LinuxQuestions.org
Old 08-14-2021, 08:22 AM   #1
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

invalid user ssh into my ubuntu server constantly ?


I am trying to play around with a remote server..
I noticed this live in auth.log.
Is it normal to have invalid users constantly trying to connect to my ssh server?

Code:
tail -f /var/log/auth.log | grep invalid
Aug 14 13:16:34 Roc sshd[271939]: Disconnected from invalid user rob 122.51.81.247 port 60494 [preauth]
Aug 14 13:18:09 Roc sshd[271956]: Failed password for invalid user test from 178.62.80.236 port 54540 ssh2
Aug 14 13:18:09 Roc sshd[271956]: Disconnected from invalid user test 178.62.80.236 port 54540 [preauth]
Aug 14 13:18:33 Roc sshd[271960]: Failed password for invalid user joseph from 157.245.80.200 port 35504 ssh2
Aug 14 13:18:35 Roc sshd[271960]: Disconnected from invalid user joseph 157.245.80.200 port 35504 [preauth]
Aug 14 13:18:38 Roc sshd[271962]: Failed password for invalid user server from 103.152.79.161 port 53450 ssh2
Aug 14 13:18:40 Roc sshd[271962]: Disconnected from invalid user server 103.152.79.161 port 53450 [preauth]
Aug 14 13:18:50 Roc sshd[271965]: Failed password for invalid user larry from 37.59.46.217 port 33410 ssh2
Aug 14 13:18:50 Roc sshd[271965]: Disconnected from invalid user larry 37.59.46.217 port 33410 [preauth]
Aug 14 13:19:15 Roc sshd[272003]: Failed password for invalid user tony from 167.99.248.234 port 47266 ssh2
Aug 14 13:19:16 Roc sshd[272003]: Disconnected from invalid user tony 167.99.248.234 port 47266 [preauth]
Aug 14 13:19:38 Roc sshd[272008]: Failed password for invalid user wwwadmin from 122.51.81.247 port 33316 ssh2
Aug 14 13:19:40 Roc sshd[272008]: Disconnected from invalid user wwwadmin 122.51.81.247 port 33316 [preauth]
Aug 14 13:20:24 Roc sshd[272012]: Failed password for invalid user admin from 103.152.79.161 port 48580 ssh2
Aug 14 13:20:25 Roc sshd[272012]: Disconnected from invalid user admin 103.152.79.161 port 48580 [preauth]
 
Old 08-14-2021, 08:25 AM   #2
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Do I need to enable UFW?
How do I enable ufw (on the remote server) if I am currently ssh'd into the remote server?
I was trying to do "sudo ufw enable", but then it prompted me that it might disrupt the current ssh session, hence I aborted.
I was scared that when I turn on ufw, I will be locked out of ssh totally.
 
Old 08-14-2021, 08:26 AM   #3
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Man, the invalid attempts to log in to the ssh server are not stopping.. it keeps logging new failed attempts.
 
Old 08-14-2021, 08:39 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,318
Blog Entries: 3

Yes, it is unfortunately normal with any publicly facing SSH service regardless of which port you run it on. They will find any new SSH server within minutes of going online.

What you can do to reduce some or even most of the noise is to move to SSH certificates or SSH keys and then turn off password authentication. Keys are the most common outside of large-scale sites. However, depending on your use-case(s) SSH certificates might also be a good match. But either way, the important thing is to be able to turn off password authentication. Many of the scanners and bots are smart enough to see that and give up right away.

Changing the SSH service's ports won't do much even though many parrot advice about changing it. If you want really quiet logs you can put the service behind a VPN but then you are tunnelling TCP over UDP or TCP and that is not efficient.

Last edited by Turbocapitalist; 08-14-2021 at 11:06 AM. Reason: typo
 
1 members found this post helpful.
Old 08-14-2021, 08:52 AM   #5
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Yes, it is unfortunately normal with any publicly facing SSH service regardless of which port you run it on. They will find any new SSH server within minutes of going online.

What you can do to reduce some or even most of the noise is to move to SSH certificates or SSH keys and then turn off password authentication. Keys are the most common outside of large-scale sites. However, depending on your use-case(s) SSH certificates might also be a good match. But either way, the important thing is to be able to turn off password authentication. Many of the scanners and bots are smart enough to see that and give up right away.

Changing the SSH service's ports won't do much even though many parrot advice about changing it. If you want really quiet logs you can put the service behind a VPN but then you are tunnelling TCP over UDP or TCP and that is not efficient.
Hi,
Thank you for the input, appreciate it.
I am new to all this security and networking and ssh. So if I start annoying you, please tell me up front (so I know when to stop asking).

I have disabled password authentication on my root account already.
I am using an ssh key for my ssh connection as a sudo-privileged user.

That means I totally have to disable the password authentication feature on the ssh server..

Btw, these I think should be "brute force" attacks on password login attempts, right? Is there a way to see what password they have entered to try to crack into the ssh server? It would be cool to see..

Last edited by andrewysk; 08-14-2021 at 08:56 AM.
 
Old 08-14-2021, 09:05 AM   #6
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
How about this? Is this also another attack?
This has to do with "snap.rocketchat-server", which I am learning to install, but not successfully yet.
Why is there so much "denied"? Related to the rocketchat server? It is not even finished being configured yet.


What are these "requested_mask="r" denied_mask="r"" things? mask=r?


Code:
# journalctl -f | grep denie

Aug 14 14:00:55 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/netstat" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:55 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/snmp" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:56 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/netstat" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:56 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/snmp" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Aug 14 14:00:57 Roc kernel: audit: type=1400 audit(1628949656.999:388251): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/netstat" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:57 Roc kernel: audit: type=1400 audit(1628949656.999:388252): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/snmp" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Aug 14 14:00:57 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/netstat" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:57 Roc audit[212202]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/snmp" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Aug 14 14:00:58 Roc kernel: audit: type=1400 audit(1628949657.999:388253): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/netstat" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 14 14:00:58 Roc kernel: audit: type=1400 audit(1628949657.999:388254): apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/212202/net/snmp" pid=212202 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Last edited by andrewysk; 08-14-2021 at 09:08 AM.
 
Old 08-14-2021, 09:27 AM   #7
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
If you want really quiet logs you can put the service behing a VPN but then you are tunnelling TCP over UDP or TCP and that is not efficient.
I don't get you on this part. You said tunneling over TCP/UDP is not efficient.. I am using ssh to connect to my remote server, isn't this tunneling already? Why not efficient?
 
Old 08-14-2021, 09:30 AM   #8
andrewysk
Member
 
Registered: Mar 2020
Posts: 797

Original Poster
Code:
Aug 14 14:28:32 Roc sshd[272946]: Failed password for invalid user debian from 180.167.0.102 port 54632 ssh2
Aug 14 14:28:35 Roc sshd[272946]: Disconnected from invalid user debian 180.167.0.102 port 54632 [preauth]
Aug 14 14:28:38 Roc sshd[272948]: Failed password for invalid user nginx from 20.56.145.225 port 36044 ssh2
Aug 14 14:28:38 Roc sshd[272948]: Disconnected from invalid user nginx 20.56.145.225 port 36044 [preauth]
Aug 14 14:28:48 Roc sshd[272950]: Failed password for invalid user adam from 143.244.146.44 port 54832 ssh2
Aug 14 14:28:49 Roc sshd[272950]: Disconnected from invalid user adam 143.244.146.44 port 54832 [preauth]
I noticed the IP addresses of the "attackers" are not the same.. are they the same attacker? Or tons of different attackers?
Or.. I don't get it, why so many different IP addresses? Attempting at the same time? A coordinated attack attempt?
 
Old 08-14-2021, 10:23 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,318
Blog Entries: 3

The SSH protocol runs directly over TCP but you could run it through a VPN and that would then be SSH over TCP over TCP or else SSH over TCP over UDP. Your SSH service is not being singled out. It merely has an online presence and as such is getting tested automatically for no other reason beyond that it exists. If you listen on any random external port, you will see all kinds of probing going on.

Yes, they are probably the same attacker or at most a small number of attackers. The trend for quite a few years has been to spread out the sources of the attacks using a wide range of addresses so as not to trigger SSHGuard or Fail2Ban or, for that matter, UFW or NetFilter or PF, all of which used to work until the attacks became slower and more distributed. These attacks come from large pools of compromised Windows machines and the data gathered from each pool is centralized, and maybe traded or otherwise shared, but there are many such botnets. Peter N M Hansteen dubbed these kinds of attacks Hail Mary, because they represent a long shot and scan millions of machines in hopes that one of them left a default password or re-used a known compromised password, thus letting them in. This kind of attack has a very low yield but makes up for that in volume. Their goal appears to be to use relatively useless Windows machines to grab control over more useful machines.

These attacks are part of the Total Cost of Ownership for M$ products and come into play any time they are connected in any way to the net. M$ considers these costs an externality because the rest of us pay the price for those idiots who have connected Windows machines to the net. Control of compromised Windows machines used to be a small cottage industry but now it is a prosperous market gaining money from throwing sand in our gears. Don't like it? Work towards removing Windows from the net in general then.
 
2 members found this post helpful.
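Turbocapitalist's point about slow, distributed guessing is easy to see in the logs themselves. The Python below is an added example, not code from the thread or from fail2ban/SSHGuard: it parses the `Failed password` lines sshd writes to auth.log, applies a per-source threshold of the kind fail2ban uses, and then counts invalid-user failures across all sources in a sliding window, which is the signal a per-source rule misses. The sample log is constructed from the lines quoted in this thread plus one made-up failure for an existing account (`andrew` from 203.0.113.7, a documentation address); syslog timestamps carry no year, so 2021 is assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches sshd's "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: lines quoted in the thread, plus one made-up failure
# for an existing account (andrew from 203.0.113.7, a documentation address).
SAMPLE_LOG = """\
Aug 14 13:18:09 Roc sshd[271956]: Failed password for invalid user test from 178.62.80.236 port 54540 ssh2
Aug 14 13:18:09 Roc sshd[271956]: Disconnected from invalid user test 178.62.80.236 port 54540 [preauth]
Aug 14 13:18:33 Roc sshd[271960]: Failed password for invalid user joseph from 157.245.80.200 port 35504 ssh2
Aug 14 13:18:38 Roc sshd[271962]: Failed password for invalid user server from 103.152.79.161 port 53450 ssh2
Aug 14 13:18:50 Roc sshd[271965]: Failed password for invalid user larry from 37.59.46.217 port 33410 ssh2
Aug 14 13:19:15 Roc sshd[272003]: Failed password for invalid user tony from 167.99.248.234 port 47266 ssh2
Aug 14 13:19:38 Roc sshd[272008]: Failed password for invalid user wwwadmin from 122.51.81.247 port 33316 ssh2
Aug 14 13:20:24 Roc sshd[272012]: Failed password for invalid user admin from 103.152.79.161 port 48580 ssh2
Aug 14 13:21:02 Roc sshd[272020]: Failed password for andrew from 203.0.113.7 port 41000 ssh2
Aug 14 14:28:32 Roc sshd[272946]: Failed password for invalid user debian from 180.167.0.102 port 54632 ssh2
Aug 14 14:28:38 Roc sshd[272948]: Failed password for invalid user nginx from 20.56.145.225 port 36044 ssh2
Aug 14 14:28:48 Roc sshd[272950]: Failed password for invalid user adam from 143.244.146.44 port 54832 ssh2
"""


def parse_failures(log_text, year=2021):
    """Return sorted (timestamp, username, source_ip, is_invalid_user) tuples
    for each failed-password line. Disconnect and other lines are skipped.
    The year is an assumption: syslog lines do not record it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["invalid"] is not None))
    return sorted(events)


def per_source_bans(events, maxretry=5, findtime=600):
    """fail2ban-style rule: a source is banned once it produces `maxretry`
    failures inside any `findtime`-second window. One or two tries per
    address, as in the sample, never reach the threshold."""
    by_ip = defaultdict(list)
    for ts, _user, ip, _invalid in events:
        by_ip[ip].append(ts)          # events are already time-ordered
    banned = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def campaign_window(events, window=300):
    """Global view: the largest number of invalid-user failures in any
    `window`-second span, and the distinct sources behind it."""
    hits = [(ts, ip) for ts, _user, ip, invalid in events if invalid]
    best, best_ips, start = 0, set(), 0
    for end, (t, _ip) in enumerate(hits):
        while (t - hits[start][0]).total_seconds() > window:
            start += 1
        if end - start + 1 > best:
            best = end - start + 1
            best_ips = {ip for _t, ip in hits[start:end + 1]}
    return best, best_ips


def guessed_usernames(events):
    """Which non-existent accounts were tried: the generic names (admin,
    test, nginx, debian...) show this is a list-driven sweep, not a
    targeted attack."""
    return Counter(user for _ts, user, _ip, invalid in events if invalid)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-source bans (maxretry=5):", per_source_bans(evts) or "none")
    count, ips = campaign_window(evts)
    print(f"busiest 5 min: {count} invalid-user failures from {len(ips)} sources")
    print("usernames tried:", sorted(guessed_usernames(evts)))
```

With the per-source threshold nothing is banned, while the global window shows seven invalid-user failures from six addresses inside two and a half minutes; alerting on that global rate, or feeding such sources to a shared blocklist, is what catches a campaign that has been deliberately spread thin.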
Old 08-14-2021, 11:41 AM   #10
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,651

Attackers are using IP spoofing and DDOS techniques because people like me routinely load "fail2ban" and a firewall. This results in IP addresses that attempt more than a small number of dictionary-attack logon attempts being locked out at the firewall. They get around that by having their IP address appear to change with each attempt to avoid the fail2ban detection.

If you enjoy studying security issues and solutions, there are some interesting readings and utilities that might be suggested. I simply put a honeypot out on the internet to accept the attacks, which can never succeed. My working machines are on the internal networks, and no authentication protocols are allowed there from the outside.

Ask yourself: do you really NEED ssh listening for connections from the wild? If so, consider a non-standard protected port to reduce the "noise". If not, lock that puppy down to only listening to the local/internal subnet.
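Two of the recommendations in this thread, Turbocapitalist's "turn off password authentication" and wpeckham's "listen only on the internal subnet", are sshd_config settings, and sshd_config has a pitfall worth knowing before trusting a hardening edit: OpenSSH uses the first value it sees for a keyword (later repeats are silently ignored), and settings under a `Match` block apply only to matching connections. The Python below is an added example, not code from the thread or from OpenSSH; both config texts are constructed for illustration, and the address 10.0.0.5 and user `andrew` in the hardened one are made up.

```python
import re

# Constructed for illustration: a permissive config next to a hardened one.
WEAK_CONFIG = """\
# Passwords accepted on every interface; a guessable password is enough.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
# Keys only, no keyboard-interactive fallback, LAN-side listener only.
ListenAddress 10.0.0.5
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers andrew@10.0.0.*
UsePAM yes
# Values under Match apply only to matching connections, not globally.
Match User sftponly
    PasswordAuthentication yes
"""

# Old keyword name -> current name (OpenSSH treats them as the same setting).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Upstream defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def effective_settings(config_text):
    """Global settings as sshd resolves them: keywords are case-insensitive,
    the FIRST value for a keyword wins, ListenAddress accumulates, and
    parsing stops at the first Match block. Include directives are not
    followed (a simplification of this example)."""
    settings = {"listenaddress": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "listenaddress":
            settings["listenaddress"].append(value)
        else:
            settings.setdefault(key, value)            # first occurrence wins
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings


def audit(config_text):
    """Return {keyword: explanation} for settings that still allow password
    guessing or expose the listener more widely than needed."""
    s = effective_settings(config_text)
    findings = {}
    if s["passwordauthentication"] == "yes":
        findings["passwordauthentication"] = "password logins accepted; a guessing sweep can succeed"
    if s["kbdinteractiveauthentication"] == "yes":
        findings["kbdinteractiveauthentication"] = (
            "keyboard-interactive enabled; with UsePAM yes, PAM can still "
            "prompt for a password even when PasswordAuthentication is no")
    if s["pubkeyauthentication"] != "yes":
        findings["pubkeyauthentication"] = "public-key authentication disabled"
    if s["permitrootlogin"] == "yes":
        findings["permitrootlogin"] = "root may log in with a password"
    wildcard = ("0.0.0.0", "::")
    if not s["listenaddress"] or any(
            a in wildcard or a.startswith(("0.0.0.0:", "[::]")) for a in s["listenaddress"]):
        findings["listenaddress"] = "sshd listens on every address, not just the internal subnet"
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for key, why in audit(cfg).items():
            print(f"  {key}: {why}")
```

On the server itself, `sudo sshd -T` prints the configuration after OpenSSH has applied the same first-match rules, so check its output for these keywords rather than eyeballing the file, and keep your existing session open while restarting sshd (and, for the UFW question above, allow your own SSH source before running `ufw enable`) so that a mistake does not lock you out.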
 
Old 08-15-2021, 03:36 AM   #11
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Quote:
Originally Posted by andrewysk View Post
How about this ? Is this also another attack ?
This is to do with "snap.rocketchat-server" that i am learning to install, but not successful yet.
Why there is so much "denied" ? related to rocketchat server? it is not even finish configurating yet.
The quirks of containerised software installation, with internet access - rather a different topic.
Let's concentrate on SSH for now.
I believe Turbocapitalist gave you some good pointers.
More links: https://wiki.archlinux.org/title/OpenSSH and https://wiki.archlinux.org/title/SSH_keys
 
Old 08-15-2021, 08:28 PM   #12
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,331
Blog Entries: 28

I doubt these are directed at you individually. More likely, this falls into the category of an automated random port scan.
 
Old 08-15-2021, 08:42 PM   #13
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,651

Quote:
Originally Posted by frankbell View Post
I doubt these are directed at you individually. More likely, this falls into the category of an automated random port scan.
But it DOES look like an attempt to find something that they can break into.
I would use one or more of the techniques discussed to discourage them.
 
Old 08-15-2021, 09:48 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,331
Blog Entries: 28

Quote:
But it DOES look like an attempt to find something that they can break into.
(Grin) That is the best thumbnail definition of a random port scan that I have yet seen!
 
Old 08-16-2021, 01:33 AM   #15
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Thing is, even if you close all these ports or let fail2ban deal with these attempts, something will still show up in the logs every time it happens.
You can't make that disappear completely.
And some users will always be alarmed by it, thinking they're actually getting hacked (and not thinking: my system does the right thing here).

tl;dr: I think frankbell is right to point out the ubiquity of random port scans.
 
  

