655]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14647]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14658]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14653]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14652]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14651]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14659]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14656]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14660]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8800]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8806]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8800]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8809]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8801]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8807]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8802]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8806]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8808]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8818]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8815]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8814]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root


Now, are these actually 5 connection attempts in total, or one attempt for each log line (which seems technically impossible)? Thanks for your help!

smallpond 12-06-2012 02:20 PM

Looks like you have MaxStartups at the default of 10, which means sshd allows 10 connections at a time in parallel. I rate-limit repeated attempts from one IP address using iptables. My rules are:

Code:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i p33p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i p33p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name SSH --rsource -j DROP 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

However, they still keep coming in at the lower rate. I'm currently getting attacks from
219.234.131.41: BEIJING SHEN-GE-JIN-WANG CO.LTD at about 1 every 30 seconds.

Hopefully you don't allow remote login as root, so no password will work.

sundialsvcs 12-12-2012 05:48 PM

Better yet is to use digital-certificate authentication and disable passwords as a possibility altogether. (Password-protect, that is to say, encrypt, the certificate itself.)

Think about it: when you walk into an office building, there isn't someone standing there requiring you to say the magic word ("sesame"). There's a badge reader. You can't invent badges: either you have one or you don't, and if you do, either your unique badge is enabled or it isn't. End of story. Apply exactly the same methodology to your SSH (or any other type of ...) security. The certificate that you issue to any employee is absolutely unique and un-forgeable. Either they can present it, or they can't. Either you accept the unique credential and grant access, or you don't. ("Passwords? Schmasswords! Hey, we don't use hieroglyphics anymore, either!")

azenz 12-16-2012 05:12 AM

Thanks guys, I have adjusted MaxStartups and that should restrict these guys quite a bit! I am aware of public key authentication and that is also an option.


All times are GMT -5. The time now is 09:23 PM.