LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-17-2008, 04:41 PM   #1
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Rep: Reputation: 30
Is this a virus or script kiddie trying to find a weakness in my ssh?


Have you people seen anything similar? I think I am pretty secure:

I keep my system up to date
Don't allow root to access ssh
Only one specified user can access ssh
Passwords disabled (Only certificate)
Added this IP to hosts.deny


Code:
debby:# cat /var/log/auth.log |grep invalid |grep 201.234.230.18
Dec 17 10:46:06 debby sshd[7391]: Failed password for invalid user root from 201.234.230.18 port 58882 ssh2
Dec 17 10:46:10 debby sshd[7393]: Failed password for invalid user admin from 201.234.230.18 port 59751 ssh2
Dec 17 10:46:13 debby sshd[7395]: Failed password for invalid user test from 201.234.230.18 port 60519 ssh2
Dec 17 10:46:18 debby sshd[7397]: Failed password for invalid user guest from 201.234.230.18 port 33096 ssh2
Dec 17 10:46:23 debby sshd[7399]: Failed password for invalid user webmaster from 201.234.230.18 port 33936 ssh2
Dec 17 10:46:27 debby sshd[7402]: Failed password for invalid user mysql from 201.234.230.18 port 35109 ssh2
Dec 17 10:46:31 debby sshd[7404]: Failed password for invalid user oracle from 201.234.230.18 port 36002 ssh2
Dec 17 10:46:37 debby sshd[7406]: Failed password for invalid user library from 201.234.230.18 port 36780 ssh2
Dec 17 10:46:41 debby sshd[7408]: Failed password for invalid user info from 201.234.230.18 port 33907 ssh2
Dec 17 10:46:48 debby sshd[7410]: Failed password for invalid user shell from 201.234.230.18 port 34748 ssh2
Dec 17 10:46:52 debby sshd[7413]: Failed password for invalid user linux from 201.234.230.18 port 36406 ssh2
Dec 17 10:46:56 debby sshd[7416]: Failed password for invalid user unix from 201.234.230.18 port 37243 ssh2
Dec 17 10:47:00 debby sshd[7473]: Failed password for invalid user webadmin from 201.234.230.18 port 38001 ssh2
Dec 17 10:47:04 debby sshd[7478]: Failed password for invalid user ftp from 201.234.230.18 port 38984 ssh2
Dec 17 10:47:08 debby sshd[7480]: Failed password for invalid user test from 201.234.230.18 port 39832 ssh2
Dec 17 10:47:13 debby sshd[7482]: Failed password for invalid user root from 201.234.230.18 port 40601 ssh2
Dec 17 10:47:17 debby sshd[7484]: Failed password for invalid user admin from 201.234.230.18 port 41688 ssh2
Dec 17 10:47:22 debby sshd[7487]: Failed password for invalid user guest from 201.234.230.18 port 42644 ssh2
Dec 17 10:47:26 debby sshd[7489]: Failed password for invalid user master from 201.234.230.18 port 43586 ssh2
Dec 17 10:47:30 debby sshd[7491]: Failed password for invalid user apache from 201.234.230.18 port 44446 ssh2
Dec 17 10:47:34 debby sshd[7493]: Failed password for invalid user root from 201.234.230.18 port 45351 ssh2
Dec 17 10:47:38 debby sshd[7495]: Failed password for invalid user root from 201.234.230.18 port 46249 ssh2
Dec 17 10:47:42 debby sshd[7497]: Failed password for invalid user root from 201.234.230.18 port 47122 ssh2
Dec 17 10:47:46 debby sshd[7499]: Failed password for invalid user root from 201.234.230.18 port 47948 ssh2
Dec 17 10:47:50 debby sshd[7502]: Failed password for invalid user root from 201.234.230.18 port 48854 ssh2
Dec 17 10:47:54 debby sshd[7505]: Failed password for invalid user root from 201.234.230.18 port 49794 ssh2
Dec 17 10:47:58 debby sshd[7507]: Failed password for invalid user root from 201.234.230.18 port 50647 ssh2
Dec 17 10:48:02 debby sshd[7509]: Failed password for invalid user admin from 201.234.230.18 port 51518 ssh2
Dec 17 10:48:07 debby sshd[7511]: Failed password for invalid user admin from 201.234.230.18 port 52439 ssh2
Dec 17 10:48:11 debby sshd[7513]: Failed password for invalid user admin from 201.234.230.18 port 53364 ssh2
Dec 17 10:48:15 debby sshd[7515]: Failed password for invalid user admin from 201.234.230.18 port 54335 ssh2
Dec 17 10:48:19 debby sshd[7517]: Failed password for invalid user root from 201.234.230.18 port 55128 ssh2
Dec 17 10:48:24 debby sshd[7519]: Failed password for invalid user root from 201.234.230.18 port 56039 ssh2
Dec 17 10:48:28 debby sshd[7521]: Failed password for invalid user test from 201.234.230.18 port 57026 ssh2
Dec 17 10:48:32 debby sshd[7524]: Failed password for invalid user test from 201.234.230.18 port 57922 ssh2
Dec 17 10:48:36 debby sshd[7526]: Failed password for invalid user webmaster from 201.234.230.18 port 58823 ssh2
Dec 17 10:48:40 debby sshd[7532]: Failed password for invalid user user from 201.234.230.18 port 59757 ssh2
Dec 17 10:48:44 debby sshd[7540]: Failed password for invalid user username from 201.234.230.18 port 60527 ssh2
Dec 17 10:48:48 debby sshd[7560]: Failed password for invalid user username from 201.234.230.18 port 33237 ssh2
Dec 17 10:48:51 debby sshd[7563]: Failed password for invalid user user from 201.234.230.18 port 34079 ssh2
Dec 17 10:48:55 debby sshd[7566]: Failed password for invalid user root from 201.234.230.18 port 34829 ssh2
Dec 17 10:48:59 debby sshd[7568]: Failed password for invalid user admin from 201.234.230.18 port 35676 ssh2
Dec 17 10:49:03 debby sshd[7570]: Failed password for invalid user test from 201.234.230.18 port 36494 ssh2
Dec 17 10:49:07 debby sshd[7572]: Failed password for invalid user root from 201.234.230.18 port 37370 ssh2
Dec 17 10:49:11 debby sshd[7574]: Failed password for invalid user root from 201.234.230.18 port 38203 ssh2
Dec 17 10:49:15 debby sshd[7594]: Failed password for invalid user root from 201.234.230.18 port 39013 ssh2
Dec 17 10:49:20 debby sshd[7596]: Failed password for invalid user root from 201.234.230.18 port 39911 ssh2
Dec 17 10:49:24 debby sshd[7598]: Failed password for invalid user danny from 201.234.230.18 port 40968 ssh2
Dec 17 10:49:28 debby sshd[7600]: Failed password for invalid user sharon from 201.234.230.18 port 41876 ssh2
Dec 17 10:49:32 debby sshd[7602]: Failed password for invalid user aron from 201.234.230.18 port 42692 ssh2
Dec 17 10:49:36 debby sshd[7604]: Failed password for invalid user alex from 201.234.230.18 port 43582 ssh2
Dec 17 10:49:40 debby sshd[7606]: Failed password for invalid user brett from 201.234.230.18 port 44490 ssh2
Dec 17 10:49:43 debby sshd[7609]: Failed password for invalid user mike from 201.234.230.18 port 45296 ssh2
Dec 17 10:49:47 debby sshd[7611]: Failed password for invalid user alan from 201.234.230.18 port 46093 ssh2
Dec 17 10:49:51 debby sshd[7614]: Failed password for invalid user data from 201.234.230.18 port 46926 ssh2
Dec 17 10:49:55 debby sshd[7617]: Failed password for invalid user www-data from 201.234.230.18 port 47749 ssh2
Dec 17 10:50:03 debby sshd[7620]: Failed password for invalid user http from 201.234.230.18 port 48690 ssh2
Dec 17 10:50:07 debby sshd[7622]: Failed password for invalid user httpd from 201.234.230.18 port 50245 ssh2
Dec 17 10:50:11 debby sshd[7624]: Failed password for invalid user nobody from 201.234.230.18 port 51079 ssh2
Dec 17 10:50:14 debby sshd[7626]: Failed password for invalid user root from 201.234.230.18 port 51940 ssh2
Dec 17 10:50:18 debby sshd[7629]: Failed password for invalid user backup from 201.234.230.18 port 52742 ssh2
Dec 17 10:50:22 debby sshd[7631]: Failed password for invalid user info from 201.234.230.18 port 53694 ssh2
Dec 17 10:50:26 debby sshd[7633]: Failed password for invalid user shop from 201.234.230.18 port 54537 ssh2
Dec 17 10:50:30 debby sshd[7635]: Failed password for invalid user sales from 201.234.230.18 port 55339 ssh2
Dec 17 10:50:34 debby sshd[7637]: Failed password for invalid user web from 201.234.230.18 port 56160 ssh2
Dec 17 10:50:38 debby sshd[7640]: Failed password for invalid user www from 201.234.230.18 port 56931 ssh2
Dec 17 10:50:42 debby sshd[7642]: Failed password for invalid user wwwrun from 201.234.230.18 port 57707 ssh2
Dec 17 10:50:49 debby sshd[7647]: Failed password for invalid user stephen from 201.234.230.18 port 59474 ssh2
Dec 17 10:50:53 debby sshd[7650]: Failed password for invalid user richard from 201.234.230.18 port 60285 ssh2
Dec 17 10:50:57 debby sshd[7652]: Failed password for invalid user george from 201.234.230.18 port 32913 ssh2
Dec 17 10:51:01 debby sshd[7654]: Failed password for invalid user michael from 201.234.230.18 port 33705 ssh2
Dec 17 10:51:05 debby sshd[7656]: Failed password for invalid user john from 201.234.230.18 port 34559 ssh2
Dec 17 10:51:09 debby sshd[7658]: Failed password for invalid user david from 201.234.230.18 port 35408 ssh2
Dec 17 10:51:12 debby sshd[7661]: Failed password for invalid user paul from 201.234.230.18 port 36197 ssh2
Dec 17 10:51:16 debby sshd[7663]: Failed password for invalid user news from 201.234.230.18 port 36989 ssh2
Dec 17 10:51:20 debby sshd[7665]: Failed password for invalid user angel from 201.234.230.18 port 37813 ssh2
Dec 17 10:51:25 debby sshd[7667]: Failed password for invalid user games from 201.234.230.18 port 38732 ssh2
Dec 17 10:51:29 debby sshd[7669]: Failed password for invalid user pgsql from 201.234.230.18 port 39699 ssh2
Dec 17 10:51:33 debby sshd[7672]: Failed password for invalid user pgsql from 201.234.230.18 port 40644 ssh2
Dec 17 10:51:37 debby sshd[7674]: Failed password for invalid user mail from 201.234.230.18 port 41539 ssh2
Dec 17 10:51:41 debby sshd[7676]: Failed password for invalid user adm from 201.234.230.18 port 36885 ssh2
Dec 17 10:51:45 debby sshd[7678]: Failed password for invalid user ident from 201.234.230.18 port 37822 ssh2
Dec 17 10:51:49 debby sshd[7681]: Failed password for invalid user resin from 201.234.230.18 port 38721 ssh2
Dec 17 10:51:53 debby sshd[7683]: Failed password for invalid user root from 201.234.230.18 port 39451 ssh2
Dec 17 10:51:57 debby sshd[7686]: Failed password for invalid user root from 201.234.230.18 port 40387 ssh2
Dec 17 10:52:01 debby sshd[7688]: Failed password for invalid user root from 201.234.230.18 port 41306 ssh2
Dec 17 10:52:05 debby sshd[7691]: Failed password for invalid user root from 201.234.230.18 port 42045 ssh2
Dec 17 10:52:09 debby sshd[7693]: Failed password for invalid user root from 201.234.230.18 port 42983 ssh2
Dec 17 10:52:13 debby sshd[7695]: Failed password for invalid user root from 201.234.230.18 port 43926 ssh2
Dec 17 10:52:17 debby sshd[7697]: Failed password for invalid user root from 201.234.230.18 port 44758 ssh2
Dec 17 10:52:21 debby sshd[7699]: Failed password for invalid user root from 201.234.230.18 port 45662 ssh2
Dec 17 10:52:25 debby sshd[7701]: Failed password for invalid user root from 201.234.230.18 port 46574 ssh2
Dec 17 10:52:29 debby sshd[7704]: Failed password for invalid user root from 201.234.230.18 port 47378 ssh2
Dec 17 10:52:34 debby sshd[7715]: Failed password for invalid user root from 201.234.230.18 port 48307 ssh2
Dec 17 10:52:39 debby sshd[7725]: Failed password for invalid user root from 201.234.230.18 port 49324 ssh2
Dec 17 10:52:44 debby sshd[7738]: Failed password for invalid user root from 201.234.230.18 port 50463 ssh2
Dec 17 10:52:50 debby sshd[7742]: Failed password for invalid user root from 201.234.230.18 port 51387 ssh2
Dec 17 10:52:54 debby sshd[7756]: Failed password for invalid user root from 201.234.230.18 port 52663 ssh2
Dec 17 10:52:59 debby sshd[7758]: Failed password for invalid user root from 201.234.230.18 port 53680 ssh2
Dec 17 10:53:02 debby sshd[7762]: Failed password for invalid user root from 201.234.230.18 port 54607 ssh2
Dec 17 10:53:07 debby sshd[7764]: Failed password for invalid user root from 201.234.230.18 port 55433 ssh2
Dec 17 10:53:11 debby sshd[7766]: Failed password for invalid user root from 201.234.230.18 port 56440 ssh2
Dec 17 10:53:16 debby sshd[7768]: Failed password for invalid user root from 201.234.230.18 port 57397 ssh2
Dec 17 10:53:19 debby sshd[7770]: Failed password for invalid user root from 201.234.230.18 port 58281 ssh2
Dec 17 10:53:23 debby sshd[7772]: Failed password for invalid user root from 201.234.230.18 port 59038 ssh2
Dec 17 10:53:27 debby sshd[7774]: Failed password for invalid user root from 201.234.230.18 port 59893 ssh2
Dec 17 10:53:31 debby sshd[7776]: Failed password for invalid user root from 201.234.230.18 port 60787 ssh2
Dec 17 10:53:38 debby sshd[7783]: Failed password for invalid user root from 201.234.230.18 port 33367 ssh2
Dec 17 10:53:42 debby sshd[7802]: Failed password for invalid user root from 201.234.230.18 port 34728 ssh2
Dec 17 10:53:46 debby sshd[7805]: Failed password for invalid user root from 201.234.230.18 port 35634 ssh2
Dec 17 10:53:50 debby sshd[7808]: Failed password for invalid user root from 201.234.230.18 port 36470 ssh2
Dec 17 10:53:54 debby sshd[7811]: Failed password for invalid user root from 201.234.230.18 port 37354 ssh2
Dec 17 10:53:58 debby sshd[7813]: Failed password for invalid user root from 201.234.230.18 port 38278 ssh2
Dec 17 10:54:01 debby sshd[7861]: Failed password for invalid user root from 201.234.230.18 port 38990 ssh2
Dec 17 10:54:06 debby sshd[7864]: Failed password for invalid user root from 201.234.230.18 port 39825 ssh2
Dec 17 10:54:10 debby sshd[8673]: Failed password for invalid user root from 201.234.230.18 port 40806 ssh2
Dec 17 10:54:14 debby sshd[8675]: Failed password for invalid user root from 201.234.230.18 port 41686 ssh2
Dec 17 10:54:19 debby sshd[8682]: Failed password for invalid user root from 201.234.230.18 port 42499 ssh2
Dec 17 10:54:23 debby sshd[8684]: Failed password for invalid user root from 201.234.230.18 port 43607 ssh2
Dec 17 10:54:28 debby sshd[8773]: Failed password for invalid user root from 201.234.230.18 port 44571 ssh2
Dec 17 10:54:32 debby sshd[8894]: Failed password for invalid user root from 201.234.230.18 port 45641 ssh2
Dec 17 10:54:36 debby sshd[8896]: Failed password for invalid user root from 201.234.230.18 port 46389 ssh2
Dec 17 10:54:41 debby sshd[8898]: Failed password for invalid user root from 201.234.230.18 port 47361 ssh2
Dec 17 10:54:45 debby sshd[8900]: Failed password for invalid user root from 201.234.230.18 port 48279 ssh2
Dec 17 10:54:50 debby sshd[8903]: Failed password for invalid user root from 201.234.230.18 port 49244 ssh2
Dec 17 10:54:55 debby sshd[8906]: Failed password for invalid user root from 201.234.230.18 port 50269 ssh2
Dec 17 10:54:59 debby sshd[8941]: Failed password for invalid user root from 201.234.230.18 port 51271 ssh2
Dec 17 10:55:03 debby sshd[8943]: Failed password for invalid user root from 201.234.230.18 port 52253 ssh2
Dec 17 10:55:07 debby sshd[8945]: Failed password for invalid user root from 201.234.230.18 port 53038 ssh2
Dec 17 10:55:15 debby sshd[8947]: Failed password for invalid user root from 201.234.230.18 port 53881 ssh2
Dec 17 10:55:19 debby sshd[8949]: Failed password for invalid user root from 201.234.230.18 port 55631 ssh2
Dec 17 10:55:23 debby sshd[8951]: Failed password for invalid user root from 201.234.230.18 port 56507 ssh2
Dec 17 10:55:27 debby sshd[8954]: Failed password for invalid user root from 201.234.230.18 port 57403 ssh2
Dec 17 10:55:31 debby sshd[8956]: Failed password for invalid user root from 201.234.230.18 port 58117 ssh2
Dec 17 10:55:35 debby sshd[8958]: Failed password for invalid user root from 201.234.230.18 port 58859 ssh2
Dec 17 10:55:38 debby sshd[8961]: Failed password for invalid user root from 201.234.230.18 port 59741 ssh2
Dec 17 10:55:43 debby sshd[8963]: Failed password for invalid user root from 201.234.230.18 port 60451 ssh2
Dec 17 10:55:46 debby sshd[8967]: Failed password for invalid user root from 201.234.230.18 port 33188 ssh2
Dec 17 10:55:50 debby sshd[8970]: Failed password for invalid user root from 201.234.230.18 port 33987 ssh2
Dec 17 10:55:55 debby sshd[8973]: Failed password for invalid user root from 201.234.230.18 port 34702 ssh2
Dec 17 10:55:58 debby sshd[8976]: Failed password for invalid user root from 201.234.230.18 port 35715 ssh2
Dec 17 10:56:02 debby sshd[8978]: Failed password for invalid user root from 201.234.230.18 port 36513 ssh2
Dec 17 10:56:06 debby sshd[8980]: Failed password for invalid user root from 201.234.230.18 port 37254 ssh2
Dec 17 10:56:09 debby sshd[8982]: Failed password for invalid user root from 201.234.230.18 port 38040 ssh2
Dec 17 10:56:14 debby sshd[8985]: Failed password for invalid user root from 201.234.230.18 port 38979 ssh2
Dec 17 10:56:20 debby sshd[8987]: Failed password for invalid user root from 201.234.230.18 port 39773 ssh2
Dec 17 10:56:24 debby sshd[8990]: Failed password for invalid user root from 201.234.230.18 port 40953 ssh2
Dec 17 10:56:28 debby sshd[8992]: Failed password for invalid user root from 201.234.230.18 port 41871 ssh2
Dec 17 10:56:32 debby sshd[8994]: Failed password for invalid user root from 201.234.230.18 port 42621 ssh2
Dec 17 10:56:36 debby sshd[8996]: Failed password for invalid user root from 201.234.230.18 port 43348 ssh2
Dec 17 10:56:40 debby sshd[8998]: Failed password for invalid user root from 201.234.230.18 port 38395 ssh2
Dec 17 10:56:44 debby sshd[9000]: Failed password for invalid user root from 201.234.230.18 port 39198 ssh2
Dec 17 10:56:48 debby sshd[9002]: Failed password for invalid user root from 201.234.230.18 port 39935 ssh2
Dec 17 10:56:53 debby sshd[9005]: Failed password for invalid user root from 201.234.230.18 port 40777 ssh2
Dec 17 10:56:57 debby sshd[9009]: Failed password for invalid user root from 201.234.230.18 port 41644 ssh2
Dec 17 10:57:02 debby sshd[9011]: Failed password for invalid user root from 201.234.230.18 port 42362 ssh2
Dec 17 10:57:06 debby sshd[9013]: Failed password for invalid user root from 201.234.230.18 port 43364 ssh2
Dec 17 10:57:10 debby sshd[9015]: Failed password for invalid user root from 201.234.230.18 port 44232 ssh2
Dec 17 10:57:13 debby sshd[9019]: Failed password for invalid user root from 201.234.230.18 port 45032 ssh2
Dec 17 10:57:17 debby sshd[9021]: Failed password for invalid user root from 201.234.230.18 port 45726 ssh2
Dec 17 10:57:21 debby sshd[9024]: Failed password for invalid user root from 201.234.230.18 port 46559 ssh2
Dec 17 10:57:25 debby sshd[9026]: Failed password for invalid user root from 201.234.230.18 port 47302 ssh2
Dec 17 10:57:29 debby sshd[9029]: Failed password for invalid user root from 201.234.230.18 port 48160 ssh2
Dec 17 10:57:33 debby sshd[9031]: Failed password for invalid user root from 201.234.230.18 port 48993 ssh2
Dec 17 10:57:37 debby sshd[9033]: Failed password for invalid user root from 201.234.230.18 port 49741 ssh2
Dec 17 10:57:41 debby sshd[9035]: Failed password for invalid user root from 201.234.230.18 port 50569 ssh2
Dec 17 10:57:45 debby sshd[9037]: Failed password for invalid user root from 201.234.230.18 port 51394 ssh2
Dec 17 10:57:49 debby sshd[9040]: Failed password for invalid user root from 201.234.230.18 port 52124 ssh2
Dec 17 10:57:53 debby sshd[9043]: Failed password for invalid user root from 201.234.230.18 port 52971 ssh2
Dec 17 10:57:56 debby sshd[9045]: Failed password for invalid user root from 201.234.230.18 port 53711 ssh2
Dec 17 10:58:01 debby sshd[9047]: Failed password for invalid user root from 201.234.230.18 port 54459 ssh2
Dec 17 10:58:04 debby sshd[9049]: Failed password for invalid user root from 201.234.230.18 port 55368 ssh2
Dec 17 10:58:08 debby sshd[9051]: Failed password for invalid user root from 201.234.230.18 port 56064 ssh2

Last edited by unSpawn; 12-17-2008 at 04:56 PM. Reason: Mod changed quote to code for easier reading.
 
Old 12-17-2008, 04:56 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If that log didn't convince you then neither http://www.dshield.org/ipinfo.html?i....18&update=yes will.
 
Old 12-18-2008, 07:34 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
http://www.linuxquestions.org/questi...tempts-340366/ - last sticky on the top part of these forums!
 
Old 12-18-2008, 08:41 AM   #4
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Original Poster
Rep: Reputation: 30
@ unSpawn

That's a cool page. Should I bother contacting the admin with that log, or is it not worth it? Also, what change did you make to my post so that it's now more readable (so I don't repeat my mistake)?

@unixfool

I did see that post, although it's pretty old (from 2004). I am finding this security stuff interesting; maybe there is a future in it.
 
Old 12-18-2008, 10:32 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by jimdaworm
Also, what change did you make to my post so that it's now more readable (so I don't repeat my mistake)?
He changed the QUOTE tags you had used to CODE tags.

Quote: I did see that post, although it's pretty old (from 2004)
Yeah, but still extremely relevant.
 
Old 12-18-2008, 11:56 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What he said :-]
 
Old 12-18-2008, 06:28 PM   #7
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,334

Rep: Reputation: 54
Best bet is to run ssh on a non-standard port; it will at least keep the bots out. Also install fail2ban and test: 10 strikes and the IP gets banned for a few hours.

I had one of my home servers hacked this way. It was internet facing and I never gave thought to it, but ssh has no brute force protection built in (which is retarded since it should), so after weeks, perhaps months, a virus was trying to brute force it and eventually guessed my username/password combination. Fail2ban will catch this and then ban the IP.
 
Old 12-18-2008, 06:45 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: Originally Posted by Red Squirrel
Best bet is to run ssh on a non-standard port; it will at least keep the bots out. Also install fail2ban and test.
Maybe you didn't read the earlier posted sticky http://www.linuxquestions.org/questi...tempts-340366/ ?
 
Old 12-19-2008, 03:14 AM   #9
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Original Poster
Rep: Reputation: 30
@Red Squirrel
I can't change the default port; otherwise my work network doesn't let me out, at least on the other ports I have tried so far.

It looks like having a firewall, not allowing anyone but the user you need to log on, and only allowing logon with certificates is pretty good, at least against brute force attempts like what I and lots of others seem to be seeing from malware and scripts.
 
Old 12-19-2008, 08:27 AM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote: Originally Posted by Red Squirrel
Best bet is to run ssh on a non-standard port; it will at least keep the bots out. Also install fail2ban and test: 10 strikes and the IP gets banned for a few hours.
I don't know if you guys have checked your logs lately, but I've noticed a trend. Whereas maybe six months ago there were rampant large scans from IPs, now the trend is distributed scanning. I checked my logs maybe a month ago and was wondering if my denyhosts setup was broken. I found it was working fine. What's happening is that some botnet masters are now taking a pool of hosts and distributing the scan in a way that won't be detected by a tool that is looking for one IP that is generating, for example, 5 log entries in 5 sec (or even 5 log entries in one hour, for a large pool of IPs). isc.sans.org reported on this a few months ago. What I started doing was just flat out blocking all non-essential IPs (which is essentially what a default deny fw policy will do, even if you make allowances for specific IPs).

Just a word of advice that such ban tools as fail2ban or denyhosts aren't cutting it anymore...
 
Old 12-19-2008, 09:22 AM   #11
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote: Originally Posted by unixfool
Just a word of advice that such ban tools as fail2ban or denyhosts aren't cutting it anymore...
If your passwords are good it's really a moot point. Brute forcing passwords is looking for lowest hanging fruit. If you can't remember good passwords (>16 chars, unrelated mix of #, chars, symbols) you should be using something like keepass to keep them in.

Even after years of people screaming at the top of their lungs to use good passwords, in 9/10 systems I end up examining after a break-in I can find a bad password in <30s using a password cracker that was used to gain initial access to a system (usually a joe (username, name, either forward/backward), common dictionary word (money, computer, monitor, etc.), or sports team (eagles, dolphins, browns, mets, etc.)). Letting the cracker run for a few days will pick out all the common ones, even written in leet or with numbers attached.

Every password should be a MINIMUM of 8 chars (realistically much longer), contain no words even modified, contain symbols, numbers, never be duplicated on multiple systems, and should also contain a mix of upper and lower case letters.

Last edited by rweaver; 12-19-2008 at 09:31 AM.
 
Old 12-19-2008, 09:32 AM   #12
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote: Originally Posted by rweaver
If your passwords are good it's really a moot point. Brute forcing passwords is looking for lowest hanging fruit. If you can't remember good passwords (>16 chars, unrelated mix of #, chars, symbols) you should be using something like keepass to keep them in.
This goes beyond passwords. It is the fact that crackers are adapting by using scaled attacks to circumvent blocking tools. This type of attack is not exactly looking for the lowest hanging fruit (and actually shows that someone may be willing to go through extraordinary measures to get what they want). Note that I'm not talking about the average bruteforcing that has been going on for years...I'm talking about the new trend that has been reported. There's a huge difference between the two.

http://isc.sans.org/diary.html?storyid=4045

http://cipherdyne.org/blog/2008/03/t...-attempts.html

Last edited by unixfool; 12-19-2008 at 09:34 AM.
 
Old 12-19-2008, 09:47 AM   #13
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
IMHO, you should not use password authentication at all. Use pubkey authentication. The instructions on the changes to /etc/sshd_config are given in the comments just above the "UsePAM Yes" line.

If you run Windows at work and use putty for ssh, the putty keygen program can generate the keypairs you need. Then load in your key, and at the top, an openssh version of the public key is displayed. You can cut and paste this text to produce a public key to add to the server's authorized_keys file. Do this before disabling password authentication. Keep the old ssh session open after the changes and test it from another terminal.

Be sure to passphrase protect your private key (on the client). Passphrases are typically longer than passwords but can be a lot easier to remember. If you log in to different servers or several times during a terminal session, you can use ssh-agent and ssh-add to store the passphrase securely in memory. The next time you won't need to enter the passphrase. Remember that the private key is used on the client. If you were to lose it without a passphrase, it would allow someone else to log into the server.

Unixfool: One thing you might try is something like fail2ban, that bans an IP if certain ports are scanned just once.
Your iptables rules could log attempts on certain ports you aren't using such as telnet or smtp. A cron job could scan the log and modify hosts.deny or add iptables rules. This is similar to fail2ban, but the iptables rule is simpler.

A similar technique is to reserve certain IP addresses in your subnet for a dead zone. An IDS could be configured to watch for attempts on these IPs, which indicate that someone is scanning the network.

For important fixed IP addresses on a local ethernet segment, consider using "arp -s" or "arp -f" to fix the MAC addresses to known permanent values. This can help protect against ARP poisoning by a compromised host or a jack box on the LAN.

Last edited by jschiwal; 12-19-2008 at 10:03 AM.
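The cron-job half of jschiwal's suggestion (iptables logs hits on ports the host does not serve; a script turns them into hosts.deny entries), written out as an added example that is not code from the thread. The "PROBE: " log prefix, the trap ports, the kern.log lines and the hosts.deny contents are all constructed for the example; the allow-list keeps the script from ever locking out your own addresses.

```python
"""Added example: iptables LOG lines for trap ports -> hosts.deny entries.
Everything here is constructed for illustration, not taken from the thread."""
import re

# iptables LOG lines as they land in kern.log/syslog. "PROBE: " is the
# --log-prefix assumed for this example, from a (constructed) rule such as:
#   iptables -A INPUT -p tcp -m multiport --dports 23,25 -j LOG --log-prefix "PROBE: "
IPT_RE = re.compile(
    r"PROBE: .*\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*\bDPT=(?P<dpt>\d+)\b"
)

# telnet and smtp: nothing listens here, so any connection attempt is a probe.
TRAP_PORTS = frozenset({23, 25})


def probing_sources(lines, trap_ports=TRAP_PORTS, allow=frozenset()):
    """Source IPs that touched a trap port, minus the allow-list, sorted."""
    hits = set()
    for line in lines:
        m = IPT_RE.search(line)
        if m and int(m["dpt"]) in trap_ports and m["src"] not in allow:
            hits.add(m["src"])
    return sorted(hits)


def merge_hosts_deny(existing_text, sources, daemon="ALL"):
    """Return (new_text, added): hosts.deny text plus one 'daemon: ip' line
    per source not already listed. Idempotent, so a cron job can run it
    every few minutes without growing the file on repeat probes."""
    present = set()
    for raw in existing_text.splitlines():
        rule = raw.split("#", 1)[0]            # drop comments
        if ":" in rule:
            _, _, clients = rule.partition(":")  # daemon_list : client_list
            present.update(clients.replace(",", " ").split())
    added = [ip for ip in sources if ip not in present]
    text = existing_text
    if added and text and not text.endswith("\n"):
        text += "\n"
    text += "".join(f"{daemon}: {ip}\n" for ip in added)
    return text, added


# Constructed kern.log excerpt (fields trimmed to what the regex needs):
# probes on 23 and 25 from the 198.51.100.0/24 documentation range, one
# hit on port 22 (not a trap port, ignored) and one probe from an address
# we put on the allow-list.
SAMPLE_KERN_LOG = """\
Dec 19 09:14:02 debby kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=51234 DPT=23 SYN
Dec 19 09:14:05 debby kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40211 DPT=25 SYN
Dec 19 09:14:09 debby kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.11 DST=192.0.2.10 LEN=60 TTL=55 PROTO=TCP SPT=51240 DPT=22 SYN
Dec 19 09:15:00 debby kernel: PROBE: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=33001 DPT=23 SYN
"""

# Constructed hosts.deny holding the entry the original poster said he added.
SAMPLE_HOSTS_DENY = "# constructed example\nsshd: 201.234.230.18\n"

if __name__ == "__main__":
    srcs = probing_sources(SAMPLE_KERN_LOG.splitlines(), allow={"192.0.2.50"})
    text, added = merge_hosts_deny(SAMPLE_HOSTS_DENY, srcs)
    print(f"added {added}\n{text}")
```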
 
Old 12-19-2008, 10:37 AM   #14
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote: Originally Posted by jschiwal
Unixfool: One thing you might try is something like fail2ban, that bans an IP if certain ports are scanned just once.
Your iptables rules could log attempts on certain ports you aren't using such as telnet or smtp. A cron job could scan the log and modify hosts.deny or add iptables rules. This is similar to fail2ban, but the iptables rule is simpler.
I am using something akin to fail2ban (I mentioned that earlier). These tools don't work well with distributed scanning (I mentioned this earlier). Tools that threshold alerts do not scale well to a pool of 200 IPs that trigger 2 alerts an hour per IP.

I'm not trying to be rude, really, but have you guys read the above posts and URLs?
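To make unixfool's point concrete (a pool of IPs each sending a couple of failures an hour, which a per-IP threshold never trips), here is an added example, not code from the thread, that scores the thread's sshd log format both ways: a fail2ban-style per-IP window and an aggregate view across all sources. The log lines it runs on are constructed, combining the original poster's single-source run with a distributed run from the 203.0.113.0/24 documentation range; the thresholds are assumptions.

```python
"""Added example: per-IP vs aggregate scoring of sshd failed logins.
Sample lines are constructed in the thread's auth.log format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One auth.log line as quoted in the thread (syslog timestamp, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(lines, year=2008):
    """Return [(timestamp, username, source_ip)] for every matching line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_offenders(events, max_tries=10, window=timedelta(hours=1)):
    """fail2ban-style rule from the thread: max_tries failures from one IP
    inside the window gets it banned. Returns {ip: peak failures in window}."""
    stamps = defaultdict(list)
    for ts, _, ip in events:
        stamps[ip].append(ts)
    banned = {}
    for ip, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_tries:
            banned[ip] = peak
    return banned


def distributed_campaign(events, max_tries=10, window=timedelta(hours=1),
                         min_sources=20):
    """The pattern unixfool describes: many IPs each under max_tries in the
    last `window`, but together producing brute-force volume against the
    same few usernames. Returns a summary dict, or None if nothing qualifies."""
    if not events:
        return None
    latest = max(ts for ts, _, _ in events)
    recent = [e for e in events if latest - e[0] <= window]
    per_ip = Counter(ip for _, _, ip in recent)
    quiet = {ip: n for ip, n in per_ip.items() if n < max_tries}
    if len(quiet) < min_sources or sum(quiet.values()) < max_tries:
        return None
    users = Counter(u for _, u, ip in recent if ip in quiet)
    return {
        "sources": len(quiet),
        "failures": sum(quiet.values()),
        "max_per_ip": max(quiet.values()),
        "top_users": [u for u, _ in users.most_common(3)],
    }


def _line(ts, pid, user, ip, port):
    return (f"{ts:%b %d %H:%M:%S} debby sshd[{pid}]: Failed password for "
            f"invalid user {user} from {ip} port {port} ssh2")


def sample_log():
    """Constructed sample: the original poster's single-source run (first
    12 usernames, 4 s apart), then 25 hosts in 203.0.113.0/24 each trying
    root and admin once over the hour."""
    lines = []
    t0 = datetime(2008, 12, 17, 10, 46, 6)
    names = ["root", "admin", "test", "guest", "webmaster", "mysql",
             "oracle", "library", "info", "shell", "linux", "unix"]
    for i, user in enumerate(names):
        lines.append(_line(t0 + timedelta(seconds=4 * i), 7391 + 2 * i,
                           user, "201.234.230.18", 58882 + i))
    t1 = datetime(2008, 12, 19, 9, 0, 0)
    for i in range(25):
        for j, user in enumerate(["root", "admin"]):
            lines.append(_line(t1 + timedelta(minutes=2 * i, seconds=30 * j),
                               9100 + 2 * i + j, user, f"203.0.113.{i + 1}",
                               40000 + i))
    return lines


if __name__ == "__main__":
    ev = parse_failures(sample_log())
    print("per-IP bans:", per_ip_offenders(ev))
    print("distributed:", distributed_campaign(ev))
```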
 
Old 12-19-2008, 10:53 AM   #15
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote: Originally Posted by unixfool
This goes beyond passwords. It is the fact that crackers are adapting by using scaled attacks to circumvent blocking tools. This type of attack is not exactly looking for the lowest hanging fruit (and actually shows that someone may be willing to go through extraordinary measures to get what they want). Note that I'm not talking about the average bruteforcing that has been going on for years...I'm talking about the new trend that has been reported. There's a huge difference between the two.

http://isc.sans.org/diary.html?storyid=4045

http://cipherdyne.org/blog/2008/03/t...-attempts.html
Of course they are; we adapted, so they're adapting to our measures. They're still searching for the lowest hanging fruit (and let's not forget a lot of these attempts are coming from botnets now.)

Let's take a quick step into the realm of the absurd just for comparison's sake...

Let's assume there are 5m distributed hosts, they know your account name, your machine can take the traffic and load (heh) from the attempts, and your fail2ban is set up so the 10th attempt is banned. That equates to them making ~45m c/h.

That is just about equal to having a password cracker running at about 15k c/s (my servers average) locally (54m c/h).

Do the math on how long it will take them to figure out your 16+ character unique password of mixed case, numbers, and common symbols. It's completely absurd.

The chances of a remote exploit on a daemon, hell on ssh itself, are far higher than your password being broken *IF* your password is good.

Don't get me wrong, I'm not saying you shouldn't take additional precautions, but the first precaution taken should be a strong password if the system has to be accessible from the outside via passwords, because without it, the rest of the protections are just offering a false sense of security. The better solution is to use passwords in conjunction with keys... but that can be problematic in some situations.
 
  

