LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-12-2017, 07:33 PM   #1
Izwal
LQ Newbie
 
Registered: Aug 2017
Posts: 1

Rep: Reputation: Disabled
Large number of failed ssh login attempts


Hello,

I own a Raspberry Pi running a ssh server. As I have noticed many login attempts from different locations on earth (mainly from China), I have configured my server to accept connections from only 2 or 3 known IP addresses. I also wanted to see what passwords were used by the attackers so I wrote a small PAM module to log this information. Surprisingly, all passwords are nearly the same. They often start with the 4 ASCII characters #8, #10, #13 and #127 in this order. I havn't found information on the web about possible vulnerability of ssh to special characters. What do you think about that?
 
Old 08-12-2017, 08:33 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, and whatever VMs I happen to be playing with
Posts: 12,373
Blog Entries: 16

Rep: Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147Reputation: 3147
My guess is automated random port scans.
 
Old 08-13-2017, 12:58 AM   #3
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 2,981

Rep: Reputation: 511Reputation: 511Reputation: 511Reputation: 511Reputation: 511Reputation: 511
It looks like an automated script to search for systems vulnerable to brute force password attacks on ssh.
 
Old 08-13-2017, 01:42 AM   #4
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,216
Blog Entries: 3

Rep: Reputation: 1005Reputation: 1005Reputation: 1005Reputation: 1005Reputation: 1005Reputation: 1005Reputation: 1005Reputation: 1005
If they're coming from the same networks, you can always report them to the netblock owner. That takes a small effort even with a template but often reduces the attack.

Also, there is sshguard which can automatically add most if not all of those attackers to your firewall's block list, even for IPv6 sources.
 
Old 08-13-2017, 05:24 AM   #5
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,477
Blog Entries: 11

Rep: Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382Reputation: 2382
Quote:
Originally Posted by Izwal View Post
What do you think about that?
Something doesn't add up, is what I think.
 
Old 08-13-2017, 06:50 AM   #6
Jjanel
Member
 
Registered: Jun 2016
Distribution: any&all, in VBox; Ol'UnixCLI; NO GUI resources
Posts: 995
Blog Entries: 11

Rep: Reputation: 358Reputation: 358Reputation: 358Reputation: 358
Quote:
I wrote a small PAM module to log this information. Surprisingly, all passwords are nearly the same. They often start with the 4 ASCII characters #8, #10, #13 and #127 in this order.
Welcome to LQ! Maybe "doesn't add up" means: Are you *absolutely sure* your capture works? Did you test it, with a login attempt from you, with a test pwd, to check for? I would have expected to find web-search results, but didn't, for:
Quote:
password "8 10 13 127"
Or is that http://ascii.cl "bs lf cr del"? (no results for that either). What was the other "nearly the same" part?

Also, share=post some specifics (those similar pwds, 'logs', -d ,...) that we can have a look at & advise on (of course, obfuscate your publicIP!). 'Picture worth 1K words'. Tips: 4a)CODE, |nc termbin.com 9999

Last edited by Jjanel; 08-13-2017 at 12:43 PM.
 
Old 08-13-2017, 08:30 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,326
Blog Entries: 4

Rep: Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840
As long as it is possible for "anyone on the planet" to reach a login: prompt on your box, you will have no end of misery, and "no dictionary will ever protect you." But you do have an alternative: an easy-to-implement alternative will shut all of this completely down, cold, and keep it that way forever after.

Have a look at my LQ blog where I discuss How To Build a 'Dwarvish Door' With OpenVPN.

The strategy which I describe there will bring an immediate end to all such access attempts. To the outside world, your system has no "open ports," and, so far as they can detect, it's not running OpenVPN, either! (Unless they demonstrate in the initial handshake that they probably possess the proper tls-auth certificate, the OpenVPN sever won't even answer the phone.)

The only way to enter is to possess two one-of-a-kind digital certificates, the second one of which also has not been "revoked" by you.

Only then can one reach ssh or anything else. (ssh, which of course you have set up to require a third digital certificate and not to ever prompt for a password, becomes the second also-impenetrable layer in your outer defenses, guarding all access to a shell prompt ... a layer which will never be assaulted because it will never be found.)

Authorized users can clear these obstacles in seconds, and can carry on their communication with your system, securely, as though it were simply attached (through a (software) router) to their local network. They don't have to think further about security: it is secure, and they are certain that they are talking to the intended machine. (In like manner, your machine knows that it is communicating specifically with them. It knows them by name.)

(Digital certificates can be encrypted with a password, e.g. for use with "road warrior" machines that might get stolen in an airport bathroom, so that they can't be used until you get a chance to revoke them, which act instantly and selectively(!) renders them useless – encrypted or not.)

The number of unauthorized access attempts will immediately drop to zero and stay there ... forever.

I've deployed many public servers – I won't tell you the IP-addresses and you can't find them – that have never had an unauthorized access attempt. Ever. Nor will they. Ever.

Last edited by sundialsvcs; 08-14-2017 at 02:53 PM.
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: How to monitor failed ssh login attempts on CentOS LXer Syndicated Linux News 0 08-25-2013 09:03 PM
[SOLVED] How to lock the users after ssh failed login attempts ? bala.linuxtech Linux - Security 7 12-07-2012 08:31 AM
Question about failed ssh login attempts natv Linux - Security 3 02-11-2007 06:46 AM
Failed SSH login attempts Capt_Caveman Linux - Security 38 01-03-2006 03:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration