LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-06-2012, 02:10 AM   #1
azenz
LQ Newbie
Registered: Oct 2011
Posts: 4
auth.log many failed attempts in one second despite MaxAuthTries


Recently we got a spate of attacks on our server. Now the strange thing is that auth.log logs many failed attempts for the exact same time (same second) even though there should be a 3 second delay between each attempt (we run Debian Squeeze Server). Moreover, I had set MaxAuthTries in the sshd_config to 2!

Code:
Dec  5 10:51:09 stein2 sshd[14648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14647]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:09 stein2 sshd[14660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14648]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14655]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14647]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14658]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14653]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14652]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14651]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14659]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14656]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 10:51:14 stein2 sshd[14660]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8800]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8806]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:26 stein2 sshd[8814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8800]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8809]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8801]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8807]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8802]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8806]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8808]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8818]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8815]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root
Dec  5 13:54:31 stein2 sshd[8814]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=g161166.upc-g.chello.nl  user=root

Now, are these actually 5 connection attempts in total, or one attempt for each log line (which seems technically impossible)? Thanks for your help!

Last edited by unSpawn; 12-06-2012 at 11:33 AM. Reason: //Please don't use font types and sizes
Old 12-06-2012, 02:20 PM   #2
smallpond
Senior Member
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 1,463
Looks like you have MaxStartups at the default of 10, which means sshd allows 10 connections at a time in parallel. I rate-limit repeated attempts from one IP address using iptables. My rules are:

Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i p33p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
-A INPUT -i p33p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name SSH --rsource -j DROP  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
However, they still keep coming in at the lower rate. I'm currently getting attacks from 219.234.131.41: BEIJING SHEN-GE-JIN-WANG CO.LTD at about 1 every 30 seconds.

Hopefully you don't allow remote login as root, so no password will work.
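Added example (not code from the thread or from either poster): a Python script that parses auth.log lines in the format azenz quoted, counts distinct sshd PIDs per source so you can tell how many connections a burst of lines represents, and models the `recent` rule pair from smallpond's iptables rules to show which of a burst of new connections would be dropped. The hostname, PIDs and source names in the sample log are constructed placeholders, the log year is assumed, `--rttl` is not modelled, and the per-address history limit is taken to be the xt_recent default of 20 entries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted in the thread. The hostname,
# PIDs and source names are placeholders, not taken from any real system.
SAMPLE_AUTH_LOG = """\
Dec  5 10:51:09 host1 sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:09 host1 sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:09 host1 sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:14 host1 sshd[1001]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:14 host1 sshd[1002]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:14 host1 sshd[1003]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-a.example  user=root
Dec  5 10:51:40 host1 sshd[1010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-b.example  user=admin
Dec  5 10:51:45 host1 sshd[1010]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=src-b.example  user=admin
Dec  5 10:52:00 host1 sshd[1011]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FIRST_FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;")
MORE_FAIL_RE = re.compile(r"PAM (?P<n>\d+) more authentication failures?;")
RHOST_RE = re.compile(r"rhost=(?P<rhost>\S+)")
LOG_YEAR = 2012  # syslog timestamps carry no year; assumed for the constructed sample


def parse_failure(line):
    """Return (timestamp, pid, rhost, failures) for a PAM failure line, else None.

    pam_unix logs the first failed password of a connection; further failures on
    the same connection are summarised when it closes as 'PAM N more ...'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if FIRST_FAIL_RE.search(msg):
        failures = 1
    else:
        more = MORE_FAIL_RE.search(msg)
        if not more:
            return None  # not an authentication failure (e.g. an 'Accepted' line)
        failures = int(more.group("n"))
    rh = RHOST_RE.search(msg)
    rhost = rh.group("rhost") if rh else "?"
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    return ts, int(m.group("pid")), rhost, failures


def summarize(log_text):
    """Per source: distinct sshd connections (one PID each), total failed
    passwords, and the most distinct connections logged within one second."""
    conns, fails = defaultdict(set), defaultdict(int)
    per_second = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        ts, pid, rhost, failures = rec
        conns[rhost].add(pid)
        fails[rhost] += failures
        per_second[rhost][ts].add(pid)
    return {
        rhost: {
            "connections": len(conns[rhost]),
            "failures": fails[rhost],
            "peak_parallel": max(len(s) for s in per_second[rhost].values()),
        }
        for rhost in conns
    }


def connection_starts(log_text, rhost):
    """First failure timestamp of every connection from rhost (a proxy for the
    time the connection was opened, since the SYN itself is not in auth.log)."""
    firsts = {}
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec and rec[2] == rhost and (rec[1] not in firsts or rec[0] < firsts[rec[1]]):
            firsts[rec[1]] = rec[0]
    return sorted(firsts.values())


def simulate_recent_rule(conn_times, seconds=60, hitcount=6, list_tot=20):
    """Model the two xt_recent rules in smallpond's rule set for one source:
    every NEW SYN is recorded (--set), then dropped when the source already has
    >= hitcount entries newer than `seconds` (--update --seconds --hitcount).
    Dropped SYNs are recorded as well, so a client that keeps retrying stays
    blocked. --rttl is not modelled; list_tot is the module's default history."""
    stamps, verdicts = [], []
    for now in sorted(conn_times):
        stamps = (stamps + [now])[-list_tot:]
        hits = sum(1 for s in stamps if (now - s).total_seconds() < seconds)
        verdicts.append("DROP" if hits >= hitcount else "ACCEPT")
    return verdicts


def burst_verdicts():
    """Constructed burst: ten SYNs in one second, a retry 30 s later, another 2 min later."""
    t0 = datetime(LOG_YEAR, 12, 5, 10, 51, 9)
    burst = [t0] * 10 + [t0 + timedelta(seconds=30), t0 + timedelta(seconds=120)]
    return simulate_recent_rule(burst)


if __name__ == "__main__":
    for rhost, stats in summarize(SAMPLE_AUTH_LOG).items():
        print(rhost, stats)
    print("rule verdicts for a 10-connection burst:", burst_verdicts())
```

Reading the output against the thread: "connections" is the number of distinct sshd PIDs, and with MaxAuthTries 2 each connection produces one pam_unix line plus one "PAM 1 more" line, so the twenty lines per burst in azenz's log correspond to ten parallel connections, which is the MaxStartups default smallpond points at. The burst function shows the effect of `--hitcount 6 --seconds 60`: the sixth and later SYNs within the window are dropped, and because the `--set` rule records dropped SYNs too, a retry 30 s later is dropped as well, while a connection two minutes after the burst is accepted again.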
Old 12-12-2012, 05:48 PM   #3
sundialsvcs
Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,330
Better yet is to use digital-certificate authentication and disable passwords as a possibility altogether. (Password-protect, that is to say, encrypt, the certificate itself.)

Think about it: when you walk into an office building, there isn't someone standing there requiring you to say the magic word ("sesame"). There's a badge reader. You can't invent badges: either you have one or you don't, and if you do, either your unique badge is enabled or it isn't. End of story. Apply exactly the same methodology to your SSH (or any other type of ...) security. The certificate that you issue to any employee is absolutely unique and un-forgeable. Either they can present it, or they can't. Either you accept the unique credential and grant access, or you don't. ("Passwords? Schmasswords! Hey, we don't use hieroglyphics anymore, either!")

Last edited by sundialsvcs; 12-12-2012 at 05:50 PM.
Old 12-16-2012, 05:12 AM   #4
azenz
LQ Newbie
Registered: Oct 2011
Posts: 4
Original Poster
Thanks guys, I have adjusted MaxStartups and that should restrict these guys quite a bit! I am aware of public key authentication and that is also an option.