Old 09-02-2008, 07:40 AM   #1
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES11 / FC20/ OES / CentOS
Posts: 607

Rep: Reputation: 32

We suffer from an sshd brute force attack.

It's no real security problem, as we have several security tools that make it impossible to get into the server via an ssh brute-force attack.

Here is the log-file:

sshd[1367]:admin01 from
sshd[1367]:admin01 from
sshd[1790]:admin01 from
sshd[1803]:admin01 from
sshd[1814]:admin0 from
sshd[1848]:admin0 from
sshd[1853]:admin0 from
sshd[1857]:admin0 from
sshd[1790]:admin01 from
sshd[1803]:admin01 from
sshd[1814]:admin0 from
sshd[1848]:admin0 from
sshd[1853]:admin0 from
sshd[1857]:admin0 from
My question:

The attack seems to be coordinated between several different IPs. How can that be?
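The pattern in the log above (the same two account names tried from several sources, each source making only a few attempts) is what a distributed brute force looks like from the defender's side. The following Python script is an added example, not from the thread; because the posted lines are truncated it parses constructed OpenSSH log lines in documentation IP ranges, and it shows why a per-IP counter misses such a campaign while counting distinct sources per user name catches it.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's syslog format (documentation
# IP ranges), mirroring the post: the same account names tried from several hosts.
SAMPLE_LOG = """\
Sep  2 07:40:01 srv sshd[1367]: Failed password for invalid user admin01 from 192.0.2.10 port 50211 ssh2
Sep  2 07:40:03 srv sshd[1790]: Failed password for invalid user admin01 from 198.51.100.7 port 41822 ssh2
Sep  2 07:40:04 srv sshd[1803]: Failed password for invalid user admin01 from 203.0.113.42 port 38977 ssh2
Sep  2 07:40:06 srv sshd[1814]: Failed password for invalid user admin0 from 192.0.2.10 port 50230 ssh2
Sep  2 07:40:07 srv sshd[1848]: Failed password for invalid user admin0 from 198.51.100.7 port 41850 ssh2
Sep  2 07:40:08 srv sshd[1853]: Failed password for invalid user admin0 from 203.0.113.42 port 39001 ssh2
Sep  2 07:40:09 srv sshd[1857]: Failed password for invalid user admin0 from 203.0.113.99 port 39020 ssh2
Sep  2 07:41:00 srv sshd[1900]: Accepted publickey for alice from 192.0.2.200 port 51000 ssh2
"""

# One failed password attempt; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text):
    """Return (user, ip) for every failed password attempt in the log text."""
    return [m.groups() for m in map(FAILED_RE.search, log_text.splitlines()) if m]

def summarize(pairs):
    """Attempts per source IP, and the sorted list of source IPs seen per user name."""
    per_ip = defaultdict(int)
    ips_per_user = defaultdict(set)
    for user, ip in pairs:
        per_ip[ip] += 1
        ips_per_user[user].add(ip)
    return dict(per_ip), {u: sorted(s) for u, s in ips_per_user.items()}

def distributed_usernames(pairs, min_sources=3):
    """User names tried from at least min_sources distinct IPs: one campaign
    spread over many hosts, which a per-IP counter cannot see."""
    _, ips_per_user = summarize(pairs)
    return sorted(u for u, ips in ips_per_user.items() if len(ips) >= min_sources)

def hosts_below_threshold(pairs, per_ip_limit=5):
    """Sources whose own count stays under a typical per-host block threshold,
    so none of them would ever be banned on its own."""
    per_ip, _ = summarize(pairs)
    return sorted(ip for ip, n in per_ip.items() if n < per_ip_limit)

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("user names tried from many hosts:", distributed_usernames(failures))
    print("sources staying under the per-IP limit:", hosts_below_threshold(failures))
```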
Old 09-02-2008, 08:16 AM   #2
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
A botnet perhaps?
Old 09-02-2008, 08:19 AM   #3
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES11 / FC20/ OES / CentOS
Posts: 607

Original Poster
Rep: Reputation: 32
Yes, seems so, but does anybody have the same problems or know the virus (just for fun!)?
Old 09-02-2008, 09:14 AM   #4
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 50

Rep: Reputation: 16

The sshd brute force attacks are nothing new and yes, everyone gets them.
Your particular instance could have been caused by spoofing or, as win32sux already stated, a distributed attack (botnet).

The attack would not fall into the category of 'virus'.
Old 09-03-2008, 07:07 AM   #5
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Did you read the sticky post here? ====>
Old 09-03-2008, 08:59 AM   #6
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,725

Rep: Reputation: 1294
The most important things to remember are:
  1. Keep your sshd ("ssh daemon") program scrupulously up-to-date, along with all of the libraries (crypto and so-forth) that it uses.
  2. Understand the SSH configuration (see: man sshd_config).
SSH has the very annoying characteristic that it will start by offering the toughest challenge, but it will then offer (and accept) successively weaker alternatives! You need to configure your system to accept only "digital certificates," and to refuse simpler alternatives like passwords. You should accept only "protocol #2."

A digital certificate is like a non-forgeable (and, individually revocable...) identification badge. The badge can be password-protected to prevent it from being presented by the wrong person, but the bottom line is that in order to connect to your system a valid badge must be presented. (You can issue and revoke the badges without costing any money.) A hacker can knock at your door until he's blue in the face, but he'll never get inside.

Put as many obstacles in the way as you can. For example, close all the inbound pathways except a VPN-portal maintained by your hardware router... once again, secured using digital certificates (not "pre-shared keys"). It's better to keep the hackers outside of the chain-link fence topped with concertina-wire, rather than to let them be milling-about in the front lobby.

Having set-up this system, now actively maintain it. Issue certificates (of the various types) with a drop-dead date and change them periodically. Issue individual certificates, so that each one can be individually revoked.

Last edited by sundialsvcs; 09-03-2008 at 09:01 AM.
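An added example (not from the thread) that checks an sshd_config against the settings this post calls for: protocol 2, key-based login and no password logins. Both configurations below are constructed; the checker reads only the global section, treats a keyword that is not set as a finding because the compiled-in default then decides, and also requires ChallengeResponseAuthentication to be off, since with PAM a password prompt can otherwise still be offered through keyboard-interactive.

```python
import re

# The settings the post argues for (protocol 2, key-based login, no passwords).
# ChallengeResponseAuthentication is included because with PAM a password prompt
# can still be offered through keyboard-interactive unless it is off as well.
REQUIRED = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

# Constructed example: still offers passwords and falls back to protocol 1.
WEAK_CONFIG = """\
Protocol 2,1
PasswordAuthentication yes
# PubkeyAuthentication not set, so the compiled-in default applies
"""

# Constructed example: every relevant keyword stated explicitly.
HARDENED_CONFIG = """\
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> value for the global section.  Keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, the first
    occurrence wins, and parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """List (keyword, found, expected) for each deviation from REQUIRED.
    An absent keyword is reported as 'unset': the default then decides, and
    the point of the post is to state these choices explicitly."""
    settings = parse_sshd_config(text)
    return [(k, settings.get(k, "unset"), want)
            for k, want in REQUIRED.items() if settings.get(k) != want]
```

Running `audit(WEAK_CONFIG)` reports four findings and `audit(HARDENED_CONFIG)` none.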
Old 09-05-2008, 01:01 AM   #7
Registered: Oct 2006
Location: Kenya
Distribution: Ubuntu, RHEL, OpenBSD
Posts: 287

Rep: Reputation: 32
You could also try and put the annoying IP net blocks under hosts.allow. Well, this is not a panacea, but it kind of moderates the brute attacks. It's in the thread mentioned. I also receive these attempts, but basic SSH security procedures, again in the above-mentioned thread, should keep things in check.

