LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 09-24-2006, 03:28 AM   #1
athanatos
Registered: Apr 2004
Distribution: Slackware 11.0, OpenBSD 4.0
Does someone try to break into my system?


Hi!

Today, I looked at the output of tail -f /var/log/messages and found something very strange:

Sep 24 10:15:34 slackware sshd[3321]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:34 slackware sshd[3321]: Failed password for invalid user affiliates from 210.172.175.89 port 37251 ssh2
Sep 24 10:15:37 slackware sshd[3323]: Invalid user affiliatesale from 210.172.175.89
Sep 24 10:15:37 slackware sshd[3323]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:37 slackware sshd[3323]: Failed password for invalid user affiliatesale from 210.172.175.89 port 37336 ssh2
Sep 24 10:15:39 slackware sshd[3325]: Invalid user affiliatesuccess from 210.172.175.89
Sep 24 10:15:39 slackware sshd[3325]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:39 slackware sshd[3325]: Failed password for invalid user affiliatesuccess from 210.172.175.89 port 37415 ssh2
Sep 24 10:15:42 slackware sshd[3327]: Invalid user affiliatesupport from 210.172.175.89
Sep 24 10:15:42 slackware sshd[3327]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:42 slackware sshd[3327]: Failed password for invalid user affiliatesupport from 210.172.175.89 port 37499 ssh2
Sep 24 10:15:45 slackware sshd[3329]: Invalid user afrodita from 210.172.175.89
Sep 24 10:15:45 slackware sshd[3329]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:45 slackware sshd[3329]: Failed password for invalid user afrodita from 210.172.175.89 port 37588 ssh2
Sep 24 10:15:47 slackware sshd[3331]: Invalid user agata from 210.172.175.89
Sep 24 10:15:47 slackware sshd[3331]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:47 slackware sshd[3331]: Failed password for invalid user agata from 210.172.175.89 port 37671 ssh2
Sep 24 10:15:50 slackware sshd[3333]: Invalid user agency from 210.172.175.89
Sep 24 10:15:50 slackware sshd[3333]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:50 slackware sshd[3333]: Failed password for invalid user agency from 210.172.175.89 port 37752 ssh2
Sep 24 10:15:53 slackware sshd[3335]: Invalid user agent from 210.172.175.89
Sep 24 10:15:53 slackware sshd[3335]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:53 slackware sshd[3335]: Failed password for invalid user agent from 210.172.175.89 port 37835 ssh2
...
Sep 24 10:19:22 slackware sshd[3568]: Failed password for invalid user barbara from 210.172.175.89 port 44468 ssh2
Sep 24 10:19:25 slackware sshd[3570]: Invalid user barry from 210.172.175.89
Sep 24 10:19:25 slackware sshd[3570]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:25 slackware sshd[3570]: Failed password for invalid user barry from 210.172.175.89 port 44556 ssh2
Sep 24 10:19:27 slackware sshd[3572]: Invalid user bart from 210.172.175.89
Sep 24 10:19:27 slackware sshd[3572]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:27 slackware sshd[3572]: Failed password for invalid user bart from 210.172.175.89 port 44636 ssh2
Sep 24 10:19:30 slackware sshd[3574]: Invalid user baseball from 210.172.175.89
Sep 24 10:19:30 slackware sshd[3574]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:30 slackware sshd[3574]: Failed password for invalid user baseball from 210.172.175.89 port 44722 ssh2
Sep 24 10:19:33 slackware sshd[3576]: Invalid user beach from 210.172.175.89
Sep 24 10:19:33 slackware sshd[3576]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:33 slackware sshd[3576]: Failed password for invalid user beach from 210.172.175.89 port 44805 ssh2
Sep 24 10:19:35 slackware sshd[3579]: Invalid user beautiful from 210.172.175.89
Sep 24 10:19:35 slackware sshd[3579]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:35 slackware sshd[3579]: Failed password for invalid user beautiful from 210.172.175.89 port 44892 ssh2
Sep 24 10:19:38 slackware sshd[3581]: Invalid user beauty from 210.172.175.89
Sep 24 10:19:38 slackware sshd[3581]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:19:38 slackware sshd[3581]: Failed password for invalid user beauty from 210.172.175.89 port 44976 ssh2
...

The list goes on and on. Every second a new "Invalid user..." message gets added.

I don't think that somebody can break into my system because I have pretty strong passwords. But I never thought something like this could happen to me. This looks like someone is trying to break into my system using an automated script, doesn't it?

I am completely new to this kind of thing, so I don't know what to do about it.

This looks bad to me and I am frightened! Help would be very much appreciated!
 
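An added example, not from any post in this thread: the kind of log lines shown above run through a small sh/awk triage script. Two things are worth knowing when reading that log. The "POSSIBLE BREAK-IN ATTEMPT!" text is not sshd detecting an intrusion: sshd prints it whenever the reverse DNS name of the client (dart.jp here) does not resolve back to the connecting address, which is common for badly configured hosts and says nothing about what the client is doing. And "Invalid user" means the guessed account does not exist at all, so those attempts cannot succeed; failures against accounts that do exist (root, or your own login) are the lines that deserve attention. The sample log is constructed from lines in the post plus two added ones (a failure for root, and a second source address) to show that distinction.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd brute-force noise in
# /var/log/messages. Assumes the classic OpenSSH syslog format shown in the
# post: "Failed password for [invalid user] NAME from IP port N ssh2".

# Constructed sample: lines from the post plus two added ones (a failure for
# the real account "root", and a second source address with one failure).
SAMPLE_LOG='Sep 24 10:15:34 slackware sshd[3321]: Failed password for invalid user affiliates from 210.172.175.89 port 37251 ssh2
Sep 24 10:15:37 slackware sshd[3323]: Invalid user affiliatesale from 210.172.175.89
Sep 24 10:15:37 slackware sshd[3323]: Address 210.172.175.89 maps to dart.jp, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 10:15:37 slackware sshd[3323]: Failed password for invalid user affiliatesale from 210.172.175.89 port 37336 ssh2
Sep 24 10:15:39 slackware sshd[3325]: Invalid user affiliatesuccess from 210.172.175.89
Sep 24 10:15:39 slackware sshd[3325]: Failed password for invalid user affiliatesuccess from 210.172.175.89 port 37415 ssh2
Sep 24 10:16:01 slackware sshd[3340]: Failed password for root from 210.172.175.89 port 37900 ssh2
Sep 24 10:16:05 slackware sshd[3342]: Accepted publickey for max from 192.0.2.10 port 51000 ssh2
Sep 24 10:16:30 slackware sshd[3344]: Failed password for max from 192.0.2.10 port 51010 ssh2'

# Failed password attempts per source address, highest first ("COUNT IP").
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Failures against accounts that DO exist (no "invalid user" marker): the
# attacker has a real username, so these are the ones to look at ("USER IP").
ssh_failed_valid_users() {
    awk '/sshd\[[0-9]+\]: Failed password for / && !/ for invalid user / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print user, ip
         }'
}

# Source addresses with at least THRESHOLD (default 5) failures: candidates
# for a firewall block or for a DenyHosts-style tool.
ssh_bruteforce_sources() {
    threshold=${1:-5}
    ssh_failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample. On a real box, replace the
# printf with:  ssh_bruteforce_sources 5 < /var/log/messages
echo "failures per source:"
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_by_source
echo "failures against existing accounts:"
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_valid_users
echo "sources over threshold (3):"
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_sources 3
```

The threshold is deliberately a parameter: a single typo from your own address should not get you locked out, while a scanner trying one name per second crosses any sane threshold within a minute.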
Old 09-24-2006, 03:44 AM   #2
billymayday
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
If you don't need to connect with ssh from outside, close port 22 on your firewall and you won't have this problem anymore
 
Old 09-24-2006, 04:42 AM   #3
IBall
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Alternatively, if you do need SSH access from outside, restrict port 22 to those networks that you need access from. For example, I need to connect to my machine from my uni so I allow port 22 from any computer on the uni's network, and deny everyone else.

Code:
iptables -A INPUT -p TCP -s xxx.xxx.xxx.xxx/xx --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -s 0/0 --destination-port 22 -j DROP
Works for me, in that order. xxx.xxx.xxx.xxx/xx is the network you need to connect from.

I hope this helps
--Ian

Last edited by IBall; 09-24-2006 at 05:19 AM.
 
Old 09-24-2006, 05:01 AM   #4
Yalla-One
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Or, if you need SSH access from random external locations, enforce a rate limiter that only allows a new SSH connection every 30 seconds (this will stop most brute-force scripts):

Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
You could also move SSH to a random port. To be even more secure, add a script/monitoring system that automagically blocks the offending IP address after 2-3 incorrect attempts, such as DenyHosts

-Y1
 
Old 09-24-2006, 05:53 AM   #5
dunric
Registered: Jul 2004
Distribution: Void Linux, former Slackware
For connecting from random locations I'd strongly recommend to add (open)VPN as the security layer.
 
Old 09-24-2006, 06:57 AM   #6
Old_Fogie
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Quote:
Originally Posted by IBall
Alternatively, if you do need SSH access from outside, restrict port 22 to those networks that you need access from. For example, I need to connect to my machine from my uni so I allow port 22 from any computer on the uni's network, and deny everyone else.

Code:
iptables -A INPUT -p TCP -s xxx.xxx.xxx.xxx/xx --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -s 0/0 --destination-port 22 -j DROP
Works for me, in that order. xxx.xxx.xxx.xxx/xx is the network you need to connect from.

I hope this helps
--Ian
Hey Bill, question for you on that please.

Is the syntax for your xxx.xxx.xxx.xxx/xx = 192.168.100.1/255 equal to all PCs on a LAN?

Secondly, how does the firewall/iptables understand that normally the DNS server and/or computer gateway is usually 192.168.100.1 in my example above?

Reason: many routers/firewall devices you buy at a PC store use a non-routable address of 192.168.0.1, 192.168.1.1 or 192.168.100.1. Does that rule you made account for that, or is there anything else that needs to be done?

TY in advance.
 
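An added example, not from any post in the thread: the rules from IBall's reply (allow your own network) and Yalla-One's reply (rate-limit everyone else) combined into one ordered script, with the CIDR check that Old_Fogie's question is about. Assumptions: sshd on 22/tcp, a kernel with the iptables "recent" match, and that you run it as root with IPTABLES pointed at the real binary (the default here is echo, a dry run that just prints the rules). On the CIDR question: the number after the slash is a prefix length in bits, 0 to 32, not a netmask octet, so 192.168.100.1/255 is not valid; the whole 192.168.100.x LAN is 192.168.100.0/24 and one host is 192.168.100.1/32. The rule does nothing special for the router's address: iptables matches the source address of the packet as it arrives, which for a host on the same LAN is that host's own 192.168.100.x address (covered by /24), and for a host out on the Internet is its public address, which falls through to the rate limiter. The rate limiter is generalised from the post's one-connection-per-30-seconds to the usual recent-module idiom of N new connections per source per window (here 3 per 60 seconds).

```shell
#!/bin/sh
# Added example (not from the thread): ordered iptables rules for sshd that
# combine "allow my network" (post #3) with "rate-limit everyone else"
# (post #4). Assumptions: sshd on 22/tcp, the iptables "recent" match is
# available, and IPTABLES names the binary. The default is a dry run that
# prints the rules; run as root with IPTABLES=/usr/sbin/iptables to apply.
IPTABLES=${IPTABLES:-echo}
SSH_PORT=${SSH_PORT:-22}

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 network.
# The number after the slash is a prefix length in bits (0-32), not a
# netmask octet: 192.168.100.0/24 is the whole 192.168.100.x LAN,
# 192.168.100.1/32 is one host, and 192.168.100.1/255 is an error.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr              # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ssh_firewall_rules TRUSTED_CIDR: emit the rules in the order they must be
# evaluated. iptables takes the first matching rule, so the trusted-network
# ACCEPT has to precede the rate limiter, and both have to precede the DROP.
ssh_firewall_rules() {
    trusted=$1
    valid_cidr "$trusted" || { echo "not a valid CIDR network: $trusted" >&2; return 1; }
    # Packets of connections already accepted never reach the rate limiter.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Post #3: the network you administer from gets in unconditionally.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -s "$trusted" -m state --state NEW -j ACCEPT
    # Post #4, generalised: remember every other new connection per source
    # address (no target, so evaluation continues), then drop a source that
    # has opened 4 or more within 60 seconds. Tune --seconds and --hitcount.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --name SSH --set
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Anything else aimed at sshd (e.g. INVALID state) is dropped.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Stand-alone demo (dry run): the rules for a 192.168.100.0/24 LAN.
ssh_firewall_rules 192.168.100.0/24
```

If you also take the "move sshd to another port" suggestion, set SSH_PORT to match sshd_config; the scanners that hit port 22 are indiscriminate, so a different port cuts the noise, but it is not a substitute for the rules, since anyone who port-scans you finds sshd again.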
Old 09-24-2006, 08:07 AM   #7
Hangdog42
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Another alternative would be to stop using usernames and passwords for ssh authentication and move to a key based system. If you don't have the key, you don't get in. Period. There is a good how-to here.
 
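An added example, not from the thread, following Hangdog42's point. The change that actually ends the password-guessing game is PasswordAuthentication no in /etc/ssh/sshd_config, after putting your public key in ~/.ssh/authorized_keys (ssh-keygen, then copy the .pub file over) and confirming that a key login works before you close the password door. The script below audits an sshd_config for the password-related settings, applying one sshd rule that bites people: for each keyword the first occurrence in the file wins, so a hardening line appended at the bottom is silently ignored when the keyword already appears above it. Assumptions: whitespace-separated "Keyword value" lines, only the global section is read (reading stops at the first Match block), and the defaults used for absent keywords are those of the OpenSSH releases of the era (PermitRootLogin later changed to prohibit-password by default). Both configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# that let a password-guessing script succeed, using sshd's own rule that the
# FIRST occurrence of a keyword wins. Assumptions: whitespace-separated
# "Keyword value" lines, the global section only (reading stops at the first
# Match block), and era-typical OpenSSH defaults for absent keywords.

# sshd_effective KEYWORD DEFAULT < sshd_config: print the effective value.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*(#|$)/         { next }                        # comment or blank line
        tolower($1) == "match" { exit }                        # end of the global section
        tolower($1) == key     { print $2; found = 1; exit }   # first occurrence wins
        END                    { if (!found) print def }'
}

# sshd_check CONFIG_TEXT KEYWORD DEFAULT ACCEPTABLE...: print "WEAK keyword
# value" and fail unless the effective value is one of the acceptable ones.
sshd_check() {
    text=$1; key=$2; def=$3; shift 3
    have=$(printf '%s\n' "$text" | sshd_effective "$key" "$def" | tr 'A-Z' 'a-z')
    for ok in "$@"; do
        [ "$have" = "$ok" ] && return 0
    done
    echo "WEAK $key $have"
    return 1
}

# sshd_audit < sshd_config: one WEAK line per problem, exit status 1 if any.
sshd_audit() {
    cfg=$(cat)
    rc=0
    sshd_check "$cfg" PasswordAuthentication          yes no  || rc=1
    sshd_check "$cfg" ChallengeResponseAuthentication yes no  || rc=1   # keyboard-interactive/PAM path
    sshd_check "$cfg" PermitEmptyPasswords            no  no  || rc=1
    sshd_check "$cfg" PubkeyAuthentication            yes yes || rc=1
    sshd_check "$cfg" PermitRootLogin                 yes no prohibit-password without-password || rc=1
    return $rc
}

# Constructed: a stock-looking config with a hardening line appended at the
# end. That last line does nothing, because the earlier one wins.
STOCK_CFG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# appended later, has no effect:
PasswordAuthentication no'

# Constructed: keys only, no root login, no empty passwords.
HARDENED_CFG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes'

echo "== stock config =="
printf '%s\n' "$STOCK_CFG" | sshd_audit || echo "(passwords can still be guessed)"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CFG" | sshd_audit && echo "(keys only)"
```

Run it as sshd_audit < /etc/ssh/sshd_config. On OpenSSH 5.1 and later, sshd -T prints the effective configuration the daemon would really use, Match blocks included, which is the authoritative version of this check (sshd -t only validates syntax). On Slackware, restart with /etc/rc.d/rc.sshd restart, and keep your existing session open until a fresh key-based login has succeeded.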
Old 09-24-2006, 01:01 PM   #8
athanatos
Registered: Apr 2004
Distribution: Slackware 11.0, OpenBSD 4.0
Original Poster
Thank you for replying!

I don't need ssh at the moment so I have just removed the executable permissions from /etc/rc.d/rc.sshd. I saved this thread for later reference. I guess I will have time next week to learn iptables (never had a reason to use it, but this is a reason I guess..).

Regards,
Max.
 
  

