LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-17-2005, 03:34 AM   #181
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30

Try pam_tally to limit login to 5 attempts, for example; also portsentry for scans from outside, and if snort is properly configured it's an IPS !!!
 
Old 06-24-2005, 03:39 PM   #182
pobman
Member
 
Registered: Jun 2005
Location: Wellington, New Zealand
Distribution: Fedora 9
Posts: 31

Rep: Reputation: 16
I know it was really stupid, but I have a test box I built for RHEL 4 running on Centos. I am a newbie to Linux and thought it wise to mess about for a while, but I decided on a really insecure password: after I let my colleague ssh into my box I reset the password on the fly and chose it with not much care. On Tuesday night it was hacked into.

Not sure what was really done to it, but according to the history there were two rpms installed then removed, and other stuff I was not sure of was done, as some files were vi'd and there was an ftp record, but again not sure what was done.

I have since rebuilt my PC using Fedora's latest release and have upgraded my security to try and prevent these measures again, but I do have my old hard drive with all the data intact. If anyone has some ideas on what you need to look for, I can forward any file you want for inspection. I do know though that it took 503 attempts to crack into it.

Note: I believe that mistakes are good if you learn from them.
 
Old 06-24-2005, 05:38 PM   #183
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
How did you count the attempts? 503? Quite a passwd, or lucky?
 
Old 06-24-2005, 05:56 PM   #184
pobman
Member
 
Registered: Jun 2005
Location: Wellington, New Zealand
Distribution: Fedora 9
Posts: 31

Rep: Reputation: 16
I did a grep on /var/log/messages for unknown. To be honest I was surprised it took that many since the password was 'redhat' lol

I have spent the last few days quite amused by it all really.

Last edited by pobman; 06-24-2005 at 05:58 PM.
 
Old 06-25-2005, 12:11 AM   #185
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Yes, but how did you count the instances? |grep unknown for example?

btw: someone tried user name Pamela on my box ?!?!? It's quite amusing, but MAN, NEVER ALLOW REMOTE ROOT ACCESS. This will only save you time though.

And think about /etc/hosts.deny --> sshd: UNKNOWN. This will guarantee, at least to some point, that those not known will not have any sshd login.

Moderators pls make a sticky with deleted nonsense posts please

Last edited by johnnydangerous; 06-25-2005 at 12:19 AM.
 
Old 06-25-2005, 03:49 PM   #186
pobman
Member
 
Registered: Jun 2005
Location: Wellington, New Zealand
Distribution: Fedora 9
Posts: 31

Rep: Reputation: 16
If you mean how do I know there were 503 attempts, I used cat /var/log/messages |grep unknown|wc -l
 
Old 06-25-2005, 04:44 PM   #187
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Didn't know that, nice.
 
Old 06-25-2005, 05:55 PM   #188
securehack
Member
 
Registered: Sep 2003
Location: United States
Distribution: Slackware 10.1, Debian 3.0, WinXProSP1, Fedora Core 3
Posts: 425

Rep: Reputation: 30
Quote:
Originally posted by johnnydangerous
didn't know that nice
Wow... outsmarted by a noob.

--Abid Kazmi
 
Old 06-26-2005, 05:11 AM   #189
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Well, I'm not a "grep" guru.
 
Old 07-05-2005, 03:38 PM   #190
AQG
Member
 
Registered: Jun 2005
Distribution: SuSE, Red Hat
Posts: 162

Rep: Reputation: 30
This is what I've been getting; I suppose it's related to the same problem:

Jul 4 17:40:02 linux sshd[19342]: Failed password for invalid user test from 200.67.79.197 port 48306 ssh2
Jul 4 17:40:54 linux sshd[19366]: Invalid user test from 200.67.79.197
Jul 4 17:40:54 linux sshd[19366]: Failed password for invalid user test from 200.67.79.197 port 49006 ssh2
Jul 4 17:42:20 linux sshd[19404]: Invalid user test from 200.67.79.197
Jul 4 17:42:20 linux sshd[19404]: Failed password for invalid user test from 200.67.79.197 port 50139 ssh2
Jul 4 17:42:26 linux sshd[19406]: Invalid user test from 200.67.79.197
Jul 4 17:42:26 linux sshd[19406]: Failed password for invalid user test from 200.67.79.197 port 50199 ssh2
Jul 4 17:43:06 linux sshd[19422]: Invalid user test from 200.67.79.197
Jul 4 17:43:06 linux sshd[19422]: Failed passw
 
Old 07-05-2005, 05:47 PM   #191
emetib
Member
 
Registered: Feb 2003
Posts: 484

Rep: Reputation: 33
With the amount of time that passes between tries, it looks more like someone doing it by hand, rather than the scripts that we've been talking about.

Do take the precautions that have been brought up here though.

This is more what they look like-
Jul 2 17:45:54 prometheus sshd[10752]: Illegal user michael from ::ffff:193.65.36.24
Jul 2 17:45:56 prometheus sshd[10754]: Illegal user amanda from ::ffff:193.65.36.24
Jul 2 17:45:57 prometheus sshd[10756]: Illegal user mysql from ::ffff:193.65.36.24
Jul 2 17:45:59 prometheus sshd[10758]: Illegal user rpm from ::ffff:193.65.36.24
Jul 2 17:46:01 prometheus sshd[10760]: Illegal user operator from ::ffff:193.65.36.24
Jul 2 17:46:02 prometheus sshd[10762]: Illegal user sgi from ::ffff:193.65.36.24
Jul 2 17:46:04 prometheus sshd[10764]: Illegal user Aaliyah from ::ffff:193.65.36.24
Jul 2 17:46:06 prometheus sshd[10766]: Illegal user Aaron from ::ffff:193.65.36.24
Jul 2 17:46:07 prometheus sshd[10768]: Illegal user Aba from ::ffff:193.65.36.24
Jul 2 17:46:09 prometheus sshd[10770]: Illegal user Abel from ::ffff:193.65.36.24
Jul 2 17:46:11 prometheus sshd[10772]: Illegal user Jewel from ::ffff:193.65.36.24
Jul 2 17:46:14 prometheus sshd[10776]: Illegal user users from ::ffff:193.65.36.24
Jul 2 17:46:15 prometheus sshd[10778]: Illegal user admins from ::ffff:193.65.36.24
Jul 2 17:46:17 prometheus sshd[10780]: Illegal user admins from ::ffff:193.65.36.24

See how fast they cycle through the names, and then there isn't a passwd spot either.

cheers.
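The two log shapes shown in this thread (an "Invalid user" line paired with a "Failed password" line, and the older "Illegal user" line with an IPv4-mapped "::ffff:" address) can be summarised per source address to separate a slow by-hand probe from a scripted name sweep like the one above. This is an added example, not code from the thread; the log lines are constructed samples on RFC 5737 test addresses, and the 5-second "fast gap" threshold is an assumption.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (RFC 5737 test addresses) modelled on the two sshd formats
# quoted in the thread: one source retrying one name minutes apart, one source
# cycling through a name list a second or two apart.
SAMPLE_LOG = """\
Jul 4 17:40:54 linux sshd[19366]: Invalid user test from 192.0.2.10
Jul 4 17:40:54 linux sshd[19366]: Failed password for invalid user test from 192.0.2.10 port 49006 ssh2
Jul 4 17:42:20 linux sshd[19404]: Invalid user test from 192.0.2.10
Jul 4 17:43:06 linux sshd[19422]: Invalid user test from 192.0.2.10
Jul 2 17:45:54 prometheus sshd[10752]: Illegal user michael from ::ffff:198.51.100.7
Jul 2 17:45:56 prometheus sshd[10754]: Illegal user amanda from ::ffff:198.51.100.7
Jul 2 17:45:57 prometheus sshd[10756]: Illegal user mysql from ::ffff:198.51.100.7
Jul 2 17:45:59 prometheus sshd[10758]: Illegal user rpm from ::ffff:198.51.100.7
"""

# Match only the "Invalid user" / "Illegal user" line of each attempt so the
# paired "Failed password" line is not counted a second time; "::ffff:" is the
# IPv4-mapped IPv6 prefix and is stripped from the address.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid|Illegal) user (?P<user>\S+) from (?:::ffff:)?(?P<ip>\S+)$"
)

def summarize(log_text, fast_gap_s=5):
    """Group unknown-user attempts by source IP and flag scripted sweeps:
    more than one user name tried with a median gap <= fast_gap_s seconds.
    Syslog lines carry no year, so gaps only make sense within one file."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            by_ip[m.group("ip")].append((ts, m.group("user")))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        users = sorted({u for _, u in hits})
        median_gap = statistics.median(gaps) if gaps else None
        scripted = len(users) > 1 and median_gap is not None and median_gap <= fast_gap_s
        report[ip] = {"attempts": len(hits), "users": users,
                      "median_gap_s": median_gap, "scripted": scripted}
    return report
```

Run it over a real /var/log/messages by passing the file contents to summarize(); the per-IP "attempts" figure is the count a plain grep|wc -l would double when both lines of a pair contain the matched word.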
 
Old 07-05-2005, 05:54 PM   #192
emetib
Member
 
Registered: Feb 2003
Posts: 484

Rep: Reputation: 33
One thing that I would do is a whois on the IP and then send an email to the ISP.

You can just use-
whois -h completewhois.com ABUSEDATA ipaddress | grep -i Abuse\ E-mail

You'll see the abuse info. I've found that some Asian ISPs don't have an abuse contact, they have a security one. In that case, if the above line doesn't work for you within 15 seconds, then I would do a regular whois on the IP.

Some people here will think sending out an email is stupid, yet with a line count of the illegals from last week totalling over 6000, it's nice to see a reply stating that they have been taken offline.

So it's up to you.
cheers.
 
Old 07-06-2005, 12:49 AM   #193
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
It's a script for sure; no one will try a dictionary of UIDs by hand. Try pam_tally to limit the login attempts, and if someone can actually tell me how to use it/..
I had "Pamela" as an invalid user login attempt, it's so funny.

p.s. just any tip for pam_tally will do, I tried googlin' for it - no luck

Last edited by johnnydangerous; 07-06-2005 at 12:53 AM.
 
Old 07-06-2005, 05:23 AM   #194
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
pam_tally only had this problem:

that once the maximum password failures has been exceeded,
SSH/PAM still gives a clear indication of when you've cracked the right password.

If you give a bad password, you get a 2-second delay and a new prompt:

dummy@localhost's password:
Permission denied, please try again.
dummy@localhost's password:

If you get it right, you get the message:

dummy@localhost's password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

The solution is pam_abl, an auto-blacklist module that blacklists IPs and not users, so that your users don't get blocked.
 
Old 07-06-2005, 08:11 AM   #195
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
pls provide some info about pam_abl and sshd, how to bind them together
 
Tags
hostsdeny, keys, ssh