I keep getting this in my logcheck emails. Is this kind of thing normal, or should I be concerned? I have a good password for root, but it sure looks like someone is trying.
Code:
Mar 15 18:06:36 localhost sshd[30327]: Failed password for root from 216.180.225.242 port 40592 ssh2
Mar 15 18:06:37 localhost sshd[30330]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:40 localhost sshd[30330]: Failed password for root from 216.180.225.242 port 40889 ssh2
Mar 15 18:06:41 localhost sshd[30334]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:43 localhost sshd[30334]: Failed password for root from 216.180.225.242 port 41141 ssh2
Mar 15 18:06:44 localhost sshd[30339]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:45 localhost sshd[30339]: Failed password for root from 216.180.225.242 port 41331 ssh2
Mar 15 18:06:46 localhost sshd[30342]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:48 localhost sshd[30342]: Failed password for root from 216.180.225.242 port 41492 ssh2
Mar 15 18:06:49 localhost sshd[30345]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:51 localhost sshd[30345]: Failed password for root from 216.180.225.242 port 41649 ssh2
Mar 15 18:06:52 localhost sshd[30348]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:54 localhost sshd[30348]: Failed password for root from 216.180.225.242 port 41828 ssh2
Mar 15 18:06:55 localhost sshd[30350]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:56 localhost sshd[30350]: Failed password for root from 216.180.225.242 port 41997 ssh2
Mar 15 18:06:57 localhost sshd[30353]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:06:58 localhost sshd[30353]: Failed password for root from 216.180.225.242 port 42133 ssh2
Mar 15 18:06:59 localhost sshd[30355]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:02 localhost sshd[30355]: Failed password for root from 216.180.225.242 port 42251 ssh2
Mar 15 18:07:02 localhost sshd[30358]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:04 localhost sshd[30358]: Failed password for root from 216.180.225.242 port 42441 ssh2
Mar 15 18:07:04 localhost sshd[30360]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:07 localhost sshd[30360]: Failed password for root from 216.180.225.242 port 42587 ssh2
Mar 15 18:07:07 localhost sshd[30367]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:09 localhost sshd[30367]: Failed password for root from 216.180.225.242 port 42773 ssh2
Mar 15 18:07:09 localhost sshd[30369]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:11 localhost sshd[30369]: Failed password for root from 216.180.225.242 port 42909 ssh2
Mar 15 18:07:12 localhost sshd[30372]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:14 localhost sshd[30372]: Failed password for root from 216.180.225.242 port 43052 ssh2
Mar 15 18:07:15 localhost sshd[30376]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:17 localhost sshd[30376]: Failed password for root from 216.180.225.242 port 43257 ssh2
Mar 15 18:07:18 localhost sshd[30379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:20 localhost sshd[30379]: Failed password for root from 216.180.225.242 port 43448 ssh2
Mar 15 18:07:20 localhost sshd[30382]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:22 localhost sshd[30382]: Failed password for root from 216.180.225.242 port 43639 ssh2
Mar 15 18:07:23 localhost sshd[30384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:25 localhost sshd[30384]: Failed password for root from 216.180.225.242 port 43779 ssh2
Mar 15 18:07:26 localhost sshd[30387]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:27 localhost sshd[30387]: Failed password for root from 216.180.225.242 port 43992 ssh2
Mar 15 18:07:28 localhost sshd[30392]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:30 localhost sshd[30392]: Failed password for root from 216.180.225.242 port 44132 ssh2
Mar 15 18:07:30 localhost sshd[30395]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.180.225.242 user=root
Mar 15 18:07:33 localhost sshd[30395]: Failed password for root from 216.180.225.242 port 44287 ssh2
System Events
=-=-=-=-=-=-=
Mar 15 18:04:17 localhost ntpd[6962]: sendto(216.52.237.152): Invalid argument
Mar 15 18:06:34 localhost sshd[30327]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:37 localhost sshd[30330]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:41 localhost sshd[30334]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:44 localhost sshd[30339]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:46 localhost sshd[30342]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:49 localhost sshd[30345]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:52 localhost sshd[30348]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:55 localhost sshd[30350]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:57 localhost sshd[30353]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:06:59 localhost sshd[30355]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:02 localhost sshd[30358]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:04 localhost sshd[30360]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:07 localhost sshd[30367]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:09 localhost sshd[30369]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:12 localhost sshd[30372]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:15 localhost sshd[30376]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:18 localhost sshd[30379]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:20 localhost sshd[30382]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:23 localhost sshd[30384]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:26 localhost sshd[30387]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:28 localhost sshd[30392]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Mar 15 18:07:30 localhost sshd[30395]: Address 216.180.225.242 maps to webmastershost.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
It's an attempt to bruteforce the root user's password over sshd. First you should *never* *ever* allow root to login directly over any remote service like ssh. Edit the sshd_config file and set the PermitRootLogin directive to "no" and restart the service (make sure to remove the '#' symbol to uncomment the line). Also check through all of your system logs as well as the output of 'last -i' and make sure that none of these attempts were successful.
The second portion of the logs with "POSSIBLE BREAKIN ATTEMPT!" is simply letting you know that the hostname used by the system is not the same as what the IP address resolves to according to DNS. This may or may not mean the IP address was spoofed. It could also simply be that the system was behind a NAT. Spoofing sshd connection attempts is fairly non-trivial, so it is unlikely. Regardless, the connection attempts were almost certainly hostile.
Also, take a look at the thread on "Failed SSH logins" at the top of the forum for more tips on preventing these types of attacks.
Good point about root login to ssh. Since this was a new install, I had forgotten about it. Also thought that when I installed bastille, it had taken care of all that stuff. It seems like root login should be disallowed by default.
It would be considerably stronger yet if you did not allow passwords ("ChallengeResponseAuthentication") at all, but instead relied upon digital certificates.
You might also consider installing denyhosts ("apt-get install denyhosts" in testing/unstable), which automatically reads your logs and blocks IPs that repeatedly attack your SSH.
Good ol ssh. You guys should take a look at what this creative hacker is trying to do.
Code:
Mar 18 04:20:00 localhost sshd[9403]: Invalid user amy from ::ffff:204.75.253.22
Mar 18 04:20:00 localhost sshd[9403]: reverse mapping checking getaddrinfo for sccdl.253.75.204.in-addr.arpa failed - POSSIBLE BREAKIN ATTEMPT!
Mar 18 04:20:03 localhost sshd[9403]: Failed password for invalid user amy from ::ffff:204.75.253.22 port 51359 ssh2
Mar 18 04:20:03 localhost sshd[9405]: Invalid user anastacia from ::ffff:204.75.253.22
Mar 18 04:20:03 localhost sshd[9405]: reverse mapping checking getaddrinfo for sccdl.253.75.204.in-addr.arpa failed - POSSIBLE BREAKIN ATTEMPT!
Mar 18 04:20:06 localhost sshd[9405]: Failed password for invalid user anastacia from ::ffff:204.75.253.22 port 51950 ssh2
Mar 18 04:20:07 localhost sshd[9407]: Invalid user anastacia from ::ffff:204.75.253.22
Mar 18 04:20:07 localhost sshd[9407]: reverse mapping checking getaddrinfo for sccdl.253.75.204.in-addr.arpa failed - POSSIBLE BREAKIN ATTEMPT!
Mar 18 04:20:10 localhost sshd[9407]: Failed password for invalid user anastacia from ::ffff:204.75.253.22 port 52297 ssh2
Mar 18 04:20:10 localhost sshd[9410]: Invalid user anderson from ::ffff:204.75.253.22
Mar 18 04:20:10 localhost sshd[9410]: reverse mapping checking getaddrinfo for sccdl.253.75.204.in-addr.arpa failed - POSSIBLE BREAKIN ATTEMPT!
Mar 18 04:20:13 localhost sshd[9410]: Failed password for invalid user anderson from ::ffff:204.75.253.22 port 52861 ssh2
Dictionary usernames. lol I might want to consider this denyhosts thing myself. Apparently he has a proxy too. oooh
Code:
Mar 17 02:08:04 localhost sshd[22213]: Failed password for root from ::ffff:61.108.15.20 port 53509 ssh2
Mar 17 02:08:08 localhost sshd[22216]: Failed password for root from ::ffff:61.108.15.20 port 54041 ssh2
Mar 17 02:08:13 localhost sshd[22218]: Failed password for root from ::ffff:61.108.15.20 port 54534 ssh2
Mar 17 02:08:17 localhost sshd[22221]: Failed password for root from ::ffff:61.108.15.20 port 54982 ssh2
Mar 17 02:08:21 localhost sshd[22224]: Failed password for root from ::ffff:61.108.15.20 port 55529 ssh2
Mar 17 02:08:26 localhost sshd[22226]: Failed password for root from ::ffff:61.108.15.20 port 56056 ssh2
Mar 17 02:08:30 localhost sshd[22228]: Failed password for root from ::ffff:61.108.15.20 port 56498 ssh2
Mar 17 02:08:34 localhost sshd[22231]: Failed password for root from ::ffff:61.108.15.20 port 57048 ssh2
Mar 17 02:08:39 localhost sshd[22234]: Failed password for root from ::ffff:61.108.15.20 port 57486 ssh2
Mar 17 02:08:43 localhost sshd[22236]: Failed password for root from ::ffff:61.108.15.20 port 58026 ssh2
Mar 17 02:08:48 localhost sshd[22239]: Failed password for root from ::ffff:61.108.15.20 port 58503 ssh2
I must have a neon sign or something. Hack me!
Last edited by slantoflight; 03-18-2006 at 08:50 PM.
One thing you could try as well that will help to slow him down. If you have the 'recent' module compiled into your kernel you can use iptables to slow the amount of connections by the same ipaddress. Add a line like this to your iptables script:
/sbin/iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
/sbin/iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
When the attacker reaches 3 hit counts it will be blocked for 60 seconds before resetting. If the attacker keeps attacking before the 60 seconds are up it will reset the time limit to another 60 seconds.
This way all your legitimate users will still be able to connect untouched by the hit count, unless they connect too many times in the time specified. You can also change the time and the hit count to whatever you wish.
You may want to also change the default port that the ssh server is listening on; try something other than port 22 if this is possible and won't cause too much drama for your current users.
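Added example (not code from the thread): a small Python detector that applies the same 3-failures-in-60-seconds threshold as the iptables 'recent' rule above to sshd lines in the formats posted in this thread (plain and ::ffff:-mapped addresses, root and "invalid user" guesses), so a logcheck batch can be compared against what the firewall would have dropped. The sample log lines are constructed with RFC 5737 test addresses, and since syslog timestamps carry no year the whole batch is treated as one year; the slow dictionary walk in the sample is spaced beyond the window and is deliberately not flagged, which is that rule's blind spot.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both forms seen in the thread: "Failed password for root from 1.2.3.4"
# and "Failed password for invalid user amy from ::ffff:1.2.3.4".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?:::ffff:)?(?P<src>[\d.]+) port \d+ ssh2"
)

def parse_failed(line):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("user"), m.group("src")

def find_bursts(lines, window=60, hitcount=3):
    """Sources with >= hitcount failures inside any window-second span (what the
    'recent' rule above would drop); returns {src: (first_flagged, total_failures)}."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    totals = defaultdict(int)
    flagged = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        totals[src] += 1
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) >= hitcount and src not in flagged:
            flagged[src] = ts.strftime("%b %d %H:%M:%S")
    return {src: (first, totals[src]) for src, first in flagged.items()}

# Constructed sample (RFC 5737 test addresses), shaped like the posted logs:
# one fast root burst and one slow dictionary walk spaced beyond the window.
SAMPLE_LOG = [
    "Mar 15 18:06:36 localhost sshd[30327]: Failed password for root from 192.0.2.10 port 40592 ssh2",
    "Mar 15 18:06:37 localhost sshd[30330]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Mar 15 18:06:40 localhost sshd[30330]: Failed password for root from 192.0.2.10 port 40889 ssh2",
    "Mar 15 18:06:43 localhost sshd[30334]: Failed password for root from 192.0.2.10 port 41141 ssh2",
    "Mar 15 18:08:10 localhost sshd[9403]: Failed password for invalid user amy from ::ffff:198.51.100.7 port 51359 ssh2",
    "Mar 15 18:10:20 localhost sshd[9405]: Failed password for invalid user anastacia from ::ffff:198.51.100.7 port 51950 ssh2",
    "Mar 15 18:12:30 localhost sshd[9407]: Failed password for invalid user anderson from ::ffff:198.51.100.7 port 52297 ssh2",
]
```

Widening the window (for example `find_bursts(SAMPLE_LOG, window=600)`) catches the slow walk as well, at the cost of also catching legitimate users who mistype a few times in ten minutes.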
That's a slick solution. Wonder how long before he realizes it'll take 12.3 years to make it through the dictionary and 173.9 years to brute force.... hehe.